Ecapture - Capture SSL/TLS Text Content Without CA Cert By eBPF

How eCapture works

  • SSL/TLS text context capture, support openssl\gnutls\nspr(nss) libraries.
  • bash audit, capture bash command for Host Security Audit.
  • mysql query SQL audit, support mysqld 5.6\5.7\8.0, and mariadDB.

eCapture Architecure

eCapture User Manual

Getting started

use ELF binary file

Download ELF zip file release , unzip and use by command ./ecapture --help.

check your server BTF config:

[email protected]:~$# uname -r4.18.0-305.3.1.el8.x86_64[email protected]:~$# cat /boot/config-`uname -r` | grep CONFIG_DEBUG_INFO_BTFCONFIG_DEBUG_INFO_BTF=y

tls command

capture tls text context. Step 1:

./ecapture tls --hex

Step 2:

curl https://github.com

bash command

capture bash command.

ps -ef | grep foo

What's eBPF


uprobe HOOK

openssl hook

eCapture hookSSL_write \ SSL_read function of shared library /lib/x86_64-linux-gnu/libssl.so.1.1. get text context, and send message to user space by eBPM map.

Probes: []*manager.Probe{    {        Section:          "uprobe/SSL_write",        EbpfFuncName:     "probe_entry_SSL_write",        AttachToFuncName: "SSL_write",        //UprobeOffset:     0x386B0,        BinaryPath: "/lib/x86_64-linux-gnu/libssl.so.1.1",    },    {        Section:          "uretprobe/SSL_write",        EbpfFuncName:     "probe_ret_SSL_write",        AttachToFuncName: "SSL_write",        //UprobeOffset:     0x386B0,        BinaryPath: "/lib/x86_64-linux-gnu/libssl.so.1.1",    },    {        Section:          "uprobe/SSL_read",        EbpfFuncName:     "probe_entry_SSL_read",        AttachToFuncName: "SSL_read",        //UprobeOffset:     0x38380,        BinaryPath: "/lib/x86_64-linux-gnu/libssl.so.1.1",    },    {        Section:          "uretprobe/SSL_read",        EbpfFuncName:     "probe_ret_SSL_read",        AttachToFuncNa   me: "SSL_read",        //UprobeOffset:     0x38380,        BinaryPath: "/lib/x86_64-linux-gnu/libssl.so.1.1",    },    /**/},

bash readline.so hook

hook /bin/bash readline symbol name.

How to compile

Linux Kernel: >= 4.18.


  • golang 1.16
  • gcc 10.3.0
  • clang 9.0.0
  • cmake 3.18.4
  • clang backend: llvm 9.0.0
  • pahole >= v1.13
  • kernel config:CONFIG_DEBUG_INFO_BTF=y (Optional, 2022-04-17)


git clone [email protected]:ehids/ecapture.gitcd ecapturemakebin/ecapture --help

compile without BTF

eCapture support NO BTF with command make nocore to compile on 2022/04/17.

make nocorebin/ecapture --help


See CONTRIBUTING for details on submitting patches and the contribution workflow.

Disqus Comments