gotls capturing a golang program: cannot write the pcapfile, cannot see the response content
Closed this issue · 4 comments
panzhengyu commented
root@test:~/ecapture-v0.7.0-linux-x86_64# ./ecapture gotls --elfpath=/opt/alibabacloud/hbrclient/client/hbrclient --pcapfile="/tmp/ecapture_gotls.pcapng"
tls_2023/12/15 18:41:01 ECAPTURE :: ecapture Version : linux_x86_64:0.7.0-20231203-2fbdf3f:5.15.0-1051-azure
tls_2023/12/15 18:41:01 ECAPTURE :: Pid Info : 5891
tls_2023/12/15 18:41:01 ECAPTURE :: Kernel Info : 5.15.126
tls_2023/12/15 18:41:01 EBPFProbeGoTLS module initialization
tls_2023/12/15 18:41:01 EBPFProbeGoTLS master key keylogger:
tls_2023/12/15 18:41:01 ECAPTURE :: Module.Run()
tls_2023/12/15 18:41:01 EBPFProbeGoTLS Text MODEL
tls_2023/12/15 18:41:01 EBPFProbeGoTLS eBPF Function Name:gotls_write_register, isRegisterABI:true
tls_2023/12/15 18:41:01 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x104
tls_2023/12/15 18:41:01 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x131
tls_2023/12/15 18:41:01 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x1B2
tls_2023/12/15 18:41:01 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x2FD
tls_2023/12/15 18:41:01 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x330
tls_2023/12/15 18:41:01 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x3AD
tls_2023/12/15 18:41:01 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x3CB
tls_2023/12/15 18:41:01 EBPFProbeGoTLS target all process.
tls_2023/12/15 18:41:01 EBPFProbeGoTLS target all users.
tls_2023/12/15 18:41:01 EBPFProbeGoTLS BPF bytecode filename:user/bytecode/gotls_kern.o
tls_2023/12/15 18:41:01 EBPFProbeGoTLS perfEventReader created. mapSize:20 MB
tls_2023/12/15 18:41:01 EBPFProbeGoTLS module started successfully.
tls_2023/12/15 18:41:10 PID: 5832, Comm: hbrclient, TID: 5843, PayloadType:1, Payload:
tls_2023/12/15 18:41:10 PID: 5832, Comm: hbrclient, TID: 5832, PayloadType:1, Payload:
tls_2023/12/15 18:41:13 PID: 5901, Comm: hbrclient, TID: 5911, PayloadType:0, Payload: GET / HTTP/1.1
Host: post-cn-45917akja09-internal.mqtt.aliyuncs.com:443
User-Agent: Go-http-client/1.1
Connection: Upgrade
Sec-WebSocket-Key: zNMWnxkSq66kNblaOIsyzQ==
Sec-WebSocket-Protocol: mqtt
Sec-WebSocket-Version: 13
Upgrade: websocket
tls_2023/12/15 18:41:13 PID: 5901, Comm: hbrclient, TID: 5911, PayloadType:1, Payload: HTTP/1.1 101 Switching Protocols
upgrade: websocket
connection: upgrade
sec-websocket-accept: I9smyYqRA7UaSEaGcrm21lq4BvU=
sec-websocket-protocol: mqtt
tls_2023/12/15 18:41:13 PID: 5901, Comm: hbrclient, TID: 5911, PayloadType:0, Payload: GET / HTTP/1.1
Host: post-cn-45917akja09-internal.mqtt.aliyuncs.com:443
User-Agent: Go-http-client/1.1
Connection: Upgrade
Sec-WebSocket-Key: aKyS+xYkOVmtqZImHnzZkw==
Sec-WebSocket-Protocol: mqtt
Sec-WebSocket-Version: 13
Upgrade: websocket
tls_2023/12/15 18:41:13 PID: 5901, Comm: hbrclient, TID: 5911, PayloadType:1, Payload:
tls_2023/12/15 18:41:13 PID: 5901, Comm: hbrclient, TID: 5911, PayloadType:1, Payload:
tls_2023/12/15 18:41:15 PID: 5901, Comm: hbrclient, TID: 5910, PayloadType:1, Payload:
tls_2023/12/15 18:41:15 PID: 5901, Comm: hbrclient, TID: 5910, PayloadType:1, Payload:
tls_2023/12/15 18:41:18 PID: 5901, Comm: hbrclient, TID: 5911, PayloadType:1, Payload:
tls_2023/12/15 18:41:19 PID: 5901, Comm: hbrclient, TID: 5901, PayloadType:1, Payload:
tls_2023/12/15 18:41:19 PID: 5901, Comm: hbrclient, TID: 5901, PayloadType:1, Payload:
tls_2023/12/15 18:41:33 PID: 5901, Comm: hbrclient, TID: 5901, PayloadType:1, Payload:
tls_2023/12/15 18:41:33 PID: 5901, Comm: hbrclient, TID: 5901, PayloadType:1, Payload:
tls_2023/12/15 18:41:33 PID: 5901, Comm: hbrclient, TID: 5911, PayloadType:1, Payload:
tls_2023/12/15 18:41:33 PID: 5901, Comm: hbrclient, TID: 5911, PayloadType:1, Payload:
tls_2023/12/15 18:41:33 PID: 5901, Comm: hbrclient, TID: 5911, PayloadType:1, Payload:
tls_2023/12/15 18:41:33 PID: 5901, Comm: hbrclient, TID: 5911, PayloadType:1, Payload:
tls_2023/12/15 18:41:33 PID: 5901, Comm: hbrclient, TID: 5911, PayloadType:1, Payload:
tls_2023/12/15 18:41:34 PID: 5901, Comm: hbrclient, TID: 5911, PayloadType:1, Payload:
tls_2023/12/15 18:41:34 PID: 5901, Comm: hbrclient, TID: 5911, PayloadType:1, Payload:
tls_2023/12/15 18:42:38 PID: 5901, Comm: hbrclient, TID: 5905, PayloadType:1, Payload:
^Ctls_2023/12/15 18:42:48 EBPFProbeGoTLS close.
tls_2023/12/15 18:42:48 EBPFProbeGoTLS close
root@test:~/ecapture-v0.7.0-linux-x86_64# ll /tmp/ecapture_gotls.pcapng
ls: cannot access '/tmp/ecapture_gotls.pcapng': No such file or directory
root@test:~/ecapture-v0.7.0-linux-x86_64#
I am using the ./ecapture gotls command to capture the HTTPS traffic of a binary program written in golang. I used --pcapfile in the command, but the pcap file is not written. Why is that?
cfc4n commented
Use the -m parameter; refer to the usage instructions at https://github.com/gojue/ecapture/releases/tag/v0.7.0.
panzhengyu commented
Thanks, that solved it. By the way, do programs written in golang generally not use OpenSSL for TLS?
cfc4n commented
Go uses its own TLS library implementation.
panzhengyu commented
OK