eCapture: Capture SSL/TLS Plaintext Without CA Certificates Using eBPF (Linux & Android)

Published: 19 May 2026
on channel: gojuecc

Are you tired of the complexity of analyzing encrypted traffic? Traditional methods like MITM (Man-in-the-Middle) proxies require installing CA certificates, while "hot-patching" can be intrusive and unstable for production environments.
Meet eCapture (旁观者) — a non-intrusive, zero-configuration solution built on eBPF. It captures SSL/TLS plaintext at the point where the application hands data to its TLS library, so no CA certificate has to be installed and no traffic has to be redirected through a proxy.
🌟 Why eCapture?
• Non-Intrusive: No need to modify binaries or restart services.
• Technological Edge: Supports Linux (4.18+ for x86_64, 5.5+ for aarch64) and Android.
• Modern Protocols: Full support for HTTP/1.0, 1.1, 2.0, and HTTP/3 (QUIC), as well as TLS 1.3.
• Dynamic Updates: Modify configurations via a built-in HTTP interface while running.
🛠️ How to Use (ROOT Permission Required)
1. OpenSSL / BoringSSL Module: capture plaintext as text, or export a pcapng for Wireshark analysis.
• Text Mode: sudo ecapture tls -m text
• Pcap Mode: sudo ecapture tls -m pcap -i eth0 --pcapfile=ecapture.pcapng
2. GoTLS Module: captures plaintext from Go programs that use TLS/HTTPS via the standard crypto/tls package (no dynamic OpenSSL to hook, so the Go binary itself is probed).
• Usage: sudo ecapture gotls --elfpath=/path/to/go_binary --hex
3. Android BoringSSL: capture HTTPS traffic on Android (arm64) devices; because capture happens inside the SSL library rather than on the wire, certificate pinning does not get in the way.
4. Other Audit Modules: eCapture also audits Bash/Zsh command lines and SQL queries for MySQL (5.6/5.7/8.0) and PostgreSQL (10+).
📈 Project Milestones
eCapture is a leading open-source security tool trusted by developers worldwide.
• ⭐ GitHub Stars: 15,000+
• 💻 Code Repository: https://github.com/gojue/ecapture
• 🌐 Official Website: https://ecapture.cc
Join the eCapture community and simplify your encrypted traffic analysis today!

#eBPF #SSL #TLS #CyberSecurity #Linux #Android #OpenSource #eCapture #Wireshark #Golang