Identify the target hostname of a TLS-encrypted HTTP session in Wireshark without decrypting the payload.


Multiple Choice

Identify the target hostname of a TLS-encrypted HTTP session in Wireshark without decrypting the payload.

Explanation:
During a TLS handshake, the client indicates the server name it wants to reach by sending the Server Name Indication (SNI) extension in the ClientHello. Wireshark reads this during the handshake and shows the hostname, so you can identify the target host of the TLS session without decrypting any payload. DNS queries might reveal a hostname, but they’re separate from the TLS session and may not always be visible or relevant (DNS over HTTPS/TLS or cached results can obscure the exact target for this session). The HTTP Host header is inside the encrypted TLS payload, so it isn’t accessible without decryption. The certificate subject reflects the server’s certificate identity, which can be the same or related but isn’t a guaranteed indicator of the specific destination for the current connection, especially with wildcards or virtual hosting. The SNI extension is the direct, reliable signal of the intended host for the TLS session.

