Protocol Support Matrix

This guide explains what level of visibility Qtap provides for different network protocols commonly found in enterprise environments.

Quick Reference Table

* gRPC uses HTTP/2 framing (detected), but payloads are binary protobuf (not parsed as JSON/text) ** Some databases support TLS; detection depends on the specific configuration

Protocol Categories

✅ Full Visibility (HTTP/HTTPS)

Qtap provides complete application-level visibility for HTTP/1.1 and HTTP/2 traffic over HTTPS.

What You Get:

• Connection Event: Process attribution, endpoints, byte counts, TLS version

• HttpTransaction Object: Complete request and response

  • Request: method, URL, headers, body (base64-encoded)

  • Response: status code, headers, body (base64-encoded)

• ArtifactRecord Event: Transaction summary with status, duration, content types

Supported Protocols:

• Standard HTTP/1.1 over HTTPS

• HTTP/2 over HTTPS

• WebSocket upgrade requests (initial HTTP upgrade captured)

• REST APIs, GraphQL endpoints, web applications

Key Feature:

TLS inspection without proxies - Qtap uses eBPF to hook TLS libraries (OpenSSL, Go TLS, Java SSL, Node TLS) and sees plaintext data before encryption, eliminating the need for MITM proxies or certificate management.

⚠️ Partial Visibility (gRPC, WebSocket Data)

Some protocols use HTTP/2 framing but have binary or non-standard payloads.

gRPC

l7Protocol: http2 What You Get:

• HTTP/2 connection detected and framed

• Initial HTTP headers (:method, :path, :authority)

• Connection metadata, process attribution, TLS detection

What You Don't Get:

• Parsed protobuf messages (binary encoded)

• RPC method arguments or return values

• Business logic data

Why: gRPC uses HTTP/2 as transport but encodes data in binary Protocol Buffers. Qtap detects the HTTP/2 framing but cannot decode protobuf without schema definitions.

WebSocket (After Upgrade)

l7Protocol: http2 or http1 What You Get:

• Initial HTTP upgrade request (full capture)

• Connection metadata for the WebSocket session

What You Don't Get:

• WebSocket frame payloads after the upgrade

• Real-time messages sent over the WebSocket

Why: After the HTTP upgrade completes, WebSocket uses its own binary framing. Qtap captures the upgrade handshake as HTTP but does not parse the subsequent WebSocket protocol.

⚠️ Metadata Only (Databases, SSH, SMTP)

For non-HTTP protocols, Qtap captures connection-level metadata but cannot parse application-layer data.

What You Get:

• Connection Event with:

  • Source process executable path and user ID (source.exe, source.userId)

  • Destination IP, port, and resolved domain (destination.address, endpointId)

  • Byte counts (bytesSent, bytesReceived)

  • TLS version and library detection (if applicable)

  • Connection timestamps and duration

  • Traffic direction (egress, ingress, etc.)

What You Don't Get:

• SQL queries (MySQL, PostgreSQL)

• Database commands (MongoDB, Redis)

• SSH commands or terminal output

• Email message content (SMTP)

• Any application-level protocol data

Example: MySQL Connection

Interpretation: A Python process connected to localhost MySQL, sent 1KB and received 4KB. You know the process, destination, and data volume, but not the SQL queries.

Configuration Considerations

Localhost Database Connections

By default, Qtap ignores localhost connections (tap.ignore_loopback: true).

If you want to monitor local databases:

Common localhost scenarios:

• Local MySQL/PostgreSQL during development

• Redis on localhost

• MongoDB running locally

• Microservices communicating within the same host

Use Case: What Qtap is Best For

✅ Ideal Use Cases

1. HTTP/HTTPS API Monitoring

   • Full request/response capture for debugging

   • Error detection (4xx, 5xx status codes)

   • Performance monitoring (request duration)

   • Security analysis (authentication tokens, sensitive data)

2. Microservice Communication

   • Service-to-service HTTP calls

   • Process attribution (which service made the call)

   • TLS inspection without service mesh complexity

3. Third-Party API Integration

   • Complete visibility into external API calls

   • Debug integration issues with full payloads

   • Monitor API rate limits and errors

4. Compliance and Audit

   • Capture API transactions for audit trails

   • Store sensitive data in your S3 (data sovereignty)

   • Process-level attribution for security investigations

⚠️ Limited Use Cases

1. Database Query Analysis

   • Qtap shows which process connected to the database

   • Qtap shows data volume (bytes sent/received)

   • Qtap does not parse SQL queries or results

   • Use database-specific tools (pg_stat_statements, MySQL slow query log) for query analysis

2. SSH Session Monitoring

   • Qtap shows which user initiated SSH connections

   • Qtap shows destination servers

   • Qtap does not capture SSH commands or terminal output

   • Use SSH logging or session recording tools for command auditing

3. gRPC Method-Level Monitoring

   • Qtap detects gRPC connections

   • Qtap does not decode protobuf messages

   • Use gRPC-specific instrumentation (OpenTelemetry, gRPC interceptors) for method-level tracing

Combining Qtap with Other Tools

Qtap excels at HTTP/HTTPS visibility and provides valuable connection metadata for other protocols. For comprehensive monitoring:

Protocol Detection Deep Dive

How Qtap Detects Protocols

1. Syscall Hooking: Qtap uses eBPF to hook read/write syscalls

2. TLS Library Detection: Identifies OpenSSL, Go TLS, Java SSL, Node TLS libraries

3. Plaintext Interception: Captures data before TLS encryption

4. HTTP Parsing: Attempts to parse as HTTP/1.1 or HTTP/2

5. Classification: Sets l7Protocol to http1, http2, or other

When HTTP Parsing Fails

HTTP parsing can fail for legitimate reasons:

1. Binary Protocols: MySQL, PostgreSQL, Redis, MongoDB wire protocols

2. Custom Protocols: Proprietary application protocols

3. Encrypted Payloads: Application-level encryption on top of TLS

4. Non-Standard HTTP: Malformed HTTP or custom HTTP-like protocols

When HTTP Parsing Succeeds But Shows "other"

Rare cases where traffic is technically HTTP but shows as other:

1. Unsupported TLS Library: Application uses a TLS library Qtap doesn't hook

2. HTTP/3 (QUIC): Uses UDP, not TCP (not currently supported)

3. Custom HTTP Implementations: Non-standard HTTP libraries

Testing Protocol Support

To test what Qtap captures for your specific protocol:

Look for:

• l7Protocol: http1, http2, or other

• tlsVersion: TLS detected?

• tlsProbeTypesDetected: Which TLS library?

• bytesSent, bytesReceived: Data transferred?

Summary

Qtap is purpose-built for HTTP/HTTPS visibility with process attribution and TLS inspection. For non-HTTP protocols, it provides valuable connection metadata (which process, what destination, how much data) but cannot parse application-level content.

Key Takeaway: If you need deep visibility into HTTP APIs, microservices, or web traffic, Qtap is ideal. For databases, SSH, or custom protocols, Qtap gives you connection context that complements protocol-specific monitoring tools.

For questions about specific protocols, check the Qpoint Data Schema Reference or contact support.