explaingit

gojue/ecapture

Analysis updated 2026-06-24

Stars 15,163 · Language C · Audience ops devops · Complexity 4/5 · License Apache 2.0 · Setup hard

TLDR

eCapture is a Linux eBPF tool that captures plaintext from TLS, MySQL, Postgres, and shell traffic by hooking crypto libraries, without installing a CA certificate.

Mindmap

mindmap
  root((ecapture))
    Inputs
      Running processes
      OpenSSL GnuTLS NSS
      Go TLS binaries
    Outputs
      Plaintext text mode
      Pcap pcapng files
      TLS keylog files
    Use Cases
      Debug HTTPS traffic
      Audit shell commands
      Capture SQL queries
    Tech Stack
      eBPF
      Linux
      C
      Go


What do people build with it?

USE CASE 1

Inspect plaintext HTTPS request bodies from a process that uses OpenSSL or BoringSSL.

USE CASE 2

Decrypt a captured pcap in Wireshark by exporting TLS master secrets via the keylog module.

USE CASE 3

Audit Bash and Zsh commands run on a Linux server for host security monitoring.

USE CASE 4

Capture MySQL or PostgreSQL queries on the wire without instrumenting the application.

What is it built with?

eBPF, C, Go, Linux

How does it compare?

                   gojue/ecapture   zephyrproject-rtos/zephyr   bol-van/zapret
Stars              15,163           15,242                      15,243
Language           C                C                           C
Setup difficulty   hard             hard                        hard
Complexity         4/5              5/5                         4/5
Audience           ops devops       developer                   ops devops

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard · Time to first run · 1h+

Linux only with kernel 4.18+ on x86_64, root or specific capabilities required, does not run on Windows or macOS.

Apache 2.0 licensed: use freely in personal and commercial projects, including modified versions, as long as you keep the license notice.

In plain English

eCapture is a command-line tool that intercepts the plain text content of encrypted network traffic on a machine, without needing to install a special certificate authority (CA) certificate the way a typical traffic inspection proxy would. It does this using eBPF, a Linux kernel feature that lets a program hook into running code inside the kernel and inside other processes to observe what they are doing. By hooking into the standard cryptography libraries just before they encrypt outgoing data or just after they decrypt incoming data, eCapture sees the message in its readable form.

The README states the supported environments. It works on Linux and Android on x86_64 with kernel 4.18 or newer and on aarch64 with kernel 5.5 or newer. It does not run on Windows or macOS. Running it requires root privileges or specific Linux capabilities, which is unavoidable because eBPF programs are loaded into the kernel. Distribution is either as a downloadable ELF binary from the GitHub releases page or as a Docker image, and a graphical front-end called eCaptureQ exists as a separate project.

eCapture is built as a set of eight modules. The tls module covers OpenSSL, LibreSSL, and BoringSSL. The gnutls module targets the GnuTLS library and the nss module targets the NSS and NSPR libraries used by Firefox. The gotls module reads TLS traffic from Go programs, which use Go's own TLS implementation rather than OpenSSL. The bash and zsh modules record commands typed into those shells for host auditing. The mysqld module captures SQL queries sent to MySQL 5.6, 5.7, and 8.0 and MariaDB, and the postgres module does the same for PostgreSQL 10 and newer.

The OpenSSL module supports three output modes. The text mode prints captured plaintext directly to the console or a file. The pcap or pcapng mode writes captured data in the standard packet-capture format that Wireshark can open. The keylog mode writes out the TLS master secrets to a log file, which lets Wireshark or tshark decrypt a separately captured pcap of the encrypted traffic.

By default eCapture searches the system's loader configuration to find the OpenSSL shared library, but a --libssl flag lets the user point at a specific library or a statically linked program directly. The README warns that the recommended Docker invocation uses --privileged=true, which grants full host access, and points to a separate guide on running with a narrower set of Linux capabilities for production use.
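To make the keylog output mode concrete, here is an added example written for this page; it is not code from the eCapture project. It assumes the log file uses the key log format that Wireshark and tshark read (one line per secret: a label, the 32-byte client random from the ClientHello in hex, and the secret in hex), validates each line, and shows how a secret is matched to a capture by pulling the client random out of a ClientHello record. The sample log and the ClientHello bytes are constructed here, not captured from a real session.

```python
"""Validate a TLS key log file and match its entries to a ClientHello.

Added example, not part of eCapture. Assumes the NSS-style key log format
that Wireshark documents, which is what eCapture's keylog mode targets.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Labels Wireshark accepts. CLIENT_RANDOM (TLS 1.2) carries a 48-byte master
# secret; the TLS 1.3 labels carry a hash-length secret (32 or 48 bytes), so
# only their hex shape is checked. Values are expected hex lengths or None.
LABELS = {
    "CLIENT_RANDOM": 96,
    "CLIENT_EARLY_TRAFFIC_SECRET": None,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": None,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": None,
    "CLIENT_TRAFFIC_SECRET_0": None,
    "SERVER_TRAFFIC_SECRET_0": None,
    "EXPORTER_SECRET": None,
}

# <LABEL> <client_random: 64 hex chars> <secret: hex>
LINE_RE = re.compile(
    r"^(?P<label>[A-Z0-9_]+) (?P<random>[0-9a-fA-F]{64}) (?P<secret>[0-9a-fA-F]+)$"
)


@dataclass(frozen=True)
class KeyLogEntry:
    label: str
    client_random: bytes
    secret: bytes


def parse_keylog(text: str) -> Tuple[List[KeyLogEntry], List[Tuple[int, str]]]:
    """Return (accepted entries, [(line number, problem)]) for a key log."""
    entries: List[KeyLogEntry] = []
    problems: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines are allowed
        m = LINE_RE.match(line)
        if not m:
            problems.append((lineno, "malformed line"))
            continue
        label, rnd, secret = m.group("label"), m.group("random"), m.group("secret")
        if label not in LABELS:
            problems.append((lineno, f"unknown label {label}"))
            continue
        expected = LABELS[label]
        if len(secret) % 2 or (expected is not None and len(secret) != expected):
            problems.append((lineno, f"bad secret length {len(secret)} for {label}"))
            continue
        entries.append(KeyLogEntry(label, bytes.fromhex(rnd), bytes.fromhex(secret)))
    return entries, problems


def build_client_hello(client_random: bytes) -> bytes:
    """Build a minimal TLS record holding a ClientHello (constructed test data)."""
    assert len(client_random) == 32
    body = (
        b"\x03\x03" + client_random   # client_version, random
        + b"\x00"                     # empty session id
        + b"\x00\x02\x13\x01"         # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"                 # compression methods: null
        + b"\x00\x00"                 # no extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def client_random_from_record(record: bytes) -> bytes:
    """Extract the 32-byte random from a TLS handshake record carrying a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(body) < 38 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    if int.from_bytes(body[1:4], "big") != len(body) - 4:
        raise ValueError("handshake length mismatch")
    return body[6:38]  # skip handshake header (4) and client_version (2)


def find_secret(entries: List[KeyLogEntry], record: bytes,
                label: str = "CLIENT_RANDOM") -> Optional[KeyLogEntry]:
    """Mirror Wireshark's lookup: match the ClientHello random to a log entry."""
    rnd = client_random_from_record(record)
    return next((e for e in entries if e.label == label and e.client_random == rnd), None)


# Constructed sample data; no real handshake or secret is involved.
SAMPLE_RANDOM = bytes(range(32))
SAMPLE_SECRET = bytes([0xAB]) * 48
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample in the key log format",
    f"CLIENT_RANDOM {SAMPLE_RANDOM.hex()} {SAMPLE_SECRET.hex()}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {'ff' * 32} {'0a' * 32}",
    "CLIENT_RANDOM deadbeef tooshort",            # malformed on purpose
    f"CLIENT_RANDOM {'00' * 32} {'cc' * 47}",     # 47-byte secret: rejected
])

if __name__ == "__main__":
    ok, bad = parse_keylog(SAMPLE_KEYLOG)
    print(f"{len(ok)} entries accepted, {len(bad)} rejected: {bad}")
    hit = find_secret(ok, build_client_hello(SAMPLE_RANDOM))
    print("match:", hit.secret.hex() if hit else None)
```

Running the script reports two accepted entries and two rejected lines, and the lookup returns the constructed master secret for the matching ClientHello while a ClientHello whose random only appears on a rejected line yields no match, which is the same failure you would see in Wireshark as traffic that stays encrypted.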

Copy-paste prompts

Prompt 1
Walk me through running eCapture in tls text mode on a Linux box to read plaintext HTTPS bodies from a Node.js process.
Prompt 2
Export TLS master secrets from a Go binary with the gotls module and decrypt the corresponding pcap in Wireshark.
Prompt 3
Run eCapture's mysqld module against MySQL 8 and stream the captured queries to a file.
Prompt 4
Run eCapture inside Docker with the narrowest set of Linux capabilities instead of --privileged.
Prompt 5
Compare eCapture's eBPF hooking approach to a man-in-the-middle proxy and explain when each is preferable.

Frequently asked questions

What is ecapture?

eCapture is a Linux eBPF tool that captures plaintext from TLS, MySQL, Postgres, and shell traffic by hooking crypto libraries, without installing a CA certificate.

What language is ecapture written in?

Mainly C. The stack also includes eBPF, C, Go.

What license does ecapture use?

Apache 2.0 licensed: use freely in personal and commercial projects, including modified versions, as long as you keep the license notice.

How hard is ecapture to set up?

Setup difficulty is rated hard, with roughly 1h+ to a first successful run.

Who is ecapture for?

Mainly ops devops.



Verify against the repo before relying on details.