eCapture is a command-line tool that recovers the plaintext of encrypted network traffic on a machine without installing a custom certificate authority (CA) certificate the way a typical traffic-inspection proxy does. It does this with eBPF, a Linux kernel facility that lets small, verified programs attach to kernel functions (kprobes) and to functions inside running user-space processes (uprobes) and observe their arguments and return values. eCapture attaches to the read and write entry points of the standard TLS libraries, so it sees outgoing data just before the library encrypts it and incoming data just after the library decrypts it. Because it reads the data at the library boundary rather than on the wire, nothing about the TLS handshake, certificates, or cipher suite changes, and the application cannot tell it is being observed.

The README states the supported environments: Linux and Android on x86_64 with kernel 4.18 or newer, and on aarch64 with kernel 5.5 or newer. It does not run on Windows or macOS. Running it requires root or a specific set of Linux capabilities, which is unavoidable because eBPF programs are loaded into the kernel. It is distributed as a downloadable ELF binary on the GitHub releases page and as a Docker image; a graphical front-end called eCaptureQ exists as a separate project.

eCapture is built as a set of eight modules. The tls module covers OpenSSL, LibreSSL, and BoringSSL. The gnutls module targets the GnuTLS library, and the nss module targets the NSS and NSPR libraries used by Firefox. The gotls module reads TLS traffic from Go programs, which use Go's own crypto/tls implementation rather than OpenSSL and therefore need their own hooks. The bash and zsh modules record commands typed into those shells, for host auditing. The mysqld module captures SQL queries sent to MySQL 5.6, 5.7, and 8.0 and to MariaDB, and the postgres module does the same for PostgreSQL 10 and newer.

The tls module supports three output modes. In text mode, captured plaintext is printed directly to the console or written to a file. In pcap (pcapng) mode, the captured data is written as a pcapng file that Wireshark can open. In keylog mode, the TLS session secrets are written to a log file in the NSS key log format (the same format an SSLKEYLOGFILE produces), which lets Wireshark or tshark decrypt a separately captured pcap of the encrypted traffic. By default eCapture searches the system's dynamic-loader configuration to find the OpenSSL shared library, but the --libssl flag lets the user point at a specific library or directly at a statically linked program. The README warns that the recommended Docker invocation uses --privileged=true, which grants the container full access to the host, and points to a separate guide on running with a narrower set of Linux capabilities for production use.
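Keylog mode only helps if the log Wireshark receives is complete and well formed: a line truncated when the capture was stopped, or a TLS 1.3 session missing one of its traffic secrets, makes tshark silently leave that session encrypted. The script below is an added example, not part of the eCapture project; it validates a key log in the NSS key log format that keylog mode produces, reports duplicate and broken lines, flags TLS 1.3 sessions that cannot be decrypted, and builds the tshark command that consumes the log. The sample log embedded in it is constructed for illustration and is not real eCapture output.

```python
"""Validate an NSS-format TLS key log before handing it to tshark."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Labels defined by the NSS key log format. TLS 1.2 writes one CLIENT_RANDOM
# line per session; TLS 1.3 writes several per-secret lines that share the
# same client random.
TLS12_LABEL = "CLIENT_RANDOM"
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "EARLY_EXPORTER_MASTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
# Without both of these, TLS 1.3 application data stays encrypted in Wireshark.
TLS13_REQUIRED = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}

CLIENT_RANDOM_HEX = 64        # 32-byte ClientHello.random
MASTER_SECRET_HEX = 96        # 48-byte TLS 1.2 master secret
TLS13_SECRET_HEX = {64, 96}   # hash length of the suite: SHA-256 or SHA-384
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


@dataclass
class KeylogReport:
    tls12_sessions: set = field(default_factory=set)
    tls13_sessions: dict = field(default_factory=lambda: defaultdict(set))
    bad_lines: list = field(default_factory=list)   # (line_no, reason)
    duplicates: int = 0

    def incomplete_tls13(self):
        """Client randoms whose TLS 1.3 lines lack the application traffic secrets."""
        return sorted(cr for cr, labels in self.tls13_sessions.items()
                      if not TLS13_REQUIRED <= labels)


def parse_keylog(text):
    """Parse key log text; never raises, every defect lands in the report."""
    report = KeylogReport()
    seen = set()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            report.bad_lines.append((no, "expected 3 fields, got %d" % len(parts)))
            continue
        label, client_random, secret = parts
        if len(client_random) != CLIENT_RANDOM_HEX or not HEX_RE.match(client_random):
            report.bad_lines.append((no, "client random is not 32 bytes of hex"))
            continue
        if not HEX_RE.match(secret):
            report.bad_lines.append((no, "secret is not hex"))
            continue
        if label == TLS12_LABEL:
            if len(secret) != MASTER_SECRET_HEX:
                report.bad_lines.append((no, "master secret is not 48 bytes"))
                continue
        elif label in TLS13_LABELS:
            if len(secret) not in TLS13_SECRET_HEX:
                report.bad_lines.append((no, "TLS 1.3 secret is not 32 or 48 bytes"))
                continue
        else:
            report.bad_lines.append((no, "unknown label %s" % label))
            continue
        key = (label, client_random.lower())
        if key in seen:            # same secret logged twice, harmless but noisy
            report.duplicates += 1
            continue
        seen.add(key)
        if label == TLS12_LABEL:
            report.tls12_sessions.add(client_random.lower())
        else:
            report.tls13_sessions[client_random.lower()].add(label)
    return report


def tshark_command(pcap_path, keylog_path, display_filter="http"):
    """Command line that decrypts pcap_path with the key log (tls.keylog_file)."""
    return ["tshark", "-r", pcap_path,
            "-o", "tls.keylog_file:" + keylog_path, "-Y", display_filter]


# Constructed sample: one TLS 1.2 session logged twice, one TLS 1.3 session
# missing its server traffic secret, and a line cut short mid-write.
CR_TLS12, CR_TLS13 = "11" * 32, "aa" * 32
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample, not real eCapture output",
    f"CLIENT_RANDOM {CR_TLS12} {'22' * 48}",
    f"CLIENT_RANDOM {CR_TLS12} {'22' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR_TLS13} {'01' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CR_TLS13} {'02' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {CR_TLS13} {'03' * 32}",
    f"CLIENT_RANDOM {'cc' * 32} {'dd' * 20}",
])

if __name__ == "__main__":
    r = parse_keylog(SAMPLE_KEYLOG)
    print("TLS 1.2 sessions:", len(r.tls12_sessions), "duplicates:", r.duplicates)
    print("TLS 1.3 sessions missing traffic secrets:", r.incomplete_tls13())
    print("broken lines:", r.bad_lines)
    print(" ".join(tshark_command("capture.pcapng", "keys.log")))
```

Run the validator against the file keylog mode produced before pointing tshark at it; a non-empty bad_lines or incomplete_tls13() result usually means the capture was stopped while the handshake was still in progress, and the affected sessions will not decrypt no matter how the pcap was taken.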
Generated 2026-05-21 · Model: sonnet-4-6 · Verify against the repo before relying on details.