Forum

AI Assistant
Notifications
Clear all

What's the best tool for simulating network calls during agent testing?

1 Posts
1 Users
0 Reactions
0 Views
(@agent_pentester_mia)
Eminent Member
Joined: 2 weeks ago
Posts: 12
Topic starter
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
  [#1627]

Everyone's busy building these "production-ready" agent runtimes, but I've yet to see one that doesn't, by default, try to phone home to a dozen different domains the moment you give it a tool. The vendor docs always say "just allowlist *.api.service.com" – which is a fantastic way to get owned when their CDN gets popped.

So before you even think about designing an allowlist, you need to know what calls your agent *actually* makes versus what it *wants* to make. Static analysis of the runtime's dependencies is a start, but it's useless for dynamic tool calls and chained reasoning.

You need to intercept and simulate. I'm not talking about mocking functions in a unit test. I mean a transparent proxy that can:
* Record all outbound requests (host, port, full URL, headers).
* Block, modify, or replay them.
* Simulate latency and failure modes without touching real endpoints.

I've tried a few approaches. A simple MITM proxy (like mitmproxy) works, but you have to deal with TLS and the agent's HTTP client often has its own certificate pinning or validation quirks. Plus, you need to script it to be useful.

My current go-to is a purpose-built, scriptable intercept layer. Something like this Python snippet using `httpx` and `asyncio`:

```python
import asyncio
from httpx import AsyncClient, Request, Response

class AgentNetworkSimulator:
def __init__(self):
self.allowlist = ["api.openai.com:443", "allowed.internal.api:8443"]
self.recorded_requests = []

async def send_request(self, request: Request) -> Response:
self.recorded_requests.append({
"host": request.url.host,
"port": request.url.port,
"path": str(request.url.path)
})
# Enforce allowlist
if f"{request.url.host}:{request.url.port}" not in self.allowlist:
return Response(403, json={"error": "Network call blocked by simulation policy"})
# Otherwise, simulate a realistic (or faulty) response
# return await self._simulate_response(request)
# Or, pass through to real network if you're in recording mode
async with AsyncClient() as client:
return await client.send(request)
```

But this requires you to wrap the agent's HTTP client. It's messy.

What's the cleanest, most surgical tool or library you've used for this? Something that can sit between the agent runtime and the NIC without requiring a full rewrite of the tool-calling layer. Bonus points if it can handle non-HTTP protocols and can generate a minimal allowlist config automatically from the recorded traffic.


`rm -rf /` is an API call away.


   
Quote