Comment by adtac
19 days ago
Using a TUN device for this is a really cool idea! And the "How it was made" section is one of the best things I've read in a GitHub README.
I'm building something called Subtrace [1] but it can intercept both incoming and outgoing requests automatically. Looks like we converged on the same interface for starting the program too lol [2]. Subtrace's purpose is kinda different from httptap's though (more observability / monitoring for cloud backend services, hence the emphasis on both incoming and outgoing). Also, it uses a different approach: by using Seccomp BPF to intercept the socket, connect, listen, accept, and ~10 other syscalls, all TCP connections get proxied through Subtrace. We then parse the HTTP requests out of the TCP stream and show them to the user in the Chrome DevTools Network tab, which we repurposed to work in the browser like a regular webapp.
Any fun stories there from running programs under httptap? Who phones home the most?
Reminds me of NetGuard, which uses Android's VPN service (instead of raw TUN) for packet filtering. https://github.com/M66B/NetGuard
Wow, did not know about this!
Super cool! Connecting what you capture to Chrome DevTools is fascinating, as is using eBPF. Great work getting the devtools to run as a standalone web app. You won't believe it but I have a half-finished attempt of the same thing for the Firefox network tab - in the "networktab" dir of the repo!
Very cool project, would love to learn more and happy to chat more about it.
Thanks! Subtrace uses BPF, not eBPF :) I think eBPF could be made to work with the same approach, but there are a few differences:
- eBPF requires root privileges or at least CAP_BPF. Subtrace uses seccomp_unotify [1], so it works even in unprivileged environments.
- eBPF requires using eBPF maps as the data channel + weird restrictions in the code because of the eBPF verifier. IMO these two things make it way harder to work with for the kind of networking logic that both httptap and Subtrace have in userspace. Everything is perfectly possible, just harder to reason about and debug.
>half-finished attempt of the same thing for the firefox network tab
Hahahah this is incredible. Something something great minds.
[1] https://man.archlinux.org/man/seccomp_unotify.2.en
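The seccomp_unotify mechanism described in the reply above, as an added example that is not Subtrace's or httptap's code: a classic-BPF seccomp filter routes connect(2) to a userspace supervisor, the supervisor copies the destination sockaddr out of the traced process, re-validates the notification id, and then lets the real syscall continue. No root or capability is needed, only no_new_privs. Assumptions (mine, not the thread's): Linux 5.5 or newer for SECCOMP_USER_NOTIF_FLAG_CONTINUE, a native 64-bit ABI so __NR_connect is the right number, and a constructed loopback target port (4444) with nothing listening, so the child's connect is simply refused after it has been observed.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SECCOMP_USER_NOTIF_FLAG_CONTINUE
#define SECCOMP_USER_NOTIF_FLAG_CONTINUE (1UL << 0) /* assumption: Linux 5.5+ */
#endif

/* Filter for the traced process: connect(2) goes to the userspace supervisor,
 * everything else is allowed. A production filter also checks seccomp_data.arch
 * so a foreign-ABI syscall number cannot slip past. No root: just no_new_privs. */
static int install_connect_filter(void)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_connect, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = 4, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER,
                        SECCOMP_FILTER_FLAG_NEW_LISTENER, &fprog);
}

/* The listener fd is created in the traced child; hand it to the supervisor
 * over a Unix socket with SCM_RIGHTS. */
static int send_fd(int sock, int fd)
{
    char cbuf[CMSG_SPACE(sizeof fd)] = {0}, byte = 0;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof fd);
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

static int recv_fd(int sock)
{
    char cbuf[CMSG_SPACE(sizeof(int))] = {0}, byte = 0;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    if (recvmsg(sock, &msg, 0) != 1) return -1; /* EOF: child never got a listener */
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* Supervisor: take one notification, copy the sockaddr out of the tracee via
 * /proc/<pid>/mem, then re-check the id so a tracee that died or was signalled
 * meanwhile cannot make us act on stale memory (the TOCTOU the man page warns
 * about). Finally tell the kernel to run the real connect() unchanged.
 * Returns the destination port seen, or -2 on any failure. */
static int supervise_one_connect(int listener)
{
    struct seccomp_notif req; struct seccomp_notif_resp resp;
    memset(&req, 0, sizeof req); memset(&resp, 0, sizeof resp); /* kernel wants zeroed */
    if (ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req) != 0) return -2;
    if (req.data.nr != __NR_connect) return -2;
    struct sockaddr_in sa; memset(&sa, 0, sizeof sa);
    size_t len = req.data.args[2] < sizeof sa ? (size_t)req.data.args[2] : sizeof sa;
    char path[48]; snprintf(path, sizeof path, "/proc/%d/mem", (int)req.pid);
    int mem = open(path, O_RDONLY);
    ssize_t n = mem < 0 ? -1 : pread(mem, &sa, len, (off_t)req.data.args[1]);
    if (mem >= 0) close(mem);
    if (n != (ssize_t)len || ioctl(listener, SECCOMP_IOCTL_NOTIF_ID_VALID, &req.id) != 0)
        return -2;
    resp.id = req.id;
    resp.flags = SECCOMP_USER_NOTIF_FLAG_CONTINUE; /* observe only; do not emulate */
    if (ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp) != 0) return -2;
    return sa.sin_family == AF_INET ? (int)ntohs(sa.sin_port) : -2;
}

/* Run a child that connect()s to 127.0.0.1:<port> under the filter and report
 * what the supervisor saw: the port on success, -1 if this kernel or sandbox
 * refuses seccomp user notification, -2 on any other failure. */
int observed_connect_port(uint16_t port)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -2;
    pid_t pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) {
        close(sv[0]);
        int listener = install_connect_filter();
        if (listener < 0 || send_fd(sv[1], listener) != 0) _exit(2);
        struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port),
                                  .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
        int s = socket(AF_INET, SOCK_STREAM, 0);
        (void)connect(s, (struct sockaddr *)&sa, sizeof sa); /* refused is fine */
        _exit(0);
    }
    close(sv[1]);
    int listener = recv_fd(sv[0]), seen = -2, status = 0;
    if (listener >= 0) { seen = supervise_one_connect(listener); close(listener); }
    close(sv[0]); /* closing the listener unblocks the child if we bailed early */
    waitpid(pid, &status, 0);
    if (WIFEXITED(status) && WEXITSTATUS(status) == 2) return -1;
    return seen;
}

int main(void)
{
    int port = observed_connect_port(4444);
    printf("supervisor saw connect() to 127.0.0.1:%d\n", port);
    return port == 4444 ? 0 : 1;
}
```

The two points a practitioner should take from this are the ones the reply makes: the filter needs no privilege beyond no_new_privs, and the supervisor must copy arguments out of the tracee and confirm the notification id is still valid before trusting them, because the traced process is not paused in any ptrace sense and can be killed or restarted by a signal while the supervisor is working. Proxying every TCP connection as Subtrace does is the same loop with a response that redirects or emulates instead of CONTINUE.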