Releases: gojue/ecapture

eCapture v0.4.0 release (Linux x86_64/aarch64, Android kernel 5.5+).

07 Aug 10:53
b28ab31

Note

Capture files can now be opened directly in Wireshark. There is no need to set up a Master Secrets file.

Raw packets are captured with a Traffic Control (TC) eBPF filter. The Master Secrets information is added to the pcapng file as a Decryption Secrets Block (DSB).
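
How a Decryption Secrets Block carries the key log inside the capture file, as an added Python example (not eCapture's own code): it writes a minimal pcapng section with one DSB and reads the secrets back, rejecting truncated or inconsistent blocks. The key log line is constructed sample data and the function names are illustrative.

```python
import struct

SHB_TYPE = 0x0A0D0D0A      # Section Header Block
DSB_TYPE = 0x0000000A      # Decryption Secrets Block
TLS_KEYLOG = 0x544C534B    # secrets type "TLSK": NSS key log text

def block(btype: int, body: bytes) -> bytes:
    """Frame a body as a little-endian pcapng block, padded to 32 bits."""
    body += b"\x00" * (-len(body) % 4)
    total = len(body) + 12
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def section_header() -> bytes:
    # byte-order magic, version 1.0, section length unknown (-1), no options
    return block(SHB_TYPE, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))

def dsb(keylog: bytes) -> bytes:
    return block(DSB_TYPE, struct.pack("<II", TLS_KEYLOG, len(keylog)) + keylog)

def extract_keylogs(data: bytes) -> list:
    """Return the key log text of every TLS DSB (single-section file assumed)."""
    if len(data) < 28 or struct.unpack_from("<I", data)[0] != SHB_TYPE:
        raise ValueError("not a pcapng file")
    magic = struct.unpack_from("<I", data, 8)[0]
    if magic not in (0x1A2B3C4D, 0x4D3C2B1A):
        raise ValueError("bad byte-order magic")
    end = "<" if magic == 0x1A2B3C4D else ">"
    out, off = [], 0
    while off + 12 <= len(data):
        btype, total = struct.unpack_from(end + "II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError(f"corrupt block at offset {off}")
        if btype == DSB_TYPE:
            if total < 20:
                raise ValueError(f"short DSB at offset {off}")
            stype, slen = struct.unpack_from(end + "II", data, off + 8)
            if slen > total - 20:
                raise ValueError(f"DSB secrets overrun at offset {off}")
            if stype == TLS_KEYLOG:
                out.append(data[off + 16:off + 16 + slen].decode("ascii"))
        off += total
    return out

# Constructed sample: one TLS 1.2 key log line with dummy random and secret.
SAMPLE_KEYLOG = b"CLIENT_RANDOM " + b"00" * 32 + b" " + b"11" * 48 + b"\n"

if __name__ == "__main__":
    capture = section_header() + dsb(SAMPLE_KEYLOG)
    print(extract_keylogs(capture)[0], end="")
```

Because the secrets travel inside the pcapng, anyone who receives the file can decrypt the sessions it contains, so a capture with a DSB needs the same handling as the key log itself.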

Warning

The loggerFile flag has changed from -w to -l, because -w is reserved for Wireshark, keeping it the same as -w for tcpdump. Use ecapture -h for help.
The master secrets filename has changed from ecapture_masterkey_[pid].log to ecapture_masterkey.log.

What's Changed

  • new feature: capture TLS 1.3 master secret by @cfc4n in #143
  • user : echo String() or StringHex() by CLI argument. by @cfc4n in #149
  • cli/cmd : clean up all probe while process exit. (#150) by @cfc4n in #151
  • save as Pcapng files #145 by @cfc4n in #148
  • user : Support writing pcapng files with Decryption Secrets Block (DSB). by @cfc4n in #153

Full Changelog: v0.3.0...v0.4.0

eCapture v0.3.0 release (Linux x86_64/aarch64, Android kernel 5.5+).

20 Jul 15:40
d9f115b

Breaking Changes

Captures the TLS master_key and saves it to a file. Supports OpenSSL 1.1.1.X and TLS 1.2.

Quick Guide:

  • Use ecapture to capture the TLS master_key; the master secret is saved to ecapture_masterkey_[pid].log.
  • Use tcpdump to capture packets and save them to an xxx.pcapng file.
  • Open the xxx.pcapng file with Wireshark.
  • Setting: Wireshark --> Preferences --> Protocols --> TLS --> (Pre)-Master-Secret log filename, select ecapture_masterkey_[pid].log.
  • Usage: right-click a packet item, select Follow -> HTTP Stream / HTTP/2 Stream.

What's Changed

  • all : refactor event_processor EventType. by @cfc4n in #134
  • fixed #138 : You have an error in your yaml syntax on line 79 by @cfc4n in #139
  • New feature: capture openssl masterkey #27 by @cfc4n in #140

Full Changelog: v0.2.2...v0.3.0

eCapture v0.2.2 release (Linux x86_64/aarch64, Android kernel 5.5+).

08 Jul 16:06
ad0a0e3

What's Changed

  • workflows: build failed on aarch 64 ubuntu : 'linux/kconfig.h' file not found #125 by @cfc4n in #126
  • Makefile shell running, with an unexpected result: lost DKERNEL_LESS_5_2 on kernel 4.15 #129 by @cfc4n in #132
  • ebpf: remove detection of BPF config when running at container #127 by @cfc4n in #128

Full Changelog: v0.2.1...v0.2.2

eCapture v0.2.1 release (Linux x86_64/aarch64, Android kernel 4.18+).

05 Jul 15:19
544c54d

What's Changed

  • pkg : fix Kernel config read failed, error:Config not found #117 by @cfc4n in #123
  • user : Clean up unnecessary information. fix #122 by @cfc4n in #124

Full Changelog: v0.2.0...v0.2.1

eCapture v0.2.0 release (Linux x86_64/aarch64, Android kernel 4.18+).

03 Jul 17:17
302dddb

What's Changed

  • Directly search so in search path when /usr/bin/curl is not exist by @tiann in #97
  • Add GitHub Action :Golangci lint by @cfc4n in #99
  • Add Chinese name 旁观者. by @cfc4n in #103
  • build: change tar.gz file path in checksum.txt by @cfc4n in #104
  • Support Golang HTTPS introspection by @chenhengqi in #100
  • New Feature: support Android without GKI (kernel version > 4.18) by @cfc4n in #107
  • fixed :#108 tls module cannot to capture payload on Aarch64 kernel 4.18 by @huzai9527 in #109
  • fixed #108: ip address lost on aarch64 kernel 4.18 by @cfc4n in #111
  • New feature: add payload parser. by @cfc4n in #113
  • document: message friendly by @cfc4n in #119

Full Changelog: v0.1.10...v0.2.0

eCapture v0.1.10 release (Linux x86_64/aarch64, Android GKI).

19 Jun 16:41
8c84bec

What's Changed

  • user : fixed bug. #76 libpthread.so not found. by @cfc4n in #77
  • Support for ARM64 architecture by @cfc4n in #75
  • fixed: outputing blank text on linux 4.18 #81 by @cfc4n in #82
  • New feature: update ebpfmanager package to 0.3.0 by @cfc4n in #83
  • New feature: #80 event filter by uid by @cfc4n in #84
  • New feature: #85 event filter by uid for module tls by @cfc4n in #86
  • New feature: #87 support Android GKI by @cfc4n in #88
  • fixed: #92 github checkout error while a PR sent. by @cfc4n in #93
  • New Feature: #79 Auto release for android gki by @cfc4n in #94

Full Changelog: v0.1.9...v0.1.10

eCapture v0.1.9 release (Linux x86_64/aarch64).

11 Jun 12:04
7872da6

What's Changed

  • code refactoring: event dispatcher by @cfc4n in #58
  • add notes for how to use ecapture in other libs by @xjas in #60
  • add TLS/SSL Version info (openssl). by @cfc4n in #62
  • Update README.md by @nfsec in #63
  • fix some typos by @cuishuang in #68
  • Add nosearch argument to skip auto search lib path by @vincentmli in #70

Full Changelog: v0.1.8...v0.1.9

eCapture v0.1.8 release.

08 May 14:59
84a358e

What's Changed

  • ADD mysqld dispatch_command return value. by @cfc4n in #44
  • autogen vmlinux header file to compatible current OS by @cfc4n in #50
  • feat: support postgres query hook by @yihong0618 in #51
  • added return value of bash module. by @huzai9527 in #52
  • change bash line size to 256 bytes by @yindex in #55
  • add errnumber flag for command bash by @huzai9527 in #56

Full Changelog: v0.1.7...v0.1.8

eCapture v0.1.7 release.

21 Apr 16:29
ffaf03a

What's Changed

  • user: fix #29 ubuntu21.10 error :connect symbol cant found by @cfc4n in #30
  • support no co-re version on linux kernel >= 5.2 by @cfc4n in #32
  • merge two Makefile files. by @cfc4n in #33
  • images : fix #34 Inaccurate/Confusing Diagrams by @cfc4n in #36
  • Fix #37 Shared object dependence by @cfc4n in #38
  • README grammar fix by @chriskaliX in #35
  • Fix #39 .rodata: map create: read- and write-only maps not supported (requires >= v5.2) by @cfc4n in #40
  • set clang version lower to 9 from 12 by @cfc4n in #41

New Contributors

  • @cfc4n made their first contribution in #30

Full Changelog: v0.1.6...v0.1.7

eCapture v0.1.6 release.

07 Apr 14:32
e7d7f5b

Full Changelog: v0.1.5...v0.1.6

v0.1.6 (2022-04-07)

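  • Updated the mysqld database audit module
  • Updated the tls network capture module

mysqld

  • Supports query auditing for mysqld on MySQL 5.7/8.0 and MariaDB 10.5+
    • Automatically detects the mysqld version.
    • Automatically locates the SQL query function to hook.

tls

  • Supports IP address association for openssl
    • Network IP addresses are stored and associated with the captured network data.
    • Supports specifying a custom libpthread.so path (used to locate the connect function).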

checksum

MD5 (ecapture) = a091904b36ceaebbbd977e9eaac790b7