Y Combinator startup Subtrace has released an open-source tool to help analyse network traffic from containerised applications. The creators have positioned it as “Wireshark for Containers” and aim to simplify network debugging in Docker and Kubernetes environments.
Subtrace combines system call tracing with network packet analysis in a single interface so that developers can see what applications are doing at the system level and how data flows across container networks. The tool uses eBPF to capture this information, theoretically with minimal performance impact on running containers.
The development team behind Subtrace says traditional network analysis tools struggle with containerised environments. Standard tools like Wireshark require manual configuration to access container network namespaces. This can be complex and time-consuming for developers working with multiple containers or Kubernetes clusters.
Subtrace addresses these challenges by providing native container integration. It understands container concepts and can automatically correlate network traffic with container identity, reducing the manual work required to analyse container network behaviour. Subtrace automatically discovers running containers and can attach to their network interfaces without manual namespace configuration. It also correlates network traffic with container metadata such as pod names and service labels in Kubernetes environments.
The tool offers both command-line and web interfaces. The web interface provides visual network flow analysis similar to Wireshark but designed specifically for container workloads. Users can filter traffic by container, service, or protocol and examine packet contents in detail.
The tool’s announcement on Hacker News has generated some discussion about its technical approach and positioning. Several users questioned the “Wireshark for Containers” comparison, with user jolmg commenting: “My first impression with ‘Wireshark for Docker containers’ is ‘… Well, Wireshark already works with Docker containers, so if your goal is to be Wireshark for Docker containers, you’ll just fail by definition. Can’t beat Wireshark at being Wireshark.’”
User sophacles provided detailed feedback about what they would expect from a true “Wireshark for containers,” noting: “It’s not wireshark, it’s not close to wireshark just because it can capture some tcp pcaps.” They highlighted the need for features like DNS traffic inspection, packet tracing through container network stacks, and NAT tracking capabilities.
However, other community members pointed out the niche into which Subtrace can fit. User chatmasta observed: “IMO the real UX problem is that there’s nothing in between ‘Wireshark’ and ‘DevTools.’ What would be cool is a program that renders the real DevTools UI from a .pcap file.”
One aspect that particularly impressed community members was Subtrace’s approach to TLS decryption. The tool generates ephemeral TLS root certificates and injects them into the system certificate store without requiring root privileges. User adtac, the project creator, explained: “We intercept the open(2) syscall to see if it’s /etc/ssl/certs/ca-certificates.crt (or equivalent). If so, we append the ephemeral root CA to the list of actual CA certificates.”
Reaction to this explanation was somewhat mixed. User cyberax commented: “I can’t decide if I’m horrified or amazed by this,” while user chatmasta praised it as “a great hack” that provides “clean” proxy functionality. User 1oooqooq offered a cautionary note, warning that “as with anything too clever and undocumented, you will be amazed until you waste a few weeks debugging an issue caused by it.”
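Because the interception described above changes what a process reads from the CA bundle path without changing the file on disk, a defender can detect it by comparing the bundle as seen from inside the process against a trusted reference (the distribution package, or a copy recorded outside the container). The following check is an added example, not Subtrace code; the PEM blocks are constructed stand-ins, not real certificates, and the REFERENCE_BUNDLE and OBSERVED_BUNDLE names are assumptions made for illustration.

```python
import base64
import hashlib
import re
import textwrap

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_fingerprints(bundle_text):
    """SHA-256 fingerprints (hex) of every certificate body in a PEM bundle."""
    fps = set()
    for match in PEM_RE.finditer(bundle_text):
        der = base64.b64decode("".join(match.group(1).split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def bundle_digest(bundle_text):
    """Digest of the whole bundle as the process sees it, for pinning against a reference."""
    return hashlib.sha256(bundle_text.encode()).hexdigest()


def extra_certs(reference_bundle, observed_bundle):
    """Fingerprints present in the observed bundle but absent from the trusted reference."""
    return sorted(pem_fingerprints(observed_bundle) - pem_fingerprints(reference_bundle))


def _fake_pem(payload):
    # Constructed stand-in for a certificate: arbitrary bytes, PEM-armoured.
    # Not a real X.509 certificate; only the bundle parsing is exercised here.
    body = base64.b64encode(payload).decode()
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample data: two "distribution" roots, plus one root appended
# at read time, which is the effect the open(2) interception produces.
REFERENCE_BUNDLE = _fake_pem(b"distro-root-1") + _fake_pem(b"distro-root-2")
EXTRA_CERT_PEM = _fake_pem(b"ephemeral-root-appended-at-open-time")
OBSERVED_BUNDLE = REFERENCE_BUNDLE + EXTRA_CERT_PEM


if __name__ == "__main__":
    print("bundle digest as seen by this process:", bundle_digest(OBSERVED_BUNDLE))
    for fp in extra_certs(REFERENCE_BUNDLE, OBSERVED_BUNDLE):
        print("unexpected root CA in bundle, sha256:", fp)
```

In practice the observed bundle is read from /etc/ssl/certs/ca-certificates.crt inside the application process, and the reference digest is captured from the host or the package so that it cannot be altered by the same interception.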
The community discussion also raised data privacy concerns, with user gerwim pointing out that “it seems the subtrace process sends all data to your server. I’m reluctant to do that on a production environment, where API keys and personal data are being handled.” The developers addressed these concerns by explaining the tool’s local operation mode, which lets users run Subtrace entirely locally without sending data to external servers.
Other open-source tools have similar functionality for analysing container network traffic. Pixie offers comprehensive observability for Kubernetes clusters, including network tracing capabilities. Pixie captures a broader range of telemetry data beyond just network traffic, including application metrics and distributed traces. However, Pixie needs more system resources and can be complex to deploy in some environments. Pixie also focuses primarily on Kubernetes, supporting 11 application protocols, while Subtrace supports both Docker and Kubernetes deployments.
Hubble provides network observability as part of the Cilium networking stack. Thanks to its close integration with Cilium’s network policies, it can provide detailed flow analysis between services. Hubble includes both command-line tools and a graphical interface for visualising network traffic. However, it does depend on Cilium being used as the container network interface, whereas Subtrace works with any container networking setup.
Microsoft’s Retina focuses specifically on network observability for Kubernetes clusters. It can capture packets and analyse network flows, and integrates well with Azure monitoring services. On the flip side, Retina is open-source but works best with Azure. It needs more configuration to run on other cloud providers and appears to have a steeper learning curve than Subtrace.
Subtrace uses eBPF programs to capture network data directly from the kernel. This method has lower overhead than traditional packet capture methods, which run in user space, so it can process high volumes of network traffic without significantly impacting application performance. Using eBPF does mean the tool needs to run on a recent Linux kernel version, and it requires appropriate permissions to load eBPF programs, which might be restricted in some environments.
Subtrace is now available as an open source project on GitHub and as a commercial offering at Subtrace.dev.