I am using the below filter to capture all outgoing HTTPS traffic.
tcpdump "port 443 and src host 192.168.0.4"
13:43:54.343747 IP 192.168.0.4.39358 > stackoverflow.com.https: Flags [R], seq 1287671898, win 0, length 0
13:43:54.343843 IP 192.168.0.4.39358 > stackoverflow.com.https: Flags [R], seq 1287671899, win 0, length 0
13:43:54.343887 IP 192.168.0.4.39358 > stackoverflow.com.https: Flags [R], seq 1287671898, win 0, length 0
13:43:54.343931 IP 192.168.0.4.39358 > stackoverflow.com.https: Flags [R], seq 1287671898, win 0, length 0
How is tcpdump getting the hostname (stackoverflow.com.https) details, if it only sniffs into the TCP layer?