wiretrail

wiretrail is a fast, deterministic, agent-friendly HAR (HTTP Archive) analyzer
for the command line. It answers narrow, repeatable questions about a network
capture in a single command — storms, duplicates, retries, errors, auth flows,
slow calls, what varies between repeated requests, ranked root-cause diagnosis,
body search/extraction, and regression diff against a baseline — with structured
terminal output and a stable --json schema, and no GUI.
It is HeapTrail for network captures. It reuses heaptrail's design philosophy:
agentic/LLM-driven investigation, deterministic output that diffs cleanly,
JSON for machine consumers, and fixed single-command answers instead of an
interactive load-and-explore session.
Forked from mandrean/har-rs, which
contributes the HAR 1.2/1.3 struct definitions; this fork replaces the parse path
with an mmap single-pass loader and adds the analysis CLI documented below.
Motivation
Each log.entries[] item in a HAR already exposes the request, response, content,
timings, cache metadata, headers, cookies, URL, method, status, and bodies — more
than enough to reconstruct the kind of manual "what happened during this capture?"
analysis a debugger does by hand. wiretrail turns that into single-command
answers.
Sanitization is treated as core, not optional: HARs routinely contain cookies,
auth headers, tokens, request/response bodies, and user data. wiretrail redacts
by default across every output — including secret-bearing blobs hidden in URL
path segments — and only reveals raw values with an explicit
--unsafe-include-secrets flag.
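As an added illustration of what redact-by-default has to cover (this is not wiretrail's code; the header list, name pattern, entropy threshold and sample capture are assumptions constructed for the example), a small Python pass over a HAR that masks auth headers, cookies, bodies, secret-looking query values and secret-bearing URL path segments:

```python
import copy, json, math, re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MASK = "REDACTED"
SECRET_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
SECRET_NAME = re.compile(r"token|secret|passw|session|auth|key|sig", re.I)  # assumed name list
JWT = re.compile(r"^[\w-]{8,}\.[\w-]{8,}\.[\w-]{8,}$")

def looks_secret(value):
    """Assumed heuristic: JWT-shaped, or 24+ chars with >= 4 bits/char of entropy."""
    if JWT.match(value):
        return True
    freq = [value.count(c) / len(value) for c in set(value)]
    return len(value) >= 24 and -sum(p * math.log2(p) for p in freq) >= 4.0

def mask_pair(name, value):
    return MASK if SECRET_NAME.search(name) or looks_secret(value) else value

def redact_url(url):
    u = urlsplit(url)
    # Path segments are checked one by one: tokens are often embedded in the path.
    path = "/".join(MASK if looks_secret(s) else s for s in u.path.split("/"))
    query = urlencode([(k, mask_pair(k, v)) for k, v in parse_qsl(u.query, keep_blank_values=True)])
    return urlunsplit((u.scheme, u.netloc, path, query, ""))  # fragment is dropped

def redact_har(har):
    out = copy.deepcopy(har)  # never mutate the caller's capture
    for entry in out["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        req["url"] = redact_url(req["url"])
        for q in req.get("queryString", []):
            q["value"] = mask_pair(q["name"], q["value"])
        for msg in (req, resp):
            for h in msg.get("headers", []):
                if h["name"].lower() in SECRET_HEADERS:
                    h["value"] = MASK
            for c in msg.get("cookies", []):
                c["value"] = MASK
        if "postData" in req:
            req["postData"]["text"] = MASK  # bodies are masked wholesale
        if "text" in resp.get("content", {}):
            resp["content"]["text"] = MASK
    return out

SAMPLE = {"log": {"entries": [{  # constructed sample capture, not real data
    "request": {"url": "https://app.example.test/api/v1/share/k9Xv2LmQ8rT4zB7nW1cY6dPa/file?access_token=abc123&page=2",
                "headers": [{"name": "Authorization", "value": "Bearer s3cr3t-bearer"}], "cookies": [{"name": "sid", "value": "cookie-value-1"}], "queryString": [{"name": "access_token", "value": "abc123"}]},
    "response": {"headers": [{"name": "Set-Cookie", "value": "sid=cookie-value-2"}], "content": {"text": "{\"email\": \"user@example.test\"}"}}}]}}

if __name__ == "__main__":
    print(json.dumps(redact_har(SAMPLE), indent=2))
```

The same list of locations doubles as a checklist when reviewing any HAR before it is attached to a ticket.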
When to use wiretrail
- Agentic / LLM-driven investigation. Structured terminal output (with --json)
lets an agent run a command, read the result, and decide the next probe. Every
command prints a "next useful commands" footer.
- Headless / CI. Single static binary, deterministic output, defined exit codes
(0 clean, 1 findings, 2 invalid HAR). compare --fail-on <severity> turns a
regression diff against a baseline HAR into a strict pass/fail gate.
- Large captures. mmap single-pass parse: a 143 MB capture (2237 entries) loads
in ~0.5 s using ~2× the file size in RAM.
- Safe to share. Redact-by-default makes report, curl, and show-entry output
safe to paste into a ticket; use --unsafe-include-secrets when you actually
need to replay a call.
- Narrow, repeatable questions. "What are the request storms?", "Which calls are
wasteful duplicates vs retries?", "What's the auth/refresh story?", "What differs
between these 27 identical-looking POSTs?" — one command each.
When to use browser DevTools / a proxy GUI
- Live, interactive inspection while reproducing a flow — Chrome DevTools,
Charles, Proxyman, HTTP Toolkit stay in their column.
- Editing and re-sending requests interactively. wiretrail emits sanitized
curl for replay but isn't an interactive client.
The tools complement each other: capture in a proxy/DevTools, then run wiretrail
over the exported .har for fast, scriptable, agent-friendly post-mortem analysis.
Install
cargo install wiretrail
Or build from git:
git clone https://github.com/johnneerdael/wiretrail
cd wiretrail
cargo build --release # ./target/release/wiretrail
Pre-built binaries for Linux/macOS/Windows are attached to each
GitHub release.
Usage
wiretrail <FILE> [COMMAND] [OPTIONS]
<FILE> is a HAR (1.2 or 1.3) export. With no command, summary runs.
wiretrail capture.har # executive summary (default)
wiretrail capture.har auto # smart one-shot: summary + auto-drill the findings
wiretrail capture.har duplicates # repeated calls, grouped
wiretrail capture.har errors --json # 4xx/5xx grouped, as JSON
wiretrail capture.har show-entry e000123 # full redacted detail for one entry
wiretrail capture.har curl e000123 --unsafe-include-secrets # replayable cURL
Start with auto for an unfamiliar capture: it prints the summary, ranks the
likely problems, and inlines the relevant deeper analysis (errors, retries, auth,
…) scoped to exactly where the trouble is — one command, no guessing what to run
next. summary itself now ends with a ranked recommended next steps section,
so even the default command tells you precisely which follow-ups matter.
Global options