Debugging the Web with Fiddler Ido Flatow Senior Architect Microsoft MVP & RD Sela Group

Page 1: Debugging the Web with Fiddler

Debugging the Web with Fiddler

Ido Flatow, Senior Architect

Microsoft MVP & RD Sela Group

Page 2: Debugging the Web with Fiddler

Meet Fiddler…

Page 3: Debugging the Web with Fiddler

What is Fiddler?

[Diagram: Application → Network APIs → Proxy → Website]

Page 4: Debugging the Web with Fiddler

Fiddler Facts

• A proxy server
• An HTTP/HTTPS sniffer
• An HTTP debugger
• Written in .NET / Mono
• A free utility (for now, cross your fingers)
• An extensible application
• A must-have tool for web developers
• Unfortunately, it doesn’t make coffee!

Page 5: Debugging the Web with Fiddler

How Fiddler Works…

[Diagram labels: Internet Explorer, WinINET, Office, CryptoAPI, WinHTTP, Fiddler, Firefox, Upstream Proxy, Web Site, Firewall]

Page 6: Debugging the Web with Fiddler

Fiddler by Scenarios

• Traffic Inspection
• Performance Tuning
• Debugging
• Testing

Page 7: Debugging the Web with Fiddler

Scenario: Inspecting Traffic

Page 8: Debugging the Web with Fiddler

Fiddler to the Rescue

• Browsers (Static sites, ASP.NET, J2EE, PHP)
• Desktop applications that use HTTP
• Web services
• Phone emulators
• Any device that supports a proxy server

Page 9: Debugging the Web with Fiddler

The Sessions List

Sequence and color coding

Caching information

Origin process

Manual comments

Response size

Page 10: Debugging the Web with Fiddler

Inspectors

• See the content of messages (requests & responses)
• View both headers and body
• Transform content to a viewable form: XML, Image, JSON, JavaScript, Binary
• Create your own inspectors

Page 11: Debugging the Web with Fiddler

Inspectors, Now with Web Sockets

Page 12: Debugging the Web with Fiddler

Filter by…

By process type

By specific process

By host

By process name/PID/svchost

By URL

By status code

By MIME or size

QuickExec

Page 13: Debugging the Web with Fiddler

Fiddler and HTTPS

• Fiddler acts as a “machine-in-the-middle”
• Generates certificates for web sites on-the-fly
• Supports excluding sensitive HTTPS sites
• Basic support for client certificates

Page 14: Debugging the Web with Fiddler

Scenario: Performance Tuning

Page 15: Debugging the Web with Fiddler

Reminder: Understanding the Connection

[Diagram: Application → Network APIs → Proxy → Website]

• First connection: from client to Fiddler
• Second connection: from Fiddler to the server

Page 16: Debugging the Web with Fiddler

Visualize the Traffic with Timeline

Start End

Bar color = MIME

Red = new connection

Green = reused connection

Disk = cached response

Bar = begin receive

Stripes = buffered by Fiddler

Prefer stream over buffer

Use buffer when editing responses

Page 17: Debugging the Web with Fiddler

Single Session Timeline

• Server wait time
• Time to receive headers and body
• Time between body chunks

Page 18: Debugging the Web with Fiddler

Statistics are Important

• Single page statistics give info on performance
  – Client processing
  – Server processing
  – Network latency
• Execution time: ServerBeginResponse – ServerGotRequest
• Upload time: ServerGotRequest – ClientDoneRequest
• Download time: ServerDoneResponse – ServerBeginResponse
• Watch out for misleading connection reuse
• Add timer columns instead of calculating
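
The three formulas on this slide, applied to stored per-session timer values (an added example, not part of the original deck). It assumes the `SessionTimers` element found in the `_m.xml` metadata files of a SAZ archive, and that a timer that never fired is written as year 0001; both sample documents are constructed.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed metadata for one session that reached the server (times are made up).
LIVE = """<Session SID="1"><SessionTimers
  ClientDoneRequest="2014-05-12T10:15:30.1200000+03:00"
  ServerGotRequest="2014-05-12T10:15:30.1500000+03:00"
  ServerBeginResponse="2014-05-12T10:15:30.6500000+03:00"
  ServerDoneResponse="2014-05-12T10:15:30.9000000+03:00"
  GatewayTime="0" TCPConnectTime="0"/></Session>"""

# Constructed metadata for a session answered locally: server timers never set.
LOCAL = """<Session SID="2"><SessionTimers
  ClientDoneRequest="2014-05-12T10:15:31.0000000+03:00"
  ServerGotRequest="0001-01-01T00:00:00"
  ServerBeginResponse="0001-01-01T00:00:00"
  ServerDoneResponse="0001-01-01T00:00:00"/></Session>"""


def parse_ts(value):
    # Seven fractional digits are assumed in the file; datetime keeps six.
    trimmed = re.sub(r"(\.\d{6})\d+", r"\1", value)
    ts = datetime.fromisoformat(trimmed)
    return None if ts.year == 1 else ts  # year 0001 = timer never fired (assumption)


def session_timings(meta_xml):
    """Return upload/execution/download time in ms, or None where a timer is unset."""
    attrs = ET.fromstring(meta_xml).find("SessionTimers").attrib
    t = {k: parse_ts(v) for k, v in attrs.items() if "T" in v}  # skip plain counters

    def ms(later, earlier):
        a, b = t.get(later), t.get(earlier)
        if a is None or b is None:
            return None
        return round((a - b).total_seconds() * 1000)

    return {
        "upload_ms": ms("ServerGotRequest", "ClientDoneRequest"),
        "execution_ms": ms("ServerBeginResponse", "ServerGotRequest"),
        "download_ms": ms("ServerDoneResponse", "ServerBeginResponse"),
    }


if __name__ == "__main__":
    print(session_timings(LIVE))
    print(session_timings(LOCAL))
```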

Page 19: Debugging the Web with Fiddler

Statistics are Important

• Statistics are also supported for multiple sessions
• Aggregate information
  – Request count
  – Unique hosts
  – Bytes sent
  – Bytes received
  – Elapsed time
  – Response code statistics
  – Content statistics

Page 20: Debugging the Web with Fiddler

Performance-related inspectors

• Transformer
• Image view
• Caching
• Cookies
• HTML Inspector (3rd party)

Page 21: Debugging the Web with Fiddler

Drawing Conclusions

• Reduce the number of requests
• Reduce traffic roundtrips
• Reduce the size of requests and responses
• Apply compression where needed
• Identify non-cached responses
• Use Fiddler to improve performance, not to measure it!

Page 22: Debugging the Web with Fiddler

Scenario: Debugging

Page 23: Debugging the Web with Fiddler

Manipulate Traffic with Rules

• Simulate user-agents (IE, Mozilla…)
• Simulate network latency
• Disable sending cache headers
• HOSTS file remapping
• You can also write your own rules!
  http://fiddlerbook.com/Fiddler/dev/ScriptSamples.asp

Page 24: Debugging the Web with Fiddler

Play it Again, Sam

• Why run the client scenario again, just to resend the request?
• Simply click “Replay”
  – Reissue a single request
  – Reissue a set of requests
  – Reissue unconditionally (no cache headers)
  – Reissue multiple times
• What if the request needs a change before reissuing?

Page 25: Debugging the Web with Fiddler

Changing Requests with Composer

• Create any request from scratch
• Use previous requests with drag-n-drop
• Don’t bother calculating content length
• Composed requests history

www.bobthebuilder.com

Page 26: Debugging the Web with Fiddler

Breakpoints – Human in the Middle

• Manual control over request & response
• Stop on any direction
• Manipulate header and body
• Auto reply instead of forwarding request
• Least used feature in Fiddler!!

Page 27: Debugging the Web with Fiddler

Debugging Localhost

• In some cases, proxies are bypassed when using localhost (127.0.0.1) addresses
• What to do?
• Use the machine’s name
• Use fictitious DNS names
  – ipv4.fiddler or ipv6.fiddler (converted to 127.0.0.1 / [::1])
  – localhost. or localhost.fiddler (converted to localhost)

Page 28: Debugging the Web with Fiddler

Debugging Services

• Fiddler hooks to the interactive user
• IIS App Pools and Windows Services run with built-in users (Network Service / AppPoolIdentity)
• Use network sniffers and export as PCAP
• Download PsExec and run:

PsExec.exe -i -u "nt authority\network service" "%ProgramFiles(x86)%\Fiddler2\Fiddler.exe"

Page 29: Debugging the Web with Fiddler

If You See This, Don’t Panic

Before rebooting your machine, try running Fiddler again

When Fiddler crashes, proxy settings are still in effect

Page 30: Debugging the Web with Fiddler

Scenario: Testing

Page 31: Debugging the Web with Fiddler

“My Code is Perfect”

• No more “I can’t reproduce this bug”
• Save sessions to .SAZ archive and send them to the developer
• Saves everything, not only text responses
• Open on another machine, inspect, and replay if necessary

Page 32: Debugging the Web with Fiddler

I Got this From Fiddler

• Save/Load sessions to .SAZ files
• Export/Import HTTP Archive (HAR) sessions
• Export sessions to raw files. Great for:
  – Images
  – CSS
  – Scripts
  – Data URIs
• Export as Visual Studio web test
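
Because a .SAZ archive "saves everything", it also carries the credentials that were on the wire. The following added example (not part of the original deck) redacts credential-bearing headers before an archive is sent to someone else. It assumes the SAZ layout of a ZIP file with `raw/N_c.txt` request and `raw/N_s.txt` response files; the sample archive, hosts and token values are constructed.

```python
import io
import re
import zipfile

# Header names whose values should not leave the machine inside a shared capture.
SENSITIVE = re.compile(
    rb"^(Authorization|Proxy-Authorization|Cookie|Set-Cookie):[^\r\n]*", re.I | re.M)
SESSION_FILE = re.compile(r"raw/\d+_[cs]\.txt")  # assumed SAZ layout (request/response)


def build_sample_saz():
    """Constructed two-session archive; hosts and token values are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("raw/1_c.txt", b"GET /api/orders HTTP/1.1\r\nHost: shop.example\r\n"
                                  b"Authorization: Bearer CONSTRUCTED-TOKEN\r\n\r\n")
        z.writestr("raw/1_s.txt", b"HTTP/1.1 200 OK\r\nSet-Cookie: sid=CONSTRUCTED\r\n\r\n{}")
        z.writestr("raw/2_c.txt", b"GET /logo.png HTTP/1.1\r\nHost: shop.example\r\n\r\n")
        z.writestr("raw/2_s.txt", b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n"
                                  b"\x89PNG\r\nCookie: body bytes, not a header")
    return buf.getvalue()


def redact_saz(saz_bytes):
    """Return (findings, redacted_archive_bytes); bodies are copied unchanged."""
    findings, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(saz_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info)
            if SESSION_FILE.fullmatch(info.filename):
                # Only the header block (before the first blank line) is rewritten.
                head, sep, body = data.partition(b"\r\n\r\n")

                def mask(m, name=info.filename):
                    findings.append((name, m.group(1).decode()))
                    return m.group(1) + b": [REDACTED]"

                data = SENSITIVE.sub(mask, head) + sep + body
            dst.writestr(info.filename, data)
    return findings, out.getvalue()


if __name__ == "__main__":
    hits, cleaned = redact_saz(build_sample_saz())
    for filename, header in hits:
        print(f"{filename}: redacted {header}")
```

Request and response bodies (login form posts, JSON tokens) and credentials carried in URLs are not covered by this header-only pass, so review those before sending an archive.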

Page 33: Debugging the Web with Fiddler

In-Memory Website with Auto-Responder

• Match URI according to
  – String literals (sub-string, * wildcard)
  – Inverse string literals
  – Exact match, including casing
  – Regular expressions
• If a match then
  – Respond with file
  – Send stored response
  – Redirect (not 301 redirect)
  – Http Redirect (301)
  – Break
  – Delay send
  – Drop response

If URI matches… then respond with…
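
The four match kinds listed on this slide, written out as a small matcher to show how rule order and casing decide which response a request gets (an added example, not Fiddler's own code). The `NOT:`, `EXACT:` and `regex:` prefixes and the first-match-wins ordering are assumptions about the rule syntax; the slide names only the match kinds. Hosts and rules are constructed.

```python
import re


def rule_matches(rule, url):
    """Evaluate one AutoResponder-style match condition against a request URL."""
    if rule == "*":
        return True                                   # wildcard: every request
    if rule[:4].upper() == "NOT:":
        return rule[4:].lower() not in url.lower()    # inverse sub-string
    if rule[:6].upper() == "EXACT:":
        return rule[6:] == url                        # whole URL, casing included
    if rule[:6].upper() == "REGEX:":
        return re.search(rule[6:], url) is not None   # regular expression
    return rule.lower() in url.lower()                # default: sub-string, any casing


def first_action(rules, url):
    """Return the action of the first matching rule, or None if nothing matches."""
    for pattern, action in rules:
        if rule_matches(pattern, url):
            return action
    return None  # unmatched requests are not answered by the auto-responder


# Constructed rule list: order matters, the first match wins (assumption).
RULES = [
    ("EXACT:http://app.example/Login", "break"),
    (r"regex:(?i)\.(png|gif)$", "respond with file"),
    ("/api/orders", "send stored response"),
    ("NOT:app.example", "drop response"),
]

if __name__ == "__main__":
    for url in ("http://app.example/Login",
                "http://app.example/login",            # casing differs: EXACT misses
                "http://cdn.example/img/LOGO.PNG",     # regex wins over the NOT rule
                "http://APP.example/API/Orders?id=7",
                "http://tracker.example/t.js"):
        print(url, "->", first_action(RULES, url))
```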

Page 34: Debugging the Web with Fiddler

Extending Fiddler to Your Needs

• Customize rules script
• Create custom inspectors
• Create requests and responses auto-modifiers
• Create new exporter/importer
• Extend QuickExec with new commands
• Add menus and tabs

http://docs.telerik.com/fiddler/Extend-Fiddler/ExtendWithDotNet

Page 35: Debugging the Web with Fiddler

Fiddler is More Than a Sniffer

• Monitors traffic, yes, but also…
• Controls traffic
• Modifies traffic
• Generates traffic
• Easy to use
• Extensible

Enhance your web debugging with Fiddler today!

Page 36: Debugging the Web with Fiddler

Resources

• Fiddler Website
  – http://www.telerik.com/fiddler
• Fiddler Forum
  – http://groups.google.com/group/httpfiddler
• Fiddler Blog
  – http://www.telerik.com/blogs/tag/fiddler
  – http://www.telerik.com/blogs/fiddler-a-segue
  – http://blogs.msdn.com/b/fiddler (old blog)
• My Info
  – @IdoFlatow // [email protected] // www.idoflatow.net/downloads