Detailed introduction of Fiddler packet capture tool

This article is transferred from: http://www.cnblogs.com/Chilam007/p/6985379.html

1. The difference between Fiddler and other packet capture tools

 1. Although Firebug can capture packets, it is not powerful enough to analyze the detailed information of HTTP requests, and its ability to simulate HTTP requests is limited. Firebug also usually requires "modifying without refreshing": if the page is refreshed, all modifications are lost;

 2. Wireshark is a general-purpose packet capture tool. It can capture both HTTP and HTTPS traffic, but it cannot decrypt HTTPS, so Wireshark cannot show the content of HTTPS sessions; for TCP and UDP protocols in general, however, Wireshark is the tool to use;

 3. HttpWatch is also a commonly used HTTP capture tool, but it only supports the IE and Firefox browsers (other browsers may have corresponding plug-ins);

Fiddler is an HTTP proxy that listens on the local address 127.0.0.1:8888. Any browser or application whose HTTP proxy can be set to 127.0.0.1:8888 can be used with Fiddler.

2. The working principle of Fiddler

 Fiddler is an HTTP proxy that sits between the client and the server, and it is one of the most commonly used HTTP capture tools. It records all HTTP requests between the client and the server, and it can analyze the request data, set breakpoints, debug web applications, modify request data, and even modify the data the server returns for a specific HTTP request.

 Since it is a proxy, all requests from the client go through Fiddler first and are then forwarded to the corresponding server; conversely, all responses from the server also pass through Fiddler before being sent to the client. The request flow between the web client and the server is shown in Figure 1:

Figure 1 (the request process of the web client and server)

 Note: to use Fiddler you must set the browser's proxy address before it can capture the browser's packets. Conveniently, when you start the tool it automatically configures the browser's proxy for you, and when it is closed it restores the browser's original proxy. If you find that the browser proxy has not been set automatically, set it in the browser yourself (search Baidu for how to set the proxy in each browser). In any case, the corresponding proxy must be set, otherwise Fiddler will not be able to capture HTTP requests.

3. Introduction to the interface of Fiddler

 1. The main interface is shown in Figure 2:

Figure 2 (Fiddler main interface)

2. The meanings of the fields and icons in the left web session panel are as follows:

Name | Meaning
# | The order in which HTTP requests were captured, starting from 1 and increasing
Result | HTTP status code
Protocol | The protocol used by the request, such as HTTP/HTTPS/FTP
Host | The hostname of the requested address
URL | The location of the requested resource
Body | The size of the request body
Caching | The cache expiration time or cache-control value of the request
Content-Type | The content type of the response
Process | The process that sent this request: process name and process ID
Comments | Lets the user add notes to this session
Custom | Lets the user set a custom value

Icon | Meaning (the icons are image glyphs and are not reproduced here)
(icon) | The request has been sent to the server
(icon) | The response has been downloaded from the server
(icon) | The request was paused at a breakpoint
(icon) | The response was paused at a breakpoint
(icon) | The request uses the HTTP HEAD method, i.e. the response has no content (Body)
(icon) | The request uses the HTTP POST method
(icon) | The request uses the HTTP CONNECT method, which establishes the tunnel used by HTTPS
(icon) | The response is HTML
(icon) | The response is an image
(icon) | The response is a script
(icon) | The response is CSS
(icon) | The response is XML
(icon) | The response is JSON
(icon) | The response is an audio file
(icon) | The response is a video file
(icon) | The response is a Silverlight object
(icon) | The response is a Flash object
(icon) | The response is a font
(icon) | Normal successful response
(icon) | The response is an HTTP/300, 301, 302, 303 or 307 redirect
(icon) | The response is HTTP/304 (not modified): the cached file is used
(icon) | The response requires client certificate verification
(icon) | Server error
(icon) | The session was terminated by the client, by Fiddler or by the server

The table comes from the blog: http://blog.csdn.net/qq_21445563/article/details/51017605

3. On the right is the details and statistics panel

1) Statistics shows performance data for the HTTP request (such as the number of bytes sent/received, send/receive time, and an estimate of how long it would take to reach the server from various parts of the world) and data analysis. As shown in Figure 3:

Figure 3 (Statistics tab)

2) Inspectors is used to view the content of a session. The upper part shows the request and the lower part shows the response. It provides Headers, TextView, HexView, Raw and other views of the request and response messages of a single HTTP request. As shown in Figure 4:

 Figure 4 (Inspectors Tab)

3) AutoResponder can be used to intercept a request, that is, to redirect it to a local resource or a Fiddler resource according to rules you add, thereby replacing the server's response.

For example: bind the keyword "baidu" to a picture on the local computer; any address containing the keyword "baidu" that is then accessed will be hijacked. The specific steps are shown in Figure 5:

Figure 5 (AutoResponder Tab)

After enabling the rules (check Enable rules), enter pan.baidu.com in the browser; you will find that it has been hijacked, and the bound local image is displayed instead of the pan.baidu.com page.

Figure 6 (hijacked)

4) Composer lets you build a custom request and send it to the server. In Parsed mode you only need to provide a URL, as shown in Figure 7

Figure 7 (Composer Tab)

5) Filters holds the filter rules; set them to show only the HTTP requests you need, as shown in Figure 8. Check Use Filters in the upper left corner to enable filtering:

Figure 8 (Filters tab)

  Here are the two most commonly used filter conditions: Zone and Host

a. Zone specifies whether only intranet content or only Internet content is displayed, as shown in Figure 9:

Figure 9

b. Host specifies that only sessions under a certain domain name are displayed, as shown in Figure 10. If the box is yellow, the modification has not taken effect yet; just click the text in the red circle:

Figure 10

6) Timeline shows request/response timing. Click one or more requests in the session window on the left, and the Timeline displays the time it took the selected content to be transferred from the server to the client, as shown in Figure 11:

Figure 11 (Timeline tab)

4. Introduction to other Fiddler functions

 1. Setting Fiddler to decrypt HTTPS network data

 Fiddler can deceive the browser and the server by forging a CA certificate. Roughly, the principle is that in front of the browser Fiddler pretends to be the HTTPS server, while in front of the real HTTPS server Fiddler pretends to be the browser, which is how it decrypts HTTPS packets.

Decrypting HTTPS must be enabled manually: click Tools -> Fiddler Options -> HTTPS -> check Decrypt HTTPS traffic -> click Yes, and select Yes in the pop-up dialog, as shown in Figure 12

Figure 12

2. Fiddler built-in commands and breakpoints

 Fiddler's breakpoint function intercepts requests. Clicking the icon at the position shown in Figure 13 sets a breakpoint on all requests; breakpoint commands can also be entered in the command bar to intercept requests, as shown in Figure 13

Figure 13 (breakpoints)

  The breakpoint commands can precisely specify which requests to intercept, as shown in the following table:

Command | Matching field | Description | Example
? | All | A question mark followed by a string matches requests that contain that string | ?google
> | Body | A greater-than sign followed by a number matches requests whose size is larger than that number | >1000
< | Body | The less-than sign is the opposite: it matches requests whose size is smaller than the number | <100
= | Result | An equals sign followed by a number matches the HTTP status code | =200
@ | Host | @ followed by a host matches the domain name | @www.baidu.com
select | Content-Type | select followed by a response type matches sessions of that type | select image
cls | All | Clears all current requests | cls
dump | All | Packages all requests into a .saz archive saved under "My Documents\Fiddler2\Captures" | dump
start | All | Starts listening for requests | start
stop | All | Stops listening for requests | stop

Breakpoint commands:

bpafter | All | bpafter followed by a string breaks on all requests containing that string | bpafter baidu (enter bpafter alone to clear the breakpoint)
bpu | All | Similar to bpafter, but this one breaks the response after the request has been received | bpu baidu (enter bpu alone to clear the breakpoint)
bps | Result | Followed by a status code; breaks on all requests with that status code | bps 200 (enter bps alone to clear the breakpoint)
bpv / bpm | HTTP method | Breaks only on requests using the given HTTP method, such as POST or GET | bpv get (enter bpv alone to clear the breakpoint)
g / GO | All | Releases all intercepted requests | g

 Note: 1. For example, the bpafter breakpoint command is used as follows: bpafter followed by a string -> break all requests containing that string; bpafter alone -> clear the breakpoint just set;

   2. This table comes from the blog: http://blog.csdn.net/qq_21445563/article/details/51017605
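To make the matching rules in the table above concrete, here is an added example (not part of the original article) that re-implements the ?, >, <, =, @ and select selectors over a constructed set of session records shaped like the columns of Fiddler's session list. The session data is made up for the demo, and treating @ as a substring match on the host is an assumption of this re-implementation.

```javascript
// Constructed session records (made up for this example), mirroring the
// Result / Host / URL / Body / Content-Type columns of Fiddler's session list.
const sessions = [
  { id: 1, host: "www.baidu.com", url: "/", result: 200, body: 2048, contentType: "text/html" },
  { id: 2, host: "www.google.com", url: "/logo.png", result: 200, body: 512, contentType: "image/png" },
  { id: 3, host: "passport.cnblogs.com", url: "/login.aspx", result: 302, body: 96, contentType: "text/html" },
  { id: 4, host: "pan.baidu.com", url: "/s/abc", result: 404, body: 40, contentType: "text/html" },
];

// Turn a command such as "?google", ">1000", "=200", "@www.baidu.com" or
// "select image" into a predicate over one session record.
function parseCommand(cmd) {
  const text = cmd.trim();
  if (text.toLowerCase().startsWith("select ")) {
    const type = text.slice(7).trim().toLowerCase();
    // Content-Type matched by its leading type, e.g. "image" -> "image/png"
    return (s) => s.contentType.toLowerCase().startsWith(type);
  }
  const op = text[0];
  const arg = text.slice(1).trim();
  switch (op) {
    case "?": return (s) => (s.host + s.url).includes(arg);   // substring of the full URL
    case ">": return (s) => s.body > Number(arg);             // body larger than N bytes
    case "<": return (s) => s.body < Number(arg);             // body smaller than N bytes
    case "=": return (s) => s.result === Number(arg);         // HTTP status code
    case "@": return (s) => s.host.toLowerCase().includes(arg.toLowerCase()); // host (assumed substring match)
    default: throw new Error("unknown command: " + cmd);
  }
}

// Ids of the sessions a command selects, in capture order, the way Fiddler
// highlights matching rows in the left-hand session list.
function selectSessions(cmd, list = sessions) {
  return list.filter(parseCommand(cmd)).map((s) => s.id);
}
```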

3. Modifying form content after breaking a session

  For some reason I could not capture the session of the login page (apart from the cnblogs site, the sessions of many other sites could not be captured either -> solution: configure Fiddler following the steps in "Setting Fiddler to decrypt HTTPS network data" above), so the example below comes from Xiao Tanke; the detailed blog address is attached to the figure caption.

  Look at an example that simulates logging in to cnblogs: open the cnblogs login page in IE, enter a wrong username and password, break the session with Fiddler, and change them to the correct username and password. This way the login succeeds:

  1. Open the cnblogs login page in IE: http://passport.cnblogs.com/login.aspx

  2. Open Fiddler and enter bpu http://passport.cnblogs.com/login.aspx in the command line

  3. Enter a wrong username and password and click Login

  4. Fiddler breaks this session. Select the interrupted session, click the WebForms tab under the Inspectors tab, modify the username and password, and then click Run to Completion, as shown in Figure 14.

  5. The result is a successful login to cnblogs (of course the Response can also be modified in Fiddler)

Figure 14 (this example comes from the blog: http://kb.cnblogs.com/page/130367/)

4. Session comparison in Fiddler

 Select two sessions, right-click and click Compare, and WinDiff is used to compare the differences between the two sessions (note: WinDiff must be installed; search Baidu and install it yourself, the installation steps are not detailed here), as shown in Figure 15

Figure 15 (Compare function)

5. Encoding tools provided by Fiddler

  Click TextWizard on the Fiddler toolbar; this tool can encode and decode strings, as shown in Figure 16

Figure 16 (TextWizard interface)

6. Finding sessions in Fiddler

  Edit -> Find Sessions (or Ctrl+F) opens the Find Sessions dialog; enter a keyword to find the sessions you want. Matching sessions are highlighted in yellow, as shown in Figure 17

Figure 17 (Find Sessions dialog)

7. Saving sessions in Fiddler

  Sometimes we need to save sessions so that we can send them to others or analyze them later. The steps to save sessions are: File -> Save -> Selected Sessions

8. Fiddler's script system

  First install the SyntaxView plugin: Inspectors tab -> Get SyntaxView tab -> Download and Install SyntaxView Now..., as shown in Figure 18

Figure 18 (installing the SyntaxView plugin)

  After a successful installation Fiddler has an additional FiddlerScript tab, as shown in Figure 19:

Figure 19

  Here we can write scripts. Consider an example that displays all cnblogs sessions in red.

  Place this script inside the OnBeforeRequest(oSession: Session) method and click "Save script"

  (This script comes from the blog: http://kb.cnblogs.com/page/130367/)

// Colour every session whose host is www.cnblogs.com red in the session list
if (oSession.HostnameIs("www.cnblogs.com")) {
  oSession["ui-color"] = "red";
}

  This way all cnblogs sessions will be displayed in red.
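As an added example (not the article's or the quoted blog's own script), the handler below extends the same OnBeforeRequest idea: it keeps the red colouring for cnblogs and additionally flags POST requests that are not inside a decrypted HTTPS session, such as the plain-HTTP login form used in the breakpoint example above, so a tester sees credential submissions that cross the proxy in clear text. It is written in plain JavaScript rather than JScript.NET so it can be exercised against a constructed stand-in for Fiddler's Session object; the Session members HostnameIs, HTTPMethodIs, isHTTPS and the "ui-color" / "ui-comments" flags are Fiddler's, everything else here is constructed.

```javascript
// FiddlerScript-style handler. In Fiddler this would be declared as
// "static function OnBeforeRequest(oSession: Session)" inside the script tab.
function OnBeforeRequest(oSession) {
  // Rule from the article: colour every www.cnblogs.com session red.
  if (oSession.HostnameIs("www.cnblogs.com")) {
    oSession["ui-color"] = "red";
  }
  // Added rule: a POST outside a decrypted HTTPS session carries its form body
  // in clear text through the proxy; colour it orange and annotate the row.
  if (oSession.HTTPMethodIs("POST") && !oSession.isHTTPS) {
    oSession["ui-color"] = "orange";
    oSession["ui-comments"] = "plaintext POST";
  }
}

// Constructed stand-in for Fiddler's Session class (not Fiddler's code),
// exposing only the members the handler above uses.
function makeSession(host, method, isHTTPS) {
  const s = { isHTTPS: isHTTPS };
  s.HostnameIs = (h) => host.toLowerCase() === h.toLowerCase();
  s.HTTPMethodIs = (m) => method.toUpperCase() === m.toUpperCase();
  return s;
}

// Run the handler over one constructed session and report the flags it set.
function classify(host, method, isHTTPS) {
  const s = makeSession(host, method, isHTTPS);
  OnBeforeRequest(s);
  return { color: s["ui-color"] || null, comment: s["ui-comments"] || null };
}
```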

9. How to use Fiddler when debugging a website in VS

  When we use Visual Studio to develop ASP.NET websites, we also need Fiddler to analyze HTTP. By default, Fiddler cannot capture traffic to localhost websites, but simply adding a dot after localhost lets Fiddler capture it.

  For example: if the original ASP.NET address is http://localhost:9999/Default.aspx, after adding the dot it becomes http://localhost.:9999/Default.aspx


The detailed introduction about Fiddler is here. Other data packet capture analysis and mobile phone packet capture analysis will be operated next time.
