Server Name Indication (SNI) is an extension in the TLS Client Hello message that allows a client to specify the hostname it wants to connect to before encryption begins. This helps servers that host multiple domains on the same IP to present the correct SSL certificate. Since the SNI field is sent in plaintext, network analysts and security professionals can inspect it to detect potentially malicious domains without decrypting the traffic.
root@dco:~$ wireshark &
#step 1: get an overview
Wireshark
Filter: (http.request or tls.handshake.type == 1) and !(ssdp) && tls.handshake.extensions_server_name
* the tls.handshake.extensions_server_name filter limits the output to only those packets that have an SNI field
#step 2:
Wireshark > Packet list > Packet Details > TLS > TLSvX.X Record Layer > Handshake Protocol > Extension: server_name > Server Name Indication Extension > right-click "Server Name: ..." > Apply as Column
* visually scan the Server Name column in the packet list for potentially malicious domains