Show HN: Witr – Explain why a process is running on your Linux system
github.com352 points by pranshuparmar 21 hours ago
352 points by pranshuparmar 21 hours ago
Hi HN,
I built a small Linux CLI tool called witr (Why Is This Running?).
The idea came from a situation most of us have hit: you log into a machine, see a process or port running, and immediately wonder why it exists, who started it, and what is keeping it alive right now.
witr traces a process, service, or port back to its origin and responsibility chain and explains it in a way that’s quick to read, especially when you’re debugging under pressure.
This is v0.1.0. It’s intentionally small and focused. Feedback, criticism, and edge cases are very welcome.
Repo: https://github.com/pranshuparmar/witr
This is great. Small, trivial suggestion: the gif that loops in the README should pause on the screen w/ the output for a few seconds longer - it disappears (restarts) too quickly to take in all of the output. Thanks everyone for the feedback on the GIF! I though it looked good but when I went back to see it from a user's POV, it was really miserable, haha. I've already switched it to a static image, appreaciate everyone's input and suggestions. I would also argue it shouldn't be a gif. It's nice that it shows the command is fast I guess but it's one command that's still visible in the final frame. Not as bandwidth efficient and agreed I can't read it all in time You can make that problem irrelevant with the much, much simpler solution of not animating it at all. Stay paused on the output 100% of the time! The gif is adding no value. I already know what typing text into a terminal looks like. https://github.com/charmbracelet/vhs is a really good utility for automatically making these gifs. I'm a big fan of svg-term myself: https://github.com/marionebl/svg-term-cli Hm, very interesting! This only converts asciinema recordings, though, right? It doesn't automatically record anything? If you have asciinema already installed then you can invoke it through svg-term like this! Also the pause button seems to take the GIF back to its first frame, then resume from where I paused... either that or I need a good sleep. A quick note on scope: this is not meant to replace existing monitoring or observability tools. It’s designed for those moments when you SSH into a box and need to quickly understand “why is this running” without digging through configs, cron jobs, or service trees manually. Happy to answer questions or adjust direction based on feedback. This is very clever. I've often needed to figure out what some running process was actually for (e.g. because it just started consuming a lot of some limited resource) but it never occurred to me that one could have a tool to answer that question. Well done. --- Edit: Ah, ok, I slightly misunderstood - skimmed the README too quickly. I thought it was also explaining what the process did :D Still a clever tool, but thought it went a step further. Perhaps you should add that though - combine Man page output with a database of known processes that run on various Linux systems and a mechanism for contributing PRs to extend that database...? Unlesss it's just me that often wants to know "what the fsck does /tmp/hax0r/deeploysketchyd actually do?" :P Looking up the binary in the package management system would also provide another source of useful information. Of course this would dramatically increase the complexity but would, I think, be useful. If you could look it up using APT/dpkg first, that would be lovely :-) If you have its path, dpkg already has an option to do that: "dpkg -S". Although some extra logic is needed for symlinks. Thanks, glad you liked it! As @darrenf mentioned, `whatis` can help with that use case. For now, I’m keeping `witr` focused on explaining PIDs. seems handy but mostly the ppid is outputted as the reason for starting. its 'who dun it', not really _why_ it was started. (service file, autorun, execve etc.) i see you support multiple output format including json thats nice. id recommend to assume automation (ssh script/commands) and make the default output really easily greppable , or json (jq) since itll be more appealing to parse (shouldnt reduce readability, for the default output it looks like just removing some linebreaks to make it parse more consistently. (maybe the lines are wrapped tho? unclear from the img) Thanks for the feedback! I’ll look into showing who and why in a more distinct way.
The default output is human-first, hence some extra line breaks, but the JSON flag is already there for automation. We can also see if it can be made more easily greppable. Sounds like something I could use, but installing a binary via `curl` doesn't sit right with me. Next problem you have is "explain how this thing was installed on my system" followed "is it up to date (including security patches). I hope they have deb package or snap some day. I understand that installing via `curl` isn’t for everyone, but since this is the first release, I intentionally kept it simple. Now that the tool is gaining some traction, I can definitely plan proper packages for future releases. Thanks for your inputs. > witr is successful if users trust it during incidents. > This project was developed with assistance from AI/LLMs [...] supervised by a human who occasionally knew what he was doing. This seems contradictory to me. The last bit > supervised by a human who occasionally knew what he was doing. seems in jest but I could be wrong. If omitted or flagged as actual sarcasm I would feel a lot better about the project overall. As long as you’re auditing the LLM’s outputs and doing a decent code review I think it’s reasonable to trust this tool during incidents. I’ll admit I did go straight to the end of the readme to look for this exact statement. I appreciate they chose to disclose. Thank you, yes I added it in jest and still keeping it for sometime. It was always meant to be removed in future. If you're capable of auditing the LLM’s outputs and doing a decent code review then you don't need an LLM. Nobody who was writing code before LLMs existed "needs" an LLM, but they can still be handy. Procfs parsing trivialities are the kind of thing LLMs are good at, although apparently it still takes a human to say "why not using an existing library that solves this, like https://pkg.go.dev/github.com/prometheus/procfs" > Procfs parsing trivialities are the kind of thing LLMs are good at Have you tried it? Procfs trivialities is exactly the kind of thing where an LLM will hallucinate something plausible-looking. Fixing LLM hallucinations takes more work and time than just reading manpages and writing code yourself. Claude code can read manpages too If I'd ever feel the urge to misengineer a rube goldberg contraption to manage my vibe coder LLM output I'll get back to you. But at the moment I feel like all that sounds suspiciously like actual work. It cant "read" anything. It can include the man page in the prompt, but it can never "read" it. If the output is working code I don't really care whether it's reading, "reading", or """reading""" Neither do you need and IDE, syntax highlighting or third party libraries, yet you use all of them. There's nothing wrong for a software engineer about using LLMs as an additional tool in his toolbox. The problem arises when people stops doing software engineering because they believe the LLM is doing the engineering for them. I don't use IDEs that require more time and effort investment than they save. You mileage may vary, though. Lots of software engineers love those time and effort tarpits. Fair enough! That line was meant tongue‑in‑cheek, and to be transparent about LLM usage.
Rest assured, they were assistants, not authorities. No to me. It just has to demonstrate to work well, which is plenty possible with a developer focused on outcome rather than process (though hopefully they cared a bit about process/architecture too). Regardless of code correctness, it's easy enough for malware to spoof process relationships. I agree, the LLM probably has a much better idea of what's happening than any human If you're looking to build and install this from source, here's the incantation: CGO_ENABLED=0 go build -ldflags "-X main.version=dev -X main.commit=$(git rev-parse --short HEAD) -X 'main.buildDate=$(date +%Y-%m-%d)'" -o witr ./cmd/witr Call me old-fashioned, but if there's an install.sh, I would hope it would prefer the local src over binaries. Very cool utility! Simple tools like these keep me glued to the terminal. Thank you! Thanks! Glad you like it
Thanks to @sestep, Nix support is already added, so no need to worry about binaries. Alternatively you can use Nix! :P https://github.com/pranshuparmar/witr/pull/5 This is amazing and really useful to me.
Great job. However, I can’t use it in a production business environment for the same reasons other users mentioned earlier.
A Debian or RPM package would be fantastic. Thank you, glad you liked it. Since this is the first release, I intentionally kept it simple. Now that the tool is gaining some traction, I can definitely plan proper packages for future releases. Thanks for your inputs. What does this means for context:
“Git repository name and branch”
Does this mean it detects if something is running from within a git repository folder? Couldn’t find the code that checked this. It appears to walk up from the process's working directory searching for a .git directory: https://github.com/pranshuparmar/witr/blob/1e47bdb8fde179b17... Yes, that's correct! It walks up from the process’s working directory looking for a `.git` folder to detect the repo and branch. Thanks. Cool idea. Reminds me of my alias "whodis" which just lsofs a port to find out the pid who's got it open, but way more functional. Thanks! Glad you like it
Trying to make this a swiss army knife for PID information. This is amazing. Thank you for sharing this. Do you have any qualms about me making an entry in the AUR for this? Thanks! Really appreciate it.
No qualms at all — an AUR entry would be awesome! Im not the author but I would love for an AUR made for this ;) My favorite thing about arch is how insanely quickly AURs pop up for interesting tools. Brilliant stuff! Any plan to support macos? Thank you, yes coming soon - https://github.com/pranshuparmar/witr/pull/9 I'm really loving this! 'Responsibility chain' will become a trendy phrase. i definitely see the use for it, lots of moments where i wonder how or why something was started. This is extremely useful, will be added to the toolbox. Thanks for sharing. pstree doesn't answer the why? No, it does not. I'm on mobile, so it's not super easy to read the source, but it seems like it only checks for the parent processes? Also I don't think this approach works correctly, because a disowned/nohup process will show up as PPID 1 (systemd), which is not correct `ps uaxf` gives me pretty similar output. `witr` is trying to be a bit different. Here are few use cases to consider:
- When a process started.
- Which ports a process is using.
- Which user started it.
- From which directory it started.
- env flag to list all the variables attached to the process.
- json flag to use it programmatically. Worth mentioning: I had claude code find a crypto miner on an infected system which had been running for ~5 months undetected. Up-to-date windows 10 machine. Single prompt saying "This PC is using too much power or fans, investigate". Took minutes, completely cleaned up the infection (I hope) and identified its source. Fantastic use-case. You’re better off wiping and reinstalling the OS than trying to clean the system.
mh- - 14 hours ago
godelski - 10 hours ago
Honestly, I think a screenshot is better than a gif. That last frame says everything you need. > the gif that loops in the README should pause on the screen
pranshuparmar - an hour ago
Neywiny - 14 hours ago
thaumasiotes - 2 hours ago
stavros - 14 hours ago
sestep - 13 hours ago
stavros - 13 hours ago
sestep - 13 hours ago
But that has the aforementioned issues about not pausing enough, so I usually just record with asciinema first and then invoke svg-term. svg-term --command 'cowsay hey there'
rzzzt - 12 hours ago
pranshuparmar - 21 hours ago
dcminter - 17 hours ago
filterfish - 8 hours ago
ajb - 3 hours ago
pranshuparmar - an hour ago
saidnooneever - an hour ago
pranshuparmar - 17 minutes ago
vzaliva - 12 hours ago
pranshuparmar - an hour ago
zenoprax - 9 hours ago
zephyreon - 8 hours ago
pranshuparmar - 31 minutes ago
otabdeveloper4 - 5 hours ago
Retr0id - 5 hours ago
otabdeveloper4 - 5 hours ago
Retr0id - 4 hours ago
otabdeveloper4 - 7 minutes ago
delusional - 3 hours ago
Retr0id - 2 hours ago
littlestymaar - 4 hours ago
otabdeveloper4 - 5 minutes ago
pranshuparmar - an hour ago
solarkraft - 7 hours ago
Retr0id - 5 hours ago
guywithahat - 7 hours ago
be_erik - 14 hours ago
pranshuparmar - 42 minutes ago
sestep - 13 hours ago
cedsam - 4 hours ago
pranshuparmar - an hour ago
DougN7 - 14 hours ago
jackwilsdon - 14 hours ago
pranshuparmar - 40 minutes ago
epiccoleman - 7 hours ago
pranshuparmar - 38 minutes ago
TheCraiggers - 16 hours ago
pranshuparmar - 36 minutes ago
giancarlostoro - 15 hours ago
jsomedon - 2 hours ago
pranshuparmar - 35 minutes ago
techsystems - 15 hours ago
4ggr0 - 17 hours ago
properbrew - 12 hours ago
q2dg - 16 hours ago
mathfailure - 16 hours ago
tatref - 2 hours ago
wyldfire - 13 hours ago
pranshuparmar - 25 minutes ago
tototrains - 7 hours ago
jbnorth - 7 hours ago