Overview
The BypassEngine is the core component responsible for detecting and fragmenting TLS ClientHello and HTTP request packets to bypass deep packet inspection (DPI). It supports ISP-specific presets and customizable fragmentation strategies.
BypassEngine
Constructor
pub fn new(config: BypassConfig) -> Self
Configuration for the bypass engine
New instance of the bypass engine
Methods
process_outgoing
pub fn process_outgoing(&self, data: &[u8]) -> BypassResult
Raw packet data to process
Result containing fragments, delays, and metadata
use turkey_dpi_engine::{BypassEngine, BypassConfig};
let engine = BypassEngine::new(BypassConfig::default());
let packet = b"\x16\x03\x01...";
let result = engine.process_outgoing(packet);
if result.modified {
println!("Protocol: {:?}", result.protocol);
println!("Hostname: {:?}", result.hostname);
println!("Fragments: {}", result.fragments.len());
// Send fragments with delay
for fragment in result.fragments {
send_packet(&fragment);
if let Some(delay) = result.inter_fragment_delay {
thread::sleep(delay);
}
}
// Send fake packet if configured
if let Some(fake) = result.fake_packet {
send_with_ttl(&fake, 1);
}
}
BypassConfig
Structure
pub struct BypassConfig {
pub fragment_sni: bool,
pub tls_split_pos: usize,
pub fragment_http_host: bool,
pub http_split_pos: usize,
pub send_fake_packets: bool,
pub fake_packet_ttl: u8,
pub fragment_delay_us: u64,
pub use_tcp_segmentation: bool,
pub min_segment_size: usize,
pub max_segment_size: usize,
}
Fields
Enable SNI fragmentation for TLS ClientHello packets
Position to split TLS ClientHello (0 = split at SNI midpoint)
Enable fragmentation of HTTP Host header
Offset from Host header start to split HTTP requests
Send fake packets with corrupted SNI before real packets
TTL for fake packets (should expire before reaching destination)
Microseconds to delay between sending fragments
Use TCP segmentation for initial fragment
Minimum TCP segment size for fragmentation
Maximum TCP segment size for first fragment
ISP Presets
Default
let config = BypassConfig::default();
Turk Telekom
let config = BypassConfig::turk_telekom();
tls_split_pos: 2http_split_pos: 2max_segment_size: 20
Vodafone TR
let config = BypassConfig::vodafone_tr();
tls_split_pos: 3http_split_pos: 3fragment_delay_us: 100max_segment_size: 30
Superonline
let config = BypassConfig::superonline();
tls_split_pos: 1http_split_pos: 1max_segment_size: 15
Aggressive
let config = BypassConfig::aggressive();
tls_split_pos: 0 (splits at SNI midpoint)http_split_pos: 1fragment_delay_us: 10000 (10ms)max_segment_size: 5
Example:
use turkey_dpi_engine::BypassConfig;
// Use ISP-specific preset
let config = BypassConfig::turk_telekom();
// Or create custom configuration
let custom = BypassConfig {
fragment_sni: true,
tls_split_pos: 2,
fragment_http_host: true,
http_split_pos: 3,
send_fake_packets: false,
fake_packet_ttl: 1,
fragment_delay_us: 500,
use_tcp_segmentation: true,
min_segment_size: 1,
max_segment_size: 25,
};
BypassResult
Structure
pub struct BypassResult {
pub fragments: Vec<Bytes>,
pub inter_fragment_delay: Option<Duration>,
pub fake_packet: Option<Bytes>,
pub modified: bool,
pub protocol: DetectedProtocol,
pub hostname: Option<String>,
}
Fields
Packet fragments to send (in order)
Delay to insert between sending fragments
Fake packet with corrupted SNI (send first with low TTL)
Whether the packet was fragmented (false = passthrough)
Detected protocol: TlsClientHello, HttpRequest, or Unknown
Extracted hostname from SNI or Host header
let result = engine.process_outgoing(packet_data);
match result.protocol {
DetectedProtocol::TlsClientHello => {
println!("TLS handshake to: {:?}", result.hostname);
}
DetectedProtocol::HttpRequest => {
println!("HTTP request to: {:?}", result.hostname);
}
DetectedProtocol::Unknown => {
// Packet passed through unmodified
}
}
// Check if packet was fragmented
if result.modified {
assert!(result.fragments.len() >= 2);
}
DetectedProtocol
Enum
pub enum DetectedProtocol {
TlsClientHello,
HttpRequest,
Unknown,
}
Packet is a TLS ClientHello with SNI extension
Packet is an HTTP request with Host header
Packet type could not be identified (passthrough)
Complete Example
use turkey_dpi_engine::{BypassEngine, BypassConfig, DetectedProtocol};
use std::thread;
fn main() {
// Create engine with ISP-specific preset
let engine = BypassEngine::new(BypassConfig::vodafone_tr());
// Sample TLS ClientHello packet (truncated)
let tls_packet = vec![
0x16, 0x03, 0x01, 0x00, 0x5a, // TLS Record
0x01, 0x00, 0x00, 0x56, // Handshake
0x03, 0x03, // TLS 1.2
// ... random bytes ...
];
// Process packet
let result = engine.process_outgoing(&tls_packet);
match result.protocol {
DetectedProtocol::TlsClientHello => {
println!("Detected TLS ClientHello");
println!("Server: {}", result.hostname.unwrap_or_default());
println!("Fragments: {}", result.fragments.len());
// Send fake packet first (if enabled)
if let Some(fake) = result.fake_packet {
send_packet_with_ttl(&fake, 1);
}
// Send fragments with delay
for (i, fragment) in result.fragments.iter().enumerate() {
send_packet(fragment);
// Add delay between fragments (not after last)
if i < result.fragments.len() - 1 {
if let Some(delay) = result.inter_fragment_delay {
thread::sleep(delay);
}
}
}
}
DetectedProtocol::HttpRequest => {
println!("Detected HTTP request");
// Handle HTTP fragmentation...
}
DetectedProtocol::Unknown => {
// Send unmodified
send_packet(&result.fragments[0]);
}
}
}
fn send_packet(data: &[u8]) {
// Implementation: send via raw socket or packet filter
}
fn send_packet_with_ttl(data: &[u8], ttl: u8) {
// Implementation: send with specific TTL
}
See Also
- Config - Advanced configuration system
- Pipeline - Full packet processing pipeline