Skip to content

Getting Started

Trace Eagle is a cross-platform packet capture and decryption tool. It captures traffic on your computer and phone, automatically decrypts ciphertext into plaintext, and lets you read every request and response directly.

This guide walks you through capturing and understanding your first decrypted request in just a few minutes.

  1. Follow Install to download the desktop app for your platform (macOS / Windows / Linux).
  2. Open the app. On first launch it may ask for system permissions (low-level capture needs them); just approve.
  3. No registration, no login: open it and it just works.

2. The fastest first success: capture your own browser

Section titled “2. The fastest first success: capture your own browser”

Want to see results immediately? Use per-process capture: the tool launches your browser for you and captures only that one program, decrypting everything automatically, with no proxy to configure and no certificate to install.

  1. Go to “Per-process capture” and pick your browser (or enter a launch command).
  2. Click Start, and the tool launches the browser.
  3. In the browser, open any website.
  4. Requests appear in the request list immediately; click one to see the decrypted plaintext: request line, headers, body, and the response too.

Different targets call for different capture methods. Pick one from the list below:

What you want to capture Which capture method
A local browser / program, and you also want to edit and replay packets Proxy capture
All traffic on the whole machine, including traffic that does not go through the proxy, UDP / QUIC, and DNS NIC capture
Just one program, with automatic decryption and no certificate Per-process capture
An app that uses certificate pinning or custom encryption you can’t decrypt App-layer plaintext
Built-in system apps and stubborn applications System-level capture
Traffic from an iPhone / iPad iOS capture
Traffic from an Android phone Android capture

If you’re unsure, start with proxy capture: it’s the most general, it produces plaintext and lets you edit and replay packets, and it can capture phones and LAN devices along the way.

  • Request list: every captured flow appears here in order; click to expand its details.
  • Automatic decryption: when the session key for a flow is available, the tool automatically decrypts the ciphertext into plaintext. For where the keys come from and how far support goes, see TLS decryption.
  • Raw and plaintext side by side: view both the decrypted request / response and the underlying raw bytes.
  • Process attribution: every flow is labeled with the program that sent it, so you can recognize it at a glance even when everything is mixed together.

For how to read and decode what you captured, see Inspect and decode; to find differences between two requests, see Request comparison.

5. Can’t capture / can’t decrypt? Check these first

Section titled “5. Can’t capture / can’t decrypt? Check these first”
Symptom Most likely What to do
Not a single request The target doesn’t use the system proxy Switch to NIC capture; at the NIC layer, everything is capturable
Captured, but it’s all ciphertext No certificate installed, or the app uses certificate pinning Install the certificate (see Certificate management and installation), or switch to app-layer plaintext
Certificate installed on the phone but still can’t capture Newer Android versions don’t trust user certificates See the no-cert-install method in Android capture
Can’t see HTTP/3 / QUIC It runs over UDP, which ordinary proxies can’t see Use NIC capture together with H3 decryption; see TLS decryption

For more questions, see the FAQ.

Once you’ve captured, decrypted, and understood a request, these are the everyday high-frequency features: