Show HN: Witr – Explain why a process is running on your Linux system (github.com)

526 points by pranshuparmar ↗ HN
Hi HN,

I built a small Linux CLI tool called witr (Why Is This Running?).

The idea came from a situation most of us have hit: you log into a machine, see a process or port running, and immediately wonder why it exists, who started it, and what is keeping it alive right now.

witr traces a process, service, or port back to its origin and responsibility chain and explains it in a way that’s quick to read, especially when you’re debugging under pressure.

This is v0.1.0. It’s intentionally small and focused. Feedback, criticism, and edge cases are very welcome.

Repo: https://github.com/pranshuparmar/witr

56 comments

[ 0.20 ms ] story [ 119 ms ] thread
A quick note on scope: this is not meant to replace existing monitoring or observability tools. It’s designed for those moments when you SSH into a box and need to quickly understand “why is this running” without digging through configs, cron jobs, or service trees manually.

Happy to answer questions or adjust direction based on feedback.

I left a different comment, but I think this is good. You're example is 3306 and has a useful breakdown. Not everyone has that port memorized by trauma, and not every mysql instance uses that port.

New tools are always welcome, and having a purpose to explain a purpose seems like a good pitch.

i definitely see the use for it, lots of moments where i wonder how or why something was started.
Thank you, please feel free to share any feedback/ideas.
pstree doesn't answer the why?
Nice and installed then starred.
Thank you, please feel free to share any feedback/ideas.
This is amazing. Thank you for sharing this.

Do you have any qualms about me making an entry in the AUR for this?

Thanks! Really appreciate it. No qualms at all — an AUR entry would be awesome!
I'm really loving this!

'Responsibility chain' will become a trendy phrase.

Haha, glad you like it! Maybe "responsibility chain" will catch on.
This is great. Small, trivial suggestion: the gif that loops in the README should pause on the screen w/ the output for a few seconds longer - it disappears (restarts) too quickly to take in all of the output.
You can make that problem irrelevant with the much, much simpler solution of not animating it at all. Stay paused on the output 100% of the time!

The gif is adding no value. I already know what typing text into a terminal looks like.

Thanks everyone for the feedback on the GIF! I though it looked good but when I went back to see it from a user's POV, it was really miserable, haha. I've already switched it to a static image, appreaciate everyone's input and suggestions.
What does this means for context: “Git repository name and branch” Does this mean it detects if something is running from within a git repository folder? Couldn’t find the code that checked this.
If you're looking to build and install this from source, here's the incantation:

CGO_ENABLED=0 go build -ldflags "-X main.version=dev -X main.commit=$(git rev-parse --short HEAD) -X 'main.buildDate=$(date +%Y-%m-%d)'" -o witr ./cmd/witr

Call me old-fashioned, but if there's an install.sh, I would hope it would prefer the local src over binaries.

Very cool utility! Simple tools like these keep me glued to the terminal. Thank you!

Thanks! Glad you like it Thanks to @sestep, Nix support is already added, so no need to worry about binaries.
`ps uaxf` gives me pretty similar output.
`witr` is trying to be a bit different. Here are few use cases to consider: - When a process started. - Which ports a process is using. - Which user started it. - From which directory it started. - env flag to list all the variables attached to the process. - json flag to use it programmatically.
This is extremely useful, will be added to the toolbox. Thanks for sharing.
Thank you, please feel free to share any feedback/ideas.
Sounds like something I could use, but installing a binary via `curl` doesn't sit right with me. Next problem you have is "explain how this thing was installed on my system" followed "is it up to date (including security patches).

I hope they have deb package or snap some day.

I understand that installing via `curl` isn’t for everyone, but since this is the first release, I intentionally kept it simple. Now that the tool is gaining some traction, I can definitely plan proper packages for future releases. Thanks for your inputs.
Just to update, witr is currently available on brew and AUR. deb, rpm and apk packages are also available in the release, and can be run directly via nix without installation.
I really like this. Something like this should already exist, stock.
Thanks! Funny enough, that was my thought too when creating it.
> witr is successful if users trust it during incidents.

> This project was developed with assistance from AI/LLMs [...] supervised by a human who occasionally knew what he was doing.

This seems contradictory to me.

Fair enough! That line was meant tongue‑in‑cheek, and to be transparent about LLM usage. Rest assured, they were assistants, not authorities.
Worth mentioning: I had claude code find a crypto miner on an infected system which had been running for ~5 months undetected. Up-to-date windows 10 machine. Single prompt saying "This PC is using too much power or fans, investigate". Took minutes, completely cleaned up the infection (I hope) and identified its source. Fantastic use-case.
Cool idea. Reminds me of my alias "whodis" which just lsofs a port to find out the pid who's got it open, but way more functional.
Thanks! Glad you like it Trying to make this a swiss army knife for PID information.
This is amazing and really useful to me. Great job.

However, I can’t use it in a production business environment for the same reasons other users mentioned earlier. A Debian or RPM package would be fantastic.

Thank you, glad you liked it. Since this is the first release, I intentionally kept it simple. Now that the tool is gaining some traction, I can definitely plan proper packages for future releases. Thanks for your inputs.
seems handy but mostly the ppid is outputted as the reason for starting. its 'who dun it', not really _why_ it was started. (service file, autorun, execve etc.)

i see you support multiple output format including json thats nice. id recommend to assume automation (ssh script/commands) and make the default output really easily greppable , or json (jq) since itll be more appealing to parse (shouldnt reduce readability, for the default output it looks like just removing some linebreaks to make it parse more consistently. (maybe the lines are wrapped tho? unclear from the img)

Very nice README, too.
This is great. One of those things that just formats and does all the little niggling things you have to do sometimes. I like that it is simple, and doesn't (thank god) need npm or some other package manager.

to quote the top comment: just show a screenshot of its results, if its useful its fine, being fast is just gravy.