Most active commenters
  • adtac(6)

←back to thread

Show HN: Subtrace – Wireshark for Docker Containers

(github.com)
364 points adtac | 17 comments | 18 Feb 25 23:29 UTC | HN request time: 0.488s | source | bottom

Hey HN, we built Subtrace (https://subtrace.dev) to let you see all incoming and outgoing requests in your backend server—like Wireshark, but for Docker containers. It comes with a Chrome DevTools-like interface. Check out this video: https://www.youtube.com/watch?v=OsGa6ZwVxdA, and see our docs for examples: https://docs.subtrace.dev.

Subtrace lets you see every request with full payload, headers, status code, and latency details. Tools like Sentry and OpenTelemetry often leave out these crucial details, making prod debugging slow and annoying. Most of the time, all I want to see are the headers and JSON payload of real backend requests, but it's impossible to do that in today's tools without excessive logging, which just makes everything slower and more annoying.

Subtrace shows you every backend request flowing through your system. You can use simple filters to search for the requests you care about and inspect their details.

Internally, Subtrace intercepts all network-related Linux syscalls using Seccomp BPF so that it can act as a proxy for all incoming and outgoing TCP connections. It then parses HTTP requests out of the proxied TCP stream and sends them to the browser over WebSocket. The Chrome DevTools Network tab is already ubiquitous for viewing HTTP requests in the frontend, so we repurposed it to work in the browser like any other app (we were surprised that it's just a bunch of TypeScript).

Setup is just one command for any Linux program written in any language.

You can use Subtrace by adding a `subtrace run` prefix to your backend server startup command. No signup required. Try for yourself: https://docs.subtrace.dev

1. smw ◴[19 Feb 25 17:36 UTC] No.43104857[source]
Can it decrypt tls? Perhaps by hooking the calls to common libraries?
replies(1): >>43105380 #
2. adtac ◴[19 Feb 25 18:17 UTC] No.43105380[source]
Yes, but we've managed to do it automatically without any library/language specific hooks! It's probably one of my favourite things in Subtrace :)

We generate an ephemeral TLS root CA certificate and inject it into the system store. The generated certificate is entirely in-memory and never leaves the machine. To make this work without root privileges, we intercept the open(2) syscall to see if it's /etc/ssl/certs/ca-certificates.crt (or equivalent). If so, we append the ephemeral root CA to the list of actual CA certificates; if not, we let the kernel handle the file open like usual. This way, none of the other programs are affected, so only the program you start with `subtrace run` sees and trusts the ephemeral root CA.

After we get the program to trust the ephemeral root CA, we can proxy outgoing TLS connections through Subtrace transparently but also read the cleartext bytes.

All of this is fully automatic, of course.

replies(6): >>43105428 #>>43105948 #>>43105989 #>>43106699 #>>43107159 #>>43111647 #
3. hassleblad23 ◴[19 Feb 25 18:21 UTC] No.43105428[source]
Wow. I think more network inspection tools should adopt an approach like this. Great job.
4. cyberax ◴[19 Feb 25 19:00 UTC] No.43105948[source]
I can't decide if I'm horrified or amazed by this :)
replies(1): >>43112658 #
5. memhole ◴[19 Feb 25 19:03 UTC] No.43105989[source]
Up front, this is not my area of expertise. You would still not want to run this on the same server as your containers since someone could inject their own cert? I think it allows someone to decrypt traffic that isn't just proxied to Subtrace?

Edit: I've reviewed the docs and it looks like you do run it on the same server. For clarity, I've used Sentry before.

replies(1): >>43106088 #
6. adtac ◴[19 Feb 25 19:11 UTC] No.43106088{3}[source]
Subtrace proxies the program's connection using a regular TLS connection to the upstream server. For example, if you do `subtrace run -- curl https://example.com`, curl thinks it's talking to example.com over TLS, but it's really talking to Subtrace locally. Since we injected the ephemeral root CA into the system store, curl will trust the valid TLS certificate that Subtrace presents for example.com. From within the same server, Subtrace will handle the actual TLS connection to upstream example.com. That upstream connection is undecipherable to outsiders.

Everything is exactly as secure as before Subtrace. In other words, using Subtrace doesn't make the NSA's job any easier ;)

replies(1): >>43106156 #
7. memhole ◴[19 Feb 25 19:16 UTC] No.43106156{4}[source]
That's helpful! Thanks for clarifying. I'll have to check it out.
8. Arnavion ◴[19 Feb 25 19:55 UTC] No.43106699[source]
This will not work with HPKP but hopefully nothing is using that any more. ( https://en.m.wikipedia.org/wiki/HTTP_Public_Key_Pinning )

It won't work with programs that defensively validate the cert chain but those are rare.

It won't work with programs that embed their own root cert store, which is also rare but I would guess less rare than the previous one. The usual reason to do this is to minimize OS deps, and in the case of Docker containers to save on container image size by only including the roots you care about.

But yes for the vast majority of programs it should work fine.

replies(1): >>43106868 #
9. adtac ◴[19 Feb 25 20:06 UTC] No.43106868{3}[source]
Yep, certificate pinning is the one scenario Subtrace can't handle in my experience, but thankfully, it's fairly rare like you said. And IMO there is no general solution to the problem [1], but it's one of those very interesting problems to daydream thinking about when you're stuck in traffic or whatever :)

We still try our best by handling as much of the long tail of environments with some library/framework specific workaround (e.g. Deno bundles all TLS certs in its binary so we set the DENO_CERT env var when applicable).

[1] https://news.ycombinator.com/item?id=42923998

replies(2): >>43111657 #>>43118244 #
10. TachyonicBytes ◴[19 Feb 25 20:26 UTC] No.43107159[source]
Is this a different method from the httptap [1] that was on hackernews a few weeks ago? Somebody in that post seemed to say that it also generates CA certificates on the fly.

[1] https://news.ycombinator.com/item?id=42919909

replies(1): >>43107430 #
11. adtac ◴[19 Feb 25 20:46 UTC] No.43107430{3}[source]
httptap is really cool! Their technique is different (they do a filesystem mount instead of intercepting syscalls like Subtrace does) but both tools effectively reach the same goal using different routes.
12. chatmasta ◴[20 Feb 25 06:11 UTC] No.43111647[source]
This is a great hack. It won’t work 100% of the time but it’ll be close, and damn it’s just so clean. Proxies and intercepts all the way down… I love this.
13. chatmasta ◴[20 Feb 25 06:13 UTC] No.43111657{4}[source]
No general solution? :) If you came up with this hack I’m sure you can extend it…

Cert pinning has to read a public cert from memory, right? And a public cert has a well-known shape… and you have bpf and access to the memory…

replies(1): >>43111986 #
14. adtac ◴[20 Feb 25 07:19 UTC] No.43111986{5}[source]
in a different context, maybe: https://news.ycombinator.com/item?id=38044786 :)
15. 1oooqooq ◴[20 Feb 25 09:09 UTC] No.43112658{3}[source]
as with anything too clever and undocumented, you will be amazed until you waste a few weeks debugging an issue caused by it.
16. smw ◴[20 Feb 25 18:25 UTC] No.43118244{4}[source]
kubeshark [0] is using ebpf to catch calls to openssl/go's tls lib and thus no need to juggle certs. Has pros and cons compared to your method, but an interesting comparison.

[0] https://www.kubeshark.co/

replies(1): >>43118481 #
17. ddelnano ◴[20 Feb 25 18:47 UTC] No.43118481{5}[source]
The approach you describe above is common for similar projects:

- Pixie (https://px.dev) -- which I contribute to

- Beyla (https://github.com/grafana/beyla)

- Coroot (https://github.com/coroot/coroot)

If you are interested in the details and how the strategy for this tracing has evolved, you can learn more in this blog (https://blog.px.dev/ebpf-tls-tracing-past-present-future/).