Contents
1. Introduction to Fiddler packet capture
1). Field description
2). Statistics: analysis of request performance data
3). Inspectors: checking the data content
4). AutoResponder: intercepting requests that match a rule
5). Filters: request filtering rules
6). Timeline: request response time
2. Setting Fiddler up to decrypt HTTPS traffic
3. Capturing iPhone/Android packets with Fiddler
4. Built-in commands and breakpoints in Fiddler
Preface
Fiddler is a handy packet capture tool that can intercept, resend, edit and save the packets sent and received over the Internet; it can also be used for network security testing. I have benefited a lot from it. When I was learning it I found it quite laborious: some practical but well-hidden small functions were forgotten as soon as I had used them, and digging them up on the web every time was a nuisance, so I collected material from the major sites and summarised the common functions here.
Fiddler download address: www.telerik.com/download/fi…
Offline download of Fiddler: pan.baidu.com/s/1i3NvE8P (password: ozem)
Downloading Fiddler from the official site requires a way over the firewall, so I had to dig it out and download it to…
For Windows 8, Fiddler for .NET4 works better than Fiddler for .NET2
1. Introduction to Fiddler packet capture
Fiddler monitors and intercepts traffic by changing the system HTTP proxy settings so that all data passes through it. The nice thing is that the moment you open Fiddler your browser's proxy is already set up, and it restores the original proxy when you close it…
1) Field description
For Fiddler to capture packets, make sure Capture Traffic is enabled under File -> Capture Traffic. Once enabled, the capture status is shown in the lower-left corner; you can also click that lower-left indicator directly to disable or enable capturing.
With Fiddler up and running, the captured packets are displayed in a list. Here is what each column means:
| Name | Meaning |
| --- | --- |
| # | Sequence number of the captured HTTP request, ascending from 1 |
| Result | HTTP status code |
| Protocol | Protocol used by the request, such as HTTP, HTTPS or FTP |
| Host | Host name of the requested address |
| URL | Location of the requested resource |
| Body | Size of the request |
| Caching | Cache expiration time or cache-control value of the request |
| Content-Type | Content type of the response |
| Process | The process that sent this request: process ID |
| Comments | Lets the user add remarks to this session |
| Custom | Lets the user set a custom value |
| Icon | Meaning |
| --- | --- |
| (icon) | The request has been sent to the server |
| (icon) | The response has been downloaded from the server |
| (icon) | The request is paused at a breakpoint |
| (icon) | The response is paused at a breakpoint |
| (icon) | The request uses the HTTP HEAD method, so the response has no body |
| (icon) | The request uses the HTTP POST method |
| (icon) | The request uses the HTTP CONNECT method to establish an HTTPS tunnel |
| (icon) | The response is HTML |
| (icon) | The response is an image |
| (icon) | The response is a script |
| (icon) | The response is CSS |
| (icon) | The response is XML |
| (icon) | The response is JSON |
| (icon) | The response is an audio file |
| (icon) | The response is a video file |
| (icon) | The response is a Silverlight object |
| (icon) | The response is a Flash object |
| (icon) | The response is a font |
| (icon) | Normal response, succeeded |
| (icon) | The response is an HTTP 300, 301, 302, 303 or 307 redirect |
| (icon) | The response is HTTP 304 (not modified): the cached file is used |
| (icon) | The response requires client certificate verification |
| (icon) | Server error |
| (icon) | The session was terminated by the client, by Fiddler or by the server |
2). Statistics: analysis of request performance data
That covers the left-hand side; now we can move to the right.
Click any request and the Statistics tab shows performance and data analysis for that HTTP request (surely you have not installed Fiddler without making a single request…):
3). Inspectors: checking the data content
Inspectors are used to examine the session content; the top half shows the request and the bottom half shows the response:
4). AutoResponder: intercepting requests that match a rule
AutoResponder lets you intercept requests that match a specified rule and return a local file or a Fiddler resource in place of the server's response.
Look at step 5 in the figure below: I bind the keyword "baidu" to a picture on my computer, "F:\Users\YukiO\Pictures\boy.jpeg", click Save and tick Enable Rules; when I then visit Baidu, the response is hijacked.
This feature supports several matching modes, for example:
1. String matching (default): any URL that contains the specified string (case-insensitive) counts as a match.
2. Regular-expression matching: the rule starts with "regex:" and the rest is applied as a regular expression. This is case-sensitive.

| Rule | URL | Matches? |
| --- | --- | --- |
| Baidu | www.baidu.com | yes |
| Baidu | pan.baidu.com | yes |
| Baidu | tieba.baidu.com | yes |
| regex:.+\.(JPG\|GIF\|BMP)$ | bbs.fishc.com/Path1/query… | no |
| regex:.+\.(JPG\|GIF\|BMP)$ | bbs.fishc.com/Path1/query… | yes |
| regex:.+\.(JPG\|GIF\|BMP)$ | bbs.fishc.com/Path1/query… | yes |
| regex:.+\.(JPG\|GIF\|BMP)$ | bbs.fishc.com/Path1/query… | no |
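To make the two matching modes concrete, here is an added example (my own code, not part of the original post and not Fiddler's implementation) that re-creates the default case-insensitive substring match and the case-sensitive "regex:" match and evaluates an ordered rule list top to bottom the way an enabled AutoResponder list is. The rule table, URLs and the local file path in it are constructed placeholders; Fiddler's real matcher also has other prefixes that this example does not cover.

```python
import re

# Added example: re-implementation of the two AutoResponder matching modes
# described in the post. Not Fiddler's own code.

REGEX_PREFIX = "regex:"


def parse_rule(rule: str):
    """Classify a rule as ('regex', compiled pattern) or ('string', lowercase needle)."""
    if rule.startswith(REGEX_PREFIX):
        # Regex mode: compiled without re.IGNORECASE, i.e. case-sensitive,
        # as the post describes it.
        return ("regex", re.compile(rule[len(REGEX_PREFIX):]))
    # Default mode: case-insensitive substring match on the URL.
    return ("string", rule.lower())


def rule_matches(rule: str, url: str) -> bool:
    """True when the rule selects the given URL."""
    kind, matcher = parse_rule(rule)
    if kind == "regex":
        return matcher.search(url) is not None
    return matcher in url.lower()


def first_matching_rule(rules, url):
    """Return the first (rule, action) pair whose rule matches, or None.
    Mirrors top-to-bottom evaluation of an enabled rule list."""
    for rule, action in rules:
        if rule_matches(rule, url):
            return rule, action
    return None


# Constructed sample rule table; the path is a placeholder, not the author's.
SAMPLE_RULES = [
    ("Baidu", r"C:\placeholder\boy.jpeg"),
    (r"regex:.+\.(jpg|gif|bmp)$", r"C:\placeholder\image.png"),
]

if __name__ == "__main__":
    for url in ("http://www.baidu.com/",
                "http://bbs.fishc.com/Path1/query.jpg",
                "http://bbs.fishc.com/Path1/query.jpg?a=1",
                "http://bbs.fishc.com/Path1/query.JPG"):
        print(url, "->", first_matching_rule(SAMPLE_RULES, url))
```

Note the last two URLs: the query string defeats the `$` anchor, and because the regex mode is case-sensitive here, the upper-case `.JPG` is not matched by the lower-case pattern, which is exactly the pitfall the case-sensitivity remark above is warning about.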
4). Composer: sending custom requests to the server
Composer lets you send custom requests to the server, either by creating a new request by hand or by dragging an existing request from the session list into it.
In Parsed mode you only need to supply a URL (see the figure below). You can also set attributes in the request headers, for example to imitate a browser's User-Agent.
5). Filters: request filtering rules
Filters are used to filter requests. The session window on the left is updated constantly; when you are looking for one request from your own system, every browser refresh floods the screen and it becomes an eyesore. Filter rules are used to drop the requests you do not want to see.
Tick Use Filters in the upper-left corner to enable filtering. The two most commonly used criteria are Zone and Host:
1. Zone shows only Intranet or only Internet traffic:
2. Host shows only sessions under the given domain names:
If the box is yellow (as in the picture), the change has not taken effect yet: click the text in the red circle.
6). Timeline: request response time
Select one or more sessions (hold Ctrl for several) in the left-hand session window and the Timeline shows when the selected content was transferred from the server to the client:
2. Setting Fiddler up to decrypt HTTPS traffic
Fiddler can fool both the browser and the server by forging a CA certificate; it is a very clever device. The idea is that Fiddler masquerades as the HTTPS server towards the browser and as the browser towards the real HTTPS server, so it can decrypt the HTTPS packets in between.
To enable HTTPS decryption manually, click:
1. Tools > Fiddler Options > HTTPS
2. Select Decrypt HTTPS Traffic
3. Click OK
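The flip side of this trick is that the same forged-root technique is what a hostile interception proxy uses, and the only thing the browser sees is that the leaf certificate chains to a root it happens to trust. The following added example (my own code, not from the post or from Fiddler) shows the defender's check: inspect the issuer of the certificate actually presented and flag a known interception root or anything outside a pinned set. It relies on Python's standard `ssl` module and on the fact that Fiddler names its generated root "DO_NOT_TRUST_FiddlerRoot"; the two certificate dictionaries are constructed in the shape `ssl.SSLSocket.getpeercert()` returns, and the host used for the optional live check is a placeholder.

```python
import socket
import ssl

# Added example, not Fiddler's code. The CN below is the name Fiddler gives its
# generated root certificate; anything in this set means a MITM proxy signed the cert.
KNOWN_INTERCEPTION_ROOTS = {"DO_NOT_TRUST_FiddlerRoot"}


def rdn_value(name, key):
    """Pull one attribute (e.g. commonName) out of a getpeercert()-style name tuple."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def classify_issuer(cert, expected_issuers=None):
    """'intercepted' if the issuer is a known MITM root, 'unexpected' if a pinned
    set was given and the issuer is not in it, otherwise 'ok'."""
    issuer_cn = rdn_value(cert.get("issuer", ()), "commonName")
    if issuer_cn in KNOWN_INTERCEPTION_ROOTS:
        return "intercepted"
    if expected_issuers is not None and issuer_cn not in expected_issuers:
        return "unexpected"
    return "ok"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live check: complete a TLS handshake and return the leaf cert as a dict.
    If a Fiddler root has been installed into the trust store, the handshake
    succeeds and the returned issuer is the proxy's root, which classify_issuer
    then flags."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() shape (a tuple of RDNs, each a tuple of pairs).
INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("organizationName", "DO_NOT_TRUST"),),
        (("commonName", "DO_NOT_TRUST_FiddlerRoot"),),
    ),
}
NORMAL_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("organizationName", "Example Public CA"),),   # constructed, not a real CA
        (("commonName", "Example Issuing CA 1"),),
    ),
}

if __name__ == "__main__":
    print("sample 1:", classify_issuer(INTERCEPTED_CERT))
    print("sample 2:", classify_issuer(NORMAL_CERT, expected_issuers={"Example Issuing CA 1"}))
    # Live check against a placeholder host; uncomment on a networked machine:
    # print(classify_issuer(fetch_peer_cert("www.example.com")))
```

The pinned-issuer branch is the more general control: a client or monitoring job that knows which CA should be issuing for its own services can run this after every handshake, and a "DO_NOT_TRUST" root showing up on a production machine is worth an alert regardless of who installed it.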
3. Capturing iPhone/Android packets with Fiddler
Capturing packets from a mobile device with Fiddler is simple. First, here is how the device reaches the network:
All traffic from the phone goes out over Wi-Fi, so we can turn on a hotspot on the PC, connect the phone to it and, once Fiddler's proxy is enabled, route the phone's traffic through Fiddler. Fiddler captures these packets and forwards them on to the router (as shown in the figure):
1. Turn on a Wi-Fi hotspot and connect your phone to it (I am using 360wifi here, but any hotspot will do)
2. Open Fiddler and click [Tools] -> [Fiddler Options] in the menu bar.
3. Click [Connections], set the proxy port to 8888, tick Allow remote computers to connect, and click OK
4. You can now see the IP address of your local wireless adapter in Fiddler (if not, restart Fiddler, or look up the address with ipconfig in CMD).
5. Connect the phone to the PC's Wi-Fi and set the proxy IP and port (the proxy IP is the address shown in the figure above; the port is Fiddler's proxy port, 8888).
6. In the phone's browser, open the proxy IP address and port number and download the Fiddler certificate by clicking FiddlerRoot Certificate at the bottom of the page
[Note]: if the browser shows an error like the one below, enable Fiddler's HTTPS decryption mode (see "Setting Fiddler up to decrypt HTTPS traffic")
No root certificate was found. Have you enabled HTTPS traffic decryption in Fiddler yet?
7. Once the certificate is installed, use the phone to open the app and watch the captured packets. (Below are the packets of the Burqa comics app, and below that QQ Mail)
4. Built-in commands and breakpoints in Fiddler
Fiddler also has a well-hidden command box. After several years of using Fiddler I had not found it, until I came across this small feature in someone else's article; it is quite useful.
Fiddler's breakpoint feature intercepts a request without sending it, so you can do many things with it, such as modifying the packet before sending it on to the server, and so on. I will not give examples here.
| Command | Applies to | Description | Example |
| --- | --- | --- | --- |
| ? | All | The question mark is followed by a string; matches requests whose URL contains that string | |
| > | Body | The greater-than sign is followed by a number; matches requests larger than that size | > 1000 |
| < | Body | The opposite of the greater-than sign; matches requests smaller than that size | < 100 |
| = | Result | The equals sign is followed by a number; matches requests with that HTTP status code | = 200 |
| @ | Host | @ followed by a host name; matches requests to that domain | @www.baidu.com |
| select | Content-Type | select followed by a response type; matches responses of that type | select image |
| cls | All | Clear all current requests | cls |
| dump | All | Package all requests into a SAZ file and save it in the "My Documents\Fiddler2\Captures" directory | dump |
| start | All | Start listening for requests | start |
| stop | All | Stop listening for requests | stop |
| Breakpoint commands | | | |
| bpafter | All | bpafter followed by a string; breaks on every request containing that string, after the response has arrived | bpafter baidu (enter bpafter alone to remove the breakpoint) |
| bpu | All | Like bpafter, but breaks on the request before it is sent rather than on the response | bpu baidu (enter bpu alone to remove the breakpoint) |
| bps | Result | bps followed by a status code; breaks on every response with that status code | bps 200 (enter bps alone to remove the breakpoint) |
| bpv / bpm | HTTP method | Breaks only on the given HTTP method, such as POST or GET | bpv get (enter bpv alone to remove the breakpoint) |
| g / go | All | Release all interrupted requests | g |
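The filter commands in the table above are simple enough to re-create, and doing so over a small session list makes their semantics easy to check. The following is an added example (my own code, not the post's and not Fiddler's implementation); the sessions are constructed samples, and the `@` and `?` commands are implemented as case-insensitive substring matches on host and URL, which is an assumption on my part rather than something the post states.

```python
from dataclasses import dataclass

# Added example: re-implementation of Fiddler's filter commands (?, >, <, =, @, select)
# over constructed sessions. Not Fiddler's own code.


@dataclass
class Session:
    id: int            # the "#" column
    result: int        # HTTP status code
    host: str
    url: str
    body: int          # body size in bytes
    content_type: str  # response Content-Type


# Constructed sample sessions, shaped like rows of Fiddler's session list.
SESSIONS = [
    Session(1, 200, "www.baidu.com", "http://www.baidu.com/", 2300, "text/html"),
    Session(2, 200, "tieba.baidu.com", "http://tieba.baidu.com/img/logo.png", 51200, "image/png"),
    Session(3, 404, "bbs.fishc.com", "http://bbs.fishc.com/Path1/query.jpg", 120, "text/html"),
    Session(4, 302, "www.example.com", "http://www.example.com/login", 0, "text/html"),
]


def matches(command: str, s: Session) -> bool:
    """Apply one filter command to one session."""
    cmd = command.strip()
    if cmd.startswith("?"):                      # ?string  -> URL contains string
        return cmd[1:].strip().lower() in s.url.lower()
    if cmd.startswith(">"):                      # >N       -> body larger than N bytes
        return s.body > int(cmd[1:])
    if cmd.startswith("<"):                      # <N       -> body smaller than N bytes
        return s.body < int(cmd[1:])
    if cmd.startswith("="):                      # =code    -> HTTP status equals code
        return s.result == int(cmd[1:])
    if cmd.startswith("@"):                      # @host    -> host matches (assumed: substring)
        return cmd[1:].strip().lower() in s.host.lower()
    if cmd.lower().startswith("select "):        # select type -> Content-Type contains type
        return cmd[len("select "):].strip().lower() in s.content_type.lower()
    raise ValueError(f"unknown command: {command!r}")


def run(command: str, sessions=SESSIONS):
    """Return the ids of the sessions the command selects."""
    return [s.id for s in sessions if matches(command, s)]


if __name__ == "__main__":
    for cmd in ("?baidu", "> 1000", "< 100", "= 200", "@www.baidu.com", "select image"):
        print(f"{cmd:16} -> {run(cmd)}")
```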
Example demonstrations (screenshots in the original post) for: ?, >, <, =, @, select, cls, dump
Breakpoint commands:
Breakpoints can be set on all requests by clicking Fiddler's breakpoint icon shown in the figure below; breakpoint commands specify which requests should be intercepted. Example demonstrations (screenshots in the original post) for the commands: bpafter, bps, bpv, g / go