Notes from the wire

Long-form deep dives on Kafka wire-level debugging, TLS visibility, and the design behind Kapture's tap mode.

  1. 01

    Decrypting Kafka TLS without a proxy

    · ~3 min read

    Why MITM proxies fall short for modern Kafka debugging, and how an in-process boundary hook captures plaintext without breaking encryption.

    kafka tls debugkafka ssl inspectkafka traffic capture
  2. 02

    Hooking SslTransportLayer via ByteBuddy

    · ~3 min read

    A concrete walkthrough of instrumenting the Kafka Java client's TLS boundary with ByteBuddy, including the two overload traps that nearly killed the POC.

  3. 03

    Why eBPF isn't needed for JVM TLS

    · ~4 min read

    When eBPF uprobes earn their cost for TLS observability, and when a Java agent does the same job with none of the operational tax.

    ebpf vs java agentjvm tls captureebpf uprobe ssl
  4. 04

    Kafka wire decode end-to-end without MITM

    · ~4 min read

    Kapture is becoming a three-mode observation platform (proxy, JVM tap, eBPF tap) sharing one Kafka wire decoder. Here is the shape that emerges.

    kafka traffic capturekafka observabilitykafka wire protocol
  5. 05

    Building dev tools that don't break TLS

    · ~5 min read

    Every dev tool that intercepts TLS pays a hidden tax. Here is what we lose, what we get back when we stop interposing, and the three techniques that observe without changing the wire.

    tls visibilitypassive tls decryptiondev tool design