Fiddler can't track traffic but httpAnalyzer can (connection looks like websockets)

Fiddler Classic
Serhio
Serhio asked on 14 Jun 2021, 10:34 PM | edited on 15 Jun 2021, 09:05 AM


I need to explore the traffic from one program.

The program makes something like a connection through the WebSockets.

Fiddler displays this:

Request Headers: `CONNECT 144.***:443 HTTP/1.0`

Response: `HTTP/1.0 200 Connection Established`

End empty body.

But httpanalyzer displays full information after that response, and that information continues flowing. Very likely like WebSockets (one connection and receive more answers).


And Fiddler displays zero traffic.

How can I explore such traffic through the fiddler?

Update 1: No WebSocket icon and no WebSocket tab

1 Answer, 1 is accepted

Nick Iliev
Telerik team
answered on 15 Jun 2021, 06:47 AM

Hello Serhio,

 

Fiddler Classic supports and visualizes WebSocket communication in a separate WebSocket tab (see the attached screenshot). So in case the application is opening a WS, you should see it when the connection is opened, and then any ongoing communication will appear in the active WS session (while using the WebSocket tab to see the incoming and outgoing messages).

 

Regards,
Nick Iliev
Progress Telerik


Serhio
commented on 15 Jun 2021, 08:39 AM | edited

I've analyzed WebSockets with Fiddler later on some resources and everything was good, but this time there is no WebSocket icon and WebSocket tab ("In order to see the websocket communication you have to find the session that has the little websocket icon on the left and double-click it. New tab will pop up showing you the messages." - but there is no icon - see screenshots in Update 1).
Serhio
commented on 15 Jun 2021, 08:51 AM

And I see "Request HTTPSParse failed: Object reference not set to an instance of an object." in the request screenshot. Maybe this is something like WebSockets, but not exactly WebSockets, and Fiddler can't parse it?
Nick Iliev
Telerik team
commented on 16 Jun 2021, 06:42 AM

If possible, you could send us the SAZ file with the problematic session so that we could investigate the case further. If you don't want to share the SAZ in a public post (but it is still OK to share it with the Fiddler team), then you could mail it directly to me at nikolay.iliev at progress.com
Serhio
commented on 16 Jun 2021, 08:57 AM

Thanks, I've sent the SAZ file to the Fiddler team.
Nick Iliev
Telerik team
commented on 17 Jun 2021, 07:22 AM

Thank you for the provided SAZ archive. The problematic sessions are indeed using a protocol that looks similar to WebSocket but actually is something different. We are currently unable to identify the protocol, and in this case Fiddler is not trying to decrypt the traffic but is directly proceeding with the tunnel.

As far as I see, the HttpAnalyzer is also not able to decrypt the content. It looks like this is an additional security layer applied by the application owners.
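
The distinction drawn in the comment above (a real WebSocket session versus something that only resembles one inside the CONNECT tunnel) can be checked on captured bytes. The following is an added example, not part of the thread and not Fiddler's code: it classifies the first client bytes of a stream as a TLS ClientHello, a WebSocket upgrade request, other plaintext HTTP, or an opaque custom protocol. The function names and sample payloads are constructed for illustration.

```python
import re

# Matches an HTTP/1.x request line such as "GET /path HTTP/1.1".
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")

def parse_headers(data: bytes) -> dict:
    """Map lower-cased header names to values from a plaintext request head."""
    head = data.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def classify_tunnel_payload(data: bytes) -> str:
    """Classify the first client bytes seen after '200 Connection Established'."""
    # TLS record header: type 0x16 (handshake), major version 0x03,
    # two length bytes, then handshake type 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"
    if REQUEST_LINE.match(data):
        h = parse_headers(data)
        conn = {t.strip().lower() for t in h.get(b"connection", b"").split(b",")}
        if (h.get(b"upgrade", b"").lower() == b"websocket"
                and b"upgrade" in conn and b"sec-websocket-key" in h):
            return "websocket-upgrade"
        return "plain-http"
    # Anything else is a custom framing that a proxy can only relay as bytes.
    return "opaque"

# Constructed sample payloads (not taken from the capture discussed in the thread).
SAMPLES = {
    "tls": bytes.fromhex("16030100050100000100"),
    "ws": (b"GET /chat HTTP/1.1\r\nHost: example.test\r\n"
           b"Upgrade: websocket\r\nConnection: keep-alive, Upgrade\r\n"
           b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
           b"Sec-WebSocket-Version: 13\r\n\r\n"),
    "http": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "custom": bytes.fromhex("002a9f0100000010deadbeef"),
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:7s} -> {classify_tunnel_payload(payload)}")
```

The same check applies at either layer: to the raw bytes inside the tunnel, or to the decrypted stream once TLS has been terminated by the proxy.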

Serhio
commented on 17 Jun 2021, 08:30 AM

Is there any way to use Fiddler to collect the raw data flow to analyze it? Something like answers in your SAZ archive, but with all data sent-received, even undecrypted? I mean to gather all raw data (like messages in WebSockets) to analyze what's happening manually. HttpAnalyzer displays that data flow; the problem is that I can't export that data to analyze it.
Nick Iliev
Telerik team
commented on 21 Jun 2021, 07:34 AM

If you mean a raw output where you could see the encrypted content from the unknown format, then the answer would be that Fiddler SAZ files are not storing that information. The encrypted body is omitted as the content would make no sense. 
Serhio
commented on 21 Jun 2021, 10:29 AM

And for example, when the WebSockets protocol was unknown to Fiddler, how did you get that raw data to set up Fiddler for WebSockets?
Nick Iliev
Telerik team
commented on 24 Jun 2021, 10:00 AM

The decrypted content (from the unknown protocol) is not part of the SAZ archives and is not stored by Fiddler. So that said, you cannot obtain it (using Fiddler).
Serhio
commented on 26 Jun 2021, 11:32 PM

What other program would you advise to obtain that content?