LINUX  ยท  FTRACE UPROBES  ยท  OPENSSL  ยท  ZERO EBPF

proc-trace-tls

Intercept plaintext TLS traffic before it's encrypted โ€” per-process, in real time. Shows the remote host via SNI or /proc/net/tcp. Hooks SSL_read / SSL_write via ftrace uprobes. No eBPF. No ptrace. No CA install.

๐Ÿ“ฆ Install โญ GitHub Screenshots โ†’ Usage โ†’
proc-trace-tls โ€” bash 
$ sudo proc-trace-tls -p $(pgrep curl)
proc-trace-tls v0.1.0
  lib : /lib/x86_64-linux-gnu/libssl.so.3
  pids: 14821
Watching 4 probe(s). Press Ctrl-C to stop.

14:23:01.441  14821  curl      RX  SSL_read     api.github.com:443
14:23:01.442  14821  curl      TX  SSL_write    api.github.com:443
14:23:01.449  14821  curl      RX  SSL_read     api.github.com:443
14:23:01.458  14905  python3   TX  SSL_write    pypi.org:443
14:23:01.462  14905  python3   RX  SSL_read_ex  pypi.org:443
^C
captured 5 TLS events
CAPABILITIES
๐Ÿ”“

Plaintext Before Crypto

Hooks SSL_read / SSL_write at the function boundary โ€” you see data exactly as the application sees it, before OpenSSL touches it.

๐Ÿ“

ftrace Uprobes

Uses the kernel's built-in uprobe infrastructure via /sys/kernel/debug/tracing. Available on every Linux distro since kernel 4.17 โ€” no eBPF, no kernel modules, no extra packages.

๐ŸŽฏ

Per-Process Filter

Use -p PID[,PID,...] to watch only specific processes, or omit it to catch all TLS calls system-wide.

๐ŸŒ

Remote Host Resolution

Shows the hostname being connected to on every event. Uses SNI from SSL_get_servername first; falls back to /proc/<pid>/net/tcp + reverse DNS for non-SNI connections. Use -R to show raw IPs.

๐Ÿ›ก๏ธ

Bypasses Cert Pinning

Works regardless of cipher suite or certificate pinning. The uprobe fires on the function, not the network packet โ€” TLS fingerprinting and pinning are irrelevant.

๐Ÿ”Œ

Zero Dependencies

Single static binary. Requires only debugfs (mounted by default) and root. No BCC tools. No kernel headers. No Python.

WHY THIS EXISTS

See what your app is actually sending over HTTPS

Every HTTPS request your app makes is encrypted. But somewhere between your application code and the network, there's a moment when the data is plaintext โ€” right at the OpenSSL function boundary.

Existing approaches are painful: MitM proxies break cert pinning. Wireshark needs TLS key material. strace works but is slow and verbose. eBPF-based tools like bcc/ssl_sniff require kernel headers and a working BCC install.

proc-trace-tls uses the same kernel mechanism as eBPF uprobes โ€” but accessed via the much simpler ftrace interface that's been in every kernel since 4.17, with no compiler, no headers, and no extra packages.

How it works in one sentence: ftrace uprobes insert a kernel hook at the entry point of SSL_read / SSL_write in libssl.so; proc-trace-tls reads the resulting event stream from /sys/kernel/debug/tracing/trace_pipe.
Architecture diagram
App โ†’ libssl.so:SSL_write
โ†“ [ uprobe hook ]
ftrace trace_pipe
โ†“
proc-trace-tls
โ€” โ€” โ€” โ€” โ€” โ€” โ€” โ€” โ€” โ€” โ€”
ciphertext โ†’ ๐ŸŒ network
VS THE ALTERNATIVES
Tool Mechanism eBPF req. Affects app Cert pinning Static binary
proc-trace-tls ftrace uprobes โœ“ no โœ“ no โœ“ works โœ“ yes
bcc ssl_sniff eBPF uprobes โœ— required โœ“ no โœ“ works โœ— no
mitmproxy MitM proxy โœ“ no โœ— yes โœ— breaks โœ“ yes
ssldump pcap + key file โœ“ no โœ“ no โœ— needs keys โœ“ yes
strace -e read ptrace โœ“ no โœ— slow โœ“ works โœ“ yes
USE CASES
๐Ÿ”

Security Research

See exactly what a binary sends over HTTPS without setting up a proxy or installing a custom CA. Works even with certificate pinning.

๐Ÿ›

API Debugging

Inspect the raw HTTP/1.1 frames your application sends and receives โ€” without modifying the app, its config, or its certificate store.

๐Ÿ“ฆ

Third-Party Auditing

Verify what a closed-source binary transmits before you trust it. See every TLS call it makes, what it reads, and what it writes.

๐Ÿ”

Incident Response

On a compromised host, see exactly what malware exfiltrates over HTTPS without needing to decrypt the packet capture.

๐ŸŽ“

Learning TLS

Watch the actual HTTP request / response plaintext flow in real time. A hands-on way to understand what lives inside a TLS connection.

๐Ÿค–

Automated Monitoring

Pipe events to a log file with -o for long-running monitoring. Integrate with alerting pipelines to catch unexpected data exfiltration.