Skip to content

Per-Process Capture

Want to see the traffic from just one program, but not go through the whole hassle of “change the global proxy, install a certificate, restore everything after capture”? Give it a launch command and the tool starts the program for you, captures only that one and shows plaintext from launch, with zero interference to other software on the system. The lightest, cleanest way to capture a single program.


Proxying a single program usually means changing the system proxy, installing a certificate for it, and restoring everything afterward, with the risk of affecting other software if you’re not careful. Per-process capture skips all of that:

Proxying a single program (traditional approach) Per-process capture
System-wide proxy Must change it, and restore it after Untouched
Install a certificate Must install one, and the program must trust it Not needed
Impact on other software Possible (a global proxy spills over) Zero interference (affects only this one program)
Seeing plaintext Only if the program trusts the certificate Plaintext from launch (automatic decryption for common programs)
Cleanup after capture Must restore the proxy / remove the certificate Just stop it, nothing to restore

In short: proxy capture touches “the whole machine,” per-process capture touches only “this one program.” If you want to cleanly see what a single program is sending, this is the most effortless way.


  • Captures only this one program, zero intrusion: doesn’t change the system proxy, install a certificate, or touch the NIC; only the program you launch gets captured. Other software on the system is entirely unaffected, and there’s no cleanup after capture.
  • Plaintext from launch, broad coverage: browsers, Electron-style desktop apps, Node, Python, desktop Java, and command-line tools that use common crypto libraries all show plaintext the moment one command starts them up, with nothing to configure for the program and no certificate to install.
  • Child processes followed automatically: child processes the program spawns internally are captured too, nothing missed.
  • Ready whenever you are: to debug a script or verify an API, enter a command and start capturing, far faster than setting up a proxy and installing a certificate.

In “Launch command,” enter the command you want to run (for example python3 app.py), and the tool will start it and capture only its traffic. Three one-click examples are built in; click one to fill it in automatically, then edit as needed:

  • Browser example: launches a separate, clean browser window (leaving the browser you use day to day untouched) and captures it directly; HTTP/3 (QUIC) has already been set to fall back to an ordinary connection for you, so it’s easy to capture and decryptable.
  • Python example: send a request with one command and see the plaintext.
  • Command-line example: an HTTPS request made from the command line is captured immediately.

New session · Per-process capture: enter a launch command and the tool starts the program for you, captures only that one, and decrypts it automatically; browser / Python / command-line one-click examples are built in

If a different program you’re capturing also uses HTTP/3, turn on the session-level “Block HTTP/3” to make it fall back to an ordinary connection, which likewise makes it easy to capture and decryptable.


4. Seeing plaintext: what works, and what needs a different approach

Section titled “4. Seeing plaintext: what works, and what needs a different approach”
  • Common programs: plaintext from launch. Browsers, Electron apps, Node, Python, desktop Java, and command-line tools that use common crypto libraries show plaintext directly after launch, with no extra steps.

Real result: a program launched by a single command has its HTTPS request captured and decrypted; the details show TLS “Decrypted,” with the request headers and JSON response laid out clearly

  • A few programs can’t be decrypted (capturable, but ciphertext only): certain programs that use special crypto libraries don’t yield plaintext with this method. The most typical is macOS’s built-in curl (and tools based on the same system crypto library); some programs written purely in Go are the same.

    To see plaintext for HTTPS sent from the command line, the “Python example” is the most reliable; or switch to an OpenSSL-based curl.

  • Programs that ignore proxy settings entirely: this method can’t capture their traffic.

For these “fortified” or special programs, switch to App-Layer Capture, which reads plaintext directly from inside the program and can handle certificate pinning, in-house encryption, and system crypto libraries alike.


5. After capture: understand it, decode it

Section titled “5. After capture: understand it, decode it”

Captured data goes through the same processing as every other capture method, and is just as easy to understand and decode:

  • Multiple ways to view: structured, prettified text, hex, and auto-detect, switchable independently for each direction. See Inspect & Decode for details.
  • Automatic decompression and detection: automatically decompresses gzip / brotli / deflate / zstd (including multiple stacked layers), and auto-detects and prettifies JSON, XML, forms, protobuf / gRPC, and more.
  • Custom codecs: for proprietary / in-house protocols, write a short script to teach it how to read them. See Custom Protocol Decoding for details.

6. Choosing among the four local capture methods

Section titled “6. Choosing among the four local capture methods”
Your situation Which to use
A regular program you can start with a command (browser / script / CLI) Per-process capture (this page, the most effortless)
Wanting to see all traffic on the machine, non-HTTP traffic, or everything a program does on the network NIC Capture
A program that’s already running / uses certificate pinning / ignores the proxy / uses in-house encryption / uses a system crypto library App-Layer Capture
Built-in system apps on macOS / stubborn apps System-Level Capture

  • Debugging a script / verifying an API: you’ve written a Python / Node script and want to see exactly what it sends and receives; enter a command and see plaintext directly.
  • Watching just one program: without changing system settings or affecting other software, see only who this one program is talking to.
  • Capturing a clean browser session: use the example to launch a separate browser window, free of the noise from all the plugins and tabs in your everyday browser.

Related: Proxy Capture · App-Layer Capture · Inspect & Decode