feat: Add ecapture binary #169

Open: wants to merge 2 commits into base: master
3 changes: 3 additions & 0 deletions Dockerfile
@@ -87,6 +87,9 @@ COPY --from=fetcher /tmp/grpcurl /usr/local/bin/grpcurl
# Installing fortio
COPY --from=fetcher /tmp/fortio /usr/local/bin/fortio

# Installing ecapture
COPY --from=fetcher /tmp/ecapture /usr/local/bin/ecapture

# Setting User and Home
USER root
WORKDIR /root
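Review bot: the `COPY` line is consistent with the grpcurl and fortio lines above it, but this binary has a runtime requirement the other tools do not, and nothing in the Dockerfile says so. The README hunk in this PR states it needs `--privileged` and a 4.18+ (x86_64) / 5.5+ (aarch64) kernel; without those capabilities it cannot load its eBPF programs at all. A one-line comment after `# Installing ecapture` noting that requirement would save Dockerfile readers a trip to the README and makes it clear the tool is expected to fail in an ordinary unprivileged netshoot container.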
81 changes: 81 additions & 0 deletions README.md
@@ -162,6 +162,7 @@ To troubleshoot these issues, `netshoot` includes a set of powerful tools as rec
curl \
dhcping \
drill \
ecapture \
ethtool \
file\
fping \
@@ -753,6 +754,86 @@ All done 40 calls (plus 4 warmup) 60.588 ms avg, 7.9 qps

More info, examples and lots of documentation on `Fortio` [here](https://github.com/fortio/fortio)

## Ecapture

Capture SSL/TLS text content without a CA certificate using eBPF.
> [!WARNING]
> Supports Linux/Android kernel versions x86_64 4.18 and above, aarch64 5.5 and above.
> Need `--privileged` mode to run

```bash
$ ecapture tls -m text -i eth0 &
2024-09-16T13:07:00Z INF AppName="eCapture(旁观者)"
2024-09-16T13:07:00Z INF HomePage=https://ecapture.cc
2024-09-16T13:07:00Z INF Repository=https://github.com/gojue/ecapture
2024-09-16T13:07:00Z INF Author="CFC4N <[email protected]>"
2024-09-16T13:07:00Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-09-16T13:07:00Z INF Version=linux_amd64:v0.8.6:6.5.0-1025-azure
2024-09-16T13:07:00Z INF Listen=localhost:28256
2024-09-16T13:07:00Z INF eCapture running logs logger=
2024-09-16T13:07:00Z INF the file handler that receives the captured event eventCollector=
2024-09-16T13:07:00Z INF listen=localhost:28256
2024-09-16T13:07:00Z INF https server starting...You can update the configuration file via the HTTP interface.
2024-09-16T13:07:00Z WRN ========== module starting. ==========
2024-09-16T13:07:00Z INF Kernel Info=5.10.209 Pid=111
2024-09-16T13:07:00Z WRN Your environment is like a container. We won't be able to detect the BTF configuration.
If eCapture fails to run, try specifying the BTF mode. use `-b 2` to specify non-CORE mode.
2024-09-16T13:07:00Z INF BTF bytecode mode: CORE. btfMode=0
2024-09-16T13:07:00Z INF master key keylogger has been set. eBPFProgramType=Text keylogger=
2024-09-16T13:07:00Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-09-16T13:07:00Z INF Module.Run()
2024-09-16T13:07:00Z WRN OpenSSL/BoringSSL version not found from shared library file, used default version OpenSSL Version=linux_default_3_0
2024-09-16T13:07:00Z INF Hook masterKey function ElfType=2 Functions=["SSL_get_wbio","SSL_in_before","SSL_do_handshake"] binrayPath=/usr/lib/libssl.so.3
2024-09-16T13:07:00Z INF target all process.
2024-09-16T13:07:00Z INF target all users.
2024-09-16T13:07:00Z INF setupManagers eBPFProgramType=Text
2024-09-16T13:07:00Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/openssl_3_0_0_kern_core.o
2024-09-16T13:07:00Z INF perfEventReader created mapSize(MB)=4
2024-09-16T13:07:00Z INF perfEventReader created mapSize(MB)=4
2024-09-16T13:07:00Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL

$ curl -Lso /dev/null https://www.google.com
Frame Type => SETTINGS

Frame Type => WINDOW_UPDATE

Frame Type => HEADERS
header field ":method" = "GET"
header field ":scheme" = "https"
header field ":authority" = "www.google.com"
header field ":path" = "/"
header field "user-agent" = "curl/8.9.1"
header field "accept" = "*/*"

Frame Type => SETTINGS

Frame Type => GOAWAY

2024-09-16T13:07:52Z ??? UUID:293216_293216_curl_3841860423_0_0.0.0.0, Name:HTTP2Response, Type:4, Length:22692

Frame Type => SETTINGS

Frame Type => WINDOW_UPDATE

Frame Type => SETTINGS

Frame Type => HEADERS
header field ":status" = "200"
header field "p3p" = "CP=\"This is not a P3P policy! See g.co/p3phelp for more info.\""
header field "x-xss-protection" = "0"
header field "x-frame-options" = "SAMEORIGIN"
header field "set-cookie" = "AEC=AVYB7cqtr_ifXJKex2MyxFtJ6nX0UyPecEbQGVQ0cc0p583fYikTPKRsKg; expires=Sat, 15-Mar-2025 13:07:50 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax"
header field "alt-svc" = "h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000"
header field "accept-ranges" = "none"
header field "vary" = "Accept-Encoding"

Frame Type => PING

Frame Type => DATA
<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="fr"><head><meta content="text/html; charset=UTF-8"
...
```

## Contribution

Feel free to provide to contribute networking troubleshooting tools and use-cases by opening PRs. If you would like to add any package, please follow these steps:
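Review bot: the captured sample in this section commits a real-looking `set-cookie` value from google.com (the `AEC=...` header field); replace it with a placeholder before merging, since the whole point of the section is that the tool prints secrets in clear and the README should not demonstrate that with a live one. Two smaller points on the same hunk: (1) the log shows the hook attached to `binrayPath=/usr/lib/libssl.so.3`, the libssl inside the netshoot image, so out of the box this only decrypts TLS from processes that map that same library file, such as the `curl` in the example; `target all process` reads as if it were host-wide, and the `> [!WARNING]` block should say what is actually in scope and that everything in scope is captured regardless of user, which matters when netshoot runs on a shared node; (2) `-i eth0` is the interface flag for ecapture's pcap output, so if it has no effect under `-m text`, drop it from the example so readers do not assume the capture is interface-scoped. Also grammar in the admonition: `Needs \`--privileged\` mode to run`.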
9 changes: 9 additions & 0 deletions build/fetch_binaries.sh
@@ -77,9 +77,18 @@ get_fortio() {
chmod +x /tmp/fortio
}

get_ecapture() {
VERSION=$(get_latest_release gojue/ecapture)
LINK="https://github.com/gojue/ecapture/releases/download/${VERSION}/ecapture-${VERSION}-linux-${ARCH}.tar.gz"
wget "$LINK" -O /tmp/ecapture.tar.gz && \
tar -zxvf /tmp/ecapture.tar.gz && \
mv ecapture-${VERSION}-linux-${ARCH}/ecapture "/tmp/ecapture" && \
chmod +x /tmp/ecapture
}

get_ctop
get_calicoctl
get_termshark
get_grpcurl
get_fortio
get_ecapture
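Review bot: `wget "$LINK"` fetches whatever `get_latest_release gojue/ecapture` returns at build time with no checksum or signature check, so a tool that will run `--privileged` and read TLS plaintext is installed with no integrity verification beyond the TLS connection to GitHub; verify a published checksum for the tarball or pin `VERSION` so the build is reproducible (if the other getters share this pattern, that argues for one verified-download helper rather than repeating it). Two mechanical points: `tar -zxvf /tmp/ecapture.tar.gz` extracts into the current working directory rather than `/tmp`, and the `mv ecapture-${VERSION}-linux-${ARCH}/ecapture "/tmp/ecapture"` leaves the extracted directory behind; `tar -C /tmp -xzf /tmp/ecapture.tar.gz` keeps the staging in one place and makes the `mv` path unambiguous. Finally, confirm `${ARCH}` is already in the `amd64`/`arm64` form the `ecapture-${VERSION}-linux-${ARCH}.tar.gz` asset name expects rather than raw `uname -m` output, since nothing in this hunk normalises it.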