qtap
Qtap is an eBPF-based Linux agent that captures unencrypted network traffic by hooking TLS/SSL functions in the kernel, providing visibility into egress connections without modifying applications or managing certificates. It offers out-of-band traffic inspection with minimal overhead, suitable for security auditing, debugging, and observability.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | qpoint-io/qtap |
| Owner | qpoint-io |
| Primary language | C |
| License | AGPL-3.0 — OSI-approved |
| Stars | 1.4k |
| Forks | 55 |
| Open issues | 11 |
| Latest release | Unknown |
| Last updated | 2026-06-10 |
| Source | https://github.com/qpoint-io/qtap |
What qtap is
Qtap attaches to kernel TLS/SSL functions via eBPF probes to intercept plaintext data before encryption, correlating traffic with process, container, and host context. It exports metrics via Prometheus endpoints and supports OpenTelemetry trace export, integrating with standard observability pipelines.
Get the qtap source
Clone the repository and explore it locally.
git clone https://github.com/qpoint-io/qtap.gitcd qtap# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Kernel BTF support is mandatory; verify `/sys/kernel/btf/vmlinux` exists before deployment. Backports or kernel upgrades may be required for older distributions.
- Requires elevated privileges (sudo or CAP_BPF + CAP_SYS_ADMIN); in Kubernetes, enforce via workload identity and security policies.
- eBPF program lifecycle management: monitor for kernel memory constraints and eBPF verifier failures; test on target kernel versions before production rollout.
- DevTools provides local network tab interface; plan for multi-node deployments using metrics export to central observability systems (Prometheus, OpenTelemetry collector).
- Plaintext traffic capture implies data handling compliance; implement proper log rotation, retention policies, and access controls around captured data.
When to avoid it — and what to weigh
- Non-Linux or Older Kernels — Requires Linux 5.10+ with BTF (BPF Type Format) support. Not available on macOS, Windows, or older Linux distributions without kernel upgrades.
- Production with Strict Regulatory Constraints — Capturing unencrypted traffic—even kernel-side—raises compliance concerns in regulated industries (healthcare, finance). Verify your data handling and privacy policies support this approach before deploying.
- High-Throughput or Latency-Sensitive Workloads — While described as low-overhead, eBPF probes on every TLS function add overhead at scale. Not suitable where microsecond latencies or gigabit-plus throughput are critical to SLA.
- Application-Level Encryption Beyond TLS — Qtap only intercepts at TLS/SSL boundaries. If traffic is encrypted at the application layer (e.g., end-to-end encrypted messaging), it cannot provide plaintext visibility.
License & commercial use
Licensed under AGPL-3.0 (GNU Affero General Public License v3.0). AGPL requires that any derivative works or software linked with this agent must also be released under AGPL-3.0 and make source code available to users.
AGPL-3.0 is a copyleft license with network clause. Commercial use is permitted, but if you distribute or operate a modified version as a service or integrate it into proprietary products, you must disclose source code and license derivative works under AGPL-3.0. Consult legal counsel before integrating into closed-source commercial products. Qpoint offers a commercial SaaS product; clarify if you need proprietary licensing terms with them.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | High |
| DEV.co fit | Good |
| Assessment confidence | High |
Qtap captures plaintext traffic at kernel level, creating a sensitive data collection point. Implement: (1) strict access controls on metrics/logs; (2) compliance review for PII/credential exposure in regulated environments; (3) eBPF verifier best practices and kernel security updates; (4) network policies to isolate telemetry export. No audit trail of captured data documented; responsibility lies with operator. No explicit mention of encryption for exported metrics or traces—verify with your observability backend.
Alternatives to consider
Envoy Proxy / Service Mesh (Istio, Linkerd)
Provide encrypted traffic visibility via sidecar proxies with L7 inspection, but require app instrumentation and additional resource overhead. Trade: control over traffic routing vs. less kernel-level abstraction.
tcpdump + TLS termination proxy (mitmproxy, Fiddler)
Capture encrypted traffic by intercepting at proxy layer, with full certificate control. Trade: requires app reconfiguration, central trust store, and higher latency vs. kernel-level transparency.
eBPF-based alternatives (Falco, Cilium Hubble)
Cilium Hubble provides network observability via eBPF but focuses on policy and pod-to-pod visibility rather than TLS plaintext decryption. Falco is for runtime security. Trade: less deep packet inspection but broader cloud-native integration.
Build on qtap with DEV.co software developers
Try Qtap in demo mode with one command, or review the docs to integrate with your observability stack. Check kernel compatibility (5.10+ with BTF) and license requirements before production deployment.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
qtap FAQ
Does Qtap require me to install certificates or run a proxy?
Can Qtap see traffic from all processes or only specific ones?
Is Qtap suitable for production use?
What observability systems does Qtap integrate with?
Work with a software development agency
Need help beyond evaluating qtap? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source observability integrations — and maintain them long-term.
Ready to inspect your network traffic?
Try Qtap in demo mode with one command, or review the docs to integrate with your observability stack. Check kernel compatibility (5.10+ with BTF) and license requirements before production deployment.