
Regarding the problem of reading the request body and response body of the websocket #730

Open
ReverseFeng opened this issue Feb 10, 2025 · 5 comments
Labels
question Further information is requested

Comments

ReverseFeng commented Feb 10, 2025

How do I get the request body and response body of the websocket? Currently I can see the request header and response header:

2025-02-10T06:24:29Z ??? UUID:31190_31224_.50.48:8765/..._0_1_0.0.0.0:0-0.0.0.0:0, Name:HTTPRequest, Type:1, Length:253
GET / HTTP/1.1
Host: 192.168.50.48:8765
Accept-Encoding: gzip
Connection: Upgrade
Sec-Websocket-Extensions: permessage-deflate
Sec-Websocket-Key: CXoMBJw8KI5uxzgYEr0wtw==
Sec-Websocket-Version: 13
Upgrade: websocket
User-Agent: okhttp/4.10.0


2025-02-10T06:24:29Z ??? UUID:31190_31224_.50.48:8765/..._0_0_0.0.0.0:0-0.0.0.0:0, Name:HTTPResponse, Type:3, Length:276
HTTP/1.1 101 Switching Protocols
Connection: Upgrade
Date: Mon, 10 Feb 2025 06:23:31 GMT
Sec-Websocket-Accept: b3tq/0dBMii9WoowBpA3NEbJdoM=
Sec-Websocket-Extensions: permessage-deflate; server_max_window_bits=12
Server: Python/3.10 websockets/14.2
Upgrade: websocket


2025-02-10T06:24:29Z ??? UUID:31190_31229_8765/... writer_0_1_0.0.0.0:0-0.0.0.0:0, Name:DefaultParser, Type:0, Length:146
00000000  81 8e db 40 e4 f8 93 25  88 94 b4 6c c4 ab be 32  |...@...%...l...2|
00000010  92 9d a9 61                                       |...a|

2025-02-10T06:24:34Z ??? UUID:31190_31232_8:8765/... ping_0_1_0.0.0.0:0-0.0.0.0:0, Name:DefaultParser, Type:0, Length:69
00000000  89 80 b3 b8 35 3c                                 |....5<|

2025-02-10T06:24:34Z ??? UUID:31190_31232_8765/... writer_0_1_0.0.0.0:0-0.0.0.0:0, Name:DefaultParser, Type:0, Length:227
00000000  81 a0 3c f2 a2 64 6c 97  d0 0d 53 96 cb 07 1c 9f  |..<..dl...S.....|
00000010  c7 17 4f 93 c5 01 1c 97  d4 01 4e 8b 82 51 1c 81  |..O.......N..Q..|
00000020  c7 07 53 9c c6 17                                 |..S...|
cfc4n (Member) commented Feb 10, 2025

Accept-Encoding: gzip

This is the decrypted text, but it is encoded. eCapture is not perfect at parsing encoded content. You can use pcapng mode, save the results, and open the file in Wireshark to view it.
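Editor's note with an added example (not part of the thread and not eCapture code): the `Accept-Encoding: gzip` header only governs HTTP bodies. After the `101 Switching Protocols` response the bytes on the wire are WebSocket frames, and every client-to-server frame is XOR-masked with the 4-byte key carried in its own header (RFC 6455 §5.3), which is why the `DefaultParser` dumps above do not read as text. The frame header also tells you whether the negotiated `permessage-deflate` extension was actually applied: compression is signalled per message by the RSV1 bit, and in all three dumps the first byte is `0x81`/`0x89` (RSV1 clear), so those payloads are only masked, not deflated. The decoder below parses the three frames exactly as posted, unmasks them, and inflates any frame that does set RSV1 (the `build_frame`/`deflate_message` helpers exist only to construct such a frame for testing; no compressed frame appears on the page).

```python
import struct
import zlib

# Client -> server frames copied byte-for-byte from the eCapture "DefaultParser" dumps in the issue.
CAPTURED_FRAMES = [
    bytes.fromhex("818edb40e4f893258894b46cc4abbe32929da961"),                                  # "writer", Length:146
    bytes.fromhex("8980b3b8353c"),                                                              # "ping",   Length:69
    bytes.fromhex("81a03cf2a2646c97d00d5396cb071c9fc7174f93c5011c97d4014e8b82511c81c707539cc617"),  # "writer", Length:227
]

OPCODES = {0x0: "continuation", 0x1: "text", 0x2: "binary",
           0x8: "close", 0x9: "ping", 0xA: "pong"}


def parse_frame(buf, offset=0):
    """Parse one RFC 6455 frame at buf[offset]. Returns (frame dict, offset of the next frame)."""
    b0, b1 = buf[offset], buf[offset + 1]
    fin, rsv1, opcode = bool(b0 & 0x80), bool(b0 & 0x40), b0 & 0x0F
    masked, length = bool(b1 & 0x80), b1 & 0x7F
    pos = offset + 2
    if length == 126:                       # 16-bit extended payload length
        (length,) = struct.unpack_from("!H", buf, pos)
        pos += 2
    elif length == 127:                     # 64-bit extended payload length
        (length,) = struct.unpack_from("!Q", buf, pos)
        pos += 8
    mask = b""
    if masked:                              # client->server frames must carry a 4-byte masking key
        mask = buf[pos:pos + 4]
        pos += 4
    payload = buf[pos:pos + length]
    if len(payload) != length:
        raise ValueError("truncated frame")
    if masked:                              # unmask: payload[i] XOR key[i mod 4]
        payload = bytes(c ^ mask[i % 4] for i, c in enumerate(payload))
    frame = {"fin": fin, "rsv1": rsv1, "opcode": OPCODES.get(opcode, hex(opcode)),
             "masked": masked, "payload": payload}
    return frame, pos + length


def inflate_message(payload):
    """permessage-deflate (RFC 7692 7.2.2): raw DEFLATE; the sender stripped the 00 00 ff ff tail."""
    d = zlib.decompressobj(wbits=-zlib.MAX_WBITS)
    return d.decompress(payload + b"\x00\x00\xff\xff") + d.flush()


def decode_frame(raw):
    """Return (opcode name, rsv1 set?, payload): unmasked, inflated when RSV1 is set, text decoded."""
    frame, _ = parse_frame(raw)
    data = frame["payload"]
    if frame["rsv1"] and frame["opcode"] in ("text", "binary"):
        data = inflate_message(data)
    if frame["opcode"] == "text":
        data = data.decode("utf-8", errors="replace")
    return frame["opcode"], frame["rsv1"], data


def deflate_message(data):
    """Compress one message the permessage-deflate way (test helper; not on the page)."""
    c = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    out = c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH)
    return out[:-4] if out.endswith(b"\x00\x00\xff\xff") else out


def build_frame(opcode, payload, mask_key=None, rsv1=False):
    """Build a single FIN frame, masked if mask_key is given (test helper; not on the page)."""
    b0 = 0x80 | (0x40 if rsv1 else 0) | opcode
    n = len(payload)
    if n < 126:
        header = bytes([b0, n])
    elif n < 65536:
        header = bytes([b0, 126]) + struct.pack("!H", n)
    else:
        header = bytes([b0, 127]) + struct.pack("!Q", n)
    if mask_key:
        header = bytes([header[0], header[1] | 0x80]) + header[2:] + mask_key
        payload = bytes(c ^ mask_key[i % 4] for i, c in enumerate(payload))
    return header + payload


if __name__ == "__main__":
    for raw in CAPTURED_FRAMES:
        print(decode_frame(raw))
```

Run as-is and the three dumps decode to a text frame, an empty ping, and a second text frame. Masking is not confidentiality (the key sits in the frame), so a capture made after TLS decryption, like eCapture's, exposes the plaintext to anyone who strips it; the same parser also applies to server-to-client frames, which are unmasked, and to any frame with RSV1 set once the extension is actually in use.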

ReverseFeng (Author) commented:

Okay, I'll try. Thank you~~~

ReverseFeng (Author) commented:

Hi, I tried it, but it looks like this in the pcapng and there is no decrypted content. How should I view the content after decryption?

[Image: screenshot of the pcapng file]

ReverseFeng (Author) commented Feb 11, 2025

This is the log from running the command:

 ./ecapture tls  -m pcap -i wlan0 --pcapfile=ecaecapture.pcapng tcp port 443
2025-02-11T08:38:05Z INF AppName="eCapture(旁观者)"
2025-02-11T08:38:05Z INF HomePage=https://ecapture.cc
2025-02-11T08:38:05Z INF Repository=https://github.com/gojue/ecapture
2025-02-11T08:38:05Z INF Author="CFC4N <[email protected]>"
2025-02-11T08:38:05Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2025-02-11T08:38:05Z INF Version=androidgki_arm64:v0.9.3:6.5.0-1025-azure
2025-02-11T08:38:05Z INF Listen=localhost:28256
2025-02-11T08:38:05Z INF eCapture running logs logger=
2025-02-11T08:38:05Z INF the file handler that receives the captured event eventCollector=
2025-02-11T08:38:05Z INF Kernel Info=5.10.149 Pid=6562
2025-02-11T08:38:05Z INF listen=localhost:28256
2025-02-11T08:38:05Z INF https server starting...You can upgrade the configuration file via the HTTP interface.
2025-02-11T08:38:05Z WRN Your environment is like a container. We won't be able to detect the BTF configuration.
If eCapture fails to run, try specifying the BTF mode. use `-b 2` to specify non-CORE mode.
2025-02-11T08:38:05Z INF BTF bytecode mode: CORE. btfMode=0
2025-02-11T08:38:05Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2025-02-11T08:38:05Z INF Module.Run()
2025-02-11T08:38:05Z ERR OpenSSL/BoringSSL version not found, used default version.If you want to use the specific version, please set the sslVersion parameter with "--ssl_version='boringssl_a_13'" , "--ssl_version='boringssl_a_14'", or use "ecapture tls --help" for more help.
2025-02-11T08:38:05Z ERR bpfFile=boringssl_a_13_kern.o sslVersion=android_default
2025-02-11T08:38:05Z INF HOOK type:Openssl elf ElfType=2 IFindex=47 IFname=wlan0 PcapFilter="tcp port 443" binrayPath=/apex/com.android.conscrypt/lib64/libssl.so
2025-02-11T08:38:05Z INF Hook masterKey function Functions=["SSL_in_init"]
2025-02-11T08:38:05Z INF target all process.
2025-02-11T08:38:05Z INF target all users.
2025-02-11T08:38:05Z INF setupManagers eBPFProgramType=PcapNG
2025-02-11T08:38:05Z INF packets saved into pcapng file. pcapng path=/data/local/tmp/ecaecapture.pcapng
2025-02-11T08:38:05Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_a_13_kern_core.o
2025-02-11T08:38:06Z INF perfEventReader created mapSize(MB)=4
2025-02-11T08:38:06Z INF perfEventReader created mapSize(MB)=4
2025-02-11T08:38:06Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
2025-02-11T08:38:09Z INF CLIENT_RANDOM save success CLientRandom=b7fe4ef57b165fdbc72c059ae17321631dfc4cc597a6f6cfb3157b135462e488 bytes=938 eBPFProgramType=PcapNG sslVersion=TLS1_3_VERSION
2025-02-11T08:38:11Z INF packets saved into pcapng file. count=1
2025-02-11T08:38:21Z INF packets saved into pcapng file. count=4
2025-02-11T08:38:23Z INF packets saved into pcapng file. count=2
2025-02-11T08:38:27Z INF packets saved into pcapng file. count=2
2025-02-11T08:38:35Z INF packets saved into pcapng file. count=1
2025-02-11T08:38:37Z INF packets saved into pcapng file. count=1
2025-02-11T08:38:53Z INF packets saved into pcapng file. count=2
2025-02-11T08:38:55Z INF packets saved into pcapng file. count=2
2025-02-11T08:38:57Z INF packets saved into pcapng file. count=1
2025-02-11T08:39:01Z INF packets saved into pcapng file. count=1
2025-02-11T08:39:09Z INF packets saved into pcapng file. count=1
^C2025-02-11T08:39:18Z INF module close.
2025-02-11T08:39:18Z INF Module closed,message recived from Context
2025-02-11T08:39:18Z INF packets saved into pcapng file. count=18
2025-02-11T08:39:18Z INF iModule module close
2025-02-11T08:39:18Z INF bye bye.

cfc4n (Member) commented Feb 11, 2025

As shown in the picture, you will see the record on the light green background.
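Editor's note with an added example (not part of the thread and not eCapture code): when a pcapng written in pcap mode shows no decrypted records in Wireshark, the first thing to check is whether the file actually carries the TLS secrets. The log above reports `CLIENT_RANDOM save success ... eBPFProgramType=PcapNG`, and the assumption here is that pcap mode embeds those secrets in a pcapng Decryption Secrets Block (DSB, secrets type `TLSK`, the same key-log format Wireshark reads). The script below walks the pcapng block structure, extracts every `CLIENT_RANDOM` line from the DSBs, and checks for a given client random; the embedded sample file is constructed inline (the client random is the one from the log, the 96-hex-digit secret after it is a placeholder, since the real secret is not on the page).

```python
import struct

SHB_TYPE = 0x0A0D0D0A          # Section Header Block
DSB_TYPE = 0x0000000A          # Decryption Secrets Block
TLS_KEYLOG = 0x544C534B        # secrets type "TLSK": a TLS key log in SSLKEYLOGFILE format
BYTE_ORDER_MAGIC = 0x1A2B3C4D

# Client random from the eCapture log above; the secret is a constructed placeholder.
SAMPLE_CLIENT_RANDOM = "b7fe4ef57b165fdbc72c059ae17321631dfc4cc597a6f6cfb3157b135462e488"
SAMPLE_KEYLOG = ("CLIENT_RANDOM " + SAMPLE_CLIENT_RANDOM + " " + "ab" * 48 + "\n").encode()


def _pad4(n):
    return (n + 3) & ~3


def _block(btype, body, endian="<"):
    """Wrap a body in pcapng block framing: type, total length, body (padded to 4), total length."""
    padded = body + b"\x00" * (_pad4(len(body)) - len(body))
    total = 12 + len(padded)
    return struct.pack(endian + "II", btype, total) + padded + struct.pack(endian + "I", total)


def build_sample_pcapng(keylog):
    """Constructed minimal capture: one SHB followed by one TLSK DSB carrying `keylog`."""
    shb_body = struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1)   # magic, version 1.0, section length unknown
    dsb_body = struct.pack("<II", TLS_KEYLOG, len(keylog)) + keylog
    return _block(SHB_TYPE, shb_body) + _block(DSB_TYPE, dsb_body)


def iter_blocks(data):
    """Yield (endian, block type, body) for every block; each SHB's magic fixes the byte order."""
    endian, pos = "<", 0
    while pos + 8 <= len(data):
        btype = struct.unpack_from("<I", data, pos)[0]
        if btype == SHB_TYPE:                 # 0x0A0D0D0A reads the same in either byte order
            magic = struct.unpack_from("<I", data, pos + 8)[0]
            endian = "<" if magic == BYTE_ORDER_MAGIC else ">"
        else:
            btype = struct.unpack_from(endian + "I", data, pos)[0]
        total = struct.unpack_from(endian + "I", data, pos + 4)[0]
        if total < 12 or total % 4 or pos + total > len(data):
            raise ValueError(f"malformed pcapng block at offset {pos}")
        yield endian, btype, data[pos + 8:pos + total - 4]
        pos += total


def tls_keylog_entries(data):
    """Map CLIENT_RANDOM (hex) -> secret (hex) for every TLSK DSB in the file."""
    entries = {}
    for endian, btype, body in iter_blocks(data):
        if btype != DSB_TYPE:
            continue
        stype, slen = struct.unpack_from(endian + "II", body, 0)
        if stype != TLS_KEYLOG:
            continue
        for line in body[8:8 + slen].decode("ascii", errors="replace").splitlines():
            parts = line.split()
            if len(parts) == 3 and parts[0] == "CLIENT_RANDOM":
                entries[parts[1].lower()] = parts[2].lower()
    return entries


def has_secret_for(data, client_random_hex):
    """True if the capture carries a key-log entry for this ClientHello random."""
    return client_random_hex.lower() in tls_keylog_entries(data)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_pcapng(SAMPLE_KEYLOG)
    found = tls_keylog_entries(data)
    print(f"{len(found)} CLIENT_RANDOM entries in DSBs")
    print("log's client random present:", has_secret_for(data, SAMPLE_CLIENT_RANDOM))
```

Run it with the path to the real file (e.g. `python check_dsb.py ecaecapture.pcapng`, the script name being hypothetical) and compare the listed client randoms with the `CLIENT_RANDOM save success` lines in the log. If the DSB is missing, Wireshark can still decrypt when you point `Edit > Preferences > Protocols > TLS > (Pre)-Master-Secret log filename` at a key-log file with the same lines. Two further checks a practitioner would make from the log above: Wireshark only decrypts a session whose ClientHello is in the capture, since that is where it reads the client random to match against the key log; and the run used `PcapFilter="tcp port 443"`, while the WebSocket in the first post was served from `192.168.50.48:8765`, which that filter does not match.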
