# How It Works

Qtap is Qpoint's host-based eBPF sensor that provides deep visibility into application traffic through various kernel and library integration points. The sensor employs multiple complementary approaches to gather comprehensive data about application traffic, with all connections visible through base socket layer monitoring and extended payload visibility available through either native TLS integration or egress controller mode.

## Connections

All outbound connections are visible through Qtap's eBPF-based socket layer integration, regardless of the runtime environment or TLS implementation.

**What We Capture:**

* Connection establishment and teardown
* Source and destination information
* Bandwidth usage
* Protocol details
* Process attribution

**How It Works:**

* eBPF programs attach to kernel socket functions
* Captures events for TCP/IP operations
* Provides real-time visibility into network flows
* Associates connections with process context

This base layer ensures complete visibility into all network connections, forming the foundation for Qpoint's observability capabilities.

<figure><img src="/files/YT0sF2PaUPMMzN9vYxkb" alt=""><figcaption><p>An example of Socket Layer Connection Attribution</p></figcaption></figure>

## Payloads

Beyond connection visibility, Qtap can capture payload content through two different mechanisms:

### **Native TLS Integration**

Qtap provides automatic payload visibility for applications using supported TLS libraries, requiring zero configuration. The process works by using eBPF uprobes to attach to specific SSL/TLS functions in the library, allowing us to capture data before encryption (for outbound traffic) or after decryption (for inbound traffic).

**How It Works:**

1. When a program starts, Qtap scans its ELF (Executable and Linkable Format) file
2. Qtap identifies and locates SSL/TLS-related functions in memory
3. eBPF uprobes are attached to these functions (e.g., SSL\_read, SSL\_write)
4. When the functions are called, Qtap captures the raw data buffer
5. The captured data is processed locally on the host

**Supported Libraries:**

* OpenSSL
* GoTLS
* NodeTLS
* Java 11 - 21

### **Egress Controller**

For runtimes where native TLS integration isn't possible or preferred, Qtap provides an egress controller mode:

**How It Works:**

* Local HTTP(S) proxy on the host
* Transparent traffic redirection
* Local TLS termination and re-encryption

**Configuration:**

```bash
# Required Environment Variables
QPOINT_STRATEGY=forward    # Enables egress controller mode
TRUST_STORE=/path/to/certs # Certificate store location
```

**Common Use Cases:**

* Custom TLS implementations
* Legacy runtimes

## Runtime Support Matrix

| Runtime        | Base Visibility | Payload Visibility | Configuration Needed |
| -------------- | --------------- | ------------------ | -------------------- |
| OpenSSL        | Yes             | Native TLS         | None                 |
| GoTLS          | Yes             | Native TLS         | None                 |
| NodeTLS        | Yes             | Native TLS         | None                 |
| Java           | Yes             | Native TLS         | None                 |
| Custom TLS     | Yes             | Egress Controller  | Environment Vars     |
| Other Runtimes | Yes             | Egress Controller  | Environment Vars     |

***

## Try It Yourself

Ready to see this in action?

**Quick Start (Cloud Management):**

* [POC Kick Off Guide](/guides/qplane-guides/poc-kick-off-guide.md) - Deploy your first eBPF sensor and see TLS visibility in 10 minutes

**Self-Managed (YAML):**

* [Complete Guide](/guides/qtap-guides/getting-started/getting-started-complete-guide.md) - Progressive tutorial from basics to production (4 levels, 50 minutes)

**Deep Dive:**

* [Architecture Overview](/readme/architecture-overview.md) - Understand the complete system architecture
* [eBPF Concepts](/readme/ebpf-concepts.md) - Learn about the underlying eBPF technology


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.qpoint.io/readme/how-it-works.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.