eCapture is a tool that captures SSL/TLS plaintext without a CA certificate, using eBPF.

How eCapture works

  • SSL/TLS plaintext capture, supporting the openssl, libressl, boringssl, gnutls and nspr (nss) libraries.
  • bash audit: captures bash commands for host security auditing.
  • MySQL query audit: captures SQL queries on mysqld 5.6, 5.7 and 8.0, and on MariaDB.

eCapture Architecture

Getting started

Use the ELF binary

Download the ELF zip file from the releases, unzip it and run ./ecapture --help.

  • Linux kernel version >= 4.18
  • BTF (BPF Type Format) enabled (optional since 2022-04-17)

Check your server's BTF config:

cfc4n@vm-server:~$ uname -r
cfc4n@vm-server:~$ cat /boot/config-$(uname -r) | grep CONFIG_DEBUG_INFO_BTF

tls command

Capture TLS plaintext. Step 1:

./ecapture tls --hex

Step 2:

For an installed LibreSSL, find the dynamic SSL library the binary loads:
vm@vm-server:~$ ldd /usr/local/bin/openssl
        (0x00007ffc82985000)
         => /usr/local/lib/ (0x00007f1730f9f000)
         => /usr/local/lib/ (0x00007f1730d8a000)
         => /lib/x86_64-linux-gnu/ (0x00007f1730b62000)
        /lib64/ (0x00007f17310b2000)
Pass that libssl path to eCapture with --libssl:
vm@vm-server:~$ sudo ./ecapture tls --libssl="/usr/local/lib/" --hex
In another terminal, run the command below, type some text, and watch eCapture's output:
vm@vm-server:~$ /usr/local/bin/openssl s_client -connect
For an installed BoringSSL the usage is the same:
/path/to/bin/bssl s_client -connect
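The ldd step above, as an added example that is not part of eCapture: a POSIX shell helper that parses ldd output to pick out the libssl path and builds the matching --libssl command line. The ldd listing embedded in it is constructed (not captured from a real host), the function names are my own, and ecapture_cmd_for only prints the command instead of running it.

```shell
#!/bin/sh
# Added example (not part of eCapture): resolve the dynamic SSL library a
# program loads, so its path can be passed to `ecapture tls --libssl=...`.

# Read `ldd` output on stdin and print the path of the first libssl it lists.
# ldd prints one "name => path (load address)" line per dynamic library; a
# statically linked program (no libssl line) yields no output at all.
libssl_path_from_ldd() {
    awk '$1 ~ /^libssl\.so/ && $2 == "=>" { print $3; exit }'
}

# Compose the eCapture command line for a binary without running it.
ecapture_cmd_for() {
    lib="$(ldd "$1" 2>/dev/null | libssl_path_from_ldd)"
    if [ -z "$lib" ]; then
        echo "$1: no dynamic libssl found (statically linked, or not OpenSSL/LibreSSL)" >&2
        return 1
    fi
    printf 'sudo ./ecapture tls --libssl=%s --hex\n' "$lib"
}

# Constructed ldd output (not from a real host) for a LibreSSL build under
# /usr/local, in the layout the page's own ldd listing shows.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffc82985000)
    libssl.so.48 => /usr/local/lib/libssl.so.48 (0x00007f1730f9f000)
    libcrypto.so.46 => /usr/local/lib/libcrypto.so.46 (0x00007f1730d8a000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1730b62000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f17310b2000)'

# Path the parser extracts from the constructed sample.
sample_libssl_path() {
    printf '%s\n' "$SAMPLE_LDD" | libssl_path_from_ldd
}

echo "sample libssl path: $(sample_libssl_path)"
# With a binary path as argument, inspect the real program instead.
if [ $# -gt 0 ]; then ecapture_cmd_for "$1"; fi
```

Run it as `sh find-libssl.sh /usr/local/bin/openssl` to get the exact --libssl value for that binary; an empty result means ldd saw no libssl, which is the case for statically linked programs.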

bash command

Capture bash commands, for example:

ps -ef | grep foo

uprobe HOOK

openssl\libressl\boringssl hook

eCapture hooks the SSL_write and SSL_read functions of the shared library /lib/x86_64-linux-gnu/ to get the plaintext, and sends it to user space through eBPF maps.

Probes: []manager.Probe{
    {
        Section:          "uprobe/SSL_write",
        EbpfFuncName:     "probe_entry_SSL_write",
        AttachToFuncName: "SSL_write",
        //UprobeOffset:   0x386B0,
        BinaryPath:       "/lib/x86_64-linux-gnu/",
    },
    {
        Section:          "uretprobe/SSL_write",
        EbpfFuncName:     "probe_ret_SSL_write",
        AttachToFuncName: "SSL_write",
        //UprobeOffset:   0x386B0,
        BinaryPath:       "/lib/x86_64-linux-gnu/",
    },
    {
        Section:          "uprobe/SSL_read",
        EbpfFuncName:     "probe_entry_SSL_read",
        AttachToFuncName: "SSL_read",
        //UprobeOffset:   0x38380,
        BinaryPath:       "/lib/x86_64-linux-gnu/",
    },
    {
        Section:          "uretprobe/SSL_read",
        EbpfFuncName:     "probe_ret_SSL_read",
        AttachToFuncName: "SSL_read",
        //UprobeOffset:   0x38380,
        BinaryPath:       "/lib/x86_64-linux-gnu/",
    },
},
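A check worth running before these uprobes are attached, added here and not part of eCapture: confirm that the library named by --libssl (or the default BinaryPath above) actually exports SSL_write and SSL_read as defined text symbols, since a uprobe on a symbol the file does not define simply fails to attach. The nm -D listings embedded for the demo are constructed; check_library runs the real nm -D against a path you supply. Function names are my own.

```shell
#!/bin/sh
# Added example (not part of eCapture): verify that a library exports the
# symbols eCapture hooks (SSL_write, SSL_read) before attaching uprobes.

# Read `nm -D` (dynamic symbol table) output on stdin and print, sorted, the
# names from the argument list that are NOT exported as defined text symbols.
# nm -D lines look like "00000000000386b0 T SSL_write@@OPENSSL_1_1_0" for a
# versioned symbol or "0000000000038380 T SSL_read" for a plain one; an
# undefined reference has no address column ("                 U memcpy").
missing_symbols() {
    awk -v want="$*" '
        BEGIN { n = split(want, names, " "); for (i = 1; i <= n; i++) need[names[i]] = 1 }
        $2 == "T" || $2 == "W" { sub(/@.*/, "", $3); if ($3 in need) delete need[$3] }
        END { for (s in need) print s }' | sort
}

# Exit status 0 if the library at $1 exports every symbol in the remaining
# arguments; otherwise report the missing ones and return 1.
check_library() {
    lib="$1"; shift
    miss="$(nm -D --defined-only "$lib" 2>/dev/null | missing_symbols "$@")"
    if [ -n "$miss" ]; then
        echo "$lib does not export: $(echo "$miss" | tr '\n' ' ')" >&2
        return 1
    fi
}

# Constructed nm -D output (not from a real file): an OpenSSL-style libssl
# that defines the hooked symbols, using the offsets shown in the page's
# commented UprobeOffset fields.
SAMPLE_NM='0000000000038380 T SSL_read
00000000000386b0 T SSL_write@@OPENSSL_1_1_0
                 U memcpy@GLIBC_2.14
0000000000039000 T SSL_free'

# Constructed nm -D output for a library that is not libssl at all.
SAMPLE_GNUTLS_NM='0000000000041230 T gnutls_record_send
0000000000041560 T gnutls_record_recv'

echo "missing in sample libssl: [$(printf '%s\n' "$SAMPLE_NM" | missing_symbols SSL_read SSL_write)]"
echo "missing in sample gnutls: [$(printf '%s\n' "$SAMPLE_GNUTLS_NM" | missing_symbols SSL_read SSL_write | tr '\n' ' ')]"
# With a library path as argument, check the real file.
if [ $# -gt 0 ]; then check_library "$1" SSL_read SSL_write; fi
```

Run `sh check-symbols.sh /path/to/libssl.so.1.1` on the host; a non-zero exit with the missing names tells you the --libssl path points at a library these probes cannot hook (for example a GnuTLS or NSS build, which eCapture handles through different hooks).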

bash hook

Hooks the readline symbol of /bin/bash.

How to compile

Linux kernel: >= 4.18.

  • golang 1.16
  • clang 9.0.0
  • cmake 3.18.4
  • clang backend: llvm 9.0.0
  • kernel config: CONFIG_DEBUG_INFO_BTF=y (optional since 2022-04-17)


git clone
cd ecapture
make
bin/ecapture --help

compile without BTF

Since 2022-04-17 eCapture can be built without BTF support using make nocore.

make nocore
bin/ecapture --help
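The kernel-version and BTF checks from Getting started, combined with the build choice from this section, as an added POSIX shell example that is not part of eCapture. It assumes the default build target is plain make (the page only names make nocore), and that BTF is available when either CONFIG_DEBUG_INFO_BTF=y appears in /boot/config-$(uname -r) or the kernel exposes /sys/kernel/btf/vmlinux. Function names are my own.

```shell
#!/bin/sh
# Added example (not part of eCapture): check the requirements the Getting
# started section lists (kernel >= 4.18, BTF enabled) and pick the matching
# build: "make" (assumed default target) or "make nocore".

# Return 0 if a kernel release string such as "5.15.0-91-generic" is >= 4.18.
kernel_version_ok() {
    ver="${1%%-*}"           # drop the "-91-generic" style suffix
    major="${ver%%.*}"
    rest="${ver#*.}"
    minor="${rest%%.*}"
    [ "$major" -gt 4 ] && return 0
    [ "$major" -eq 4 ] && [ "$minor" -ge 18 ] && return 0
    return 1
}

# Return 0 if the kernel config file $1 has CONFIG_DEBUG_INFO_BTF=y, or if
# the running kernel exposes its BTF at $2 (defaults to the live sysfs path;
# tests pass a non-existent path so the result depends only on the file).
btf_available() {
    cfg="$1"; sysfs_btf="${2:-/sys/kernel/btf/vmlinux}"
    if [ -r "$cfg" ] && grep -q '^CONFIG_DEBUG_INFO_BTF=y' "$cfg"; then
        return 0
    fi
    [ -r "$sysfs_btf" ] && return 0
    return 1
}

# Print the make target to use given a kernel config file (and sysfs path).
make_target() {
    if btf_available "$1" "$2"; then echo "make"; else echo "make nocore"; fi
}

# Report on the live host when run as a script.
kver="$(uname -r)"
if kernel_version_ok "$kver"; then
    echo "kernel $kver: OK (>= 4.18)"
else
    echo "kernel $kver: too old, eCapture needs >= 4.18"
fi
echo "suggested build: $(make_target "/boot/config-$kver")"
```

The sysfs check matters on distributions that ship BTF but no /boot/config file for the running kernel; the config grep alone would wrongly send such a host to make nocore.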