# Key Components

## **eBPF Sniffer**

**Purpose:** Intercepts HTTP traffic by hooking into key system calls (`accept`, `read`, `write`, `close`) at the kernel level.\
**Deployment:** Runs as a **DaemonSet** in Kubernetes, ensuring coverage across all nodes.\
**Value:** Captures API traffic in **near real-time** with **low overhead** and **no code instrumentation**.

## **RabbitMQ (Message Queue)**

**Purpose:** Acts as a **scalable message broker** between the Sniffer and Aggregator.\
**Deployment:** Runs as a **Kubernetes Deployment** in the same cluster.<br>

## Aggregator

**Purpose:** Collects, filters, and **deduplicates HTTP session data** before generating HAR files.\
**Deployment:** Runs as a **Kubernetes Deployment**, pulling data from the Sniffer via **RabbitMQ**.\
**Responsibilities:**

* **Filtering** irrelevant traffic.
* **Deduplicating** repeated sessions.
* **Storing** the last X sessions in memory.
* **Providing an API** to generate HAR files on demand.

## **Attacker Container (Soon)**

**Purpose:** Accesses generated HAR files for **automated security scanning** and API testing.\
**Deployment:** Runs as a **sidecar container** within the Aggregator pod.\
**Benefit:** Enables **seamless vulnerability testing** **without extra network hops**.

## Security & Trust Considerations

### **Minimal System Footprint**

eBPF operates **in a sandboxed environment** at the **kernel level**, ensuring **system stability** with **minimal overhead**.

### **Controlled Access & Compliance**

**Strict access controls** allow only authenticated users and **designated microservices** to request HAR files.

**Filtered storage policies** prevent the retention of unnecessary or sensitive data.

### **End-to-End Data Protection**

**All communication is encrypted** between the Sniffer, Aggregator, and RabbitMQ.

Data remains contained **within your Kubernetes cluster**, ensuring **isolation and security compliance**.