Version

ecapture v1.3.1

Environment

• Ubuntu 25.04 (VirtualBox VM, ARM64)
• Kernel: 6.14.0-28-generic
• OpenSSL: 3.x

Bug Description

ecapture captures only ~25% of actual HTTPS traffic, losing 75% of packets consistently.

Steps to Reproduce

1. Start ecapture:

sudo ./ecapture tls \
    --libssl=/usr/lib/aarch64-linux-gnu/libssl.so.3 \
    -m pcap \
    -i enp0s10 \
    --pcapfile=test.pcapng \
    --mapsize=32768 \
    tcp port 443

2. Generate HTTPS traffic:

wrk -t2 -c4 -d300s https://192.168.10.145
# Sends 25,333 HTTP requests

3. Check captured packets:

tshark -r test.pcapng -Y "http.request" | wc -l
# Result: 5,930 (only 23.4% captured)

Actual Results

• wrk sent: 25,333 requests
• ecapture captured: 5,930 requests
• Loss rate: 76.6%

Expected Results

Should capture nearly 100% of packets with 32MB buffer and only 84 RPS traffic.

Additional Data

1. Packet Loss

Test with different configurations all show ~75% loss:

2. HTTP Request/Response Pairing Severely Broken

Even for the 25% packets that were captured, HTTP request/response pairing is completely broken:

Total HTTP Requests captured: 5,930
Total HTTP Responses captured: 5,079
Successfully paired: 879
Pairing rate: 15.97% (should be close to 100%)

Examples of extreme imbalance in TCP streams:

• Stream 21: 1000 requests, 1 response (missing 999 responses)
• Stream 18: 1000 requests, 2 responses (missing 998 responses)
• Stream 17: 23 requests, 1000 responses (missing 977 requests)
• Stream 28: 48 requests, 1000 responses (missing 952 requests)

This suggests packets are being randomly dropped, breaking the integrity of TCP connections.

Logs

No error messages in ecapture logs. The tool appears to run normally but silently loses packets.

System Info

uname -a
# Linux VboxUbuntu2504 6.14.0-28-generic #28-Ubuntu SMP PREEMPT_DYNAMIC Wed Jul 23 11:44:20 UTC 2025 aarch64 aarch64 aarch64 GNU/Linux