How It Works

Last updated 23 days ago

Qtap is Qpoint's host-based agent that provides deep visibility into application traffic through various kernel and library integration points. The agent employs multiple complementary approaches to gather comprehensive data about application traffic, with all connections visible through base socket layer monitoring and extended payload visibility available through either native TLS integration or egress controller mode.

Connections

All outbound connections are visible through Qtap's eBPF-based socket layer integration, regardless of the runtime environment or TLS implementation.

What We Capture:

  • Connection establishment and teardown

  • Source and destination information

  • Bandwidth usage

  • Protocol details

  • Process attribution

How It Works:

  • eBPF programs attach to kernel socket functions

  • Captures events for TCP/IP operations

  • Provides real-time visibility into network flows

  • Associates connections with process context

This base layer ensures complete visibility into all network connections, forming the foundation for Qpoint's observability capabilities.

Payloads

Beyond connection visibility, Qtap can capture payload content through two different mechanisms:

Native TLS Integration

Qtap provides automatic payload visibility for applications using supported TLS libraries, requiring zero configuration. The process works by using eBPF uprobes to attach to specific SSL/TLS functions in the library, allowing us to capture data before encryption (for outbound traffic) or after decryption (for inbound traffic).

How It Works:

  1. When a program starts, Qtap scans its ELF (Executable and Linkable Format) file

  2. Qtap identifies and locates SSL/TLS-related functions in memory

  3. eBPF uprobes are attached to these functions (e.g., SSL_read, SSL_write)

  4. When the functions are called, Qtap captures the raw data buffer

  5. The captured data is processed locally on the host
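Steps 1 to 3 depend on resolving function names such as SSL_read and SSL_write to offsets inside the ELF file. The sketch below is an added example, not Qtap's own code: it shows that lookup for the symbol-table case only, on ELF64 little-endian images. The names `tls_probe_offsets` and `build_sample_elf` are hypothetical, and the sample image is constructed inline rather than taken from a real TLS library.

```python
import struct

TLS_FUNCS = {b"SSL_read", b"SSL_write"}  # the functions named in step 3

def tls_probe_offsets(elf, wanted=TLS_FUNCS):
    """Map each wanted function defined in an ELF64 little-endian image to its file offset."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (shoff,) = struct.unpack_from("<Q", elf, 0x28)
    shentsize, shnum = struct.unpack_from("<HH", elf, 0x3A)
    # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, addralign, entsize
    secs = [struct.unpack_from("<IIQQQQIIQQ", elf, shoff + i * shentsize) for i in range(shnum)]
    found = {}
    for _, stype, _, _, off, size, link, _, _, entsize in secs:
        if stype not in (2, 11) or entsize == 0:  # SHT_SYMTAB / SHT_DYNSYM only
            continue
        strtab = elf[secs[link][4]:secs[link][4] + secs[link][5]]
        for pos in range(off, off + size, entsize):
            name_off, info, _, shndx, value, _ = struct.unpack_from("<IBBHQQ", elf, pos)
            name = strtab[name_off:strtab.find(b"\0", name_off)]
            # Keep defined STT_FUNC symbols; imports (shndx 0) live in another file.
            if name in wanted and info & 0xF == 2 and 0 < shndx < shnum:
                # A uprobe takes a file offset: vaddr - section addr + section offset.
                found[name.decode()] = value - secs[shndx][3] + secs[shndx][4]
    return found

def build_sample_elf(write_shndx=1):
    """Constructed sample input: a minimal ELF64 image, not a real TLS library."""
    strtab = b"\0SSL_read\0SSL_write\0"
    sym = lambda name, shndx, value: struct.pack(
        "<IBBHQQ", strtab.index(name), 0x12, 0, shndx, value, 16)  # GLOBAL FUNC
    symtab = bytes(24) + sym(b"SSL_read", 1, 0x1010) + sym(b"SSL_write", write_shndx, 0x1020)
    text_off, str_off = 0x40, 0x80
    sym_off = str_off + len(strtab)
    shoff = sym_off + len(symtab)
    shdr = lambda t, addr, off, size, link=0, ent=0: struct.pack(
        "<IIQQQQIIQQ", 0, t, 0, addr, off, size, link, 0, 1, ent)
    ehdr = struct.pack("<4sBBB9xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1, 3, 62, 1,
                       0, 0, shoff, 0, 64, 0, 0, 64, 4, 0)
    return (ehdr + bytes(0x40) + strtab + symtab + bytes(64)
            + shdr(1, 0x1000, text_off, 0x40)                    # .text
            + shdr(11, 0, sym_off, len(symtab), link=3, ent=24)  # .dynsym
            + shdr(3, 0, str_off, len(strtab)))                  # .dynstr
```

A binary that only imports these functions from a shared library returns an empty result for them, because the definitions, and therefore the probe offsets, are in the library's file rather than the executable's.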

Supported Libraries:

  • OpenSSL

  • GoTLS

  • NodeTLS

  • Java 17 - 21

Egress Controller

For runtimes where native TLS integration isn't possible or preferred, Qtap provides an egress controller mode:

How It Works:

  • Local HTTP(S) proxy on the host

  • Transparent traffic redirection

  • Local TLS termination and re-encryption

Configuration:

# Required Environment Variables
QPOINT_STRATEGY=forward    # Enables egress controller mode
TRUST_STORE=/path/to/certs # Certificate store location

Common Use Cases:

  • Custom TLS implementations

  • Legacy runtimes

Runtime Support Matrix

Runtime        | Base Visibility | Payload Visibility | Configuration Needed
OpenSSL        | Yes             | Native TLS         | None
GoTLS          | Yes             | Native TLS         | None
NodeTLS        | Yes             | Native TLS         | None
Java           | Yes             | Native TLS         | None
Custom TLS     | Yes             | Egress Controller  | Environment Vars
Other Runtimes | Yes             | Egress Controller  | Environment Vars

An example of Socket Layer Connection Attribution