Qtap: See Through Encrypted Linux Traffic with eBPF for Unparalleled Observability and Security Auditing

An eBPF agent that captures traffic flowing through the Linux kernel. By attaching to TLS/SSL functions, it intercepts data before encryption (on write) and after decryption (on read), then passes it to flexible plugins with full visibility and all of the available context: process, container, host, user, protocol, etc. Qtap makes it possible to understand what’s happening with your egress traffic without modifying apps, installing proxies, or managing certs.

Network Observability

Qtap shows you exactly what data is being sent and received in its original, unencrypted form while operating out-of-band with minimal overhead, without adding latency or disrupting application performance.

Qtap can augment your existing observability pipelines or can be used as a foundational component for a custom solution, like Qpoint, in a variety of ways, including:

  • Security auditing – Security professionals can verify sensitive data isn’t being unintentionally exposed in network communications.
  • Debugging network issues – When APIs return errors or connections fail, seeing the actual data being sent helps identify misconfigured parameters, malformed requests, or unexpected responses.
  • API development – Developers can verify their applications are sending correctly formatted requests and properly handling responses without modifying code.
  • Troubleshooting third-party integrations – When integrating with external services, Qtap helps confirm what data is actually being exchanged versus what documentation claims.
  • Learning and exploration – Understanding how protocols actually work by observing real traffic between applications and services.
  • Legacy system investigation – When working with poorly documented or legacy systems, Qtap provides insights into how they communicate without requiring source code access.
  • Validation testing – Confirming that application changes don’t unexpectedly alter network communication patterns.

Connections

All outbound connections are visible through Qtap’s eBPF-based socket layer integration, regardless of the runtime environment or TLS implementation.

What We Capture:

  • Connection establishment and teardown

  • Source and destination information

  • Bandwidth usage

  • Protocol details

  • Process attribution

How It Works:

  • eBPF programs attach to kernel socket functions

  • Captures events for TCP/IP operations

  • Provides real-time visibility into network flows

  • Associates connections with process context

This base layer ensures complete visibility into all network connections, forming the foundation for Qpoint’s observability capabilities.

Payloads

Beyond connection visibility, Qtap can capture payload content through two different mechanisms:

Native TLS Integration

Qtap provides automatic payload visibility for applications using supported TLS libraries, requiring zero configuration. It works by attaching eBPF uprobes to specific SSL/TLS functions in the library, which lets it capture the plaintext buffer before encryption (for outbound traffic) or after decryption (for inbound traffic).

How It Works:

  1. When a program starts, Qtap scans its ELF (Executable and Linkable Format) file

  2. Qtap identifies and locates SSL/TLS-related functions in memory

  3. eBPF uprobes are attached to these functions (e.g., SSL_read, SSL_write)

  4. When the functions are called, Qtap captures the raw data buffer

  5. The captured data is processed locally on the host
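The first three steps above (scan the ELF, locate the SSL/TLS functions, attach uprobes to them) hinge on one detail that is easy to get wrong: the kernel's uprobe subsystem is keyed by file offset, not by the symbol's virtual address, so the symbol's st_value has to be translated through the section header that contains it. The following Go program is an added example and not code from the Qtap project; it performs that ELF scan with the standard library's debug/elf and prints the offset an eBPF loader would hand to the uprobe attach call. The libssl path in main and the symbol names for Go's TLS stack (crypto/tls.(*Conn).Read and .Write) are assumptions for illustration; the loader itself (cilium/ebpf, libbpf, etc.) is out of scope here.

```go
package main

import (
	"debug/elf"
	"fmt"
	"os"
)

// textRange is the part of an ELF section header a uprobe loader needs:
// where the section is mapped (Addr) versus where it sits in the file
// (Offset). The two differ whenever the linker places the executable
// segment at a file offset that is not equal to its virtual address.
type textRange struct {
	Name   string
	Addr   uint64
	Offset uint64
	Size   uint64
}

// UprobeTarget is the (path, file offset) pair the kernel's uprobe subsystem
// attaches to. It is independent of ASLR: the kernel resolves the mapping
// per process whenever the probed object is loaded.
type UprobeTarget struct {
	Path   string
	Symbol string
	Offset uint64
}

// uprobeOffset converts a symbol's virtual address into a file offset.
// Passing the raw st_value instead silently probes the wrong instruction
// whenever the containing section has Addr != Offset.
func uprobeOffset(symValue uint64, r textRange) uint64 {
	return symValue - r.Addr + r.Offset
}

// rangeFor returns the executable section that contains addr.
func rangeFor(ranges []textRange, addr uint64) (textRange, error) {
	for _, r := range ranges {
		if addr >= r.Addr && addr < r.Addr+r.Size {
			return r, nil
		}
	}
	return textRange{}, fmt.Errorf("address %#x is not inside any executable section", addr)
}

// execRanges collects the loadable, executable sections of an opened ELF file.
func execRanges(f *elf.File) []textRange {
	var out []textRange
	for _, s := range f.Sections {
		if s.Flags&elf.SHF_EXECINSTR != 0 && s.Flags&elf.SHF_ALLOC != 0 {
			out = append(out, textRange{s.Name, s.Addr, s.Offset, s.Size})
		}
	}
	return out
}

// findFunc looks a function up first in .dynsym (present even in stripped
// shared libraries; this is where SSL_read/SSL_write live) and then in
// .symtab (needed for Go binaries, whose TLS functions are not exported).
func findFunc(f *elf.File, name string) (elf.Symbol, error) {
	for _, lookup := range []func() ([]elf.Symbol, error){f.DynamicSymbols, f.Symbols} {
		syms, err := lookup()
		if err != nil {
			continue // this symbol table is absent; try the next one
		}
		for _, s := range syms {
			if s.Name == name && elf.ST_TYPE(s.Info) == elf.STT_FUNC && s.Section != elf.SHN_UNDEF {
				return s, nil
			}
		}
	}
	return elf.Symbol{}, fmt.Errorf("function %q not defined in this object", name)
}

// ResolveUprobe performs the ELF scan: open the object, locate the symbol,
// and translate its address into the file offset a uprobe attaches to.
func ResolveUprobe(path, symbol string) (UprobeTarget, error) {
	f, err := elf.Open(path)
	if err != nil {
		return UprobeTarget{}, err
	}
	defer f.Close()
	sym, err := findFunc(f, symbol)
	if err != nil {
		return UprobeTarget{}, fmt.Errorf("%s: %w", path, err)
	}
	r, err := rangeFor(execRanges(f), sym.Value)
	if err != nil {
		return UprobeTarget{}, fmt.Errorf("%s: %w", path, err)
	}
	return UprobeTarget{Path: path, Symbol: symbol, Offset: uprobeOffset(sym.Value, r)}, nil
}

func main() {
	// Assumed library location; pass another object (a Go binary, node, ...) as argv[1]
	// and the symbols to resolve as the remaining arguments.
	path, symbols := "/usr/lib/x86_64-linux-gnu/libssl.so.3", []string{"SSL_read", "SSL_write"}
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	if len(os.Args) > 2 {
		symbols = os.Args[2:] // e.g. "crypto/tls.(*Conn).Write" for a Go binary
	}
	for _, sym := range symbols {
		t, err := ResolveUprobe(path, sym)
		if err != nil {
			fmt.Fprintln(os.Stderr, "error:", err)
			os.Exit(1)
		}
		fmt.Printf("%s %s -> uprobe file offset %#x\n", t.Path, t.Symbol, t.Offset)
	}
}
```

Two practical notes on using these offsets. For OpenSSL, SSL_write's plaintext is in its arguments at function entry, but SSL_read's plaintext only exists when the function returns, so the read side needs a return probe (or an entry probe that stashes the buffer pointer and a return probe that reads it). For Go binaries, uretprobes are unsafe because the runtime may copy a goroutine's stack while the function runs, so agents instead place uprobes on each RET instruction of the function, which requires disassembling the function body rather than just resolving its symbol.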

Supported Libraries:

  • OpenSSL

  • GoTLS

  • NodeTLS

  • Java 17 – 21

Egress Controller

For runtimes where native TLS integration isn’t possible, or isn’t the preferred approach, Qtap provides an egress controller mode:

How It Works:

  • Local HTTP(S) proxy on the host

  • Transparent traffic redirection

  • Local TLS termination and re-encryption

Install & Use