An eBPF agent that captures traffic flowing through the Linux kernel. By attaching to TLS/SSL functions, data is intercepted before and after encryption and then passed to flexible plugins with full visibility along with all of the available context – process/container/host/user/protocol/etc. Qtap makes it possible to understand what’s happening with your egress traffic, without modifying apps, installing proxies, or managing certs.
Qtap shows you exactly what data is being sent and received in its original, unencrypted form while operating out-of-band with minimal overhead, without adding latency or disrupting application performance.
Qtap can augment your existing observability piplines or can be used as a foundational component for a custom solution, like Qpoint, in a variety of ways, including:
- Security auditing – Security professionals can verify sensitive data isn’t being unintentionally exposed in network communications.
- Debugging network issues – When APIs return errors or connections fail, seeing the actual data being sent helps identify misconfigured parameters, malformed requests, or unexpected responses.
- API development – Developers can verify their applications are sending correctly formatted requests and properly handling responses without modifying code.
- Troubleshooting third-party integrations – When integrating with external services, Qtap helps confirm what data is actually being exchanged versus what documentation claims.
- Learning and exploration – Understanding how protocols actually work by observing real traffic between applications and services.
- Legacy system investigation – When working with poorly documented or legacy systems, Qtap provides insights into how they communicate without requiring source code access.
- Validation testing – Confirming that application changes don’t unexpectedly alter network communication patterns.
For more information see the “How It Works” section of our website.
Want to give Qtap a test run? Spin up a temporary instance in Demo mode! See the traffic in real time right in your terminal.
# Run Qtap in demo mode $ curl -s https://get.qpoint.io/demo | sudo sh
Or install and start running right away!
# Install the Qtap agent $ curl -s https://get.qpoint.io/install | sudo sh # Run with defaults! $ sudo qtap
Converse with Qpoint devs and the contributors in Github Discussions.
- Linux with Kernel 5.10+ with BPF Type Format (BTF) enabled. You can check if your kernel has BTF enabled by verifying if
/sys/kernel/btf/vmlinuxexists on your system. - eBPF enabled on the host.
- Elevated permissions on the host or within the Docker container running the agent:
- on host run with
sudo - within docker it’s best to run with
CAP_BPF, host pids, and privileged. For example:
docker run --user 0:0 --privileged --cap-add CAP_BPF --cap-add CAP_SYS_ADMIN --pid=host --network=host -v /sys:/sys --ulimit=memlock=-1 us-docker.pkg.dev/qpoint-edge/public/qpoint:v0 tap --log-level=info - on host run with
- linux (kernel 5.8+)
- MacOS developers at Qpoint have enjoyed using Lima as a quick, easy linux VM for development.
- go1.24+
- make
- clang14
- clang-tidy (optional/recommended)
$ git clone https://github.com/qpoint-io/qtap.git
$ cd agent/
$ make build
These are the most commonly used targets by Qpoint devs:
build– generates the eBPF binaries and builds the Go application
9 Comments
compscidr
Have been following this project for a while, cool stuff!
I work a bunch with vpn-like networking on Android phones and it would be cool to have a bit of info on how I might get something like working on phones. I guess its probably not your typical usecase.
Currently since the project is a VPN client, I already intercept all of the packets, I have a pcap writer and can write to files or a tcp sockets and connect wireshark to it – but it needs a bunch of complication to setup the keys so that I can see through encryption, so anything that would make that process easier would be great.
bbkane
Does this work for Go binaries? My understanding is that Go programs do all the encryption "in the process" so the data is encrypted before eBPF can intercept it. I'd love to be wrong about that!
pclmulqdq
To hook into OpenSSL, don't you either need dynamic linking or userspace programs to compile your hooks in? Go and many Rust and C++ binaries tend to prefer static linking, so I wonder if this solution is workable there.
adampk
How easy is the set up, does this need to be deeply integrated in each step of the life-cycle?
nikolayasdf123
sounds like a security breach. how you ensure this does not become link in some next complex CVE?
worldsavior
Isn't there already mechanisms for patching specific SSL libraries to view encrypted requests (e.g. frida)? What is the benefit of using eBPF?
0nethacker1
I like the fact this doesn't impact performance like MITM solutions do.
kristopolous
Just found out about a related things: https://github.com/cle-b/httpdbg
Anyone have any experience with it?
eptcyka
I know that arguing that SSLKEYLOGFILE is all you need will just be a different version of the rsync/dropbox comment, but I do wonder under what circumstances is one able to strace a binary and isn’t able to make it dump session keys? I read the headline and set high hopes on finding a nifty way to mitm apps on Android – alas, I’m not sure this would work there necessarily.