witr-process-inspector
CLI and TUI tool that explains why processes, services, and ports are running by tracing causality chains across supervisors, containers, and shells.
Best use case
witr-process-inspector is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
CLI and TUI tool that explains why processes, services, and ports are running by tracing causality chains across supervisors, containers, and shells.
Teams using witr-process-inspector should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/witr-process-inspector/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How witr-process-inspector Compares
| Feature / Agent | witr-process-inspector | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
CLI and TUI tool that explains why processes, services, and ports are running by tracing causality chains across supervisors, containers, and shells.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# witr — Why Is This Running?
> Skill by [ara.so](https://ara.so) — Daily 2026 Skills collection.
**witr** is a Go CLI/TUI tool that answers "why is this running?" for any process, service, or port. Instead of leaving you to correlate `ps`, `lsof`, `ss`, `systemctl`, and `docker ps` manually, witr makes the causality chain explicit — showing where a running thing came from, how it was started, and what chain of supervisors/containers/shells is responsible.
---
## Installation
### Quickest (Unix)
```bash
curl -fsSL https://raw.githubusercontent.com/pranshuparmar/witr/main/install.sh | bash
```
### Quickest (Windows PowerShell)
```powershell
irm https://raw.githubusercontent.com/pranshuparmar/witr/main/install.ps1 | iex
```
### Package Managers
```bash
# Homebrew (macOS/Linux)
brew install witr
# Conda
conda install -c conda-forge witr
# Arch Linux (AUR)
yay -S witr-bin
# Windows winget
winget install -e --id PranshuParmar.witr
# Windows Scoop
scoop install main/witr
# Alpine / apk
sudo apk add --allow-untrusted ./witr-*.apk
# Go source install
go install github.com/pranshuparmar/witr/cmd/witr@latest
```
---
## Key Commands & Flags
### Basic Usage
```bash
# Inspect a process by PID
witr <pid>
# Inspect by process name (substring match)
witr <name>
# Inspect what's bound to a port
witr --port <port>
witr -p <port>
# Launch interactive TUI dashboard
witr --interactive
witr -i
# Show all running processes with causality info
witr --all
witr -a
# Output as JSON (for scripting)
witr --json <pid>
# Follow/watch mode — refresh automatically
witr --watch <pid>
witr -w <pid>
# Verbose output — show full environment and metadata
witr --verbose <pid>
witr -v <pid>
# Filter processes by user
witr --user <username>
# Show version
witr --version
```
### Common Flag Reference
| Flag | Short | Description |
|------|-------|-------------|
| `--port` | `-p` | Inspect by port number |
| `--interactive` | `-i` | Launch TUI dashboard |
| `--all` | `-a` | Show all processes |
| `--json` | | Output as JSON |
| `--watch` | `-w` | Auto-refresh/follow |
| `--verbose` | `-v` | Full metadata output |
| `--user` | | Filter by OS user |
| `--version` | | Print version |
---
## Interactive TUI Mode
Launch the full dashboard:
```bash
witr -i
# or
witr --interactive
```
**TUI Keybindings:**
| Key | Action |
|-----|--------|
| `↑` / `↓` | Navigate process list |
| `Enter` | Expand process detail / causality chain |
| `f` | Filter/search processes |
| `s` | Sort by column |
| `r` | Refresh |
| `j` | Toggle JSON view |
| `q` / `Ctrl+C` | Quit |
---
## Example Outputs
### Inspect a PID
```bash
witr 1234
```
```
PID: 1234
Name: node
Binary: /usr/local/bin/node
Started: 2026-03-18 09:12:44
User: ubuntu
Why is this running?
└─ Started by: npm (PID 1200)
└─ Started by: bash (PID 1180)
└─ Started by: sshd (PID 980)
└─ Started by: systemd (PID 1) [service: sshd.service]
```
### Inspect by Port
```bash
witr --port 8080
```
```
Port: 8080 (TCP, LISTEN)
Process: python3 (PID 4512)
Binary: /usr/bin/python3
User: deploy
Why is this running?
└─ Started by: gunicorn (PID 4490)
└─ Started by: systemd (PID 1) [service: myapp.service]
Unit file: /etc/systemd/system/myapp.service
ExecStart: /usr/bin/gunicorn app:app --bind 0.0.0.0:8080
```
### JSON Output (for scripting)
```bash
witr --json 4512
```
```json
{
"pid": 4512,
"name": "python3",
"binary": "/usr/bin/python3",
"user": "deploy",
"started_at": "2026-03-18T09:00:00Z",
"causality_chain": [
{"pid": 4490, "name": "gunicorn", "type": "parent"},
{"pid": 1, "name": "systemd", "type": "supervisor", "service": "myapp.service"}
]
}
```
### Watch/Follow a Process
```bash
# Refresh every 2 seconds
witr --watch 4512
```
---
## Common Patterns
### Find Who Started a Port Listener
```bash
# Quick check: who owns port 5432 (Postgres)?
witr --port 5432
# Get machine-readable output for automation
witr --json --port 5432 | jq '.causality_chain[-1].service'
```
### Audit All Running Services
```bash
# List everything with causality, pipe to less
witr --all | less
# Export full audit to JSON
witr --all --json > audit.json
```
### Inspect a Docker/Container Process
```bash
# witr understands container boundaries
witr <pid-of-containerized-process>
# Output will show: container → container runtime → systemd chain
```
### Use in a Shell Script
```bash
#!/usr/bin/env bash
# Check if port 8080 is in use and why
if witr --json --port 8080 > /tmp/witr_out.json 2>/dev/null; then
SERVICE=$(jq -r '.causality_chain[-1].service // "unknown"' /tmp/witr_out.json)
echo "Port 8080 is owned by service: $SERVICE"
else
echo "Port 8080 is not in use"
fi
```
### Filter Processes by User
```bash
# Show only processes owned by www-data and why they're running
witr --all --user www-data
```
---
## Platform Support
| Platform | Architectures | Notes |
|----------|--------------|-------|
| Linux | amd64, arm64 | Full support |
| macOS | amd64, arm64 (Apple Silicon) | Full support |
| Windows | amd64 | Full support |
| FreeBSD | amd64, arm64 | Full support |
---
## Go Integration (Embedding witr Logic)
If you want to use witr programmatically in a Go project:
```bash
go get github.com/pranshuparmar/witr
```
```go
package main
import (
"fmt"
"github.com/pranshuparmar/witr/pkg/inspector"
)
func main() {
// Inspect a process by PID
result, err := inspector.InspectPID(1234)
if err != nil {
panic(err)
}
fmt.Printf("Process: %s\n", result.Name)
for _, link := range result.CausalityChain {
fmt.Printf(" └─ %s (PID %d)\n", link.Name, link.PID)
}
}
```
```go
// Inspect by port
result, err := inspector.InspectPort(8080, "tcp")
if err != nil {
panic(err)
}
fmt.Printf("Port 8080 owned by PID %d (%s)\n", result.PID, result.Name)
```
---
## Troubleshooting
### Permission Denied on Some PIDs
```bash
# witr needs read access to /proc (Linux) or equivalent
# Run with sudo for system-level processes
sudo witr <pid>
sudo witr --port 80
```
### Binary Not Found After Install
```bash
# Ensure install location is in PATH
export PATH="$PATH:/usr/local/bin" # Unix default install
# or for Go installs:
export PATH="$PATH:$(go env GOPATH)/bin"
```
### Port Not Found / No Output
```bash
# Confirm port is actually listening first
ss -tlnp | grep <port> # Linux
netstat -an | grep <port> # macOS/Windows
# Then retry
witr --port <port>
```
### TUI Not Rendering Correctly
```bash
# Ensure terminal supports 256 colors
export TERM=xterm-256color
witr --interactive
# If on Windows, use Windows Terminal for best TUI experience
```
### Process Exited Before Inspection
```bash
# witr can only inspect currently running processes
# Use --watch on a long-running process to monitor it
witr --watch <pid>
```
### macOS: Requires Elevated Access for Some Processes
```bash
# System Integrity Protection may restrict some process metadata
sudo witr <pid>
```
---
## Quick Reference Card
```
witr <pid> # Why is PID X running?
witr <name> # Why is process "nginx" running?
witr -p <port> # What's on port 8080 and why?
witr -i # Interactive TUI dashboard
witr -a # Show all processes + causality
witr --json <pid> # Machine-readable output
witr -w <pid> # Watch/follow a process
witr -v <pid> # Verbose: full env + metadata
witr --user <user> # Filter by OS user
```Related Skills
whatcable-macos-usb-inspector
macOS menu bar app that identifies USB-C cable capabilities and charging diagnostics using IOKit
```markdown
---
zeroboot-vm-sandbox
Sub-millisecond VM sandboxes for AI agents using copy-on-write KVM forking via Zeroboot
yourvpndead-vpn-detection
Android app that detects VPN/proxy servers (VLESS/xray/sing-box) via local SOCKS5 vulnerability, exposing exit IPs and server configs without root
xata-postgres-platform
Expert skill for Xata open-source cloud-native Postgres platform with copy-on-write branching, scale-to-zero, and Kubernetes deployment
x-mentor-skill-nuwa
AI-powered X (Twitter) content strategy skill that distills methodologies from 6 top creators + open-source algorithm data into actionable writing, growth, and monetization guidance.
wx-favorites-report
End-to-end pipeline to extract, decrypt, and visualize WeChat Mac favorites from encrypted SQLite DB into an interactive HTML report.
wterm-web-terminal
Web terminal emulator with Zig/WASM core, DOM rendering, and React/vanilla JS bindings
worldmonitor-intelligence-dashboard
Real-time global intelligence dashboard with AI-powered news aggregation, geopolitical monitoring, and infrastructure tracking
wildworld-dataset
WildWorld large-scale action-conditioned world modeling dataset with 108M+ frames from a photorealistic ARPG game, featuring per-frame annotations, 450+ actions, and explicit state information for generative world modeling research.
wewrite-wechat-ai-publishing
Full-pipeline AI skill for WeChat Official Account articles — hotspot fetching, topic selection, writing, SEO, image generation, formatting, and draft box publishing.
weixin-agent-sdk
Bridge any AI agent backend to WeChat using the weixin-agent-sdk framework with simple Agent interface, login, and message loop.