Full Changelog: https://github.com/gojue/ecapture/compare/v0.9.0...v0.9.1
- fix: pcap filter not work as expected by @yuweizzz in gojue#680
- feat support capture zsh command by @SenberHu in gojue#683
- feat: detect CAP_BPF by @Asphaltt in gojue#681
- feat: Enrich addr info with remote addr info by @Asphaltt in gojue#684
- fix ecapture docker images CVE-2024-24790 by @cfc4n in gojue#687
- fix #685, the Processor print "incoming chan is full",and exit. by @cfc4n in gojue#686
- feat: Support for new version detection feature. by @cfc4n in gojue#688
- build(deps): bump golang.org/x/crypto from 0.23.0 to 0.31.0 by @dependabot in gojue#690
- feat: Clean map when destroy socket by @Asphaltt in gojue#691
- @SenberHu made their first contribution in gojue#683
Full Changelog: https://github.com/gojue/ecapture/compare/v0.8.12...v0.9.0
- Fix the version number string cannot be found in the dynamic library of boringssl. by @cfc4n in gojue#679
Full Changelog: https://github.com/gojue/ecapture/compare/v0.8.11...v0.8.12
- fix(user/module): read version from libcrypto.so by @xxxxxliil in gojue#661
- fix MariaDB typo in README.md by @robertsilen in gojue#672
- Add a reminder for failure when hooking libnss3.so. by @cfc4n in gojue#677
- @robertsilen made their first contribution in gojue#672
Full Changelog: https://github.com/gojue/ecapture/compare/v0.8.10...v0.8.11
- feat(user/module): add ossl version 3.4.0 support by @xxxxxliil in gojue#660
- docs: fix jp translation by @ame-yu in gojue#663
- feat: support keylog and pcap mode in gnutls by @yuweizzz in gojue#654
- Fix the parameter error issue of the uprobe type hook. by @cfc4n in gojue#665
- chore: remove unused flags
BuildRequiresin rpmBuild.spec by @cfc4n in gojue#666 - builder: fix init script fails to run on ubuntu 24.04 system #667 by @cfc4n in gojue#668
- @ame-yu made their first contribution in gojue#663
Full Changelog: https://github.com/gojue/ecapture/compare/v0.8.9...v0.8.10
- typo: 3中 --> 3种 by @CC11001100 in gojue#641
- fix: SSLDataEvent's fd is 0 Error by @yuweizzz in gojue#642
- fix: couldn't find bpf bytecode file error by @yuweizzz in gojue#650
- @CC11001100 made their first contribution in gojue#641
Full Changelog: https://github.com/gojue/ecapture/compare/v0.8.8...v0.8.9
- Fix the bug that the arm64 version cannot work (#649) by @cfc4n in gojue#648
- builder: docerk build error: header not found by @cfc4n in gojue#648
Full Changelog: https://github.com/gojue/ecapture/compare/v0.8.7...v0.8.8
- feat: remove tcp packet limitation by @yuweizzz in gojue#619
- kern: support openssl 3.3.2/3.2.3/3.1.7/3.0.15 by @cfc4n in gojue#624
- workflows: update linux source tgz file version. by @cfc4n in gojue#644
- fix the issue with retrieving the return value of the Read function in the Golang TLS module. by @cfc4n in gojue#646
Full Changelog: https://github.com/gojue/ecapture/compare/v0.8.6...v0.8.7
- GitHub action codecov by @cfc4n in gojue#594
- fix: fix undeclared identifier error when make in debug mode by @yuweizzz in gojue#593
- user: adjusted the timing of the display of the kernel version is too low by @cfc4n in gojue#607
- kern: support uid/pid filter in ebpf TC hook. by @cfc4n in gojue#606
- fix: fallback to default version with warn by @xxxxxliil in gojue#613
- chore: Use
-tags 'netgo'in bulding process to avoid SIGSEGV because of the different version of glibc in dfferent Linux distros by @Zheaoli in gojue#616
- @xxxxxliil made their first contribution in gojue#613
- @Zheaoli made their first contribution in gojue#616
Full Changelog: https://github.com/gojue/ecapture/compare/v0.8.5...v0.8.6
- feat: parse http2 data in text mode by @yuweizzz in gojue#580
- pkg: add http2 request/response unit test. by @cfc4n in gojue#583
- feat: allow capture ipv6 packet by @yuweizzz in gojue#586
- workflows: remove Qodana CI workflow. by @cfc4n in gojue#589
- Constant parameter notice by @cfc4n in gojue#591
- user: split loggers, which are divided into loggers and event collectors by @cfc4n in gojue#592
Full Changelog: https://github.com/gojue/ecapture/compare/v0.8.4...v0.8.5
- add possible linux kernel config path by @w568w in gojue#561
- workflows: add Qodana by @cfc4n in gojue#563
- fix create output.log failed. by @cfc4n in gojue#566
- pkg: fix send on closed channel by @cfc4n in gojue#567
- fix: DumpResponse error in HEAD request by @yuweizzz in gojue#572
- fix: truncated body dump error by @yuweizzz in gojue#573
- kern: support openssl 3.3.* by @cfc4n in gojue#575
- kern: Adjust the timing of key acquisition to distinguish between TLS by @cfc4n in gojue#576
- @w568w made their first contribution in gojue#561
- @yuweizzz made their first contribution in gojue#572
Full Changelog: https://github.com/gojue/ecapture/compare/v0.8.3...v0.8.4
- user: fix #553,
hashLenis not allowed to be more than 64 bytes by @cfc4n in gojue#554 - cli: update docker usage by @cfc4n in gojue#556
- kern: Support for the non-Android boringssl library has been added. by @cfc4n in gojue#555
- user: format clientRandom string in gotls module by @cfc4n in gojue#557
- cli: support logger level by @cfc4n in gojue#558
- use kprobe/__sys_connect inseated uprobe/connect. by @cfc4n in gojue#559
Full Changelog: https://github.com/gojue/ecapture/compare/v0.8.2...v0.8.3
- android version compilation has failed. by @cfc4n in gojue#548
Full Changelog: https://github.com/gojue/ecapture/compare/v0.8.1...v0.8.2
- makefile: Optimized the generation mechanism of kernel header files by @cfc4n in gojue#536
- add dockerfile by @sancppp in gojue#537
- cli: Use a formatted logger rs/zerolog by @cfc4n in gojue#539
- utils: supported openssl 1.1.1w, 3.0.13, 3.1.5, 3.2.1 by @cfc4n in gojue#540
- BPF name should be appended after _core/_noncore by @darren in gojue#545
- user: fixed #542, masterkey being written to pcapng multiple times. by @cfc4n in gojue#546
- user: prepare for service-oriented architecture. by @cfc4n in gojue#541
- @darren made their first contribution in gojue#545
Full Changelog: https://github.com/gojue/ecapture/compare/v0.8.0...v0.8.1
- for User: No need to distinguish between CO-RE and non-CO-RE versions, automatically identified by eCapture.
- 无需区分CO-RE和non-CO-RE版本,由eCapture自动识别。
- for Developer: Supports cross-compilation for both amd64 and arm64 CPU architectures, building CO-RE and non-CO-RE versions respectively.
- 支持在amd64\arm64两个CPU架构下的交叉编译,分别构建CO-RE和non-CO-RE版本
- chore: rename ecapture module name. by @cfc4n in gojue#530
- Fix keylog mode not working correctly on certain OpenSSL versions by @AmazingPP in gojue#534
- feat: support CORE and non-CORE mode in one by @cfc4n in gojue#532
- workflows: change steps.get_tags.outputs.VERSION to github.ref_name by @sancppp in gojue#535
- @AmazingPP made their first contribution in gojue#534
Full Changelog: https://github.com/gojue/ecapture/compare/v0.7.7...v0.8.0
- [Fix] get textStart from pclnTable by @wlingze in gojue#516
- fix: amd64, offset read error issue for PIE executable. PR #516 by @cfc4n in gojue#517
- makefile: used CC=$(CROSS_COMPILE)gcc for CGO compile. by @cfc4n in gojue#519
- user: return error when detect openssl version failed. by @cfc4n in gojue#521
- user : fixed the invalid address reference of the SSL_in_before symbol OpenSSL 1.0.2k. by @cfc4n in gojue#520
- feat: support cross-compilation for workflows. by @cfc4n in gojue#523
- readme: improve English README.md translation and add TOCs by @zhoukuncheng in gojue#525
- build(deps): bump golang.org/x/net from 0.17.0 to 0.23.0 by @dependabot in gojue#528
- @wlingze made their first contribution in gojue#516
- @zhoukuncheng made their first contribution in gojue#525
Full Changelog: https://github.com/gojue/ecapture/compare/v0.7.6...v0.7.7
- fix #500 to avoid potential hang and event loss by @ruitianzhong in gojue#501
- fix issue#504 by @sancppp in gojue#506
- tentative fix to address bash problem #490 by @ruitianzhong in gojue#510
- Fix cant found RET offset in gotls mode. fix #502. by @cfc4n in gojue#512
Full Changelog: https://github.com/gojue/ecapture/compare/v0.7.5...v0.7.6
- Improve makefile by @cfc4n in gojue#488
- Fix: init GoTLSProbe.tcPacketsChan #492 by @ruitianzhong in gojue#493
- fix: avoid printing confusing message when input contains special character by @ruitianzhong in gojue#495
- correctly update ContentLength for uncompressed response body by @ruitianzhong in gojue#498
- add -race flags for
go testand fix data race warning by @ruitianzhong in gojue#499 - openssl: encode the value of fd (ssl->wbio->num) to gen uuid, rather than an unexpected random number by @wuyexkx in gojue#494
- @ruitianzhong made their first contribution in gojue#493
- @wuyexkx made their first contribution in gojue#494
Full Changelog: https://github.com/gojue/ecapture/compare/v0.7.4...v0.7.5
eCapture supports [Pcap Filter Syntax] (https://www.tcpdump.org/manpages/pcap-filter.7.html), and you can use the pcap filter expression to filter network packets like tcpdump.
In the tls\gotls module, when the running mode is 'pcap', the pcap filter expression is supported, which can be set in the last parameter of the command line, for example:
eCapture支持Pcap Filter Syntax,你可以像tcpdump一样使用pcap filter表达式来过滤网络包。
在tls\gotls模块中,当运行模式为pcap时,支持pcap filter表达式,在命令行最后的参数中设定,例如:
ecapture tls -m pcap -i wlan0 -w save.pcapng host 192.168.1.1 and tcp port 443
- Update probe_bash.go by @sancppp in gojue#479
- docs: Optimized the error message in the gotls module.(fix: #482) by @cfc4n in gojue#484
- feat: Support pcap-filter expression for pcap mode by @Asphaltt in gojue#478
- chore: Pcap filter tidy,support ubuntu arm64 to make libpcap by @cfc4n in gojue#487
- @sancppp made their first contribution in gojue#479
- @Asphaltt made their first contribution in gojue#478
Full Changelog: https://github.com/gojue/ecapture/compare/v0.7.3...v0.7.4
- makefile: Optimize the feature list for the Android version by @cfc4n in gojue#457
- user: support event processor by @cfc4n in gojue#462
- chore: remove refs to deprecated io/ioutil by @testwill in gojue#465
- user: fix concurrent map read and map write #467 by @cfc4n in gojue#468
- utils: support openssl 3.1.0-3.1.4 and 3.0.9-3.0.12 by @cfc4n in gojue#469
- user: imporve dynamic link library path loading logic on aarch64 ubuntu by @cfc4n in gojue#470
- user: imporve #463, impact on the performance of the tested program by @cfc4n in gojue#471
- kern: support openssl 3.2.x , change ssl_st to ssl_connection_st by @cfc4n in gojue#472
- @testwill made their first contribution in gojue#465
Full Changelog: https://github.com/gojue/ecapture/compare/v0.7.2...v0.7.3
- user: improve pcapng writer, flush every 2s. by @cfc4n in gojue#455
- builder: add debian package build script. by @cfc4n in gojue#456
Full Changelog: https://github.com/gojue/ecapture/compare/v0.7.1...v0.7.2
- cli: reduce mapsize to 1024 * PAGESIZE. by @cfc4n in gojue#440
- Add optimization in openssl detection logic to consume less memory by @h0x0er in gojue#438
- cli: fix nss module panic by @mannkafai in gojue#444
- build(deps): bump golang.org/x/crypto from 0.14.0 to 0.17.0 by @dependabot in gojue#448
- pkg: support android on docker(redroid). by @cfc4n in gojue#453
- @mannkafai made their first contribution in gojue#444
Full Changelog: https://github.com/gojue/ecapture/compare/v0.7.0...v0.7.1
- Split
nss/gnutls/opensslinto three separate submodules. Corresponding to the./ecapture nss,./ecapture gnutls,ecapture tlscommands. - Support
keylogmode, equivalent to the functionality of theSSLKEYLOGFILEenvironment variable. Captures SSL/TLS communication keys directly without the need for changes in the target process. - Refactor the mode parameters supported by the
openssl(aka tls) module using the-mparameter, with valuestext,pcap,keylog.pcapmode: Set with-m pcapor-m pcapngparameters. When using this mode, it is necessary to specify--pcapfileand-iparameters. The default value for the--pcapfileparameter isecapture_openssl.pcapng.keylogmode: Set with-m keylogor-m keyparameters. When using this mode, it is necessary to specify--keylogfile, defaulting toecapture_masterkey.log.textmode: Default mode when-mparameter is unspecified. Outputs all plaintext packets in text form. (As of v0.7.0, no longer captures communication keys, please usekeylogmode instead.)
- Refactor the mode parameters supported by the
gotlsmodule, similar to theopensslmodule, without further details. - Optimize the memory size of eBPF Map, specify with the
--mapsizeparameter, defaulting to 5120 KB. - Remove the
-wparameter, use--pcapfileparameter instead. - Change
log-addrparameter tologaddr, with unchanged functionality.
Thanks to the genius idea from @blaisewang.
- 将nss/gnutls/openssl拆分为独立的三个子模块。分别对应
./ecapture nss、./ecapture gnutls、ecapture tls三个子命令。 - 支持
keylog模式,等同于SSLKEYLOGFILE环境变量的功能,无需目标进程改动,直接捕获SSL/TLS通信密钥。 - 重构
openssl(aka tls)模块支持的模式参数,使用-m参数指定,分别为text,pcap,keylog三个值。pcap模式:-m pcap或-m pcapng参数来设定。当使用本模式时,必需指定--pcapfile、-i这两个参数才能使用。 其中--pcapfile参数的默认值为ecapture_openssl.pcapng。keylog模式:-m keylog或-m key参数来设定。当使用本模式时,必需指定--keylogfile,默认为ecapture_masterkey.log。text模式:-m参数不指定时,默认为本模式。将以文本形式输出所有的明文数据包。(自v0.7.0起,不再捕获通讯密钥,请使用keylog模式代替)
- 重构
gotls模块支持的模式参数,与openssl模块一样,不再赘述。 - 优化eBPF Map的内存大小,使用
--mapsize参数指定,默认为5120 KB。 - 移除
-w参数,请使用--pcapfile参数代替。 - 更改
log-addr参数为logaddr,功能含义不变。
感谢 @blaisewang 的天才思路。
Using eCapture to capture communication keys in real-time and combining it with tshark for real-time decryption enables the real-time plaintext output of encrypted traffic. The steps are as follows:
使用eCapture实时捕获通信密钥,并结合tshark实时解密,可以做到实时的加密流量明文输出。步骤如下:
Start the keylog mode of eCapture first.
先启动eCapture的keylog模式
ecapture tls -m keylog --keylogfile=ecapture_masterkey.logStart the tshark tool by specifying tls.keylog_file as the captured key file by eCapture, named ecapture_masterkey.
再启动tshark工具,指定tls.keylog_file为eCapture捕获的密钥文件ecapture_masterkey
http 1.x
tshark -o tls.keylog_file:ecapture_masterkey.log -Y http -T fields -e http.file_data -f "port 443" -i eth0http 2.0
tshark -o tls.keylog_file:ecapture_masterkey.log -Y http2 -T fields -e http2.data.data -f "port 443" -i eth0Afterward, any software that uses the eCapture HOOK with OpenSSL libraries can achieve real-time decryption and display of all encrypted communication traffic without requiring any modifications to these software applications.
之后,其他使用eCapture HOOK的openssl类库的软件,所有加密通讯的流量,都可以实现实时解密并展示了,无需这些软件做任何改动。
See issue #432 for more detail.
- ignore connect symbol cant found. by @cfc4n in gojue#431
- Add support for stripped go binaries by @h0x0er in gojue#426
- splitting gnutls/nss module from tls module lists. by @cfc4n in gojue#434
- user: custom mapSize flag. improve memory usage #433 . by @cfc4n in gojue#435
- add the
modelflag to distinguish the captured modes, support keylog captured. by @cfc4n in gojue#436
Full Changelog: https://github.com/gojue/ecapture/compare/v0.6.6...v0.7.0
- add ubunutu23.04 aarch64 clang-15 into init_env.sh by @BiteFoo in gojue#413
- Decode kernel time to user time by @h0x0er in gojue#418
- Fix : openssl event output invalid with hex mode by @cfc4n in gojue#421
- user : Set the connect hook as an optional parameter. by @cfc4n in gojue#423
- @BiteFoo made their first contribution in gojue#413
- @h0x0er made their first contribution in gojue#418
Full Changelog: https://github.com/gojue/ecapture/compare/v0.6.5...v0.6.6
- supports all ports when target_port is set to 0. by @cfc4n in gojue#409
- support for the boringssl library on Android 12\13\14. by @cfc4n in gojue#410
- update golang version to 1.21 from 1.18 by @cfc4n in gojue#412
- 支持所有端口的网络数据捕获(target_port为0时) by @cfc4n in gojue#409
- 在Android 12\13\14上,支持borlingssl类库的明文捕获 by @cfc4n in gojue#410
- 更新Golang类库到1.21,cilium/ebpf类库到0.12.3 by @cfc4n in gojue#412
Full Changelog: https://github.com/gojue/ecapture/compare/v0.6.4...v0.6.5
- bugfix: Hook the ssl_set_fd function to get FD. by @cfc4n in gojue#399
- build(deps): bump golang.org/x/net from 0.7.0 to 0.17.0 by @dependabot in gojue#402
- refactor : Shared Object (so) path load logic by @cfc4n in gojue#401
- improve: add missing eBPF maps parameters. by @cfc4n in gojue#405
Full Changelog: https://github.com/gojue/ecapture/compare/v0.6.3...v0.6.4
- fix : out of silice range. by @cfc4n in gojue#398
Full Changelog: https://github.com/gojue/ecapture/compare/v0.6.2...v0.6.3
- openssl module: add some prompts when the kernel is less than 5.2 by @cfc4n in gojue#387
- refactor: removal of deprecated flag support. by @cfc4n in gojue#388
- Revert ip address by @cfc4n in gojue#391
- fix : OpenSSL's file descriptor is always 0 by @cfc4n in gojue#393
Full Changelog: https://github.com/gojue/ecapture/compare/v0.6.1...v0.6.2
- fix #378 , error: use of undeclared identifier 'KBUILD_MODNAME' by @cfc4n in gojue#379
- feat:add openssl 1.1.1u and 3.0.9 by @cfc4n in gojue#380
Full Changelog: https://github.com/gojue/ecapture/compare/v0.6.0...v0.6.1
Associating process information with network packets. usage: cp utils/ecapture.lua ~/.wireshark/plugins .
- code refactoring by @cfc4n in gojue#371
- Tls response unexpected eof by @cfc4n in gojue#372
- modify func isCOntainerCgroup to isContainerCgroup, and where referenced by @chusyclub in gojue#374
- feat: Associate corresponding process information with each network packet. by @cfc4n in gojue#376
Full Changelog: https://github.com/gojue/ecapture/compare/v0.5.3...v0.6.0
- user: fixes slice out of range by @cfc4n in gojue#366
Full Changelog: https://github.com/gojue/ecapture/compare/v0.5.2...v0.5.3
- add CircleLinux rpm and mannul build support by @bella485 in gojue#345
- gomod: update github.com/mdlayher/netlink to v1.7.1 by @cfc4n in gojue#348
- use makefile to build rpm by @xjas in gojue#344
- fix : DumpResponse error: unexpected EOF by @cfc4n in gojue#349
- bugfix: Error unknown flag gobin (fixes #354 ) by @cfc4n in gojue#355
- GitHub actions deprecating by @cfc4n in gojue#356
- kern : support gotls request and response by @cfc4n in gojue#357
- user: fixes the network card ID cannot be found when writing to a pcapng file. (#347) by @cfc4n in gojue#358
Full Changelog: https://github.com/gojue/ecapture/compare/v0.5.1...v0.5.2
- user: add ifname's default value of gotls module. by @cfc4n in gojue#332
- kern: fix wrong uid by @lazybetrayer in gojue#334
- support rpm build by @xjas in gojue#341
- pkg : add proc(go version) unit testing by @cfc4n in gojue#342
Full Changelog: https://github.com/gojue/ecapture/compare/v0.5.0...v0.5.1
- fix: typo in the section name by @spacewander in gojue#311
- user : increase buffer size of ebpf map. (improve #291 , #314) by @cfc4n in gojue#315
- build(deps): bump golang.org/x/net from 0.0.0-20211112202133-69e39bad7dc2 to 0.7.0 by @dependabot in gojue#320
- refactor : rename Golang TLS module name to gotls from gossl . by @cfc4n in gojue#319
- refactor: Use camel case instead of snake case. by @cfc4n in gojue#321
- kern: fix typo in bpf_tracing.h by @eltociear in gojue#323
- Add JA readme by @eltociear in gojue#324
- Gotls crash : incorrect variable used. (fixes:#322) by @cfc4n in gojue#325
- kern: refactor golang ABI by register and stack. by @cfc4n in gojue#326
- feat: add Gotls master secrets module. by @cfc4n in gojue#329
Full Changelog: https://github.com/gojue/ecapture/compare/v0.4.12...v0.5.0
- pkg: get GoVersion by
buildinfopackage from ELF (by golang compiled) (#262) by @cfc4n in gojue#295 - docs: fixes supported kernel version on arm64(aarch64). (#296) by @cfc4n in gojue#298
- user: fixes slice bounds out of range bug (#297) by @cfc4n in gojue#299
- kern: fixes constant value of type uint64. (#301) by @cfc4n in gojue#302
- package: update gojue/ebpfmanager to v0.4.1 by @cfc4n in gojue#305
- docs: update README.md by @onism68 in gojue#306
Full Changelog: https://github.com/gojue/ecapture/compare/v0.4.11...v0.4.12
- builder: fix typos (#285) by @cfc4n in gojue#286
- Tls 13 masterkey is taken wrong (fixes #283) by @cfc4n in gojue#284
- fix(gossl): invalid memory address or nil pointer by @luckymrwang in gojue#288
Full Changelog: https://github.com/gojue/ecapture/compare/v0.4.10...v0.4.11
- builder: add curl shell to install develop environment. by @cfc4n in gojue#272
- docs : update minimal kernel version as 4.18 (#274) by @cfc4n in gojue#275
- kern: capture https plaintext failed with boringssl TLS 1.3 on android #271 by @cfc4n in gojue#279
Full Changelog: https://github.com/gojue/ecapture/compare/v0.4.9...v0.4.10
- constant value has to be of type uint64 (#261) by @cfc4n in gojue#264
- builder: rename android non-core archive file name by @cfc4n in gojue#266
- chore(openssl/boringssl): remove redundant calculation by @blaisewang in gojue#267
- makefile : support make parallel (#265) by @cfc4n in gojue#268
- disable gnutls/nss modules on Android. by @cfc4n in gojue#269
Full Changelog: https://github.com/gojue/ecapture/compare/v0.4.8...v0.4.9
- Changed license to Apache License 2.0 from AGPL 3.0.
- Supported versions of openssl are 1.1.0* , 1.0.2* .
- Supported minimum version of Clang is 9.0.
- Added GitHub release action of Android X86_64 binaries(default: non-CORE version).
- user : Tolower openssl version strings. by @cfc4n in gojue#250
- cli : remove other modules on android. by @cfc4n in gojue#251
- utils: add eCapture lua script for wireshark plugin. by @cfc4n in gojue#248
- feat: updated new openssl version by @cfc4n in gojue#255
- feat : support openssl 1.1.0* and 1.0.2* by @cfc4n in gojue#257
- fix: Build failed on clang10 (#256) by @cfc4n in gojue#258
- docs : Change license to Apache License 2.0 by @cfc4n in gojue#259
- workflows : release Android x86_64 use nocore model. by @cfc4n in gojue#260
Full Changelog: https://github.com/gojue/ecapture/compare/v0.4.7...v0.4.8
add --ssl_version flag to set the SSL libraries version
supported ssl libraries version lists:
- openssl 1.1.1* , (1.1.1a - 1.1.1r)
- openssl 3.0.* , (3.0.0 - 3.0.6)
- boringssl 1.1.1
ecapture tls
ecapture tls --hex --pid=3423
ecapture tls -l save.log --pid=3423
ecapture tls --libssl=/lib/x86_64-linux-gnu/libssl.so.1.1
ecapture tls -w save_3_0_5.pcapng --ssl_version="openssl 3.0.5" --libssl=/lib/x86_64-linux-gnu/libssl.so.3
ecapture tls -w save_android.pcapng -i wlan0 --libssl=/apex/com.android.conscrypt/lib64/libssl.so --ssl_version="boringssl 1.1.1" --port 443- feat : support openssl 3.0 @cfc4n in gojue#244
- feat: automate openssl offset header file generation @blaisewang in gojue#241
- user/module : compatiable Linux kernel less or more than 5.2 @cfc4n in gojue#238
- kern: capture master secrets for tls 1.3 @cfc4n in gojue#232
- feat: add support TLSv1.3 decryption by @blaisewang in gojue#209
- user/module : hex model output. by @cfc4n in gojue#220
- user/module : use const for SSL masterKey function hook. by @cfc4n in gojue#217
- kern: rodata map not supported on kernel 4.19 or older by @cfc4n in gojue#223
- kern: http2 response packet decode failed. by @cfc4n in gojue#225
- fix: use cipher id to derive secret by @blaisewang in gojue#192
- kern: get ssl_session in the
*SSL_get_session()order . by @cfc4n in gojue#193
- refactor user package. by @cfc4n in gojue#183
- pkg/event_processor: DefaultParser init(). by @cfc4n in gojue#186
- Fix: correct ssl_st member offsets by @blaisewang in gojue#184
- Boringssl decrypt failed by @cfc4n in gojue#188
- kern : define variable target_port always. by @cfc4n in gojue#157
- workflows : build nocore version for Android default. by @cfc4n in gojue#159
- pkg : Ifname default value. by @cfc4n in gojue#161
- user : skip loopback network interface by @cfc4n in gojue#163
- user : tls models exit gracefully. by @cfc4n in gojue#165
- git: ignore .check* files by @blaisewang in gojue#168
- pkg : fix config file parse failed, when as gzip format. by @cfc4n in gojue#169
- fix gzip read err by @4ft35t in gojue#175
- pkg/util/ebpf : add unit testing for kernel CONFIG reader by @cfc4n in gojue#176
- user : fix incorrect TimeStamp by @cfc4n in gojue#179
- cli/cmd : print version info by @cfc4n in gojue#177
- kern : support boringssl offset for Android 12. by @cfc4n in gojue#181
Support : capture plaintext packet as pcapng files for openssl TLS encryption.
Note:
Support
Wiresharkto open directly. Do not need to setting upMaster Secretsfiles.Capture
raw packetby Traffic Control eBPF filter. AddedMaster Secretsinformation into pcapng withDecryption Secrets Block(DSB).
Warning
change
loggerFileflag as-lfrom-w, because-wis reserved forWireshark, and keep same as-wfortcpdump. useecapture -hfor help. changemaster secretsfilename fromecapture_masterkey_[pid].logtoecapture_masterkey.log.
- new feature: capture TLS 1.3 master secret by @cfc4n in gojue#143
- user : echo String() or StringHex() by CLI argument. by @cfc4n in gojue#149
- cli/cmd : clean up all probe while process exit. (#150) by @cfc4n in gojue#151
- save as Pcapng files #145 by @cfc4n in gojue#148
- user : Support writing pcapng files with Decryption Secrets Block (DSB). by @cfc4n in gojue#153
Capture TLS master_key ,save to file. Support openssl 1.1.1.X . TLS 1.2 .
Quick Guide:
- use
ecaptureto capture TLS master_key, will save master secret toecapture_masterkey_[pid].log. - use
tcpdumpto capture and save packets toxxx.pcapngfile. - open
xxx.pcapngfile withwireshark. - Setting :
Wireshark-->Preferences-->Protocols-->TLS-->(Pre)-Master-Secret log filename, selectecapture_masterkey_[pid].log. - Using : right click packet item, select
follow->HTTP Stream/HTTP/2 Stream
- all : refactor event_processor EventType. by @cfc4n in gojue#134
- fixed #138 : You have an error in your yaml syntax on line 79 by @cfc4n in gojue#139
- New feature: capture openssl masterkey #27 by @cfc4n in gojue#140
Full Changelog: https://github.com/gojue/ecapture/compare/v0.2.2...v0.3.0
- workflows: build failed on aarch 64 ubuntu : 'linux/kconfig.h' file not found #125 by @cfc4n in gojue#126
- Makefile: shell running,with a unexcepted result: lost DKERNEL_LESS_5_2 on kernel 4.15 #129 by @cfc4n in gojue#132
- ebpf: remove detection of BPF config when running at container #127 by @cfc4n in gojue#128
Full Changelog: https://github.com/gojue/ecapture/compare/v0.2.1...v0.2.2
- pkg : fix Kernel config read failed, error:Config not found #117 by @cfc4n in gojue#123
- user : Clean up unnecessary information. fix #122 by @cfc4n in gojue#124
Full Changelog: https://github.com/gojue/ecapture/compare/v0.2.0...v0.2.1
- Directly search so in search path when /usr/bin/curl is not exist by @tiann in gojue#97
- Add GitHub Action :Golangci lint by @cfc4n in gojue#99
- Add Chinese name 旁观者. by @cfc4n in gojue#103
- build: change tar.gz file path in checksum.txt by @cfc4n in gojue#104
- Support Golang HTTPS introspection by @chenhengqi in gojue#100
- New Feature: support Android without GKI (kernel version > 4.18) by @cfc4n in gojue#107
- fixed :#108 tls module cannot to capture payload on Aarch64 kernel 4.18 by @huzai9527 in gojue#109
- fixed #108: ip address lost on aarch64 kernel 4.18 by @cfc4n in gojue#111
- New feature: add payload parser. by @cfc4n in gojue#113
- document: message friendly by @cfc4n in gojue#119
- @tiann made their first contribution in gojue#97
- @chenhengqi made their first contribution in gojue#100
Full Changelog: https://github.com/gojue/ecapture/compare/v0.1.10...v0.2.0
- user : fixed bug. #76 libpthread.so not found. by @cfc4n in gojue#77
- Support for ARM64 architecture by @cfc4n in gojue#75
- fixed: outputing blank text on linux 4.18 #81 by @cfc4n in gojue#82
- New feature: update ebpfmanager package to 0.3.0 by @cfc4n in gojue#83
- New feature: #80 event filter by uid by @cfc4n in gojue#84
- New feature: #85 event filter by uid for module tls by @cfc4n in gojue#86
- New feature: #87 support Android GKI by @cfc4n in gojue#88
- fixed: #92 github checkout error while a PR sent. by @cfc4n in gojue#93
- New Feature: #79 Auto release for android gki by @cfc4n in gojue#94
Full Changelog: https://github.com/gojue/ecapture/compare/v0.1.9...v0.1.10
-
code refactoring: event dispatcher
- PR: #58
-
add notes for how to use ecapture in other libs
- PR: #60
-
- : add TLS/SSL Version info (openssl).
- PR: #62
- Add nosearch argument to skip auto search lib path
- PR: #70
- code refactoring: event dispatcher by @cfc4n in gojue#58
- add notes for how to use ecapture in other libs by @xjas in gojue#60
- add TLS/SSL Version info (openssl). by @cfc4n in gojue#62
- Update README.md by @nfsec in gojue#63
- fix some typos by @cuishuang in gojue#68
- Add nosearch argument to skip auto search lib path by @vincentmli in gojue#70
- @xjas made their first contribution in gojue#60
- @nfsec made their first contribution in gojue#63
- @cuishuang made their first contribution in gojue#68
- @vincentmli made their first contribution in gojue#70
Full Changelog: https://github.com/gojue/ecapture/compare/v0.1.8...v0.1.9
- ADD mysqld dispatch_command return value. by @cfc4n in gojue#44
- autogen vmlinux header file to compatible current OS by @cfc4n in gojue#50
- feat: support postgres query hook by @yihong0618 in gojue#51
- added return value of bash module. by @huzai9527 in gojue#52
- change bash line size to 256 bytes by @yindex in gojue#55
- add errnumber flag for command bash by @huzai9527 in gojue#56
- @huzai9527 made their first contribution in gojue#52
- @yindex made their first contribution in gojue#55
Full Changelog: https://github.com/gojue/ecapture/compare/v0.1.7...v0.1.8
- user: fix #29 ubuntu21.10 error :connect symbol cant found by @cfc4n in gojue#30
- support no co-re version on linux kernel >= 5.2 by @cfc4n in gojue#32
- merge two Makefile files. by @cfc4n in gojue#33
- images : fix #34 Inaccurate/Confusing Diagrams by @cfc4n in gojue#36
- Fix #37 Shared object dependence by @cfc4n in gojue#38
- README grammar fix by @chriskaliX in gojue#35
- Fix #39 .rodata: map create: read- and write-only maps not supported (requires >= v5.2) by @cfc4n in gojue#40
- set clang version lower to 9 from 12 by @cfc4n in gojue#41
- @cfc4n made their first contribution in gojue#30
Full Changelog: https://github.com/gojue/ecapture/compare/v0.1.6...v0.1.7
- 更新mysqld数据库审计模块
- 更新tls网络捕获模块
- 支持mysql5.7/8.0, MariadDB 10.5+的Mysqld数据库的查询审计。
- 自动识别mysqld版本 。
- 自动查找hook的sql 查询函数。
- 支持openssl的IP地址关联
- 支持网络IP地址的存储、关联到网络数据中。
- 支持自定义libpthread.so路径指定(定位connect函数)。
- 增加mysqld数据库审计模块
- 支持mysql5.6的mariaDB数据库的查询审计
- 默认path目录为/usr/sbin/mariadb 。
- 支持function name、offset两个参数自定义。
- 调整运行环境检测方式
- 判断BTF支持的方法,改为优先判断
/sys/kernel/btf/vmlinux文件,以及其他BTF特征的vmlinux-*目录等 。 - 增加运行原理图。
- 判断BTF支持的方法,改为优先判断
- 支持gnutls 、 nspr 两个类库的数据捕获
- 重命名子命令,由
openssl改为tls
- 增加运行环境检测
- 检测linux kernel必须大于4.18 。
- 检测kernel config中CONFIG_DEBUG_INFO_BTF必须有,且值为y。
- 去除编译生成的文件(./bin/、./assets/、./user/bytecode/)
- 整理go mod依赖文件
- 模块拆分,启用子命令模式
- 增加全局可选PID参数,针对特定PID进行数据捕获
- 增加hexdump打印模式
- 支持自定义openssl的so路径。
- 支持hex进制的数据输出
- 支持自定义bash路径参数
- 支持自定义readline.so路径参数
- 支持hex进制的数据输出
- 增加openssl的libssl.so的SSL/TLS数据抓包功能。
- 根据wget路径,自动选择libssl.so路径。
- 自动根据ENV查找bash
- 根据bash自动查找
readline.so,并进行bash命令捕获