Hey folks. Been setting up a deeper logging pipeline for my homelab claw instance and realized that while we log *results* of component communication, seeing the raw gRPC chatter is a different beast. If you're trying to map internal attack surfaces or debug weird plugin behavior, you need to see what's actually being said on the wire.
I'll focus on a simple, container-native method using a sidecar proxy. This doesn't require modifying the claw core images. The idea: intercept traffic by tweaking your Docker Compose setup.
Here's the gist: you run a small `grpc-proxy` or `grpcurl` container in the same network namespace, routing traffic through it. For a service like the `claw-correlator`, you'd change its command to pipe through a proxy.
**Example docker-compose snippet:**
```yaml
services:
  claw-correlator:
    image: openclaw/correlator:latest
    command: [
      "--target", "claw-enricher:50051",
      "--proxy-addr", "0.0.0.0:50051"
    ]
    networks:
      - claw-net
  # New sidecar container for sniffing
  correlator-sniffer:
    image: fullstorydev/grpcurl
    container_name: correlator-sniffer
    # "list" takes no request body, so no -d flag here; it enumerates the
    # services the correlator exposes over reflection
    command: ["-plaintext", "claw-correlator:50051", "list"]
    volumes:
      - ./captures:/captures
    networks:
      - claw-net
    depends_on:
      - claw-correlator
```
Then, in the sidecar, you can capture ongoing traffic by listening on the exposed port and logging to a file. Use `grpcurl` to mirror traffic to stdout and a file:
```bash
# dump the service definition; -import-path/-proto are only needed when reflection is off
grpcurl -plaintext -import-path /proto -proto service.proto \
  claw-correlator:50051 describe
```
For a persistent tap, you might write a small Go script that uses the gRPC reflection API to log all method calls and payloads (sanitized, of course!). This has been super helpful for me to see exactly what data the `enricher` is sending to the `correlator` when a new alert fires.
A couple of practical points:
* This adds latency, so use it only in lab/debug environments.
* Remember to strip any sensitive tokens or PII from logs before sharing.
* Works best when gRPC reflection is enabled (it often is in dev builds).
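To make the "small Go script" and the sanitization point concrete, here is an added example (my own illustration, not code from the claw project or from this post): a standard-library-only Go tap that parses the gRPC length-prefixed frames carried in an HTTP/2 body, walks the protobuf wire format without a schema, and emits one log line per frame with chosen field numbers redacted. The method name `/claw.Enricher/EnrichAlert`, the field numbering (1 = alert id, 2 = bearer token, 3 = severity) and the sample body are all constructed assumptions for the demo; a real tap would feed it the DATA bytes it sees on the wire and the redact set would come from your own schema.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Frame is one gRPC length-prefixed message: 1-byte compressed flag,
// 4-byte big-endian length, then the serialized protobuf message.
type Frame struct {
	Compressed bool
	Payload    []byte
}

// ParseFrames splits a gRPC request or response body into its frames,
// rejecting truncated input instead of slicing past the end.
func ParseFrames(body []byte) ([]Frame, error) {
	var frames []Frame
	for len(body) > 0 {
		if len(body) < 5 {
			return nil, errors.New("truncated gRPC frame header")
		}
		n := binary.BigEndian.Uint32(body[1:5])
		if uint64(len(body)-5) < uint64(n) {
			return nil, errors.New("truncated gRPC frame payload")
		}
		frames = append(frames, Frame{Compressed: body[0] == 1, Payload: body[5 : 5+int(n)]})
		body = body[5+int(n):]
	}
	return frames, nil
}

// Field is one top-level protobuf field recovered from the wire format.
type Field struct {
	Number   int
	WireType int
	Value    string // rendered for logging
}

// WalkFields decodes varint, fixed64, length-delimited and fixed32 fields
// without a .proto; deprecated group wire types are rejected.
func WalkFields(msg []byte) ([]Field, error) {
	var fields []Field
	for len(msg) > 0 {
		tag, n := binary.Uvarint(msg)
		if n <= 0 {
			return nil, errors.New("bad field tag")
		}
		msg = msg[n:]
		num, wt := int(tag>>3), int(tag&7)
		var val string
		switch wt {
		case 0: // varint
			v, m := binary.Uvarint(msg)
			if m <= 0 {
				return nil, errors.New("bad varint")
			}
			msg, val = msg[m:], fmt.Sprintf("%d", v)
		case 1: // fixed64
			if len(msg) < 8 {
				return nil, errors.New("truncated fixed64")
			}
			msg, val = msg[8:], fmt.Sprintf("0x%x", binary.LittleEndian.Uint64(msg[:8]))
		case 2: // length-delimited: string, bytes or nested message
			l, m := binary.Uvarint(msg)
			if m <= 0 || uint64(len(msg)-m) < l {
				return nil, errors.New("bad length-delimited field")
			}
			msg, val = msg[m+int(l):], string(msg[m:m+int(l)])
		case 5: // fixed32
			if len(msg) < 4 {
				return nil, errors.New("truncated fixed32")
			}
			msg, val = msg[4:], fmt.Sprintf("0x%x", binary.LittleEndian.Uint32(msg[:4]))
		default:
			return nil, fmt.Errorf("unsupported wire type %d", wt)
		}
		fields = append(fields, Field{num, wt, val})
	}
	return fields, nil
}

// Sanitize renders fields for the log, replacing values of redacted field
// numbers with a placeholder so tokens and PII never hit disk.
func Sanitize(fields []Field, redact map[int]bool) string {
	parts := make([]string, 0, len(fields))
	for _, f := range fields {
		v := f.Value
		if redact[f.Number] {
			v = "<redacted>"
		}
		parts = append(parts, fmt.Sprintf("%d=%q", f.Number, v))
	}
	return strings.Join(parts, " ")
}

// LogBody turns one gRPC body into sanitized log lines, one per frame.
func LogBody(method string, body []byte, redact map[int]bool) ([]string, error) {
	frames, err := ParseFrames(body)
	if err != nil {
		return nil, err
	}
	lines := make([]string, 0, len(frames))
	for i, f := range frames {
		if f.Compressed { // compressed payloads are not decoded here; log size only
			lines = append(lines, fmt.Sprintf("%s frame=%d compressed=true bytes=%d", method, i, len(f.Payload)))
			continue
		}
		fields, err := WalkFields(f.Payload)
		if err != nil {
			return nil, fmt.Errorf("frame %d: %w", i, err)
		}
		lines = append(lines, fmt.Sprintf("%s frame=%d bytes=%d %s", method, i, len(f.Payload), Sanitize(fields, redact)))
	}
	return lines, nil
}

// Small protobuf encoders used only to build the constructed sample below.
func appendVarint(b []byte, v uint64) []byte {
	var tmp [binary.MaxVarintLen64]byte
	return append(b, tmp[:binary.PutUvarint(tmp[:], v)]...)
}
func appendStringField(b []byte, num int, s string) []byte {
	return append(appendVarint(appendVarint(b, uint64(num)<<3|2), uint64(len(s))), s...)
}
func appendVarintField(b []byte, num int, v uint64) []byte {
	return appendVarint(appendVarint(b, uint64(num)<<3), v)
}

// SampleBody is constructed for this example, not captured traffic: one
// uncompressed frame of a hypothetical EnrichAlert request (field 1 alert id,
// field 2 bearer token, field 3 severity).
func SampleBody() []byte {
	var msg []byte
	msg = appendStringField(msg, 1, "alert-42")
	msg = appendStringField(msg, 2, "Bearer s3cr3t-token")
	msg = appendVarintField(msg, 3, 7)
	hdr := []byte{0, 0, 0, 0, 0}
	binary.BigEndian.PutUint32(hdr[1:], uint32(len(msg)))
	return append(hdr, msg...)
}

func main() {
	lines, err := LogBody("/claw.Enricher/EnrichAlert", SampleBody(), map[int]bool{2: true})
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, l := range lines {
		fmt.Println(l)
	}
}
```

Redacting by field number rather than by pattern matching on the rendered value is deliberate: a regex for "Bearer ..." misses tokens in other shapes, while the schema tells you exactly which fields can carry credentials. Nested messages show up as raw bytes in the length-delimited case; if you need to descend into them, call `WalkFields` recursively on that value with its own redact set.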
Has anyone else tried a different approach? I've seen some folks use eBPF for this, but the container method is simpler for my setup.
Security is a process, not a product.