FAQ
What is Qtap?
Qtap is a lightweight agent that uses eBPF to tap into network traffic at the kernel level. It hooks into common TLS libraries (like OpenSSL) before encryption and after decryption, providing visibility into the actual request/response payloads of HTTPS/TLS traffic without terminating connections or managing certificates.
What problem does Qtap solve?
Qtap solves the challenge of understanding what's happening inside the encrypted traffic leaving production systems. With modern applications relying heavily on third-party APIs, figuring out exactly what data is being sent, identifying PII exposure, or debugging integration issues becomes incredibly difficult once TLS kicks in. Traditional approaches like forward proxies introduce complexity and performance bottlenecks that Qtap avoids.
How is Qtap different from traditional monitoring approaches?
Unlike traditional approaches such as forward proxies (which require TLS termination, certificate management, and introduce performance bottlenecks) or network firewalls (which operate at L3/L4 and lack payload visibility), Qtap:
Does not require TLS termination or certificate management
Has minimal performance impact
Provides process-level attribution
Works without application modifications
Offers pre-encryption visibility
Is this a security vulnerability?
No. As noted by respected eBPF expert Brendan Gregg, "This is not a vulnerability: eBPF currently requires root access to do this. Also, eBPF makes this easy but does not make it possible, as debuggers, interposers/shims, and other tools can also attach to pre-encryption points, and therefore banning eBPF (as some people want to do after seeing projects like this) would not actually improve security, but it would instead reduce security as it would prevent eBPF-based security solutions from being used."
Technical Questions
How does Qtap work?
Qtap uses eBPF to hook into network traffic at the kernel level. The key idea is to attach to common TLS libraries (like OpenSSL) before encryption and after decryption using uprobes. This gives visibility into the actual request/response payloads without terminating the connection or managing certificates.
Which programming languages and TLS libraries does Qtap support?
Open Source Version: Currently supports OpenSSL
Pro Version: Supports Java, Go, NodeJS, and OpenSSL
How does Qtap handle statically linked binaries like Go?
For statically linked binaries like Go, Qtap scans the ELF binary to find function offsets. It maintains a database of offsets for different Go versions, which allows it to hook into the correct memory locations for TLS functions. This approach works because the offsets are consistent for each Go version across compilation targets.
Does Qtap support optimized binaries (with -O2 or -O3 flags)?
Yes. Qtap uses custom binary utilities that are optimized for fast symbol recognition, focusing only on the symbol locations needed. It also implements caching so frequently used binaries don't require multiple scans, which has proven effective with optimized binaries.
What's the performance impact of using Qtap?
Uprobes add a "statistically insignificant" amount of latency. In testing, the performance impact is nearly identical to native connections and significantly better than MITM proxies.
Can Qtap output pcap or HAR files for use with tools like Wireshark?
Not currently, but this is something the team is interested in adding in the future. These formats aren't on their near-term roadmap but are considered valuable additions.
Deployment Questions
What are the system requirements for Qtap?
Linux-based operating system (kernel 5.10+)
Root/sudo access
For containerized environments: Docker or Kubernetes
How do I install and run Qtap?
Qtap is packaged as:
A Linux binary
A Docker container
A Helm chart for Kubernetes deployment
Basic installation is as simple as running the agent on a Linux machine with the necessary permissions.
Does Qtap require root access?
Yes, Qtap requires root privileges to function as it uses eBPF to hook into kernel and userspace program functions.
Can Qtap run inside a container?
Yes, Qtap can run within a container.
Does Qtap work on non-Linux platforms?
Currently, Qtap is focused on Linux environments. The team has expressed interest in exploring Microsoft's eBPF implementation for potential Windows support in the future.
Do I need to modify my applications to use Qtap?
No. Qtap works without any application instrumentation or code changes.
Data and Security Questions
Where does Qtap send the captured data?
Qtap provides flexible options for data storage:
Event data (connection metadata): Can be sent to stdout or to the Qpoint control plane
Object data (actual request/response content): Can be sent to stdout or to any S3-compatible storage that you control
How does Qtap handle sensitive information?
Sensitive information captured by Qtap, such as HTTP bodies, can be uploaded to an S3-compliant bucket that you control. This could be AWS S3, MinIO, or any other service supporting the S3 API. The Qpoint team never sees this sensitive information.
Can I configure which traffic is captured?
Yes, Qtap provides configuration options to control which traffic is captured. It offers customizable rules for filtering traffic based on various criteria, and TLS inspection can be disabled with the --tls-probes=none flag.
Feature Questions
What are the current log sink options for Qtap?
Currently, stdout is the primary log sink. The team is working on Fluentbit integration and has plans to add more options in the future.
Does Qtap provide traffic control capabilities beyond monitoring?
Yes, through Qcontrol (in beta), which provides security enforcement by allowing or denying traffic based on precise conditions. This is powered by the Rulekit project, which enables defining granular rules for traffic management.
Can I use Qtap for debugging without continuous monitoring?
While Qtap is designed as an "always running" solution, it can be deployed on-demand for debugging specific issues. The team has noted interest in supporting more ad-hoc debugging use cases.
Comparison Questions
How does Qtap compare to Wireshark + SSLKEYLOGFILE?
While SSLKEYLOGFILE can be effective in some scenarios, Qtap offers advantages:
Works with applications where SSLKEYLOGFILE isn't supported
Doesn't require modifying application startup environment
Can be attached to running processes without restarting them
Provides process-level attribution
Works without needing to configure each application
Licensing and Versions
What's the difference between the open-source and Pro versions?
Open Source: Supports OpenSSL
Pro Version: Adds support for Java, Go, NodeJS, additional plugins, and a cloud control plane for centralized management