Thanks!
re the Wireshark analogy: the reason I used that was because: (1) Subtrace operates at roughly the same level in the operating system stack, (2) has similar capabilities, (3) has an overlap in use-cases, and (4) has been the most effective at communicating what Subtrace is in my experience so far. I can see why the analogy is not a perfect 1:1 mapping (obligatory xkcd: https://xkcd.com/624), but naming things is hard and taglines are just names in idea space :)
I'm struggling to understand why I wouldn't just use wireshark and specify the interface as well. Reading docs shows you need to invoke your container with this as a wrapper which to me is quite a bit scarier than attaching to an interface.
Can I download a pcap file? Being able to view and debug the application protocol is one thing, but I can use Wireshark to view and debug TCP itself.
Reading the documentation makes it sound like this sits one or two levels above where Wireshark usually operates, which is why I think the analogy is tough.
Wireshark is a weird choice in my opinion because you know, why would i use Subtrace if i can use Wireshark?
and People who don't know how to use Wireshark want probably a better motivation to use Subtrace than 'its like wireshark' because there is a reason why they don't use it.
My first impression with "Wireshark for Docker containers" is "... Well, Wireshark already works with Docker containers, so if your goal is to be Wireshark for Docker containers, you'll just fail by definition. Can't beat Wireshark at being Wireshark."
I'm saying this just FYI. I haven't actually looked at what your product does, but if it were to matter to me, it'd be based on what it can offer that Wireshark can't, rather than how similar it is to Wireshark.