Qtap Output Examples

This appendix provides real-world examples of qtap output for different plugins, formats, and log levels. All examples are captured from actual qtap runs.

http_capture Plugin

The http_capture plugin captures HTTP traffic with configurable detail levels and output formats.

Configuration Parameters

level: Controls capture detail (none, summary, details, full)
format: Output format (text, json)

Text Format

Summary Level

Shows basic transaction information without headers or bodies.

Configuration:

plugins:
  - type: http_capture
    config:
      level: summary    # Basic info only
      format: text      # Human-readable format

Example Output:

HTTP Transaction
================
Metadata:
  Transaction Time: 2025-10-28T16:13:51Z
  Duration: 98ms
  Direction: egress-external
  Process ID: 1134827
  Process: /usr/bin/curl
  Bytes Sent: 41
  Bytes Received: 395
Request:
  Method: GET
  URL: https://httpbin.org/get
Response:
  Status: 200
  Content-Type: application/json

Details Level

Includes HTTP headers but no request/response bodies.

Configuration:

plugins:
  - type: http_capture
    config:
      level: headers    # Includes headers
      format: text

Example Output:

HTTP Transaction
================
Metadata:
  Transaction Time: 2025-10-28T16:16:33Z
  Duration: 4241ms
  Direction: egress-external
  Process ID: 1136045
  Process: /usr/bin/curl
  Bytes Sent: 41
  Bytes Received: 395

Request:
  Method: GET
  URL: https://httpbin.org/get
  Protocol: http2
  User-Agent: curl/8.10.1
  Request Headers:
    :authority: httpbin.org
    :method: GET
    :path: /get
    :scheme: https
    Accept: */*
    User-Agent: curl/8.10.1

Response:
  Status: 200
  Content-Type: application/json
  Response Headers:
    :status: 200
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Origin: *
    Content-Length: 255
    Content-Type: application/json
    Date: Tue, 28 Oct 2025 16:16:37 GMT
    Server: gunicorn/19.9.0

Full Level

Captures everything: headers and request/response bodies.

Configuration:

plugins:
  - type: http_capture
    config:
      level: full       # Everything including bodies
      format: text

Example Output:

HTTP Transaction
================
Metadata:
  Transaction Time: 2025-10-28T15:56:48Z
  Duration: 1006ms
  Direction: egress-external
  Process ID: 1115662
  Process: /usr/bin/curl
  Bytes Sent: 41
  Bytes Received: 395
  Connection ID: d40dobo7p3qp5ufu7dtg
  Endpoint ID: httpbin.org

Request:
  Method: GET
  URL: https://httpbin.org/get
  Protocol: http2
  User-Agent: curl/8.10.1
  Request Headers:
    :authority: httpbin.org
    :method: GET
    :path: /get
    :scheme: https
    Accept: */*
    User-Agent: curl/8.10.1
  Request Body:
    (empty)

Response:
  Status: 200 OK
  Content-Type: application/json
  Response Headers:
    :status: 200
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Origin: *
    Content-Length: 255
    Content-Type: application/json
    Date: Mon, 28 Oct 2025 15:56:49 GMT
    Server: gunicorn/19.9.0
  Response Body:
    {
      "args": {},
      "headers": {
        "Accept": "*/*",
        "Host": "httpbin.org",
        "User-Agent": "curl/8.10.1",
        "X-Amzn-Trace-Id": "Root=1-6900e621-3b1f78f52ad26b0b437b65ac"
      },
      "origin": "73.71.138.108",
      "url": "https://httpbin.org/get"
    }

JSON Format

Summary Level

Structured JSON output with basic information.

Configuration:

plugins:
  - type: http_capture
    config:
      level: summary
      format: json      # Machine-readable format

Example Output:

{
  "metadata": {
    "process_id": "1139807",
    "process_exe": "/usr/bin/curl",
    "bytes_sent": 41,
    "bytes_received": 395,
    "connection_id": "d40er1g7p3qq0j13j5rg",
    "endpoint_id": "httpbin.org"
  },
  "request": {
    "method": "GET",
    "url": "https://httpbin.org/get",
    "scheme": "https",
    "path": "/get",
    "authority": "httpbin.org",
    "protocol": "http2",
    "request_id": "d40er1o7p3qq0j13j5s0",
    "user_agent": "curl/8.10.1"
  },
  "response": {
    "status": 200,
    "content_type": "application/json"
  },
  "transaction_time": "2025-10-28T16:21:55.351700841Z",
  "duration_ms": 28122,
  "direction": "egress-external"
}

Details Level

Includes request and response headers.

Configuration:

plugins:
  - type: http_capture
    config:
      level: headers    # Adds header fields
      format: json

Example Output:

{
  "metadata": {
    "process_id": "1140745",
    "process_exe": "/usr/bin/curl",
    "bytes_sent": 41,
    "bytes_received": 395,
    "connection_id": "d40erq07p3qq81aqqj20",
    "endpoint_id": "httpbin.org"
  },
  "request": {
    "method": "GET",
    "url": "https://httpbin.org/get",
    "scheme": "https",
    "path": "/get",
    "authority": "httpbin.org",
    "protocol": "http2",
    "request_id": "d40erq07p3qq81aqqj2g",
    "user_agent": "curl/8.10.1",
    "headers": {
      ":authority": "httpbin.org",
      ":method": "GET",
      ":path": "/get",
      ":scheme": "https",
      "Accept": "*/*",
      "User-Agent": "curl/8.10.1"
    }
  },
  "response": {
    "status": 200,
    "content_type": "application/json",
    "headers": {
      ":status": "200",
      "Access-Control-Allow-Credentials": "true",
      "Access-Control-Allow-Origin": "*",
      "Content-Length": "255",
      "Content-Type": "application/json",
      "Date": "Tue, 28 Oct 2025 16:23:26 GMT",
      "Server": "gunicorn/19.9.0"
    }
  },
  "transaction_time": "2025-10-28T16:23:26.351652939Z",
  "duration_ms": 21744,
  "direction": "egress-external"
}

Full Level

Complete capture including base64-encoded request/response bodies.

Configuration:

plugins:
  - type: http_capture
    config:
      level: full       # Complete capture
      format: json

Example Output:

{
  "metadata": {
    "process_id": "1143058",
    "process_exe": "/usr/bin/curl",
    "bytes_sent": 41,
    "bytes_received": 395,
    "connection_id": "d40eto87p3qr61us0r5g",
    "endpoint_id": "httpbin.org"
  },
  "request": {
    "method": "GET",
    "url": "https://httpbin.org/get",
    "scheme": "https",
    "path": "/get",
    "authority": "httpbin.org",
    "protocol": "http2",
    "request_id": "d40eto87p3qr61us0r70",
    "user_agent": "curl/8.10.1",
    "headers": {
      ":authority": "httpbin.org",
      ":method": "GET",
      ":path": "/get",
      ":scheme": "https",
      "Accept": "*/*",
      "User-Agent": "curl/8.10.1"
    }
  },
  "response": {
    "status": 200,
    "content_type": "application/json",
    "headers": {
      ":status": "200",
      "Access-Control-Allow-Credentials": "true",
      "Access-Control-Allow-Origin": "*",
      "Content-Length": "255",
      "Content-Type": "application/json",
      "Date": "Tue, 28 Oct 2025 16:27:14 GMT",
      "Server": "gunicorn/19.9.0"
    },
    "body": "ewogICJhcmdzIjoge30sIAogICJoZWFkZXJzIjogewogICAgIkFjY2VwdCI6ICIqLyoiLCAKICAgICJIb3N0IjogImh0dHBiaW4ub3JnIiwgCiAgICAiVXNlci1BZ2VudCI6ICJjdXJsLzguMTAuMSIsIAogICAgIlgtQW16bi1UcmFjZS1JZCI6ICJSb290PTEtNjkwMGVlZTEtMmVkNjgyN2Y2NjVhOTY5NjZkMTUxNTVkIgogIH0sIAogICJvcmlnaW4iOiAiNzMuNzEuMTM4LjEwOCIsIAogICJ1cmwiOiAiaHR0cHM6Ly9odHRwYmluLm9yZy9nZXQiCn0K"
  },
  "transaction_time": "2025-10-28T16:27:14.951732976Z",
  "duration_ms": 1428,
  "direction": "egress-external"
}

Note: Response body is base64-encoded. Decoded value:

{
  "args": {},
  "headers": {
    "Accept": "*/*",
    "Host": "httpbin.org",
    "User-Agent": "curl/8.10.1",
    "X-Amzn-Trace-Id": "Root=1-6900eee1-2ed6827f665a96966d15155d"
  },
  "origin": "73.71.138.108",
  "url": "https://httpbin.org/get"
}

access_logs Plugin

The access_logs plugin formats HTTP traffic as access log entries, similar to web server logs.

Configuration Parameters

mode: Controls capture detail (summary, details, full)
format: Output format (console, json)

Console Format

Summary Mode

Single-line access log format.

Configuration:

plugins:
  - type: access_logs
    config:
      mode: summary     # Minimal access log format
      format: console   # Terminal-friendly output

Example Output:

■ /usr/bin/curl → GET https://httpbin.org/get 503 Service Unavailable

Details Mode

Includes metadata, request headers, and response headers.

Configuration:

plugins:
  - type: access_logs
    config:
      mode: details     # Adds headers
      format: console

Example Output:

=========================================================================
■ /usr/bin/curl → GET https://httpbin.org/get 503 Service Unavailable
=========================================================================

------------------ META ------------------
PID: 1145353
Exe: /usr/bin/curl
Direction: egress-external
Bytes Sent: 41
Bytes Received: 232

------------------ REQUEST ------------------
GET httpbin.org http2
User-Agent: curl/8.10.1
Accept: */*
:authority: httpbin.org
:method: GET
:path: /get
:scheme: https

------------------ RESPONSE ------------------
503 Service Unavailable
Content-Type: text/html
Content-Length: 162
:status: 503
Server: awselb/2.0
Date: Tue, 28 Oct 2025 16:31:49 GMT

Full Mode

Includes everything: metadata, headers, and request/response bodies.

Configuration:

plugins:
  - type: access_logs
    config:
      mode: full        # Complete access log entry
      format: console

Example Output:

=========================================================================
■ /usr/bin/curl → GET https://httpbin.org/get 503 Service Unavailable
=========================================================================

------------------ META ------------------
PID: 1145889
Exe: /usr/bin/curl
Direction: egress-external
Bytes Sent: 41
Bytes Received: 232

------------------ REQUEST ------------------
GET httpbin.org http2
User-Agent: curl/8.10.1
Accept: */*
:authority: httpbin.org
:method: GET
:path: /get
:scheme: https

------------------ REQUEST BODY ------------------
(empty)

------------------ RESPONSE ------------------
503 Service Unavailable
:status: 503
Server: awselb/2.0
Date: Tue, 28 Oct 2025 16:32:35 GMT
Content-Type: text/html
Content-Length: 162

------------------ RESPONSE BODY ------------------
<html>
<head><title>503 Service Temporarily Unavailable</title></head>
<body>
<center><h1>503 Service Temporarily Unavailable</h1></center>
</body>
</html>

JSON Format

Summary Mode

Minimal structured JSON access log.

Configuration:

plugins:
  - type: access_logs
    config:
      mode: summary
      format: json      # Machine-readable logs

Example Output:

{"msg":"HTTP transaction","bin":"/usr/bin/curl","direction":"egress-external","method":"GET","url":"https://httpbin.org/get","status":200,"request_id":"d40f0mo7p3qrr3bnbhcg"}

Details Mode

Includes metadata and headers in JSON structure.

Configuration:

plugins:
  - type: access_logs
    config:
      mode: details     # Adds headers to JSON
      format: json

Example Output:

{"msg":"HTTP transaction","meta":{"bytes_received":"395","bytes_sent":"41","exe":"/usr/bin/curl","pid":1147175},"direction":"egress-external","request":{"headers":{":authority":"httpbin.org",":method":"GET",":path":"/get",":scheme":"https","Accept":"*/*","User-Agent":"curl/8.10.1"},"method":"GET","proto":"http2","request_id":"d40f13g7p3qk61jv5dg0","url":"https://httpbin.org/get"},"response":{"headers":{":status":"200","Access-Control-Allow-Credentials":"true","Access-Control-Allow-Origin":"*","Content-Length":"255","Content-Type":"application/json","Date":"Tue, 28 Oct 2025 16:35:04 GMT","Server":"gunicorn/19.9.0"},"status":200}}

Full Mode

Complete JSON access log with request/response bodies.

Configuration:

plugins:
  - type: access_logs
    config:
      mode: full        # Complete JSON entry
      format: json

Example Output:

{"msg":"HTTP transaction","meta":{"bytes_received":"395","bytes_sent":"41","exe":"/usr/bin/curl","pid":1148159},"direction":"egress-external","request":{"body":"","headers":{":authority":"httpbin.org",":method":"GET",":path":"/get",":scheme":"https","Accept":"*/*","User-Agent":"curl/8.10.1"},"method":"GET","proto":"http2","request_id":"d40f1qo7p3qkfi948ivg","url":"https://httpbin.org/get"},"response":{"body":"{\n  \"args\": {}, \n  \"headers\": {\n    \"Accept\": \"*/*\", \n    \"Host\": \"httpbin.org\", \n    \"User-Agent\": \"curl/8.10.1\", \n    \"X-Amzn-Trace-Id\": \"Root=1-6900f0eb-0f9ef3c911f3581220130d55\"\n  }, \n  \"origin\": \"73.71.138.108\", \n  \"url\": \"https://httpbin.org/get\"\n}\n","headers":{":status":"200","Access-Control-Allow-Credentials":"true","Access-Control-Allow-Origin":"*","Content-Length":"255","Content-Type":"application/json","Date":"Tue, 28 Oct 2025 16:36:06 GMT","Server":"gunicorn/19.9.0"},"status":200}}

Note: Bodies are plain text in JSON string fields (not base64-encoded like http_capture).

Comparison: http_capture vs access_logs

Feature

http_capture

access_logs

Purpose

Detailed HTTP transaction capture

Log-style access recording

Formats

text, json

console, json

Levels/Modes

summary, details, full

Body encoding (JSON)

base64-encoded

Plain text in JSON strings

Use case

Deep inspection, debugging

Monitoring, log aggregation

Readability

More structured

More compact

When to use http_capture

Need complete transaction details for debugging
Require structured data for analysis
Want base64-encoded bodies for binary safety

When to use access_logs

Need familiar web server log format
Want quick visibility into traffic patterns
Prefer compact single-line summaries (summary mode)
Integrating with log aggregation tools

Configuration Examples

Capture Only Errors (Full Detail)

Use http_capture with rulekit to capture only failed requests:

version: 2

services:
  event_stores:
    - type: stdout
  object_stores:
    - type: stdout

rulekit:
  macros:
    - name: is_error
      expr: http.res.status >= 400 && http.res.status < 600

stacks:
  error_capture:
    plugins:
      - type: http_capture
        config:
          level: none           # Don't capture by default
          format: json
          rules:
            - name: "Capture errors"
              expr: is_error()
              level: full       # But capture errors fully

tap:
  direction: egress
  ignore_loopback: true
  audit_include_dns: false
  http:
    stack: error_capture

Dual Output: Summary Access Logs + Full Error Capture

Combine access_logs for general visibility with http_capture for detailed error capture:

version: 2

services:
  event_stores:
    - type: stdout
  object_stores:
    - type: stdout

rulekit:
  macros:
    - name: is_error
      expr: http.res.status >= 400

stacks:
  dual_output:
    plugins:
      - type: access_logs        # First: Log everything as summary
        config:
          mode: summary
          format: console
      - type: http_capture       # Second: Capture errors fully
        config:
          level: none
          format: json
          rules:
            - name: "Error detail"
              expr: is_error()
              level: full

tap:
  direction: egress
  ignore_loopback: true
  audit_include_dns: false
  http:
    stack: dual_output

Notes

All examples captured from real qtap v0 runs
Timestamps reflect UTC timezone
Process IDs (PID) are unique to the execution environment
Some examples show 503 errors due to httpbin.org service issues during testing
Base64 decoding required for http_capture JSON bodies
access_logs JSON bodies are plain text strings

Last updated 4 months ago

hashtaghttp_capture Plugin

hashtagConfiguration Parameters

hashtagText Format

hashtagSummary Level

hashtagDetails Level

hashtagFull Level

hashtagJSON Format

hashtagSummary Level

hashtagDetails Level

hashtagFull Level

hashtagaccess_logs Plugin

hashtagConfiguration Parameters

hashtagConsole Format

hashtagSummary Mode

hashtagDetails Mode

hashtagFull Mode

hashtagJSON Format

hashtagSummary Mode

hashtagDetails Mode

hashtagFull Mode

hashtagComparison: http_capture vs access_logs

hashtagWhen to use http_capture

hashtagWhen to use access_logs

hashtagConfiguration Examples

hashtagCapture Only Errors (Full Detail)

hashtagDual Output: Summary Access Logs + Full Error Capture

hashtagNotes

http_capture Plugin

Configuration Parameters

Text Format

Summary Level

Details Level

Full Level

JSON Format

Summary Level

Details Level

Full Level

access_logs Plugin

Configuration Parameters

Console Format

Summary Mode

Details Mode

Full Mode

JSON Format

Summary Mode

Details Mode

Full Mode

Comparison: http_capture vs access_logs

When to use http_capture

When to use access_logs

Configuration Examples

Capture Only Errors (Full Detail)

Dual Output: Summary Access Logs + Full Error Capture

Notes