664 points | alexflint | 4 comments
alexflint No.42919910
httptap is a process-scoped HTTP tracer that you can run without root privileges. You can run `httptap <command>` where <command> is a Linux program and you get a trace of HTTP/HTTPS requests and responses in standard output:

    httptap -- python -c "import requests; requests.get('https://monasticacademy.org')"
    ---> GET https://monasticacademy.org/
    <--- 308 https://monasticacademy.org/ (15 bytes)
    ---> GET https://www.monasticacademy.org/
    <--- 200 https://www.monasticacademy.org/ (5796 bytes)

It works by running <command> in an isolated network namespace. It has its own TCP/IP stack (for which it uses gVisor). It is not an HTTP proxy and so does not rely on <command> being configured to use an HTTP proxy. It decrypts TLS traffic by generating a CA on the fly. It won't install any iptables rules or make other global system changes.
maxmcd No.42921671
Do you know if it's possible to get this working on macOS? I believe Tailscale uses gVisor's TCP/IP lib (as their netstack lib) on macOS for certain things.
1. mdaniel No.42922112
Does Darwin have network namespaces like the Linux kernel does? I get the impression that's an important component of this approach.
2. maxmcd No.42922214
Yes, good point, maybe that is the blocker.
3. jshier No.42923080
No network namespaces, but the various Network Extension APIs might be able to do this, though it's difficult. RocketSim (I'm unaffiliated, just an example) recently added a simulator-specific network throttle (to replace the system-wide Network Link Conditioner Apple ships) using a content filter extension. Even though this is a system-wide API, it seems you can limit its impact to a single app. And it seemed to properly compose with Proxyman and Cloudflare's Warp VPN at the same time, so perhaps it could be a general solution.
4. alexflint No.42923373
Woah, this is super helpful info. Thanks. That sounds like a real possibility for a macOS port actually.