Scripts · May 10, 2026 · 3 min read

eCapture — eBPF-Based SSL/TLS Plaintext Capture

Capture SSL/TLS plaintext without CA certificates using eBPF on Linux and Android.

Introduction

eCapture is an eBPF-based tool that captures SSL/TLS plaintext content without requiring CA certificates or modifying application code. It works by attaching eBPF probes to user-space SSL libraries (OpenSSL, GnuTLS, NSS, BoringSSL), intercepting data before encryption or after decryption at the library boundary.

What eCapture Does

  • Captures HTTPS plaintext traffic without installing custom CA certificates
  • Supports OpenSSL, GnuTLS, NSS, and BoringSSL libraries
  • Runs on both Linux (amd64/arm64) and Android kernels
  • Captures bash command audit logs and DNS queries via eBPF
  • Exports captured data as pcapng files for Wireshark analysis

Architecture Overview

eCapture uses eBPF uprobe and kprobe programs attached to SSL/TLS library functions in user space. When an application calls SSL_read or SSL_write, the eBPF program copies the plaintext buffer to a perf event ring buffer. A user-space Go process reads from this buffer and reconstructs sessions. Since probes attach at the library level, no kernel TLS changes or MITM proxy is needed.
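Because this design hooks user-space TLS libraries with uprobes, a defender can audit a host for such hooks by listing the perf events that currently carry BPF programs. The Python below is an added example, not eCapture's own code: it parses the line format of `bpftool perf list` (as documented in the bpftool man page) and flags uprobes or uretprobes attached to the TLS libraries the page names; the library file-name prefixes and the sample output are constructed assumptions.

```python
import re

# File-name prefixes for the libraries eCapture hooks (OpenSSL, GnuTLS, NSS,
# BoringSSL). These are assumed typical Linux names, not values from the tool.
TLS_LIB_PREFIXES = ("libssl", "libcrypto", "libgnutls", "libnss3", "libboringssl")

# One line of `bpftool perf list` looks like:
#   pid 21767  fd 5: prog_id 8  uprobe  filename /home/user/a.out  offset 1159
PERF_LINE = re.compile(
    r"pid\s+(?P<pid>\d+)\s+fd\s+(?P<fd>\d+):\s+prog_id\s+(?P<prog>\d+)\s+"
    r"(?P<kind>\w+)(?:\s+(?P<rest>.*))?$"
)


def parse_perf_line(line):
    """Parse a single bpftool perf line into a dict, or None if it does not match."""
    m = PERF_LINE.match(line.strip())
    if not m:
        return None
    rest = m["rest"] or ""
    fname = re.search(r"filename\s+(\S+)", rest)
    off = re.search(r"offset\s+(\d+)", rest)
    return {
        "pid": int(m["pid"]),
        "prog_id": int(m["prog"]),
        "kind": m["kind"],
        "filename": fname.group(1) if fname else None,
        "offset": int(off.group(1)) if off else None,
    }


def find_tls_uprobes(perf_output):
    """Return records for uprobes/uretprobes whose target file is a TLS library."""
    hits = []
    for line in perf_output.splitlines():
        rec = parse_perf_line(line)
        if rec is None or rec["kind"] not in ("uprobe", "uretprobe"):
            continue
        basename = (rec["filename"] or "").rsplit("/", 1)[-1]
        if basename.startswith(TLS_LIB_PREFIXES):
            hits.append(rec)
    return hits


# Constructed sample output; a real run would capture `bpftool perf list` as root.
SAMPLE = """\
pid 21711  fd 5: prog_id 5  kprobe  func __x64_sys_write  offset 0
pid 21765  fd 5: prog_id 7  tracepoint  sys_enter_write
pid 30412  fd 6: prog_id 12  uprobe  filename /usr/lib/x86_64-linux-gnu/libssl.so.3  offset 145696
pid 30412  fd 7: prog_id 13  uretprobe  filename /usr/lib/x86_64-linux-gnu/libssl.so.3  offset 145696
pid 30412  fd 8: prog_id 14  uprobe  filename /usr/lib/x86_64-linux-gnu/libgnutls.so.30  offset 88320
pid 31000  fd 5: prog_id 20  uprobe  filename /opt/app/bin/server  offset 4608
"""

if __name__ == "__main__":
    for h in find_tls_uprobes(SAMPLE):
        print(f"pid {h['pid']} prog {h['prog_id']} {h['kind']} on {h['filename']}")
```

A hit is not proof of eCapture specifically, since legitimate observability tools use the same mechanism; it is the starting point for checking which process owns the listed pid.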

Self-Hosting & Configuration

  • Requires Linux kernel 4.18+ with BTF support (or Android kernel with eBPF)
  • Run as root or with CAP_SYS_ADMIN and CAP_BPF capabilities
  • Use --hex flag to display raw hex output of captured data
  • Filter by PID with --pid or by UID with --uid
  • Output pcapng files with --pcapfile for offline Wireshark analysis

Key Features

  • Zero-config TLS capture: no CA import, no app restart, no code changes
  • Automatic detection of the SSL library version on the target system
  • Android support for capturing HTTPS on mobile devices
  • Bash audit mode captures terminal input keystrokes via eBPF
  • DNS capture mode intercepts plaintext DNS queries at the resolver level

Comparison with Similar Tools

  • mitmproxy — requires proxy setup and CA certificate installation; eCapture needs neither
  • Wireshark with SSLKEYLOGFILE — requires app cooperation to export keys; eCapture works transparently
  • tcpdump — captures encrypted ciphertext only; eCapture captures plaintext
  • PolarProxy — TLS termination proxy approach; eCapture is non-intrusive via eBPF

FAQ

Q: Does eCapture decrypt traffic? A: No. It intercepts plaintext data at the SSL library boundary before encryption (on write) or after decryption (on read), so it never breaks TLS itself.

Q: Does it work with statically linked binaries? A: It works best with dynamically linked SSL libraries. For statically compiled binaries (like some Go apps using crypto/tls), support depends on the specific build configuration.

Q: Is BTF required? A: BTF (BPF Type Format) is recommended for portable CO-RE operation. Without BTF, you may need to compile eCapture for your specific kernel version.

Q: Can it capture traffic from containers? A: Yes. Since the eBPF probes are installed through the host kernel rather than inside the container, eCapture can capture traffic from containerized applications as long as it runs on the host with appropriate privileges.
