Analysis updated 2026-06-24
Inspect plaintext HTTPS request bodies from a process that uses OpenSSL or BoringSSL.
Decrypt a captured pcap in Wireshark by exporting TLS master secrets via the keylog module.
Audit Bash and Zsh commands run on a Linux server for host security monitoring.
Capture MySQL or PostgreSQL queries on the wire without instrumenting the application.
| | gojue/ecapture | zephyrproject-rtos/zephyr | bol-van/zapret |
|---|---|---|---|
| Stars | 15,163 | 15,242 | 15,243 |
| Language | C | C | C |
| Setup difficulty | hard | hard | hard |
| Complexity | 4/5 | 5/5 | 4/5 |
| Audience | ops devops | developer | ops devops |
Figures from each repo's GitHub metadata at analysis time.
Linux only, kernel 4.18+ on x86_64; root or specific capabilities required; does not run on Windows or macOS.
eCapture is a command-line tool that intercepts the plaintext content of encrypted network traffic on a machine, without needing to install a special certificate authority (CA) certificate the way a typical traffic inspection proxy would. It does this using eBPF, a Linux kernel feature that lets a program hook into running code inside the kernel and inside other processes to observe what they are doing. By hooking into the standard cryptography libraries just before they encrypt outgoing data or just after they decrypt incoming data, eCapture sees the message in its readable form.

The README states the supported environments. It works on Linux and Android on x86_64 with kernel 4.18 or newer and on aarch64 with kernel 5.5 or newer. It does not run on Windows or macOS. Running it requires root privileges or specific Linux capabilities, which is unavoidable because eBPF programs are loaded into the kernel. Distribution is either as a downloadable ELF binary from the GitHub releases page or as a Docker image, and a graphical front-end called eCaptureQ exists as a separate project.

eCapture is built as a set of eight modules. The tls module covers OpenSSL, LibreSSL, and BoringSSL. The gnutls module targets the GnuTLS library and the nss module targets the NSS and NSPR libraries used by Firefox. The gotls module reads TLS traffic from Go programs, which use Go's own TLS implementation rather than OpenSSL. The bash and zsh modules record commands typed into those shells for host auditing. The mysqld module captures SQL queries sent to MySQL 5.6, 5.7, and 8.0 and MariaDB, and the postgres module does the same for PostgreSQL 10 and newer.

The OpenSSL module supports three output modes. In text mode, captured plaintext is printed directly to the console or a file. In pcap or pcapng mode, captured data is written in the standard packet-capture format that Wireshark can open. In keylog mode, the TLS master secrets are written to a log file, which lets Wireshark or tshark decrypt a separately captured pcap of the encrypted traffic. By default eCapture searches the system's loader configuration to find the OpenSSL shared library, but a --libssl flag lets the user point at a specific library or a statically linked program directly. The README warns that the recommended Docker invocation uses --privileged=true, which grants full host access, and points to a separate guide on running with a narrower set of Linux capabilities for production use.
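Before handing a keylog-mode file to Wireshark it is worth checking what it actually contains; the following is an added example (not code from the eCapture project) that assumes the file is in the NSS key log format Wireshark reads, validates each line, drops duplicates, and reports per session whether application data could be decrypted, using constructed sample lines.

```python
import re
# The keylog module's output is read by Wireshark in the NSS key log format; the
# labels and secret sizes below are facts about that format, not taken from the page.
TLS13_LABELS = ("CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
                "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
                "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET")
SECRET_HEX_LEN = {"CLIENT_RANDOM": {96},                   # TLS 1.2: 48-byte master secret
                  **{lb: {64, 96} for lb in TLS13_LABELS}}  # TLS 1.3: SHA-256 / SHA-384 suites
HEX = re.compile(r"^[0-9a-fA-F]+$")

def parse_keylog(text):
    """Return (valid de-duplicated (label, client_random, secret) entries, [(line_no, reason)])."""
    entries, problems, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            problems.append((lineno, "expected 3 whitespace-separated fields")); continue
        label, client_random, secret = parts
        if label not in SECRET_HEX_LEN:
            problems.append((lineno, f"unknown label {label}")); continue
        if not (HEX.match(client_random) and len(client_random) == 64):
            problems.append((lineno, "client random must be 32 bytes of hex")); continue
        if not (HEX.match(secret) and len(secret) in SECRET_HEX_LEN[label]):
            problems.append((lineno, f"bad secret length for {label}")); continue
        entry = (label, client_random.lower(), secret.lower())
        if entry not in seen:                # duplicates appear when a capture is re-run
            seen.add(entry); entries.append(entry)
    return entries, problems

def session_coverage(entries):
    """Per client random, what Wireshark could decrypt: TLS 1.3 app data needs both *_TRAFFIC_SECRET_0."""
    labels = {}
    for label, client_random, _ in entries:
        labels.setdefault(client_random, set()).add(label)
    return {cr: ("TLS1.2" if "CLIENT_RANDOM" in have
                 else "TLS1.3" if {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"} <= have
                 else "TLS1.3 handshake only")
            for cr, have in labels.items()}

# Constructed sample (not real capture output): one TLS 1.2 session, one TLS 1.3
# session, a duplicate line, and a line whose client random was truncated.
CR_TLS12, CR_TLS13 = "11" * 32, "33" * 32
SAMPLE_KEYLOG = "\n".join([
    f"CLIENT_RANDOM {CR_TLS12} {'22' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR_TLS13} {'44' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {CR_TLS13} {'66' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {CR_TLS13} {'77' * 32}",
    f"CLIENT_RANDOM {CR_TLS12} {'22' * 48}",
    f"CLIENT_RANDOM {CR_TLS12[:20]} {'22' * 48}",
])
```

Wireshark silently skips malformed lines, so a session that fails to decrypt is often just a line the parser above would have flagged.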
eCapture is a Linux eBPF tool that captures plaintext from TLS, MySQL, Postgres, and shell traffic by hooking crypto libraries, without installing a CA certificate.
Mainly C; the stack also includes eBPF and Go.
Apache 2.0 licensed: use freely in personal and commercial projects, including modified versions, as long as you keep the license notice.
Setup difficulty is rated hard, with roughly 1h+ to a first successful run.
Mainly ops devops.
Verify against the repo before relying on details.