FAQ

What is Qtap?

Qtap is a lightweight agent that uses eBPF to tap network traffic from inside the Linux kernel. It attaches probes to common TLS libraries (such as OpenSSL) at the points where data is still plaintext, before encryption on the way out and after decryption on the way in, which gives visibility into the actual request/response payloads of HTTPS/TLS traffic without terminating connections or managing certificates.

What problem does Qtap solve?

Qtap solves the challenge of understanding what's happening inside the encrypted traffic leaving production systems. With modern applications relying heavily on third-party APIs, figuring out exactly what data is being sent, identifying PII exposure, or debugging integration issues becomes incredibly difficult once TLS kicks in. Traditional approaches like forward proxies introduce complexity and performance bottlenecks that Qtap avoids.

How is Qtap different from traditional monitoring approaches?

Unlike traditional approaches such as forward proxies (which require TLS termination, certificate management, and introduce performance bottlenecks) or network firewalls (which operate at L3/L4 and lack payload visibility), Qtap:

  • Does not require TLS termination or certificate management

  • Has minimal performance impact

  • Provides process-level attribution

  • Works without application modifications

  • Offers pre-encryption visibility

Is this a security vulnerability?

No. As noted by respected eBPF expert Brendan Gregg, "This is not a vulnerability: eBPF currently requires root access to do this. Also, eBPF makes this easy but does not make it possible, as debuggers, interposers/shims, and other tools can also attach to pre-encryption points, and therefore banning eBPF (as some people want to do after seeing projects like this) would not actually improve security, but it would instead reduce security as it would prevent eBPF-based security solutions from being used." The practical consequence is that Qtap itself runs with exactly those privileges: deploy, configure and update it with the same care as any other root-level agent, because whoever controls it can read your applications' plaintext.

Technical Questions

How does Qtap work?

Qtap uses eBPF programs loaded into the kernel and attached with uprobes to user-space functions in common TLS libraries (like OpenSSL). The probes fire on the library's write path before the data is encrypted and on its read path after the data has been decrypted, so Qtap sees the actual request/response payloads without terminating the connection or managing certificates.

Which programming languages and TLS libraries does Qtap support?

  • Open Source Version: Currently supports OpenSSL

  • Pro Version: Supports Java, Go, NodeJS, and OpenSSL

How does Qtap handle statically linked binaries like Go?

For statically linked binaries like Go, Qtap scans the ELF binary for the symbols and offsets it needs, and it maintains a database of per-Go-version offsets so that it can hook the correct memory locations for the TLS functions. This works because those offsets are consistent for a given Go version across compilation targets.
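
The symbol-scanning step described above, as an added example that is not Qtap's code: a small Go program using only the standard library's debug/elf package to resolve a function name to the file offset a uprobe is attached at. It looks in .symtab (an unstripped Go binary) and then in .dynsym (a shared library's exports), so the same routine serves `crypto/tls.(*Conn).Write` in a static Go binary and `SSL_write` in libssl, which is where OpenSSL handles plaintext. The program-header translation is the part people get wrong: the kernel keys a uprobe by file offset, not by virtual address. The function and variable names are the example's own.

```go
// Added example (not Qtap's code): resolve the file offset a uprobe needs for
// a function in an ELF file, e.g. crypto/tls.(*Conn).Write in a statically
// linked Go binary or SSL_write in libssl.
package main

import (
	"debug/elf"
	"errors"
	"fmt"
	"os"
)

// uprobeOffset translates a virtual address into an offset within the file by
// locating the PT_LOAD segment that maps it. Uprobes are attached by
// (inode, file offset), so this translation is mandatory.
func uprobeOffset(vaddr uint64, progs []*elf.Prog) (uint64, error) {
	for _, p := range progs {
		if p.Type != elf.PT_LOAD {
			continue
		}
		// Only file-backed bytes count: .bss is covered by Memsz but not Filesz.
		if vaddr >= p.Vaddr && vaddr < p.Vaddr+p.Filesz {
			return vaddr - p.Vaddr + p.Off, nil
		}
	}
	return 0, fmt.Errorf("vaddr %#x is not file-backed by any PT_LOAD segment", vaddr)
}

// lookupFunc finds a STT_FUNC symbol by name, first in .symtab (present in an
// unstripped Go binary) and then in .dynsym (exported functions of a shared
// library such as libssl). A stripped static binary has neither, which is the
// case a per-Go-version offset database has to cover instead.
func lookupFunc(f *elf.File, name string) (elf.Symbol, error) {
	for _, table := range []func() ([]elf.Symbol, error){f.Symbols, f.DynamicSymbols} {
		syms, err := table()
		if err != nil {
			continue // table absent in this file, try the next one
		}
		for _, s := range syms {
			if s.Name == name && elf.ST_TYPE(s.Info) == elf.STT_FUNC {
				return s, nil
			}
		}
	}
	return elf.Symbol{}, errors.New("function symbol not found: " + name)
}

// findUprobeOffset opens path and returns the file offset of the named function.
func findUprobeOffset(path, name string) (uint64, error) {
	f, err := elf.Open(path)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	sym, err := lookupFunc(f, name)
	if err != nil {
		return 0, err
	}
	return uprobeOffset(sym.Value, f.Progs)
}

func main() {
	if len(os.Args) < 3 {
		fmt.Fprintln(os.Stderr, "usage: uprobe-offset <elf-file> <symbol>...")
		fmt.Fprintln(os.Stderr, `  e.g. uprobe-offset ./mygoapp 'crypto/tls.(*Conn).Write' 'crypto/tls.(*Conn).Read'`)
		os.Exit(2)
	}
	for _, name := range os.Args[2:] {
		off, err := findUprobeOffset(os.Args[1], name)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", name, err)
			continue
		}
		fmt.Printf("%s -> file offset %#x\n", name, off)
	}
}
```

Two caveats for anyone building on this. First, the symbol-table route only works on unstripped binaries; a Go binary built with -ldflags='-s -w' has no .symtab, which is exactly the situation a per-Go-version offset database is for. Second, uretprobes are unsafe on Go functions because the runtime can move and grow goroutine stacks, so Go-aware tools attach uprobes to each RET instruction inside the function instead of using a return probe; that, together with the register-based calling convention Go adopted in 1.17, is why argument and return locations have to be tracked per Go version rather than assumed.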

Does Qtap support optimized binaries (with -O2 or -O3 flags)?

Yes. Qtap uses custom binary utilities that are optimized for fast symbol recognition, focusing only on the symbol locations needed. It also implements caching so frequently used binaries don't require multiple scans, which has proven effective with optimized binaries.

What's the performance impact of using Qtap?

Each uprobe hit adds a small, statistically insignificant amount of latency. In the team's testing the end-to-end impact was nearly identical to a native connection and significantly better than a MITM proxy. Because the cost is paid per probe hit (each one traps into the kernel), the overhead is dominated by how many TLS read/write calls an application makes rather than by how many bytes it transfers.

Can Qtap output pcap or HAR files for use with tools like Wireshark?

Not currently, but this is something the team is interested in adding in the future. These formats aren't on their near-term roadmap but are considered valuable additions.

Deployment Questions

What are the system requirements for Qtap?

  • Linux-based operating system (kernel 5.10+)

  • Root/sudo access

  • For containerized environments: Docker or Kubernetes

How do I install and run Qtap?

Qtap is packaged as:

  • A Linux binary

  • A Docker container

  • A Helm chart for Kubernetes deployment

Basic installation is as simple as running the agent on a Linux machine with the necessary permissions.

Does Qtap require root access?

Yes. Qtap needs root privileges because it loads eBPF programs into the kernel and attaches them to kernel and user-space functions.

Can Qtap run inside a container?

Yes. Qtap can run inside a container, but the container must be granted the same root privileges on the host that a bare-metal install needs (see the Docker and Helm installation pages for the required settings).

Does Qtap work on non-Linux platforms?

Currently, Qtap is focused on Linux environments. The team has expressed interest in exploring Microsoft's eBPF implementation for potential Windows support in the future.

Do I need to modify my applications to use Qtap?

No. Qtap works without any application instrumentation or code changes.

Data and Security Questions

Where does Qtap send the captured data?

Qtap provides flexible options for data storage:

  • Event data (connection metadata): Can be sent to stdout or to the Qpoint control plane

  • Object data (actual request/response content): Can be sent to stdout or to any S3-compatible storage that you control

How does Qtap handle sensitive information?

Sensitive information captured by Qtap, such as HTTP bodies, is uploaded only to an S3-compatible bucket that you control. This could be AWS S3, MinIO, or any other service supporting the S3 API. The Qpoint team never sees this data. Treat that bucket as a secret store: request and response bodies routinely contain credentials, tokens and personal data, so restrict who and what can read from it.

Can I configure which traffic is captured?

Yes, Qtap provides configuration options to control which traffic is captured. It offers customizable rules for filtering traffic based on various criteria, and TLS inspection can be disabled with the --tls-probes=none flag.

Feature Questions

What are the current log sink options for Qtap?

Currently, stdout is the primary log sink. The team is working on Fluentbit integration and has plans to add more options in the future.

Does Qtap provide traffic control capabilities beyond monitoring?

Yes, through Qcontrol (in beta), which provides security enforcement by allowing or denying traffic based on precise conditions. This is powered by the Rulekit project, which enables defining granular rules for traffic management.

Can I use Qtap for debugging without continuous monitoring?

While Qtap is designed as an "always running" solution, it can be deployed on-demand for debugging specific issues. The team has noted interest in supporting more ad-hoc debugging use cases.

Comparison Questions

How does Qtap compare to Wireshark + SSLKEYLOGFILE?

An NSS-format key log (the file SSLKEYLOGFILE points to) lets Wireshark decrypt captured TLS sessions, and it can be effective in some scenarios, but it depends on the application or its TLS library honoring the variable and on a separate packet capture. Qtap offers advantages:

  • Works with applications where SSLKEYLOGFILE isn't supported

  • Doesn't require modifying the application's startup environment

  • Can be attached to running processes without restarting them

  • Provides process-level attribution

  • Works without needing to configure each application
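
To make the first two points concrete, here is an added example (not part of the Qtap documentation or code) showing that Go's crypto/tls never reads SSLKEYLOGFILE: a key log is produced only when the application itself sets tls.Config.KeyLogWriter. The handshake runs over an in-memory pipe with a throwaway self-signed certificate for the constructed name example.test; the function names are the example's own.

```go
// Added example, not Qtap's code: Go's crypto/tls ignores SSLKEYLOGFILE.
// Key material is logged only if the application sets KeyLogWriter itself.
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// selfSignedCert builds a throwaway certificate for the constructed name example.test.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{"example.test"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// handshakeWithKeyLog runs a TLS 1.3 handshake between an in-memory client and
// server and returns what the client wrote to its key log. With enableKeyLog
// false the client is a stock Go program: nothing is logged, whatever SSLKEYLOGFILE says.
func handshakeWithKeyLog(enableKeyLog bool) (string, error) {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	srvConn, cliConn := net.Pipe()
	deadline := time.Now().Add(5 * time.Second) // fail rather than hang
	srvConn.SetDeadline(deadline)
	cliConn.SetDeadline(deadline)
	var keyLog bytes.Buffer
	cliCfg := &tls.Config{ServerName: "example.test", RootCAs: roots, MinVersion: tls.VersionTLS13}
	if enableKeyLog {
		cliCfg.KeyLogWriter = &keyLog // the one line an application has to add
	}
	srvCfg := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS13,
		SessionTicketsDisabled: true, // no post-handshake record on an unbuffered pipe
	}
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(srvConn, srvCfg).Handshake() }()
	if err := tls.Client(cliConn, cliCfg).Handshake(); err != nil {
		return "", fmt.Errorf("client handshake: %w", err)
	}
	if err := <-srvErr; err != nil {
		return "", fmt.Errorf("server handshake: %w", err)
	}
	return keyLog.String(), nil
}

// keyLogLabels returns the NSS key log label (first field) of each logged line.
func keyLogLabels(keyLog string) []string {
	var labels []string
	for _, line := range strings.Split(strings.TrimSpace(keyLog), "\n") {
		if f := strings.Fields(line); len(f) == 3 {
			labels = append(labels, f[0])
		}
	}
	return labels
}

func main() {
	logged, err := handshakeWithKeyLog(true)
	if err != nil {
		panic(err)
	}
	fmt.Println("labels logged with KeyLogWriter set:", keyLogLabels(logged))
}
```

Run it and the labelled lines (CLIENT_HANDSHAKE_TRAFFIC_SECRET, SERVER_TRAFFIC_SECRET_0, and so on) appear only when KeyLogWriter is set; a Go service that did not ship with that hook needs a code change and a redeploy before Wireshark can decrypt its traffic, which is the gap an eBPF tap on (*tls.Conn).Write and Read closes. The same opt-in applies to OpenSSL-based programs: libssl exposes the key log as a callback (SSL_CTX_set_keylog_callback), and it is the application, curl for instance, that decides whether to honor the environment variable.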

Licensing and Versions

What's the difference between the open-source and Pro versions?

  • Open Source: Supports OpenSSL

  • Pro Version: Adds support for Java, Go, NodeJS, additional plugins, and a cloud control plane for centralized management

Last updated 7 days ago