How to identify the payload to be used

Because some hotspots only allow https/443 traffic I wanted to put different services on the https port. I found some configuration example to allow access to sshd. But how/what traffic do I need to capture to find the payload for eg. rdp / terminal server traffic?

I tried grabbing some traffic with tcpdump, but the tcp connection seems to be the same for ssh/telnet. So where should I look for this payload specific to rdp.

Currently using sni on certificates to use the same port and ss

use_backend _recir_etherpad if { req.ssl_sni -i }

use_backend ssh if !{ req.ssl_hello_type 1 } { payload(0,7) -m bin 5353482d322e30 } { dst_port 443 }