An Open-Source Tool to See Through Encrypted Traffic in Linux systems


Qpoint has released Qtap, an open-source eBPF agent for monitoring network traffic on Linux systems. It hooks the TLS/SSL library functions in running processes and captures data before it is encrypted on send and after it is decrypted on receive, so the plaintext traffic can be shown together with the process, container, host, user, and protocol it belongs to.

Qtap runs out-of-band with low overhead; it adds no latency to applications and does not disrupt them.

Qtap makes it easy to see what’s happening in your network, especially for complex apps, third-party services, or legacy systems. It’s lightweight, secure, and works without invasive setup.


What Qtap Does

Qtap empowers developers, security professionals, and system administrators to gain deep insights into egress traffic without modifying applications, installing proxies, or managing certificates. Whether you’re auditing sensitive data, debugging network issues, or exploring legacy systems, Qtap provides a clear view of what’s happening in your network.


Key Features and Use Cases

Qtap’s versatility makes it a foundational component for observability pipelines and custom solutions like Qpoint. Its key use cases include:

  • Security Auditing: Verify that sensitive data isn’t being exposed in network communications.
  • Network Debugging: Diagnose API errors, misconfigured parameters, or unexpected responses with real-time traffic insights.
  • API Development: Ensure applications send correctly formatted requests and handle responses as expected.
  • Third-Party Integrations: Confirm data exchanges with external services align with documentation.
  • Learning & Exploration: Study protocol behavior by observing live traffic.
  • Legacy Systems: Gain insights into poorly documented systems without source code access.
  • Validation Testing: Confirm application changes don’t disrupt network communication patterns.

How to Start

Try Qtap in Demo Mode to see traffic in your terminal:

bash

$ curl -s https://get.qpoint.io/demo | sudo sh

To install and run:

bash

# Install Qtap
$ curl -s https://get.qpoint.io/install | sudo sh

# Run with defaults
$ sudo qtap

Qtap needs Linux kernel 5.10+ with BTF and eBPF enabled (check /sys/kernel/btf/vmlinux). It requires elevated permissions: sudo on the host or CAP_BPF and privileged mode in Docker.
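The requirements above (kernel 5.10+, BTF exposed at /sys/kernel/btf/vmlinux, root or CAP_BPF) can be verified before running the installer. The pre-flight script below is an added example written for this article; it is not part of Qtap or its install script. It assumes the standard locations of the kernel BTF file and the CapEff line in /proc/self/status, and treats CAP_SYS_ADMIN (bit 21) as an acceptable alternative to CAP_BPF (bit 39), since the bpf() syscall accepts either.

```shell
#!/bin/sh
# Illustrative pre-flight check for the Qtap requirements described above.
# Written for this article; not part of Qtap or its installer.

# kernel_at_least WANT HAVE: returns 0 if kernel version HAVE (as printed by
# `uname -r`, e.g. 6.8.0-45-generic) is at least WANT (e.g. 5.10).
kernel_at_least() {
  want_major=${1%%.*}
  want_minor=${1#*.}; want_minor=${want_minor%%.*}
  have=${2%%-*}                        # drop "-generic", "-amd64" style suffixes
  have_major=${have%%.*}
  have_minor=${have#*.}; have_minor=${have_minor%%.*}
  if [ "$have_major" -gt "$want_major" ]; then return 0; fi
  if [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; then
    return 0
  fi
  return 1
}

# btf_present [PATH]: returns 0 if the kernel exposes BTF type information,
# which eBPF programs use to resolve kernel struct layouts. PATH defaults to
# the real sysfs location; a parameter is accepted so the check is testable.
btf_present() {
  [ -r "${1:-/sys/kernel/btf/vmlinux}" ]
}

# can_load_bpf CAPEFF_HEX: returns 0 if the effective capability mask (the
# hex value on the CapEff line of /proc/PID/status) contains CAP_BPF (bit 39)
# or CAP_SYS_ADMIN (bit 21). Root and a privileged container have both; the
# default Docker capability set has neither.
can_load_bpf() {
  mask=$(( 0x$1 ))
  if [ $(( (mask >> 39) & 1 )) -eq 1 ] || [ $(( (mask >> 21) & 1 )) -eq 1 ]; then
    return 0
  fi
  return 1
}

# preflight: run all three checks against the current host and report.
preflight() {
  ok=0
  running=$(uname -r)
  if kernel_at_least 5.10 "$running"; then
    echo "kernel: ok ($running)"
  else
    echo "kernel: need 5.10+, have $running"; ok=1
  fi
  if btf_present; then
    echo "btf: ok (/sys/kernel/btf/vmlinux)"
  else
    echo "btf: /sys/kernel/btf/vmlinux missing (kernel built without CONFIG_DEBUG_INFO_BTF)"; ok=1
  fi
  caps=$(awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null || true)
  if can_load_bpf "${caps:-0}"; then
    echo "caps: ok (CapEff=${caps:-0})"
  else
    echo "caps: need root, CAP_BPF or CAP_SYS_ADMIN (run with sudo, or add the capability in Docker)"; ok=1
  fi
  return $ok
}

if preflight; then
  echo "host looks ready for qtap"
else
  echo "fix the items above before running qtap"
fi
```

Run it as the same user and in the same container you intend to run `qtap` in: the capability check reads the caller's own CapEff, so running it under sudo on the host but unprivileged in Docker would report two different answers.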

Developing Qtap

Qtap is on GitHub. Developers can contribute using:

  • OS: Linux (kernel 5.10+). macOS users can use Lima for a Linux VM.
  • Tools: Go 1.24+, make, clang 14 (required), clang-tidy (optional).

Clone and build:

bash

$ git clone https://github.com/qpoint-io/qtap.git
$ make build

Common make commands:

  • build: Builds eBPF binaries and Go app.
  • generate: Creates eBPF binaries.
  • run: Starts a debug instance.
  • ci: Runs CI checks.

Qtap is in early development. APIs may change, and documentation might be incomplete. Feedback is welcome via GitHub Issues or Discussions. Contributors agree to a Contributor License Agreement for open-source and commercial use.
