# eCapture — eBPF-Based SSL/TLS Plaintext Capture

> Capture SSL/TLS plaintext without CA certificates using eBPF on Linux and Android.

## Quick Use

```bash
# Download latest release
wget https://github.com/gojue/ecapture/releases/latest/download/ecapture-linux-amd64.tar.gz
tar xzf ecapture-linux-amd64.tar.gz

# Capture TLS plaintext from OpenSSL
sudo ./ecapture tls
```

## Introduction

eCapture is an eBPF-based tool that captures SSL/TLS plaintext without requiring CA certificates or changes to application code. It attaches eBPF probes to user-space SSL libraries (OpenSSL, GnuTLS, NSS, BoringSSL) and intercepts data at the library boundary: before encryption on the write path and after decryption on the read path.

## What eCapture Does

- Captures HTTPS plaintext traffic without installing custom CA certificates
- Supports the OpenSSL, GnuTLS, NSS, and BoringSSL libraries
- Runs on Linux (amd64/arm64) and Android kernels
- Captures bash command audit logs and DNS queries via eBPF
- Exports captured data as pcapng files for Wireshark analysis

## Architecture Overview

eCapture attaches eBPF uprobes (and, for some modes, kprobes) to the SSL/TLS library functions of a running process. On the write path a uprobe on `SSL_write` sees the caller's buffer before the library encrypts it; on the read path a uretprobe on `SSL_read` sees the output buffer after the library has decrypted it. The eBPF program copies that plaintext, together with process metadata, into a perf event ring buffer, and a user-space Go process reads the events and reconstructs sessions. Because the probes sit at the library level, no kernel TLS change, key export, or MITM proxy is needed, and the TLS session itself is left untouched.
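To make the library-boundary point concrete, the following is an added example; it is not eCapture's code and contains no eBPF. It stages both observation points in a single Go process: a tap on the transport beneath a TLS connection, which is all tcpdump ever gets, and a tap at the point where the application hands buffers to the TLS library, which is where eCapture's `SSL_write` uprobe and `SSL_read` uretprobe sit. The in-process server, its self-signed certificate for the hypothetical host `example.test`, and the in-memory `net.Pipe` transport are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// wireTap records every byte the client's transport carries: the view tcpdump gets.
type wireTap struct {
	net.Conn
	seen *bytes.Buffer
}

func (w wireTap) Read(p []byte) (int, error) {
	n, err := w.Conn.Read(p)
	w.seen.Write(p[:n])
	return n, err
}

func (w wireTap) Write(p []byte) (int, error) {
	w.seen.Write(p)
	return w.Conn.Write(p)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned builds a throwaway certificate for the hypothetical host "example.test".
func selfSigned() (tls.Certificate, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, must(x509.ParseCertificate(der))
}

// RunExchange sends request to an in-process TLS server and reads response. It returns
// the bytes seen at the TLS library boundary (where eCapture probes) and on the wire.
func RunExchange(request, response []byte) ([]byte, []byte, error) {
	cert, leaf := selfSigned()
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	// net.Pipe is synchronous, so session tickets are disabled: a NewSessionTicket
	// the client never reads would otherwise deadlock the server's handshake write
	// against the client's first application-data write.
	clientRaw, serverRaw := net.Pipe()
	var wireBuf, plainBuf bytes.Buffer
	server := tls.Server(serverRaw, &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true})
	client := tls.Client(wireTap{clientRaw, &wireBuf}, &tls.Config{ServerName: "example.test", RootCAs: pool})
	errc := make(chan error, 1)
	go func() {
		_, err := server.Read(make([]byte, 4096))
		if err == nil {
			_, err = server.Write(response)
		}
		errc <- err
	}()
	// uprobe on SSL_write entry: the argument buffer is plaintext, not yet encrypted.
	plainBuf.Write(request)
	if _, err := client.Write(request); err != nil {
		return nil, nil, err
	}
	buf := make([]byte, 4096)
	n, err := client.Read(buf)
	if err != nil {
		return nil, nil, err
	}
	// uretprobe on SSL_read return: the output buffer now holds the decrypted data.
	plainBuf.Write(buf[:n])
	if err := <-errc; err != nil {
		return nil, nil, err
	}
	return plainBuf.Bytes(), wireBuf.Bytes(), nil
}

func main() {
	plain, wire, err := RunExchange([]byte("GET /secret HTTP/1.1\r\nHost: example.test\r\n\r\n"), []byte("HTTP/1.1 200 OK\r\n\r\ntoken"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("library boundary saw %d bytes:\n%s\nwire saw %d bytes, request visible: %v\n",
		len(plain), plain, len(wire), bytes.Contains(wire, []byte("GET /secret")))
}
```

Running it prints the request and response exactly as the library boundary saw them and reports that the request string is absent from the wire bytes; the ClientHello still carries the server name in the clear, which is about all a packet capture learns here. That asymmetry is the whole reason eCapture can emit plaintext without touching keys or certificates.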
## Self-Hosting & Configuration

- Requires Linux kernel 4.18+ with BTF support (or an Android kernel with eBPF enabled)
- Run as root, or with the CAP_SYS_ADMIN and CAP_BPF capabilities
- Use `--hex` to display raw hex output of captured data
- Filter by PID with `--pid` or by UID with `--uid`
- Write pcapng files with `--pcapfile` for offline Wireshark analysis

## Key Features

- Zero-config TLS capture: no CA import, no app restart, no code changes
- Automatic detection of the SSL library version on the target system
- Android support for capturing HTTPS on mobile devices
- Bash audit mode records each command line as bash's `readline` returns it (a uretprobe on the bash binary, not a keystroke logger)
- DNS capture mode intercepts plaintext DNS queries at the resolver level

## Comparison with Similar Tools

- **mitmproxy** requires a proxy configuration and a CA certificate trusted by the client; eCapture needs neither
- **Wireshark with SSLKEYLOGFILE** requires the application to export its session keys; eCapture works without the application's cooperation
- **tcpdump** captures only ciphertext; eCapture captures the plaintext on the application side of the TLS layer
- **PolarProxy** terminates TLS as a proxy; eCapture observes the existing session through eBPF without terminating it

## FAQ

**Q: Does eCapture decrypt traffic?**
A: No. It reads the plaintext at the SSL library boundary, before encryption on write and after decryption on read, so it never has to break or weaken TLS itself.

**Q: Does it work with statically linked binaries?**
A: It works best with dynamically linked SSL libraries, where the probe attaches to the shared object. For statically linked binaries the hooked functions must still be locatable as symbols in the executable, so support depends on the build. Go programs using crypto/tls are handled by a separate `gotls` mode that probes the Go TLS functions directly; it needs the Go symbol table, so a binary stripped with `-ldflags="-s -w"` cannot be hooked this way.

**Q: Is BTF required?**
A: BTF (BPF Type Format) is recommended for portable CO-RE operation. Without BTF, you need a non-CO-RE build of eCapture compiled for your specific kernel version.

**Q: Can it capture traffic from containers?**
A: Yes. eBPF probes run in the kernel, so eCapture on the host can capture from containerized applications when run with the privileges above. One caveat: a uprobe attaches to a specific library file (an inode), and a container image carries its own copy of libssl, so point eCapture at that copy (for example via the container's root under `/proc/<pid>/root/...` with the `--libssl` option) rather than at the host's library, and use `--pid` to narrow the capture.
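The prerequisites listed under Self-Hosting & Configuration, together with the BTF and container questions above, are easy to verify before the first run. The following preflight is an added example and not part of eCapture: it parses a `uname -r` style release string, extracts the `CapEff` mask from the text of `/proc/self/status`, and checks for `/sys/kernel/btf/vmlinux`. The capability bit numbers come from the kernel's capability.h. It checks CAP_PERFMON in addition to the two capabilities named above because uprobes are attached through perf_event_open(), which the kernel gates on CAP_PERFMON or CAP_SYS_ADMIN; running as root satisfies every check.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Capability bit numbers from the kernel's include/uapi/linux/capability.h.
const (
	CapSysAdmin = 21
	CapPerfmon  = 38
	CapBPF      = 39
)

// Check is one preflight result.
type Check struct {
	Name string
	OK   bool
}

// leadingInt parses the run of digits at the start of s ("15-rc3" -> 15).
func leadingInt(s string) (int, bool) {
	i := 0
	for i < len(s) && s[i] >= '0' && s[i] <= '9' {
		i++
	}
	n, err := strconv.Atoi(s[:i])
	return n, err == nil
}

// ParseKernelRelease extracts major and minor from a uname -r string such as
// "5.15.0-91-generic" or "6.1.0-rc3".
func ParseKernelRelease(release string) (major, minor int, ok bool) {
	parts := strings.SplitN(release, ".", 3)
	if len(parts) < 2 {
		return 0, 0, false
	}
	if major, ok = leadingInt(parts[0]); !ok {
		return 0, 0, false
	}
	if minor, ok = leadingInt(parts[1]); !ok {
		return 0, 0, false
	}
	return major, minor, true
}

// KernelAtLeast reports whether release is at least reqMajor.reqMinor.
func KernelAtLeast(release string, reqMajor, reqMinor int) bool {
	major, minor, ok := ParseKernelRelease(release)
	return ok && (major > reqMajor || (major == reqMajor && minor >= reqMinor))
}

// CapEffFromStatus pulls the effective capability mask out of the text of
// /proc/<pid>/status (the "CapEff:" line, a 64-bit hex value).
func CapEffFromStatus(status string) (uint64, bool) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		if v, found := strings.CutPrefix(sc.Text(), "CapEff:"); found {
			mask, err := strconv.ParseUint(strings.TrimSpace(v), 16, 64)
			return mask, err == nil
		}
	}
	return 0, false
}

// HasCap reports whether capability number bit is set in mask.
func HasCap(mask uint64, bit uint) bool {
	return mask&(1<<bit) != 0
}

// Preflight evaluates the prerequisites against the given inputs. The kernel
// gates bpf() on CAP_BPF or CAP_SYS_ADMIN and perf_event_open() (used to attach
// uprobes) on CAP_PERFMON or CAP_SYS_ADMIN, so root passes both.
func Preflight(release, status string, btfPresent bool) []Check {
	mask, haveMask := CapEffFromStatus(status)
	has := func(bit uint) bool { return haveMask && HasCap(mask, bit) }
	return []Check{
		{"kernel 4.18 or newer (" + release + ")", KernelAtLeast(release, 4, 18)},
		{"BTF at /sys/kernel/btf/vmlinux (CO-RE build usable)", btfPresent},
		{"bpf(): CAP_BPF or CAP_SYS_ADMIN", has(CapBPF) || has(CapSysAdmin)},
		{"perf_event_open() for uprobes: CAP_PERFMON or CAP_SYS_ADMIN", has(CapPerfmon) || has(CapSysAdmin)},
	}
}

func main() {
	release, _ := os.ReadFile("/proc/sys/kernel/osrelease")
	status, _ := os.ReadFile("/proc/self/status")
	_, err := os.Stat("/sys/kernel/btf/vmlinux")
	for _, c := range Preflight(strings.TrimSpace(string(release)), string(status), err == nil) {
		state := "MISSING"
		if c.OK {
			state = "ok"
		}
		fmt.Printf("[%-7s] %s\n", state, c.Name)
	}
}
```

A "MISSING" on the BTF line does not block eCapture, it only means the CO-RE build will not load and a kernel-specific build is required; a "MISSING" on either capability line means the probes cannot be attached at all until the process is run as root or granted those capabilities.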
## Sources

- https://github.com/gojue/ecapture
- https://ecapture.cc

---

Source: https://tokrepo.com/en/workflows/asset-00f7dd8e
Author: Script Depot