What it does

httptap is a small TUI that attaches to a Linux process and shows its HTTP/1.1 and HTTP/2 traffic, request and response, headers and body, in a scrolling pane that looks a bit like the Chrome network tab if you squint. You pick a PID, it wires up a filter, and the traffic starts rolling in. No mitmproxy, no fiddling with certificates, no restarting your service.

Why I made it

I was debugging a service that talked to three internal APIs and a vendor, and I kept finding myself doing the same dance: tcpdump, copy the pcap, open Wireshark, follow the stream, scroll, get lost. The information I wanted was “show me every request this process just made, in order, with status codes and latencies.” So I wrote the thing that does that.

How it works

It uses eBPF to attach a socket filter to the target process’s sockets, reassembles the TCP streams in userspace, and parses HTTP out of them. For TLS traffic it hooks SSL_read / SSL_write via uprobes on OpenSSL, which covers most Go and Python services. It doesn’t cover BoringSSL-linked binaries well yet; that’s in the issues.
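The userspace half of that pipeline, as an added sketch that is not httptap's own code: captured payloads are put back in order before net/http parses requests out of the stream. The segment type, the function names and the a.test / b.test hosts are assumptions made for illustration, with sequence numbers taken as relative to the start of the stream and no wraparound handling. The parser only ever sees bytes up to the first gap, so a dropped event shortens the output instead of feeding it a misaligned stream.

```go
package main
import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"net/http"
	"sort"
)

// segment is one captured TCP payload; Seq is stream-relative (assumed, no wraparound).
type segment struct {
	Seq  uint32
	Data []byte
}

// reassemble sorts segs in place, skips retransmitted bytes, stops at the first gap.
func reassemble(segs []segment) (out []byte) {
	sort.Slice(segs, func(i, j int) bool { return segs[i].Seq < segs[j].Seq })
	for _, s := range segs {
		if s.Seq > uint32(len(out)) {
			break // gap: a capture event was dropped, do not parse past it
		}
		if skip := uint32(len(out)) - s.Seq; skip < uint32(len(s.Data)) {
			out = append(out, s.Data[skip:]...)
		}
	}
	return out
}

// parseRequests returns "METHOD host/path" for each complete HTTP/1.1 request.
func parseRequests(stream []byte) (seen []string) {
	r := bufio.NewReader(bytes.NewReader(stream))
	for {
		req, err := http.ReadRequest(r)
		if err != nil {
			return seen // EOF, or a request truncated by a gap
		}
		io.Copy(io.Discard, req.Body) // consume the body to reach the next request
		seen = append(seen, req.Method+" "+req.Host+req.RequestURI)
	}
}

// Constructed sample: two requests, cut out of order with one overlapping retransmission.
var raw = []byte("GET /a HTTP/1.1\r\nHost: a.test\r\n\r\nPOST /b HTTP/1.1\r\nHost: b.test\r\nContent-Length: 2\r\n\r\nhi")
var sampleSegs = []segment{{50, raw[50:]}, {0, raw[:20]}, {10, raw[10:30]}, {20, raw[20:50]}}

func main() {
	fmt.Println(parseRequests(reassemble(sampleSegs)))
}
```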

The TUI is bubbletea with a couple of custom viewports. The request pane is just a scrollable list; hitting enter opens the body in a pager.

Install

No module hosting — browse or copy the source from /src/httptap/ and build it yourself:

# grab the tree (hand-assembled from /src/httptap/)
make bpf && make build
sudo ./bin/httptap --pid $(pgrep my-service)

Needs CAP_BPF and CAP_NET_ADMIN, which is why sudo. On kernels older than 5.15 the uprobe bits are flaky and I’ve stopped trying to support them.

Roadmap

  • gRPC framing (partial, good enough for unary calls)
  • filter DSL so you can do host=api.stripe.com and status>=400
  • a --save mode that writes a HAR file
  • figure out whether it’s worth supporting macOS (probably not; on macOS I just use Proxyman)

Known issues

  • Very chatty services (>2k req/s) drop events. The ring buffer needs tuning.
  • HTTP/2 trailers aren’t rendered.
  • If your process forks workers, you need to attach to each one. I want to make this automatic.