←back to thread

Show HN: Subtrace – Wireshark for Docker Containers

(github.com)
364 points adtac | 5 comments | 18 Feb 25 23:29 UTC | HN request time: 0.254s | source

Hey HN, we built Subtrace (https://subtrace.dev) to let you see all incoming and outgoing requests in your backend server—like Wireshark, but for Docker containers. It comes with a Chrome DevTools-like interface. Check out this video: https://www.youtube.com/watch?v=OsGa6ZwVxdA, and see our docs for examples: https://docs.subtrace.dev.

Subtrace lets you see every request with full payload, headers, status code, and latency details. Tools like Sentry and OpenTelemetry often leave out these crucial details, making prod debugging slow and annoying. Most of the time, all I want to see are the headers and JSON payload of real backend requests, but it's impossible to do that in today's tools without excessive logging, which just makes everything slower and more annoying.

Subtrace shows you every backend request flowing through your system. You can use simple filters to search for the requests you care about and inspect their details.

Internally, Subtrace intercepts all network-related Linux syscalls using Seccomp BPF so that it can act as a proxy for all incoming and outgoing TCP connections. It then parses HTTP requests out of the proxied TCP stream and sends them to the browser over WebSocket. The Chrome DevTools Network tab is already ubiquitous for viewing HTTP requests in the frontend, so we repurposed it to work in the browser like any other app (we were surprised that it's just a bunch of TypeScript).

Setup is just one command for any Linux program written in any language.

You can use Subtrace by adding a `subtrace run` prefix to your backend server startup command. No signup required. Try for yourself: https://docs.subtrace.dev

Show context
qwertox ◴[19 Feb 25 20:49 UTC] No.43107465[source]
Wireshark seems a bit misleading. More like a "network inspector" if one leans towards the browser's network tab in the inspector?

But it really looks useful and I'll definitely play with it to see if I put it into my toolbox.

replies(2): >>43108688 #>>43111633 #
1. adtac ◴[19 Feb 25 22:40 UTC] No.43108688[source]
Thanks!

re the Wireshark analogy: the reason I used that was because: (1) Subtrace operates at roughly the same level in the operating system stack, (2) has similar capabilities, (3) has an overlap in use-cases, and (4) has been the most effective at communicating what Subtrace is in my experience so far. I can see why the analogy is not a perfect 1:1 mapping (obligatory xkcd: https://xkcd.com/624), but naming things is hard and taglines are just names in idea space :)

replies(3): >>43109396 #>>43109805 #>>43112680 #
2. conradev ◴[19 Feb 25 23:56 UTC] No.43109396[source]
Can I download a pcap file? Being able to view and debug the application protocol is one thing, but I can use Wireshark to view and debug TCP itself.

Reading the documentation makes it sound like this sits one or two levels above where Wireshark usually operates, which is why I think the analogy is tough.

3. jolmg ◴[20 Feb 25 00:51 UTC] No.43109805[source]
My first impression with "Wireshark for Docker containers" is "... Well, Wireshark already works with Docker containers, so if your goal is to be Wireshark for Docker containers, you'll just fail by definition. Can't beat Wireshark at being Wireshark."

I'm saying this just FYI. I haven't actually looked at what your product does, but if it were to matter to me, it'd be based on what it can offer that Wireshark can't, rather than how similar it is to Wireshark.

replies(1): >>43111359 #
4. beardedwizard ◴[20 Feb 25 05:14 UTC] No.43111359[source]
I'm struggling to understand why I wouldn't just use wireshark and specify the interface as well. Reading docs shows you need to invoke your container with this as a wrapper which to me is quite a bit scarier than attaching to an interface.
5. Mekoloto ◴[20 Feb 25 09:13 UTC] No.43112680[source]
Wireshark is a weird choice in my opinion because you know, why would i use Subtrace if i can use Wireshark?

and People who don't know how to use Wireshark want probably a better motivation to use Subtrace than 'its like wireshark' because there is a reason why they don't use it.