[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-6114":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":10,"rankLanguage":10,"license":22,"archived":23,"fork":23,"defaultBranch":24,"hasWiki":25,"hasPages":25,"topics":26,"createdAt":10,"pushedAt":10,"updatedAt":42,"readmeContent":43,"aiSummary":44,"trendingCount":16,"starSnapshotCount":16,"syncStatus":45,"lastSyncTime":46,"discoverSource":47},6114,"ecapture","gojue\u002Fecapture","gojue","Capturing SSL\u002FTLS plaintext without a CA certificate using eBPF. Supported on Linux\u002FAndroid kernels for amd64\u002Farm64.","https:\u002F\u002Fecapture.cc",null,"C",15236,1611,102,11,0,10,21,81,35,44.62,"Apache License 2.0",false,"master",true,[27,28,29,30,31,32,33,34,35,36,37,38,39,40,41],"android","android-https-capture","ebpf","ebpf-go","ebpf-tc","ebpf-uprobe","golang","https","linux","network-capture","security-audit","ssl","ssldump","tcpdump","tls","2026-06-12 02:01:16","\u003Cimg src=\".\u002Fimages\u002Fecapture-logo.png\" alt=\"eCapture Logo\" width=\"300\" height=\"300\"\u002F>\n\n[汉字](README-zh_Hans.md) | English \n\n[![GitHub stars](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fstars\u002Fgojue\u002Fecapture.svg?label=Stars&logo=github)](https:\u002F\u002Fgithub.com\u002Fgojue\u002Fecapture)\n[![GitHub 
forks](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fforks\u002Fgojue\u002Fecapture?label=Forks&logo=github)](https:\u002F\u002Fgithub.com\u002Fgojue\u002Fecapture)\n[![CI](https:\u002F\u002Fgithub.com\u002Fgojue\u002Fecapture\u002Factions\u002Fworkflows\u002Fcodeql-analysis.yml\u002Fbadge.svg)](https:\u002F\u002Fgithub.com\u002Fgojue\u002Fecapture\u002Factions\u002Fworkflows\u002Fcode-analysis.yml)\n[![Github Version](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fv\u002Frelease\u002Fgojue\u002Fecapture?display_name=tag&include_prereleases&sort=semver)](https:\u002F\u002Fgithub.com\u002Fgojue\u002Fecapture\u002Freleases)\n\n### eCapture(旁观者): capture SSL\u002FTLS text content without a CA certificate using eBPF.\n\n> [!IMPORTANT]  \n> Supports Linux\u002FAndroid kernel versions x86_64 4.18 and above, **aarch64 5.5** and above.\n> Need ROOT permission or specific [Linux capabilities](docs\u002Fminimum-privileges.md).\n> Does not support Windows and macOS system.\n\n----\n\n\u003C!-- MarkdownTOC autolink=\"true\" -->\n- [Introduction](#introduction)\n- [Getting started](#getting-started)\n  - [Download](#download)\n    - [ELF binary file](#elf-binary-file)\n    - [Docker image](#docker-image)\n  - [Capture openssl text content.](#capture-openssl-text-content)\n  - [Modules](#modules)\n    - [OpenSSL Module](#openssl-module)\n    - [GoTLS Module](#gotls-module)\n    - [Other Modules](#bash-module)\n  - [Videos](#videos)\n- [Security & Operations](#security--operations)\n- [Contributing](#contributing)\n- [Compilation](#compilation)\n\u003C!-- \u002FMarkdownTOC -->\n\n# Introduction\n\n* SSL\u002FTLS plaintext capture, support openssl\\libressl\\boringssl\\gnutls\\nspr(nss) libraries.\n* GoTLS plaintext support go tls library, which refers to encrypted communication in https\u002Ftls programs written in the golang language.\n* Bash audit, capture bash command for Host Security Audit.\n* Zsh audit, capture zsh command for Host Security Audit.\n* MySQL query SQL 
audit, support mysqld 5.6\\5.7\\8.0, and MariaDB.\n\n![](.\u002Fimages\u002Fecapture-help-v0.8.9.svg)\n\n# Getting started\n\n## Download\n\n### ELF binary file\n\n> [!TIP]\n> support Linux\u002FAndroid x86_64\u002Faarch64.\n\nDownload ELF zip file [release](https:\u002F\u002Fgithub.com\u002Fgojue\u002Fecapture\u002Freleases) , unzip and use by\ncommand `sudo ecapture --help`.\n\n### Docker image\n\n> [!TIP]\n> Linux only.\n\n```shell\n# pull docker image\ndocker pull gojue\u002Fecapture:latest\n# run\ndocker run --rm --privileged=true --net=host -v ${HOST_PATH}:${CONTAINER_PATH} gojue\u002Fecapture ARGS\n```\n\n> **⚠️ Security Note**: `--privileged=true` grants full host access. For production use, consider specific capabilities instead. See [Minimum Privileges Guide](docs\u002Fminimum-privileges.md#method-3-docker-with-specific-capabilities).\n\nsee [Docker Hub](https:\u002F\u002Fhub.docker.com\u002Fr\u002Fgojue\u002Fecapture) for more information.\n\n## Capture openssl text content.\n\n```shell\nsudo ecapture tls\n```\n\neCapture will automatically detect the system's OpenSSL library and start capturing plaintext. When you make an HTTPS request (e.g., `curl https:\u002F\u002Fgoogle.com`), the captured request and response will be displayed:\n\n```\n...\nINF module started successfully. moduleName=EBPFProbeOPENSSL\n??? UUID:233851_233851_curl_5_1_172.16.71.1:51837, Name:HTTP2Request, Type:2, Length:304\nheader field \":method\" = \"GET\"\nheader field \":path\" = \"\u002F\"\nheader field \":authority\" = \"google.com\"\n...\n```\n\n> 📄 For complete output examples, see [docs\u002Fexample-outputs.md](docs\u002Fexample-outputs.md).\n\n## Modules\nThe eCapture tool comprises 8 modules that respectively support plaintext capture for TLS\u002FSSL encryption libraries like OpenSSL, GnuTLS, NSPR, BoringSSL, and GoTLS. 
Additionally, it facilitates software audits for Bash, MySQL, and PostgreSQL applications.\n* bash\t\tcapture bash command\n* zsh\t\tcapture zsh command\n* gnutls\tcapture gnutls text content without CA cert for gnutls libraries.\n* gotls\t\tCapturing plaintext communication from Golang programs encrypted with TLS\u002FHTTPS.\n* mysqld\tcapture sql queries from mysqld 5.6\u002F5.7\u002F8.0 .\n* nss\t\tcapture nss\u002Fnspr encrypted text content without CA cert for nss\u002Fnspr libraries.\n* postgres\tcapture sql queries from postgres 10+.\n* tls\t\tuse to capture tls\u002Fssl text content without CA cert. (Support openssl 1.0.x\u002F1.1.x\u002F3.0.x or newer).\n  You can use `ecapture -h` to view the list of subcommands.\n\n### OpenSSL Module\n\nBy default, eCapture reads the `\u002Fetc\u002Fld.so.conf` file to find the load directories of `SO` files and locate the `openssl` shared\nlibrary. Alternatively, you can use the `--libssl`\nflag to set the shared library path.\n\nIf the target program is statically compiled, you can set the program path directly as the `--libssl` flag value.\n\nThe OpenSSL module supports three capture modes:\n\n- `pcap`\u002F`pcapng` mode stores captured plaintext data in `pcap-NG` format.\n- `keylog`\u002F`key` mode saves the TLS handshake keys to a file.\n- `text` mode directly captures plaintext data, either outputting to a specified file or printing to the command line.\n\n#### Pcap Mode\n\nSupports TLS-encrypted HTTP `1.0\u002F1.1\u002F2.0` over TCP, and the HTTP\u002F3 `QUIC` protocol over UDP.\nYou can specify `-m pcap` or `-m pcapng` and use it in conjunction with `--pcapfile` and `-i` parameters. 
The default value for `--pcapfile` is `ecapture_openssl.pcapng`.\n\n```shell\nsudo ecapture tls -m pcap -i eth0 --pcapfile=ecapture.pcapng tcp port 443\n```\n\nThis command saves captured plaintext data packets as a pcapng file, which can be viewed using `Wireshark`.\n\n> 📄 For complete pcapng mode output, see [docs\u002Fexample-outputs.md](docs\u002Fexample-outputs.md#tls-module--pcapng-mode).\n\n#### Keylog Mode\n\nYou can specify `-m keylog` or `-m key` and use it in conjunction with the `--keylogfile` parameter, which defaults to `ecapture_masterkey.log`.\n\nThe captured OpenSSL TLS `Master Secret` information is saved to `--keylogfile`. You can also enable `tcpdump` packet capture and then use `Wireshark` to open the file and set the `Master Secret` path to view plaintext data packets.\n\n```shell\nsudo ecapture tls -m keylog --keylogfile=openssl_keylog.log\n```\n\nYou can also directly use the `tshark` software for real-time decryption and display:\n\n```shell\ntshark -o tls.keylog_file:ecapture_masterkey.log -Y http -T fields -e http.file_data -f \"port 443\" -i eth0\n```\n\n#### Text Mode\n\n`sudo ecapture tls -m text` will output all plaintext data packets. 
(Starting from v0.7.0, it no longer captures\nSSLKEYLOG information.)\n\n### GoTLS Module\n\nSimilar to the OpenSSL module.\n\n#### gotls command\n\nCapture TLS text content.\n\nStep 1:\n```shell\nsudo ecapture gotls --elfpath=\u002Fhome\u002Fcfc4n\u002Fgo_https_client --hex\n```\n\nStep 2:\n```shell\n\u002Fhome\u002Fcfc4n\u002Fgo_https_client\n```\n\n#### more help\n```shell\nsudo ecapture gotls -h\n```\n\n### Other Modules\n\nFor other modules, such as `bash\\mysqld\\postgres`, you can use `ecapture -h` to view the list of subcommands.\n\n## Videos\n\n* Youtube video: [How to use eCapture v0.1.0](https:\u002F\u002Fwww.youtube.com\u002Fwatch?v=CoDIjEQCvvA \"eCapture User Manual\")\n* [eCapture:supports capturing plaintext of Golang TLS\u002FHTTPS traffic](https:\u002F\u002Fmedium.com\u002F@cfc4ncs\u002Fecapture-supports-capturing-plaintext-of-golang-tls-https-traffic-f16874048269)\n\n\n## eCaptureQ GUI Application\n\n[eCaptureQ](https:\u002F\u002Fgithub.com\u002Fgojue\u002Fecaptureq) is a cross-platform graphical user interface client for eCapture,\nvisualizing eBPF TLS capture\ncapabilities. Built using the Rust + Tauri + React technology stack, it provides a real-time, responsive interface,\nenabling easy analysis of encrypted traffic without the need for CA certificates. It simplifies complex eBPF capture\ntechniques, making them easy to use. 
Supports two modes:\n\n* Integrated Mode: Unified Linux\u002FAndroid execution\n* Remote Mode: Windows\u002FmacOS\u002FLinux client connects to a remote eCapture service\n\n### Event Forwarding\n[Event Forwarding Projects](.\u002FEVENT_FORWARD.md)\n\n### Video Demonstration\n\nhttps:\u002F\u002Fgithub.com\u002Fuser-attachments\u002Fassets\u002Fc8b7a84d-58eb-4fdb-9843-f775c97bdbfb\n\n🔗 [GitHub Repository](https:\u002F\u002Fgithub.com\u002Fgojue\u002Fecaptureq)\n\n### Protobuf Protocols\n\nFor details of the Protobuf log schema used by eCapture\u002FeCaptureQ, see:\n\n- [protobuf\u002FPROTOCOLS.md](.\u002Fprotobuf\u002FPROTOCOLS.md)\n\n## Stargazers over time\n[![Stargazers over time](https:\u002F\u002Fstarchart.cc\u002Fgojue\u002Fecapture.svg)](https:\u002F\u002Fstarchart.cc\u002Fgojue\u002Fecapture)\n\n# Security & Operations\n\n- [**Security Policy**](SECURITY.md) — Vulnerability reporting and supported versions\n- [**Minimum Privileges**](docs\u002Fminimum-privileges.md) — Required Linux capabilities and least-privilege configuration\n- [**Defense & Detection**](docs\u002Fdefense-detection.md) — How to detect and defend against unauthorized usage\n- [**Performance Benchmarks**](docs\u002Fperformance-benchmarks.md) — Overhead measurement methodology and expected characteristics\n- [**Release Verification**](docs\u002Frelease-verification.md) — How to verify the integrity of release artifacts\n\n# Contributing\nSee [CONTRIBUTING](.\u002FCONTRIBUTING.md) for details on submitting patches and the contribution workflow.\n\n# Compilation\n## Custom Compilation\n\nYou can customize the features you want, such as setting the offset address for `uprobe` to support statically compiled OpenSSL libraries. Refer to the [compilation guide](.\u002Fdocs\u002Fcompilation.md) for compilation instructions.\n\n## Configurations Remote Update\n\nAfter eCapture is running, you can dynamically modify the configurations through HTTP interfaces. 
Refer to the [HTTP API Documentation](.\u002Fdocs\u002Fremote-config-update-api.md).\n\n## Event Forwarding\n\neCapture supports multiple event forwarding methods. You can forward events to packet capture software such as Burp Suite. For details, refer to the [Event Forwarding API Documentation](.\u002Fdocs\u002Fevent-forward-api.md).\n\n## Acknowledgements\n\nThis project is supported by a [JetBrains IDE](https:\u002F\u002Fwww.jetbrains.com) license. We thank JetBrains for their\ncontributions to the open-source community.\n\n![JetBrains logo](https:\u002F\u002Fresources.jetbrains.com\u002Fstorage\u002Fproducts\u002Fcompany\u002Fbrand\u002Flogos\u002Fjetbrains.svg)\n","eCapture is a tool that uses eBPF to capture SSL\u002FTLS plaintext without a CA certificate, supporting Linux and Android kernels on the amd64\u002Farm64 architectures. Its core features include SSL\u002FTLS plaintext capture for the OpenSSL, LibreSSL, BoringSSL, GnuTLS and NSS libraries, as well as support for the Go TLS library, along with Bash\u002FZsh command auditing and MySQL query SQL auditing. The tool suits scenarios such as network security auditing and encrypted communication analysis, and requires ROOT privileges or specific Linux capabilities to run.",2,"2026-06-11 03:05:43","top_language"]