ecapture
by gojue
eCapture captures SSL/TLS plaintext data without needing a CA certificate by leveraging eBPF on Linux and Android systems.
Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64.
Primary Use Case
This tool is primarily used by security analysts and system administrators to monitor and capture decrypted SSL/TLS traffic in real-time on Linux and Android devices without installing CA certificates. It is especially useful for auditing encrypted communications and commands on hosts running supported kernels and architectures.
- Captures SSL/TLS plaintext from multiple SSL libraries including OpenSSL, LibreSSL, BoringSSL, GnuTLS, and NSS
- Supports GoTLS plaintext capture for Go language TLS programs
- Host security audit by capturing bash and zsh shell commands
- MySQL and MariaDB query auditing for versions 5.6, 5.7, and 8.0
- Works on Linux and Android kernels (x86_64 4.18+ and aarch64 5.5+)
- Uses eBPF technology to capture data without requiring CA certificates
- Requires root permissions for operation
- Provides both ELF binaries and Docker images for deployment
Installation
- Download the ELF binary zip file from the GitHub releases page
- Unzip the downloaded ELF binary package
- Run the tool using sudo privileges, e.g., sudo ecapture --help
- Alternatively, pull the Docker image with: docker pull gojue/ecapture:latest
- Run the Docker container with privileged mode and network host: docker run --rm --privileged=true --net=host -v ${HOST_PATH}:${CONTAINER_PATH} gojue/ecapture ARGS
Usage
- sudo ecapture tls: starts capturing SSL/TLS plaintext traffic using eCapture with root privileges.
- Leverages eBPF for low-overhead, real-time plaintext capture without requiring CA certificates, enabling stealthy monitoring.
- Ideal for blue teams to audit encrypted traffic and detect suspicious command execution on Linux/Android hosts.
- Can be integrated into purple team exercises to validate detection capabilities against encrypted traffic interception.
- Root permission requirement suggests deployment in controlled environments or hardened hosts to minimize risk.
- Consider combining with SIEM tools to automate alerting on suspicious captured plaintext data or commands.