
Httptap: View HTTP/HTTPS requests made by any Linux program

yoavm

The "How it was made" section of the README was not less interesting than the tool itself:

> The way we have set things up is that we live and practice together on a bit over a hundred acres of land. In the mornings and evenings we chant and meditate together, and for about one week out of every month we run and participate in a meditation retreat. The rest of the time we work together on everything from caring for the land, maintaining the buildings, cooking, cleaning, planning, fundraising, and for the past few years developing software together.

abraae

Reminds me of a quote from "Soul of a new machine":

> During one period, when the microcode and logic were glitching at the nanosecond level, one of the overworked engineers departed the company, leaving behind a note on his terminal as his letter of resignation: "I am going to a commune in Vermont and will deal with no unit of time shorter than a season."

alexflint

Wow that's an incredible quote! It feels like that to me too.

erdii

To be honest: This sounds like just another of the many many other yoga/spiritual cults that currently exist all over the western world.

EDIT: typos and slight wording changes

quesera

There is absolutely nothing in their README to suggest that you are using the word "cult" properly.

MisterTea

Did you visit their website? https://www.monasticacademy.org/

While I cannot judge them outright, their article "Cyborgs Need a Trustworthy Religion" can appear cultist as they try to intertwine technology and religion.

2030ai

I sadly assumed the first countryside photo was generated but I assume now it is real!

The mix of tech and meditation would appeal to me. Maybe the idea does (actually doing it is probably hard!).

It seems like a "Buddhist Recurse"

alexflint

httptap is a process-scoped http tracer that you can run without root privileges. You can run `httptap <command>` where <command> is a linux program and you get a trace of http/https requests and responses in standard output:

    httptap -- python -c "import requests; requests.get('https://monasticacademy.org')"
    ---> GET https://monasticacademy.org/
    <--- 308 https://monasticacademy.org/ (15 bytes)
    ---> GET https://www.monasticacademy.org/
    <--- 200 https://www.monasticacademy.org/ (5796 bytes)

It works by running <command> in an isolated network namespace. It has its own TCP/IP stack (for which it uses gVisor). It is not an HTTP proxy and so does not rely on <command> being configured to use an HTTP proxy. It decrypts TLS traffic by generating a CA on the fly. It won't install any iptables rules or make other global system changes.
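To make the "generating a CA on the fly" step concrete, here is an added example (not httptap's own code) that builds an ephemeral CA in memory, issues a leaf certificate for the host a traced process connects to, and checks that the leaf verifies only when that CA is in the client's root pool; the CA name and serial numbers are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign gives tmpl a fresh P-256 key and has parent sign it; a nil parent means
// self-signed. Nothing is written to disk, matching the on-the-fly CA described above.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA makes the ephemeral CA a tracer generates once per run (constructed name).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return sign(&x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "ephemeral tracer CA"}, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

// IssueLeaf mints the server certificate the traced process is shown for host.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return sign(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
}

// Verify is what the traced client effectively does: the handshake succeeds only if roots
// contains the ephemeral CA, which is why the tool must point the client at that CA
// (SSL_CERT_FILE and friends) and why a client that pins its certificates refuses it.
func Verify(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}
```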

maxmcd

Do you know if it's possible to get this working on macos? I believe Tailscale uses gvisor's tcp/ip lib (as their netstack lib) on macos for certain things.

mdaniel

Does Darwin have network namespaces like the Linux kernel does? I get the impression that's an important component of this approach

maxmcd

Yes, good point, maybe that is the blocker.

gear54rus

can it modify requests or responses? with the current web getting increasingly user-hostile a need for a tool like this was never more apparent

especially if it doesn't require proxy configuration

alexflint

Agreed! So there isn't any interface for modifying requests/responses at present, but it's definitely possible given the underlying approach. If you consider [this line of code](https://github.com/monasticacademy/httptap/blob/main/http.go...) where you have an HTTP request parsed from the <command> that ran and are about to send it out to the public internet: you could modify the request (or the response that is received a few lines further) in just the way that you would modify a normal http.Request in Go.

knome

if the program doesn't pin certificates, you should be able to intercept them by telling your machine to trust a certificate authority of your own creation and performing a mitm attack on the process's traffic. if it does do certificate pinning, then it won't trust your home issued cert, and will refuse to send data through your proxy.

pcpuser

You might find mitmproxy useful.

wzyboy

It's a genius idea to run the process in an isolated network namespace!

I'm more interested in the HTTPS part. I see that it sets some common environment variables [1] to instruct the program to use the CA bundle in the temporary directory. This seems to pose a similar issue to all the variants of `http_proxy`: the program may simply choose to ignore the variable.

I see it also mounts an overlay fs for `/etc/resolv.conf` [2]. Does it help if httptap mounts `/etc/ca-certificates` directory with the temporary CA bundle?

[1] https://github.com/monasticacademy/httptap/blob/cb92ee3acfb2...

[2] https://github.com/monasticacademy/httptap/blob/cb92ee3acfb2...

eriksjolund

Another tool that can be used by an unprivileged user for analysing network traffic is rootless Podman with Pasta.

Just add the podman run option

--network=pasta:--pcap,myfile.pcap

Pasta then records the network traffic into a PCAP file that could later be analysed.

I wrote a simple example where I used tshark to analyse the recorded PCAP file https://github.com/eriksjolund/podman-networking-docs?tab=re...

alexflint

Very good to know about. But you still have the problem of decrypting TLS traffic.

mdaniel

I don't know if it's a standard but I believe a lot of tls libraries honor the SSLKEYLOGFILE env-var https://wiki.wireshark.org/TLS#:~:text=and%20curl%20when-,th...

2030ai

That seems like an unnecessary vulnerability waiting to happen.

extraduder_ire

Does this work with larger more complicated software like web browsers, skype, or discord?

I know I'd have to run firefox with --no-remote.

Very cool idea though, love tools with this sort of UX. I look forward to a V1 release in the future.

adtac

Using a TUN device for this is a really cool idea! And the "How it was made" section is one of the best things I've read in a Github README.

I'm building something called Subtrace [1] but it can intercept both incoming and outgoing requests automatically. Looks like we converged on the same interface for starting the program too lol [2]. Subtrace's purpose is kinda different from httptap's though (more observability / monitoring for cloud backend services, hence the emphasis on both incoming and outgoing). Also, it uses a different approach -- using Seccomp BPF to intercept the socket, connect, listen, accept, and ~10 other syscalls, all TCP connections get proxied through Subtrace. We then parse the HTTP requests out of the TCP stream and then show it to the user in the Chrome DevTools Network tab, which we repurposed to work in the browser like a regular webapp.

Any fun stories there from running programs under httptap? Who phones home the most?

[1] https://github.com/subtrace/subtrace

[2] https://docs.subtrace.dev/quickstart

afarah1

Reminds me of NetGuard, which uses Android's VPN service (instead of raw TUN) for packet filtering. https://github.com/M66B/NetGuard

alexflint

Wow, did not know about this!

alexflint

Super cool! Connecting what you capture to Chrome DevTools is fascinating, as is using eBPF. Great work getting the devtools to run as a standalone web app. You won't believe it but I have a half-finished attempt of the same thing for the firefox network tab - in the "networktab" dir of the repo!

Very cool project, would love to learn more and happy to chat more about it.

freedomben

Neat! This will immediately be used by me to debug nginx configs. Currently I use curl -v and have to manually skim the output to figure out what's wrong, but this would immediately make redirect loops and other things apparent. Cool tool!

q2dg

Mitmproxy v11.1 can do a similar thing

josephcsible

Is this implementing TCP in userspace?

notepad0x90

I really like their approach. Other methods that might use something like LD_PRELOAD fail on statically linked ELFs, like golang binaries.

sevg

This looks great!

The GitHub profile points to https://www.monasticacademy.org/about which I have no particular opinion on but it did leave me wondering what the connection is between their monastic training retreat and their projects on GitHub.

Edit: Oh, I didn’t go to the bottom of the readme https://github.com/monasticacademy/httptap?tab=readme-ov-fil...

alexflint

Yeah, for other readers who are looking at this thread, the connection is just that this (httptap) is a Monastic Academy project, and what that means is that there is a group of people living on 123 acres in Vermont according to a fairly traditional Buddhist monastic structure (though we are not ordained monks), and during the day we work on a number of technology and non-technology projects together. The link to the readme that sevg posted above is a good overview:

https://github.com/monasticacademy/httptap?tab=readme-ov-fil...

ranger_danger

Why not use eBPF instead? Then you could see all http requests from all processes at once, including ones that are already running. Plus you wouldn't need to bother with TLS at all, just hook on e.g. write(2).

somanyphotons

Presumably eBPF requires root privs?

trallnag

I'm having a hard time coming up with a use case where I want to use a tool like that but I'm also lacking root privileges.

freedomben

Inside most production environments. I could use this today inside a Pod that isn't allowed root privs.

TacticalCoder

Wouldn't this require root? A big "selling point" of httptap seems to be that precisely it doesn't require root.

Anyway the more options we have, the better.