git404hub

what is ecapture fr?

gojue/ecapture — explained in plain English

Analysis updated 2026-06-24

15,163CAudience · ops devopsComplexity · 4/5LicenseSetup · hard

tl;dr

eCapture is a Linux eBPF tool that captures plaintext from TLS, MySQL, Postgres, and shell traffic by hooking crypto libraries, without installing a CA certificate.

vibe map

mindmap
  root((ecapture))
    Inputs
      Running processes
      OpenSSL GnuTLS NSS
      Go TLS binaries
    Outputs
      Plaintext text mode
      Pcap pcapng files
      TLS keylog files
    Use Cases
      Debug HTTPS traffic
      Audit shell commands
      Capture SQL queries
    Tech Stack
      eBPF
      Linux
      C
      Go

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

what do people make with this?

VIBE 1

Inspect plaintext HTTPS request bodies from a process that uses OpenSSL or BoringSSL.

VIBE 2

Decrypt a captured pcap in Wireshark by exporting TLS master secrets via the keylog module.

VIBE 3

Audit Bash and Zsh commands run on a Linux server for host security monitoring.

VIBE 4

Capture MySQL or PostgreSQL queries on the wire without instrumenting the application.

what's the stack?

eBPFCGoLinux

how it stacks up fr

gojue/ecapturezephyrproject-rtos/zephyrbol-van/zapret
Stars15,16315,24215,243
LanguageCCC
Setup difficultyhardhardhard
Complexity4/55/54/5
Audienceops devopsdeveloperops devops

Figures from each repo's GitHub metadata at analysis time.

how do i run it?

Difficulty · hard time til it works · 1h+

Linux only with kernel 4.18+ on x86_64, root or specific capabilities required, does not run on Windows or macOS.

Apache 2.0 licensed: use freely in personal and commercial projects, including modified versions, as long as you keep the license notice.

in plain english

eCapture is a command-line tool that intercepts the plain text content of encrypted network traffic on a machine, without needing to install a special certificate authority (CA) certificate the way a typical traffic inspection proxy would. It does this using eBPF, a Linux kernel feature that lets a program hook into running code inside the kernel and inside other processes to observe what they are doing. By hooking into the standard cryptography libraries just before they encrypt outgoing data or just after they decrypt incoming data, eCapture sees the message in its readable form. The README states the supported environments. It works on Linux and Android on x86_64 with kernel 4.18 or newer and on aarch64 with kernel 5.5 or newer. It does not run on Windows or macOS. Running it requires root privileges or specific Linux capabilities, which is unavoidable because eBPF programs are loaded into the kernel. Distribution is either as a downloadable ELF binary from the GitHub releases page or as a Docker image, and a graphical front-end called eCaptureQ exists as a separate project. eCapture is built as a set of eight modules. The tls module covers OpenSSL, LibreSSL, and BoringSSL. The gnutls module targets the GnuTLS library and the nss module targets the NSS and NSPR libraries used by Firefox. The gotls module reads TLS traffic from Go programs, which use Go's own TLS implementation rather than OpenSSL. The bash and zsh modules record commands typed into those shells for host auditing. The mysqld module captures SQL queries sent to MySQL 5.6, 5.7, and 8.0 and MariaDB, and the postgres module does the same for PostgreSQL 10 and newer. The OpenSSL module supports three output modes. text mode prints captured plaintext directly to the console or a file. pcap or pcapng mode writes captured data in the standard packet-capture format that Wireshark can open. keylog mode writes out the TLS master secrets to a log file, which lets Wireshark or tshark decrypt a separately captured pcap of the encrypted traffic. By default eCapture searches the system's loader configuration to find the OpenSSL shared library, but a --libssl flag lets the user point at a specific library or a statically linked program directly. The README warns that the recommended Docker invocation uses --privileged=true, which grants full host access, and points to a separate guide on running with a narrower set of Linux capabilities for production use.

prompts (copy fr)

prompt 1
Walk me through running eCapture in tls text mode on a Linux box to read plaintext HTTPS bodies from a Node.js process.
prompt 2
Export TLS master secrets from a Go binary with the gotls module and decrypt the corresponding pcap in Wireshark.
prompt 3
Run eCapture's mysqld module against MySQL 8 and stream the captured queries to a file.
prompt 4
Run eCapture inside Docker with the narrowest set of Linux capabilities instead of --privileged.
prompt 5
Compare eCapture's eBPF hooking approach to a man-in-the-middle proxy and explain when each is preferable.

Frequently asked questions

what is ecapture fr?

eCapture is a Linux eBPF tool that captures plaintext from TLS, MySQL, Postgres, and shell traffic by hooking crypto libraries, without installing a CA certificate.

What language is ecapture written in?

Mainly C. The stack also includes eBPF, C, Go.

What license does ecapture use?

Apache 2.0 licensed: use freely in personal and commercial projects, including modified versions, as long as you keep the license notice.

How hard is ecapture to set up?

Setup difficulty is rated hard, with roughly 1h+ to a first successful run.

Who is ecapture for?

Mainly ops devops.

peek the repo → explain another one

This repo across BitVibe Labs

double-check against the repo, no cap.