Ctrlk

FAQ

What is Qtap?

Qtap is a lightweight eBPF sensor that taps into network traffic at the kernel level. It hooks into common TLS libraries (like OpenSSL) before encryption and after decryption, providing visibility into the actual request/response payloads of HTTPS/TLS traffic without terminating connections or managing certificates.

What problem does Qtap solve?

Qtap solves the challenge of understanding what's happening inside the encrypted traffic leaving production systems. With modern applications relying heavily on third-party APIs, figuring out exactly what data is being sent, identifying PII exposure, or debugging integration issues becomes incredibly difficult once TLS kicks in. Traditional approaches like forward proxies introduce complexity and performance bottlenecks that Qtap avoids.

How is Qtap different from traditional monitoring approaches?

Unlike traditional approaches such as forward proxies (which require TLS termination, certificate management, and introduce performance bottlenecks) or network firewalls (which operate at L3/L4 and lack payload visibility), Qtap:

  • Does not require TLS termination or certificate management

  • Has minimal performance impact

  • Provides process-level attribution

  • Works without application modifications

  • Offers pre-encryption visibility

Is this a security vulnerability?

No. As noted by respected eBPF expert Brendan Gregg, "This is not a vulnerability: eBPF currently requires root access to do this. Also, eBPF makes this easy but does not make it possible, as debuggers, interposers/shims, and other tools can also attach to pre-encryption points, and therefore banning eBPF (as some people want to do after seeing projects like this) would not actually improve security, but it would instead reduce security as it would prevent eBPF-based security solutions from being used."

How does eBPF ensure it won't crash my systems?

The Linux kernel includes a built-in verifier that analyzes every eBPF program before allowing it to run. The verifier mathematically proves that programs:

  • Cannot loop infinitely (bounded execution)

  • Cannot access invalid memory

  • Cannot modify kernel code

  • Cannot crash the system

If a program fails verification, the kernel rejects it entirely. This is fundamentally different from traditional kernel modules, which have unrestricted access and can crash your entire system. For more details, see eBPF Safety & Trust.

Is eBPF technology proven at enterprise scale?

Yes. eBPF is trusted by the world's largest technology companies and financial institutions:

  • Cloud Providers: All three major cloud providers use eBPF-based networking (Cilium) as their default or recommended Container Network Interface for Kubernetes

  • Financial Services: Major financial institutions run eBPF across thousands of developers and millions of containers

  • Infrastructure: Leading content delivery and streaming platforms rely on eBPF for production networking and security

Has eBPF been independently audited?

Yes. The eBPF ecosystem has undergone rigorous independent security review:

  • Independent security audits of the eBPF verifier have found no systemic weaknesses

  • Major eBPF-based projects have been audited by respected security firms

  • The eBPF community has published comprehensive threat models documenting security considerations

Will Qtap conflict with other eBPF tools like Cilium or Falco?

No. The Linux kernel is designed to support multiple eBPF programs running simultaneously. Qtap can run alongside Cilium (networking), Falco (security), or any other eBPF-based tools without conflicts.

Technical Questions

How does Qtap work?

Qtap uses eBPF to hook into network traffic at the kernel level. The key idea is to attach to common TLS libraries (like OpenSSL) before encryption and after decryption using uprobes. This gives visibility into the actual request/response payloads without terminating the connection or managing certificates.

Which programming languages and TLS libraries does Qtap support?

  • Open Source Version: Currently supports OpenSSL

  • Pro Version: Supports Java, Go, NodeJS, and OpenSSL

How does Qtap handle statically linked binaries like Go?

For statically linked binaries like Go, Qtap scans the ELF binary to find function offsets. It maintains a database of offsets for different Go versions, which allows it to hook into the correct memory locations for TLS functions. This approach works because the offsets are consistent for each Go version across compilation targets.

Does Qtap support optimized binaries (with -O2 or -O3 flags)?

Yes. Qtap uses custom binary utilities that are optimized for fast symbol recognition, focusing only on the symbol locations needed. It also implements caching so frequently used binaries don't require multiple scans, which has proven effective with optimized binaries.

What's the performance impact of using Qtap?

Uprobes add a "statistically insignificant" amount of latency. In testing, the performance impact is nearly identical to native connections and significantly better than MITM proxies.

Can Qtap output pcap or HAR files for use with tools like Wireshark?

Not currently, but this is something the team is interested in adding in the future. These formats aren't on their near-term roadmap but are considered valuable additions.

Deployment Questions

What are the system requirements for Qtap?

  • Linux-based operating system (kernel 5.10+)

  • Root/sudo access

  • For containerized environments: Docker or Kubernetes

How do I install and run Qtap?

Qtap is packaged as:

  • A Linux binary

  • A Docker container

  • A Helm chart for Kubernetes deployment

Basic installation is as simple as running the sensor on a Linux machine with the necessary permissions.

Does Qtap require root access?

Yes, Qtap requires root privileges to function as it uses eBPF to hook into kernel and userspace program functions.

Can Qtap run inside a container?

Yes, Qtap can run within a container.

Does Qtap work on non-Linux platforms?

Currently, Qtap is focused on Linux environments. The team has expressed interest in exploring Microsoft's eBPF implementation for potential Windows support in the future.

Do I need to modify my applications to use Qtap?

No. Qtap works without any application instrumentation or code changes.

Data and Security Questions

Where does Qtap send the captured data?

Qtap provides flexible options for data storage:

  • Event data (connection metadata): Can be sent to stdout or to the Qpoint control plane

  • Object data (actual request/response content): Can be sent to stdout or to any S3-compatible storage that you control

How does Qtap handle sensitive information?

Sensitive information captured by Qtap, such as HTTP bodies, can be uploaded to an S3-compliant bucket that you control. This could be AWS S3, MinIO, or any other service supporting the S3 API. The Qpoint team never sees this sensitive information.

Can I configure which traffic is captured?

Yes, Qtap provides configuration options to control which traffic is captured. It offers customizable rules for filtering traffic based on various criteria, and TLS inspection can be disabled with the --tls-probes=none flag.

Feature Questions

What are the current log sink options for Qtap?

Currently, stdout is the primary log sink. The team is working on Fluentbit integration and has plans to add more options in the future.

Does Qtap provide traffic control capabilities beyond monitoring?

Yes, through Qcontrol (in beta), which provides security enforcement by allowing or denying traffic based on precise conditions. This is powered by the Rulekit project, which enables defining granular rules for traffic management.

Can I use Qtap for debugging without continuous monitoring?

While Qtap is designed as an "always running" solution, it can be deployed on-demand for debugging specific issues. The team has noted interest in supporting more ad-hoc debugging use cases.

Comparison Questions

How does Qtap compare to Wireshark + SSLKEYLOGFILE?

While SSLKEYLOGFILE can be effective in some scenarios, Qtap offers advantages:

  • Works with applications where SSLKEYLOGFILE isn't supported

  • Doesn't require modifying application startup environment

  • Can be attached to running processes without restarting them

  • Provides process-level attribution

  • Works without needing to configure each application

Licensing and Versions

What's the difference between the open-source and Pro versions?

  • Open Source: Supports OpenSSL

  • Pro Version: Adds support for Java, Go, NodeJS, additional plugins, and a cloud control plane for centralized management

PreviousDevTools - Interactive Traffic InspectionNextSecurity & Compliance

Last updated