oneplus 13 kernelsu 看不到抓包

[evi1owl]

一加13 root 采用kernelsu

命令如下 ：./ecapture tls --ssl_version='boringssl_a_15' -b 1 -m text

日志如下：
···
OP5D0DL1:/data/local/tmp # ./ecapture tls --ssl_version='boringssl_a_15' -b 1 -m text
2025-05-20T10:15:58Z INF AppName="eCapture(旁观者)"
2025-05-20T10:15:58Z INF HomePage=https://ecapture.cc
2025-05-20T10:15:58Z INF Repository=https://github.com/gojue/ecapture
2025-05-20T10:15:58Z INF Author="CFC4N cfc4ncs@gmail.com"
2025-05-20T10:15:58Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2025-05-20T10:15:58Z INF Version=androidgki_arm64:v1.0.2:6.8.0-1027-azure
2025-05-20T10:15:58Z INF Listen=localhost:28256
2025-05-20T10:15:58Z INF eCapture running logs logger=
2025-05-20T10:15:58Z INF the file handler that receives the captured event eventCollector=
2025-05-20T10:15:58Z INF Kernel Info=6.6.30 Pid=31053
2025-05-20T10:15:58Z INF TruncateSize=0 Unit=bytes
2025-05-20T10:15:58Z INF listen=localhost:28256
2025-05-20T10:15:58Z INF BTF bytecode mode: CORE. btfMode=1
2025-05-20T10:15:58Z INF https server starting...You can upgrade the configuration file via the HTTP interface.
2025-05-20T10:15:58Z INF master key keylogger has been set. eBPFProgramType=Text keylogger=
2025-05-20T10:15:58Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2025-05-20T10:15:58Z INF Module.Run()
2025-05-20T10:15:58Z INF OpenSSL/BoringSSL version found sslVersion=boringssl_a_15
2025-05-20T10:15:58Z INF Hook masterKey function ElfType=2 Functions=["SSL_in_init"] binrayPath=/apex/com.android.conscrypt/lib64/libssl.so
2025-05-20T10:15:58Z INF target all process.
2025-05-20T10:15:58Z INF target all users.
2025-05-20T10:15:58Z INF setupManagers eBPFProgramType=Text
2025-05-20T10:15:58Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_a_15_kern_core.o
2025-05-20T10:15:59Z INF perfEventReader created mapSize(MB)=4
2025-05-20T10:15:59Z INF perfEventReader created mapSize(MB)=4
2025-05-20T10:15:59Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL

···

然后怎么搞都抓不到包，打开app啥的，指定pid也不行

• Device: oneplus 13
• Kernel Info: Linux localhost 6.6.30-android15-8-g013ec21bba94-abogki383916444-4k

[dosubot]

Hello @evi1owl! I'm here to help you tackle bugs, answer questions, and assist you in becoming a contributor while you wait for a human maintainer. Let's get started! 🚀

I couldn't find specific information about eCapture's compatibility with KernelSU or detailed troubleshooting steps for Android devices. However, here are some general suggestions that might help:

1. Kernel Version Compatibility: Ensure that your kernel version is compatible with eCapture. For arm64 architecture, eCapture requires the kernel version to be greater than 5.5 ^[1].

2. Permissions and Capabilities: Make sure that the application has the necessary permissions and capabilities to run eBPF programs. This might include having the CAP_BPF capability, which was a known issue resolved in a previous update ^[2].

3. Targeting Specific Processes: If you are trying to capture packets from a specific application, ensure that you are correctly specifying the PID. eCapture uses the target_pid variable to determine which processes to target ^[3].

4. eBPF Program Loading: Check if the eBPF programs are being loaded correctly. The logs indicate that the BPF bytecode file is matched, which is a good sign, but ensure that there are no errors related to loading eBPF programs.

5. Debugging Logs: Review the logs for any error messages or warnings that might indicate what is going wrong. Look for messages related to bpf_probe_read_user failures or map lookup failures, as these can indicate issues with data capture ^[4].

If these steps do not resolve the issue, you might need to look into more specific configurations or updates related to KernelSU and eCapture's compatibility with it.

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Bug Report | Other}

[evi1owl]

经过大量测试，发现只有部分app能抓到，比如zhihu、xhs，像什么weibo还有疼讯系的都不行

[cfc4n]

你需要确认，被抓包的app使用的tls类库是不是默认的/apex/com.android.conscrypt/lib64/libssl.so，如果不是，那么你需要通过libssl参数指定。

[evi1owl]

还是不生效，比如 ./ecapture tls -b 1 --libssl=/data/app/~~q9Ymt6VldLuEBAnE9vN3BQ==/tv.danmaku.bili-IYKfkoUY0fJ53ToswUOtWA==/lib/arm64/libssl.so --pid=29814 --ssl_version='boringssl_a_15'

怎么让它输出更多的日志，目前日志输出看起来都是正常的

[evi1owl]

2025-05-21T11:28:11Z INF AppName="eCapture(旁观者)"
2025-05-21T11:28:11Z INF HomePage=https://ecapture.cc
2025-05-21T11:28:11Z INF Repository=https://github.com/gojue/ecapture
2025-05-21T11:28:11Z INF Author="CFC4N cfc4ncs@gmail.com"
2025-05-21T11:28:11Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2025-05-21T11:28:11Z INF Version=androidgki_arm64:v1.0.2:6.8.0-1027-azure
2025-05-21T11:28:11Z INF Listen=localhost:28256
2025-05-21T11:28:11Z INF eCapture running logs logger=
2025-05-21T11:28:11Z INF the file handler that receives the captured event eventCollector=
2025-05-21T11:28:11Z INF listen=localhost:28256
2025-05-21T11:28:11Z INF https server starting...You can upgrade the configuration file via the HTTP interface.
2025-05-21T11:28:11Z INF Kernel Info=6.6.30 Pid=16910
2025-05-21T11:28:11Z INF TruncateSize=0 Unit=bytes
2025-05-21T11:28:11Z INF BTF bytecode mode: CORE. btfMode=1
2025-05-21T11:28:11Z INF master key keylogger has been set. eBPFProgramType=Text keylogger=
2025-05-21T11:28:11Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2025-05-21T11:28:11Z INF Module.Run()
2025-05-21T11:28:11Z INF OpenSSL/BoringSSL version found sslVersion=boringssl_a_15
2025-05-21T11:28:11Z INF Hook masterKey function ElfType=2 Functions=["SSL_in_init"] binrayPath=/data/app/~~q9Ymt6VldLuEBAnE9vN3BQ==/tv.danmaku.bili-IYKfkoUY0fJ53ToswUOtWA==/lib/arm64/libssl.so
2025-05-21T11:28:11Z INF target all process.
2025-05-21T11:28:11Z INF target all users.
2025-05-21T11:28:11Z INF setupManagers eBPFProgramType=Text
2025-05-21T11:28:11Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_a_15_kern_core.o
2025-05-21T11:28:12Z INF perfEventReader created mapSize(MB)=4
2025-05-21T11:28:12Z INF perfEventReader created mapSize(MB)=4
2025-05-21T11:28:12Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL

[cfc4n]

是不是 流量并没有使用这个ssl链接库呢？ 能不能查看一下这个app内是不是有其他的加密类库，或者这是静态编译的？