A Claude Code skill for identifying which proxy protocol is being carried over a forwarded/relayed TCP or UDP port (realm, gost, iptables NAT, nginx stream, socat, etc.) via passive packet analysis.
Supports fingerprinting of: XTLS-Reality, Trojan, VLESS-TLS, ShadowTLS, Shadowsocks, Snell, VMess, Hysteria/Hysteria2, TUIC, WireGuard.
When you see a mystery port being relayed on a VPS, you usually want to know what's actually running over it — without breaking the proxy or DoS-ing the box with tcpdump -s 0 on a Gbps stream. This skill encodes the right workflow:
- Safe capture flags (snaplen + packet count + timeout) tuned for a small VPS
- A handshake-byte fingerprint table covering the common protocols
- SNI-based disambiguation between Reality / Trojan / VLESS-TLS / ShadowTLS
- Hard-won gotchas (mux connections, relative seq numbers, conntrack reorder)
Clone into your Claude Code skills directory:
git clone https://github.com/KysonGeek/identifying-proxy-protocols.git \
  ~/.claude/skills/identifying-proxy-protocols
Then in any Claude Code session, just describe the situation, e.g. "识别 20303 端口的协议" ("identify the protocol on port 20303") or "what protocol is on port 8443?", and the skill activates automatically.
The skill is invoked by Claude when relevant. You only need to supply the port number; Claude handles the capture, parsing, and protocol classification.
See SKILL.md for the full workflow, fingerprint table, and worked example.
Read the "Resource Safety First" section of SKILL.md before running any capture commands manually. Full-payload tcpdump on a proxied port can take down a small VPS within seconds.
MIT