{"id":13416782,"url":"https://github.com/gojue/ecapture","last_synced_at":"2026-04-06T15:01:02.848Z","repository":{"id":36970957,"uuid":"469303019","full_name":"gojue/ecapture","owner":"gojue","description":"Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64.","archived":false,"fork":false,"pushed_at":"2026-03-31T01:57:17.000Z","size":17607,"stargazers_count":15075,"open_issues_count":10,"forks_count":1604,"subscribers_count":104,"default_branch":"master","last_synced_at":"2026-04-02T09:33:13.544Z","etag":null,"topics":["android","android-https-capture","ebpf","ebpf-go","ebpf-tc","ebpf-uprobe","golang","https","linux","network-capture","security-audit","ssl","ssldump","tcpdump","tls"],"latest_commit_sha":null,"homepage":"https://ecapture.cc","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gojue.png","metadata":{"files":{"readme":"README-zh_Hans.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2022-03-13T07:40:48.000Z","updated_at":"2026-04-02T09:31:28.000Z","dependencies_parsed_at":"2023-12-09T01:38:58.601Z","dependency_job_id":"8c662461-6b9c-42b0-9587-2f4f9629d528","html_url":"https://github.com/gojue/ecapture","commit_stats":null,"previous_names":["ehids/ecapture"],"tags_count":90,"template":false,"template_full_name":null,"purl":"pkg:github/gojue/ecapture","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/go
jue%2Fecapture","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gojue%2Fecapture/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gojue%2Fecapture/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gojue%2Fecapture/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gojue","download_url":"https://codeload.github.com/gojue/ecapture/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gojue%2Fecapture/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31477013,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-06T14:34:32.243Z","status":"ssl_error","status_checked_at":"2026-04-06T14:34:31.723Z","response_time":112,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["android","android-https-capture","ebpf","ebpf-go","ebpf-tc","ebpf-uprobe","golang","https","linux","network-capture","security-audit","ssl","ssldump","tcpdump","tls"],"created_at":"2024-07-30T22:00:22.079Z","updated_at":"2026-04-06T15:01:02.842Z","avatar_url":"https://github.com/gojue.png","language":"C","funding_links":[],"categories":["Popular","HarmonyOS","C","Other Lists","android"],"sub_categories":["Windows Manager","🧪 LAB"],"readme":"\u003cimg src=\"./images/ecapture-logo.png\" alt=\"eCapture Logo\" width=\"300\" 
height=\"300\"/\u003e\n\n Chinese | [English](./README.md) \n\n[![GitHub stars](https://img.shields.io/github/stars/gojue/ecapture.svg?label=Stars\u0026logo=github)](https://github.com/gojue/ecapture)\n[![GitHub forks](https://img.shields.io/github/forks/gojue/ecapture?label=Forks\u0026logo=github)](https://github.com/gojue/ecapture)\n[![CI](https://github.com/gojue/ecapture/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/gojue/ecapture/actions/workflows/code-analysis.yml)\n[![Github Version](https://img.shields.io/github/v/release/gojue/ecapture?display_name=tag\u0026include_prereleases\u0026sort=semver)](https://github.com/gojue/ecapture/releases)\n[![Home Page](https://img.shields.io/badge/Home_Page-e0ad15)](https://v2.ecapture.cc)\n[![QQ group](https://img.shields.io/badge/QQ群-%2312B7F5?logo=tencent-qq\u0026logoColor=white\u0026style=flat-square)](https://qm.qq.com/cgi-bin/qm/qr?k=iCu561fq4zdbHVdntQLFV0Xugrnf7Hpv\u0026jump_from=webapi\u0026authKey=YamGv189Cg+KFdQt1Qnsw6GZlpx8BYA+G2WZFezohY4M03V+l0eElZWOhZj/wR/5)\n\n### eCapture (旁观者, \"the onlooker\"): plaintext capture of SSL/TLS-encrypted traffic using eBPF, no CA certificate required.\n\n\u003e [!TIP]\n\u003e Supported on Linux kernels x86_64 4.18 and later, and aarch64 5.5 and later;\n\u003e requires root or a specific set of [Linux capabilities](docs/minimum-privileges.md);\n\u003e Windows and macOS are not supported.\n\n----\n\u003c!-- MarkdownTOC autolink=\"true\" --\u003e\n\n- [Introduction](#introduction)\n- [Getting started](#getting-started)\n  - [Download](#download)\n    - [ELF executable](#elf-executable)\n    - [Docker image](#docker-image)\n  - [First run](#first-run)\n  - [Modules](#modules)\n    - [openssl module](#openssl-module)\n    - [gotls module](#gotls-module)\n    - [Other modules](#other-modules)\n  - [Demos](#demos)\n- [Star history](#star-history)\n- [Security and operations](#security-and-operations)\n- [Contributing](#contributing)\n- [Further development](#further-development)\n- [WeChat official account](#wechat-official-account)\n\u003c!-- /MarkdownTOC --\u003e\n----\n\n# Introduction\n\neCapture's Chinese name is **旁观者** (\"the onlooker\"), from the saying \"**当局者迷，旁观者清**\" (the player is lost in the game, the onlooker sees it clearly). It fits what the tool does, **observe traffic from the side without touching it**, and the name also sounds similar to the English one. eCapture uses eBPF `Uprobe` and `Traffic Control` hooks to capture data in user space and kernel space without modifying the target program.\n\n\n# Getting started\n\n## Download\n\n### ELF executable\n\n\u003e [!IMPORTANT]\n\u003e Supports Linux/Android on the x86_64/aarch64 CPU architectures.\n\nDownload a binary package from the [releases](https://github.com/gojue/ecapture/releases) page; it runs as-is.\n\n### Docker image\n\n\u003e [!TIP]\n\u003e Linux x86_64/aarch64 only.\n\n```shell\n# pull the image\ndocker pull gojue/ecapture:latest\n# run\ndocker run --rm --privileged=true --net=host -v ${host_path}:${container_path} gojue/ecapture ARGS\n```\n\n\u003e **⚠️ Security note**: `--privileged=true` gives the container full access to the host. In production, grant a specific set of capabilities instead; see the [minimum privileges guide](docs/minimum-privileges.md#method-3-docker-with-specific-capabilities).\n\n## First run\n\n![](./images/ecapture-help-v0.8.9.svg)\n\nCapture network traffic encrypted with the dynamically linked OpenSSL library:\n\n```shell\nsudo ecapture tls\n```\n\neCapture detects the system's OpenSSL library automatically and starts capturing plaintext. When you make an HTTPS request (for example `curl https://baidu.com`), the captured request and response are printed:\n\n```\n...\nINF module started successfully. moduleName=EBPFProbeOPENSSL\n??? UUID:233479_233479_curl_5_1_39.156.66.10:443, Name:HTTPRequest, Type:1, Length:73\nGET / HTTP/1.1\nHost: baidu.com\nAccept: */*\nUser-Agent: curl/7.81.0\n...\n```\n\n\u003e 📄 For complete output examples see [docs/example-outputs.md](docs/example-outputs.md).\n\n## Modules\neCapture has 8 modules. They cover plaintext capture for the openssl/gnutls/nspr/boringssl/gotls TLS/SSL libraries and auditing of Bash, MySQL and PostgreSQL:\n\n* bash: captures the input and output of bash command lines\n* gnutls: captures the plaintext of traffic encrypted with the gnutls library\n* gotls: captures the plaintext of TLS/HTTPS traffic from programs written in Go with the built-in crypto/tls library\n* mysqld: captures SQL queries from mysqld for database auditing; supports MySQL 5.6/5.7/8.0\n* nss: captures the plaintext of traffic encrypted with the nss library\n* postgres: database auditing for PostgreSQL 10+; captures the query statements\n* tls: captures the plaintext of traffic encrypted with OpenSSL/BoringSSL; supports OpenSSL 1.0.x/1.1.x/3.x and newer and every BoringSSL release\n\nRun `ecapture -h` to list these subcommands.\n\n### openssl module\n\nRun `sudo ecapture -h` for the full help text.\n\nBy default eCapture reads `/etc/ld.so.conf` to find the shared-library search directories and locates `openssl` and the other dynamic libraries there. You can also give the library path explicitly with the `--libssl` parameter.\n\nIf the target program is statically linked, set `--libssl` to the path of the program itself.\n\nThe openssl module supports three capture modes:\n\n- pcap/pcapng mode stores the captured plaintext in pcap-NG format.\n- keylog/key mode saves the TLS session keys (master secrets) to a file.\n- text mode captures the plaintext directly and writes it to a file or prints it to the terminal.\n\n#### Pcap mode\n\nSupports the TCP-based HTTP `1.0/1.1/2.0` application protocols over TLS, as well as HTTP/3 over UDP (`QUIC`).\nSelect it with `-m pcap` or `-m pcapng`, together with the `--pcapfile` and `-i` parameters. The default value of `--pcapfile` is `ecapture_openssl.pcapng`.\n```shell\nsudo ecapture tls -m pcap -i eth0 --pcapfile=ecapture.pcapng tcp port 443\n```\n\n\u003e 📄 For complete pcapng-mode output see [docs/example-outputs.md](docs/example-outputs.md#tls-module--pcapng-mode).\n\nThe captured plaintext packets are saved to the pcapng file; open it in `Wireshark` and you will see the decrypted packets.\n\n#### keylog mode\nSelect it with `-m keylog` or `-m key`, together with the `--keylogfile` parameter, which defaults to `ecapture_masterkey.log`.\nThe captured OpenSSL TLS `Master Secret` keys are written to `--keylogfile`. You can run `tcpdump` at the same time, open the capture in `Wireshark`, set the (Pre)-Master-Secret log file path, and view the decrypted packets.\n```shell\nsudo ecapture tls -m keylog --keylogfile=openssl_keylog.log\n```\n\nYou can also decrypt and display the traffic live with `tshark`:\n```shell\ntshark -o tls.keylog_file:openssl_keylog.log -Y http -T fields -e http.file_data -f \"port 443\" -i eth0\n```\n\n#### text mode\n\n`sudo ecapture tls -m text` prints all plaintext packets. (Since v0.7.0, text mode no longer captures SSLKEYLOG information.)\n\n### gotls module\nWorks like the openssl module.\n\n#### Verifying the prerequisites\n\n```shell\ncfc4n@vm-server:~$ uname -r\n4.18.0-305.3.1.el8.x86_64\ncfc4n@vm-server:~$ cat /boot/config-`uname -r` | grep CONFIG_DEBUG_INFO_BTF\nCONFIG_DEBUG_INFO_BTF=y\n```\n\n#### Start eCapture\n```shell\nsudo ecapture gotls --elfpath=/home/cfc4n/go_https_client --hex\n```\n\n#### Start the target program\nMake sure the program makes an HTTPS request.\n```shell\n/home/cfc4n/go_https_client\n```\n\n#### More help\n```shell\nsudo ecapture gotls -h\n```\n\n### Other modules\n\neCapture also provides other modules such as `bash`, `mysql`, `nss` and `postgres`; run `ecapture -h` for the full help text.\n\n## Demos\n\n### Introductory article\n\n[eCapture: capturing HTTPS plaintext without a CA certificate](https://mp.weixin.qq.com/s/DvTClH3JmncpkaEfnTQsRg)\n\n### Video: using eCapture on Linux\n\n[![eCapture User Manual](./images/ecapture-user-manual.png)](https://www.bilibili.com/video/BV1si4y1Q74a \"eCapture User Manual\")\n\n### Video: using eCapture on Android\n\n[![eCapture User Manual](./images/ecapture-user-manual-on-android.png)](https://www.bilibili.com/video/BV1xP4y1Z7HB \"eCapture for Android\")\n\n## eCaptureQ GUI\n\n[eCaptureQ](https://github.com/gojue/ecaptureq) is a cross-platform graphical client for eCapture that visualizes eBPF TLS capture. Built with Rust + Tauri + React, it provides a real-time reactive interface for analyzing encrypted traffic without a CA certificate and makes eBPF capture easy to use. It supports two modes:\n\n* Integrated mode: runs as a single unit on Linux/Android\n* Remote mode: a Windows/macOS/Linux client connects to a remote eCapture service\n\n### Other event-forwarding projects\n[Notable event-forwarding projects](./EVENT_FORWARD.md)\n\n### Video demo\n\nhttps://github.com/user-attachments/assets/c8b7a84d-58eb-4fdb-9843-f775c97bdbfb\n\n🔗 [GitHub repository](https://github.com/gojue/ecaptureq)\n\n### Protobuf protocol\n\nFor details of the Protobuf log mode used by eCapture/eCaptureQ, see:\n\n- [protobuf/PROTOCOLS-zh_Hans.md](protobuf/PROTOCOLS-zh_Hans.md)\n\n## Star history\n\n[![Star history](https://starchart.cc/gojue/ecapture.svg)](https://starchart.cc/gojue/ecapture)\n\n# Security and operations\n\n- [**Security policy**](SECURITY.md): vulnerability reporting process and supported versions\n- [**Minimum privileges guide**](docs/minimum-privileges.md): required Linux capabilities and least-privilege configuration\n- [**Defense and detection**](docs/defense-detection.md): how to detect and defend against unauthorized use\n- [**Performance benchmarks**](docs/performance-benchmarks.md): how overhead is measured and what to expect\n- [**Release verification**](docs/release-verification.md): how to verify the integrity of release artifacts\n\n# Contributing\n\nSee [CONTRIBUTING](./CONTRIBUTING.md) for how to report bugs and submit patches and suggestions. Thank you.\n\n# Further development\n## Building it yourself\nYou can customize the features you need, for example setting the `uprobe` offsets to support a statically linked OpenSSL library. See the [build guide](docs/compilation-zh_Hans.md).\n\n## Changing the configuration at runtime\nWhile eCapture is running you can change its configuration through an HTTP interface; see the [HTTP API documentation](docs/remote-config-update-api-zh_Hans.md).\n\n## Event forwarding\neCapture supports several ways of forwarding events, for example to interception proxies such as Burp Suite; see the [event-forwarding API documentation](docs/event-forward-api-zh_Hans.md).\n\n# WeChat official account\n![](./images/wechat_gzhh.png)\n\n## Acknowledgements\n\nThis project is supported by a [JetBrains IDE](https://www.jetbrains.com) license. Thanks to JetBrains for their contribution to the open-source community.\n\n![JetBrains logo](https://resources.jetbrains.com/storage/products/company/brand/logos/jetbrains.svg)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgojue%2Fecapture","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgojue%2Fecapture","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgojue%2Fecapture/lists"}
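The README's opening tip states the kernel minimums (x86_64 4.18+, aarch64 5.5+), and the gotls section checks `uname -r` and `CONFIG_DEBUG_INFO_BTF` by hand before starting a capture. The Go program below is an added example, not eCapture's own code, that performs the same preflight programmatically: it encodes the README's minimum versions, parses a `uname -r` string, and looks for BTF in `/boot/config-$(uname -r)` with `/sys/kernel/btf/vmlinux` as a fallback. Accepting both the uname and Go spellings of each architecture, and the vmlinux fallback, are assumptions of this example; the release strings it tests against are constructed.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"runtime"
	"strconv"
	"strings"
)

// Minimum kernel versions stated in the README: x86_64 needs 4.18 or later,
// aarch64 needs 5.5 or later. Both the uname and the Go (GOARCH) spellings of
// each architecture are accepted; that mapping is an assumption of this example.
var minKernel = map[string][2]int{
	"x86_64":  {4, 18},
	"amd64":   {4, 18},
	"aarch64": {5, 5},
	"arm64":   {5, 5},
}

// releaseRe pulls major.minor out of a `uname -r` string such as
// "4.18.0-305.3.1.el8.x86_64" or "6.1.0-rc1".
var releaseRe = regexp.MustCompile(`^(\d+)\.(\d+)`)

// KernelSupported reports whether release meets the README's minimum for arch.
func KernelSupported(arch, release string) (bool, error) {
	need, ok := minKernel[arch]
	if !ok {
		return false, fmt.Errorf("architecture %q is not supported by eCapture", arch)
	}
	m := releaseRe.FindStringSubmatch(release)
	if m == nil {
		return false, fmt.Errorf("cannot parse kernel release %q", release)
	}
	major, _ := strconv.Atoi(m[1]) // the regexp guarantees plain digits
	minor, _ := strconv.Atoi(m[2])
	return major > need[0] || (major == need[0] && minor >= need[1]), nil
}

// HasBTF scans kernel config text for CONFIG_DEBUG_INFO_BTF=y, the check the
// README performs with grep on /boot/config-$(uname -r). A line reading
// "# CONFIG_DEBUG_INFO_BTF is not set" correctly yields false.
func HasBTF(configText string) bool {
	for _, line := range strings.Split(configText, "\n") {
		if strings.TrimSpace(line) == "CONFIG_DEBUG_INFO_BTF=y" {
			return true
		}
	}
	return false
}

func main() {
	// /proc/sys/kernel/osrelease holds exactly what `uname -r` prints.
	raw, err := os.ReadFile("/proc/sys/kernel/osrelease")
	if err != nil {
		fmt.Println("not a Linux host:", err)
		return
	}
	release := strings.TrimSpace(string(raw))
	ok, err := KernelSupported(runtime.GOARCH, release)
	fmt.Printf("kernel %s on %s meets the minimum: %v (err=%v)\n", release, runtime.GOARCH, ok, err)

	btf := false
	if cfg, err := os.ReadFile("/boot/config-" + release); err == nil {
		btf = HasBTF(string(cfg))
	} else if _, err := os.Stat("/sys/kernel/btf/vmlinux"); err == nil {
		// Config file not readable, but a BTF-enabled kernel exposes its BTF here.
		btf = true
	}
	fmt.Println("BTF available:", btf)
}
```

Run it on the target host before `ecapture gotls` or `ecapture tls`; a `false` on either line explains most "module failed to start" situations faster than reading the eBPF loader error.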
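The keylog mode section says the captured master secrets are written to `--keylogfile` for Wireshark or tshark to consume. Wireshark reads that file in the NSS key log format, so a quick sanity check before loading a large capture is to validate the file's lines. The Go program below is an added example, not part of eCapture: it parses a key log, rejects lines Wireshark would not use (unknown labels, wrong hex lengths), and reports per session whether enough secrets are present to decrypt application data. The label set and secret sizes are those of the NSS key log format as understood by Wireshark; the sample log is constructed and contains no real key material.

```go
package main

import (
	"bufio"
	"encoding/hex"
	"fmt"
	"strings"
)

// Labels Wireshark accepts in tls.keylog_file (NSS key log format) and the
// secret sizes valid for each: a TLS 1.2 master secret is 48 bytes; TLS 1.3
// secrets are hash-sized (32 bytes for SHA-256 suites, 48 for SHA-384).
var keyLogLabels = map[string]map[int]bool{
	"CLIENT_RANDOM":                   {48: true},
	"CLIENT_EARLY_TRAFFIC_SECRET":     {32: true, 48: true},
	"CLIENT_HANDSHAKE_TRAFFIC_SECRET": {32: true, 48: true},
	"SERVER_HANDSHAKE_TRAFFIC_SECRET": {32: true, 48: true},
	"CLIENT_TRAFFIC_SECRET_0":         {32: true, 48: true},
	"SERVER_TRAFFIC_SECRET_0":         {32: true, 48: true},
	"EXPORTER_SECRET":                 {32: true, 48: true},
}

// KeyLogEntry is one accepted line: <label> <client_random hex> <secret hex>.
type KeyLogEntry struct {
	Line         int
	Label        string
	ClientRandom string // 32-byte ClientHello.random, lower-case hex
	Secret       []byte
}

// ParseKeyLog validates the log line by line and returns the well-formed
// entries plus one message per rejected line. Blank lines and '#' comments
// are skipped, as Wireshark skips them.
func ParseKeyLog(text string) ([]KeyLogEntry, []string) {
	var entries []KeyLogEntry
	var problems []string
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		reject := func(msg string) { problems = append(problems, fmt.Sprintf("line %d: %s", n, msg)) }
		f := strings.Fields(line)
		if len(f) != 3 {
			reject(fmt.Sprintf("want 3 fields, got %d", len(f)))
			continue
		}
		okLens, known := keyLogLabels[f[0]]
		if !known {
			reject("label " + f[0] + " is not one Wireshark understands")
			continue
		}
		if cr, err := hex.DecodeString(f[1]); err != nil || len(cr) != 32 {
			reject("client_random must be 32 bytes of hex")
			continue
		}
		secret, err := hex.DecodeString(f[2])
		if err != nil || !okLens[len(secret)] {
			reject(fmt.Sprintf("%s secret is %d bytes, not a valid size", f[0], len(secret)))
			continue
		}
		entries = append(entries, KeyLogEntry{Line: n, Label: f[0], ClientRandom: strings.ToLower(f[1]), Secret: secret})
	}
	return entries, problems
}

// Decryptable reports, per client_random, whether the log holds enough to
// decrypt that session's application data: a CLIENT_RANDOM line (TLS 1.2 and
// earlier) or both TLS 1.3 application traffic secrets.
func Decryptable(entries []KeyLogEntry) map[string]bool {
	have := map[string]map[string]bool{}
	for _, e := range entries {
		if have[e.ClientRandom] == nil {
			have[e.ClientRandom] = map[string]bool{}
		}
		have[e.ClientRandom][e.Label] = true
	}
	out := map[string]bool{}
	for cr, l := range have {
		out[cr] = l["CLIENT_RANDOM"] || (l["CLIENT_TRAFFIC_SECRET_0"] && l["SERVER_TRAFFIC_SECRET_0"])
	}
	return out
}

// SampleKeyLog is constructed test data, not real key material: one TLS 1.2
// session, one complete TLS 1.3 session, one TLS 1.3 session missing its
// server traffic secret, and two malformed lines.
func SampleKeyLog() string {
	r1, r2, r3 := strings.Repeat("11", 32), strings.Repeat("22", 32), strings.Repeat("33", 32)
	return strings.Join([]string{
		"# constructed sample, not real key material",
		"CLIENT_RANDOM " + r1 + " " + strings.Repeat("aa", 48),
		"CLIENT_HANDSHAKE_TRAFFIC_SECRET " + r2 + " " + strings.Repeat("b1", 32),
		"SERVER_HANDSHAKE_TRAFFIC_SECRET " + r2 + " " + strings.Repeat("b2", 32),
		"CLIENT_TRAFFIC_SECRET_0 " + r2 + " " + strings.Repeat("b3", 32),
		"SERVER_TRAFFIC_SECRET_0 " + r2 + " " + strings.Repeat("b4", 32),
		"CLIENT_TRAFFIC_SECRET_0 " + r3 + " " + strings.Repeat("c1", 48),
		"CLIENT_RANDOM " + r1 + " " + strings.Repeat("dd", 47), // truncated master secret
		"MASTER_SECRET " + r1 + " " + strings.Repeat("ee", 48), // label not in the accepted set
	}, "\n")
}

func main() {
	entries, problems := ParseKeyLog(SampleKeyLog())
	fmt.Printf("%d usable lines, %d rejected\n", len(entries), len(problems))
	for _, p := range problems {
		fmt.Println("  ", p)
	}
	for cr, ok := range Decryptable(entries) {
		fmt.Printf("session %s... decryptable=%v\n", cr[:8], ok)
	}
}
```

To check a real file, replace `SampleKeyLog()` in `main` with the contents of the `--keylogfile` output; a session reported as not decryptable usually means the capture was stopped before the server traffic secret was derived, so the pcap for that connection will stay opaque in Wireshark.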