Heron
Wireshark for AI Agents: passive eBPF observability
Heron is a passive network analyzer that reconstructs what your AI agents are actually doing. Zero SDKs. Zero proxy. Hook eBPF to see TLS-encrypted LLM calls and identify which agent process made them.

Passive observability for agents is a serious missing layer. The useful question is not just what the agent answered, but what it touched, fetched, mutated, or failed to see before it answered.
Heron
@krekeltronics Yes — that is the missing layer we care about.
For agents, the final answer is only one artifact. The more useful debugging trail is what happened before it: model calls, tool calls/results, service paths, timing, loops, failures, and process ownership.
Heron reconstructs that passively from observable LLM/agent traffic. Important boundary: if a local mutation never crosses an observed LLM/tool/API boundary, Heron cannot infer it from the wire alone. But the passive trail still gives teams an independent record of what the agent actually did before it answered.
What's the performance impact of running Heron alongside a live agent in production?
Heron
@pradyumna6 Great question. Heron is designed to avoid request-path impact: it does not sit between your agent and the model provider, and it does not proxy or mutate requests. It passively observes traffic, so it should not add latency to the live agent path.
That said, it is still a real observer process, so the impact depends on traffic volume, body sizes, capture mode, retention settings, and storage backend. In production we recommend starting with a passive/shadow deployment, tuning retention and body caps, and watching CPU, memory, and disk I/O before expanding coverage.
The main design goal is: if Heron is slow or fails, your agent traffic should keep flowing. Heron may lose observability data under resource pressure, but it should not block the agent itself.
Heron
@pradyumna6 Minimum, in a real production environment, we record almost 0% CPU usage on 8xB300 production nodes while Heron is working very well.
eBPF for agent observability is such a smart call. Going passive means I don't have to wrap or instrument anything, which is honestly the part that always scares me about adding monitoring to a live product.
Heron
@yibo_wang3 Yes — this is basically the Heron thesis. Agent observability shouldn’t require every team to rewrite their stack or trust framework-level logs. A passive eBPF layer can observe real behavior from below: outbound calls, process activity, file access, tool/API patterns. That gives teams a safer way to add governance and debugging to live agent systems without putting instrumentation in the critical path.