Inspecting Claude Code’s Network Traffic with Linux Namespaces and MITM Proxying (Part 3)

Extracting hostnames from encrypted traffic

In the last post, we explored isolating traffic using namespaces. Now, we’ll explore pulling hostnames from an encrypted session.

The capture file contains Claude’s isolated traffic, but all of it is encrypted with TLS. We can’t read the contents of any request or response. However, we don’t need decryption to determine if WebFetch connects directly to target websites or routes through Anthropic. If example.com appears as a direct connection from the namespace, WebFetch is local. If only api.anthropic.com appears, it’s proxied. TLS leaks destination hostnames in two places, and we can extract them from the encrypted capture.

Open the capture:

    tcpdump -nr claude.pcap | head -30

You’ll see TCP handshakes, data transfers, and teardowns. But the payloads are encrypted. TLS protects them. You can’t see the URLs being fetched, the headers, or the response bodies because they’re encrypted in HTTPS transactions.

What TLS leaks: SNI and DNS

Even…