mitmproxy


OS: Windows, Linux, macOS
Size: 100 MB
Version: v12.0

mitmproxy: In-the-Middle Debugging That Just Works

mitmproxy isn’t trying to be Wireshark. It doesn’t do pcap reassembly or decode VoIP flows. What it does is put itself between a client and a server — and let the operator see, tweak, or intercept the full HTTP/HTTPS request/response cycle. All from a terminal. Or a web UI. Or a Python script.

It’s built for people who need to see what’s going across the wire — but want to do it on live traffic, in real time, without getting lost in raw hex dumps. Whether that’s inspecting mobile app calls, testing custom APIs, or rewriting requests mid-flight — mitmproxy fits into a workflow where traditional sniffers don’t help much.

What It Handles Well

| Feature | What It’s Used For |
|---|---|
| Transparent proxying | Captures traffic without client-side config (with correct network setup) |
| TLS interception | Acts as a root CA — can decrypt HTTPS (if trusted by the device) |
| Real-time inspection | View, search, and filter flows as they pass through |
| Inline request editing | Modify headers, bodies, cookies, or query strings on the fly |
| Replay and scripting | Save traffic, replay later, or script custom behavior via Python |
| Web and terminal UI | Choose between ncurses-based CLI or a modern web dashboard |
| HTTP/2 and WebSocket support | Handles modern protocols, even for browser or mobile traffic |
| Add-ons and filters | Plug in logic for auth bypass, load testing, fuzzing, or payload injection |

System Requirements and Setup

It’s a Python tool, works cross-platform, and doesn’t require special kernel hooks or packet capture permissions. It’s often run on a laptop, a Raspberry Pi, or as a MITM node in test environments.

– OS: Linux, macOS, Windows
– Python: 3.8 or higher (Python 3.11+ recommended)
– Install: pipx, pip, or system packages (Homebrew, APT, etc.)
– Browser/devices: Must trust the mitmproxy-generated certificate to avoid SSL errors

Getting Started (Simple Install)

  1. Using pipx (preferred):

pipx install mitmproxy

  2. Launch intercept mode:

mitmproxy

  3. On client device:

– Set HTTP/HTTPS proxy to host_ip:8080
– Install the mitmproxy CA cert (via http://mitm.it)
– Start browsing or launching apps — traffic will appear in terminal

  4. Web UI version:

mitmweb

When It’s Used in Practice

– QA teams testing APIs and looking at raw responses
– Mobile security assessments — observing traffic from Android/iOS apps
– Developers checking how apps behave when connections fail or headers change
– Red teamers manipulating auth tokens or injecting payloads
– Debugging third-party integrations where server behavior isn’t documented
– Teaching HTTP protocol logic — from request structure to TLS negotiation

Strengths (and A Few Gotchas)

Why it’s powerful:

– Scriptable in Python — can modify traffic in smart ways
– Great visibility without packet noise
– Works with WebSockets, compressed bodies, chunked encoding
– No external infrastructure needed — fully standalone
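
The Python scripting mentioned above, shown as an added example that is not part of the original page or of the mitmproxy project: a passive addon that records credentials sent over plain HTTP and Set-Cookie headers missing Secure or HttpOnly. The class name, the header list, StubHeaders and demo() are assumptions made for illustration; the request/response hooks and the addons list follow mitmproxy's addon interface.

```python
# Added example addon (file name is an assumption). Load with: mitmproxy -s transport_audit.py
import logging
from types import SimpleNamespace

SENSITIVE = ("authorization", "cookie", "x-api-key")  # illustrative header names

class TransportAudit:
    """Passively records cleartext credentials and weak Set-Cookie attributes."""
    def __init__(self):
        self.findings = []

    def _report(self, flow, issue):
        entry = (flow.request.pretty_host, flow.request.path, issue)
        self.findings.append(entry)
        logging.warning("audit %s%s: %s", *entry)

    def request(self, flow):
        # Hook called by mitmproxy once the client request has been read.
        if flow.request.scheme == "http":
            for name in SENSITIVE:
                if name in flow.request.headers:
                    self._report(flow, f"{name} sent over plain HTTP")

    def response(self, flow):
        # Set-Cookie can repeat, so read every value, not just the first.
        for raw in flow.response.headers.get_all("set-cookie"):
            cookie = raw.split("=", 1)[0].strip()
            attrs = {a.strip().split("=", 1)[0].lower() for a in raw.split(";")[1:]}
            missing = [a for a in ("secure", "httponly") if a not in attrs]
            if missing:
                self._report(flow, f"cookie {cookie} lacks {', '.join(missing)}")

addons = [TransportAudit()]  # the name mitmproxy looks for when loading a script

class StubHeaders(dict):  # constructed stand-in for mitmproxy's Headers, used by demo()
    def get_all(self, name):
        return self.get(name, [])

def demo():
    """Feed one constructed flow through both hooks without a running proxy."""
    audit = TransportAudit()
    req = SimpleNamespace(scheme="http", pretty_host="api.example.test", path="/login",
                          headers=StubHeaders(authorization="Bearer constructed-token"))
    resp = SimpleNamespace(headers=StubHeaders({"set-cookie": ["sid=1; Path=/; HttpOnly"]}))
    flow = SimpleNamespace(request=req, response=resp)
    audit.request(flow)
    audit.response(flow)
    return audit.findings
```

Under mitmproxy the findings are written to the event log as warnings; demo() exists only so the logic can be exercised offline.
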

Challenges to expect:

– HTTPS inspection depends on CA trust — not automatic
– Transparent mode needs iptables or routing setup
– High-volume environments might need tuning to avoid memory issues
– Complex traffic (e.g. pinned certs, TLS 1.3 strictness) can block proxying
– Not ideal for binary or non-HTTP protocols

Final Thought

mitmproxy is one of those tools that quietly saves hours — especially when other approaches just show you the surface. It doesn’t try to guess what’s happening — it shows you, lets you tweak it, and then keeps watching. In a field crowded with GUIs and sniffers, this one’s for when control matters more than charts.
