Probe Reference
eCapture utilizes eBPF uprobes to intercept plaintext data at the boundary of user-space libraries and applications. This reference provides an index of the specialized probe modules available in eCapture, categorized by their target protocols and applications.
Each probe follows a standardized lifecycle managed by the internal/probe framework, implementing the Probe interface to handle initialization, eBPF manager setup, and event dispatching internal/probe/openssl/openssl_probe.go:45-58, internal/probe/bash/bash_probe.go:39-49.
Probe Categories and Modules
The following table summarizes the available probes and their primary targets:
| Category | Module Name | Target Libraries / Applications |
|---|---|---|
| TLS/SSL | tls | OpenSSL, BoringSSL, LibreSSL |
| TLS/SSL | gotls | Go native crypto/tls |
| TLS/SSL | gnutls | GnuTLS |
| TLS/SSL | nss | NSS (Network Security Services) / NSPR |
| Database | mysqld | MySQL (5.6, 5.7, 8.0), MariaDB |
| Database | postgres | PostgreSQL (10+) |
| Shell | bash | Bash Shell |
| Shell | zsh | Zsh Shell |
Technical Architecture Mapping
The diagram below illustrates how userspace probe definitions in Go map to their corresponding eBPF kernel implementations and the functions they hook.
[Diagram: System to Code Entity Mapping]
Sources: internal/probe/openssl/openssl_probe.go:45-68, internal/probe/bash/bash_probe.go:39-59, internal/probe/mysql/mysql_probe.go:37-50
Module Details
TLS/SSL Plaintext Capture
These probes target various cryptographic libraries to extract plaintext before encryption or after decryption.
- TLS/SSL Plaintext Capture (OpenSSL / BoringSSL): The primary probe for most Linux and Android applications. It hooks SSL_read and SSL_write internal/probe/openssl/openssl_probe.go:115-140.
- GoTLS Capture: Specifically designed for Go binaries, handling the unique calling conventions and internal crypto/tls structures.
- GnuTLS Capture: Targets applications like wget or curl compiled against GnuTLS.
- NSS / NSPR Capture: Targets Firefox, Thunderbird, and other applications using the Network Security Services library.
Database Traffic Capture
These probes audit database queries by hooking the command dispatching logic within the database server process.
- Database Traffic Capture (MySQL / PostgreSQL): Hooks dispatch_command in MySQL internal/probe/mysql/mysql_probe.go:204-240 and exec_simple_query in PostgreSQL internal/probe/postgres/postgres_probe.go:141-150 to capture SQL statements in plaintext.
Shell Auditing
Used for security compliance and host auditing by capturing user input at the shell level.
- Shell Auditing (Bash / Zsh): Hooks readline functions to capture interactive commands. The Bash probe specifically handles multi-line command accumulation using a lineMap indexed by UUID internal/probe/bash/bash_probe.go:171-209.
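As an added illustration (not eCapture's own code), the Go snippet below shows the general idea behind per-session line accumulation of the kind the Bash probe's lineMap serves: continuation lines captured from readline are buffered under a session key until a complete command can be emitted, and the buffer entry is dropped once it is. The continuation rule (a trailing backslash), the type and function names, and the sample input are assumptions made for this example, not the probe's actual logic.

```go
package main

import (
	"fmt"
	"strings"
)

// LineAccumulator joins continuation lines captured from readline into one
// complete command per interactive session. The map is keyed by a session
// identifier (the page describes a lineMap indexed by UUID). The continuation
// rule used here, a trailing backslash, is an assumption for this example.
type LineAccumulator struct {
	lineMap map[string]string
}

func NewLineAccumulator() *LineAccumulator {
	return &LineAccumulator{lineMap: make(map[string]string)}
}

// Feed consumes one captured line for the given session. It returns the full
// command and true once the command is complete, otherwise "" and false.
func (a *LineAccumulator) Feed(sessionID, line string) (string, bool) {
	if strings.HasSuffix(line, "\\") {
		// Continuation: strip the backslash and keep the partial command buffered.
		a.lineMap[sessionID] += strings.TrimSuffix(line, "\\")
		return "", false
	}
	full := a.lineMap[sessionID] + line
	delete(a.lineMap, sessionID) // free the partial entry once it is emitted
	return full, true
}

// Pending reports how many sessions still have an unfinished command buffered.
func (a *LineAccumulator) Pending() int { return len(a.lineMap) }

func main() {
	// Constructed sample input: two interleaved sessions, one multi-line command.
	acc := NewLineAccumulator()
	input := []struct{ id, line string }{
		{"sess-a", "tar czf backup.tgz \\"},
		{"sess-b", "ls -la"},
		{"sess-a", "  /etc /var/log"},
	}
	for _, in := range input {
		if cmd, ok := acc.Feed(in.id, in.line); ok {
			fmt.Printf("[%s] %s\n", in.id, cmd)
		}
	}
}
```

Keying the buffer by session rather than by process keeps interleaved shells from contaminating each other's partial commands, and deleting the entry on emit bounds the map to the number of sessions with an open continuation.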
Probe Execution Flow
The following diagram shows the common execution path for any probe module initialized via the CLI.
[Diagram: Probe Lifecycle and Data Path]
Sources: main.go:9-11, internal/probe/openssl/openssl_probe.go:101-159, internal/probe/mysql/mysql_probe.go:88-136
Common Caveats
- Kernel Versions: Most probes require Linux kernel >= 4.18 (x86_64) or >= 5.5 (aarch64) README.md:12-13.
- BTF Support: eCapture attempts to use CO-RE (Compile Once – Run Everywhere) if BTF is available, otherwise it falls back to non-CO-RE bytecode internal/probe/postgres/postgres_probe.go:171-188.
- Symbol Tables: For uprobes to work, the target binary must either have a symbol table or the user must provide manual offsets via configuration internal/probe/mysql/mysql_probe.go:75-82.
Sources: README.md:12-13, internal/probe/openssl/openssl_probe.go:43-159, internal/probe/bash/bash_probe.go:39-127, internal/probe/mysql/mysql_probe.go:37-136, internal/probe/postgres/postgres_probe.go:37-111, internal/probe/zsh/zsh_probe.go:37-121
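The three caveats above translate into preflight checks an operator can run before attaching any probe. The Go program below is an added example and not part of eCapture: it encodes the kernel minimums stated above, looks for the kernel's exported BTF blob at the standard /sys/kernel/btf/vmlinux location (the file CO-RE loaders consult), and resolves a symbol in a target library to the file offset a uprobe attaches at by walking the ELF symbol tables and program headers with debug/elf. A missing symbol is exactly the stripped-binary case where offsets must be supplied manually. Function names, the sysfsRoot parameter, and the command-line usage are assumptions of this example; eCapture's own configuration keys are not shown.

```go
package main

import (
	"debug/elf"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// minKernel holds the minimum kernel (major, minor) per architecture as
// documented on the page: 4.18 for x86_64 and 5.5 for aarch64.
var minKernel = map[string][2]int{
	"x86_64":  {4, 18},
	"aarch64": {5, 5},
}

// parseRelease extracts major and minor from a `uname -r` string such as
// "5.15.0-91-generic" or "4.18.0-477.el8.x86_64" by splitting on non-digits.
func parseRelease(release string) (int, int, error) {
	fields := strings.FieldsFunc(release, func(r rune) bool { return r < '0' || r > '9' })
	if len(fields) < 2 {
		return 0, 0, fmt.Errorf("unparseable kernel release %q", release)
	}
	major, _ := strconv.Atoi(fields[0])
	minor, _ := strconv.Atoi(fields[1])
	return major, minor, nil
}

// KernelSupported reports whether the kernel release meets the documented minimum.
func KernelSupported(release, arch string) (bool, error) {
	min, ok := minKernel[arch]
	if !ok {
		return false, fmt.Errorf("no documented minimum kernel for arch %q", arch)
	}
	major, minor, err := parseRelease(release)
	if err != nil {
		return false, err
	}
	if major != min[0] {
		return major > min[0], nil
	}
	return minor >= min[1], nil
}

// BTFAvailable checks for the kernel's exported BTF blob that CO-RE needs.
// sysfsRoot is a parameter (normally "/sys") so the check can be pointed at a
// test directory; this parameterisation is an assumption of the example.
func BTFAvailable(sysfsRoot string) bool {
	_, err := os.Stat(filepath.Join(sysfsRoot, "kernel", "btf", "vmlinux"))
	return err == nil
}

// SymbolFileOffset converts a symbol's virtual address into the file offset a
// uprobe is attached at, using the executable PT_LOAD segment that contains it.
func SymbolFileOffset(progs []*elf.Prog, addr uint64) (uint64, error) {
	for _, p := range progs {
		if p.Type != elf.PT_LOAD || p.Flags&elf.PF_X == 0 {
			continue
		}
		if addr >= p.Vaddr && addr < p.Vaddr+p.Memsz {
			return addr - p.Vaddr + p.Off, nil
		}
	}
	return 0, fmt.Errorf("address %#x is not inside an executable PT_LOAD segment", addr)
}

// LookupUprobeOffset finds symbol in the ELF at path (dynamic symbols first,
// then the regular symbol table) and returns its uprobe file offset. When no
// table carries the symbol, the caller must fall back to a manual offset.
func LookupUprobeOffset(path, symbol string) (uint64, error) {
	f, err := elf.Open(path)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	var tables [][]elf.Symbol
	if syms, err := f.DynamicSymbols(); err == nil {
		tables = append(tables, syms)
	}
	if syms, err := f.Symbols(); err == nil {
		tables = append(tables, syms)
	}
	for _, syms := range tables {
		for _, s := range syms {
			if s.Name == symbol && s.Value != 0 {
				return SymbolFileOffset(f.Progs, s.Value)
			}
		}
	}
	return 0, fmt.Errorf("symbol %q not found in %s (stripped binary? supply an offset manually)", symbol, path)
}

func main() {
	if len(os.Args) != 3 {
		fmt.Println("usage: preflight <library path> <symbol>   e.g. /path/to/libssl.so SSL_read")
		return
	}
	off, err := LookupUprobeOffset(os.Args[1], os.Args[2])
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%s -> uprobe file offset %#x (BTF available: %v)\n", os.Args[2], off, BTFAvailable("/sys"))
}
```

The address-to-offset step is the one most often gotten wrong when supplying manual offsets: a symbol value from nm or readelf is a virtual address, and the uprobe wants the offset within the file, so the segment's Off and Vaddr must be applied rather than the address used as-is.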