> [!IMPORTANT]
> Supports Linux/Android kernel versions x86_64 4.18 and above and aarch64 5.5 and above. Requires root permission or specific Linux capabilities. Windows and macOS are not supported.
> [!TIP]
> Supports Linux/Android on x86_64/aarch64.

Download the ELF zip file from the release page, unzip it, and run:

```shell
sudo ecapture --help
```
> [!TIP]
> Linux only.

```shell
# pull docker image
docker pull gojue/ecapture:latest
# run
docker run --rm --privileged=true --net=host -v ${HOST_PATH}:${CONTAINER_PATH} gojue/ecapture ARGS
```

⚠️ Security Note: `--privileged=true` grants full host access. For production use, consider granting specific capabilities instead. See the Minimum Privileges Guide.

See Docker Hub for more information.
```shell
sudo ecapture tls
```
eCapture will automatically detect the system's OpenSSL library and start capturing plaintext. When you make an HTTPS request (e.g., curl https://google.com), the captured request and response will be displayed:
```text
...
INF module started successfully. moduleName=EBPFProbeOPENSSL
??? UUID:233851_233851_curl_5_1_172.16.71.1:51837, Name:HTTP2Request, Type:2, Length:304
header field ":method" = "GET"
header field ":path" = "/"
header field ":authority" = "google.com"
...
```
📄 For complete output examples, see docs/example-outputs.md.
eCapture comprises 8 modules that support plaintext capture for TLS/SSL libraries such as OpenSSL, GnuTLS, NSPR, BoringSSL and GoTLS, and software auditing for Bash, MySQL and PostgreSQL.
Run `ecapture -h` to view the list of subcommands. By default, eCapture reads `/etc/ld.so.conf` to find the shared-library search directories and locates the OpenSSL shared library there. Alternatively, use the `--libssl` flag to set the shared library path explicitly. If the target program is statically compiled, pass the program path directly as the `--libssl` value.
The OpenSSL module supports three capture modes:

- pcap/pcapng mode stores captured plaintext data in pcap-NG format.
- keylog/key mode saves the TLS handshake keys to a file.
- text mode directly captures plaintext data, either writing it to a specified file or printing it to the command line.

Supports TLS-encrypted HTTP/1.0, HTTP/1.1 and HTTP/2 over TCP, and HTTP/3 (QUIC) over UDP.
You can specify -m pcap or -m pcapng and use it in conjunction with --pcapfile and -i parameters. The default value for --pcapfile is ecapture_openssl.pcapng.
```shell
sudo ecapture tls -m pcap -i eth0 --pcapfile=ecapture.pcapng tcp port 443
```
This command saves captured plaintext data packets as a pcapng file, which can be viewed using Wireshark.
📄 For complete pcapng mode output, see docs/example-outputs.md.
You can specify -m keylog or -m key and use it in conjunction with the --keylogfile parameter, which defaults to ecapture_masterkey.log.
The captured OpenSSL TLS Master Secret information is saved to --keylogfile. You can also enable tcpdump packet capture and then use Wireshark to open the file and set the Master Secret path to view plaintext data packets.
```shell
sudo ecapture tls -m keylog --keylogfile=openssl_keylog.log
```
You can also directly use the tshark software for real-time decryption and display:
```shell
tshark -o tls.keylog_file:ecapture_masterkey.log -Y http -T fields -e http.file_data -f "port 443" -i eth0
```
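Before pointing Wireshark or tshark at the `--keylogfile` output, it is worth checking that the file is well-formed and that each connection has the secrets decryption needs. The following is an added example, not eCapture's own code; it parses the NSS key log format that keylog mode writes, and the sample lines in it are constructed, not real session keys.

```python
"""Validate an NSS-format TLS key log, the format eCapture's keylog mode writes
and Wireshark/tshark read via tls.keylog_file. Added example, not eCapture code."""
import re

# Labels from the NSS Key Log Format: CLIENT_RANDOM carries a 48-byte TLS 1.2
# master secret; the TLS 1.3 labels carry hash-sized (32- or 48-byte) secrets.
TLS12_LABEL = "CLIENT_RANDOM"
TLS13_LABELS = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}
LINE_RE = re.compile(r"^(\S+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")  # label random secret

# Constructed sample (not real session keys); the last line is deliberately malformed.
SAMPLE = f"""# constructed keylog
CLIENT_RANDOM {'11' * 32} {'22' * 48}
CLIENT_HANDSHAKE_TRAFFIC_SECRET {'aa' * 32} {'01' * 32}
SERVER_HANDSHAKE_TRAFFIC_SECRET {'aa' * 32} {'02' * 32}
CLIENT_TRAFFIC_SECRET_0 {'aa' * 32} {'03' * 32}
SERVER_TRAFFIC_SECRET_0 {'aa' * 32} {'04' * 32}
CLIENT_TRAFFIC_SECRET_0 {'bb' * 32} {'05' * 32}
CLIENT_RANDOM {'cc' * 32} deadbeef
"""


def parse_keylog(text):
    """Return ({client_random: {label: secret}}, [error strings]). Lines Wireshark
    would not accept (bad syntax, unknown label, wrong secret length) become errors."""
    sessions, errors = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed by the format
        m = LINE_RE.match(line)
        if not m:
            errors.append(f"line {n}: malformed")
            continue
        label, client_random, secret = m.groups()
        expected = (96,) if label == TLS12_LABEL else (64, 96) if label in TLS13_LABELS else ()
        if len(secret) not in expected:
            errors.append(f"line {n}: {label}: unknown label or wrong secret length")
            continue
        sessions.setdefault(client_random.lower(), {})[label] = secret.lower()
    return sessions, errors


def decryptable(labels):
    """True if Wireshark can decrypt the connection's application data: a TLS 1.2
    master secret, or both TLS 1.3 application traffic secrets (keyed by client random)."""
    if TLS12_LABEL in labels:
        return True
    return {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"} <= set(labels)
```

To check a real capture, replace `SAMPLE` with the contents of the file named by `--keylogfile`; a connection reported as incomplete (for example only `CLIENT_TRAFFIC_SECRET_0` present) will show up as undecryptable application data in Wireshark.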
`sudo ecapture tls -m text` outputs all plaintext data packets. (Starting from v0.7.0, this mode no longer captures SSLKEYLOG information.)
Similar to the OpenSSL module, the GoTLS module captures TLS plaintext.

Step 1: start eCapture against the target Go binary:

```shell
sudo ecapture gotls --elfpath=/home/cfc4n/go_https_client --hex
```

Step 2: run the target program:

```shell
/home/cfc4n/go_https_client
```

For the full list of GoTLS options:

```shell
sudo ecapture gotls -h
```
For the other modules, such as bash, mysqld and postgres, use `ecapture -h` to view the list of subcommands.
eCaptureQ is a cross-platform graphical user interface client for eCapture, visualizing eBPF TLS capture capabilities. Built using the Rust + Tauri + React technology stack, it provides a real-time, responsive interface, enabling easy analysis of encrypted traffic without the need for CA certificates. It simplifies complex eBPF capture techniques, making them easy to use. Supports two modes:
https://github.com/user-attachments/assets/c8b7a84d-58eb-4fdb-9843-f775c97bdbfb
For details of the Protobuf log schema used by eCapture/eCaptureQ, see:
See CONTRIBUTING for details on submitting patches and the contribution workflow.
You can customize the features you want, such as setting the offset address for uprobe to support statically compiled OpenSSL libraries. Refer to the compilation guide for compilation instructions.
After eCapture is running, you can dynamically modify the configurations through HTTP interfaces. Refer to the HTTP API Documentation.
eCapture supports multiple event forwarding methods. You can forward events to packet capture software such as Burp Suite. For details, refer to the Event Forwarding API Documentation.
This project is supported by a JetBrains IDE license. We thank JetBrains for their contributions to the open-source community.