Making encrypted Java traffic observable with eBPF
How-ToDevOps

via Dev.to DevOpsCoroot

Coroot's open source node agent uses eBPF to capture network traffic at the kernel level. It hooks into syscalls like read and write, reads the first bytes of each payload, and detects the protocol: HTTP, MySQL, PostgreSQL, Redis, Kafka, and others. This works for any language and any framework without touching application code.

For encrypted traffic, we attach eBPF uprobes to TLS library functions like SSL_write and SSL_read in OpenSSL, crypto/tls in Go, and rustls in Rust. The uprobes fire before encryption or after decryption, so we see the plaintext.

Java is different. And it has been a blind spot until now.

Why Java is special

Java's TLS implementation (JSSE) is not a native shared library. It's Java code that runs inside the JVM. There are no exported symbols like SSL_write that eBPF could attach to. So when a Java app connects to MySQL or PostgreSQL over TLS, or makes HTTPS calls, eBPF tools cannot see the plaintext. All they see at the syscall level is encrypted data.

Our app
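The classification step the article describes, first bytes of a read()/write() buffer in, protocol name out, as an added example. This is illustrative code written for this page, not Coroot's agent, and the sample payloads are constructed by hand; the heuristics (header length checks, known command codes, a generous Kafka api_key bound) are this example's own choices, not the agent's. It also shows the blind spot the article is about: a TLS record is recognised as TLS and nothing more, which is all a syscall-level hook sees when a Java client encrypts with JSSE.

```python
"""Protocol detection from the first bytes of a socket payload (example, not Coroot's code)."""
import re
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")
# MySQL client command codes: COM_QUIT, COM_QUERY, COM_PING, COM_STMT_PREPARE, COM_STMT_EXECUTE
MYSQL_COMMANDS = {0x01, 0x03, 0x0E, 0x16, 0x17}
MYSQL_GREETING_PROTOCOL = 0x0A  # first payload byte of the server handshake packet
# PostgreSQL message type bytes seen in v3 frontend/backend traffic (after the startup message)
PG_MESSAGE_TYPES = set(b"QPBEDSXCHFpRTZNKA")
PG_PROTOCOL_V3 = 196608      # 0x00030000
PG_SSL_REQUEST = 80877103    # 0x04d2162f
KAFKA_MAX_API_KEY = 80       # assumption: generous upper bound for known api_key values
KAFKA_MAX_API_VERSION = 20   # assumption: generous upper bound for api_version


def is_tls(p: bytes) -> bool:
    # TLS record: content type (change_cipher_spec/alert/handshake/application_data), version 0x03xx
    return len(p) >= 3 and p[0] in (0x14, 0x15, 0x16, 0x17) and p[1] == 0x03 and p[2] <= 0x04


def is_http(p: bytes) -> bool:
    if p.startswith(b"HTTP/1.") or p.startswith(b"PRI * HTTP/2.0"):
        return True
    return p.startswith(HTTP_METHODS) and b" HTTP/1." in p[:256]


def is_redis(p: bytes) -> bool:
    # RESP command array ("*2\r\n$3\r\nGET\r\n...") or a simple reply (+OK, -ERR, :1)
    if re.match(rb"\*\d+\r\n\$\d+\r\n", p):
        return True
    return p[:1] in (b"+", b"-", b":") and b"\r\n" in p[:64]


def is_postgres(p: bytes) -> bool:
    if len(p) >= 8:
        length, code = struct.unpack("!II", p[:8])
        if length == len(p) and code in (PG_PROTOCOL_V3, PG_SSL_REQUEST):
            return True  # untyped startup message or SSLRequest
    if len(p) >= 5 and p[0] in PG_MESSAGE_TYPES:
        length = struct.unpack("!I", p[1:5])[0]
        # length covers itself but not the type byte; allow several messages in one write()
        return 4 <= length <= len(p) - 1
    return False


def is_kafka(p: bytes) -> bool:
    if len(p) < 12:
        return False
    size, api_key, api_version, correlation_id = struct.unpack("!ihhi", p[:12])
    return (size == len(p) - 4 and 0 <= api_key <= KAFKA_MAX_API_KEY
            and 0 <= api_version <= KAFKA_MAX_API_VERSION and correlation_id >= 0)


def is_mysql(p: bytes) -> bool:
    if len(p) < 5:
        return False
    length = p[0] | (p[1] << 8) | (p[2] << 16)  # 3-byte little-endian payload length, then sequence id
    return length == len(p) - 4 and (p[4] in MYSQL_COMMANDS or p[4] == MYSQL_GREETING_PROTOCOL)


def detect(payload: bytes) -> str:
    """Return the protocol name for the leading bytes of one read()/write() buffer."""
    for name, check in (("tls", is_tls), ("http", is_http), ("redis", is_redis),
                        ("postgresql", is_postgres), ("kafka", is_kafka), ("mysql", is_mysql)):
        if check(payload):
            return name
    return "unknown"


def _pg_query(sql: bytes) -> bytes:
    body = sql + b"\x00"
    return b"Q" + struct.pack("!I", 4 + len(body)) + body


def _pg_startup(params: bytes) -> bytes:
    return struct.pack("!II", 8 + len(params), PG_PROTOCOL_V3) + params


def _kafka_request(api_key: int, version: int, correlation_id: int, client_id: bytes) -> bytes:
    body = struct.pack("!hhih", api_key, version, correlation_id, len(client_id)) + client_id
    return struct.pack("!i", len(body)) + body


def _mysql_command(payload: bytes) -> bytes:
    return struct.pack("<I", len(payload))[:3] + b"\x00" + payload


# Constructed sample payloads, one per protocol, plus a TLS record as seen through a JSSE socket.
SAMPLES = {
    "http": b"GET /health HTTP/1.1\r\nHost: api.internal\r\n\r\n",
    "redis": b"*2\r\n$3\r\nGET\r\n$7\r\nsession\r\n",
    "postgresql_query": _pg_query(b"SELECT 1"),
    "postgresql_startup": _pg_startup(b"user\x00app\x00database\x00app\x00\x00"),
    "kafka": _kafka_request(18, 3, 1, b"app"),  # ApiVersions request
    "mysql": _mysql_command(b"\x03SELECT 1"),   # COM_QUERY
    "java_tls": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",  # ClientHello record header
}


def classify_samples() -> dict:
    return {name: detect(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, proto in classify_samples().items():
        print(f"{name:20s} -> {proto}")
```

The order of checks matters: the loose header-only heuristics (Kafka, MySQL) run last so that a PostgreSQL Query message or an HTTP request is never misread as a MySQL packet whose length happens to match. The "java_tls" sample is the point of the article: the bytes are valid, the detector is not wrong, but without a hook inside the JVM's TLS path there is nothing further to parse.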

Continue reading on Dev.to DevOps
