Network Traffic Analysis of Perplexity AI: The Next-Gen Search Engine
Perplexity AI is an AI-powered search engine that combines the capabilities of large language models (LLMs) with real-time web data retrieval to deliver accurate, cited and contextually relevant responses to user queries. The platform uses a multi-model strategy, integrating various LLMs such as GPT-3.5, GPT-4, Claude 3.7 Sonnet, Gemini Flash 2.0, Llama 3 and DeepSeek R1 to generate comprehensive output. Its core architecture is built on a Retrieval-Augmented Generation (RAG) framework, which blends real-time external data sources with LLMs to generate more accurate and up-to-date responses.
As of October 2024, Perplexity commands over 60% of AI research traffic [1], processing nearly 100 million search queries weekly [1]. While the United States is Perplexity’s largest market by absolute numbers, 80% of its traffic originates from outside the U.S. [1].
Network Traffic Analysis
We performed extensive user interactions with the Perplexity AI web application. The captured traffic was entirely encrypted with TLS 1.3. We then analysed the traffic by host name.
Overall Analysis
In the figure above, the largest number of request-response pairs was observed for pplx-next-static-public.perplexity.ai, followed by perplexity.ai.
The first host served a large number of web artifacts for the page to load, while the second was used for login, preferences, feed, suggestions, interactions, etc.
Figure 2: Cumulative payload per host
Analyzing Endpoints
By examining the HAR file, we gain a detailed view of the HTTP requests and responses between the client and Perplexity AI servers. This analysis focuses on critical endpoints and their roles in the platform's functionality.
Login using Google account:
Figure 3: Get request for login
- Endpoint: /api/auth
- Method: GET
- Purpose: Initiates a new user login and establishes necessary session parameters for communication with Perplexity AI services.
User Interaction Models:
- Endpoint: /rest/sse/perplexity_ask
- Method: POST
- Purpose: Submit a natural language query to Perplexity’s backend for a streamed answer.
- Request Headers:
  - Content-Type: application/json
  - Accept: text/event-stream
- Request Payload: JSON object containing event details.
- Response Status: 200
In the request postData parameter, we found some interesting fields:
Figure 5: PostData parameter for user interaction request
- query_str: This field holds the actual user query, e.g., "what is model context protocol and a2a by google". It is the input the user submits to the system. This query string drives the downstream processing and determines the nature of the result returned.
- model_preference: This directly influences the model selection logic. Values like "pplx_pro" or "pplx_alpha" hint at internal model names or tiers — possibly distinguishing between standard, premium, or experimental LLMs. It plays a role in routing the query to the intended LLM, if permitted.
- search_focus: This controls the scope of the search. For instance, when set to "internet", it likely tells the backend to include or prioritize live, online search results — potentially integrating web data alongside model-generated content.
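The per-host breakdown and the postData fields described above can be reproduced from any exported HAR file. The following is an added example, not code from the original analysis: the sample HAR is constructed, and its static paths, sizes and the nesting of fields under "params" are assumptions, so the field search works at any depth.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

FIELDS = ("query_str", "model_preference", "search_focus")

def har_entry(method, url, size, body=None):  # builds one minimal HAR entry
    req = {"method": method, "url": url}
    if body is not None:
        req["postData"] = {"mimeType": "application/json", "text": json.dumps(body)}
    return {"request": req, "response": {"status": 200, "content": {"size": size}}}

# Constructed sample, not captured traffic; paths, sizes and "params" nesting are assumed.
SAMPLE_HAR = {"log": {"entries": [
    har_entry("GET", "https://pplx-next-static-public.perplexity.ai/static/app.js", 48000),
    har_entry("GET", "https://pplx-next-static-public.perplexity.ai/static/app.css", 12000),
    har_entry("GET", "https://perplexity.ai/api/auth", 900),
    har_entry("POST", "https://perplexity.ai/rest/sse/perplexity_ask", -1,
              {"query_str": "what is model context protocol and a2a by google",
               "params": {"model_preference": "pplx_pro", "search_focus": "internet"}}),
]}}

def host_summary(har):
    """Per-host request count and cumulative response payload in bytes."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0})
    for entry in har["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname
        size = entry["response"].get("content", {}).get("size", 0)
        stats[host]["requests"] += 1
        stats[host]["bytes"] += max(size, 0)  # HAR records unknown sizes as -1
    return dict(stats)

def ask_requests(har, path="/rest/sse/perplexity_ask"):
    """Fields of interest from every JSON POST to the ask endpoint."""
    hits = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        if req["method"] != "POST" or urlsplit(req["url"]).path != path:
            continue
        found = {}
        def grab(obj):  # object_hook sees every JSON object, at any depth
            found.update({k: v for k, v in obj.items() if k in FIELDS})
            return obj
        try:
            json.loads(req["postData"]["text"], object_hook=grab)
        except (KeyError, TypeError, ValueError):
            continue  # missing, truncated or non-JSON body
        hits.append(found)
    return hits
```

To run it on a real capture, load the export with `json.load(open(path))` and pass the result to both functions.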
User Interaction Analytics:
Figure 6: Post request for analytics
- Endpoint: /rest/event/analytics
- Method: POST
- Purpose: Used for analytics, debugging, usage patterns, etc.
- Request Headers:
  - Content-Type: application/json
- Response Status: 200 OK
Discover:
Figure 7: Post request for discover
- Endpoint: /discover
- Method: POST
- Purpose: This endpoint routes to the Discover page, a curated content hub that allows users to explore trending topics and personalized content across categories.
NOTE: While Perplexity AI can be useful, it is a prohibited tool at many companies and government entities. Policy and technical systems must be in place to prevent its use, and it is vital to confirm this by testing with BreakingPoint. These tests validate the security measures and help organizations prevent accidental or malicious use of the platform.
Perplexity AI Traffic Simulation in Keysight ATI
At Keysight Technologies Application and Threat Intelligence (ATI), we always try to deliver trending applications. We have published the PerplexityAI application in ATI-2025-06. It simulates the HAR collected from the Perplexity web application as of April 2025, including user actions such as performing text-based queries, uploading multimedia files, using the generate image feature to create custom visuals, and refining search results. All HTTP transactions are replayed as HTTP/2 over TLS 1.2.
The Perplexity AI application and its 4 new Superflows are shown below:
Leverage Subscription Service to Stay Ahead of Attacks
Keysight's Application and Threat Intelligence subscription provides daily malware and bi-weekly updates of the latest application protocols and vulnerabilities for use with Keysight test platforms. The ATI Research Centre continuously monitors threats as they appear in the wild. BreakingPoint customers now have access to attack campaigns for different advanced persistent threats, allowing them to test their currently deployed security controls' ability to detect or block such attacks.
References:
[1]: https://www.flexos.work/learn/ai-for-work-top-100-october-2024