|
| 1 | +--- |
| 2 | +title: 'subtrace run' |
| 3 | +description: 'Run a command with HTTP traffic tracing enabled' |
| 4 | +--- |
| 5 | + |
| 6 | +The `subtrace run` command allows you to trace HTTP traffic from any application without modifying its code. It works by intercepting network syscalls at runtime and capturing details about HTTP requests and responses. |
| 7 | + |
| 8 | +## Usage |
| 9 | + |
| 10 | +```bash |
| 11 | +subtrace run [flags] -- <command> [arguments] |
| 12 | +``` |
| 13 | + |
| 14 | +The double dash (`--`) is required to separate subtrace flags from the command you want to run. |
| 15 | + |
| 16 | +## Flags |
| 17 | + |
| 18 | +| Flag | Description | Default | |
| 19 | +|------|-------------|---------| |
| 20 | +| `-log` | Log trace events to stderr | `false` if `SUBTRACE_TOKEN` is set, `true` otherwise | |
| 21 | +| `-payload-limit` | Maximum size in bytes for request/response body capture | 4096 | |
| 22 | +| `-tls` | Enable TLS traffic interception | `true` | |
| 23 | +| `-v` | Enable verbose debug logging | `false` | |
| 24 | + |
| 25 | +## Examples |
| 26 | + |
| 27 | +### Trace a Python HTTP Server |
| 28 | + |
| 29 | +```bash |
| 30 | +subtrace run -- python -m http.server |
| 31 | +``` |
| 32 | + |
| 33 | +### Trace cURL Requests |
| 34 | + |
| 35 | +```bash |
| 36 | +subtrace run -- curl https://api.example.com |
| 37 | +``` |
| 38 | + |
| 39 | +### Trace a Node.js Application |
| 40 | + |
| 41 | +```bash |
| 42 | +subtrace run -- node server.js |
| 43 | +``` |
| 44 | + |
| 45 | +### Trace with Limited Payload Size |
| 46 | + |
| 47 | +```bash |
| 48 | +subtrace run -payload-limit 1024 -- ./myapp |
| 49 | +``` |
| 50 | + |
| 51 | +### Trace without TLS Interception |
| 52 | + |
| 53 | +```bash |
| 54 | +subtrace run -tls=false -- ./myapp |
| 55 | +``` |
| 56 | + |
| 57 | +## How It Works |
| 58 | + |
| 59 | +When you run an application with `subtrace run`: |
| 60 | + |
| 61 | +1. Subtrace creates a secure sandbox environment using Linux seccomp filters |
| 62 | +2. It intercepts network-related system calls like `socket()`, `connect()`, and `accept()` |
| 63 | +3. For HTTP traffic, it captures: |
| 64 | + - Request method, path, headers |
| 65 | + - Response status code, headers |
| 66 | + - Request and response bodies (up to payload limit) |
| 67 | + - Timing information |
| 68 | + - TLS server names and certificates |
| 69 | +4. All captured data is sent to the Subtrace backend for analysis |
| 70 | + |
| 71 | +## Requirements |
| 72 | + |
| 73 | +- Linux kernel version 5.14 or newer |
| 74 | +- `CAP_SYS_PTRACE` capability when running in production |
| 75 | +- Root access or `CAP_SYS_ADMIN` capability for TLS interception |
| 76 | + |
| 77 | +## Environment Variables |
| 78 | + |
| 79 | +| Variable | Description | |
| 80 | +|----------|-------------| |
| 81 | +| `SUBTRACE_TOKEN` | Authentication token for the Subtrace API | |
| 82 | +| `SUBTRACE_ENDPOINT` | Custom API endpoint (defaults to https://subtrace.dev) | |
| 83 | + |
| 84 | +## Limitations |
| 85 | + |
| 86 | +- Works only on Linux systems |
| 87 | +- Cannot trace statically linked binaries |
| 88 | +- May require configuration changes for applications that perform certificate pinning |
| 89 | + |
| 90 | +## Error Handling |
| 91 | + |
| 92 | +If subtrace encounters an error while tracing, it will: |
| 93 | + |
| 94 | +1. Log the error to stderr with context |
| 95 | +2. Continue tracing other requests if possible |
| 96 | +3. Preserve the original application behavior |
| 97 | + |
| 98 | +Common error scenarios: |
| 99 | + |
| 100 | +```bash |
| 101 | +# Missing SUBTRACE_TOKEN |
| 102 | +subtrace: error: SUBTRACE_TOKEN is empty |
| 103 | + |
| 104 | +# Insufficient kernel version |
| 105 | +subtrace: error: unsupported Linux kernel version (got 4.19, want 5.14+) |
| 106 | + |
| 107 | +# Missing capabilities |
| 108 | +subtrace: error: was subtrace started with the SYS_PTRACE capability? |
| 109 | +``` |
| 110 | + |
| 111 | +## Example Output |
| 112 | + |
| 113 | +When `-log` is enabled, subtrace prints trace events in a key-value format: |
| 114 | + |
| 115 | +``` |
| 116 | +time="2024-03-14T15:04:05Z" event_id="550e8400-e29b-41d4-a716-446655440000" http_req_method="GET" http_req_path="/api/users" http_resp_status_code=200 http_duration=127 |
| 117 | +``` |
| 118 | + |
| 119 | +## Best Practices |
| 120 | + |
| 121 | +1. Always use the latest version of subtrace for best compatibility |
| 122 | +2. Set appropriate payload size limits based on your application |
| 123 | +3. Consider disabling TLS interception if not needed |
| 124 | +4. Use verbose logging (-v) when debugging trace issues |
| 125 | +5. Set up proper access controls for the Subtrace API token |
| 126 | + |
| 127 | +## Security Considerations |
| 128 | + |
| 129 | +- Subtrace can see all HTTP traffic, including sensitive headers and payloads |
| 130 | +- TLS interception requires trust in Subtrace's certificate authority |
| 131 | +- API tokens should be treated as sensitive credentials |
| 132 | +- Consider using separate tokens for development and production |
| 133 | + |
| 134 | +## Related Commands |
| 135 | + |
| 136 | +- `subtrace proxy` - Run a reverse proxy with tracing |
| 137 | +- `subtrace version` - Show version information |
| 138 | +- `subtrace worker` - Start a worker node (for self-hosted setups) |
| 139 | + |
0 commit comments