Traffic Capture Settings
The tap section in your Qtap configuration controls what traffic is processed. This section provides fine-grained control over which network connections to monitor, what traffic to include or exclude, and how to apply different processing stacks to specific domains.
Basic Configuration
Here's the structure of a basic tap configuration:
tap:
direction: egress
ignore_loopback: false
audit_include_dns: true
http:
stack: default_stackTraffic Direction Settings
The direction parameter controls which traffic flows Qtap captures:
egress
Captures all outgoing traffic (both internal and external)
egress-external
Only captures traffic to external networks
egress-internal
Only captures traffic to internal networks
ingress
Only captures inbound traffic
all
Captures all traffic (inbound and outbound)
tap:
direction: egress-external # Only capture traffic going to external networksNetwork Interface Settings
Loopback Traffic
The ignore_loopback parameter controls whether traffic on the loopback interface (localhost) is captured:
tap:
ignore_loopback: true # Don't capture localhost trafficWhen set to
true, traffic to addresses like127.0.0.1orlocalhostis ignoredWhen set to
false, local traffic is included in capture
DNS Traffic
The audit_include_dns parameter controls whether DNS queries are captured:
tap:
audit_include_dns: true # Include DNS traffic in audit logsThis is useful for:
Troubleshooting DNS resolution issues
Tracking which domains your applications are trying to reach
Identifying potential DNS-based data exfiltration
Process Filtering
The filters section allows you to control which processes Qtap monitors:
tap:
filters:
groups:
- kubernetes
- qpoint
custom:
- exe: /usr/bin/curl
strategy: exact
- exe: /usr/bin/python3
strategy: prefix
- exe: .*ruby.*
strategy: regexPredefined Process Groups
The groups parameter allows you to ignore specific types of processes:
kubernetes
Standard Kubernetes processes
container
Container runtime processes
gke
Google Kubernetes Engine processes
eks
Amazon Elastic Kubernetes Service processes
qpoint
Qpoint's own processes (prevents self-monitoring)
When a group is included in the list, traffic from those processes is ignored.
Custom Process Filters
The custom parameter allows you to define specific processes to ignore:
custom:
- exe: /usr/bin/curl
strategy: exactEach entry requires:
exe: The executable pathstrategy: Matching strategy, which can be:exact: Exact path matchprefix: Path prefix matchregex: Regular expression match
Strategy Examples
Exact Match - Blocks only the specific path:
filters:
custom:
- exe: /usr/bin/curl
strategy: exactBlocks:
/usr/bin/curlDoes NOT block:
/usr/local/bin/curl,/bin/curl,/opt/curl/bin/curl
Prefix Match - Blocks anything starting with the prefix:
filters:
custom:
- exe: /usr/bin/
strategy: prefixBlocks:
/usr/bin/curl,/usr/bin/wget,/usr/bin/python3Does NOT block:
/usr/local/bin/curl,/bin/sh
Regex Match - Blocks paths matching the regex pattern:
filters:
custom:
- exe: .*curl.*
strategy: regexBlocks:
/usr/bin/curl,/usr/local/bin/curl,/opt/my-curl-app/bin/appDoes NOT block:
/usr/bin/wget,/usr/bin/python3
Common Use Cases
Development - Filter CLI tools to reduce noise:
filters:
custom:
# Block common HTTP clients
- exe: /usr/bin/curl
strategy: exact
- exe: /usr/bin/wget
strategy: exact
# Block package managers
- exe: /usr/bin/apt
strategy: exact
- exe: /usr/bin/yum
strategy: exactProduction - Filter system processes:
filters:
groups:
- kubernetes
- qpoint
custom:
# Block monitoring agents
- exe: /opt/datadog-agent
strategy: prefix
- exe: /usr/bin/node_exporter
strategy: exact
# Block backup tools
- exe: .*backup.*
strategy: regexContainer environments - Filter by container tools:
filters:
custom:
# Docker containers often have curl at /usr/bin/curl
- exe: /usr/bin/curl
strategy: exact
# Alpine-based containers
- exe: /bin/wget
strategy: exactMultiple installations - Use regex to catch all variants:
filters:
custom:
# Catch curl wherever it's installed
- exe: .*curl.*
strategy: regex
# Catch Python anywhere (python, python3, /opt/python, etc.)
- exe: .*python.*
strategy: regexFinding the correct path:
To determine what path Qtap sees for a process, check the logs:
# Start Qtap and generate traffic
docker logs qtap-container 2>&1 | grep '"exe"' | head -20
# Look for exe field in output:
# "exe":"/usr/bin/curl" <- This is what you filter onOr find the path on your system:
which curl # Shows: /usr/bin/curl
readlink -f $(which curl) # Shows real path if it's a symlinkDomain-Specific Rules
The endpoints section allows you to apply different processing stacks to specific domains or patterns:
tap:
http:
stack: default_stack # Default stack for most traffic
endpoints:
- domain: 'api.payment-processor.com'
http:
stack: payment_stack # Special stack for payment processor traffic
- domain: 'internal-api.example.com'
http:
stack: debug_stack # Debug stack for internal API trafficEach endpoint entry consists of:
domain: The domain pattern to match (supports wildcards)http.stack: The stack to apply for matching HTTP traffic
This allows you to:
Apply detailed logging to specific APIs
Handle sensitive traffic differently
Focus debugging efforts on problematic domains
Complete Example
Here's a comprehensive example that demonstrates all the main features:
tap:
direction: egress
ignore_loopback: true
audit_include_dns: true
http:
stack: default_stack
filters:
groups:
- qpoint
- kubernetes
custom:
- exe: /usr/bin/wget
strategy: exact
- exe: /usr/bin/curl
strategy: exact
endpoints:
- domain: 'api.github.com'
http:
stack: debug_stack
- domain: 'api.google.com'
http:
stack: debug_stackThis configuration:
Captures all outgoing traffic (
direction: egress)Ignores localhost traffic (
ignore_loopback: true)Includes DNS queries in audit logs (
audit_include_dns: true)Applies the
default_stackto most HTTP trafficIgnores traffic from Kubernetes and Qpoint processes
Ignores traffic from specific executables (wget, curl)
Applies the
debug_stackto all traffic toapi.github.comandapi.google.comdomains
Last updated