Capture SSL/TLS text content without a CA certificate using eBPF. This tool is compatible with Linux/Android x86_64/aarch64.
Full Changelog: https://github.com/gojue/ecapture/compare/v0.7.7...v0.7.7
Full Changelog: https://github.com/gojue/ecapture/compare/v0.7.6...v0.7.7
Full Changelog: https://github.com/gojue/ecapture/compare/v0.7.5...v0.7.6
`go test` and fix data race warning by @ruitianzhong in https://github.com/gojue/ecapture/pull/499
Full Changelog: https://github.com/gojue/ecapture/compare/v0.7.4...v0.7.5
eCapture supports pcap filter syntax, so you can filter network packets with a pcap filter expression, as with tcpdump.
In the `tls`/`gotls` modules, when the running mode is `pcap`, the filter expression is given as the last argument on the command line, for example:

```shell
ecapture tls -m pcap -i wlan0 -w save.pcapng host 192.168.1.1 and tcp port 443
```
Full Changelog: https://github.com/gojue/ecapture/compare/v0.7.3...v0.7.4
Full Changelog: https://github.com/gojue/ecapture/compare/v0.7.2...v0.7.3
Full Changelog: https://github.com/gojue/ecapture/compare/v0.7.1...v0.7.2
Full Changelog: https://github.com/gojue/ecapture/compare/v0.7.0...v0.7.1
- `nss/gnutls/openssl` into three separate submodules. Corresponding to the `./ecapture nss`, `./ecapture gnutls`, `ecapture tls` commands.
- `keylog` mode, equivalent to the functionality of the `SSLKEYLOGFILE` environment variable. Captures SSL/TLS communication keys directly without the need for changes in the target process.
- `openssl` (aka tls) module using the `-m` parameter, with values `text`, `pcap`, `keylog`.
  - `pcap` mode: Set with `-m pcap` or `-m pcapng` parameters. When using this mode, it is necessary to specify `--pcapfile` and `-i` parameters. The default value for the `--pcapfile` parameter is `ecapture_openssl.pcapng`.
  - `keylog` mode: Set with `-m keylog` or `-m key` parameters. When using this mode, it is necessary to specify `--keylogfile`, defaulting to `ecapture_masterkey.log`.
  - `text` mode: Default mode when `-m` parameter is unspecified. Outputs all plaintext packets in text form. (As of v0.7.0, no longer captures communication keys, please use `keylog` mode instead.)
- `gotls` module, similar to the `openssl` module, without further details.
- `--mapsize` parameter, defaulting to 5120 KB.
- `-w` parameter, use `--pcapfile` parameter instead.
- `log-addr` parameter to `logaddr`, with unchanged functionality.

Thanks to the genius idea from @blaisewang.
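The `keylog` mode described above is stated to be equivalent to `SSLKEYLOGFILE`. As an added example (not code from the eCapture project), this Go program validates such a file before it is handed to a decryptor, assuming the file follows the NSS key log format that `SSLKEYLOGFILE` produces; the function names and sample lines are constructed for illustration.

```go
// Added example: assumes the keylog output follows the NSS key log format.
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// Labels of the NSS key log format: TLS 1.2 master secret plus the TLS 1.3 secrets.
var labels = map[string]bool{"CLIENT_RANDOM": true, "CLIENT_EARLY_TRAFFIC_SECRET": true,
	"CLIENT_HANDSHAKE_TRAFFIC_SECRET": true, "SERVER_HANDSHAKE_TRAFFIC_SECRET": true,
	"CLIENT_TRAFFIC_SECRET_0": true, "SERVER_TRAFFIC_SECRET_0": true,
	"EARLY_EXPORTER_SECRET": true, "EXPORTER_SECRET": true}

// Entry is one validated "<label> <client_random> <secret>" line (hex strings).
type Entry struct{ Label, ClientRandom, Secret string }

// parseLine requires 3 fields, a known label, a 32-byte client_random and, for TLS 1.2, a 48-byte secret.
func parseLine(line string) (Entry, bool) {
	f := strings.Fields(line)
	if len(f) != 3 || !labels[f[0]] {
		return Entry{}, false
	}
	random, errR := hex.DecodeString(f[1])
	secret, errS := hex.DecodeString(f[2])
	ok := errR == nil && errS == nil && len(random) == 32 && len(secret) > 0 &&
		(f[0] != "CLIENT_RANDOM" || len(secret) == 48)
	return Entry{f[0], f[1], f[2]}, ok
}

// ParseKeyLog returns valid entries and the 1-based numbers of malformed lines.
func ParseKeyLog(text string) (entries []Entry, bad []int) {
	for i, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if e, ok := parseLine(line); ok {
			entries = append(entries, e)
		} else if line != "" && !strings.HasPrefix(line, "#") {
			bad = append(bad, i+1) // blank lines and comments are not errors
		}
	}
	return entries, bad
}

func main() { // constructed dummy values, not real secrets
	good := "CLIENT_RANDOM " + strings.Repeat("ab", 32) + " " + strings.Repeat("cd", 48)
	entries, bad := ParseKeyLog(good + "\n" + good[:100] + "\n# comment\n")
	fmt.Println(len(entries), bad)
}
```

Each valid entry is enough to decrypt the matching session in a capture, so the keylog file needs the same access controls as the traffic it unlocks.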
`model` flag to distinguish the captured modes, support keylog captured. by @cfc4n in https://github.com/gojue/ecapture/pull/436
Full Changelog: https://github.com/gojue/ecapture/compare/v0.6.6...v0.7.0
Full Changelog: https://github.com/gojue/ecapture/compare/v0.6.5...v0.6.6
Full Changelog: https://github.com/gojue/ecapture/compare/v0.6.4...v0.6.5