Three coordinated containers: an originator running a FastAPI control plane and per-persona asyncio tasks, a terminator hosting protocol sinks with on-demand per-SNI certificate minting from an internal CA, and a local ollama content service that pre-generates a corpus of URL paths, HTML page bodies, and email subject/body pairs so wire traffic has realistic size and structure distribution — not uniform-random bytes.
The content of the traffic is throwaway. What matters is the packet-level characteristics: SNI values, packet sizes, inter-arrival times, session durations, fan-out across destinations.
| Activity | Wire | TLS | What it produces |
|---|---|---|---|
| https_browse | TCP 443 | per-SNI cert | multi-page sessions, corpus paths + bodies |
| smtp_send | TCP 587 | STARTTLS | EHLO + DATA, corpus-sourced subject/body |
| imap_poll | TCP 993 | implicit | LOGIN/SELECT/NOOP/SEARCH/LOGOUT |
| voip_call | UDP 5060 + RTP | — | INVITE/200/ACK + 50pps RTP + BYE |
| ntp_query | UDP 123 | — | 48-byte NTPv4 round-trip every ~64s |
| https_beacon | TCP 443 | per-SNI cert | small HTTPS POSTs to EDR / heartbeat endpoints |
Real office traffic isn't uniformly random. HTML pages follow Zipfian length distributions. Office emails are bimodal — short replies plus long threads. URL paths look like /api/v1/customers/42/orders?page=2, not random bytes. TLS record sizes leak this structure even when the body is encrypted. Filling responses with os.urandom(N) produces flat noise an analyst can spot; an LLM-generated corpus produces traffic with the right size and structure distribution.
| Artifact | Voiced as | Sampled by | What gets generated |
|---|---|---|---|
| paths/{domain}.jsonl | first persona using that domain | originator · https_browse | 40 per domain · short paths, IDs, query strings, static assets |
| pages/{domain}.jsonl | same voice, mixed length buckets | terminator · HTTPS sink (by Host) | 5 per domain · full HTML, ~500 B → 8 kB |
| emails/{persona}.jsonl | role-specific (csr · developer · exec) | originator · smtp_send | 10 per persona · subject + body, bimodal length |
Why pre-generate vs call live: latency (an LLM call would dominate every request), determinism (pinned model + seed = reproducible traffic, useful for testing analyzers against a fixed baseline), and resource cost. If the corpus is missing — e.g. corpus-builder turned off, or a new domain added since the last build — both sides silently fall back to os.urandom(N) with a bell-curve size, so the system stays up.