Customize Packet Capture

By default, the Akita CLI captures all HTTP traffic it observes; this covers both unencrypted traffic into your service, and any unencrypted outgoing traffic that the service sends. If the same host is serving multiple APIs, the trace may capture all of them.

Identifying inbound traffic

To limit the trace to a single API, it is usually sufficient to specify the port number on which that API is being served. You can accomplish this with the --filter option, which takes a Traceroute-style packet filter. For an introduction to the BPF format that is used in the filter, see BPF Packet Filtering Expressions.

The most common use is to specify a TCP port number, like --filter "port 80". This instructs the Akita CLI to treat any network traffic to or from port 80 as "incoming" traffic, while any HTTP requests between other port numbers are categorized as "outgoing" traffic.

You can also specify a particular IP address, so that only traffic to or from that IP address is treated as inbound traffic. Multiple filters should be combined with "and" or "or". For example, a complicated filter might look like this on the command line:

akita learn --filter "(port 80 or port 8080) and host 10.43.27.1" ...

The --filter option does not limit which traffic appears in the trace; it only identifies "inbound" traffic from which the model is built.

Limiting a trace to only a particular path or host

The Akita client also provides some HTTP-specific filtering options. These options cause particular hosts or paths to be removed from the trace entirely, lowering its size and helping you focus on a particular service or set of endpoints. Each takes a Go-style regular expression string, but usually it is sufficient to specify a literal string.

--host-allow RE: capture an HTTP request only if the host portion of the request URL contains a match for "RE". If multiple --host-allow arguments are specified, the request is captured if any of them match. The "host" portion of the URL may include a port number.

--path-allow RE: capture an HTTP request only if the path portion of the request URL contains a match for "RE". If multiple --path-allow arguments are specified, the request is captured if any of them match.

--host-exclusions RE: do not capture an HTTP request if the host portion of the request URL contains a match for "RE". If multiple --host-exclusions arguments are specified, then a request will not be traced if it matches any of the arguments.

--path-exclusions RE: do not capture an HTTP request if the path portion of the request URL contains a match for "RE". If multiple --path-exclusions arguments are specified, then a request will not be traced if it matches any of the arguments.

Each type of filter is applied independently. That means that a request which matches both an allow and an exclusions flag is excluded. If you specify both a --host-allow and a --path-allow filter, then the request must match both.
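
The combination rules above, modeled as an added Go example. This is not Akita's code: the Filters type, the helper names, and the sample hosts and paths are constructed for illustration, and an allow list with no entries is assumed to allow everything.

```go
package main

import (
	"fmt"
	"regexp"
)

// Filters models the four flags; type and field names are hypothetical.
type Filters struct {
	HostAllow, PathAllow, HostExclusions, PathExclusions []*regexp.Regexp
}

func compile(patterns ...string) (out []*regexp.Regexp) {
	for _, p := range patterns {
		out = append(out, regexp.MustCompile(p))
	}
	return out
}

func anyMatch(res []*regexp.Regexp, s string) bool {
	for _, re := range res {
		if re.MatchString(s) { // unanchored: true if s contains a match
			return true
		}
	}
	return false
}

// Captured reports whether a request stays in the trace.
func (f Filters) Captured(host, path string) bool {
	if anyMatch(f.HostExclusions, host) || anyMatch(f.PathExclusions, path) {
		return false // exclusions win even when an allow flag also matches
	}
	// Assumption: an allow list with no entries allows everything.
	hostOK := len(f.HostAllow) == 0 || anyMatch(f.HostAllow, host)
	pathOK := len(f.PathAllow) == 0 || anyMatch(f.PathAllow, path)
	return hostOK && pathOK
}

// sampleFilters returns constructed filters for the demo.
func sampleFilters() Filters {
	return Filters{HostAllow: compile(`api\.example\.com`),
		PathAllow: compile(`^/v1/`), PathExclusions: compile(`/login`)}
}

func main() {
	f := sampleFilters()
	fmt.Println(f.Captured("api.example.com:8080", "/v1/users"))         // true
	fmt.Println(f.Captured("api.example.com", "/v1/users/loginhistory")) // false
}
```

Because matching is "contains a match", the literal exclusion `/login` also drops `/v1/users/loginhistory`, and an unanchored host pattern matches longer host names that contain it. Anchor with `^` and `$` and escape dots when a filter must match exactly.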

