# gojue/ecapture

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/gojue-ecapture).**

15,283 stars · 1,620 forks · C · Apache-2.0

## Links

- GitHub: https://github.com/gojue/ecapture
- awesome-repositories: https://awesome-repositories.com/repository/gojue-ecapture.md

## Description

eCapture is a suite of specialized auditing tools designed to capture plaintext database queries, log executed shell commands, forward packet captures, and decrypt TLS traffic.

The system extracts both plaintext content and TLS master secrets from encrypted communications without requiring CA certificates. It further monitors data interactions by capturing SQL queries from database instances and recording commands from shell environments for host-level auditing.

The toolset includes capabilities for network traffic analysis, exporting captured data to pcapng files, and forwarding events to external packet analysis software. It also provides an interface to modify capture parameters and tool settings in real time via HTTP.

## Tags

### Security & Cryptography

- [Traffic Decryption](https://awesome-repositories.com/f/security-cryptography/message-decryption/traffic-decryption.md) — Hooks into library functions to intercept and decrypt TLS-encrypted network traffic for plaintext analysis.
- [TLS Plaintext Extractions](https://awesome-repositories.com/f/security-cryptography/credential-encryption/decryption-utilities/configuration-decryption/ephemeral-plaintext-handling/plaintext-file-emission/tls-plaintext-extractions.md) — Extracts plaintext content from encrypted communication across various libraries without needing CA certificates. ([source](https://cdn.jsdelivr.net/gh/gojue/ecapture@main/README.md))
- [TLS Session Key Extractions](https://awesome-repositories.com/f/security-cryptography/master-key-recovery/database-key-extractions/tls-session-key-extractions.md) — Extracts TLS master secrets from memory to enable external decryption of recorded network traffic.

### Operating Systems & Systems Programming

- [Library Function Hooking](https://awesome-repositories.com/f/operating-systems-systems-programming/library-function-hooking.md) — Uses library-level hooking to intercept and extract plaintext data from encryption and database libraries.

### System Administration & Monitoring

- [Database Query Logging](https://awesome-repositories.com/f/system-administration-monitoring/application-audit-logs/database-query-logging.md) — Captures plaintext SQL queries from database instances to audit data interactions.
- [Network Traffic Analysis](https://awesome-repositories.com/f/system-administration-monitoring/network-traffic-analysis.md) — Analyzes network traffic by exporting captured data to pcapng files or forwarding to external analysis tools.
- [Shell Command Auditing](https://awesome-repositories.com/f/system-administration-monitoring/shell-command-auditing.md) — Records executed shell commands to monitor system activity and facilitate host-level security auditing.
- [Dynamic Configuration APIs](https://awesome-repositories.com/f/system-administration-monitoring/administrative-operations/service-and-infrastructure-management/server-management/dynamic-configuration-apis.md) — Provides a dynamic configuration API via HTTP to update tool settings without restarting the capture process. ([source](https://cdn.jsdelivr.net/gh/gojue/ecapture@main/README.md))
- [Network Event Forwarders](https://awesome-repositories.com/f/system-administration-monitoring/network-event-forwarders.md) — Forwards captured network events to third-party software for detailed external analysis. ([source](https://cdn.jsdelivr.net/gh/gojue/ecapture@main/README.md))
- [Traffic Event Forwarders](https://awesome-repositories.com/f/system-administration-monitoring/observability-tracing/batch-export-utilities/trace-exporters/packet-capture-exporters/traffic-event-forwarders.md) — Acts as a bridge that forwards captured traffic events to third-party packet analysis software.

### Data & Databases

- [Pcapng File Exports](https://awesome-repositories.com/f/data-databases/network-traffic-export/pcapng-file-exports.md) — Saves captured network traffic in pcapng format with the decryption secrets embedded in the file for analysis. ([source](https://cdn.jsdelivr.net/gh/gojue/ecapture@main/README.md))

### Development Tools & Productivity

- [Dynamic Configuration](https://awesome-repositories.com/f/development-tools-productivity/dynamic-configuration.md) — Allows the dynamic update of capture parameters and tool settings via HTTP while processes are actively running.

### Networking & Communication

- [Packet Stream Exports](https://awesome-repositories.com/f/networking-communication/http-traffic-inspection/real-time-traffic-dashboards/packet-stream-exports.md) — Provides real-time streaming of captured network packets to both local storage and external analysis software.
- [Packet Fragmentation and Reassembly](https://awesome-repositories.com/f/networking-communication/packet-fragmentation-and-reassembly.md) — Reassembles fragmented network traffic in user-space to reconstruct plaintext events for security auditing.

### Software Engineering & Architecture

- [Dynamic Configuration Interfaces](https://awesome-repositories.com/f/software-engineering-architecture/application-lifecycle-management/configuration-management/configuration-interfaces-and-editors/dynamic-configuration-interfaces.md) — Ships an HTTP-based interface for modifying capture parameters and tool settings during runtime without process restarts.

### Part of an Awesome List

- [Security Lab Environments](https://awesome-repositories.com/f/awesome-lists/devops/security-lab-environments.md) — Tool for capturing encrypted traffic using eBPF.
