If you do not find a solution to your problem below - or you have some feedback on the product - then please do not hesitate to email us.

When lodging a support request, please give as much relevant information as possible such as: OS version, processor (Intel or PowerPC), Mac model and the detail from the crash report, if appropriate.

General FAQ

Q: What does HTTP Scoop do exactly?
A: HTTP Scoop is an HTTP protocol analyser (sometimes called an HTTP sniffer) for Mac OS X. It captures packets from the network and reassembles them into complete HTTP requests/responses and displays the results in real-time. You can view all different aspects of the conversation: request URLs and parameters, request/response headers and POST data. You can also view the returned files as text (syntax highlighted for HTML and XML) or as a hex dump, as well as saving them to disk.
Q: What are the system requirements?
A: HTTP Scoop requires Mac OS X 10.4 (Tiger) to 10.7 (Lion); 512MB of RAM is recommended. Both PowerPC and Intel platforms are supported.
Q: Who needs it?
A: HTTP Scoop is a valuable tool for any web developer or web admin who works on a Mac, regardless of the client or server technology they use.
Q: Why not just use tcpdump or Ethereal?

We have the utmost respect for these tools and the developers behind them. They've helped us - and thousands like us - enormously over the years and the tools are available free of charge. In fact, we rely on the code the tcpdump folks wrote (libpcap) to grab packets from the network.

What HTTP Scoop does that these other tools do not is reconstruct complete HTTP conversations (rather than just showing the packets that make them up) and present them in a user-friendly manner. It transparently handles the mechanics of de-chunking, decompression and request pipelining so you can quickly see exactly what is going on between client and server.

Q: How much data can I capture?
A: Approximately 100MB in any one capture.
Q: How much data can I view?
A: The "Response Text" view is restricted to showing the first 20MB of text, and the "Response Hex" tab is restricted to showing 1MB of data. The purpose of these limitations is to prevent excessive memory usage and to ensure that the system remains responsive enough to keep up with the speed of the network traffic. To examine larger files, simply save them to disk and use a more appropriate application.
Q: Who contributed to this project?
A: Quite a few people, actually. Special thanks go to:
  • Pierre Rudloff for the French localisation of the app.
  • Lucas Newman for his contributions to this project.
  • Andy Matuschak for his excellent Sparkle library (used for application updates).
  • Matt Gemmell for the nice "Polished Metal" look.
Q: I can't see local traffic.
A: Make sure you have Local interface (lo0) selected and double-check your settings in Preferences.
Q: Why can't I see the traffic I am expecting?

If you fail to see the HTTP requests you were expecting, first ensure that you have selected the appropriate network interface from the drop-down at the top-right of the main screen. Check also that you have not been too restrictive in the ports and hosts you have specified in "Preferences".

Specifying a host name (as opposed to an IP address) in the Restrict to hosts list in "Preferences" can cause confusion in a couple of situations. Firstly, the host name you type into a browser may be where the HTML is stored, but other resources such as images may be held on another server. Also, some sites use round-robin DNS for load balancing in which successive host lookups result in different IP addresses being resolved. In this case, the IP address which HTTP Scoop resolves a host name to - and hence filters traffic upon - could be different to the IP address being accessed by the client.

Q: How can I capture HTTPS traffic?

HTTP Scoop captures packets at the IP layer and then reassembles them into HTTP conversations. By capturing packets in this way, the application can see traffic regardless of what browser or other HTTP client is being used.

Unfortunately, by the time SSL traffic reaches this layer, it is already encrypted and therefore HTTP Scoop can't get at the data.

One way to get around this is to use a "reverse proxy" which allows you to make requests to the proxy over an unencrypted connection (which HTTP Scoop can intercept) and forwards them on to the destination server using HTTPS. Luckily the Apache webserver which comes pre-installed on all Macs already has this capability, but it needs a little configuration.

WARNING! Follow these instructions at your own risk. If you're not comfortable with using the command line then you should seek guidance.

The following instructions appear to work for Mac OS X 10.5 (Leopard). I believe the location of httpd.conf changed in this version of OS X so some changes to this procedure may be necessary for older versions (please let us know if you can provide details).

  1. Stop Web Sharing, if necessary, from the Sharing section of System Preferences.
  2. Make a backup of /etc/apache2/httpd.conf.
  3. Edit /etc/apache2/httpd.conf and add the following lines to the bottom of the file, replacing TARGET_SERVER (a placeholder) with the target server:
    <VirtualHost *:80>
           SSLProxyEngine on
           ProxyRequests off
           ProxyPass / https://TARGET_SERVER/
           ProxyPassReverse / https://TARGET_SERVER/
    </VirtualHost>
  4. Start Web Sharing.
  5. Use HTTP Scoop to start capturing data on the local interface if the proxy is running on the same machine as HTTP Scoop.
  6. All HTTP requests to localhost should now be forwarded to the target server using HTTPS.

Note that this procedure causes all traffic to localhost to be proxied, so you will not be able to access any local web content until you restore your httpd.conf file and restart Web Sharing.
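
A quick lint of the block added in step 3 before Web Sharing is restarted, as an added example that is not part of the original instructions. The function name check_proxy_conf and the host target.example are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Tuffcode's code.
# check_proxy_conf FILE: lint every <VirtualHost> that contains a ProxyPass.
# Prints one line per finding and returns 0 only when there are none.
check_proxy_conf() {
    awk '
        function finding(msg) { print "vhost at line " start ": " msg; bad = 1 }
        { sub(/#.*/, ""); d = tolower($1) }      # strip comments, directives are case-insensitive
        d ~ /^<virtualhost/   { start = NR; ssl = req = target = ""; next }
        d == "sslproxyengine" { ssl = tolower($2) }
        d == "proxyrequests"  { req = tolower($2) }
        d == "proxypass"      { target = $3 }
        d ~ /^<\/virtualhost/ && target != "" {
            seen = 1
            if (target !~ /^https:\/\//) finding("ProxyPass target " target " is not https://")
            if (ssl != "on") finding("SSLProxyEngine is not on, the HTTPS upstream cannot be reached")
            if (req == "on") finding("ProxyRequests on turns Apache into an open forward proxy")
        }
        END { if (!seen) { print "no proxying VirtualHost found"; bad = 1 }; exit bad }
    ' "$1"
}

# Constructed sample: the block from step 3 with a placeholder upstream host.
conf=$(mktemp)
cat > "$conf" <<'EOF'
<VirtualHost *:80>
       SSLProxyEngine on
       ProxyRequests off
       ProxyPass / https://target.example/
       ProxyPassReverse / https://target.example/
</VirtualHost>
EOF
check_proxy_conf "$conf" && echo "proxy block looks sane"
rm -f "$conf"
```

Run it against /etc/apache2/httpd.conf after editing; a non-zero exit status means at least one finding was printed.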

Q: Why am I asked for a password when I first start a capture?

HTTPScoop needs to run a privileged process in order to capture traffic which, by its nature, is a potential security risk. The password dialogue ensures that the user has the appropriate rights to perform the operation. It also allows the user to decide whether to trust the application to carry out a privileged operation.

Note that the password dialogue is only shown the first time you start a capture. Repeated entries of the password can be avoided by leaving the application open in-between captures: it consumes minimal resources when a capture is not in progress.

From version 1.4.2, it is possible to avoid the password check altogether by pre-authorising HTTPScoop to run as root. You may wish to do this for convenience or because you administer the computer and want your users to be able to use HTTPScoop without an administrative password.

WARNING! You should only carry out this procedure if you are authorised to do so and you understand the risks. The sniffer tool is run as root: if an attacker is able to modify this file then he or she will have full control of your system. Note also that a non-admin user will not be able to upgrade HTTPScoop until it has been removed by an administrator (because portions of the app will be owned by root).

Execute the following in Terminal (assuming you have installed HTTPScoop in the normal place):

cd /Applications/
sudo chown root HTTP\ Scoop\ Sniffer\ Tool
sudo chmod u+s HTTP\ Scoop\ Sniffer\ Tool

A directory listing should reveal that the tool is owned by root and that the 'setuid' bit is set (note the 's' in the flags):

ripley:MacOS jayray$ ls -l
total 1144
-rwsr-xr-x 1 root jayray 56692 3 May 09:44 HTTP Scoop Sniffer Tool
-rwxr-xr-x 1 jayray jayray 526044 3 May 09:44 HTTPScoop

When a capture is first started, HTTPScoop will spot that the tool has been set-up to be run as root and will avoid showing an authorisation dialogue.
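
A check an administrator can run after pre-authorising the tool, as an added example that is not part of HTTPScoop or the original page. It confirms the three properties the warning above depends on: root ownership, the setuid bit, and no write access for anyone else. The function names check_listing and audit_tool are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Tuffcode's code: audit a pre-authorised setuid helper.

# check_listing MODE OWNER
#   MODE = first column of `ls -l` (e.g. -rwsr-xr-x), OWNER = third column.
#   Returns 0 only when every check passes.
check_listing() {
    mode=$1; owner=$2; rc=0
    case $mode in -*) ;; *) echo "FAIL: not a regular file ($mode)"; rc=1 ;; esac
    case $mode in ???s*) ;; *) echo "FAIL: setuid bit not set ($mode)"; rc=1 ;; esac
    case $mode in
        ?????w*|????????w*) echo "FAIL: group or other can modify the file ($mode)"; rc=1 ;;
    esac
    # A trailing + marks an ACL, which can grant write access the mode bits hide.
    case $mode in *+) echo "FAIL: ACL present, review it ($mode)"; rc=1 ;; esac
    case $owner in root|0) ;; *) echo "FAIL: owner is $owner, not root"; rc=1 ;; esac
    return $rc
}

# audit_tool PATH: run the same checks against a file on disk.
audit_tool() {
    listing=$(ls -ldn -- "$1") || return 2
    set -f                      # no globbing while the listing is word-split
    set -- $listing             # $1 = mode string, $3 = numeric owner
    set +f
    check_listing "$1" "$3"
}

# Mode and owner columns copied from the directory listing above.
check_listing -rwsr-xr-x root   && echo "HTTP Scoop Sniffer Tool: ok"
check_listing -rwxr-xr-x jayray || echo "HTTPScoop: not pre-authorised (expected)"
```

Call audit_tool with the path to the sniffer tool after any upgrade or restore, since either can reset ownership and mode.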

Q: Will this work with my VPN, Virtual Machine or GSM/3G modem?
A: Support varies between products.

Works ok. Tested with tap interface.


Works ok.

Cisco VPN

Doesn't work. IPSec VPNs unsupported.

VMware Fusion

Doesn't work. VMware has not implemented the Berkeley Packet Filter interface properly, which prevents HTTPScoop (and other apps like tcpdump and Wireshark) from capturing traffic.


Please let us know if anyone spots any progress on this front.

GSM/3G modem

Should work fine, provided you can see the interface has an IP address in ifconfig.

Any information on specific devices would be appreciated - please get in touch.

Theoretically, if you can see HTTP traffic in both directions with tcpdump then you should be able to capture it with HTTPScoop. Execute the following line (substituting the network interface as appropriate).

sudo tcpdump -A -i en0 port 80

Look for human-readable HTTP requests e.g. "GET / HTTP/1.1" and responses e.g. "HTTP/1.1 302 Found".

Q: My licence doesn't work, can you help?
A: Naturally. Just send us an email describing the issue and we'll have you up-and-running as soon as we can.
Q: How do I capture conversations between two other machines?
A: Be aware that using this feature on a shared network is a privacy risk, is detectable by network administrators and could be against the law where you live. Please exercise consideration and caution! First, the HTTP messages you are trying to capture must actually reach your network adapter. Generally this means being plugged into a hub which is shared with either the client or server you are trying to monitor, although some network switches can be configured to broadcast certain traffic to multiple ports (check the switch's documentation for how to do this). You can also capture traffic over a non-secured Wi-Fi connection. Just select the appropriate network interface from the drop-down at the top-left of the screen. Next, select "Scoop Settings" from the "Scoop" menu and tick the "Promiscuous Mode" box. Finally, double-check that the other settings in this dialogue are correct, click "OK" and start scooping.
Q: I get the message "Traffic too fast - some packets lost" - what happened?
A: Sometimes this is because the CPU load is too high on the computer you are running HTTP Scoop on. Try closing some applications and restarting the capture. Alternatively, the traffic may simply be too fast to keep up with. Try being more restrictive with the hosts/ports you monitor. In extreme circumstances, you may find that closing the "HTTP Request Detail" window during periods of intense network activity reduces CPU utilisation (and hence improves the reliability of the capture). Please also see the troubleshooting section of the help system within HTTP Scoop.
Q: Why do I get a dialogue box warning me that my file may be corrupt when I try to save it?
A: This warning will appear if you try to save a file after the message "Traffic too fast - some packets lost" has been shown. This message is mainly to help you avoid causing damage to your system by running a corrupt executable. You can get around this by clicking the "Clear" button and recapturing the file. See the previous FAQ and the help system within HTTP Scoop for more information about how to avoid this message in the first place.
Q: Why isn't syntax colouring working for some HTML/XML responses?
A: HTTP Scoop detects that a document is HTML or XML using the "Content-type" HTTP header. If this is not "text/xml" or "text/html" then HTTP Scoop will not apply syntax colouring.
Q: How can I get help with another problem?
A: Just drop us an email and we'll do what we can to help.
Q: How does licensing work?

By downloading HTTPScoop, you agree to be bound by the End User License Agreement.

To activate HTTP Scoop, you simply go to the purchase page to make a payment. When this is done successfully, you will immediately be sent an email containing your licence file. Save this somewhere safe in case you need it again, for example if you need to restore software on your computer.

When you receive your licence, start HTTP Scoop. Click the Load From Disk button in the Registration screen and select the licence file.

If you are the sole user of the licence then you may install it on up to three machines you own (or have exclusive use of). If several people are going to use a given licence (for example on a shared office computer) then it must only be installed on one machine.

Q: How do you protect my privacy?

We collect a minimum of information to carry out a card transaction and retain only that which is necessary to fulfil our obligations under EU VAT legislation. Credit card information is passed directly to our payment processor (Stripe) and does not pass through Tuffcode's servers. Your personal information is protected by SSL/TLS at all times.

From time-to-time we may let you know about software updates or other Tuffcode news but you may opt out at any time. We will never share your email address with any other company.

Our software will, if you request it to do so, check for updates periodically. We may collect statistics about usage from this network activity, but will not use it to track individuals' use of the software.

Q: Will I be charged Value Added Tax?
A: VAT is chargeable - at your local rate - on purchases by individuals inside the EU. EU countries are as follows:
  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • United Kingdom
VAT will be automatically added to your order if your billing address is in one of these countries. If you are purchasing for a company inside the EU then you should not pay VAT. Please email us with your company name, address (including country) and the number of licences you require. We will reply with an email describing how to make payment without VAT applied. We apologise for the inconvenience in making payment by this method.
Q: I am buying a lot of licence credits (more than ten), do I get a discount?
A: Yes! Please get in touch and we'll work out a quote for you.
Copyright © 2015 Tuffcode Ltd. All rights reserved.