IP information captured by ecapture is all 0.0.0.0 #908

@5crat

Describe the bug
Hello, while testing ecapture I found that it cannot obtain IP information; the printed Src and Dest are both 0.0.0.0.

Below is the run log:
```
2025-12-30T14:02:45+08:00 INF AppName="eCapture(旁观者)"
2025-12-30T14:02:45+08:00 INF HomePage=https://ecapture.cc
2025-12-30T14:02:45+08:00 INF Repository=https://github.com/gojue/ecapture
2025-12-30T14:02:45+08:00 INF Author="CFC4N cfc4ncs@gmail.com"
2025-12-30T14:02:45+08:00 INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2025-12-30T14:02:45+08:00 INF Version=linux_amd64:v1.5.2-20251227-ca085d0:5.15.0-164-generic
2025-12-30T14:02:45+08:00 INF Listen=localhost:28256
2025-12-30T14:02:45+08:00 INF Listen for eCaptureQ=
2025-12-30T14:02:45+08:00 INF eCapture running logs logger=
2025-12-30T14:02:45+08:00 INF the file handler that receives the captured event eventCollector=
2025-12-30T14:02:45+08:00 INF listen=localhost:28256
2025-12-30T14:02:45+08:00 INF https server starting...You can upgrade the configuration file via the HTTP interface.
2025-12-30T14:02:45+08:00 WRN Kernel version is less than 5.2, Process filtering parameters do not take effect such as pid/uid. kernel=4.19.90
2025-12-30T14:02:45+08:00 INF Kernel Info=4.19.90 Pid=9151
2025-12-30T14:02:45+08:00 INF TruncateSize=0 Unit=bytes
2025-12-30T14:02:45+08:00 WRN Your environment is like a container. We won't be able to detect the BTF configuration.
If eCapture fails to run, try specifying the BTF mode. use '-b 2' to specify non-CORE mode.
2025-12-30T14:02:45+08:00 INF BTF bytecode mode: CORE. btfMode=0
2025-12-30T14:02:45+08:00 INF master key keylogger has been set. eBPFProgramType=Text keylogger=
2025-12-30T14:02:45+08:00 INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2025-12-30T14:02:45+08:00 INF Module.Run()
2025-12-30T14:02:45+08:00 INF origin versionKey="openssl 1.1.1f" versionKeyLower="openssl 1.1.1f"
2025-12-30T14:02:45+08:00 INF OpenSSL/BoringSSL version found Android=false library version="openssl 1.1.1f"
2025-12-30T14:02:45+08:00 INF Hook masterKey function ElfType=2 Functions=["SSL_get_wbio","SSL_in_before","SSL_do_handshake"] binrayPath=/usr/lib64/libssl.so.1.1
2025-12-30T14:02:45+08:00 WRN Your kernel version is less than 5.2, GlobalVar is disabled, the following parameters will be ignored:[target_pid, target_uid, target_port]
2025-12-30T14:02:45+08:00 INF setupManagers eBPFProgramType=Text
2025-12-30T14:02:45+08:00 INF BPF bytecode file is matched. bpfFileName=user/bytecode/openssl_1_1_1d_kern_core.o
2025-12-30T14:02:46+08:00 INF perfEventReader created mapSize(MB)=4
2025-12-30T14:02:46+08:00 INF perfEventReader created mapSize(MB)=4
2025-12-30T14:02:46+08:00 INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
2025-12-30T14:02:58+08:00 ??? PID:7608, Comm:httpd, Src:0.0.0.0:0, Dest:0.0.0.0:0,
GET /aaaa HTTP/1.1
Host: 192.168.230.140
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,pl;q=0.5
Connection: keep-alive
Sec-Ch-Ua: "Microsoft Edge";v="143", "Chromium";v="143", "Not A(Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36 Edg/143.0.0.0

2025-12-30T14:02:58+08:00 ??? PID:7608, Comm:httpd, Src:0.0.0.0:0, Dest:0.0.0.0:0,
HTTP/1.1 404 Not Found
Content-Length: 196
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Date: Tue, 30 Dec 2025 06:02:57 GMT
Keep-Alive: timeout=5, max=100
Server: Apache

<title>404 Not Found</title>

Not Found

The requested URL was not found on this server.
```

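This test was carried out in a VMware virtual machine. The virtual machine runs a Linux system; httpd was installed via yum, the configuration file was modified to enable HTTPS, and the virtual machine's HTTPS service was then accessed directly from the host machine. The IP information in the log is all 0.0.0.0.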

  • Device: Kylin-V10-Sp3
  • Kernel Info: 4.19.90-89.11.v2401.ky10.x86_64
  • eCapture Version: linux_amd64:v1.5.2-20251227-ca085d0:5.15.0-164-generic
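
An added example, not part of the original issue or of eCapture's own code: a small Go parser for the event header lines shown in the log above, which flags events whose Src/Dest tuple came back unresolved (0.0.0.0 or port 0). The header layout is taken from this log; the second sample event, its timestamp and its 192.0.2.x addresses are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
	"regexp"
)

// Event is the header eCapture prints before each captured payload.
type Event struct {
	PID      string
	Comm     string
	Src, Dst netip.AddrPort
}

// Layout taken from the log in this issue; IPv4 "addr:port" form is assumed.
var headerRe = regexp.MustCompile(`PID:(\d+), Comm:([^,\n]+), Src:([^,\s]+), Dest:([^,\s]+),`)

// Unresolved is true when either endpoint is the unspecified address or port 0.
func (e Event) Unresolved() bool {
	bad := func(ap netip.AddrPort) bool { return ap.Addr().IsUnspecified() || ap.Port() == 0 }
	return bad(e.Src) || bad(e.Dst)
}

// ParseEvents extracts event headers; startup logs and payload lines are ignored.
func ParseEvents(log string) ([]Event, error) {
	var out []Event
	for _, m := range headerRe.FindAllStringSubmatch(log, -1) {
		src, errS := netip.ParseAddrPort(m[3])
		dst, errD := netip.ParseAddrPort(m[4])
		if errS != nil || errD != nil {
			return nil, fmt.Errorf("unparseable endpoint in %q", m[0])
		}
		out = append(out, Event{m[1], m[2], src, dst})
	}
	return out, nil
}

// Constructed sample: first header as in the issue, second with made-up addresses.
const sample = `2025-12-30T14:02:58+08:00 ??? PID:7608, Comm:httpd, Src:0.0.0.0:0, Dest:0.0.0.0:0,
GET /aaaa HTTP/1.1
2025-12-30T14:02:59+08:00 ??? PID:7608, Comm:httpd, Src:192.0.2.10:51514, Dest:192.0.2.20:443,
HTTP/1.1 404 Not Found`

func main() {
	evs, _ := ParseEvents(sample)
	for _, e := range evs {
		fmt.Println(e.PID, e.Comm, e.Src, e.Dst, "unresolved:", e.Unresolved())
	}
}
```

Counting unresolved events per `Comm` over a full capture shows whether the missing tuple affects every connection or only some processes.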
