Examine All HTTP/HTTPS Traffic on Windows with Fiddler2

I’m an HTTP geek. RFC 2616 is my best friend.

This means two things. First, I need more friends. And second, I need a tool that’ll show me what my HTTP and HTTPS requests are doing under the covers. (After all, best friends shouldn’t have any secrets.)

I can dig up this information in PHP pretty quickly using cUrl: curl_exec() gives me the headers and body of a response, and the CURLINFO_HEADER_OUT argument to curl_getinfo () yields the headers for the last request on the specified resource. But there’s no easy way to obtain the request body, which can be critical when debugging multi-part POST issues. Plus, this trick is limited to PHP. There’s no easy way to examine the request/response headers of an HTTP request using .NET’s HttpWebRequest, for example. And what if I want to examine how another popular Web application, such as Gmail or a REST API, works at the protocol level?

There are commercial applications that will expose HTTP request/response pairs, but they cost an arm and a leg. Fortunately, those of us slinging code on Windows can download Eric Lawrence’s freeware application Fiddler2. Built on .NET Framework 2.0, Fiddler2 tells you all you want to know about every HTTP and HTTPS transaction on your machine. You can view request and response headers as a Treeview, hex code, or a raw header dump. Fiddler2 automatically captures traffic from Internet Explorer, Chrome, and Opera, and can capture Firefox requests and responses with a minor tweak.

Fiddler main UI. Click to view larger version (1288×815).

The features in Fiddler are too numerous to mention. Here are three that I guarantee you’ll use regularly in your development work.

Inspect Unencrypted HTTPS Requests

Fiddler2 works by acting as a proxy server between your software and the Internet, intercepting HTTP requests before transmitting them to their intended destination. Many REST APIs, particularly OAuth authentication, operate over SSL. Because Fiddler2 is a proxy server, it can instruct an HTTP protocol stack that it is the intended secure server for all SSL connections. This enables the app to intercept all SSL requests, giving developers a peek at data that’s usually kept under lock and key.

HTTPS interception is not enabled by default. To enable it, click Tools->Fiddler Options, select the HTTPS tab, and click both Capture HTTPS CONNECTs and Decrypt HTTPS Traffic. Fiddler2 will then generate a pseudo-certificate to enable public key signing of SSL requests.

You will see a series of scary prompts warning you that Fiddler2 is generating a root CA certificate named DO_NOT_TRUST_FiddlerRoot . Once you trust this certificate, you’ll be able to see unencrypted HTTPS requests and responses in Fiddler2’s Web Sessions window.

Compose Ad Hoc HTTP and HTTPS Requests

This is, in my opinion, the best part of Fiddler2. To the right of the Web Sessions window is a tab called Request Builder. Use it to compose your own custom HTTP request, complete with parameters, choice of method (GET, POST, PUT, HEAD, etc.), and an optional request body. If you have HTTPS decryption enabled, you can execute your HTTP command over HTTP or HTTPS. After you execute a command, you can double-click the resulting query in the Web Sessions window and view the results. This utility is ideal for debugging HTTP requests outside of a development platform, particularly when calling REST APIs.

If you don’t want to build a request from scratch, you can drag a previous request from the Web Sessions window and drop it onto Request Builder.

This window is so useful that it can be floated separately from the rest of the application. Select the Options tab and click the Tear off button to display the Request Builder in a separate window.

Finally, you can use an https:// prefix in your URL, and Fiddler2 will send your request over SSL. Yes, Virginia, there is a Santa Claus.

Reroute Local PHP cUrl Requests Through Fiddler2

If you’re developing in PHP on Windows using a system such as Uniform Server, and need to debug cUrl requests sent by your application, you can tell the PHP cUrl API to send all HTTP/HTTPS requests through the Fiddler2 proxy with a single line of code. (In this snippet, $ch is the handle returned by curl_init() .)

curl_setopt($ch, CURLOPT_PROXY, '127.0.0.1:8888');

Dig In

This is only a sampling of features. Fiddler2 can emulate popular user agents, compress your request, chain to upstream proxies, and encode/decode text in over half a dozen different formats. The breadth and reliability of this application make it a must-have for any Windows developer’s toolkit.