Capture system-wide Conscrypt/BoringSSL TLS traffic on Android using eBPF.
Like ecapture or peetch, but simpler, more stable, and focused on Android.
This is a non-intrusive alternative to injecting root certs and generally works more reliably, but requires root and a modern kernel.
See here for a comparison to ecapture.
- Readable, non-vibecoded, and simple code.
- Focus on ARM64. ARMv7 support might be added later.
- Explicit focus on Android with boringssl and a non-ancient kernel version.
- Partial support for older kernels using ptrace or a more limited version of the probe.
- Wide boringssl version compatibility with automated offset analysis.
- Other native TLS libraries that apps may embed are out of scope, at least for now (this is fairly rare, though).
- Only basic output formats, no application protocol parsing for simplicity (use Wireshark or something like pcapng_to_har if you want to look at HTTP traffic):
  - SSLKEYLOGFILE.
  - PCAPNG with dsb.
- Support for multiple copies of BoringSSL, including ones statically linked into apps.
- Carefully designed buffering to avoid dropped packets/secrets.
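The two output formats listed above are related: a PCAPNG file can carry the SSLKEYLOGFILE lines inside a Decryption Secrets Block (DSB), so Wireshark decrypts the capture without a separate key file. The following is an added example, not part of this project's code, that builds such a file from constructed sample data (a fake key log and fake packets) and parses it back to recover the key log. The block-type and secrets-type constants are the ones defined by the pcapng specification; everything else (function names, sample values) is made up for the example.

```python
"""Write and read a minimal PCAPNG file with a TLS key log embedded as a DSB.

Added example with constructed sample data; not the tool's own code.
"""
import struct

# Block and magic constants from the pcapng specification.
SHB_TYPE = 0x0A0D0D0A          # Section Header Block
IDB_TYPE = 0x00000001          # Interface Description Block
EPB_TYPE = 0x00000006          # Enhanced Packet Block
DSB_TYPE = 0x0000000A          # Decryption Secrets Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D
SECRETS_TYPE_TLS_KEYLOG = 0x544C534B   # "TLSK": SSLKEYLOGFILE format
LINKTYPE_RAW = 101             # raw IP packets, no link-layer header

# Constructed sample key log: the random/secret hex values are placeholders,
# not real TLS material.
SAMPLE_KEYLOG = (
    "CLIENT_RANDOM " + "00" * 32 + " " + "11" * 48 + "\n"
    "CLIENT_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "33" * 32 + "\n"
)
# Constructed sample packets: (timestamp in microseconds, raw bytes).
SAMPLE_PACKETS = [
    (1_700_000_000_000_000, b"\x45\x00\x00\x14" + b"\xaa" * 16),
    (1_700_000_000_000_500, b"\x45\x00\x00\x18" + b"\xbb" * 20),
]


def _pad4(data: bytes) -> bytes:
    """Pad to a 32-bit boundary, as every pcapng block body must be."""
    return data + b"\x00" * (-len(data) % 4)


def _block(block_type: int, body: bytes) -> bytes:
    """Frame a body as type | total length | body | total length (again)."""
    body = _pad4(body)
    total = 8 + len(body) + 4
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def section_header_block() -> bytes:
    # byte-order magic, version 1.0, section length -1 (= unknown)
    return _block(SHB_TYPE, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))


def interface_description_block(linktype: int = LINKTYPE_RAW, snaplen: int = 262144) -> bytes:
    # linktype, reserved, snaplen
    return _block(IDB_TYPE, struct.pack("<HHI", linktype, 0, snaplen))


def decryption_secrets_block(keylog: str) -> bytes:
    data = keylog.encode("ascii")
    # secrets type, secrets length, secrets data (padded by _block)
    return _block(DSB_TYPE, struct.pack("<II", SECRETS_TYPE_TLS_KEYLOG, len(data)) + data)


def enhanced_packet_block(packet: bytes, ts_usec: int, iface: int = 0) -> bytes:
    # interface id, timestamp high, timestamp low, captured len, original len
    hdr = struct.pack("<IIIII", iface, ts_usec >> 32, ts_usec & 0xFFFFFFFF,
                      len(packet), len(packet))
    return _block(EPB_TYPE, hdr + packet)


def write_pcapng(keylog: str, packets) -> bytes:
    """Assemble a file. The DSB is emitted before any packet so a reader
    has the secrets in hand when it reaches the first TLS record."""
    out = section_header_block() + interface_description_block() + decryption_secrets_block(keylog)
    for ts, pkt in packets:
        out += enhanced_packet_block(pkt, ts)
    return out


def iter_blocks(data: bytes):
    """Yield (block_type, body) for each block, validating both length fields."""
    off = 0
    while off < len(data):
        btype, total = struct.unpack_from("<II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError(f"bad block length {total} at offset {off}")
        trailer = struct.unpack_from("<I", data, off + total - 4)[0]
        if trailer != total:
            raise ValueError(f"trailing length mismatch at offset {off}")
        yield btype, data[off + 8: off + total - 4]
        off += total


def extract_keylog(data: bytes) -> str:
    """Return the first TLS key log found in a DSB, or '' if none."""
    for btype, body in iter_blocks(data):
        if btype == DSB_TYPE:
            stype, slen = struct.unpack_from("<II", body, 0)
            if stype == SECRETS_TYPE_TLS_KEYLOG:
                return body[8:8 + slen].decode("ascii")
    return ""


def packet_count(data: bytes) -> int:
    return sum(1 for btype, _ in iter_blocks(data) if btype == EPB_TYPE)


if __name__ == "__main__":
    blob = write_pcapng(SAMPLE_KEYLOG, SAMPLE_PACKETS)
    with open("sample_with_dsb.pcapng", "wb") as f:
        f.write(blob)
    print(packet_count(blob), "packets;", len(extract_keylog(blob)), "bytes of key log")
```

Writing the file and opening it in Wireshark shows the secrets under the file's decryption-secrets list; the reader side is deliberately strict about both length fields, since a truncated or corrupted block is the usual reason a capture "has no keys" when it seems it should.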