
Splitting

The primary DPI bypass tool. The idea: break a TCP packet into pieces so the DPI cannot reassemble them and read the contents (in particular, the SNI field in the TLS ClientHello).


Splitting method

| Method | Description |
|---|---|
| tcp | Splitting at the TCP segment layer. One packet becomes two TCP segments |
| ip | Splitting at the IP layer. One IP packet is broken into IP fragments |
| tls | One TLS record is broken into several TLS records inside a single TCP packet |
| oob | Out-of-Band - inserts a byte with the TCP URG flag that throws off the DPI |
| combo | Combination of several split points with decoys, shuffling, and fakes between fragments |
| hybrid | Hybrid of combo and disorder - combined methods with reordered packets |
| disorder | Fragments are sent out of order with random delays |
| extsplit | Automatic splitting right before the SNI extension in the TLS ClientHello |
| firstbyte | Send a single byte, pause, then the rest - a timing attack |
| none | No splitting (use when only faking is needed) |

How to pick a method

Use Discovery - it tests every method and finds one that works. Manual picking is for cases where discovery failed or you want to tune a specific case.

Strategy pool

When the pool is enabled, b4 picks a method at random from the pool for every new connection. This makes it harder for DPI to adapt to a specific method - each connection looks different.

Tip: Pick a few strategies that work on your provider (via discovery) and include them in the pool. The pool is ignored when empty - in that case the method selected above is used.

Reverse order

Sends fragments in reverse order (last fragment first). A DPI that expects data in order cannot reassemble the content.


TCP/IP Segmentation

Available for the tcp or ip method.

Smart SNI splitting

Automatically finds the SNI field in the TLS ClientHello and splits in the middle of the hostname. Try this first - no manual tuning required.

Fixed split position

Manual offset of the split point (0-50 bytes from the start of the TLS payload). Use this when smart splitting does not work on your provider. Specified as a min-max range - each connection picks a random position from the range.

3 segments

When both options (smart SNI + fixed position) are enabled, the packet is split into 3 segments: at the fixed position and in the middle of the SNI.


Combo

Combines several split points with decoys and shuffling. The most flexible method.

Decoy

Sends a fake ClientHello with an allowed SNI before the real traffic:

  1. Fake packet (low TTL) -> DPI sees and analyzes it, but the packet does not reach the server
  2. Real packet (fragmented) -> passes the DPI and is delivered to the server

Split points

| Parameter | Description |
|---|---|
| First Byte | Split after the first byte (timing-based desync) |
| Extension Split | Split before the SNI extension |
| SNI Split | Split in the middle of the SNI hostname |

Each enabled split point adds another segment. The interface shows the number of active splits and the resulting number of segments.

Warning: At least one split point must be enabled, otherwise combo sends the packet as a single segment.

Shuffle mode

| Mode | Description |
|---|---|
| middle | First and last segments keep their position, only the middle ones are shuffled |
| full | All segments are shuffled randomly |
| reverse | Segments are sent in reverse order |

Timing

| Parameter | Description | Range |
|---|---|---|
| First segment delay | Pause after sending the first segment | 10-500 ms |
| Max jitter | Random delay between the other segments | 100-10000 us |

Fake per segment (multidisorder)

Sends fake overlapping packets before every real segment, not only the first. Fills the DPI reassembler with junk.

| Parameter | Description | Range |
|---|---|---|
| Fake per segment | Send fakes between segments | - |
| Fakes per segment | Number of fake packets before each segment | 1-11 |

Disorder

Sends real TCP segments out of order with random delays. Unlike combo, disorder does not use fake packets (except in multidisorder) - it relies on the DPI expecting sequential data.

Disorder shuffle mode

| Mode | Description |
|---|---|
| full | All segments are shuffled randomly |
| reverse | Segments are sent in reverse order |

Timing jitter

Random delay between segments. Specified as a min-max range (us).

Info: Jitter is used when Seg2Delay (inter-packet delay on the General tab) is 0. When Seg2Delay is set, it takes priority.

Warning: The maximum jitter must be greater than the minimum.

Sequence overlap (seqovl)

Adds fake bytes with a decreased TCP sequence number. The DPI sees a fake protocol header while the server discards the overlap (it already has the correct data).

| Pattern | What the DPI sees |
|---|---|
| tls12 | TLS 1.2 header |
| tls11 | TLS 1.1 header |
| tls10 | TLS 1.0 header |
| http_get | HTTP GET request |
| zeros | Zero bytes |
| custom | Custom hex bytes |

Multidisorder

Same as in combo - sends fake overlapping packets before each real segment.


Extension Split

Automatically splits the TLS ClientHello right before the SNI extension. The DPI sees an incomplete extension list and cannot parse the SNI.

[TLS Header] [Handshake] [Ciphers] [Ext1] [Ext2] | [SNI: youtube.com] [Ext...]
                                                 ^ split here

No setup required. Extension Split works automatically. Use the Reverse order toggle and Inter-packet delay (Seg2Delay) on the General tab for extra tuning.


First-Byte Desync

Timing attack: sends a single byte (0x16 - the TLS record type), pauses, then sends the rest of the ClientHello. The DPI sees an incomplete TLS record and cannot parse the SNI before its timeout.

[0x16] ---- pause ---- [rest of the TLS ClientHello...]

No setup required. The delay is controlled by Seg2Delay on the General tab. A minimum of 100 ms is applied automatically - if Seg2Delay is lower, b4 uses 100 ms.


OOB (Out-of-Band)

Injects a byte with the TCP URG (urgent) flag into the data stream. The server ignores OOB data (it is handled separately from the main stream), but a stateful DPI gets confused - it sees an extra byte that shifts its parsing.

| Parameter | Description | Range |
|---|---|---|
| Insert position | Number of bytes before the OOB insertion point. Specified as a min-max range | 1-50 |
| OOB byte | Byte sent via OOB (symbol + hex are shown) | - |

TLS Record Splitting

Splits the ClientHello into several TLS records inside a single TCP packet. A DPI that expects a single-record handshake cannot match its signature.

| Parameter | Description | Range |
|---|---|---|
| Split position | Size of the first TLS record in bytes. Specified as a min-max range | 1-100 |
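
Seen from the inspecting side, the TCP splitting, reverse order, first-byte and TLS record splitting sections above all rely on the same gap: an SNI parser that reads one packet or one TLS record at a time. The sketch below is an added example, not b4 code; the function names are hypothetical and the ClientHello is constructed. It shows such a parser returning nothing on split input, and the same parser recovering the hostname once segments are ordered by sequence number and handshake records are coalesced.

```python
import struct

def build_client_hello(host):
    """Constructed minimal ClientHello record whose only extension is SNI."""
    name = host.encode()
    sni = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(sni)) + sni)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_sni(stream, coalesce=True):
    """Return the SNI hostname, or None if no complete ClientHello is present.
    coalesce=False models an inspector that reads only the first TLS record."""
    hs = b""
    while len(stream) >= 5 and stream[0] == 0x16:      # 0x16 = handshake record
        rec_len = struct.unpack("!H", stream[3:5])[0]
        if len(stream) < 5 + rec_len:
            return None                                # record cut by a TCP split
        hs += stream[5:5 + rec_len]
        stream = stream[5 + rec_len:]
        if not coalesce:
            break
    if len(hs) < 4 or hs[0] != 1 or len(hs) < 4 + int.from_bytes(hs[1:4], "big"):
        return None                                    # handshake message incomplete
    try:
        p = 38 + 1 + hs[38]                            # header, version, random, session id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher suites
        p += 1 + hs[p]                                 # compression methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            if etype == 0:                             # server_name extension
                nlen = struct.unpack("!H", hs[p + 7:p + 9])[0]
                return hs[p + 9:p + 9 + nlen].decode()
            p += 4 + elen
    except (struct.error, IndexError, UnicodeDecodeError):
        pass                                           # malformed lengths
    return None

def reassemble(segments):
    """Join (seq, payload) pairs by sequence number; assumes no overlap or wraparound."""
    out, ordered = b"", sorted(segments)
    for seq, data in ordered:
        if seq != ordered[0][0] + len(out):
            break                                      # gap: later data not yet usable
        out += data
    return out
```

Overlapping segments (seqovl) and low-TTL fakes are not modelled here; handling them requires the inspector to apply the same overlap and TTL rules as the destination host.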