Comment by iamcreasy
1 year ago
Cool!
> It uses EBPF to achieve zero-configuration sniffing of TLS-encrypted traffic.
Can someone ELI5 this?
I won't explain what eBPF is because Google can do a better job of that than me, but essentially this program hooks into the low-level system calls being made by your programs, so it's able to grab unencrypted network traffic before it's encrypted and sent over the network. "Zero-configuration" here means you don't have to do much manual configuration to get this working.
Huh, is TLS being handled in the kernel these days? I thought most systems still used usermode libraries.
I'm using the term "low level system calls" loosely here since the poster asked for ELI5. Trayce actually uses a combination of kprobes for system calls and uprobes to monitor calls to OpenSSL or the Go crypto/tls package. More details are here: https://github.com/evanrolfe/trayce_agent/blob/main/docs/REA...
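To make the uprobe half of that description concrete, here is an added illustration (not Trayce's code): a bpftrace script that attaches to OpenSSL's SSL_write and SSL_read inside whatever process has libssl loaded and reports which process is calling and how many plaintext bytes cross the TLS boundary, without copying the buffer itself. The libssl path and the `.so.3` soname are assumptions for a Debian/Ubuntu x86_64 host; use `ldd` on your binary to find the library it actually loads.

```bpftrace
#!/usr/bin/env bpftrace
// Added example, not part of Trayce. Library path below is an assumption
// for Debian/Ubuntu on x86_64; adjust it to the libssl your target loads.

// SSL_write(SSL *ssl, const void *buf, int num): arg2 is the plaintext length
// the application is about to hand to OpenSSL, i.e. before encryption.
uprobe:/usr/lib/x86_64-linux-gnu/libssl.so.3:SSL_write
{
  printf("%-16s pid=%-6d SSL_write  %d plaintext bytes about to be encrypted\n",
         comm, pid, arg2);
}

// SSL_read(SSL *ssl, void *buf, int num): the decrypted byte count is only
// known when the call returns, so use a uretprobe and filter out errors/EOF.
uretprobe:/usr/lib/x86_64-linux-gnu/libssl.so.3:SSL_read
/retval > 0/
{
  printf("%-16s pid=%-6d SSL_read   %d plaintext bytes just decrypted\n",
         comm, pid, retval);
}
```

Run it as root while a TLS client such as curl is active; because the probe sits on the library function rather than on the socket, it observes data on the cleartext side of TLS, which is also why an unexpected uprobe on libssl is a useful thing to alert on in a hardened environment.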
IIRC eBPF is an enhanced version of the Berkeley Packet Filter. In this scenario I believe it is being used for sandboxing a low-level process to allow for TLS "decryption" on network connections related to Docker.