Supported Platforms and Versions ​

eCapture is designed for modern Linux environments, leveraging eBPF (Extended Berkeley Packet Filter) to intercept plaintext traffic. Because eBPF features are tightly coupled with the Linux kernel, support is determined primarily by kernel version and architecture rather than specific distribution names.

OS and Architecture Support ​

eCapture supports the following operating systems and CPU architectures. It specifically does not support Windows or macOS, as these systems lack the standard Linux eBPF subsystem.

Platform Verification List ​

The following distributions are regularly verified via CI or manual testing:

• Ubuntu: 20.04, 22.04, 24.04 builder/init_env.sh:18-35
• CentOS / RHEL: 8.x and above (Kernels 4.18+)
• Debian: 10 and above
• Android: Android 13, 14, 15, and 16 (BoringSSL specific hooks) variables.mk:190-193

Architecture and Code Mapping ​

The following diagram illustrates how platform-specific logic is branched within the Go userspace and the eBPF kernel space.

Platform Logic Dispatch ​

Title: Platform-Specific Entity Mapping

Sources: internal/probe/openssl/config_linux.go:40-75, internal/probe/openssl/config_ecandroid.go:89-105, variables.mk:147-166

CO-RE vs. Non-CO-RE Modes ​

eCapture provides two runtime modes to handle kernel compatibility:

1. CO-RE (Compile Once – Run Everywhere):
   • Requirement: Kernel must be compiled with CONFIG_DEBUG_INFO_BTF=y.
   • Mechanism: Uses BPF Type Format (BTF) to relocate struct offsets at load time.
   • Binary: Uses the standard .o files embedded in the binary.
2. Non-CO-RE:
   • Requirement: Used when BTF is unavailable (common in older 4.18+ kernels).
   • Mechanism: Compiles/links specifically for the target kernel's headers.
   • Binary: Uses .nocore variants generated during the build process variables.mk:233.

Feature Differences by Platform ​

While core TLS capture works across all supported platforms, certain advanced features are restricted by kernel version or OS variant.

Kernel Feature Gates ​

• PID/UID Filtering: Requires Kernel >= 5.2. On older kernels, these filters are silently ignored with a warning CHANGELOG.md:7.
• Cgroup Filtering: Supported on Linux for tls and gotls probes but explicitly disabled/unsupported on Android internal/probe/openssl/config_ecandroid.go:133-136.
• Network Interfaces: On Linux, interface detection is often automatic. On Android, eCapture specifically probes wlan0 or searches for active non-loopback interfaces like eth0 internal/probe/openssl/config_ecandroid.go:107-131.

Probe Availability ​

Sources: variables.mk:215-227, README.md:12-16, CHANGELOG.md:20

Implementation Details: Version Detection ​

eCapture performs runtime environment checks to select the correct eBPF bytecode.

Kernel Version Check ​

The pkg/util/kernel package parses /proc/version_signature (Ubuntu), /proc/version (Debian), or uname to determine the LINUX_VERSION_CODE pkg/util/kernel/kernel_version.go:113-131.

Android BoringSSL Detection ​

On Android, eCapture reads /system/build.prop to identify the OS version (e.g., ro.build.version.release=13) and maps it to a specific BoringSSL hook implementation like boringssl_a_13 internal/probe/openssl/config_ecandroid.go:77-80.

Code Entity Flow ​

Title: Kernel and Library Version Mapping

Sources: pkg/util/kernel/kernel_version.go:113-131, internal/probe/openssl/config_linux.go:40-75, .github/agents/pr-agent.md:115-118