tags:

views:

2708

answers:

8
+1  Q: 

How to intercept HTTP requests and responses of a client machine (like fiddler does)

I thought that the only way to intercept a request is to use a proxy, but fiddler somehow can intercept HTTP requests and responses without configuring anything on any browsers.

What's going on under the hood ?

And do you know any library to do that ? (In any languages)

+1  A: 

May be running the network interface in promiscuous mode. This is how WireShark is able to monitor network traffic and display it.

More Info: http://en.wikipedia.org/wiki/Promiscuous_mode

RC  2009-06-17 17:13:51
+1  A: 

I don't know how fiddler is doing it, but it can be done via a Layered Service Provider on Windows.

From Wikipedia:

"A Layered Service Provider (LSP) is a feature of the Microsoft Windows Winsock 2 Service Provider Interface (SPI). A Layered Service Provider is a DLL that uses Winsock APIs to insert itself into the TCP/IP stack. Once in the stack, a Layered Service Provider can intercept and modify inbound and outbound Internet traffic. It allows processing all the TCP/IP traffic taking place between the Internet and the applications that are accessing the Internet (such as a web browser, the email client, etc). "

Murray  2009-06-17 17:14:26
I'd like to accept this answer too, because that's the response to the 2nd part of my question >_<, Thanks !
Nicolas Dorier  2009-06-17 17:36:48
+5  A: 

Fiddler actually does use a proxy. I believe the installer automatically configures IE to use Fiddler's proxy. You can also configure other browsers to go through the same proxy, so Fiddler will profile their network traffic too.

More info here

KOTJMF  2009-06-17 17:16:06
There is nothing configured in options of my browsers, and it works even if I've installed chrome or firefox after fiddler. If fiddler is turned off, everything works fine. I can't imagine than programmers of fiddler have thought about all these use cases, it would be too hard.
Nicolas Dorier  2009-06-17 17:18:55
Huh, I've never actually gotten Fiddler to profile any other browser without using configuring them to use Fiddler as a proxy. What version of Fiddler are you using?
KOTJMF  2009-06-17 17:23:57
It's version 2.2.2.0, I've never had to configure anything in my browsers to make fiddler work.
Nicolas Dorier  2009-06-17 17:25:38
Fiddler changes the System Proxy configuration which is automatically used by IE, Safari, Chrome. Recent versions of Fiddler also install a Firefox plugin that will automatically set the proxy configuration when it is running/actively capturing packets. As far as Opera, and other browsers go, your mileage may vary.
Jordan S. Jones  2009-06-17 17:26:01
I just opened Fiddler (which has been prompting me to update for the last couple of months :P), and as of 2.2.1.4 (released 3/31/09), Fiddler includes the FiddlerHook Firefox extension that Jordan mentioned. This explains why it doesn't catch traffic from other browsers on my machine, I'll have to install the update!
KOTJMF  2009-06-17 17:29:11
Oh yes, you are right it configures IE, and Chrome use the same proxy as IE !!!
Nicolas Dorier  2009-06-17 17:32:56
+1  A: 

From the MSDN notes on extending fiddler

Fiddler supports a JScript .NET event-handling engine that allows the user to automatically modify the HTTP request or response. The engine can modify the visual appearance of the session in the Fiddler user interface (UI), to draw attention to errors or to remove uninteresting sessions from the list altogether.

nik  2009-06-17 17:18:06
+1  A: 

I guess you don't want to hear that you can just intercept them in the web server instead of the client (if it is locally) or can use WPAC (proxy auto configuration).

Another option is to use sotware like SocksCap which "debug" the browser (or webserver) process and whenever he calls some winsock functions they intercept it and call their own code.

A library to do things like this (intercept library calls on a debugged process) is detours.

mihi  2009-06-17 17:19:17
A: 

The other option is to use something like Wireshark. The following is from the About page on http://www.wireshark.org/

Wireshark is the world's foremost network protocol analyzer, and is the de facto (and often de jure) standard across many industries and educational institutions.

Features

Wireshark has a rich feature set which includes the following:

  • Deep inspection of hundreds of protocols, with more being added all the time
  • Live capture and offline analysis
  • Standard three-pane packet browser
  • Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
  • Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
  • The most powerful display filters in the industry
  • Rich VoIP analysis
  • Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
  • Capture files compressed with gzip can be decompressed on the fly
  • Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platfrom)
  • Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
  • Coloring rules can be applied to the packet list for quick, intuitive analysis
  • Output can be exported to XML, PostScript®, CSV, or plain text
Jordan S. Jones  2009-06-17 17:23:55
+1  A: 

Another way to intercept traffic without a proxy is WCCP on a supported device.

http://www.cisco.com/en/US/docs/ios/11_2/feature/guide/wccp.html

XL  2009-06-17 23:03:07
+5  A: 

Fiddler is a proxy, written in C# and wrapping basic sockets.

It registers with WinINET using the appropriate API call while running, and detaches in the same way. Most browsers automatically detect the WinINET proxy setting and use it. Firefox does not, which is why current versions of Fiddler install a Firefox addon.

-EricLaw [MSFT]

EricLaw -MSFT-  2009-06-20 16:44:32
Isn't it great when core developers send answers to questions about their own software? Fiddler is cool, I don't know what I would be doing without it :-) (Latest Eclipse 3.5 also configures itself to use proxy from IE, so when I start Fiddler, Eclipse now uses it too!)
Peter Štibraný  2009-06-20 16:51:54

related questions

Retrieving HTTP status code from loaded iframe with Javascript
How to specify an authenticated proxy for a python http connection?
Why does HttpCacheability.Private suppress ETags?
How to respond to an alternate URI in a RESTful web service
Is there a reason to use BufferedReader over InputStreamReader when reading all characters?
What would be a good, windows and iis (http) based distributed version control system
Database query representation impersonating file on Windows share?
How do I use NTLM authentication with Active Directory
Process raw HTTP request content
How would you implement FORM based authentication without a backing database?
Reading "chunked" response with HttpWebResponse
Best way to let users download a file from my website: http or ftp
How do I convert a date to a HTTP-formatted date in .Net / C#
What is the best way to upload a file via an HTTP POST with a web form?
How do I stop IIS7 dropping my cookies?
Checking FTP status codes with a PHP script.
HTTP Libraries for Emacs
Accessing post variables using Java Servlets
HTTP: Generating ETag Header
HTTP: How to know when to send a 304 Not Modified response
How do I best detect an ASP.NET expired session?
How can I make the browser see CSS and Javascript changes?
How to curl or wget a web page?
The Definitive Guide To Website Authentication
Implementation of "Remember me" in a Rails application.