gojue/ecapture

pcap mode failed on Android App while hex mode works fine

r0ysue opened this issue · 2 comments

Describe the bug
pcap mode fails to capture Android App traffic while hex mode works fine

To Reproduce

  1. install coolapk app
  2. try in different modes

Expected behavior
pcap mode should show the clear text in the save.pcapng file, but it is not found
hex mode works fine and finds all clear text

Screenshots
Screenshot 2024-02-29 21 20 57
Screenshot 2024-02-29 21 25 49
save.pcapng.zip

Linux Server/Android (please complete the following information):

  • Env: [run make env to get the environment variables]
  • OS: latest android 14
  • Arch: Pixel 6 oriole
  • Kernel Version: 5.10.177-android13-4-00003
  • Version: ga7208022a7ea-ab10815828

Additional context
Add any other context about the problem here.

I used the Android Studio emulator, and it seems to be running fine.

emu64a:/data/local/tmp # ./ecapture tls -p 6310 -m pcap -w 111.pcapng
2024/04/14 03:39:17 Your environment is like a container. We won't be able to detect the BTF configuration.
tls_2024/04/14 03:39:17 ECAPTURE :: ecapture Version : androidgki_aarch64:0.7.6-20240330-f1930dc:[CORE]
tls_2024/04/14 03:39:17 ECAPTURE :: Pid Info : 19764
tls_2024/04/14 03:39:17 ECAPTURE :: Kernel Info : 5.15.41
tls_2024/04/14 03:39:17 EBPFProbeOPENSSL	module initialization
tls_2024/04/14 03:39:17 ECAPTURE ::	Module.Run()
tls_2024/04/14 03:39:17 EBPFProbeOPENSSL	Pcapng MODEL
tls_2024/04/14 03:39:17 EBPFProbeOPENSSL	OpenSSL/BoringSSL version found, ro.build.version.release=13
tls_2024/04/14 03:39:17 EBPFProbeOPENSSL	HOOK type: 2, binrayPath: /apex/com.android.conscrypt/lib64/libssl.so
tls_2024/04/14 03:39:17 EBPFProbeOPENSSL	PcapFilter:
tls_2024/04/14 03:39:17 EBPFProbeOPENSSL	Ifname: wlan0, Ifindex: 16
tls_2024/04/14 03:39:17 EBPFProbeOPENSSL	Hook masterKey function: [SSL_in_init]
tls_2024/04/14 03:39:17 EBPFProbeOPENSSL	target PID:6310
tls_2024/04/14 03:39:17 EBPFProbeOPENSSL	target all users.
tls_2024/04/14 03:39:17 EBPFProbeOPENSSL	BPF bytecode filename:user/bytecode/boringssl_a_13_kern.o
tls_2024/04/14 03:39:17 EBPFProbeOPENSSL	saving pcapng file: /data/local/tmp/111.pcapng
tls_2024/04/14 03:39:17 EBPFProbeOPENSSL	perfEventReader created. mapSize:4 MB
tls_2024/04/14 03:39:17 EBPFProbeOPENSSL	perfEventReader created. mapSize:4 MB
tls_2024/04/14 03:39:17 EBPFProbeOPENSSL	module started successfully.
tls_2024/04/14 03:39:17 ECAPTURE :: 	start 1 modules
tls_2024/04/14 03:39:19 EBPFProbeOPENSSL	save pcapng success, count:1401
tls_2024/04/14 03:39:21 EBPFProbeOPENSSL	TLS1_2_VERSION: save CLIENT_RANDOM 1b10c325e39102d4f61cdce3fc53d72f0edac451653678ec7bdead64c3d7c391 to file success, 176 bytes
tls_2024/04/14 03:39:21 EBPFProbeOPENSSL	TLS1_2_VERSION: save CLIENT_RANDOM aada68773b012ddaba702e1fdfc61e099b1a18df0aaae71da286503143af41a3 to file success, 176 bytes
tls_2024/04/14 03:39:23 EBPFProbeOPENSSL	save pcapng success, count:415
tls_2024/04/14 03:39:25 EBPFProbeOPENSSL	save pcapng success, count:4
tls_2024/04/14 03:39:43 EBPFProbeOPENSSL	save pcapng success, count:1
tls_2024/04/14 03:39:45 EBPFProbeOPENSSL	save pcapng success, count:1
^Ctls_2024/04/14 03:39:55 EBPFProbeOPENSSL	close.
tls_2024/04/14 03:39:55 EBPFProbeOPENSSL	 save 1822 packets into pcapng file.
tls_2024/04/14 03:39:55 EBPFProbeOPENSSL	close
emu64a:/data/local/tmp # ps -ef|grep coolapk
u0_a172       6310   372 13 06:06:12 ?    00:43:49 com.coolapk.market
u0_a172       6336  6310 1 06:06:12 ?     00:02:44 com.coolapk.market
u0_a172       7055   372 0 06:06:23 ?     00:01:27 com.coolapk.market:xg_vip_service
u0_a172       7081  7055 0 06:06:23 ?     00:01:16 com.coolapk.market:xg_vip_service
root         19807  7708 3 11:40:00 pts/0 00:00:00 grep coolapk
emu64a:/data/local/tmp #

There is a possibility that the TLS handshake and key exchange were completed before eCapture ran, so eCapture cannot capture the key.

Make sure eCapture is running before the program: start ecapture first, without specifying the PID parameter, then start the process.
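The failure mode described above, a connection whose handshake finished before eCapture started and whose key therefore never reached the secrets file, can be checked after the fact. The script below is an added example for this issue; it is not part of eCapture or of either comment. It assumes the secrets are CLIENT_RANDOM lines in NSS key log format (the 176-byte "save CLIENT_RANDOM ... to file" lines in the log above have exactly that length) and that each connection's TLS records have already been reassembled into one byte string; TCP reassembly and pcapng parsing are out of scope here. The sample connections, randoms and secrets are constructed inline.

```python
"""Classify captured TLS 1.2 connections against an NSS-format key log.

Added example for the eCapture issue above; not part of eCapture itself.
Assumptions: secrets are CLIENT_RANDOM lines in NSS key log format, and each
connection's TLS records have already been reassembled into one byte string.
Only TLS 1.2 CLIENT_RANDOM entries are handled (TLS 1.3 uses other labels).
"""

# Constructed sample values (not real session data).
CLIENT_RANDOM_A = bytes(range(32))           # handshake captured, key logged
CLIENT_RANDOM_B = bytes(range(0x40, 0x60))   # handshake captured, key never logged
MASTER_SECRET_A = bytes([0xAA]) * 48

# Constructed key log: one CLIENT_RANDOM line, the 176-byte form seen in the log above.
KEYLOG_TEXT = "CLIENT_RANDOM %s %s\n" % (CLIENT_RANDOM_A.hex(), MASTER_SECRET_A.hex())


def parse_keylog(text):
    """Map client_random -> master_secret from CLIENT_RANDOM lines; other labels are ignored."""
    secrets = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "CLIENT_RANDOM":
            secrets[bytes.fromhex(parts[1])] = bytes.fromhex(parts[2])
    return secrets


def build_client_hello(client_random):
    """Minimal TLS 1.2 ClientHello record, used only to construct test input."""
    body = b"\x03\x03" + client_random + b"\x00"   # version, random, empty session id
    body += b"\x00\x02\xc0\x2f"                     # one cipher suite
    body += b"\x01\x00"                             # null compression only
    body += b"\x00\x00"                             # no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def build_app_data(ciphertext):
    """TLS 1.2 application_data record wrapping already-encrypted bytes (constructed)."""
    return b"\x17\x03\x03" + len(ciphertext).to_bytes(2, "big") + ciphertext


def iter_records(stream):
    """Yield (content_type, payload) for each complete TLS record in the stream."""
    off = 0
    while off + 5 <= len(stream):
        content_type = stream[off]
        rec_len = int.from_bytes(stream[off + 3:off + 5], "big")
        payload = stream[off + 5:off + 5 + rec_len]
        if len(payload) < rec_len:
            break                                   # truncated trailing record
        yield content_type, payload
        off += 5 + rec_len


def classify_connection(stream, secrets):
    """Explain why a connection will or will not decrypt with the given secrets."""
    client_random = None
    saw_app_data = False
    for content_type, payload in iter_records(stream):
        # handshake(22) carrying client_hello(1): the random follows the 4-byte
        # handshake header and the 2-byte legacy version field
        if content_type == 0x16 and len(payload) >= 38 and payload[0] == 0x01:
            client_random = payload[6:38]
        elif content_type == 0x17:
            saw_app_data = True
    if client_random is None:
        return "handshake-before-capture" if saw_app_data else "no-tls-records"
    return "decryptable" if client_random in secrets else "key-not-logged"


# Constructed connections: A is healthy, B lost its key, C was already established
# when the capture started, which is the situation the comment above describes.
SAMPLE_CONNECTIONS = {
    "conn-A": build_client_hello(CLIENT_RANDOM_A) + build_app_data(b"\x00" * 24),
    "conn-B": build_client_hello(CLIENT_RANDOM_B) + build_app_data(b"\x00" * 24),
    "conn-C": build_app_data(b"\x00" * 40) + build_app_data(b"\x00" * 8),
}


def audit(connections, keylog_text):
    """Return {connection name: status} for every reassembled connection."""
    secrets = parse_keylog(keylog_text)
    return {name: classify_connection(stream, secrets) for name, stream in connections.items()}


if __name__ == "__main__":
    for name, status in audit(SAMPLE_CONNECTIONS, KEYLOG_TEXT).items():
        print(name, status)
```

A connection reported as "handshake-before-capture" has only application_data records in the capture and no ClientHello, so no CLIENT_RANDOM could ever have been written for it; that is the case the comment above fixes by starting ecapture before the target process. "key-not-logged" is the other case worth separating: the handshake was on the wire, but the master key hook did not fire or the secret was not flushed.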