Insights > Network Visibility + Security

A Quick Look into ChatGPT's Network Traffic

2023-02-22  |  5 min read 

ChatGPT is making waves as the Internet's favorite chatbot. Apart from being hailed as the replacement for conventional Search Engines, its text generation capabilities are surprising everyone. To demonstrate how good it is, I have asked it to write the Introduction for this blog. Take a look:

ChatGPT Intro Example

In this blog, we will try to look at the network communications that happens in the background while people gleefully wait for the ChatGPT to respond to their questions. We also investigated the hostnames that it uses, custom HTTP headers, and its API traffic.

Network Traffic Analysis

We have analysed the ChatGPT web application traffic and found some interesting insights, which can be helpful for other researchers.

ChatGPT Workflow

Here are the findings for different actions – 

1. Login:

We have observed that when a user clicks “Login” on the ChatGPT webpage, it sends a POST request to the server including the username (email address) and the password in URL-encoded format (x-www-form-urlencoded) inside the payload. 

ChatGPT Login Request

Since the hostname related to this traffic is “” and “x-auth0-requestid” is used as one of the custom headers inside the Response, it seems that ChatGPT is using “Auth0” service (provided by Okta) to authenticate and authorize the user.

ChatGPT Login Response

2. Open ChatGPT Chat Session:

After the successful login, a new ChatGPT session starts using the “” host and the traffic looks like this –

ChatGPT Open Session Request

After that it sends a GET request to the conversation API of the server to get a list of the existing conversations setting the max limit to 20.

ChatGPT Max Limit 20 Request

Then the server replies with the list in JSON format including creation date, title, and a unique id (Version 4 UUID) for each.

ChatGPT Chat List Response

Next, the client also sends a GET request to the server to get the list of available AI models.

ChatGPT AI Models Request

And the server replies with the list of AI models like “text-davinci-002-render” in JSON format 

ChatGPT AI Models Response

3. Chat with Chatbot:

We have seen that ChatGPT is using QUIC Version 1 (RFC 9000) for the actual chatting with the Chatbot. 

ChatGPT QUIC Traffic

For each of the chat message we ask to the ChatGPT chatbot, it first sends a POST request to the conversation API of the server 

ChatGPT Conversion API Request

Also, in the payload part it sends the message in text format, the AI models that the client chooses from the previous request, a unique message id and the parent message id in JSON format. 

ChatGPT Send Message

Then, the message is sent to the moderation api through a POST request to check whether the message content complies with the set of predefined rules. 

The response is also sent through the moderation API again for checking the same.

ChatGPT Chat Response

4. Logout:

When the user clicks logout, it first sends GET request to the server followed by another GET to the server.

ChatGPT Logout Messages

ChatGPT in Keysight Technologies ATI:

At Keysight Technologies Application and Threat Intelligence (ATI), since we always try to deliver the hot trending application, we have published the ChatGPT application traffic in ATI-2023-02 StrikePack released in February 1, 2023 which includes both the generic QUIC traffic and the native ChatGPT traffic.

ChatGPT in BPS

We have also published another version of ChatGPT in ATI-2023-03 StrikePack which simulates the HAR collected from the ChatGPT web application as of February 2023 including different user actions like login, chatting with the ChatGPT bot and logout. Here all the HTTP transactions are replayed in HTTP1.1 over TLS1.2.

ChatGPT HAR Simulation

Leverage Subscription Service to Stay Ahead of Attacks

Keysight's Application and Threat Intelligence subscription provides daily malware and bi-weekly updates of the latest application protocols and vulnerabilities for use with Keysight test platforms. The ATI Research Centre continuously monitors threats as they appear in the wild. Customers of BreakingPoint now have access to attack campaigns for different advanced persistent threats, allowing them to test their currently deployed security control's ability to detect or block such attacks.