{"id":22237451,"url":"https://github.com/bengentil/wiretap","last_synced_at":"2026-04-24T21:31:59.822Z","repository":{"id":147864738,"uuid":"494743534","full_name":"bengentil/wiretap","owner":"bengentil","description":"an eBPF utility to capture TLS data","archived":false,"fork":false,"pushed_at":"2022-05-21T15:40:15.000Z","size":34,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-06-09T14:49:57.450Z","etag":null,"topics":["ebpf","go","golang","observability","openssl","uprobes"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bengentil.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-05-21T09:54:06.000Z","updated_at":"2022-05-21T13:40:09.000Z","dependencies_parsed_at":"2023-04-24T18:50:35.502Z","dependency_job_id":null,"html_url":"https://github.com/bengentil/wiretap","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/bengentil/wiretap","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bengentil%2Fwiretap","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bengentil%2Fwiretap/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bengentil%2Fwiretap/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bengentil%2Fwiretap/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bengentil","download_url":"https://codeload.github.com/bengentil/wiretap/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bengentil%2Fwiretap/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32241610,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-24T13:21:15.438Z","status":"ssl_error","status_checked_at":"2026-04-24T13:21:15.005Z","response_time":64,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ebpf","go","golang","observability","openssl","uprobes"],"created_at":"2024-12-03T03:09:38.748Z","updated_at":"2026-04-24T21:31:59.809Z","avatar_url":"https://github.com/bengentil.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# wiretap\n\n## Description\n\nwiretap is CLI utility to capture data before/after it has been en/decrypted by openssl.\nThe capture is done by attaching eBPF uprobes to SSL_read \u0026 SSL_write functions.\n\n## Goals\n\nBe able, **as the root user**, to inspect data in APIs connections in a end-to-end TLS setup,\nwithout:\n- Altering a program (adding logs)\n- Increasing the log level / slowing down execution / generating too much data\n- The need to expose the keys via the [`SSLKEYLOGFILE` environment variable](https://wiki.wireshark.org/TLS#using-the-pre-master-secret)\n\n## Non-Goals\n\nExploit openssl, capture keys, decrypt captured TLS data, give access to data that you don't already own.\n\n## Usage\n\n```\nwiretap [-o=\u003coutput\u003e] [\u003cprobe...\u003e]\n\n\u003coutput\u003e only stdout for now\n\u003cprobe\u003e is \u003cprobe_name\u003e:\u003csymbol\u003e:\u003cexecutable\u003e\n\u003cprobe_name\u003e only openssl for now\n\u003csymbol\u003e symbol to attach the probe\n\u003cexecutable\u003e file to lookup the symbol\n```\n\nWithout arguments, wiretap run with those probes:\n- openssl:SSL_read:/lib64/libssl.so\n- openssl:SSL_write:/lib64/libssl.so\n\n## Example\n\n```\n2022/05/21 10:57:27 [openssl:SSL_write:/lib64/libssl.so.3] returned in curl(1720), len=74\n00000000 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a |GET / HTTP/1.1..|\n00000010 48 6f 73 74 3a 20 67 6f 6f 67 6c 65 2e 63 6f 6d |Host: google.com|\n00000020 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 63 75 |..User-Agent: cu|\n00000030 72 6c 2f 37 2e 38 32 2e 30 0d 0a 41 63 63 65 70 |rl/7.82.0..Accep|\n00000040 74 3a 20 2a 2f 2a 0d 0a 0d 0a |t: */*....|\n2022/05/21 10:57:27 [openssl:SSL_read:/lib64/libssl.so.3] returned in curl(1720), len=256\n00000000 48 54 54 50 2f 31 2e 31 20 33 30 31 20 4d 6f 76 |HTTP/1.1 301 Mov|\n00000010 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a |ed Permanently..|\n00000020 4c 6f 63 61 74 69 6f 6e 3a 20 68 74 74 70 73 3a |Location: https:|\n00000030 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d |//www.google.com|\n00000040 2f 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a |/..Content-Type:|\n00000050 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 | text/html; char|\n00000060 73 65 74 3d 55 54 46 2d 38 0d 0a 44 61 74 65 3a |set=UTF-8..Date:|\n00000070 20 53 61 74 2c 20 32 31 20 4d 61 79 20 32 30 32 | Sat, 21 May 202|\n00000080 32 20 31 32 3a 30 38 3a 35 32 20 47 4d 54 0d 0a |2 12:08:52 GMT..|\n00000090 45 78 70 69 72 65 73 3a 20 53 61 74 2c 20 32 31 |Expires: Sat, 21|\n000000a0 20 4d 61 79 20 32 30 32 32 20 31 32 3a 30 38 3a | May 2022 12:08:|\n000000b0 35 32 20 47 4d 54 0d 0a 43 61 63 68 65 2d 43 6f |52 GMT..Cache-Co|\n000000c0 6e 74 72 6f 6c 3a 20 70 72 69 76 61 74 65 2c 20 |ntrol: private, |\n000000d0 6d 61 78 2d 61 67 65 3d 32 35 39 32 30 30 30 0d |max-age=2592000.|\n000000e0 0a 53 65 72 76 65 72 3a 20 67 77 73 0d 0a 43 6f |.Server: gws..Co|\n000000f0 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 32 32 |ntent-Length: 22|\n2022/05/21 10:57:27 [openssl:SSL_read:/lib64/libssl.so.3] returned in curl(1720), len=256\n00000000 30 0d 0a 58 2d 58 53 53 2d 50 72 6f 74 65 63 74 |0..X-XSS-Protect|\n00000010 69 6f 6e 3a 20 30 0d 0a 58 2d 46 72 61 6d 65 2d |ion: 0..X-Frame-|\n00000020 4f 70 74 69 6f 6e 73 3a 20 53 41 4d 45 4f 52 49 |Options: SAMEORI|\n00000030 47 49 4e 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a |GIN..Set-Cookie:|\n00000040 20 43 4f 4e 53 45 4e 54 3d 50 45 4e 44 49 4e 47 | CONSENT=PENDING|\n00000050 2b 33 31 35 3b 20 65 78 70 69 72 65 73 3d 4d 6f |+315; expires=Mo|\n00000060 6e 2c 20 32 30 2d 4d 61 79 2d 32 30 32 34 20 31 |n, 20-May-2024 1|\n00000070 32 3a 30 38 3a 35 32 20 47 4d 54 3b 20 70 61 74 |2:08:52 GMT; pat|\n00000080 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 67 6f 6f |h=/; domain=.goo|\n00000090 67 6c 65 2e 63 6f 6d 3b 20 53 65 63 75 72 65 0d |gle.com; Secure.|\n000000a0 0a 50 33 50 3a 20 43 50 3d 22 54 68 69 73 20 69 |.P3P: CP=\"This i|\n000000b0 73 20 6e 6f 74 20 61 20 50 33 50 20 70 6f 6c 69 |s not a P3P poli|\n000000c0 63 79 21 20 53 65 65 20 67 2e 63 6f 2f 70 33 70 |cy! See g.co/p3p|\n000000d0 68 65 6c 70 20 66 6f 72 20 6d 6f 72 65 20 69 6e |help for more in|\n000000e0 66 6f 2e 22 0d 0a 41 6c 74 2d 53 76 63 3a 20 68 |fo.\"..Alt-Svc: h|\n000000f0 33 3d 22 3a 34 34 33 22 3b 20 6d 61 3d 32 35 39 |3=\":443\"; ma=259|\n2022/05/21 10:57:27 [openssl:SSL_read:/lib64/libssl.so.3] returned in curl(1720), len=256\n00000000 32 30 30 30 2c 68 33 2d 32 39 3d 22 3a 34 34 33 |2000,h3-29=\":443|\n00000010 22 3b 20 6d 61 3d 32 35 39 32 30 30 30 2c 68 33 |\"; ma=2592000,h3|\n00000020 2d 51 30 35 30 3d 22 3a 34 34 33 22 3b 20 6d 61 |-Q050=\":443\"; ma|\n00000030 3d 32 35 39 32 30 30 30 2c 68 33 2d 51 30 34 36 |=2592000,h3-Q046|\n00000040 3d 22 3a 34 34 33 22 3b 20 6d 61 3d 32 35 39 32 |=\":443\"; ma=2592|\n00000050 30 30 30 2c 68 33 2d 51 30 34 33 3d 22 3a 34 34 |000,h3-Q043=\":44|\n00000060 33 22 3b 20 6d 61 3d 32 35 39 32 30 30 30 2c 71 |3\"; ma=2592000,q|\n00000070 75 69 63 3d 22 3a 34 34 33 22 3b 20 6d 61 3d 32 |uic=\":443\"; ma=2|\n00000080 35 39 32 30 30 30 3b 20 76 3d 22 34 36 2c 34 33 |592000; v=\"46,43|\n00000090 22 0d 0a 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 |\"....\u003cHTML\u003e\u003cHEAD|\n000000a0 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 |\u003e\u003cmeta http-equi|\n000000b0 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 |v=\"content-type\"|\n000000c0 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 | content=\"text/h|\n000000d0 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d |tml;charset=utf-|\n000000e0 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 31 20 4d |8\"\u003e.\u003cTITLE\u003e301 M|\n000000f0 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 |oved\u003c/TITLE\u003e\u003c/HE|\n2022/05/21 10:57:27 [openssl:SSL_read:/lib64/libssl.so.3] returned in curl(1720), len=113\n00000000 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 |AD\u003e\u003cBODY\u003e.\u003cH1\u003e30|\n00000010 31 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 |1 Moved\u003c/H1\u003e.The|\n00000020 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f | document has mo|\n00000030 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 |ved.\u003cA HREF=\"htt|\n00000040 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e |ps://www.google.|\n00000050 63 6f 6d 2f 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d |com/\"\u003ehere\u003c/A\u003e..|\n00000060 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d |.\u003c/BODY\u003e\u003c/HTML\u003e.|\n00000070 0a |.|\n```\n\n## Acknowledgments\n\n- https://confused.ai/posts/intercepting-zoom-tls-encryption-bpf-uprobes\n- https://github.com/cilium/ebpf","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbengentil%2Fwiretap","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbengentil%2Fwiretap","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbengentil%2Fwiretap/lists"}