Important
Supports Linux/Android kernel versions x86_64 4.18 and above, aarch64 5.5 and above. Requires root permission or specific Linux capabilities. Windows and macOS are not supported.
- SSL/TLS plaintext capture; supports the openssl, libressl, boringssl, gnutls and nspr (nss) libraries.
- GoTLS plaintext capture for the Go tls library, i.e. encrypted communication in HTTPS/TLS programs written in Go.
- Bash audit: capture bash commands for host security auditing.
- Zsh audit: capture zsh commands for host security auditing.
- MySQL query SQL audit; supports mysqld 5.6/5.7/8.0 and MariaDB.
Tip
Supports Linux/Android x86_64/aarch64.
Download the ELF zip file from the releases page, unzip it, and run:
sudo ecapture --help
Tip
Linux only.
# pull docker image
docker pull gojue/ecapture:latest
# run
docker run --rm --privileged=true --net=host -v ${HOST_PATH}:${CONTAINER_PATH} gojue/ecapture ARGS
⚠️ Security Note: --privileged=true grants full host access. For production use, consider granting specific capabilities instead. See the Minimum Privileges Guide.
See Docker Hub for more information.
sudo ecapture tls
eCapture will automatically detect the system's OpenSSL library and start capturing plaintext. When you make an HTTPS request (e.g. curl https://google.com), the captured request and response are displayed:
...
INF module started successfully. moduleName=EBPFProbeOPENSSL
UUID:233851_233851_curl_5_1_172.16.71.1:51837, Name:HTTP2Request, Type:2, Length:304
header field ":method" = "GET"
header field ":path" = "/"
header field ":authority" = "google.com"
...
For complete output examples, see docs/example-outputs.md.
The eCapture tool comprises 8 modules that respectively support plaintext capture for TLS/SSL encryption libraries like OpenSSL, GnuTLS, NSPR, BoringSSL, and GoTLS. Additionally, it facilitates software audits for Bash, MySQL, and PostgreSQL applications.
- bash capture bash command
- zsh capture zsh command
- gnutls capture gnutls text content without a CA cert for gnutls libraries.
- gotls capture plaintext communication from Golang programs encrypted with TLS/HTTPS.
- mysqld capture SQL queries from mysqld 5.6/5.7/8.0.
- nss capture nss/nspr encrypted text content without a CA cert for nss/nspr libraries.
- postgres capture SQL queries from postgres 10+.
- tls capture tls/ssl text content without a CA cert (supports openssl 1.0.x/1.1.x/3.0.x or newer).
You can use ecapture -h to view the list of subcommands.
By default, eCapture reads /etc/ld.so.conf to find the load directories for shared objects and locates the OpenSSL shared library there. Alternatively, use the --libssl flag to set the shared library path.
If the target program is statically compiled, you can pass the program path directly as the --libssl flag value.
The OpenSSL module supports three capture modes:
- pcap/pcapng mode stores captured plaintext data in pcap-NG format.
- keylog/key mode saves the TLS handshake keys to a file.
- text mode directly captures plaintext data, either writing it to a specified file or printing it to the command line.
Supports TLS-encrypted HTTP 1.0/1.1/2.0 over TCP, and HTTP/3 (QUIC) over UDP.
You can specify -m pcap or -m pcapng and use it in conjunction with --pcapfile and -i parameters. The default value for --pcapfile is ecapture_openssl.pcapng.
sudo ecapture tls -m pcap -i eth0 --pcapfile=ecapture.pcapng tcp port 443
This command saves captured plaintext data packets as a pcapng file, which can be viewed with Wireshark.
For complete pcapng mode output, see docs/example-outputs.md.
You can specify -m keylog or -m key and use it in conjunction with the --keylogfile parameter, which defaults to ecapture_masterkey.log.
The captured OpenSSL TLS Master Secret information is saved to --keylogfile. You can also enable tcpdump packet capture and then use Wireshark to open the file and set the Master Secret path to view plaintext data packets.
sudo ecapture tls -m keylog --keylogfile=openssl_keylog.log
You can also use tshark directly for real-time decryption and display:
tshark -o tls.keylog_file:ecapture_masterkey.log -Y http -T fields -e http.file_data -f "port 443" -i eth0
sudo ecapture tls -m text will output all plaintext data packets. (Starting from v0.7.0, it no longer captures SSLKEYLOG information.)
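Before handing a key log to Wireshark or tshark it is worth checking that it actually contains well-formed records. The following validator is an added example, not part of eCapture; it assumes the file written by --keylogfile uses the NSS key log format that tls.keylog_file expects (one "LABEL client_random secret" record per line, hex encoded) and that the secret sizes follow TLS 1.2 (48-byte master secret) and TLS 1.3 (32- or 48-byte traffic secrets).

```python
# Added example (not eCapture's own code): validate and summarize a key log
# file as written by `ecapture tls -m keylog`. Assumes the NSS key log format.
import re
from collections import Counter

# Accepted secret length in bytes per label (assumption: TLS 1.2 master secret
# is 48 bytes; TLS 1.3 secrets are the handshake hash length, 32 or 48 bytes).
LABEL_SECRET_LEN = {
    "CLIENT_RANDOM": {48},
    "CLIENT_EARLY_TRAFFIC_SECRET": {32, 48},
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": {32, 48},
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": {32, 48},
    "CLIENT_TRAFFIC_SECRET_0": {32, 48},
    "SERVER_TRAFFIC_SECRET_0": {32, 48},
    "EXPORTER_SECRET": {32, 48},
}
HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_keylog_line(line):
    """Return (label, client_random, secret), all lowercase hex, or raise ValueError."""
    parts = line.split()
    if len(parts) != 3:
        raise ValueError("expected 3 fields")
    label, crand, secret = parts
    if label not in LABEL_SECRET_LEN:
        raise ValueError("unknown label %s" % label)
    if not HEX.match(crand) or len(crand) != 64:
        raise ValueError("client_random must be 32 bytes hex")
    if not HEX.match(secret) or len(secret) % 2 or len(secret) // 2 not in LABEL_SECRET_LEN[label]:
        raise ValueError("bad secret length for %s" % label)
    return label, crand.lower(), secret.lower()


def summarize_keylog(text):
    """Count usable records per label, distinct sessions (client_random), and rejected lines."""
    counts, bad, sessions = Counter(), [], set()
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):  # blank lines and comments are skipped
            continue
        try:
            label, crand, _ = parse_keylog_line(line)
        except ValueError as e:
            bad.append((n, str(e)))
            continue
        counts[label] += 1
        sessions.add(crand)
    return {"records": dict(counts), "sessions": len(sessions), "rejected": bad}


# Constructed sample: one TLS 1.2 session, one TLS 1.3 session, one truncated record.
SAMPLE = "\n".join([
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "bb" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "cc" * 32,
    "CLIENT_RANDOM " + "33" * 32 + " " + "dd" * 20,
])
```

A capture whose summary shows rejected lines or zero sessions will not decrypt in Wireshark, so this check is cheaper than debugging the decoder.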
Similar to the OpenSSL module; captures TLS text content.
Step 1:
sudo ecapture gotls --elfpath=/home/cfc4n/go_https_client --hex
Step 2:
/home/cfc4n/go_https_client
Use sudo ecapture gotls -h to view the options of this module.
For other modules, such as bash, mysqld and postgres, you can use ecapture -h to view the list of subcommands.
- Youtube video: How to use eCapture v0.1.0
- eCapture: supports capturing plaintext of Golang TLS/HTTPS traffic
eCaptureQ is a cross-platform graphical user interface client for eCapture, visualizing eBPF TLS capture capabilities. Built using the Rust + Tauri + React technology stack, it provides a real-time, responsive interface, enabling easy analysis of encrypted traffic without the need for CA certificates. It simplifies complex eBPF capture techniques, making them easy to use. Supports two modes:
- Integrated Mode: Unified Linux/Android execution
- Remote Mode: Windows/macOS/Linux client connects to a remote eCapture service
GitHub Repository
For details of the Protobuf log schema used by eCapture/eCaptureQ, see:
- Security Policy: vulnerability reporting and supported versions
- Minimum Privileges: required Linux capabilities and least-privilege configuration
- Defense & Detection: how to detect and defend against unauthorized usage
- Performance Benchmarks: overhead measurement methodology and expected characteristics
- Release Verification: how to verify the integrity of release artifacts
See CONTRIBUTING for details on submitting patches and the contribution workflow.
You can customize the features you want, such as setting the offset address for uprobe to support statically compiled OpenSSL libraries. Refer to the compilation guide for compilation instructions.
After eCapture is running, you can dynamically modify the configurations through HTTP interfaces. Refer to the HTTP API Documentation.
eCapture supports multiple event forwarding methods. You can forward events to packet capture software such as Burp Suite. For details, refer to the Event Forwarding API Documentation.
This project is supported by a JetBrains IDE license. We thank JetBrains for their contributions to the open-source community.
