eCapture v0.7.6

What's Changed

• fix #500 to avoid potential hang and event loss by @ruitianzhong in #501
• fix issue#504 by @sancppp in #506
• tentative fix to address bash problem #490 by @ruitianzhong in #510
• Fix cant found RET offset in gotls mode. fix #502. by @cfc4n in #512

Full Changelog: v0.7.5...v0.7.6

eCapture v0.7.5

What's Changed

• Improve makefile by @cfc4n in #488
• Fix: init GoTLSProbe.tcPacketsChan #492 by @ruitianzhong in #493
• fix: avoid printing confusing message when input contains special character by @ruitianzhong in #495
• correctly update ContentLength for uncompressed response body by @ruitianzhong in #498
• add -race flags for go test and fix data race warning by @ruitianzhong in #499
• openssl: encode the value of fd (ssl->wbio->num) to gen uuid, rather than an unexpected random number by @wuyexkx in #494

New Contributors

• @ruitianzhong made their first contribution in #493
• @wuyexkx made their first contribution in #494

Full Changelog: v0.7.4...v0.7.5

eCapture v0.7.4

🚀 Breaking Changes

eCapture supports Pcap Filter Syntax, and you can use the pcap filter expression to filter network packets like tcpdump.

In the tls\gotls module, when the running mode is pcap, the pcap filter expression is supported, which can be set in the last parameter of the command line, for example:

ecapture tls -m pcap -i wlan0 -w save.pcapng host 192.168.1.1 and tcp port 443

What's Changed

• Update probe_bash.go by @sancppp in #479
• docs: Optimized the error message in the gotls module.(fix: #482) by @cfc4n in #484
• feat: Support pcap-filter expression for pcap mode by @Asphaltt in #478
• chore: Pcap filter tidy,support ubuntu arm64 to make libpcap by @cfc4n in #487

New Contributors

• @sancppp made their first contribution in #479
• @Asphaltt made their first contribution in #478

Full Changelog: v0.7.3...v0.7.4

eCapture v0.7.3

What's Changed

• makefile: Optimize the feature list for the Android version by @cfc4n in #457
• user: support event processor by @cfc4n in #462
• chore: remove refs to deprecated io/ioutil by @testwill in #465
• user: fix concurrent map read and map write #467 by @cfc4n in #468
• utils: support openssl 3.1.0-3.1.4 and 3.0.9-3.0.12 by @cfc4n in #469
• user: imporve dynamic link library path loading logic on aarch64 ubuntu by @cfc4n in #470
• user: imporve #463, impact on the performance of the tested program by @cfc4n in #471
• kern: support openssl 3.2.x , change ssl_st to ssl_connection_st by @cfc4n in #472

New Contributors

• @testwill made their first contribution in #465

Full Changelog: v0.7.2...v0.7.3

eCapture v0.7.2

What's Changed

• user: improve pcapng writer, flush every 2s. by @cfc4n in #455
• builder: add debian package build script. by @cfc4n in #456

Full Changelog: v0.7.1...v0.7.2

eCapture v0.7.1

What's Changed

• cli: reduce mapsize to 1024 * PAGESIZE. by @cfc4n in #440
• Add optimization in openssl detection logic to consume less memory by @h0x0er in #438
• cli: fix nss module panic by @mannkafai in #444
• build(deps): bump golang.org/x/crypto from 0.14.0 to 0.17.0 by @dependabot in #448
• pkg: support android on docker(redroid). by @cfc4n in #453

New Contributors

• @mannkafai made their first contribution in #444

Full Changelog: v0.7.0...v0.7.1

eCapture v0.7.0

🚀 Breaking Changes

• Split nss/gnutls/openssl into three separate submodules. Corresponding to the ./ecapture nss, ./ecapture gnutls, ecapture tls commands.
• Support keylog mode, equivalent to the functionality of the SSLKEYLOGFILE environment variable. Captures SSL/TLS communication keys directly without the need for changes in the target process.
• Refactor the mode parameters supported by the openssl(aka tls) module using the -mparameter, with values text, pcap,keylog.
  • pcap mode: Set with -m pcap or -m pcapng parameters. When using this mode, it is necessary to specify --pcapfile and -i parameters. The default value for the --pcapfile parameter is ecapture_openssl.pcapng.
  • keylog mode: Set with -m keylog or -m key parameters. When using this mode, it is necessary to specify --keylogfile, defaulting to ecapture_masterkey.log.
  • text mode: Default mode when -m parameter is unspecified. Outputs all plaintext packets in text form. (As of v0.7.0, no longer captures communication keys, please use keylog mode instead.)
• Refactor the mode parameters supported by the gotls module, similar to the openssl module, without further details.
• Optimize the memory size of eBPF Map, specify with the --mapsize parameter, defaulting to 5120 KB.
• Remove the -w parameter, use --pcapfile parameter instead.
• Change log-addr parameter to logaddr, with unchanged functionality.

Thanks to the genius idea from @blaisewang.

---

• 将nss/gnutls/openssl拆分为独立的三个子模块。分别对应./ecapture nss、./ecapture gnutls、ecapture tls三个子命令。
• 支持keylog模式，等同于SSLKEYLOGFILE环境变量的功能，无需目标进程改动，直接捕获SSL/TLS通信密钥。
• 重构openssl(aka tls)模块支持的模式参数，使用-m参数指定，分别为text,pcap,keylog三个值。
  • pcap模式：-m pcap或-m pcapng参数来设定。当使用本模式时，必需指定--pcapfile、-i这两个参数才能使用。 其中--pcapfile参数的默认值为ecapture_openssl.pcapng。
  • keylog模式：-m keylog或-m key参数来设定。当使用本模式时，必需指定--keylogfile，默认为ecapture_masterkey.log。
  • text模式：-m参数不指定时，默认为本模式。将以文本形式输出所有的明文数据包。（自v0.7.0起，不再捕获通讯密钥，请使用keylog模式代替）
• 重构gotls模块支持的模式参数，与openssl模块一样，不再赘述。
• 优化eBPF Map的内存大小，使用--mapsize参数指定，默认为5120 KB。
• 移除-w参数，请使用--pcapfile参数代替。
• 更改log-addr参数为logaddr，功能含义不变。

感谢 @blaisewang 的天才思路。

What's Changed

• ignore connect symbol cant found. by @cfc4n in #431
• Add support for stripped go binaries by @h0x0er in #426
• splitting gnutls/nss module from tls module lists. by @cfc4n in #434
• user: custom mapSize flag. improve memory usage #433 . by @cfc4n in #435
• add the model flag to distinguish the captured modes, support keylog captured. by @cfc4n in #436

Full Changelog: v0.6.6...v0.7.0

eCapture v0.6.6

What's Changed

• add ubunutu23.04 aarch64 clang-15 into init_env.sh by @BiteFoo in #413
• Decode kernel time to user time by @h0x0er in #418
• Fix : openssl event output invalid with hex mode by @cfc4n in #421
• user : Set the connect hook as an optional parameter. by @cfc4n in #423

New Contributors

• @BiteFoo made their first contribution in #413
• @h0x0er made their first contribution in #418

Full Changelog: v0.6.5...v0.6.6

eCapture v0.6.5

What's Changed

• supports all ports when target_port is set to 0. by @cfc4n in #409
• support for the boringssl library on Android 12\13\14. by @cfc4n in #410
• update golang version to 1.21 from 1.18 by @cfc4n in #412
• 支持所有端口的网络数据捕获(target_port为0时) by @cfc4n in #409
• 在Android 12\13\14上，支持borlingssl类库的明文捕获 by @cfc4n in #410
• 更新Golang类库到1.21，cilium/ebpf类库到0.12.3 by @cfc4n in #412

Full Changelog: v0.6.4...v0.6.5

eCapture v0.6.4

What's Changed

• bugfix: Hook the ssl_set_fd function to get FD. by @cfc4n in #399
• build(deps): bump golang.org/x/net from 0.7.0 to 0.17.0 by @dependabot in #402
• refactor : Shared Object (so) path load logic by @cfc4n in #401
• improve: add missing eBPF maps parameters. by @cfc4n in #405

Full Changelog: v0.6.3...v0.6.4