Support
API Discovery

Network Traffic Analyzer: Tap Plugin FAQs

This document is for:
Invicti Enterprise On-Demand

This feature is available with Invicti API Security Standalone or Bundle

The Invicti Network Traffic Analyzer (NTA) utilizes a tap plugin to detect API traffic in your Kubernetes cluster. This document answers common questions about how the tap plugin works. If your Kubernetes environment leverages Istio Service Mesh, ensure you enable and configure this component of the Invicti NTA. For instructions, refer to How to configure and enable the Istio Service Mesh Envoy.

What does the tap plugin actually do?

The tap plugin monitors and analyzes network traffic by listening to all network interfaces and ports in your Kubernetes cluster. When the tap plugin identifies unencrypted API communications, it captures those packets and extracts a limited set of telemetry (meta)data relevant to API discovery. Then the NTA uses the extracted telemetry data to reconstruct OpenAPI3 specs, which are forwarded to your API Inventory in Invicti Enterprise.

Does the tap plugin capture internal and external APIs?

Depending on how the APIs are triggered, the tap plugin can capture both internal and external APIs. Traffic between pods in this case would be considered internal, whereas traffic reaching the edge of the Kubernetes cluster is considered external. Because the tap plugin operates within the boundaries of your Kubernetes cluster, it can capture both internal and external APIs running over HTTP.  

If an application is set with port forwarding, APIs will be found and reported on the internal port, not the port they are being forwarded to.

Which network interfaces does the tap plugin listen to in Kubernetes?

By default, the tap plugin is configured to sniff all API traffic across all available network interfaces. This ensures comprehensive monitoring of your API traffic by capturing all API communications that occur through your Kubernetes network connections.

If you want to narrow down the monitoring scope to specific network channels, you can specify particular interfaces separated by commas using the INVICTI_TAP_INTERFACES environment variable.

Does the tap plugin listen to all ports?

Yes, the tap plugin listens on all network ports. This ensures all API communications that traverse any port are captured. If you want more targeted monitoring, you can specify individual ports or a range of ports using the INVICTI_TAP_PORTS environment variable.  

Specifying Ports

  • Individual Ports: List the ports separated by commas (e.g., 80,443,8080) to monitor API traffic on specific ports.
  • Port Ranges: To monitor all API traffic on ports within a range, specify a range using a dash (e.g., 5005-6000).

This flexibility allows you to tailor the monitoring process to specific needs, focusing on particular areas of network traffic or broadening the scope as necessary.

Which requests are being captured?

The tap plugin is set to only capture requests with 2XX HTTP status codes.

For more targeted traffic analysis, you can adjust the INVICTI_TAP_HTTP_STATUS_CODES environment variable to focus on monitoring responses with HTTP status codes that fall within a specified range or specific status codes.

Configuration Options

  • Specific Status Code: Specify an exact status code to monitor particular responses. For example, setting 200 will limit the monitoring to successful OK responses.
  • Status Code Wildcard 'x': Use the 'x' character as a wildcard to define a range of status codes, for example:
  • 20x: This configuration covers all status codes from 200 to 209, inclusive.
  • 2xx: This broader range includes all status codes from 200 to 299, capturing all successful responses classified under HTTP 2XX status codes.

Does the tap plugin support encrypted traffic?

No, the tap plugin does not support encrypted traffic. It supports HTTP 1.x unencrypted traffic.

What technology does the tap plugin use?

The tap plugin is based on open-source packed-capture technology called pcap (packet capture).

Can I exclude traffic with specific HTTP headers?

Yes. The environment variable INVICTI_TAP_EXCLUDE_TRAFFIC_WITH_HEADERS can be used to specify HTTP headers that, when present in traffic, will exclude that traffic from being monitored or captured. The headers should be specified as a comma-separated list. By default, this list is empty, meaning no traffic is excluded based on headers unless explicitly specified.

How is the tap plugin deployed?

The Invicti Network Traffic Analyzer (which includes the tap plugin component) is installed within your Kubernetes cluster using a helm chart. For more information, refer to Installing the Invicti Network Traffic Analyzer.