Wireshark for AI Agents: passive eBPF observability
Heron is a passive network analyzer that reconstructs what your AI agents are actually doing. Zero SDKs. Zero proxy. Hook eBPF to see TLS-encrypted LLM calls and identify which agent process made them.
Hey PH! 👋 I'm sharing Heron today on behalf of the engineering team at Netis.
We built Heron because our team got tired of our AI agent loops looking like 200 OK in the logs while the actual agent was stuck replaying the same tool call for 47 seconds straight.
What Heron does: Heron is a passive analyzer that reconstructs what your AI agents are actually doing — from the network traffic itself. No SDK, no proxy, nothing in the request path. It captures LLM traffic (OpenAI, Anthropic, Gemini, vLLM, SGLang, Ollama…), parses the wire protocol, and stitches multi-call interactions into agent turns you can actually debug.
What's new in v0.7.0 (just shipped): 🌌 OpenTelemetry Native — We completely aligned our architecture with OTel standards. Agent turns are now traces, and LLM calls are now spans.
🔥 eBPF capture discoverability — hook SSL_read/SSL_write to see TLS-encrypted agent traffic as plaintext, with process attribution (which agent process made which call). No proxy, no TLS terminator.
📊 We discovered that ~73% of Claude Code's Opus turns in our production capture were hidden security-monitor sidecars — Heron now filters them automatically so you see real agent work, not housekeeping noise.
🧬 One-click SFT trajectory export — turn your production agent traffic into fine-tuning training data without re-running anything.
Built in Rust, ships as a single binary with the React console embedded. Apache-2.0. Would love your feedback!
“Wireshark for AI Agents: passive eBPF observability”
Heron launched on Product Hunt on June 25th, 2026 and earned 105 upvotes and 22 comments, placing #16 on the daily leaderboard. Heron is a passive network analyzer that reconstructs what your AI agents are actually doing. Zero SDKs. Zero proxy. Hook eBPF to see TLS-encrypted LLM calls and identify which agent process made them.
On the analytics side, Heron competes within Open Source, Developer Tools, Artificial Intelligence and GitHub — topics that collectively have 1.1M followers on Product Hunt. The dashboard above tracks how Heron performed against the three products that launched closest to it on the same day.
Who hunted Heron ?
Heron was hunted by Vincent Wu. A “hunter” on Product Hunt is the community member who submits a product to the platform — uploading the images, the link, and tagging the makers behind it. Hunters typically write the first comment explaining why a product is worth attention, and their followers are notified the moment they post. Around 79% of featured launches on Product Hunt are self-hunted by their makers, but a well-known hunter still acts as a signal of quality to the rest of the community. See the full all-time top hunters leaderboard to discover who is shaping the Product Hunt ecosystem.
For a complete overview of Heron including community comment highlights and product details, visit the product overview.
Hey PH! 👋 I'm sharing Heron today on behalf of the engineering team at Netis.
We built Heron because our team got tired of our AI agent loops looking like 200 OK in the logs while the actual agent was stuck replaying the same tool call for 47 seconds straight.
What Heron does: Heron is a passive analyzer that reconstructs what your AI agents are actually doing — from the network traffic itself. No SDK, no proxy, nothing in the request path. It captures LLM traffic (OpenAI, Anthropic, Gemini, vLLM, SGLang, Ollama…), parses the wire protocol, and stitches multi-call interactions into agent turns you can actually debug.
What's new in v0.7.0 (just shipped): 🌌 OpenTelemetry Native — We completely aligned our architecture with OTel standards. Agent turns are now traces, and LLM calls are now spans.
🔥 eBPF capture discoverability — hook SSL_read/SSL_write to see TLS-encrypted agent traffic as plaintext, with process attribution (which agent process made which call). No proxy, no TLS terminator.
📊 We discovered that ~73% of Claude Code's Opus turns in our production capture were hidden security-monitor sidecars — Heron now filters them automatically so you see real agent work, not housekeeping noise.
🧬 One-click SFT trajectory export — turn your production agent traffic into fine-tuning training data without re-running anything.
Built in Rust, ships as a single binary with the React console embedded. Apache-2.0. Would love your feedback!
🦩 Try it: curl -fsSL https://raw.githubusercontent.com/Netis/heron/main/install.sh | sh ⭐ GitHub: https://github.com/Netis/heron