Post on 06-Jan-2017
Debugging the Web with Fiddler
Ido Flatow, Senior Architect
Microsoft MVP & RD, Sela Group
Meet Fiddler…
[Diagram: Application → Network APIs → Proxy → Website]
What is Fiddler?
Fiddler Facts
• A proxy server
• An HTTP/HTTPS sniffer
• An HTTP debugger
• Written in .NET / Mono
• A free utility (for now, cross your fingers)
• An extensible application
• A must-have tool for web developers
• Unfortunately, it doesn’t make coffee!
How Fiddler Works…
[Diagram labels: Internet Explorer, Office, Firefox; WinINET, WinHTTP, CryptoAPI; Fiddler; Firewall; Upstream Proxy; Web Site]
Fiddler by Scenarios
• Traffic Inspection
• Performance Tuning
• Debugging
• Testing
Scenario: Inspecting Traffic
Fiddler to the Rescue
• Browsers (Static sites, ASP.NET, J2EE, PHP)
• Desktop applications that use HTTP
• Web services
• Phone emulators
• Any device that supports a proxy server
The Sessions List
Sequence and color coding
Caching information
Origin process
Manual comments
Response size
Inspectors
• See the content of messages (requests & responses)
• View both headers and body
• Transform content to a viewable form: XML, Image, JSON, JavaScript, Binary
• Create your own inspectors
Inspectors, Now with Web Sockets
Filter by…
By process type
By specific process
By host
By process name/PID/svchost
By URL
By status code
By MIME or size
QuickExec
Fiddler and HTTPS
• Fiddler acts as a “machine-in-the-middle”
• Generates certificates for web sites on-the-fly
• Supports excluding sensitive HTTPS sites
• Basic support for client certificates
Scenario: Performance Tuning
Reminder: Understanding the Connection
[Diagram: Application → Network APIs → Proxy → Website]
First connection: from client to Fiddler
Second connection: from Fiddler to the server
Visualize the Traffic with Timeline
Start End
Bar color = MIME
Red = new connection
Green = reused connection
Disk = cached response
Bar = begin receive
Stripes = buffered by Fiddler
Prefer stream over buffer
Use buffer when editing responses
Single Session Timeline
• Server wait time
• Time to receive headers and body
• Time between body chunks
Statistics are Important
• Single page statistics give info on performance
  – Client processing
  – Server processing
  – Network latency
• Execution time: ServerBeginResponse – ServerGotRequest
• Upload time: ServerGotRequest – ClientDoneRequest
• Download time: ServerDoneResponse – ServerBeginResponse
• Watch out for misleading connection reuse
• Add timer columns instead of calculating
Statistics are Important
• Statistics are also supported for multiple sessions
• Aggregate information
  – Request count
  – Unique hosts
  – Bytes sent
  – Bytes received
  – Elapsed time
  – Response code statistics
  – Content statistics
Performance-related inspectors
• Transformer
• Image view
• Caching
• Cookies
• HTML Inspector (3rd party)
Drawing Conclusions
• Reduce number of requests
• Reduce traffic roundtrips
• Reduce the size of requests and responses
• Apply compression where needed
• Identify non-cached responses
• Use Fiddler to improve performance, not to measure it!
Scenario: Debugging
Manipulate Traffic with Rules
• Simulate user-agents (IE, Mozilla…)
• Simulate network latency
• Disable sending cache headers
• HOSTS file remapping
• You can also write your own rules!
  http://fiddlerbook.com/Fiddler/dev/ScriptSamples.asp
Play it Again, Sam
• Why run the client scenario again, just to resend the request?
• Simply click “Replay”
  – Reissue a single request
  – Reissue a set of requests
  – Reissue unconditionally (no cache headers)
  – Reissue multiple times
• What if the request needs a change before reissuing?
Changing Requests with Composer
• Create any request from scratch
• Use previous requests with drag-n-drop
• Don’t bother calculating content length
• Composed requests history
www.bobthebuilder.com
Breakpoints – Human in the Middle
• Manual control over request & response
• Stop in either direction
• Manipulate header and body
• Auto reply instead of forwarding request
• Least used feature in Fiddler!!
Debugging Localhost
• In some cases, proxies are bypassed when using localhost (127.0.0.1) addresses
• What to do?
• Use the machine’s name
• Use fictitious DNS names
  – ipv4.fiddler or ipv6.fiddler (converted to 127.0.0.1 / [::1])
  – localhost. or localhost.fiddler (converted to localhost)
Debugging Services
• Fiddler hooks to the interactive user
• IIS App Pools and Windows Services run with built-in users (Network Service / AppPoolIdentity)
• Use network sniffers and export as PCAP
• Download PsExec and run:
  PsExec.exe -i -u "nt authority\network service" "%ProgramFiles(x86)%\Fiddler2\Fiddler.exe"
If You See This, Don’t Panic
Before rebooting your machine, try running Fiddler again
When Fiddler crashes, proxy settings are still in effect
Scenario: Testing
“My Code is Perfect”
• No more “I can’t reproduce this bug”
• Save sessions to .SAZ archive and send them to the developer
• Saves everything, not only text responses
• Open on another machine, inspect, and replay if necessary
I Got this From Fiddler
• Save/Load sessions to .SAZ files
• Export/Import HTTP Archive (HAR) sessions
• Export sessions to raw files. Great for:
  – Images
  – CSS
  – Scripts
  – Data URIs
• Export as Visual Studio web test
In-Memory Website with Auto-Responder
• Match URI according to
  – String literals (sub-string, * wildcard)
  – Inverse string literals
  – Exact match, including casing
  – Regular expressions
• If there is a match, then
  – Respond with file
  – Send stored response
  – Redirect (not 301 redirect)
  – HTTP redirect (301)
  – Break
  – Delay send
  – Drop response
If URI matches… then respond with…
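The four match kinds listed above, as an added example that is not part of the original slides or Fiddler's own code. The NOT:, EXACT: and REGEX: prefixes are Fiddler's AutoResponder rule syntax (not shown on the slides); first-match-wins ordering, the JavaScript regex dialect, and the rule table and URLs are assumptions constructed for illustration.

```javascript
// Simplified model of AutoResponder URI matching (added example, not Fiddler's code).
// Assumptions: rules are tried top to bottom and the first match wins;
// REGEX: patterns run on JavaScript's RegExp here, not the .NET engine.
function matchesRule(pattern, uri) {
  if (pattern === "*") return true;                        // wildcard: every URI
  if (pattern.startsWith("EXACT:")) {
    return uri === pattern.slice("EXACT:".length);         // whole URI, case-sensitive
  }
  if (pattern.startsWith("NOT:")) {
    const needle = pattern.slice("NOT:".length).toLowerCase();
    return !uri.toLowerCase().includes(needle);            // inverse sub-string
  }
  if (pattern.startsWith("REGEX:")) {
    let source = pattern.slice("REGEX:".length);
    let flags = "";
    // A .NET-style "(?i)" prefix is not valid in JavaScript; map it to the i flag.
    if (source.startsWith("(?i)")) { flags = "i"; source = source.slice(4); }
    try { return new RegExp(source, flags).test(uri); }
    catch (e) { return false; }                            // malformed rule never matches
  }
  return uri.toLowerCase().includes(pattern.toLowerCase()); // case-insensitive sub-string
}

function pickAction(rules, uri) {
  for (const rule of rules) {
    if (matchesRule(rule.match, uri)) return rule.action;
  }
  return null; // no rule matched
}

// Constructed rule table and URLs, for illustration only.
const sampleRules = [
  { match: "EXACT:http://example.test/api/Users", action: "Respond with file: users.json" },
  { match: "REGEX:(?i)\\.(png|jpe?g)$",           action: "Respond with file: placeholder.png" },
  { match: "/static/",                            action: "Delay send" },
  { match: "NOT:example.test",                    action: "Drop response" },
];

const sampleUris = [
  "http://example.test/api/Users",       // exact match
  "http://example.test/api/users",       // casing differs: no rule matches
  "http://example.test/img/Logo.PNG",    // regex, case-insensitive
  "http://EXAMPLE.test/Static/app.css",  // sub-string, case-insensitive
  "http://other.test/track.js",          // inverse literal
];
for (const uri of sampleUris) console.log(uri, "->", pickAction(sampleRules, uri));
```

The second URL shows why rule order and the exact-match casing matter when a saved response stands in for a real endpoint: a near-miss falls through every rule.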
Extending Fiddler to Your Needs
• Customize rules script
• Create custom inspectors
• Create requests and responses auto-modifiers
• Create new exporter/importer
• Extend QuickExec with new commands
• Add menus and tabs
http://docs.telerik.com/fiddler/Extend-Fiddler/ExtendWithDotNet
Fiddler is More Than a Sniffer
• Monitors traffic, yes, but also…
• Controls traffic
• Modifies traffic
• Generates traffic
• Easy to use
• Extensible
Enhance your web debugging with Fiddler today!
Resources
• Fiddler Website
  – http://www.telerik.com/fiddler
• Fiddler Forum
  – http://groups.google.com/group/httpfiddler
• Fiddler Blog
  – http://www.telerik.com/blogs/tag/fiddler
  – http://www.telerik.com/blogs/fiddler-a-segue
  – http://blogs.msdn.com/b/fiddler (old blog)
• My Info
  – @IdoFlatow // idof@sela.co.il // www.idoflatow.net/downloads