Best Way to Inspect HTTP(S) APIs of Many Devices

The big picture is that I want to inspect web API requests and responses. I'm a developer with many different devices. I want to inspect traffic from any of the devices. I don't want to have to configure and unconfigure proxy settings on a host of devices.

My solution is to ​configure a router, call it "PROXY", that routes device traffic to a transparent proxy. This eliminates the need for proxy changes. In fact, I've been able to do all this with a dd-wrt router and mitmproxy (OS X). However, I ​much prefer Fiddler over mitmproxy because of Fiddler's superior UI and my personal preference for C# and .Net. So I've been trying to get mitmproxy's system to redirect HTTP(S) to a Windows 10 system running Fiddler. That way I can have the best of all worlds. So far I've been unable to figure out the ip commands to get the traffic from mitmproxy's system to Fiddler system.

The ideal solution is to configure the router to directly send HTTP traffic to Fiddler. However, I haven't been able to figure out how to do that. The fallback is to figure out how to ​get OS X to redirect to Fiddler. I haven't been able to figure that out either. So I'm stuck using mitmproxy, which while working, is a less than ideal solution.

Today I tried inspecting traffic from an Amazon Echo using mitmproxy. I've been unable to get that combo working. The Echo doesn't have proxy settings so I can't use Fiddler either. I guess I need to look into Wireshark.

Yes, interesting what happens when a noobie assumes something can be done, has time available, and ​is motivated. Usually the interesting thing turns out badly but in this rare ​exception, all the experiments have ​lead to a good payoff.

===

Here's a really easy way to inspect realtime web API traffic. It works for both HTTP and HTTPS (decrypted) traffic. There's no hassling with device proxies. It works with all sorts of client devices including Android, iOS. Linux and Windows. You'll need to setup a router and install transparent proxy software. Specifically, I use dd-wrt router software, and installed mitmproxy.org's transparent proxy on a Mac OS/X system. Probably any router's software will do. There's other choices for transparent proxy software (squid), and other hosting system choices such as Linux. There's articles on the internet which explain, in uber-guru terms, how to install mitmproxy on a dd-wrt router so a host system isn't needed. There's also articles about using a Raspberry PI to as both a router and mitmproxy host.

Client Device Enabling

First, connect your client device to your private proxy network (192.168.3.x) -- just select your wireless SSID. Second, to enable HTTPS decryption, follow your proxy provider's instructions for storing their SSL certificate.

Router Configuration

Let's assume your LAN is 192.168.1.x (usually having a gateway ​of 192.168.1.1), your transparent proxy host is 192.168.1.2, and you've chosen to create a new LAN (named PROXY) of 192.168.3.x for your client devices. Note that the attached image uses a somewhat unusual gateway of 192.168.1.254 because that's my internet provider's default.

You need to configure the router so that the gateway value points to the transparent router host ip (192.168.1.2). To do so, assign a static IP address for the WAN. Use an ip which is outside of the LAN's DHCP range, often 192.168.1.201 is good. Router's WAN automatic DHCP assignment can't be used because it will also assign the ​default gateway (usually 192.168.1.1), which in this case won't be the desired proxy host address (192.168.1.2). Hence we are using the router's static IP WAN option to assign a WAN address. Attached is a screen shot image of my dd-wrt setup. The image shows a static IP of 192.168.1.201, a gateway of 192.168.1.2, some google DNS addresses. The router will use a private network of 192.168.3.1.

Transparent Proxy Installation

I chose to install mitmproxy, a transparent proxy, on an OS/X system. There are other choices for proxy and system. You must use a proxy that has a transparent mode, otherwise this configuration won't work. Charles and Fiddler offer reverse proxy but NOT transparent proxy. Follow your proxy provider's installation instructions.

How to Execute mitmproxy on OS/X

 I tried sending an email using "Send Feedback" in Fiddler's Help menu. It ​launched Outlook and wanted me to setup an email account. I really don't want to do that and have always avoided using Outlook. Is there an alternate method of contacting you, an email address?

I've spent a few more hours trying to get this to work. No progress. The issue may be more of a Windows issue than Fiddler, I just don't know. If you'd like to help, here's a simple setup which isn't working. If you can get it to work, perhaps that's all that's needed. It works great with OS/X and mitmproxy.

1. Setup a router whose gateway points to a Windows system.

2. Launch some listener program on the Windows system such as Fiddler. Listen on port 8888.

3. Connect a ​computer to the router. In the computer's browser type a url using port 8888 (e.g. www.example.com:8888). The HTTP GET request should be heard and displayed by the listener (Fiddler) on the gateway system.

4. Now try again using port 80, then port 443. If it works, all's done.

I've been unable to get this simple setup to work. Windows doesn't seem to pass on the GET to the listener.

In the client browser, when I enter http://FiddlerPC:8888/, Fiddler reports empty GETs, which I assume is the correct.

This happens when the client is on the same subnet ​AND also when the client is on the router's own subnet.

What's the next thing to try?

For systems connected to the proxy router, where the router uses the Fiddler system as the gateway, DNS will work if you enable IP forwarding on the gateway/Fiddler system following a reboot. Follow this registry change:

https://support.microsoft.com/en-us/kb/99686

As you surmised above, the trick is to get the gateway/Fiddler system to respond to traffic forwarded to it from the router.

The latter. While DNS is working, transparent is not. Fiddler is not displaying any HTTP traffic gateway-ed from the router. ​From the client, connected to the router, requesting http://example.com ​displays (in browser) the correct response but nothing is ever displayed by Fiddler (although http://example.com:8888 works, 80 does not). It appears that Fiddler never hears a ​HTTP port 80 request. I've blindly tried various NETSH commands, trying to redirect from port 80 to 8888, ​similar to OS/X, but nothing's working. I really don't understand what NETSH commands are required to get Fiddler to see the HTTP traffic or even if NETSH is the correct way to redirect. I'm hoping you can figure out what possibly is the last hurdle.

I've spent more hours but haven't made any progress. Here's where I'm stuck. In a proxy router's client's browser, if I type "http://fiddlersystem" I see the request coming into the gateway/Fiddler(proxy set to port 80) system. If I type a website, e.g. "http://httpbin.org", I don't see anything coming into Fiddler, Charles, or any other listener however the proper response is received. So it seems that Windows ​is not passing the http request through to Fiddler.

 Note that the above works perfectly using OS/X with mitmproxy.