views:

2708

answers:

8

I thought that the only way to intercept a request is to use a proxy, but fiddler somehow can intercept HTTP requests and responses without configuring anything on any browsers.

What's going on under the hood ?

And do you know any library to do that ? (In any languages)

+1  A: 

May be running the network interface in promiscuous mode. This is how WireShark is able to monitor network traffic and display it.

More Info: http://en.wikipedia.org/wiki/Promiscuous_mode

RC
+1  A: 

I don't know how fiddler is doing it, but it can be done via a Layered Service Provider on Windows.

From Wikipedia:

"A Layered Service Provider (LSP) is a feature of the Microsoft Windows Winsock 2 Service Provider Interface (SPI). A Layered Service Provider is a DLL that uses Winsock APIs to insert itself into the TCP/IP stack. Once in the stack, a Layered Service Provider can intercept and modify inbound and outbound Internet traffic. It allows processing all the TCP/IP traffic taking place between the Internet and the applications that are accessing the Internet (such as a web browser, the email client, etc). "

Murray
I'd like to accept this answer too, because that's the response to the 2nd part of my question >_<, Thanks !
Nicolas Dorier
+5  A: 

Fiddler actually does use a proxy. I believe the installer automatically configures IE to use Fiddler's proxy. You can also configure other browsers to go through the same proxy, so Fiddler will profile their network traffic too.

More info here

KOTJMF
There is nothing configured in options of my browsers, and it works even if I've installed chrome or firefox after fiddler. If fiddler is turned off, everything works fine. I can't imagine than programmers of fiddler have thought about all these use cases, it would be too hard.
Nicolas Dorier
Huh, I've never actually gotten Fiddler to profile any other browser without using configuring them to use Fiddler as a proxy. What version of Fiddler are you using?
KOTJMF
It's version 2.2.2.0, I've never had to configure anything in my browsers to make fiddler work.
Nicolas Dorier
Fiddler changes the System Proxy configuration which is automatically used by IE, Safari, Chrome. Recent versions of Fiddler also install a Firefox plugin that will automatically set the proxy configuration when it is running/actively capturing packets. As far as Opera, and other browsers go, your mileage may vary.
Jordan S. Jones
I just opened Fiddler (which has been prompting me to update for the last couple of months :P), and as of 2.2.1.4 (released 3/31/09), Fiddler includes the FiddlerHook Firefox extension that Jordan mentioned. This explains why it doesn't catch traffic from other browsers on my machine, I'll have to install the update!
KOTJMF
Oh yes, you are right it configures IE, and Chrome use the same proxy as IE !!!
Nicolas Dorier
+1  A: 

From the MSDN notes on extending fiddler

Fiddler supports a JScript .NET event-handling engine that allows the user to automatically modify the HTTP request or response. The engine can modify the visual appearance of the session in the Fiddler user interface (UI), to draw attention to errors or to remove uninteresting sessions from the list altogether.

nik
+1  A: 

I guess you don't want to hear that you can just intercept them in the web server instead of the client (if it is locally) or can use WPAC (proxy auto configuration).

Another option is to use sotware like SocksCap which "debug" the browser (or webserver) process and whenever he calls some winsock functions they intercept it and call their own code.

A library to do things like this (intercept library calls on a debugged process) is detours.

mihi
A: 

The other option is to use something like Wireshark. The following is from the About page on http://www.wireshark.org/

Wireshark is the world's foremost network protocol analyzer, and is the de facto (and often de jure) standard across many industries and educational institutions.

Features

Wireshark has a rich feature set which includes the following:

  • Deep inspection of hundreds of protocols, with more being added all the time
  • Live capture and offline analysis
  • Standard three-pane packet browser
  • Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
  • Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
  • The most powerful display filters in the industry
  • Rich VoIP analysis
  • Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
  • Capture files compressed with gzip can be decompressed on the fly
  • Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platfrom)
  • Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
  • Coloring rules can be applied to the packet list for quick, intuitive analysis
  • Output can be exported to XML, PostScript®, CSV, or plain text
Jordan S. Jones
+1  A: 

Another way to intercept traffic without a proxy is WCCP on a supported device.

http://www.cisco.com/en/US/docs/ios/11_2/feature/guide/wccp.html

XL
+5  A: 

Fiddler is a proxy, written in C# and wrapping basic sockets.

It registers with WinINET using the appropriate API call while running, and detaches in the same way. Most browsers automatically detect the WinINET proxy setting and use it. Firefox does not, which is why current versions of Fiddler install a Firefox addon.

-EricLaw [MSFT]

EricLaw -MSFT-
Isn't it great when core developers send answers to questions about their own software? Fiddler is cool, I don't know what I would be doing without it :-) (Latest Eclipse 3.5 also configures itself to use proxy from IE, so when I start Fiddler, Eclipse now uses it too!)
Peter Štibraný