ecapture: Capturing SSL/TLS plaintext without a CA certificate using eBPF


capture SSL/TLS text content without CA cert by eBPF. eBPF is a revolutionary technology with origins in the Linux kernel that can run sandboxed programs in an operating system kernel. It is used to safely and efficiently extend the capabilities of the kernel without requiring to change kernel source code or load kernel modules.

How eCapture works

  • SSL/TLS plaintext capture, support openssl\libressl\boringssl\gnutls\nspr(nss) libraries.
  • GoTLS plaintext support go tls library, which refers to encrypted communication in https/tls programs written in the golang language.
  • bash audit, capture bash command for Host Security Audit.
  • mysql query SQL audit, support mysqld 5.6\5.7\8.0, and mariadDB.



The eCapture tool comprises 8 modules that respectively support plaintext capture for TLS/SSL encryption libraries like OpenSSL, GnuTLS, NSPR, BoringSSL, and GoTLS. Additionally, it facilitates software audits for Bash, MySQL, and PostgreSQL applications.

  • bash capture bash command
  • gnutls capture gnutls text content without CA cert for gnutls libraries.
  • gotls Capturing plaintext communication from Golang programs encrypted with TLS/HTTPS.
  • mysqld capture sql queries from mysqld 5.6/5.7/8.0 .
  • nss capture nss/nspr encrypted text content without CA cert for nss/nspr libraries.
  • postgres capture sql queries from postgres 10+.
  • tls use to capture tls/ssl text content without CA cert. (Support openssl 1.0.x/1.1.x/3.0.x or newer). You can use ecapture -h to view the list of subcommands.

Install & Use

Copyright (C) 2022 cfc4n