
eCapture (旁观者): capture SSL/TLS text content without a CA certificate, using eBPF.


Supports Linux/Android kernel versions x86_64 4.18 and above, aarch64 5.5 and above.

Windows and macOS are not supported.

How eCapture works

  • SSL/TLS plaintext capture, supporting the openssl, libressl, boringssl, gnutls and nspr (nss) libraries.
  • GoTLS plaintext capture, supporting the Go TLS library, that is, encrypted communication in https/tls programs written in the golang language.
  • bash audit: captures bash commands for host security audits.
  • mysql query SQL audit, supporting mysqld 5.6, 5.7 and 8.0, and MariaDB.

eCapture Architecture

eCapture User Manual

Getting started

Use the ELF binary file

Download the ELF zip file from the release page, unzip it, and run the command ./ecapture --help.

Command line options


Root permission is required.

By default, eCapture searches the /etc/ file to find the load directories of SO files, and searches those directories for the location of the openssl shared libraries. Alternatively, you can use the --libssl flag to set the shared library path.

If the target program is statically compiled, you can set the program path directly as the value of the --libssl flag.

Pcapng result

./ecapture tls -i eth0 -w pcapng -p 443 captures plaintext packets and saves them as a pcapng file, which Wireshark can read directly.

plaintext result

./ecapture tls captures all plaintext content and outputs it to the console; it also captures the Master Secret of openssl TLS and saves it to ecapture_masterkey.log. You can also use tcpdump to capture raw packets and use Wireshark to read them with the Master Secret settings.


Check your server's BTF config:

cfc4n@vm-server:~$# uname -r
cfc4n@vm-server:~$# cat /boot/config-`uname -r` | grep CONFIG_DEBUG_INFO_BTF

tls command

Capture TLS text content. Step 1:

./ecapture tls --hex

Step 2:



# for installed libressl, is the dynamic ssl lib
vm@vm-server:~$ ldd /usr/local/bin/openssl
     (0x00007ffc82985000)
     => /usr/local/lib/ (0x00007f1730f9f000)
     => /usr/local/lib/ (0x00007f1730d8a000)
     => /lib/x86_64-linux-gnu/ (0x00007f1730b62000)
    /lib64/ (0x00007f17310b2000)

# use the libssl to config the path
vm@vm-server:~$ sudo ./ecapture tls --libssl="/usr/local/lib/" --hex

# in another terminal, use the command, then type some string, watch the output of ecapture
vm@vm-server:~$ /usr/local/bin/openssl s_client -connect

# for installed boringssl, usage is the same
/path/to/bin/bssl s_client -connect
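
The --libssl lookup described under the command line options and in Step 2 above, written as an added example that is not part of the original README or the eCapture project. The function names choose_libssl and libssl_for are hypothetical, the sample ldd lines are constructed, and the static-binary messages assumed are those printed by glibc's ldd.

```shell
#!/bin/sh
# Added example (not eCapture code): pick the value for the --libssl flag
# from `ldd` output. ldd may run the target's loader, so only use it on
# binaries you trust.

# choose_libssl BIN LDD_OUTPUT
#   prints the resolved libssl path if BIN links libssl dynamically,
#   prints BIN itself if BIN is statically linked,
#   returns 1 if BIN is dynamic but libssl is absent or unresolved.
choose_libssl() {
    bin=$1
    ldd_out=$2
    # A resolved ldd line looks like: "libssl.so.3 => /path/libssl.so.3 (0x...)"
    path=$(printf '%s\n' "$ldd_out" |
        awk '$1 ~ /^libssl\.so/ && $2 == "=>" && $3 ~ /^\// { print $3; exit }')
    if [ -n "$path" ]; then
        printf '%s\n' "$path"
        return 0
    fi
    case $ldd_out in
        *"not a dynamic executable"*|*"statically linked"*)
            # Static target: the program path itself is the --libssl value.
            printf '%s\n' "$bin"
            return 0 ;;
    esac
    return 1
}

# libssl_for BIN: run ldd on BIN and apply choose_libssl to its output.
libssl_for() {
    choose_libssl "$1" "$(ldd "$1" 2>&1)"
}

# Constructed sample inputs (library versions and addresses are made up).
SAMPLE_DYNAMIC='	linux-vdso.so.1 (0x00007ffc00000000)
	libssl.so.3 => /usr/local/lib/libssl.so.3 (0x00007f0000000000)
	libcrypto.so.3 => /usr/local/lib/libcrypto.so.3 (0x00007f0000100000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'
SAMPLE_STATIC='	not a dynamic executable'
SAMPLE_NO_SSL='	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'

# On a real host:
#   sudo ./ecapture tls --libssl="$(libssl_for /path/to/program)" --hex
echo "dynamic: $(choose_libssl /usr/local/bin/openssl "$SAMPLE_DYNAMIC")"
echo "static:  $(choose_libssl /opt/app/server "$SAMPLE_STATIC")"
```
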

bash command

Capture bash commands.

ps -ef | grep foo

What's eBPF


How to compile

Linux Kernel: >= 4.18.


  • golang 1.18 or newer
  • clang 9.0 or newer
  • cmake 3.18.4 or newer
  • clang backend: llvm 9.0 or newer
  • kernel config: CONFIG_DEBUG_INFO_BTF=y (Optional, 2022-04-17)



If you are using Ubuntu 20.04 or later versions, you can use a single command to complete the initialization of the compilation environment.

/bin/bash -c "$(curl -fsSL"

other Linux

In addition to the software listed in the 'Toolchain Version' section above, the following software is also required for the compilation environment. Please install it yourself.

  • linux-tools-common
  • linux-tools-generic
  • pkgconf
  • libelf-dev

Clone the repository code and compile it

git clone
cd ecapture

compile without BTF

As of 2022/04/17, eCapture supports compiling with BTF disabled, using the command make nocore. The resulting build works normally even on Linux systems that do not support BTF.

make nocore
bin/ecapture --help


See CONTRIBUTING for details on submitting patches and the contribution workflow.

