Getting Started
Trace Eagle is a cross-platform packet capture and decryption tool. It captures traffic on your computer and phone, automatically decrypts ciphertext into plaintext, and lets you read every request and response directly.
This guide walks you through capturing and understanding your first decrypted request in just a few minutes.
1. Install and launch
Section titled “1. Install and launch”- Follow Install to download the desktop app for your platform (macOS / Windows / Linux).
- Open the app. On first launch it may ask for system permissions (low-level capture needs them); just approve.
- No registration, no login: open it and it just works.
2. The fastest first success: capture your own browser
Section titled “2. The fastest first success: capture your own browser”Want to see results immediately? Use per-process capture: the tool launches your browser for you and captures only that one program, decrypting everything automatically, with no proxy to configure and no certificate to install.
- Go to “Per-process capture” and pick your browser (or enter a launch command).
- Click Start, and the tool launches the browser.
- In the browser, open any website.
- Requests appear in the request list immediately; click one to see the decrypted plaintext: request line, headers, body, and the response too.
3. Pick a capture method that fits you
Section titled “3. Pick a capture method that fits you”Different targets call for different capture methods. Pick one from the list below:
| What you want to capture | Which capture method |
|---|---|
| A local browser / program, and you also want to edit and replay packets | Proxy capture |
| All traffic on the whole machine, including traffic that does not go through the proxy, UDP / QUIC, and DNS | NIC capture |
| Just one program, with automatic decryption and no certificate | Per-process capture |
| An app that uses certificate pinning or custom encryption you can’t decrypt | App-layer plaintext |
| Built-in system apps and stubborn applications | System-level capture |
| Traffic from an iPhone / iPad | iOS capture |
| Traffic from an Android phone | Android capture |
If you’re unsure, start with proxy capture: it’s the most general, it produces plaintext and lets you edit and replay packets, and it can capture phones and LAN devices along the way.
4. Understanding the interface
Section titled “4. Understanding the interface”- Request list: every captured flow appears here in order; click to expand its details.
- Automatic decryption: when the session key for a flow is available, the tool automatically decrypts the ciphertext into plaintext. For where the keys come from and how far support goes, see TLS decryption.
- Raw and plaintext side by side: view both the decrypted request / response and the underlying raw bytes.
- Process attribution: every flow is labeled with the program that sent it, so you can recognize it at a glance even when everything is mixed together.
For how to read and decode what you captured, see Inspect and decode; to find differences between two requests, see Request comparison.
5. Can’t capture / can’t decrypt? Check these first
Section titled “5. Can’t capture / can’t decrypt? Check these first”| Symptom | Most likely | What to do |
|---|---|---|
| Not a single request | The target doesn’t use the system proxy | Switch to NIC capture; at the NIC layer, everything is capturable |
| Captured, but it’s all ciphertext | No certificate installed, or the app uses certificate pinning | Install the certificate (see Certificate management and installation), or switch to app-layer plaintext |
| Certificate installed on the phone but still can’t capture | Newer Android versions don’t trust user certificates | See the no-cert-install method in Android capture |
| Can’t see HTTP/3 / QUIC | It runs over UDP, which ordinary proxies can’t see | Use NIC capture together with H3 decryption; see TLS decryption |
For more questions, see the FAQ.
6. What’s next
Section titled “6. What’s next”Once you’ve captured, decrypted, and understood a request, these are the everyday high-frequency features:
- Rewrite rules and breakpoint interception: change requests and responses without touching code, or intercept a request mid-flight to edit it by hand.
- Request composing and replay: edit any request and resend it; even endpoints with signatures and timestamps can be truly replayed.
- Session replay and load testing: replay a string of requests in batches, or load-test a single endpoint in place.
- Generate code and export API docs: turn one request into code in multiple languages, and reverse an entire session into an OpenAPI document.