Tracing TLS Traffic — eBPF style

Bruno Teixeira
9 min read · Jun 6, 2022

Introduction

TLS traffic inspection: the holy grail for a troubleshooter deep in the network stack scratching their head in despair, or, for a more ill-intentioned user, a chance to steal confidential data and profit from it on the black market.

Let me clarify before we move on. This article does not showcase or explain any way to intercept TLS traffic with a man-in-the-middle setup. TLS is designed for end-to-end encryption, so without the session keys there is no realistic way to decrypt captured traffic from a target that uses up-to-date protocol versions and cipher suites.

However, if we have access to the host, or in this particular scenario to the Linux kernel that is running the application, then the game changes completely.

In this short article, we will show how to capture TLS communications in plaintext, with no awareness of or extra instrumentation in the client-side application, and no TLS proxy standing in between.
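To make the claim concrete before going further: the standard way to get plaintext out of a TLS session with kernel access is to attach user-space probes (uprobes, which are eBPF programs) to the TLS library's read and write entry points, where the buffer is still unencrypted. The bpftrace script below is an added example written for this page, not the author's code and not necessarily the tool the article itself uses. It assumes the target dynamically links OpenSSL's libssl at /usr/lib/x86_64-linux-gnu/libssl.so.3 (check with `ldd` on the target binary and adjust the path), and that you can run bpftrace as root on a kernel with uprobe support.

```bpftrace
#!/usr/bin/env bpftrace
// Added example: dump plaintext passing through OpenSSL's SSL_write/SSL_read
// using uprobes. The libssl path is an assumption for this example; confirm
// the symbols exist first with:
//   bpftrace -l 'uprobe:/usr/lib/x86_64-linux-gnu/libssl.so.3:SSL_*'
// Run as root:  bpftrace tls_trace.bt   (optionally -p <pid> to limit scope)

BEGIN
{
    printf("Tracing SSL_write/SSL_read plaintext... Ctrl-C to stop\n");
}

// int SSL_write(SSL *ssl, const void *buf, int num)
// buf holds the application's plaintext before it is encrypted, so the
// entry probe is enough here.
uprobe:/usr/lib/x86_64-linux-gnu/libssl.so.3:SSL_write
{
    printf("=> SSL_write pid=%d comm=%s len=%d\n%s\n",
           pid, comm, arg2, str(arg1, arg2));
}

// int SSL_read(SSL *ssl, void *buf, int num)
// buf is only filled on return, so remember the pointer per thread at entry
// and read it in the return probe, where retval is the decrypted byte count.
uprobe:/usr/lib/x86_64-linux-gnu/libssl.so.3:SSL_read
{
    @rbuf[tid] = arg1;
}

uretprobe:/usr/lib/x86_64-linux-gnu/libssl.so.3:SSL_read
/@rbuf[tid] != 0/
{
    // retval <= 0 means error or SSL_ERROR_WANT_READ, nothing to print
    if (retval > 0) {
        printf("<= SSL_read  pid=%d comm=%s len=%d\n%s\n",
               pid, comm, retval, str(@rbuf[tid], retval));
    }
    delete(@rbuf[tid]);
}

END
{
    clear(@rbuf);
}
```

Two caveats a practitioner should know before trusting the output. First, `str()` is capped by `BPFTRACE_STRLEN` (64 bytes by default), so long HTTP bodies are truncated unless you raise it, for example `BPFTRACE_STRLEN=200 bpftrace tls_trace.bt`; binary payloads will also print as garbage because the output is treated as a C string. Second, this only sees traffic that actually goes through these two symbols: programs using `SSL_write_ex`/`SSL_read_ex`, a different library (GnuTLS, NSS, BoringSSL), or a statically linked TLS stack such as Go's `crypto/tls` need probes on their own functions, which is exactly why such tracing requires knowing the target rather than defeating TLS itself.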

<Insert Dramatic Music>

eBPF — The Dark Knowledge


Bruno Teixeira

Principal Cloud Engineer with a distributed systems background, a passion for working with the bleeding edge and an unhealthy obsession with automation.