How to use Fiddler to capture traffic

In this blog you will learn what is Fiddler, how to use fiddler, how to use Fiddler to capture traffic, and how to analyze Fiddler logs.

What is Fiddler

Fiddler tool assists in the debugging of web applications by capturing the network traffic between the Internet and test computers. This tool allows users to examine both incoming and outgoing data, providing the capability to observe and alter requests and responses before they reach the browser. Additionally, Fiddler incorporates a robust event-based scripting subsystem that can be expanded using any .NET Framework language.

How to download Fiddler

To download Fiddler tool, click this link, enter your email address and fill in the requested details and click Download For Windows. Once Fiddler installation file is downloaded, install it.

download fiddler

How to use Fiddler to capture traffic

Open Fiddler tool, go to File tab and click Capture Traffic to stop fiddler from capturing the traffic.

use fiddler to capture traffic

Click Tools, and click Options.

how to use fiddler trace tool

On the Options page, go to HTTPS tab and check Decrypt HTTPS traffic and click OK. Click OK on certificate prompt and click OK again.

decrypt HTTPS traffic in fiddler

Go to File tab and click Capture Traffic again to start capturing the traffic in fiddler trace tool.

How to use Fiddler

In this example I will login to outlook.office.com (OWA) using one of the user accounts ([email protected]) that exist in on-premises Active Directory. Also I have deployed ADFS in on-premises environment and the domain office365concepts.com is federated (all login requests for this domain will be redirected to the ADFS server).

Important: You can use Fiddler trace tool to analyze any type of browser based authentication or to test any issues with we-based applications.

When this user will type outlook.office.com in the browser and press Enter, he will be redirected to Microsoft 365 Security Token Service (STS) which is https://login.microsoftonline.com.

microsoft 365 security token service

As soon as the user will type or click his username [email protected], he will be redirected to the ADFS server authentication page as shown below:

adfs authentication page

In the above image you can see the user is redirected to ADFS authentication page and you can see the Federation Service Identifier of ADFS server in the URL along with the ADFS endpoint that answered this request.

User will enter his password in the Password box and will press Enter, and user will be able to login to OWA.

Now let’s go to Fiddler tool and analyze Fiddler logs.

Go to Fiddler trace tool, go to File and click Capture Traffic to stop Fiddler from capturing the traffic.

stop fiddler

In the below image on the row 28, you can see the user typed outlook.office.com, and in the row 30 you can see the user was redirected to Microsoft 365 Security Token Service (STS) page.

fiddler logs analysis

In the below image on row 44, you can see the user was redirected to the ADFS server authentication page and you can see the ADFS server endpoint (/adfs/ls) that answered the browser request.

/adfs/ls

Double click on the header that shows ADFS server URL, on the right side of the window make sure Inspectors is selected, and click WebForms. In this section you can see the username that was used to login to outlook.office.com.

fiddler trace 3 1

On the row 50, under Webforms tab you can see the password that user entered in ADFS authentication page.

fiddler 4

On the row 51 under Headers tab within the Response Headers section, we can see the user was authenticated and 4 cookies were issued to the user.

check cookies issued with fiddler

Below are the 4 cookies those were issued post successful authentication:
MSISAuth: This cookie tells that the user is authenticated.
MSISAuthenticated: This cookie will show the time and date when user was authenticated.
MSISLoopDetectionCookie: This cookie will show the number of attempts user has made to login.
MSISSignOut: Sign Out cookie will delete the user information when user will sign out from the application or he will close the browser.

Let’s analyze these cookies using Fiddler trace tool.

MSISAuthenticated cookie: This cookie shows the time and date when user was authenticated. To analyze MSISAuthenticated cookie, right click on the cookie and click Send to TextWizard.

msisauthenticated cookie

Remove the highlighted text in the below image:

msisauthenticated cookie 2 1

Select From Base64 next to Transform.

msisauthenticated cookie 3

And you can see the date and time when the user was authenticated as shown in the below image:

msisauthenticated cookie 4

MSISLoopDetectionCookie: This cookie shows the number of attempts user has made to login to the application. To analyze this cookie, right click on the cookie and click Send to TextWizard.

Remove the text as shown below and select From Base64 next to Transform. And in the below image you can see user has made only one attempt to login to the application.

MSISLoopDetection Cookie

Conclusion

In this blog you learnt what is Fiddler and how to use Fiddler to capture traffic and analyze the logs. You might like our other article on Troubleshoot MRM using MFCMAPI, Troubleshoot OOF issues with MFCMAPI, and Purge emails using MFCMAPI.

If you found this article helpful and informative, please share it within your community and do not forget to share your feedback in the comments below. Join us on YouTube for the latest videos on cloud technology and join our Newsletter for the early access of the blogs and updates.

Happy Learning!!