
Data Collection with eBPF

Learn how Pynt uses eBPF to collect live traffic data for real-time API discovery and security testing, enabling seamless monitoring without performance impact.

Introduction & Purpose

This page provides a concise overview of how Pynt leverages eBPF and AWS Traffic Mirroring (where relevant) to capture real-time HTTP traffic, generate HAR files, and integrate with Pynt’s SaaS for deeper API security insights. The goal is to deliver comprehensive API visibility, uncovering both known and shadow endpoints while maintaining minimal overhead.


1. Why Live Traffic Capture?

  1. Full Visibility: By monitoring raw network activity, you discover all real-time API calls, including shadow or undocumented endpoints.

  2. Low Overhead: eBPF operates at the Linux kernel level with minimal performance impact and runs seamlessly in cloud environments.

  3. Actionable Insights: Generating accurate HAR files enables quick integration into security workflows, identifying risks you might otherwise miss with static or manual discovery methods.


2. Key Components

eBPF Sniffer

  • Purpose: Intercepts HTTP traffic by hooking into system calls (accept, read, write, close) at the kernel level.

  • Deployment: Runs as a DaemonSet in Kubernetes, ensuring continuous coverage across all nodes.

  • Value: Near real-time data capture with minimal system overhead or code instrumentation.

Aggregator

  • Purpose: Collects, filters, and deduplicates HTTP session data; generates HAR files on demand.

  • Deployment: A Kubernetes Deployment that pulls data from the Sniffer through RabbitMQ.

  • Responsibilities:

    • Filtering irrelevant traffic

    • Deduplicating repeated sessions

    • Storing the last X sessions in memory

    • Exposing an API to produce HAR files

RabbitMQ

  • Purpose: Acts as a message queue for seamless, scalable communication between the Sniffer and the Aggregator.

  • Deployment: A Kubernetes Deployment in the same cluster.

  • Benefit: Decouples the data capture from processing, improving reliability and scalability.

Attacker Container (Sidecar)

  • Purpose: Shares a volume with the Aggregator to access generated HAR files for subsequent scanning or analysis.

  • Deployment: A sidecar container within the Aggregator pod.

  • Benefit: Automates vulnerability testing (e.g., a HAR-based approach) without extra network hops.


3. Architecture Diagram

[Architecture diagram: image not reproduced in this text version.]


4. Data Flow & High-Level Steps

  1. Syscall Interception: The eBPF Sniffer hooks system calls (accept, read, write, close), capturing HTTP requests/responses in real time.

  2. Queue & Transport: Captured session data is sent to RabbitMQ.

  3. Aggregation & Storage: The Aggregator consumes these sessions, applying filtering and deduplication rules.

  4. HAR Request: An API endpoint on the Aggregator lets you request a HAR file for the last X sessions.

  5. HAR File Generation: The Aggregator writes the HAR file to a shared volume.

  6. Attacker Container: If needed, the sidecar container accesses the HAR file for security tests or other usage.

  7. Pynt SaaS Upload: Session metadata is also uploaded to Pynt’s SaaS for broader API cataloging and vulnerability analysis.


5. Security & Trust Considerations

  1. Minimal Footprint: eBPF runs in a sandboxed environment at the kernel layer, ensuring system stability and performance.

  2. Controlled Access: Only authenticated users and designated microservices can request HAR files, reducing risk.

  3. Filtered Storage: The Aggregator’s filtering rules ensure sensitive or irrelevant data is not stored beyond the configured retention.

  4. Encryption in Transit: Data from the Sniffer to the Aggregator is protected via secure protocols and contained within your Kubernetes cluster.
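The Aggregator responsibilities in section 2, the data flow in section 4 and the "Filtered Storage" point in section 5 describe a small pipeline: filter noise, deduplicate, keep a bounded window of sessions, and render them as HAR. The following is an added example of that pipeline, not Pynt's own code. The Session record shape, the ignored-path list, the redaction list, the dedup key (method + path + status) and the constructed sample sessions are all assumptions; the HAR 1.2 field layout is the standard one.

```python
"""Added example (not Pynt's code): an in-memory aggregator that filters noise
paths, deduplicates repeated sessions, keeps only the last N sessions, redacts
sensitive headers before anything is stored, and renders the retained window as
a HAR 1.2 log. Record shape, filter list and redaction list are assumptions."""
import json
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlparse

# Header names whose values are never written to storage (assumed list).
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}
# Paths treated as infrastructure noise rather than API surface (assumed list).
IGNORED_PATH_PREFIXES = ("/healthz", "/readyz", "/metrics")


@dataclass
class Session:
    """One captured HTTP exchange, in the shape a sniffer might emit (constructed)."""
    method: str
    url: str
    request_headers: Dict[str, str]
    status: int
    response_headers: Dict[str, str]
    started: str        # ISO-8601 timestamp
    duration_ms: int
    response_body: str = ""


def _har_headers(h: Dict[str, str]) -> List[Dict[str, str]]:
    return [{"name": k, "value": v} for k, v in h.items()]


class Aggregator:
    """Keeps the last `max_sessions` distinct sessions; oldest are evicted first."""

    def __init__(self, max_sessions: int) -> None:
        self.max_sessions = max_sessions
        # Insertion-ordered so eviction of the oldest entry is O(1).
        self._retained: "OrderedDict[Tuple[str, str, int], Session]" = OrderedDict()

    @staticmethod
    def is_relevant(s: Session) -> bool:
        return not urlparse(s.url).path.startswith(IGNORED_PATH_PREFIXES)

    @staticmethod
    def dedup_key(s: Session) -> Tuple[str, str, int]:
        # Query string is dropped so the same endpoint with varying parameters counts once.
        return (s.method.upper(), urlparse(s.url).path, s.status)

    @staticmethod
    def _redact(h: Dict[str, str]) -> Dict[str, str]:
        return {k: ("[REDACTED]" if k.lower() in SENSITIVE_HEADERS else v) for k, v in h.items()}

    def ingest(self, s: Session) -> bool:
        """Filter, deduplicate and store one session. Returns True if retained."""
        if not self.is_relevant(s):
            return False
        key = self.dedup_key(s)
        if key in self._retained:          # duplicate of a session still in the window
            return False
        self._retained[key] = Session(
            s.method, s.url, self._redact(s.request_headers), s.status,
            self._redact(s.response_headers), s.started, s.duration_ms, s.response_body)
        while len(self._retained) > self.max_sessions:
            self._retained.popitem(last=False)   # evict oldest; its key may now recur
        return True

    def to_har(self) -> dict:
        """Render the retained window as a HAR 1.2 document (the 'HAR Request' step)."""
        entries = []
        for s in self._retained.values():
            parsed = urlparse(s.url)
            entries.append({
                "startedDateTime": s.started,
                "time": s.duration_ms,
                "request": {
                    "method": s.method, "url": s.url, "httpVersion": "HTTP/1.1",
                    "headers": _har_headers(s.request_headers),
                    "queryString": [{"name": k, "value": v} for k, v in parse_qsl(parsed.query)],
                    "cookies": [], "headersSize": -1, "bodySize": -1,
                },
                "response": {
                    "status": s.status, "statusText": "", "httpVersion": "HTTP/1.1",
                    "headers": _har_headers(s.response_headers), "cookies": [],
                    "content": {"size": len(s.response_body),
                                "mimeType": s.response_headers.get("Content-Type", ""),
                                "text": s.response_body},
                    "redirectURL": "", "headersSize": -1, "bodySize": -1,
                },
                "cache": {},
                "timings": {"send": 0, "wait": s.duration_ms, "receive": 0},
            })
        return {"log": {"version": "1.2",
                        "creator": {"name": "example-aggregator", "version": "0.1"},
                        "entries": entries}}


def build_sample_sessions() -> List[Session]:
    """Constructed traffic: a health probe, a paginated duplicate, and an error page."""
    auth = {"Authorization": "Bearer constructed-token", "Accept": "application/json"}
    js = {"Content-Type": "application/json"}
    return [
        Session("GET", "http://shop.internal/healthz", {}, 200, {}, "2024-01-01T00:00:00Z", 1),
        Session("GET", "http://shop.internal/api/v1/users?page=1", auth, 200, js, "2024-01-01T00:00:01Z", 12, '{"users":[]}'),
        Session("GET", "http://shop.internal/api/v1/users?page=2", auth, 200, js, "2024-01-01T00:00:02Z", 11, '{"users":[]}'),
        Session("POST", "http://shop.internal/api/v1/orders", auth, 201, {**js, "Set-Cookie": "session=abc"}, "2024-01-01T00:00:03Z", 30, '{"id":42}'),
        Session("GET", "http://shop.internal/api/v1/orders/42", auth, 404, {}, "2024-01-01T00:00:04Z", 5),
        Session("GET", "http://shop.internal/internal/debug", {}, 500, {}, "2024-01-01T00:00:05Z", 8, "Traceback ..."),
    ]


def run_demo(max_sessions: int = 3) -> Tuple[List[bool], dict]:
    agg = Aggregator(max_sessions)
    decisions = [agg.ingest(s) for s in build_sample_sessions()]
    return decisions, agg.to_har()


if __name__ == "__main__":
    kept, har = run_demo()
    print(kept)                       # which sessions survived filter + dedup
    print(json.dumps(har, indent=2))  # the HAR a scanner sidecar would consume
```

With a window of three, the health probe is filtered, the second `users` page is deduplicated against the first, and the later `debug` session evicts the oldest retained entry; because the dedup key lives in the same ordered map as the session, an evicted endpoint is captured again the next time it appears. Redaction happens before the record is stored, so tokens and cookies never reach the shared volume or the HAR file.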


6. Next Steps & Additional Resources

  1. Setup Guidelines: We can provide a private repository or documentation detailing the exact deployment steps for your cluster.

  2. Configuration Examples: Sample YAML manifests for deploying the DaemonSet, Aggregator, RabbitMQ, and sidecar containers.

  3. Integration Support: Our team is available to guide you through customizing filters, storage limits, and any specialized network settings.


Last updated 2 months ago

eBPF Data Collection

For specific inquiries regarding this feature, please reach out to support@pynt.io.