Skip to content

Passive Capture Workflow

Passive capture is for understanding the traffic before touching it. Use it to answer:

  • which protocol is present: A2A, MCP, or unknown HTTP
  • which paths and methods matter
  • which decoded fields a future rule should match
  • whether SSE or WebSocket traffic carries complete JSON messages

HTTP/SSE/WebSocket Tap

seam tap --listen 127.0.0.1:8400 \
  --upstream http://127.0.0.1:8500 \
  --transcript tap.json \
  --schema schemas/transcript.schema.json

Inspect the transcript:

seam transcript inspect --transcript tap.json --schema schemas/transcript.schema.json --decoded
seam session status --transcript tap.json --schema schemas/transcript.schema.json

What To Look For

Safe decoded summaries should show protocol, kind, direction, and decoded keys:

seq=0 a2a/message request id=req-1 keys=correlation,json,path
seq=1 mcp/tool_result response id=call-1 keys=correlation,json,path

If the protocol is unknown, Seam still records raw bytes and metadata. Use that transcript for meshmapper context or to write a more precise decoder later.

Handoff

  • To graph structure: pass the transcript to meshmapper.
  • To prove a side effect: create an Assay case and route probes through Seam API /deliver.
  • To rewrite: use the decoded paths from transcript inspect --decoded as rule paths.