Comment by ev_dev3
1 year ago
I won't explain what eBPF is because Google can do a better job of that than me, but essentially this program hooks into the low-level system calls being made by your programs, so it's able to grab unencrypted network traffic before it's encrypted and sent over the network. "Zero-configuration" here means you don't have to do much manual configuration to get this working.
Huh, is TLS being handled in the kernel these days? I thought most systems still used usermode libraries.
I'm using the term "low level system calls" loosely here since the poster asked for ELI5. Trayce actually uses a combination of kprobes for system calls and uprobes to monitor calls to OpenSSL or the Go crypto/tls package. More details are here: https://github.com/evanrolfe/trayce_agent/blob/main/docs/REA...
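As an added illustration of the uprobe mechanism described above (example code, not Trayce's own agent): a bpftrace script that attaches to OpenSSL's `SSL_write` and `SSL_read` in user space, where the data is still plaintext, and logs which process moved how many unencrypted bytes. The library path and the `libssl.so.3` soname are assumptions; adjust them for your distribution.

```bpftrace
#!/usr/bin/env bpftrace
// Added example, not Trayce's code. Library path is an assumption.
// SSL_write(SSL *s, const void *buf, int num): arg2 is the plaintext length
// handed to OpenSSL before any TLS record encryption happens.
uprobe:/usr/lib/x86_64-linux-gnu/libssl.so.3:SSL_write
{
  printf("%-16s pid=%d SSL_write %d plaintext bytes\n", comm, pid, arg2);
}

// SSL_read returns the number of already-decrypted bytes placed in the
// caller's buffer, so the count is only known at function return.
uretprobe:/usr/lib/x86_64-linux-gnu/libssl.so.3:SSL_read
/retval > 0/
{
  printf("%-16s pid=%d SSL_read  %d plaintext bytes\n", comm, pid, retval);
}
```

Statically linked programs and Go's crypto/tls never call into libssl, which is why a tool like this needs separate uprobes on the Go runtime's own functions.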