Show HN: Dialtone watcher – what is my laptop doing and am I normal
fcpguru Sunday, March 15, 2026Hi HN we are Andrew and Dex. We built dialtone watcher, a small Go agent for macOS and Linux with a very specific goal: tell me what my machine is doing all day and help me compare that with others.
What it does so far:
- Watches running processes, CPU and memory use, and active network endpoints.
- Groups traffic into human sized summaries by process, domain, and coarse protocol like HTTPS, DNS, QUIC, and Postgres.
- Stores a local summary and can post bounded rollups to the dialtoneapp.com api so enough installs can turn the fleet view into something real.
We kept circling the same question: why is there no simple tool that answers "what does this machine actually spend its day doing?" Activity Monitor shows one slice. Little Snitch shows another. Fleet tools exist, but usually behind a corporate wall. We wanted something more honest and inspectable. The real motivating question was not just "what is my laptop doing?" but "am I normal?"
Say I have a MacBook Pro with 14 cores and 36 GB of memory and I run Docker all day. Why is Docker chewing so much more CPU and RAM on my machine than on similar developer machines? Why do I have some weird helper process that keeps hanging around? Why is my laptop talking to domains I do not recognize? You cannot answer those questions from one machine alone. You need a baseline from many machines with comparable hardware and comparable work.
Open source MIT License: https://github.com/andrewarrow/dialtone-watcher
Andrew and I kept a history of our conversations in:
https://github.com/andrewarrow/dialtone-watcher/tree/main/pr...
The big idea is crowdsourced threat intelligence. Every installed agent becomes a sensor. Each one reports process to domain connections, DNS activity, connection frequency, bytes transferred, and basic IP context like ASN and country. On one machine that data is mildly interesting. Across thousands of machines it becomes powerful very fast.
Security companies like CrowdStrike and SentinelOne do exactly this. But those products are enterprise-only, expensive, and opaque.
If some unknown helper suddenly starts talking to the same odd domain on 27 machines in an hour, it's a pattern. If a so called PDF viewer is uploading 18 MB to a domain almost nobody has seen before, that starts to look like exfiltration. If a new VSCode release is the only build talking to some random domain, that starts to smell like a supply chain problem. If Slack or Docker suddenly behaves nothing like the baseline for similar developer machines, you can flag that too.
We think there is room for something more open, inspectable, and useful for normal developers. If you try this, feedback should focus on readability of the summary, correctness of process and domain attribution, whether the upload payload feels proportionate, and what comparisons would actually help you decide "am I normal?" If enough people install it, run it, and send data, the demo becomes real and the real product gets much smarter.
I'll leave you with the following question. Should modern software projects include a prompts directory like this? It takes so little effort to capture the prompts used and they tell a story like git history does.