Capture SSL/TLS text content without a CA certificate using eBPF. This tool is compatible with Linux/Android x86_64/Aarch64.

中文介绍 | English | 日本語

GitHub stars GitHub forks CI Github Version

eCapture(旁观者): capture SSL/TLS text content without CA cert Using eBPF.


Supports Linux/Android kernel versions x86_64 4.18 and above, aarch64 5.5 and above. Does not support Windows and macOS system.

How eCapture works

  • SSL/TLS plaintext capture, support openssl\libressl\boringssl\gnutls\nspr(nss) libraries.
  • GoTLS plaintext support go tls library, which refers to encrypted communication in https/tls programs written in the golang language.
  • bash audit, capture bash command for Host Security Audit.
  • mysql query SQL audit, support mysqld 5.6\5.7\8.0, and mariadDB.

eCapture Architecture

eCapture User Manual

eCapture User Manual

Getting started

use ELF binary file

Download ELF zip file release , unzip and use by command ./ecapture --help.

Command line options


Need ROOT permission.

eCapture search /etc/ file default, to search load directories of SO file, and search openssl shard libraries location. or you can use --libssl flag to set shard library path.

If target program is compile statically, you can set program path as --libssl flag value directly。

Pcapng result

./ecapture tls -i eth0 -w pcapng -p 443 capture plaintext packets save as pcapng file, use Wireshark read it directly.

plaintext result

./ecapture tls will capture all plaintext context ,output to console, and capture Master Secret of openssl TLS save to ecapture_masterkey.log. You can also use tcpdump to capture raw packet,and use Wireshark to read them with Master Secret settings.

check your server BTF config:

cfc4n@vm-server:~$# uname -r
cfc4n@vm-server:~$# cat /boot/config-`uname -r` | grep CONFIG_DEBUG_INFO_BTF

tls command

capture tls text context. Step 1:

./ecapture tls --hex

Step 2:



# for installed libressl, is the dynamic ssl lib
vm@vm-server:~$ ldd /usr/local/bin/openssl (0x00007ffc82985000) => /usr/local/lib/ (0x00007f1730f9f000) => /usr/local/lib/ (0x00007f1730d8a000) => /lib/x86_64-linux-gnu/ (0x00007f1730b62000)
	/lib64/ (0x00007f17310b2000)

# use the libssl to config the path
vm@vm-server:~$ sudo ./ecapture tls --libssl="/usr/local/lib/" --hex

# in another terminal, use the command, then type some string, watch the output of ecapture
vm@vm-server:~$ /usr/local/bin/openssl s_client -connect

# for installed boringssl, usage is the same
/path/to/bin/bssl s_client -connect

bash command

capture bash command.

ps -ef | grep foo

What's eBPF


How to compile

Linux Kernel: >= 4.18.


  • golang 1.18 or newer
  • clang 9.0 or newer
  • cmake 3.18.4 or newer
  • clang backend: llvm 9.0 or newer
  • kernel config:CONFIG_DEBUG_INFO_BTF=y (Optional, 2022-04-17)



If you are using Ubuntu 20.04 or later versions, you can use a single command to complete the initialization of the compilation environment.

/bin/bash -c "$(curl -fsSL"

other Linux

In addition to the software listed in the 'Toolchain Version' section above, the following software is also required for the compilation environment. Please install it yourself.

  • linux-tools-common
  • linux-tools-generic
  • pkgconf
  • libelf-dev

Clone the repository code and compile it

git clone [email protected]:gojue/ecapture.git
cd ecapture

compile without BTF

eCapture support BTF disabled with command make nocore to compile at 2022/04/17. It can work normally even on Linux systems that do not support BTF.

make nocore
bin/ecapture --help

Stargazers over time

Stargazers over time


See CONTRIBUTING for details on submitting patches and the contribution workflow.

Popular Ebpf Projects
Popular Ssl Projects
Popular Software Performance Categories
Related Searches

Get A Weekly Email With Trending Projects For These Categories
No Spam. Unsubscribe easily at any time.
Security Audit