// the find
subtrace/subtrace
Network inspector for your backend
Subtrace wraps your backend process with `subtrace run -- <cmd>` and gives you an HTTP inspector in your browser, no code changes required. It works by intercepting syscalls via ptrace/seccomp to capture network traffic at the kernel level. Aimed at backend developers who want Wireshark-like visibility without touching their app.
- Zero-instrumentation approach via ptrace+seccomp is genuinely clever — it works across languages and frameworks without agents, sidecars, or SDK imports
- The TLS interception story is solid: because it hooks at the syscall boundary before encryption, you get plaintext even for HTTPS without certificate pinning gymnastics
- ClickHouse as the event store is the right call for this workload — time-series append-only traffic data maps well to its column-oriented layout
- The `subtrace run --` UX is dead simple and the Docker/Compose/K8s guides show they've thought through the actual deployment paths people use
- Linux-only for now (macOS is private beta/waitlist), which immediately rules it out for anyone whose dev machine isn't Linux — a real gap for the primary audience
- ptrace adds overhead: every socket syscall goes through the tracer process, and for high-throughput services this will show up in benchmarks, whatever the docs claim
- 2809 stars but only 64 forks, and the last push was in January 2026 — activity has slowed noticeably and it's unclear whether this is a maintained product or approaching abandonment
- The worker component bundles ClickHouse, which means you're either pointing at their hosted service or running a ClickHouse instance yourself — there's no lightweight local-only mode for solo developers who just want a quick look at traffic