Troubleshooting and FAQ
Relevant source files
The following files were used as context for generating this wiki page:
This page provides solutions to common problems encountered when using eCapture, along with debugging techniques and frequently asked questions. For information about system requirements and installation, see Dependencies and System Requirements. For build issues, refer to Build System.
Common Issues Decision Tree
The following diagram shows the decision tree for diagnosing common eCapture issues:
Sources: README.md:13-17, CHANGELOG.md:41-50, user/module/probe_openssl_lib.go:64-70
Kernel and System Requirements Issues
Issue: "kernel version is too low" or eCapture fails to start
Symptoms:
- Error message about kernel version
- Program exits immediately
- eBPF program load failures
Required Kernel Versions:
| Architecture | Minimum Kernel Version | CO-RE Support |
|---|---|---|
| x86_64 | 4.18 | Yes |
| aarch64 | 5.5 | Yes |
Solutions:
- Check your kernel version:
uname -r- Verify BTF support (required for CO-RE mode):
cat /boot/config-$(uname -r) | grep CONFIG_DEBUG_INFO_BTF
# Should return: CONFIG_DEBUG_INFO_BTF=y- If BTF is not available:
- Check if BTF data exists:
ls -l /sys/kernel/btf/vmlinux - eCapture automatically falls back to non-CO-RE mode if BTF is unavailable
- Check if BTF data exists:
Troubleshooting Diagram:
Sources: README.md:13-17, variables.mk:153-167, CHANGELOG.md:41
Permission Issues
Issue: "Operation not permitted" or "Permission denied"
Symptoms:
- Error when loading eBPF programs
- "failed to load BPF program" messages
- CAP_BPF related errors
Required Permissions:
eCapture requires ROOT privileges or specific capabilities:
- CAP_BPF - Load eBPF programs (Linux 5.8+)
- CAP_PERFMON - Access performance monitoring
- CAP_NET_ADMIN - Attach TC programs
- CAP_SYS_ADMIN - Legacy capability for older kernels
Solutions:
- Run with sudo:
sudo ecapture tls- Check capabilities (Linux 5.8+):
# eCapture automatically detects CAP_BPF
# If detection fails, you'll see a warning- For Docker containers:
docker run --rm --privileged=true --net=host gojue/ecapture tlsCapability Check Flow:
Sources: CHANGELOG.md:322-323, CHANGELOG.md:343, CHANGELOG.md:370
Version Detection Issues
Issue: "OpenSSL/BoringSSL version not found" or "used default version"
Symptoms:
- Warning: "OpenSSL/BoringSSL version not found from shared library file"
- Warning: "used default version"
- No data captured or incorrect data
Version Detection Process:
Solutions:
- Manually specify OpenSSL version:
# For OpenSSL 3.0.x
sudo ecapture tls --ssl_version="openssl 3.0.0"
# For OpenSSL 1.1.1
sudo ecapture tls --ssl_version="openssl 1.1.1"
# For Android BoringSSL
sudo ecapture tls --ssl_version="boringssl_a_14"- Specify library path explicitly:
# If library is in non-standard location
sudo ecapture tls --libssl=/usr/local/lib/libssl.so.3
# For statically linked binaries
sudo ecapture tls --libssl=/path/to/static/binary- Supported OpenSSL/BoringSSL Versions:
| Library Type | Supported Versions |
|---|---|
| OpenSSL 1.0.2 | 1.0.2a - 1.0.2u |
| OpenSSL 1.1.0 | 1.1.0a - 1.1.0l |
| OpenSSL 1.1.1 | 1.1.1a - 1.1.1w |
| OpenSSL 3.0.x | 3.0.0 - 3.0.17 |
| OpenSSL 3.1.x | 3.1.0 - 3.1.8 |
| OpenSSL 3.2.x | 3.2.0 - 3.2.5 |
| OpenSSL 3.3.x | 3.3.0 - 3.3.4 |
| OpenSSL 3.4.x | 3.4.0 - 3.4.2 |
| OpenSSL 3.5.x | 3.5.0 - 3.5.4 |
| BoringSSL (Android) | Android 12-16 (A12-A16) |
| BoringSSL (Non-Android) | Latest master branch |
- Version Downgrade Logic:
eCapture implements automatic version downgrade to find the closest supported version when exact match is not found.
Error Message Mapping:
| Error/Warning | Meaning | Solution |
|---|---|---|
OpenSSL/BoringSSL version not found from shared library file | Version string not found in .rodata section | Specify --ssl_version manually |
used default version | Using fallback bytecode | Verify capture works; if not, specify version |
Can not find Default BoringSSL version | sslVersionBpfMap missing Android default | Check Android version with --android_ver |
OpenSSL/BoringSSL version bytecode not found | No compiled bytecode for detected version | Use supported version or default |
Sources: user/module/probe_openssl_lib.go:189-282, user/module/probe_openssl_lib.go:284-317, user/module/probe_openssl_lib.go:341-369, user/module/probe_openssl_lib.go:44-62, variables.mk:190-212
Library Detection Issues
Issue: "couldn't find bpf bytecode file error" or library not found
Symptoms:
- Error: "couldn't find bpf bytecode file error"
- Library path detection fails
- No hooks attached
Library Search Order:
Solutions:
- Check library existence:
# Find OpenSSL libraries
ldconfig -p | grep libssl
# Check library version
strings /usr/lib/x86_64-linux-gnu/libssl.so.3 | grep "OpenSSL"- Fix /etc/ld.so.conf path issues:
# Verify ld.so.conf
cat /etc/ld.so.conf
# Update library cache
sudo ldconfig- Specify library path explicitly:
# For custom installation
sudo ecapture tls --libssl=/opt/openssl/lib/libssl.so
# For container environments with non-standard paths
sudo ecapture tls --libssl=/custom/path/libssl.so.1.1- Common library locations:
| Distribution | Typical Path |
|---|---|
| Ubuntu/Debian | /usr/lib/x86_64-linux-gnu/libssl.so.3 |
| CentOS/RHEL | /usr/lib64/libssl.so.1.1 |
| Alpine Linux | /usr/lib/libssl.so.3 |
| Android | /apex/com.android.conscrypt/lib64/libssl.so |
Sources: CHANGELOG.md:84, CHANGELOG.md:436, user/module/probe_openssl_lib.go:189-217
Runtime Errors
Issue: Nil Pointer Panics
Symptoms:
- Program crashes with nil pointer dereference
- Panic in probe initialization
Common Causes and Solutions:
- GnuTLS probe setup failure:
panic: runtime error: invalid memory address or nil pointer dereference
in gnutls probeSolution: Fixed in v1.5.0 - ensure you're using the latest version.
- Uninitialized channel:
panic: send on nil channelSolution: Module initialization order issue. File a bug report with reproduction steps.
Sources: CHANGELOG.md:20, CHANGELOG.md:603
Issue: Concurrent Map Access
Symptoms:
- Error: "concurrent map read and map write"
- Program crash during high load
- Data corruption
Solution:
This was a known issue fixed in v0.7.3. Update to the latest version:
# Check your version
ecapture -v
# Update to latest version
wget https://github.com/gojue/ecapture/releases/latest/download/ecapture-linux-amd64.tar.gzSources: CHANGELOG.md:650
Issue: "incoming chan is full" Error
Symptoms:
- Warning: "incoming chan is full"
- Process exits unexpectedly
- Data loss during capture
Solution:
This indicates the event processing pipeline is overwhelmed. Fixed in v0.9.0.
- Reduce capture scope:
# Filter by PID
sudo ecapture tls --pid=1234
# Filter by UID
sudo ecapture tls --uid=1000- Increase map size:
# Default is 5120 KB, increase if needed
sudo ecapture tls --mapsize=10240- Use pcap mode instead of text mode:
# PCAP mode has better performance for high-volume capture
sudo ecapture tls -m pcap -w output.pcapng -i eth0Sources: CHANGELOG.md:373, CHANGELOG.md:709
Module-Specific Troubleshooting
OpenSSL/TLS Module
Issue: No data captured despite successful start
Diagnostic Steps:
Example Commands:
# Capture all ports
sudo ecapture tls --target_port=0
# Capture specific process
sudo ecapture tls --pid=$(pgrep curl)
# Verbose output for debugging
sudo ecapture tls --log-level=debugSources: README.md:72-149, CHANGELOG.md:778
Issue: Keylog file empty or incomplete
Symptoms:
--keylogfilecreated but empty- Missing CLIENT_RANDOM entries
- Wireshark cannot decrypt traffic
Solutions:
- Verify keylog mode:
# Correct syntax for keylog mode
sudo ecapture tls -m keylog --keylogfile=keys.log- Check TLS version:
- TLS 1.2: Captures
CLIENT_RANDOMwith master secret - TLS 1.3: Captures traffic secrets (requires OpenSSL 3.0+)
- Common issues:
- OpenSSL 3.0.12 had a specific bug (fixed in v1.4.1)
- Missing trailing bytes in GoTLS keylog (fixed in v1.4.0)
- Keylog lost in certain OpenSSL versions (fixed in v1.3.0)
Sources: CHANGELOG.md:69, CHANGELOG.md:85, CHANGELOG.md:127
Issue: PCAP file corrupted or Wireshark cannot open
Symptoms:
- PCAP file cannot be opened in Wireshark
- "Invalid format" error
- Missing packets
Solutions:
- Ensure proper termination:
# Use Ctrl+C to properly close the PCAP file
# Don't use kill -9- Check disk space:
df -h /path/to/pcap/directory- Verify PCAP-NG format:
# eCapture uses PCAP-NG format
file output.pcapng
# Should show: pcapng capture file- DSB (Decryption Secrets Block): eCapture writes TLS keys as DSB in PCAP-NG files. Ensure you're using a recent version of Wireshark (3.0+).
Sources: CHANGELOG.md:161, CHANGELOG.md:542, CHANGELOG.md:664
GoTLS Module
Issue: "cant found RET offset" or stripped Go binary
Symptoms:
- Error: "cant found RET offset in gotls mode"
- Stripped Go binaries not working
- PIE executable offset errors
Solutions:
Stripped binary support: Added in v0.7.0 - update to latest version.
PIE executable issues:
# Check if binary is PIE
file /path/to/go/binary
# Should show: "dynamically linked" or "pie executable"Fixed in v0.7.7 for aarch64 PIE executables.
- Specify Go binary path:
sudo ecapture gotls --elfpath=/path/to/go/binarySources: CHANGELOG.md:593, CHANGELOG.md:752, CHANGELOG.md:573
Issue: No GoTLS data captured
Checklist:
Sources: README.md:259-276
Bash/Zsh Module
Issue: Bash commands not captured
Symptoms:
- No bash output
- Probe attachment fails
- "incorrect probe attachment" warning
Solutions:
- Check bash path:
which bash
# Common paths: /bin/bash, /usr/bin/bashImproved bash path detection: Fixed in v1.3.1 with better path detection and probe attachment.
Readline hook verification:
# Check if bash uses readline
ldd $(which bash) | grep readlineSources: CHANGELOG.md:114-115, CHANGELOG.md:592
MySQL/PostgreSQL Module
Issue: No SQL queries captured
Supported Versions:
| Database | Supported Versions |
|---|---|
| MySQL | 5.6, 5.7, 8.0 |
| MariaDB | All versions |
| PostgreSQL | 10+ |
Solutions:
- Verify mysqld process:
ps aux | grep mysqld- Check dispatch_command symbol:
# For MySQL
nm /usr/sbin/mysqld | grep dispatch_command- Module-specific flags:
# MySQL
sudo ecapture mysqld
# PostgreSQL
sudo ecapture postgresSources: README.md:42, README.md:157-159
Performance Issues
Issue: High CPU or Memory Usage
Symptoms:
- eCapture consuming excessive CPU
- Memory continuously growing
- System slowdown
Solutions:
- Memory optimization (v0.9.5+):
# Set truncate size to reduce memory cost
sudo ecapture tls --truncate_size=1024- Reduce map size:
# Default is 5120 KB
sudo ecapture tls --mapsize=2048- Use filters:
# Filter by PID
sudo ecapture tls --pid=1234
# Filter by UID
sudo ecapture tls --uid=1000
# Filter by port (pcap mode)
sudo ecapture tls -m pcap -i eth0 "tcp port 443"- Dual lifecycle management (v1.2.0+): eCapture now implements optimized event worker lifecycle management for better resource usage.
Sources: CHANGELOG.md:291, CHANGELOG.md:137, CHANGELOG.md:709
Issue: Incomplete SSL Data or Truncation
Symptoms:
- Truncated HTTP responses
- "incomplete SSL data for excessively long lengths"
- Missing data chunks
Solutions:
- Adjust truncate size:
# Default truncate size
sudo ecapture tls --truncate_size=4096- Fixed in v0.9.5: Bug with incomplete SSL data for long lengths was resolved.
Sources: CHANGELOG.md:289, CHANGELOG.md:154
Build and Compilation Issues
Issue: Build fails with "header not found"
Symptoms:
- Error during kernel header generation
- Missing vmlinux.h
- Cross-compilation failures
Solutions:
- Install required tools:
# Ubuntu/Debian
sudo apt-get install clang llvm libelf-dev linux-headers-$(uname -r)
# CentOS/RHEL
sudo yum install clang llvm elfutils-libelf-devel kernel-devel- Cross-compilation setup:
# For ARM64 on x86_64
sudo apt-get install gcc-aarch64-linux-gnu
# Set CROSS_ARCH
make CROSS_ARCH=arm64- Kernel headers path:
# Specify kernel headers if non-standard
make KERN_HEADERS=/path/to/kernel/headersSources: CHANGELOG.md:447, variables.mk:172-179
Issue: Docker build errors
Symptoms:
- Docker image build fails
- CVE vulnerabilities in base image
Solutions:
- Use official Docker image:
docker pull gojue/ecapture:latest- Build from source:
# Clone repository
git clone https://github.com/gojue/ecapture.git
cd ecapture
# Build
makeSources: CHANGELOG.md:372, README.md:59-68
Frequently Asked Questions
Q: Does eCapture support Windows or macOS?
A: No, eCapture only supports Linux and Android systems. It relies on eBPF technology which is Linux-specific. For cross-platform visualization, use eCaptureQ GUI in remote mode.
Sources: README.md:13-17
Q: Can I capture traffic without root privileges?
A: eCapture requires root privileges or specific capabilities (CAP_BPF, CAP_PERFMON, CAP_NET_ADMIN) to load eBPF programs. There is no way to bypass this requirement.
Sources: README.md:15
Q: Why does eCapture show "OpenSSL version not found"?
A: eCapture attempts to automatically detect the OpenSSL version by parsing the .rodata section of the library. If detection fails:
- It uses automatic downgrade logic to find the closest version
- Falls back to default version (usually 3.0 or 1.1.1)
- You can manually specify the version with
--ssl_version
Sources: user/module/probe_openssl_lib.go:189-282, user/module/probe_openssl_lib.go:284-317
Q: What's the difference between CO-RE and non-CO-RE mode?
A:
- CO-RE (Compile Once - Run Everywhere): Uses BTF information to make eBPF programs portable across different kernel versions. Requires kernel with BTF support (CONFIG_DEBUG_INFO_BTF=y).
- Non-CO-RE: Compiles eBPF programs with specific kernel headers. Works on older kernels without BTF but requires kernel-specific bytecode.
eCapture automatically detects BTF availability and selects the appropriate mode.
Sources: variables.mk:270-272
Q: Can I capture traffic from statically linked binaries?
A: Yes, for statically linked binaries, specify the binary path directly with --libssl:
sudo ecapture tls --libssl=/path/to/static/binarySources: README.md:169
Q: How do I use the captured keylog with Wireshark?
A:
- Capture TLS keys:
sudo ecapture tls -m keylog --keylogfile=keys.logIn Wireshark:
- Go to Edit → Preferences → Protocols → TLS
- Set "(Pre)-Master-Secret log filename" to the path of keys.log
- Reload the capture
Or use tshark directly:
tshark -o tls.keylog_file:keys.log -Y http -f "port 443" -i eth0Sources: README.md:235-247
Q: Does eCapture affect the performance of monitored applications?
A: eCapture has minimal performance impact because:
- eBPF runs in kernel space with low overhead
- Uses efficient perf ring buffers for data transfer
- Implements filtering at the eBPF level
- Memory-optimized truncation (v0.9.5+)
However, capturing very high-traffic applications may require tuning --mapsize and --truncate_size.
Sources: CHANGELOG.md:291, CHANGELOG.md:709
Q: Can I filter capture by process or user?
A: Yes, eCapture supports multiple filtering options:
# Filter by PID
sudo ecapture tls --pid=1234
# Filter by UID
sudo ecapture tls --uid=1000
# Filter by port (all modules)
sudo ecapture tls --target_port=443
# PCAP filter (pcap mode only)
sudo ecapture tls -m pcap -i eth0 "host 192.168.1.1 and port 443"Sources: README.md:183-184, CHANGELOG.md:472
Q: How do I capture HTTP/2 or HTTP/3 traffic?
A:
- HTTP/2: Automatically supported in text mode (v0.8.5+). eCapture parses HTTP/2 frames and displays headers/data.
- HTTP/3 (QUIC): Supported in PCAP mode. Use:
sudo ecapture tls -m pcap -i eth0 "udp port 443"Sources: README.md:179, CHANGELOG.md:487
Q: What Android versions are supported?
A: eCapture supports Android 12 through Android 16 with BoringSSL. Specify Android version:
sudo ecapture tls --android_ver=14Available versions: a_13 (Android 12/13), a_14 (Android 14), a_15 (Android 15), a_16 (Android 16).
Sources: variables.mk:94-97, CHANGELOG.md:23, CHANGELOG.md:305
Q: Can I use eCapture for security auditing?
A: Yes, eCapture is designed for security auditing scenarios:
- Host Security: Capture bash/zsh commands
- Database Audit: Capture MySQL/PostgreSQL queries
- Network Security: Capture and analyze encrypted traffic
- Compliance: Generate audit logs with
--eventcollectorflag
Sources: README.md:40-42
Q: Does eCapture work in containers?
A: Yes, but with considerations:
- Container must run in privileged mode or have BPF capabilities
- Can monitor processes both inside and outside containers
- Use host network mode for network capture
docker run --rm --privileged=true --net=host \
-v /path/to/output:/output \
gojue/ecapture tls --eventcollector=/output/events.logSources: README.md:63-68
Debugging Techniques
Enable Debug Logging
# Enable debug output
sudo ecapture tls --log-level=debug
# Save logs to file
sudo ecapture tls --logaddr=/var/log/ecapture.logVerify eBPF Program Loading
# Check loaded eBPF programs
sudo bpftool prog list | grep ecapture
# Check eBPF maps
sudo bpftool map list
# Dump map contents (advanced)
sudo bpftool map dump id <map_id>Trace System Calls
# Trace eCapture system calls
sudo strace -f ecapture tls
# Trace specific syscalls
sudo strace -e trace=bpf,perf_event_open ecapture tlsCheck Library Loading
# Verify library is loaded by target process
sudo lsof -p <PID> | grep libssl
# Check library dependencies
ldd /path/to/target/binary | grep sslNetwork Verification
# Verify network interface
ip link show
# Check TC filters (for packet capture)
sudo tc filter show dev eth0 ingress
sudo tc filter show dev eth0 egress
# Monitor network traffic
sudo tcpdump -i eth0 -n "port 443"Core Dump Analysis
If eCapture crashes:
# Enable core dumps
ulimit -c unlimited
# Run eCapture
sudo ecapture tls
# Analyze core dump (if crash occurs)
gdb ecapture coreUseful Diagnostic Commands
| Command | Purpose |
|---|---|
ecapture -v | Show version information |
uname -r | Check kernel version |
cat /boot/config-$(uname -r) | grep BTF | Verify BTF support |
ls -l /sys/kernel/btf/vmlinux | Check BTF availability |
sudo bpftool prog list | List eBPF programs |
ldd $(which ecapture) | Check dependencies |
file /path/to/libssl.so | Verify library architecture |
Sources: CHANGELOG.md:521, README_CN.md:84-126
Getting Help
If you encounter an issue not covered here:
- Check GitHub Issues: Search existing issues at https://github.com/gojue/ecapture/issues
- Create New Issue: Include:
- eCapture version (
ecapture -v) - Kernel version (
uname -r) - Distribution and architecture
- Complete error messages
- Steps to reproduce
- Output of debug logging
- eCapture version (
- Join Community: QQ群 or GitHub Discussions
- Review Changelog: Recent fixes may address your issue: CHANGELOG.md:1-782
Quick Reference: Error Messages
| Error Message | Page Section | Quick Fix |
|---|---|---|
| "kernel version is too low" | Kernel Requirements | Upgrade kernel |
| "Operation not permitted" | Permission Issues | Use sudo |
| "OpenSSL version not found" | Version Detection | Use --ssl_version flag |
| "couldn't find bpf bytecode" | Library Detection | Use --libssl flag |
| "incoming chan is full" | Runtime Errors | Reduce scope or increase mapsize |
| "concurrent map access" | Runtime Errors | Update to v0.7.3+ |
| "cant found RET offset" | GoTLS Module | Update to v0.7.0+ |
Sources: CHANGELOG.md:1-782, user/module/probe_openssl_lib.go:64-70, README.md:1-335