Skip to content
On this page


eCapture(旁观者): capture SSL/TLS text content without CA cert Using eBPF.

Home Page

  1. Source code:
  2. Documents:
  3. Library:

What is eCapture?

It supports TLS encryption libraries such as openssl/gnutls/nspr etc. The userspace code is written in Go and uses cilium/ebpf. It can work on Linux Kernel 4.18 and later, and supports CO-RE features. At the same time, it also works without BTF.

How to used?


open , and choose your version.

  • Android version ,Kernel > 4.18 , CO-RE Disabled :ecapture-v0.2.2-android-aarch64-4.18-5.4.tar.gz
  • Android version ,Kernel > 4.18 , CO-RE Enabled :ecapture-v0.2.2-android-aarch64.tar.gz
  • Linux Kernel > 4.18 , ARM64-aarch64 : ecapture-v0.2.2-linux-aarch64.tar.gz
  • Linux Kernel > 4.18 , X86_64 : ecapture-v0.2.2-linux-x86_64.tar.gz




cfc4n@vm-server:~/project/ssldump$ bin/ecapture -h
	eCapture - capture text SSL content without CA cert by ebpf hook.

	eCapture [flags]


	bash		capture bash command
	help		Help about any command
	mysqld		capture sql queries from mysqld 5.6/5.7/8.0 .
	postgres	capture sql queries from postgres 10+.
	tls		alias name:openssl , use to capture tls/ssl text content without CA cert.

	eCapture(旁观者) is a tool that can capture plaintext packets
	such as HTTPS and TLS without installing a CA certificate.
	It can also capture bash commands, which is suitable for
	security auditing scenarios, such as database auditing of mysqld, etc (disabled on Android).


  -d, --debug[=false]		enable debug logging
  -h, --help[=false]		help for eCapture
      --hex[=false]		print byte strings as hex encoded strings
      --nosearch[=false]	no lib search
  -p, --pid=0			if pid is 0 then we target all pids
  -u, --uid=0			if uid is 0 then we target all users
  -v, --version[=false]		version for eCapture
  -w, --write-file=""		-w file Write the packets to file

Still Got Questions?

Pick Your Learning Path

Different developers have different learning styles. Feel free to pick a learning path that suits your preference - although we do recommend going over all of the content, if possible!

Introduction has loaded