Qtap: An eBPF Agent for Capturing Linux Kernel Network Traffic Without App Modifications
Qtap is an eBPF-based agent that captures network traffic flowing through the Linux kernel without requiring application modifications, proxy installations, or certificate management. It intercepts data before and after encryption by attaching to TLS/SSL library functions, then passes it to flexible plugins together with comprehensive context (process, container, host, user, protocol, etc.). Qtap exposes the raw, unencrypted data with minimal overhead and without adding latency, augmenting existing observability pipelines and enabling uses such as security auditing, network debugging, API development, and troubleshooting third-party integrations. Qtap is currently in early development: some APIs may change and documentation may be incomplete, but community contributions and feedback are welcome.
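As an added example of the mechanism described above (not Qtap's own code), the bpftrace script below attaches uprobes to OpenSSL's SSL_write and SSL_read so that the plaintext on both sides of encryption is printed with the calling process's context. It assumes OpenSSL 3 at /usr/lib/x86_64-linux-gnu/libssl.so.3 (adjust the path for your distribution), dynamically linked applications, and root privileges to load the probes.

```bpftrace
#!/usr/bin/env bpftrace
// Added example, not part of Qtap. Hooks OpenSSL so that plaintext handed to
// SSL_write (before encryption) and returned by SSL_read (after decryption)
// is printed alongside pid, command name and uid. Assumed library path:
// /usr/lib/x86_64-linux-gnu/libssl.so.3. Statically linked TLS stacks
// (e.g. Go's crypto/tls) are not covered by these attach points.

// Outbound: int SSL_write(SSL *ssl, const void *buf, int num)
// arg1 is the plaintext buffer and arg2 its length, both valid at entry.
uprobe:/usr/lib/x86_64-linux-gnu/libssl.so.3:SSL_write
{
  printf("WRITE pid=%d comm=%s uid=%d len=%d\n", pid, comm, uid, arg2);
  printf("%s\n", str(arg1, arg2));
}

// Inbound: int SSL_read(SSL *ssl, void *buf, int num)
// The buffer is only filled after decryption, so remember the pointer at
// entry (keyed by thread id) and read it when the call returns.
uprobe:/usr/lib/x86_64-linux-gnu/libssl.so.3:SSL_read
{
  @buf[tid] = arg1;
}

uretprobe:/usr/lib/x86_64-linux-gnu/libssl.so.3:SSL_read
/@buf[tid] != 0/
{
  // retval is the number of plaintext bytes written; <= 0 means no data
  if (retval > 0) {
    printf("READ  pid=%d comm=%s uid=%d len=%d\n", pid, comm, uid, retval);
    printf("%s\n", str(@buf[tid], retval));
  }
  delete(@buf[tid]);
}

END
{
  clear(@buf);
}
```

Run it with `sudo bpftrace ssl_tap.bt` while a dynamically linked TLS client or server is active; bpftrace's str() truncates at BPFTRACE_STRLEN (64 bytes by default), so raise that environment variable to see longer payloads.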