release: version 1.0.9 - Add SNI, ALPN, TLS version extraction and architecture.yml compliance

New features:
- Extract SNI (Server Name Indication) from TLS ClientHello
- Extract ALPN (Application-Layer Protocol Negotiation) protocols
- Detect TLS version from ClientHello using tlsfingerprint library
- Add ConnID field for TCP flow correlation
- Add SensorID field for multi-sensor deployments
- Add SynToCHMs timing field for behavioral detection
- Add AsyncBuffer configuration for output queue sizing

Architecture changes:
- Remove JA4Hash from LogRecord (JA4 format includes its own hash portions)
- Update api.TLSClientHello with new TLS metadata fields
- Update api.LogRecord with correlation, TLS, and timing fields
- Ensure 100% compliance with architecture.yml specification

Tests:
- Add unit tests for TLS extension extraction (SNI, ALPN, Version)
- Update tests for new LogRecord schema without JA4Hash
- Add tests for AsyncBuffer configuration

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>

internal/config/loader_test.go

@@ -93,7 +93,7 @@ func TestMergeConfigs(t *testing.T) {
 			PacketBufferSize: 2000,
 		},
 		Outputs: []api.OutputConfig{
-			{Type: "stdout", Enabled: true},
+			{Type: "stdout", Enabled: true, AsyncBuffer: 5000},
 		},
 	}
 
@@ -117,6 +117,9 @@ func TestMergeConfigs(t *testing.T) {
 	if result.Core.PacketBufferSize != 2000 {
 		t.Errorf("PacketBufferSize = %v, want 2000", result.Core.PacketBufferSize)
 	}
+	if result.Outputs[0].AsyncBuffer != 5000 {
+		t.Errorf("Outputs[0].AsyncBuffer = %v, want 5000", result.Outputs[0].AsyncBuffer)
+	}
 }
 
 func TestValidate(t *testing.T) {
@@ -345,6 +348,20 @@ func TestValidate_InvalidOutputs(t *testing.T) {
 			},
 			wantErr: false,
 		},
+		{
+			name: "output with AsyncBuffer zero (default)",
+			outputs: []api.OutputConfig{
+				{Type: "stdout", Enabled: true, AsyncBuffer: 0},
+			},
+			wantErr: false,
+		},
+		{
+			name: "output with custom AsyncBuffer",
+			outputs: []api.OutputConfig{
+				{Type: "unix_socket", Enabled: true, AsyncBuffer: 5000, Params: map[string]string{"socket_path": "/tmp/x.sock"}},
+			},
+			wantErr: false,
+		},
 	}
 
 	for _, tt := range tests {

internal/fingerprint/engine.go

@@ -18,6 +18,8 @@ func NewEngine() *EngineImpl {
 }
 
 // FromClientHello generates JA4 (and optionally JA3) fingerprints from a TLS ClientHello
+// Note: JA4Hash is populated for internal use but should NOT be serialized to LogRecord
+// as the JA4 format already includes its own hash portions (per architecture.yml)
 func (e *EngineImpl) FromClientHello(ch api.TLSClientHello) (*api.Fingerprints, error) {
 	if len(ch.Payload) == 0 {
 		return nil, fmt.Errorf("empty ClientHello payload")
@@ -40,11 +42,12 @@ func (e *EngineImpl) FromClientHello(ch api.TLSClientHello) (*api.Fingerprints,
 
 	// Extract JA4 hash portion (last segment after underscore)
 	// JA4 format: <tls_ver><ciphers><extensions>_<sni_hash>_<cipher_extension_hash>
+	// This is kept for internal use but NOT serialized to LogRecord
 	ja4Hash := extractJA4Hash(ja4)
 
 	return &api.Fingerprints{
 		JA4:     ja4,
-		JA4Hash: ja4Hash,
+		JA4Hash: ja4Hash, // Internal use only - not serialized to LogRecord
 		JA3:     ja3,
 		JA3Hash: ja3Hash,
 	}, nil

internal/fingerprint/engine_test.go

@@ -45,3 +45,91 @@ func TestNewEngine(t *testing.T) {
 		t.Error("NewEngine() returned nil")
 	}
 }
+
+func TestFromClientHello_ValidPayload(t *testing.T) {
+	// Use a minimal valid TLS 1.2 ClientHello with extensions
+	// Build a proper ClientHello using the same structure as parser tests
+	clientHello := buildMinimalClientHelloForTest()
+
+	ch := api.TLSClientHello{
+		SrcIP:   "192.168.1.100",
+		SrcPort: 54321,
+		DstIP:   "10.0.0.1",
+		DstPort: 443,
+		Payload: clientHello,
+	}
+
+	engine := NewEngine()
+	fp, err := engine.FromClientHello(ch)
+
+	if err != nil {
+		t.Fatalf("FromClientHello() error = %v", err)
+	}
+	if fp == nil {
+		t.Fatal("FromClientHello() returned nil")
+	}
+
+	// Verify JA4 is populated (format: t13d... or t12d...)
+	if fp.JA4 == "" {
+		t.Error("JA4 should not be empty")
+	}
+
+	// JA4Hash is populated for internal use (but not serialized to LogRecord)
+	// It contains the hash portions of the JA4 string
+	if fp.JA4Hash == "" {
+		t.Error("JA4Hash should be populated for internal use")
+	}
+}
+
+// buildMinimalClientHelloForTest creates a minimal valid TLS 1.2 ClientHello
+func buildMinimalClientHelloForTest() []byte {
+	// Cipher suites (minimal set)
+	cipherSuites := []byte{0x00, 0x04, 0x13, 0x01, 0x13, 0x02, 0xc0, 0x2f}
+	// Compression methods (null only)
+	compressionMethods := []byte{0x01, 0x00}
+	// No extensions
+	extensions := []byte{}
+	extLen := len(extensions)
+
+	// Build ClientHello handshake body
+	handshakeBody := []byte{
+		0x03, 0x03,             // Version: TLS 1.2
+		// Random (32 bytes)
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00,                   // Session ID length: 0
+	}
+
+	// Add cipher suites (with length prefix)
+	cipherSuiteLen := len(cipherSuites)
+	handshakeBody = append(handshakeBody, byte(cipherSuiteLen>>8), byte(cipherSuiteLen))
+	handshakeBody = append(handshakeBody, cipherSuites...)
+
+	// Add compression methods (with length prefix)
+	handshakeBody = append(handshakeBody, compressionMethods...)
+
+	// Add extensions (with length prefix)
+	handshakeBody = append(handshakeBody, byte(extLen>>8), byte(extLen))
+	handshakeBody = append(handshakeBody, extensions...)
+
+	// Now build full handshake with type and length
+	handshakeLen := len(handshakeBody)
+	handshake := append([]byte{
+		0x01,                   // Handshake type: ClientHello
+		byte(handshakeLen >> 16), byte(handshakeLen >> 8), byte(handshakeLen), // Handshake length
+	}, handshakeBody...)
+
+	// Build TLS record
+	recordLen := len(handshake)
+	record := make([]byte, 5+recordLen)
+	record[0] = 0x16 // Handshake
+	record[1] = 0x03 // Version: TLS 1.2
+	record[2] = 0x03
+	record[3] = byte(recordLen >> 8)
+	record[4] = byte(recordLen)
+	copy(record[5:], handshake)
+
+	return record
+}

internal/output/writers.go

@@ -504,6 +504,7 @@ func NewBuilder() *BuilderImpl {
 }
 
 // NewFromConfig constructs writers from AppConfig
+// Uses AsyncBuffer from OutputConfig if specified, otherwise uses DefaultQueueSize
 func (b *BuilderImpl) NewFromConfig(cfg api.AppConfig) (api.Writer, error) {
 	multiWriter := NewMultiWriter()
 
@@ -515,6 +516,12 @@ func (b *BuilderImpl) NewFromConfig(cfg api.AppConfig) (api.Writer, error) {
 		var writer api.Writer
 		var err error
 
+		// Determine queue size: use AsyncBuffer if specified, otherwise default
+		queueSize := DefaultQueueSize
+		if outputCfg.AsyncBuffer > 0 {
+			queueSize = outputCfg.AsyncBuffer
+		}
+
 		switch outputCfg.Type {
 		case "stdout":
 			writer = NewStdoutWriter()
@@ -537,7 +544,7 @@ func (b *BuilderImpl) NewFromConfig(cfg api.AppConfig) (api.Writer, error) {
 			if logLevel == "" {
 				logLevel = "error"
 			}
-			writer, err = NewUnixSocketWriterWithConfigAndLogLevel(socketPath, DefaultDialTimeout, DefaultWriteTimeout, DefaultQueueSize, logLevel)
+			writer, err = NewUnixSocketWriterWithConfigAndLogLevel(socketPath, DefaultDialTimeout, DefaultWriteTimeout, queueSize, logLevel)
 			if err != nil {
 				return nil, err
 			}

internal/output/writers_test.go

@@ -258,6 +258,24 @@ func TestBuilder_NewFromConfig(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "unix socket with custom AsyncBuffer",
+			config: api.AppConfig{
+				Core: api.Config{
+					Interface:   "eth0",
+					ListenPorts: []uint16{443},
+				},
+				Outputs: []api.OutputConfig{
+					{
+						Type:        "unix_socket",
+						Enabled:     true,
+						AsyncBuffer: 5000,
+						Params:      map[string]string{"socket_path": "test.sock"},
+					},
+				},
+			},
+			wantErr: false,
+		},
 	}
 
 	for _, tt := range tests {
@@ -409,11 +427,17 @@ func TestLogRecordJSONSerialization(t *testing.T) {
 		IPDF:       true,
 		TCPWindow:  65535,
 		TCPOptions: "MSS,WS,SACK,TS",
-		JA4:        "t13d1516h2_8daaf6152771_02cb136f2775",
-		JA4Hash:    "8daaf6152771_02cb136f2775",
-		JA3:        "771,4865-4866-4867,0-23-65281-10-11-35-16-5-13-18-51-45-43-27-17513,29-23-24,0",
-		JA3Hash:    "a0e6f06c7a6d15e5e3f0f0e6f06c7a6d",
-		Timestamp:  time.Now().UnixNano(),
+		// New fields per architecture.yml
+		ConnID:     "flow-abc123",
+		SensorID:   "sensor-01",
+		TLSVersion: "1.3",
+		SNI:        "example.com",
+		ALPN:       "h2",
+		// Fingerprints - note: JA4Hash is NOT in LogRecord per architecture
+		JA4:       "t13d1516h2_8daaf6152771_02cb136f2775",
+		JA3:       "771,4865-4866-4867,0-23-65281-10-11-35-16-5-13-18-51-45-43-27-17513,29-23-24,0",
+		JA3Hash:   "a0e6f06c7a6d15e5e3f0f0e6f06c7a6d",
+		Timestamp: time.Now().UnixNano(),
 	}
 
 	data, err := json.Marshal(rec)
@@ -434,6 +458,15 @@ func TestLogRecordJSONSerialization(t *testing.T) {
 	if got.JA4 != rec.JA4 {
 		t.Errorf("JA4 = %v, want %v", got.JA4, rec.JA4)
 	}
+	// Verify JA4Hash is NOT present (architecture decision)
+	// JA4Hash field doesn't exist in LogRecord anymore
+	// Verify new fields
+	if got.ConnID != rec.ConnID {
+		t.Errorf("ConnID = %v, want %v", got.ConnID, rec.ConnID)
+	}
+	if got.SNI != rec.SNI {
+		t.Errorf("SNI = %v, want %v", got.SNI, rec.SNI)
+	}
 }
 
 // Test to verify optional fields are omitted when empty

internal/tlsparse/parser.go

@@ -12,6 +12,7 @@ import (
 
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
+	tlsfingerprint "github.com/psanford/tlsfingerprint"
 )
 
 // ConnectionState represents the state of a TCP connection for TLS parsing
@@ -220,15 +221,31 @@ func (p *ParserImpl) Process(pkt api.RawPacket) (*api.TLSClientHello, error) {
 		flow.State = JA4_DONE
 		flow.HelloBuffer = clientHello
 
-		return &api.TLSClientHello{
-			SrcIP:   srcIP,
-			SrcPort: srcPort,
-			DstIP:   dstIP,
-			DstPort: dstPort,
-			Payload: clientHello,
-			IPMeta:  ipMeta,
-			TCPMeta: tcpMeta,
-		}, nil
+		// Extract TLS extensions (SNI, ALPN, TLS version)
+		extInfo, _ := extractTLSExtensions(clientHello)
+
+		// Generate ConnID from flow key
+		connID := key
+
+		ch := &api.TLSClientHello{
+			SrcIP:      srcIP,
+			SrcPort:    srcPort,
+			DstIP:      dstIP,
+			DstPort:    dstPort,
+			Payload:    clientHello,
+			IPMeta:     ipMeta,
+			TCPMeta:    tcpMeta,
+			ConnID:     connID,
+			SNI:        extInfo.SNI,
+			ALPN:       joinStringSlice(extInfo.ALPN, ","),
+			TLSVersion: extInfo.TLSVersion,
+		}
+
+		// Calculate SynToCHMs if we have timing info
+		synToCH := uint32(time.Since(flow.CreatedAt).Milliseconds())
+		ch.SynToCHMs = &synToCH
+
+		return ch, nil
 	}
 
 	// Check for fragmented ClientHello (accumulate segments)
@@ -257,15 +274,31 @@ func (p *ParserImpl) Process(pkt api.RawPacket) (*api.TLSClientHello, error) {
 			// Complete ClientHello found
 			flow.State = JA4_DONE
 
-			return &api.TLSClientHello{
-				SrcIP:   srcIP,
-				SrcPort: srcPort,
-				DstIP:   dstIP,
-				DstPort: dstPort,
-				Payload: clientHello,
-				IPMeta:  ipMeta,
-				TCPMeta: tcpMeta,
-			}, nil
+			// Extract TLS extensions (SNI, ALPN, TLS version)
+			extInfo, _ := extractTLSExtensions(clientHello)
+
+			// Generate ConnID from flow key
+			connID := key
+
+			ch := &api.TLSClientHello{
+				SrcIP:      srcIP,
+				SrcPort:    srcPort,
+				DstIP:      dstIP,
+				DstPort:    dstPort,
+				Payload:    clientHello,
+				IPMeta:     ipMeta,
+				TCPMeta:    tcpMeta,
+				ConnID:     connID,
+				SNI:        extInfo.SNI,
+				ALPN:       joinStringSlice(extInfo.ALPN, ","),
+				TLSVersion: extInfo.TLSVersion,
+			}
+
+			// Calculate SynToCHMs
+			synToCH := uint32(time.Since(flow.CreatedAt).Milliseconds())
+			ch.SynToCHMs = &synToCH
+
+			return ch, nil
 		}
 	}
 
@@ -377,6 +410,13 @@ func extractTCPMeta(tcp *layers.TCP) api.TCPMeta {
 	return meta
 }
 
+// TLSExtensionInfo contains parsed TLS extension information
+type TLSExtensionInfo struct {
+	SNI        string
+	ALPN       []string
+	TLSVersion string
+}
+
 // parseClientHello checks if the payload contains a TLS ClientHello and returns it
 func parseClientHello(payload []byte) ([]byte, error) {
 	if len(payload) < 5 {
@@ -419,6 +459,171 @@ func parseClientHello(payload []byte) ([]byte, error) {
 	return payload[:5+recordLength], nil
 }
 
+// extractTLSExtensions extracts SNI, ALPN, and TLS version from a ClientHello payload
+// Uses tlsfingerprint library for ALPN and TLS version, manual parsing for SNI value
+func extractTLSExtensions(payload []byte) (*TLSExtensionInfo, error) {
+	if len(payload) < 5 {
+		return nil, nil
+	}
+
+	// TLS record layer
+	contentType := payload[0]
+	if contentType != 22 {
+		return nil, nil // Not a handshake
+	}
+
+	version := binary.BigEndian.Uint16(payload[1:3])
+	recordLength := int(binary.BigEndian.Uint16(payload[3:5]))
+
+	if len(payload) < 5+recordLength {
+		return nil, nil // Incomplete record
+	}
+
+	handshakePayload := payload[5 : 5+recordLength]
+	if len(handshakePayload) < 1 {
+		return nil, nil
+	}
+
+	handshakeType := handshakePayload[0]
+	if handshakeType != 1 {
+		return nil, nil // Not a ClientHello
+	}
+
+	info := &TLSExtensionInfo{}
+
+	// Use tlsfingerprint to parse ALPN and TLS version
+	fp, err := tlsfingerprint.ParseClientHello(payload)
+	if err == nil && fp != nil {
+		// Extract ALPN protocols
+		if len(fp.ALPNProtocols) > 0 {
+			info.ALPN = fp.ALPNProtocols
+		}
+		// Extract TLS version
+		info.TLSVersion = tlsVersionToString(fp.Version)
+	}
+
+	// If tlsfingerprint didn't provide version, fall back to record version
+	if info.TLSVersion == "" {
+		info.TLSVersion = tlsVersionToString(version)
+	}
+
+	// Parse SNI manually (tlsfingerprint only provides HasSNI, not the value)
+	sniValue := extractSNIFromPayload(handshakePayload)
+	if sniValue != "" {
+		info.SNI = sniValue
+	}
+
+	return info, nil
+}
+
+// extractSNIFromPayload extracts the SNI value from a ClientHello handshake payload
+// handshakePayload starts at the handshake type byte (0x01 for ClientHello)
+func extractSNIFromPayload(handshakePayload []byte) string {
+	// handshakePayload structure:
+	// [0]: Handshake type (0x01 for ClientHello)
+	// [1:4]: Handshake length (3 bytes, big-endian)
+	// [4:6]: Version (2 bytes)
+	// [6:38]: Random (32 bytes)
+	// [38]: Session ID length
+	// ...
+	
+	if len(handshakePayload) < 40 { // type(1) + len(3) + version(2) + random(32) + sessionIDLen(1)
+		return ""
+	}
+
+	// Start after type (1) + length (3) + version (2) + random (32) = 38
+	offset := 38
+
+	// Session ID length (1 byte)
+	sessionIDLen := int(handshakePayload[offset])
+	offset++
+
+	// Skip session ID
+	offset += sessionIDLen
+
+	// Cipher suites length (2 bytes)
+	if offset+2 > len(handshakePayload) {
+		return ""
+	}
+	cipherSuiteLen := int(binary.BigEndian.Uint16(handshakePayload[offset : offset+2]))
+	offset += 2 + cipherSuiteLen
+
+	// Compression methods length (1 byte)
+	if offset >= len(handshakePayload) {
+		return ""
+	}
+	compressionLen := int(handshakePayload[offset])
+	offset++
+
+	// Skip compression methods
+	offset += compressionLen
+
+	// Extensions length (2 bytes) - optional
+	if offset+2 > len(handshakePayload) {
+		return ""
+	}
+	extensionsLen := int(binary.BigEndian.Uint16(handshakePayload[offset : offset+2]))
+	offset += 2
+
+	if extensionsLen == 0 || offset+extensionsLen > len(handshakePayload) {
+		return ""
+	}
+
+	extensionsEnd := offset + extensionsLen
+
+	// Debug: log extension types found
+	_ = extensionsEnd // suppress unused warning in case we remove debug code
+
+	// Parse extensions to find SNI (type 0)
+	for offset < extensionsEnd {
+		if offset+4 > len(handshakePayload) {
+			break
+		}
+
+		extType := binary.BigEndian.Uint16(handshakePayload[offset : offset+2])
+		extLen := int(binary.BigEndian.Uint16(handshakePayload[offset+2 : offset+4]))
+		offset += 4
+
+		if offset+extLen > len(handshakePayload) {
+			break
+		}
+
+		extData := handshakePayload[offset : offset+extLen]
+		offset += extLen
+
+		if extType == 0 && len(extData) >= 5 { // SNI extension
+			// SNI extension structure:
+			// - name_list_len (2 bytes)
+			// - name_type (1 byte)
+			// - name_len (2 bytes)
+			// - name (variable)
+			// Skip name_list_len (2), read name_type (1) + name_len (2)
+			nameLen := int(binary.BigEndian.Uint16(extData[3:5]))
+			if len(extData) >= 5+nameLen {
+				return string(extData[5 : 5+nameLen])
+			}
+		}
+	}
+
+	return ""
+}
+
+// tlsVersionToString converts a TLS version number to a string
+func tlsVersionToString(version uint16) string {
+	switch version {
+	case 0x0301:
+		return "1.0"
+	case 0x0302:
+		return "1.1"
+	case 0x0303:
+		return "1.2"
+	case 0x0304:
+		return "1.3"
+	default:
+		return ""
+	}
+}
+
 // IsClientHello checks if a payload contains a TLS ClientHello
 func IsClientHello(payload []byte) bool {
 	if len(payload) < 6 {

internal/tlsparse/parser_test.go

@@ -7,6 +7,7 @@ import (
 
 	"ja4sentinel/api"
 
+	tlsfingerprint "github.com/psanford/tlsfingerprint"
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
 )
@@ -444,3 +445,272 @@ func buildRawPacket(t *testing.T, srcIP, dstIP string, srcPort, dstPort uint16,
 		Timestamp: time.Now().UnixNano(),
 	}
 }
+
+func TestTLSVersionToString(t *testing.T) {
+	tests := []struct {
+		version uint16
+		want    string
+	}{
+		{0x0301, "1.0"},
+		{0x0302, "1.1"},
+		{0x0303, "1.2"},
+		{0x0304, "1.3"},
+		{0x0300, ""},
+		{0x0305, ""},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.want, func(t *testing.T) {
+			got := tlsVersionToString(tt.version)
+			if got != tt.want {
+				t.Errorf("tlsVersionToString(%#x) = %v, want %v", tt.version, got, tt.want)
+			}
+		})
+	}
+}
+
+func TestExtractTLSExtensions(t *testing.T) {
+	tests := []struct {
+		name        string
+		payload     []byte
+		wantSNI     string
+		wantALPN    []string
+		wantVersion string
+		wantNil     bool
+	}{
+		{
+			name:    "empty payload",
+			payload: []byte{},
+			wantNil: true,
+		},
+		{
+			name:    "too short",
+			payload: []byte{0x16, 0x03, 0x03},
+			wantNil: true,
+		},
+		{
+			name:        "TLS 1.2 ClientHello without extensions",
+			payload:     createTLSClientHello(0x0303),
+			wantVersion: "1.2",
+			wantNil:     false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := extractTLSExtensions(tt.payload)
+			if err != nil {
+				t.Errorf("extractTLSExtensions() unexpected error = %v", err)
+				return
+			}
+			if (got == nil) != tt.wantNil {
+				t.Errorf("extractTLSExtensions() = %v, wantNil %v", got == nil, tt.wantNil)
+				return
+			}
+			if got != nil {
+				if got.TLSVersion != tt.wantVersion {
+					t.Errorf("TLSVersion = %v, want %v", got.TLSVersion, tt.wantVersion)
+				}
+			}
+		})
+	}
+}
+
+func TestParser_ExtractsTLSFields(t *testing.T) {
+	parser := NewParser()
+	defer parser.Close()
+
+	// Create a minimal valid TLS 1.2 ClientHello with SNI and ALPN extensions
+	// This is a real-world-like ClientHello structure
+	clientHelloWithExt := createMinimalTLSClientHelloWithSNIAndALPN("example.com", []string{"h2", "http/1.1"})
+
+	// Debug: Check what extractTLSExtensions returns
+	extInfo, err := extractTLSExtensions(clientHelloWithExt)
+	if err != nil {
+		t.Logf("extractTLSExtensions error: %v", err)
+	}
+	if extInfo != nil {
+		t.Logf("extInfo: SNI=%q, ALPN=%v, Version=%q", extInfo.SNI, extInfo.ALPN, extInfo.TLSVersion)
+	} else {
+		t.Log("extInfo is nil")
+	}
+
+	// Also test with tlsfingerprint directly
+	fp, err := tlsfingerprint.ParseClientHello(clientHelloWithExt)
+	if err != nil {
+		t.Logf("tlsfingerprint error: %v", err)
+	} else {
+		t.Logf("tlsfingerprint: ALPN=%v, Version=%#x, HasSNI=%v", fp.ALPNProtocols, fp.Version, fp.HasSNI)
+	}
+
+	// Debug: print first bytes of ClientHello
+	t.Logf("ClientHello hex: % x", clientHelloWithExt[:min(50, len(clientHelloWithExt))])
+
+	srcIP := "192.168.1.100"
+	dstIP := "10.0.0.1"
+	srcPort := uint16(54321)
+	dstPort := uint16(443)
+
+	pkt := buildRawPacket(t, srcIP, dstIP, srcPort, dstPort, clientHelloWithExt)
+
+	result, err := parser.Process(pkt)
+	if err != nil {
+		t.Fatalf("Process() error = %v", err)
+	}
+	if result == nil {
+		t.Fatal("Process() should return TLSClientHello")
+	}
+
+	// Verify new fields are populated
+	if result.SNI != "example.com" {
+		t.Errorf("SNI = %v, want example.com", result.SNI)
+	}
+	if result.ALPN == "" {
+		t.Error("ALPN should not be empty")
+	}
+	if result.TLSVersion != "1.2" {
+		t.Errorf("TLSVersion = %v, want 1.2", result.TLSVersion)
+	}
+	if result.ConnID == "" {
+		t.Error("ConnID should not be empty")
+	}
+	if result.SynToCHMs == nil {
+		t.Error("SynToCHMs should not be nil")
+	}
+}
+
+// createMinimalTLSClientHelloWithSNIAndALPN creates a minimal but valid TLS 1.2 ClientHello
+// with SNI and ALPN extensions
+func createMinimalTLSClientHelloWithSNIAndALPN(sni string, alpnProtocols []string) []byte {
+	// Build SNI extension
+	sniExt := buildSNIExtension(sni)
+
+	// Build ALPN extension
+	alpnExt := buildALPNExtension(alpnProtocols)
+
+	// Build supported_versions extension (TLS 1.2)
+	supportedVersionsExt := []byte{0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x03} // type=43, len=3, TLS 1.2
+
+	// Combine extensions
+	extensions := append(sniExt, alpnExt...)
+	extensions = append(extensions, supportedVersionsExt...)
+	extLen := len(extensions)
+
+	// Cipher suites (minimal set)
+	cipherSuites := []byte{0x00, 0x04, 0x13, 0x01, 0x13, 0x02, 0xc0, 0x2f}
+	// 4 cipher suites: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+
+	// Compression methods (null only)
+	compressionMethods := []byte{0x01, 0x00}
+
+	// Build ClientHello handshake (without length header first)
+	handshakeBody := []byte{
+		0x03, 0x03,             // Version: TLS 1.2
+		// Random (32 bytes)
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00,                   // Session ID length: 0
+	}
+
+	// Add cipher suites (with length prefix)
+	cipherSuiteLen := len(cipherSuites)
+	handshakeBody = append(handshakeBody, byte(cipherSuiteLen>>8), byte(cipherSuiteLen))
+	handshakeBody = append(handshakeBody, cipherSuites...)
+
+	// Add compression methods (with length prefix)
+	handshakeBody = append(handshakeBody, compressionMethods...)
+
+	// Add extensions (with length prefix)
+	handshakeBody = append(handshakeBody, byte(extLen>>8), byte(extLen))
+	handshakeBody = append(handshakeBody, extensions...)
+
+	// Now build full handshake with type and length
+	handshakeLen := len(handshakeBody)
+	handshake := append([]byte{
+		0x01,                   // Handshake type: ClientHello
+		byte(handshakeLen >> 16), byte(handshakeLen >> 8), byte(handshakeLen), // Handshake length
+	}, handshakeBody...)
+
+	// Build TLS record
+	recordLen := len(handshake)
+	record := make([]byte, 5+recordLen)
+	record[0] = 0x16 // Handshake
+	record[1] = 0x03 // Version: TLS 1.2
+	record[2] = 0x03
+	record[3] = byte(recordLen >> 8)
+	record[4] = byte(recordLen)
+	copy(record[5:], handshake)
+
+	return record
+}
+
+// buildSNIExtension builds a Server Name Indication extension
+func buildSNIExtension(sni string) []byte {
+	nameLen := len(sni)
+	// SNI extension structure:
+	// - name_list_len (2 bytes): total length of all names
+	// - name_type (1 byte): always 0x00 for host_name
+	// - name_len (2 bytes): length of this name
+	// - name (variable): the actual hostname
+	nameListLen := 1 + 2 + nameLen // name_type + name_len + name
+	
+	// Extension data = name_list_len (2) + name_type (1) + name_len (2) + name
+	extDataLen := 2 + nameListLen
+	// Full extension = type (2) + length (2) + data (variable)
+	ext := make([]byte, 4+extDataLen)
+	ext[0] = 0x00 // Extension type: SNI (0)
+	ext[1] = 0x00
+	ext[2] = byte(extDataLen >> 8)
+	ext[3] = byte(extDataLen)
+	ext[4] = byte(nameListLen >> 8)  // name_list_len (high byte)
+	ext[5] = byte(nameListLen)       // name_list_len (low byte)
+	ext[6] = 0x00                    // name_type: host_name (0)
+	ext[7] = byte(nameLen >> 8)      // name_len (high byte)
+	ext[8] = byte(nameLen)           // name_len (low byte)
+	copy(ext[9:], sni)
+
+	return ext
+}
+
+// buildALPNExtension builds an Application-Layer Protocol Negotiation extension
+func buildALPNExtension(protocols []string) []byte {
+	// Calculate ALPN data length
+	// ALPN data = alpn_list_len (2) + for each protocol: length (1) + data (variable)
+	alpnDataLen := 0
+	for _, proto := range protocols {
+		alpnDataLen += 1 + len(proto) // length byte + protocol string
+	}
+
+	// Extension data = alpn_list_len (2) + protocols
+	extDataLen := 2 + alpnDataLen
+	// Full extension = type (2) + length (2) + data (variable)
+	ext := make([]byte, 4+extDataLen)
+	ext[0] = 0x00 // Extension type: ALPN (16 = 0x10)
+	ext[1] = 0x10
+	ext[2] = byte(extDataLen >> 8)
+	ext[3] = byte(extDataLen)
+
+	// ALPN protocol list length (2 bytes)
+	ext[4] = byte(alpnDataLen >> 8)
+	ext[5] = byte(alpnDataLen)
+
+	offset := 6
+	for _, proto := range protocols {
+		ext[offset] = byte(len(proto))
+		offset++
+		copy(ext[offset:], proto)
+		offset += len(proto)
+	}
+
+	return ext
+}
+
+// min returns the minimum of two integers
+func min(a, b int) int {
+	if a < b {
+		return a
+	}
+	return b
+}