# gojue/ecapture

[中文介绍](README_CN.md) | English | [日本語](README_JA.md)

eCapture (旁观者): capture SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64. Project site: ecapture.cc. License: Apache-2.0.

> **Note**
> Supports Linux/Android kernel versions x86_64 4.18 and above, aarch64 5.5 and above. Windows and macOS are not supported.
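The note above gives the minimum kernel per architecture, and the rest of the README requires root and (optionally) a kernel with BTF. The script below is an added example, not eCapture's own code: it turns those requirements into a pre-flight check you can run before starting a capture. It assumes BTF is detectable through `/sys/kernel/btf/vmlinux` or `CONFIG_DEBUG_INFO_BTF=y` in `/boot/config-$(uname -r)`, and that `ldconfig -p` reflects the `/etc/ld.so.conf` search path eCapture uses to find libssl; neither path is something the README specifies.

```shell
#!/bin/sh
# Added example (not eCapture's own code): host pre-flight checks for the
# requirements stated in the README note (x86_64 >= 4.18, aarch64 >= 5.5,
# root, BTF optional). The BTF and loader-cache locations below are this
# script's assumptions, not something the README specifies.

# kernel_supported RELEASE ARCH -> exit 0 if RELEASE meets the minimum for ARCH
kernel_supported() {
    ver=${1%%-*}                      # "4.18.0-305.3.1.el8.x86_64" -> "4.18.0"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ "$rest" = "$ver" ] && minor=0   # a bare "6" has no minor component
    case $2 in
        x86_64|amd64)  need_major=4; need_minor=18 ;;
        aarch64|arm64) need_major=5; need_minor=5 ;;
        *) return 2 ;;                # not an architecture eCapture supports
    esac
    [ "$major" -gt "$need_major" ] && return 0
    [ "$major" -eq "$need_major" ] && [ "$minor" -ge "$need_minor" ]
}

# btf_available -> exit 0 if the running kernel exposes BTF. The default
# (CO-RE) build needs it; the README says a `make nocore` build does not.
btf_available() {
    [ -r /sys/kernel/btf/vmlinux ] && return 0
    cfg=/boot/config-$(uname -r)
    [ -r "$cfg" ] && grep -q '^CONFIG_DEBUG_INFO_BTF=y' "$cfg"
}

# libssl_path -> print the first libssl.so in the dynamic loader cache.
# ldconfig -p reads the cache built from /etc/ld.so.conf, the same place the
# README says eCapture searches; pass the result to --libssl to be explicit.
libssl_path() {
    ldconfig -p 2>/dev/null | awk '/libssl\.so/ { print $NF; exit }'
}

# preflight -> report each requirement; exit 1 if a hard requirement fails
preflight() {
    rel=$(uname -r); arch=$(uname -m); ok=0
    if kernel_supported "$rel" "$arch"; then
        echo "kernel $rel on $arch: ok"
    else
        echo "kernel $rel on $arch: below the eCapture minimum or unsupported arch"; ok=1
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root: eCapture needs root to load eBPF programs"; ok=1
    fi
    if btf_available; then
        echo "BTF: available"
    else
        echo "BTF: missing (use a 'make nocore' build)"
    fi
    lib=$(libssl_path)
    if [ -n "$lib" ]; then
        echo "libssl: $lib (override with --libssl if the target uses another copy)"
    else
        echo "libssl: not in the loader cache; set --libssl explicitly"
    fi
    return $ok
}

# Run the checks when executed as ./ecapture_preflight.sh; sourcing the file
# only defines the functions.
case $0 in *ecapture_preflight.sh) preflight ;; esac
```

`kernel_supported` only compares major and minor, which is what the note's thresholds express; a distribution suffix such as `-305.3.1.el8` is stripped before parsing.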
## Contents

* How eCapture works
* eCapture User Manual
* Getting started
* eCapture Architecture
* What's eBPF
* How to compile
* Contributing

## How eCapture works

* SSL/TLS plaintext capture, supporting the openssl, libressl, boringssl, gnutls and nspr (nss) libraries.
* GoTLS plaintext capture for the Go standard library `crypto/tls`, i.e. HTTPS/TLS programs written in Go.
* bash audit: captures bash commands for host security auditing.
* MySQL query audit, supporting mysqld 5.6/5.7/8.0 and MariaDB.

## eCapture User Manual

YouTube video: How to use eCapture v0.1.0

## Getting started

### Use the ELF binary

Download the ELF zip file from the releases page, unzip it, and run `./ecapture --help`.

* Linux kernel version >= 4.18 is required.
* BTF (BPF Type Format) support in the kernel is optional (since 2022-04-17; see "Compile without BTF" below).

### Use the Docker image

```shell
# pull docker image
docker pull gojue/ecapture:latest

# run
docker run --rm --privileged=true --net=host -v ${HOST_PATH}:${CONTAINER_PATH} gojue/ecapture ARGS
```

`--privileged` and `--net=host` are required for the container to load eBPF programs and see host traffic; they also give the container full host access, so run this image only on hosts you control.

### Command line options

> **Note**
> Root permission is required.

By default eCapture reads /etc/ld.so.conf to find the directories shared objects are loaded from, and searches them for the OpenSSL shared library. Use the `--libssl` flag to set the shared library path explicitly. If the target program is statically linked, pass the program path itself as the `--libssl` value.

### Modules

eCapture comprises 8 modules that support plaintext capture for the TLS/SSL libraries OpenSSL, GnuTLS, NSPR/NSS, BoringSSL and GoTLS, and software audits for Bash, MySQL and PostgreSQL.

* bash: capture bash commands.
* gnutls: capture GnuTLS plaintext without a CA certificate.
* gotls: capture plaintext communication from Go programs encrypted with TLS/HTTPS.
* mysqld: capture SQL queries from mysqld 5.6/5.7/8.0.
* nss: capture NSS/NSPR plaintext without a CA certificate.
* postgres: capture SQL queries from postgres 10+.
* tls: capture TLS/SSL plaintext without a CA certificate (supports OpenSSL 1.0.x/1.1.x/3.0.x or newer).

Run `ecapture -h` to view the list of subcommands.

### OpenSSL Module

The OpenSSL module supports three capture modes:

* pcap/pcapng mode stores the captured plaintext in pcap-NG format.
* keylog/key mode saves the TLS handshake keys to a file.
* text mode captures plaintext directly, writing it to a specified file or printing it on the command line.

#### Pcap Mode

Specify `-m pcap` or `-m pcapng`, together with the `--pcapfile` and `-i` parameters. The default value of `--pcapfile` is `ecapture_openssl.pcapng`.

```shell
./ecapture tls -m pcap -i eth0 --pcapfile=ecapture.pcapng tcp port 443
```

This command saves the captured plaintext packets as a pcapng file, which can be opened in Wireshark.

#### Keylog Mode

Specify `-m keylog` or `-m key`, together with the `--keylogfile` parameter, which defaults to `ecapture_masterkey.log`. The captured OpenSSL TLS master secrets are written to `--keylogfile`. You can capture packets with tcpdump in parallel, then open the capture in Wireshark and point its (Pre)-Master-Secret log filename setting at that file to view the plaintext.

```shell
./ecapture tls -m keylog --keylogfile=openssl_keylog.log
```

You can also let tshark decrypt and display the traffic in real time; the key log file name must match the `--keylogfile` value:

```shell
tshark -o tls.keylog_file:openssl_keylog.log -Y http -T fields -e http.file_data -f "port 443" -i eth0
```

#### Text Mode

`./ecapture tls -m text` outputs all plaintext packets. (Starting from v0.7.0, this mode no longer captures SSLKEYLOG information.)

### GoTLS Module

Similar to the OpenSSL module. Check your server's BTF config first:

```shell
cfc4n@vm-server:~$# uname -r
4.18.0-305.3.1.el8.x86_64
cfc4n@vm-server:~$# cat /boot/config-`uname -r` | grep CONFIG_DEBUG_INFO_BTF
CONFIG_DEBUG_INFO_BTF=y
```

The `gotls` command captures TLS plaintext from a Go binary.
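The Keylog Mode above writes a file in the NSS key log format that Wireshark and tshark read: one entry per line, `CLIENT_RANDOM <client random> <master secret>` for TLS 1.2 and earlier, or a TLS 1.3 label such as `CLIENT_TRAFFIC_SECRET_0` followed by the client random and the traffic secret. A truncated or malformed line makes Wireshark silently fail to decrypt that session. The script below is an added example, not eCapture's own code: it validates a key log file against that format before handing it to tshark. The sample file it writes is constructed and contains no real key material; the `tshark` invocation is the one from this README.

```shell
#!/bin/sh
# Added example (not eCapture's own code): sanity-check a key log file in the
# NSS key log format before passing it to tshark/Wireshark. The sample
# contents written by write_sample_keylog are constructed, not real keys.

# is_hex STRING -> 0 if STRING is non-empty and contains only hex digits
is_hex() {
    [ -n "$1" ] || return 1
    case $1 in *[!0-9a-fA-F]*) return 1 ;; esac
}

# keylog_line_ok LINE -> 0 if LINE is a well-formed entry:
#   <LABEL> <client random: 32 bytes hex> <secret: hex>
# CLIENT_RANDOM carries the 48-byte TLS <= 1.2 master secret; the TLS 1.3
# labels carry a 32- or 48-byte traffic secret (SHA-256 / SHA-384 suites).
# The legacy "RSA <key id> <premaster>" form is rejected on purpose.
keylog_line_ok() {
    set -- $1
    [ $# -eq 3 ] || return 1
    is_hex "$2" && is_hex "$3" || return 1
    [ ${#2} -eq 64 ] || return 1
    case $1 in
        CLIENT_RANDOM) [ ${#3} -eq 96 ] ;;
        CLIENT_EARLY_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0|EXPORTER_SECRET|EARLY_EXPORTER_SECRET)
            [ ${#3} -eq 64 ] || [ ${#3} -eq 96 ] ;;
        *) return 1 ;;
    esac
}

# keylog_check FILE -> print "<good> <bad>"; exit 0 only if no line is bad.
# Blank lines and '#' comments are skipped, as Wireshark skips them.
keylog_check() {
    good=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        if keylog_line_ok "$line"; then good=$((good + 1)); else bad=$((bad + 1)); fi
    done < "$1"
    echo "$good $bad"
    [ "$bad" -eq 0 ]
}

# Constructed values for the sample file (not real key material).
H16=0123456789abcdef
CR=$H16$H16$H16$H16                 # 64 hex chars: a 32-byte client random
MS=$H16$H16$H16$H16$H16$H16         # 96 hex chars: a 48-byte master secret

# write_sample_keylog FILE -> write three valid entries and one truncated one
write_sample_keylog() {
    cat > "$1" <<EOF
# constructed sample; not real key material
CLIENT_RANDOM $CR $MS
CLIENT_HANDSHAKE_TRAFFIC_SECRET $CR $CR
SERVER_TRAFFIC_SECRET_0 $CR $CR
CLIENT_RANDOM $CR deadbeef
EOF
}

# tshark_decrypt KEYLOG IFACE -> the README's live decryption command, run
# only after the key log validates (needs tshark and capture privileges)
tshark_decrypt() {
    keylog_check "$1" >/dev/null || { echo "refusing: malformed lines in $1" >&2; return 1; }
    tshark -o "tls.keylog_file:$1" -Y http -T fields -e http.file_data -f "port 443" -i "$2"
}

# Self-test when executed as ./keylog_check.sh; sourcing only defines functions.
case $0 in *keylog_check.sh)
    tmp=$(mktemp)
    write_sample_keylog "$tmp"
    keylog_check "$tmp" || echo "sample contains a malformed line, as expected"
    rm -f "$tmp"
    ;;
esac
```

Run `tshark_decrypt openssl_keylog.log eth0` after an eCapture keylog session; the check is deliberately strict about the label set and secret lengths so that a half-written line from an interrupted capture is caught before it is blamed on Wireshark.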
Run the capture first, then the target:

Step 1: start the capture against the target binary.

```shell
./ecapture gotls --elfpath=/home/cfc4n/go_https_client --hex
```

Step 2: run the target binary in another terminal.

```shell
/home/cfc4n/go_https_client
```

More help: `./ecapture gotls -h`

### bash Module

Capture bash commands: start the capture, then run a command in another shell and it appears in the output.

```shell
ecapture bash
ps -ef | grep foo
```

## eCapture Architecture

(architecture diagram)

## What's eBPF

eBPF

## How to compile

Linux kernel: >= 4.18.

### Tools

* golang 1.21 or newer
* clang 9.0 or newer
* cmake 3.18.4 or newer
* clang backend: llvm 9.0 or newer
* kernel config: CONFIG_DEBUG_INFO_BTF=y (optional since 2022-04-17)

### Command

#### Ubuntu

If you are using Ubuntu 20.04 or later, you can initialize the build environment with a single command. The script runs with your shell's privileges, so download and read it first if the host matters to you.

```shell
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/gojue/ecapture/master/builder/init_env.sh)"
```

#### Other Linux

In addition to the software listed in the Tools section above, the following packages are required for the build environment; install them yourself:

* linux-tools-common
* linux-tools-generic
* pkgconf
* libelf-dev

### Clone the repository and compile

Caution: the following `make` command installs libpcap into the system directory if `libpcap.a` does not exist under /usr/local/lib. If libpcap is already installed on the system without `libpcap.a`, this may break your libpcap headers.

```shell
git clone --recurse-submodules git@github.com:gojue/ecapture.git
cd ecapture
make
bin/ecapture
```

### Compile without BTF

Since 2022-04-17 eCapture can be built with BTF disabled using `make nocore`. The resulting binary works even on Linux systems without BTF support.

```shell
make nocore
bin/ecapture --help
```

### Cross-compilation

#### Kernel header files

To cross-compile eCapture you need the kernel header files for the target architecture; install the linux-source package and prepare a configured source tree:
```shell
kernel_ver=`uname -r | cut -d'-' -f 1`
sudo apt-get install -y linux-source-$kernel_ver
cd /usr/src
sudo tar -xf linux-source-${kernel_ver}.tar.bz2
cd /usr/src/linux-source-${kernel_ver}
test -f .config || yes "" | sudo make oldconfig
```

#### Toolchains

To cross-compile for aarch64 on an amd64 system, install the gcc-aarch64-linux-gnu toolchain. Likewise, to cross-compile for amd64 on an aarch64 system, install the gcc-x86-64-linux-gnu toolchain.

* on amd64: gcc-aarch64-linux-gnu
* on arm64: gcc-x86-64-linux-gnu

#### Build commands

To build an arm64 artifact on an Ubuntu amd64 system, set the CROSS_ARCH environment variable:

```shell
CROSS_ARCH=arm64 make
```

## Contributing

See CONTRIBUTING for details on submitting patches and the contribution workflow.

## About

License: Apache-2.0. Latest release: eCapture v0.8.4 (Jul 9, 2024).

Topics: android, linux, tls, golang, ssl, security-audit, https, ebpf, tcpdump, network-capture, ssldump, android-https-capture, ebpf-uprobe, ebpf-tc, ebpf-go