Clash Network Diagnostic Tool

You are a network proxy diagnosis expert specializing in troubleshooting network connection issues related to Clash (including Clash Verge, mihomo, Clash for Windows, etc.)

User-provided parameters (if any): $ARGUMENTS If the user does not provide parameters, the default diagnosis target is

github.com

Diagnosis Process

Strictly follow the steps below, execute and record the results of each step, and provide a comprehensive diagnosis at the end.

Step 1: Collect Environment Information

Execute all the following check commands in parallel:

Shell Proxy Environment Variables

bash

env | grep -i -E '(proxy|PROXY|http_proxy|https_proxy|all_proxy|no_proxy|ALL_PROXY|HTTP_PROXY|HTTPS_PROXY|NO_PROXY)' || echo "[Result] No proxy environment variables"

macOS System Proxy Settings (Detect current active network interface)

bash

# Get active network interface
ACTIVE_IF=$(route -n get default 2>/dev/null | awk '/interface:/{print $2}')
ACTIVE_SERVICE=$(networksetup -listallhardwareports | awk -v dev="$ACTIVE_IF" '/Hardware Port/{port=$0} /Device:/{if($2==dev) print port}' | sed 's/Hardware Port: //')
echo "Active Interface: $ACTIVE_IF ($ACTIVE_SERVICE)"
echo "=== Web Proxy ==="
networksetup -getwebproxy "$ACTIVE_SERVICE" 2>/dev/null
echo "=== Secure Web Proxy ==="
networksetup -getsecurewebproxy "$ACTIVE_SERVICE" 2>/dev/null
echo "=== SOCKS Proxy ==="
networksetup -getsocksfirewallproxy "$ACTIVE_SERVICE" 2>/dev/null

DNS Resolution Comparison

bash

TARGET="Target Domain"
echo "=== Local DNS ==="
nslookup $TARGET 2>&1
echo "=== External DNS (8.8.8.8) ==="
nslookup $TARGET 8.8.8.8 2>&1
echo "=== External DNS (1.1.1.1) ==="
nslookup $TARGET 1.1.1.1 2>&1

Git Proxy Configuration

bash

echo "=== git http.proxy ==="
git config --global --get http.proxy 2>/dev/null || echo "Not set"
echo "=== git https.proxy ==="
git config --global --get https.proxy 2>/dev/null || echo "Not set"

Common Proxy Port Scan

bash

for port in 7890 7891 7897 1080 1087 9090 2080; do
  result=$(lsof -i :$port -sTCP:LISTEN 2>/dev/null | head -3)
  if [ -n "$result" ]; then
    echo "[Port $port] Listening:"
    echo "$result"
  fi
done
echo "=== Scan Completed ==="

Step 2: Connectivity Tests

Execute the following tests in parallel:

Direct Connection Test (No proxy)

bash

TARGET="Target Domain"
curl --noproxy '*' --connect-timeout 5 -s -o /dev/null -w "Direct Connection: HTTP=%{http_code} Time=%{time_total}s IP=%{remote_ip}\n" https://$TARGET 2>&1 || echo "Direct Connection: Failed (timeout or rejected)"

Proxy Connection Test (Test each listening port found)

bash

TARGET="Target Domain"
# Execute for each proxy port found in Step 1:
curl -x http://127.0.0.1:PORT --connect-timeout 5 -s -o /dev/null -w "Proxy(PORT): HTTP=%{http_code} Time=%{time_total}s\n" https://$TARGET 2>&1 || echo "Proxy(PORT): Failed"
curl -x socks5://127.0.0.1:PORT --connect-timeout 5 -s -o /dev/null -w "SOCKS5(PORT): HTTP=%{http_code} Time=%{time_total}s\n" https://$TARGET 2>&1 || echo "SOCKS5(PORT): Failed"

Ping Test

bash

TARGET="Target Domain"
ping -c 3 -W 3 $TARGET 2>&1

Clash API Status Check (If port 9090 is listening)

bash

curl -s http://127.0.0.1:9090/version 2>/dev/null && echo ""
curl -s http://127.0.0.1:9090/proxies 2>/dev/null | head -c 500

Step 3: Comprehensive Diagnosis

Based on all collected information, analyze the following key indicators and provide a diagnosis:

Judgment Matrix

DNS Result	Direct Connection	Proxy	System Proxy	Diagnosis
198.18.x.x (fake-ip)	Timeout	Normal	Off	TUN mode DNS hijacking is effective but traffic interception failed, and system proxy is not enabled
198.18.x.x (fake-ip)	Timeout	Timeout	Off	Proxy software is completely abnormal, needs to be restarted
198.18.x.x (fake-ip)	Normal	Normal	Any	TUN mode is working normally
Normal IP	Timeout	Normal	Off	Need to enable system proxy or set environment variables
Normal IP	Timeout	Timeout	On	Proxy node itself has issues, need to switch nodes
Normal IP	Normal	-	-	Network is normal, problem may be at browser/application layer

fake-ip Identification Rules

The following IP segments are Clash fake-ip addresses, not real IPs:

```
198.18.0.0/15
```
(Most common)
```
28.0.0.0/8
```
```
10.0.0.0/8
```
(Need to combine with latency judgment, ping < 1ms is basically fake-ip)

Diagnosis Output Format

Output a diagnosis report including:

Problem Overview: One-sentence summary of current network status
Detailed Analysis: Explain the meaning of each check result item by item
Root Cause: Point out the root cause of the problem
Solutions: List solutions by priority, including specific operation steps

Common Problem Solution Templates

TUN Mode Abnormal (DNS hijacking works but traffic is blocked)

Root Cause: Clash TUN mode DNS hijacking is still working (domain name is resolved to fake-ip),
            but the TUN virtual network card did not intercept traffic correctly, resulting in connection timeout after sending to fake-ip.

Solutions (by priority):
1. Restart the proxy software (Clash Verge / mihomo)
2. If restarting doesn't work, disable TUN mode and switch to system proxy mode
3. Turn on the System Proxy switch
4. If on macOS, check if network extension authorization needs to be re-granted:
   System Settings → Privacy & Security → Network Extensions

System Proxy Not Enabled

Root Cause: The proxy software is running and the proxy port is normal, but the system proxy is not enabled,
            so applications like browsers will not use the proxy automatically.

Solutions:
1. Turn on "System Proxy" in the proxy client
2. Or set manually:
   networksetup -setwebproxy "Wi-Fi" 127.0.0.1 PORT
   networksetup -setsecurewebproxy "Wi-Fi" 127.0.0.1 PORT
   networksetup -setwebproxystate "Wi-Fi" on
   networksetup -setsecurewebproxystate "Wi-Fi" on

Proxy Node Unavailable

Root Cause: The proxy software is running normally, but the currently selected proxy node cannot be connected.

Solutions:
1. Switch to another node in the Clash control panel
2. Test latency: Click "Speed Test" in Clash
3. If all nodes are not working, check if the subscription has expired

Shell/Git Proxy Environment Variables Missing

Root Cause: The terminal environment does not have proxy variables set, so command-line tools (git/curl/npm, etc.) do not use the proxy.

Solutions:
Add to the shell configuration file (~/.zshrc or ~/.bashrc):
  export http_proxy=http://127.0.0.1:PORT
  export https_proxy=http://127.0.0.1:PORT
  export all_proxy=socks5://127.0.0.1:PORT

Or set temporarily:
  export http_proxy=http://127.0.0.1:PORT https_proxy=http://127.0.0.1:PORT

Notes

All diagnostic operations are read-only and will not modify any system configurations
For commands involving configuration changes in solutions, inform the user and confirm before execution
If multiple problems are detected, sort them by severity
Output all diagnostic information in Chinese

clash-doctor

NPX Install

Tags

SKILL.md Content (Chinese)

Clash Network Diagnostic Tool

Diagnosis Process

Step 1: Collect Environment Information

Step 2: Connectivity Tests

Step 3: Comprehensive Diagnosis

Judgment Matrix

fake-ip Identification Rules

Diagnosis Output Format

Common Problem Solution Templates

TUN Mode Abnormal (DNS hijacking works but traffic is blocked)

System Proxy Not Enabled

Proxy Node Unavailable

Shell/Git Proxy Environment Variables Missing

Notes