What does override-destination do in Clash sniffing?

When enabled for a protocol (such as TLS), the core can replace the connection’s routing key with the hostname recovered from the handshake (for example SNI) instead of relying only on the destination IP seen on the wire. That helps DOMAIN and DOMAIN-SUFFIX rules fire as you expect, but it also means a bad sniff, a middlebox, or an unusual port mapping can send traffic down the wrong policy path.

Why do only some websites break after I enable sniffing with Fake-IP?

Fake-IP already decouples what applications resolve from what the core dials. Sniffing adds a second interpretation layer for TLS and HTTP. Sites that multiplex many hosts on one IP, use ECH or nonstandard paths, or depend on QUIC without matching sniff coverage may no longer match the same rules as before—so a subset of destinations fails while the rest look fine.

Should I turn off sniffing entirely to fix partial failures?

Treat disabling sniffing as a diagnostic step, not the default cure. First log what hostname the core believes it saw, compare with your DOMAIN rules, and try narrowing override-destination or adding skip-domain and force-domain exceptions. Turning sniffing off may restore older behavior but can reintroduce IP-only matches and GEOIP surprises you originally wanted to avoid.

How is this different from a plain DNS mode problem?

DNS mode (Fake-IP versus redir-host) decides how names become addresses before the connection is classified. Sniffing runs during the live flow and can change which metadata the rules engine uses. Symptoms overlap—wrong node, endless loading on one tab—but the fixes differ: DNS articles focus on resolvers and enhanced-mode; this article focuses on sniff toggles, override-destination, and rule-order collisions after SNI appears in logs.

Clash Sniff: Fake-IP & override-dest 2026

Why “sniffing fixed routing” sometimes breaks routing

Modern proxy cores can inspect early bytes of a connection—most often the TLS Server Name Indication field or a cleartext HTTP Host header—and feed that hostname into the same rules: pipeline you use for DOMAIN-SUFFIX lines. That sounds like an unqualified win: you get meaningful domain labels even when the operating system handed you only an IP. In production, though, sniffing is a second opinion layered on top of DNS answers, TUN capture paths, and whatever Fake-IP already synthesized when applications asked for names.

When those layers disagree, Clash does not throw a tidy error banner. You see partial site failures: one hostname in a multi-CDN property works while its static bucket does not; a single sign-on redirect loops; streaming loads the shell but segment requests exit the wrong country. Forum threads describe the outcome as “CDN hopping” or “rules ignored,” but the engine is usually doing something deterministic—just not what your mental model assumed.

This article sits beside our Fake-IP versus Redir-Host guide (DNS path) and the matched-rule debugging workflow (rule hits). Here the focus is the intersection: how sniff rewrite and override-destination change the metadata your DOMAIN rows consume, and how to verify that in logs without disabling the whole profile.

What the sniffer actually changes in Meta-class cores

In Clash Meta (mihomo) configurations, sniffer: controls whether the core attempts protocol-aware recovery of a hostname from live traffic. TLS sniffing watches Client Hello handshakes for SNI; HTTP sniffing can read Host headers on unencrypted or early plaintext segments. The point is not curiosity—it is supply missing labels to the rules engine when connections arrive as raw tuples.

Two practical consequences matter for triage. First, sniffing is bounded by what your config covers: ports lists, protocol toggles, skip lists, and whether QUIC or exotic stacks are in play. Second, some toggles—most notably override-destination for a given protocol—tell the kernel, in effect, “trust the recovered name enough to route as if that were the destination identity,” rather than only logging it. That is powerful when IP-based rules used to win incorrectly; it is hazardous when the recovered name is wrong, stale, or belongs to a shared front door that dozens of real backends hide behind.

Keep a copy of your effective running config after each merge from the remote subscription URL provider. Template authors change sniffer stanzas quietly, and a silent import can re-enable override behavior you had carefully neutralized locally.

override-destination in plain language

Without override-destination, a sniffed hostname might appear as diagnostic context while the core still classifies using the destination IP and port you originally saw—useful when you only want logging. With override-destination enabled for TLS or HTTP, successful sniff results can become the authoritative routing key for that flow. Domain-style matchers can suddenly “see” the SNI label you expected; conversely, IP-specific matchers may stop behaving the way they did before the toggle existed.

That shift explains why users report abrupt behavior changes when they paste a trending “optimized” profile: the bundle not only enables sniffer but also flips override flags for TLS defaults. Your GEOIP line might move earlier or later in practical effect because the metadata type associated with the connection changed—even though you never edited the rules: array yourself.

A minimal pattern many operators use while learning is to keep sniffing available for visibility but gate overrides behind exceptions: broad skip-domain lists for sensitive properties, or per-host force-domain entries where you know SNI is stable. Exact YAML keys evolve between releases; treat the names here as conceptual anchors and verify against the version pinned by your GUI or package manager.

How Fake-IP stacks on top

Fake-IP reserves a pool of addresses that stand in for real resolutions until the core completes its own mapping. Applications connect quickly; the proxy decides outbound policy with more context. The design pairs naturally with transparent interception and TUN setups described in our TUN troubleshooting guide. It also means the first IP your GEOIP or IP-CIDR lines encounter may be synthetic, which already pushes some flows toward domain-based matchers or FINAL catch-alls.

Adding aggressive sniff overrides on that base does not create a contradiction by mathematics—but it does narrow the margin for error. If DNS mapping, sniff recovery, and your hand-written DOMAIN line each tell a slightly different story about “which hostname owns this socket,” only one story wins in the rules engine. The symptom surface is famously uneven: the property you test with a simple landing page looks fine, while XHR calls to a sibling API hostname—a name you never added explicitly—fall through to a default proxy and time out against a regional edge you did not intend.

When someone says “Fake-IP and sniffing fight,” what they usually mean is that rule order and matcher types no longer line up with the metadata present after both subsystems run. Fix the metadata story first; swapping DNS modes blindly is slower than reading one debug trace.

Step 1: One failing URL, one profile, no parallel interceptors

Parallel VPN clients, enterprise agents, browser “secure DNS” features, and second-layer packet filters can strip or rewrite handshakes before Clash sees them. That turns sniffing into a lottery. Pick a single reproducer—a URL that always fails within thirty seconds—and close every other tunneling product for the test window.

Record four facts before you touch YAML: client mode (system proxy versus TUN), whether Fake-IP is on, the approximate time the failure began relative to a profile update, and whether the site is TLS-only or also uses QUIC for some assets. QUIC-heavy properties are a frequent source of “half broken” experiences if your sniff coverage emphasizes TLS:443 but video manifests ride a different stack.

Export the effective configuration from your app if possible. You want to diff what the engine runs, not the last file you edited offline while the daemon still holds an older merge in memory. If you rely on remote rule providers bundled through the subscription URL, remember that the merged rule array—not the pretty local header comments—defines precedence.

Freeze GUI experiments Avoid toggling twelve tray-menu options between retries. Each flip changes variables faster than logs can attribute causality.

Step 2: Raise log verbosity and capture sniff-related lines

Informational logs tell you a tunnel exists; they rarely narrate which hostname the sniffer attached to a connection identifier. Switch the core to debug logging for a short capture—seconds, not hours—and reproduce the failure once. Desktop clients expose this under advanced settings; headless installs use log-level fields or flags depending on packaging.

What you are looking for is a coherent chain: a connection identifier, evidence that a TLS or HTTP parser ran, a recovered name if any, and the downstream matched rule string referencing that metadata. If your build phrases these lines differently, learn that phrasing once and reuse it—screenshots of redacted samples are worth more than another generic “sniffing broken?” post.

Security hygiene matters: debug logs contain browsing metadata. Scrub before sharing, rotate files, and never paste raw subscription URL tokens adjacent to traces. URLs are credential-adjacent in many airports’ delivery models.

Step 3: Isolate override-destination and rewrite behavior

Once you can see the sniffed hostname in logs, ask a binary question: does disabling override-destination for the relevant protocol (or narrowing its scope) make the symptom vanish while leaving basic sniffing on? If yes, you have confirmed that routing keys—not upstream bandwidth—are the issue. If no, proceed to Step 4 while keeping sniff enabled; the failure may be a pure rule-order problem revealed only after sniff exposes a domain you were not matching before.

For stubborn hosts, maintain explicit exceptions rather than a global toggle war. Large operators keep a short list of domains where SNI does not represent the ultimate backend—certain financial portals, some enterprise SSO hubs, shared edges where marketing and app API hostnames multiplex aggressively. Those belong in skip lists or bespoke direct rules above broad catch-alls, not at the bottom beside FINAL.

If your template merged nested defaults you do not understand, replace them incrementally. A readable temporary profile might mirror only the sniffer: stanza from upstream while you test, rather than inheriting twenty hidden protocol blocks. Document what you changed; next month’s subscription refresh will try to undo it.

Step 4: Audit rule order with the metadata you actually have

After sniffing, the rules engine may see a domain string where it previously saw only an address. That can make a DOMAIN-SUFFIX line start firing—or stop firing if an earlier IP-based rule now loses relevance. Open your merged rules: list and walk it slowly: first match wins, always. Nothing below a hit executes for that flow.

Pair this pass with the YAML routing guide if you need a refresher on Rule Providers and merge hygiene. Providers are not magical; they expand to ordinary rows. A remote provider’s GEOIP block sitting above your boutique DOMAIN line can shadow it forever—even if the GUI makes your personal line look “near the top” in a prettified view.

When logs show a domain label you recognize yet the matched rule is still wrong, read the rule literally: type, payload, policy target. Then open proxy-groups: and recurse nested groups until you reach the leaf node. Misrouting persists when the rule is correct but the selection chain drifts—exactly the workflow captured in the matched-rule article.

Step 5: Reconcile DNS, Fake-IP, and what sniff saw

Sniffing does not replace DNS; it complements it. If applications resolve critical names outside the core’s resolver—DoH baked into the browser, hard-coded secure DNS in mobile WebViews, split-horizon corporate DNS—your Fake-IP map and sniff result can diverge from what your YAML author assumed. Symptoms look like “only Chrome breaks” or “only this app breaks,” which is a clue to inspect per-app resolvers before rewriting more rules.

Use the DNS guide linked earlier to confirm enhanced mode, fake-ip ranges, and fallback resolvers align with your LAN constraints. Then return to sniff traces: do the names logged match the suffixes your rules target? If sniff shows cdn.example.com while you only wrote DOMAIN,example.com, behavior may still be sane—until a sibling hostname you never listed owns the failing request.

Where possible, prefer explicit suffix coverage for multi-host properties you depend on daily. Rule-bloat anxiety is real, yet guessing a single apex domain for a modern SaaS surface is how “partial breakage” returns every few weeks whenever the vendor shifts asset hosts.

Step 6: Confirm capture mode and regression-test after rollback

System-proxy-only capture misses processes that ignore WinINET or macOS proxy tables; TUN lifts more traffic but changes timing and sometimes DNS binding. Re-run your six-step ladder after any mode switch. A sniff configuration that worked under classic proxy may need different skip lists under TUN because more processes suddenly participate.

Document a rollback path: the minimal stanza edits that restored service, the exact log lines that proved it, and the date of the subscription refresh that might reintroduce upstream overrides. Teams that operate Clash at small scale still benefit from treating profiles like infrastructure code—brief rationale comments above controversial sniff stanzas save future you from undoing a fix at 2 a.m.

End checks with a sanity matrix: landing page, login redirect, one API call visible in devtools, and a heavy asset such as a large static file. Each stage may hit a different hostname; partial green on that matrix usually means incomplete suffix coverage, not mysticism.

Symptom quick map

What you observe	What to inspect first
Only QUIC-heavy sites fail after sniffing	Protocol coverage and ports; try parallel test with QUIC disabled in browser
DOMAIN rule “ignored” overnight	Provider merge order; new GEOIP/IP-CIDR above your line
Correct rule in logs but wrong country at player	Nested SELECT / URL-TEST winners; leaf node drift
Works without override-destination, fails with it on	SNI multiplexing; add skip-domain or narrow override scope
Browser differs from curl for same URL	Secure DNS, extensions, per-app proxy bypass

Illustrative YAML shape (verify keys for your version)

The following block is a readability scaffold—confirm field names against your pinned mihomo release before copying verbatim:

sniffer:
  enable: true
  sniff:
    TLS:
      ports: [443, 8443]
      # override-destination: true   # toggle deliberately after logs
  skip-domain:
    - " '+.bank.example'"
  force-domain:
    - " '+.cdn-you-trust.example'"

Comments in snippets are for illustration only; production profiles may relocate lists or use different merge strategies.

Open source references

Behavioral details change between Meta releases. When documentation and experience disagree, the mihomo repository remains the authoritative source for defaults and regression history. GitHub is for transparency and engineering discussion—not the primary channel to distribute installers. Prefer the project’s official release pages and this site’s download flow when you hand a binary to a colleague.

Frequently asked questions

Does sniffing slow everything down? Usually not materially for desktop browsing; the cost shows up as CPU for debug logging or pathological misconfigurations that force excessive parser work. If you suspect performance, profile with logging off and compare latency distributions methodically.

Is turning off Fake-IP the same fix as turning off sniffing? No. Fake-IP changes resolver semantics; sniffing changes which hostname labels participate in routing for live flows. You might need neither change, one, or both depending on logs.

Why do CDNs “jump” regions? Because different hostnames resolve to different edges; when metadata flips from IP-centric to SNI-centric matching, the path through your policy groups can change—even though the browser URL bar stayed constant.

Closing thoughts

Clash sniffing is not a superstition toggle. Used deliberately—with traced override-destination decisions and honest rule order audits—it tames the IP-only failure modes that send traffic to wrong continents. Used blindly, it becomes another variable that makes DOMAIN rows look flaky. The operators who win keep short evidence bundles: one debug trace, one matched rule line, one YAML hunk changed, one note about the next subscription URL refresh.

Transparent engines reward that discipline. Compared with opaque clients that hide routing keys, Clash-class cores let you read the collision between Fake-IP, SNI, and your own priorities—which is still why teams standardize on them in 2026 despite noisier app stores.

→ Download Clash for free, reproduce one failing flow with debug logging, and walk this six-step ladder: confirm what the sniffer recovered, whether override-destination steered the hit, and which DOMAIN or provider line actually owns the socket—then refresh your subscription URL knowing the baseline behaves.

For structure-heavy profiles, continue with the YAML routing guide; browse the full tech column for scenario-specific domain lists.