APP开发浅谈-Fiddler抓包详解

Fiddler抓包工具在APP开发过程中使用非常频繁,对开发者理解HTTP网络传输原理以及分析定位网络方面的问题非常有帮助。今天抽点时间出来总结一下Fiddler在实际开发过程中的应用。


我开发过程中使用的比较多的抓包工具主要有MiniSniffer,Fiddler和Wireshark。其中MiniSniffer是一款体积小巧的老牌网络抓包工具,嗅探、捕获各种程序开启的网络连接数据。Wireshark是一款非常流行,功能十分强大的网络数据分析工具,可以显示网络封包的详细信息,需要网络协议有一定的了解才比较容易看懂Wireshark。Fiddler是一款定位http/https调试的工具,能记录所有客户端和服务器的http和https请求,允许你监视,设置断点,甚至修改输入输出数据。如果平时开发过程中只是涉及到http/https上层网络协议的话,使用Fiddler足够了,这里主要总结下Fiddler的使用。
本文涉及的内容有:

  1. Fiddler概述
  2. Fiddler工作原理
  3. Fiddler抓取Https报文原理
  4. Fiddler基本配置安装
  5. Fiddler抓取Https配置安装
  6. FiddlerCertMaker插件安装
  7. 手机端证书安装

一、概述

Fiddler是一款免费且功能强大的数据包抓取软件。它通过代理的方式获取程序http通讯的数据,可以用其检测网页和服务器的交互情况,能够记录所有客户端和服务器间的http请求,支持监视、设置断点、甚至修改输入输出数据等功能。fiddler包含了一个强大的基于事件脚本的子系统,并且能够使用.net框架语言扩展。

二、Fiddler工作原理

Fiddler是位于客户端和服务器端之间的HTTP代理, 它能够记录客户端和服务器之间的所有 HTTP(S)请求,可以针对特定的HTTP(S)请求,分析网络传输的数据,还可以设置断点、修改请求的数据和服务器返回的数据。
Fiddler在浏览器与服务器之间建立一个代理服务器,Fiddler工作于七层中的应用层,能够捕获通过的HTTP(S)请求。Fiddler启动后会自动将代理服务器设置成本机,默认端口为8888。Fiddler不仅能记录PC上浏览器的网络请求数据,还可以记录同一网络中的其他设备的HTTP(S)请求数据。数据传递流程大致如下:

1) 客户端像WEB服务器发送HTTP(S)请求时,请求会先经过代理Fiddler代理服务器。
2) Fiddler代理服务器截取客户端的请求报文,再转发到WEB服务器,转发之前可以做一些请求报文参数修改的操作。
3) WEB服务器处理完请求以后返回响应报文,Fiddler代理服务器会截取WEB服务器的响应报文。
4) Fiddler处理完响应报文后再返回给客户端。

三、Fiddler抓取HTTPS原理

现在APP中的数据传输基本上都使用HTTS传输,传输的数据都是经过加密的,这增加了我们分析数据包的难度,还好Fiddler除了可以抓取HTTP数据包,还可以抓取HTTPS数据包。由于HTTPS传输需要使用到CA证书,所以抓取抓取HTTPS数据包时需要做一些特殊配置。Fiddler截取HTTPS报文的流程大致如下:

1) 客户端请求建立HTTPS链接,发送客户端支持的加密协议及版本列表等信息给服务器端。
2) Fiddler接受客户端请求并伪装成客户端向WEB服务器发送相同的请求。
3) WEB服务器收到Fiddler的请求以后,从请求中筛选合适的加密协议。并返回服务器CA证书,证书中包括公钥信息。
4) Fiddler收到WEB服务器的响应后保存服务器证书并自签名一个CA证书,伪装成服务器,把该证书下发给客户端。
5) 客户端验证证书合法性。(Fiddler能否抓取到HTTPS报文关键看这一步
6) 客户端生产对称密钥,通过证书的公钥加密发送给服务器。
7) Fiddler拦截客户端的请求以后,使用私钥解密该报文,获取对称加密秘钥,并使用服务器证书中带的公钥加密该对称密钥发送给WEB服务器。此时对称密钥已经泄露了,以后可以使用该秘钥界面客户端和服务器端传输的数据。
8) WEB服务器接收到客户端发送的加密的对称密钥后使用私钥解密,并使用对称密钥加密测试数据传给客户端。
9) Fiddler使用前面获取的对称密钥解密报文。
10) 客户端验证数据无误以后HTTPS连接就建立完成,客户端开始向服务器发送使用对称密钥加密的业务数据
11) Fiddler使用前面获取的对称密钥解密客户端发送的数据并重新加密转发给客户端。

四、Fiddler配置流程

1. 下载安装

a) 可以到官网下载Fiddler免费安装包:https://www.telerik.com/fiddler。由于旧版本的Fiddler抓包HTPPS时需要用到FiddlerCertMaker插件,所以我这里打包了一个压缩包,包含fiddler和FiddlerCertMaker,可点击这里下载。

b) 点击Fiddler安装文件(我这里演示用的是Fiddler5.0版本)安装Fiddler。

2. Fiddler基本配置

如果只是需要监听本机浏览器HTTP数据包的话不需要做任何额外配置,打开Fiddler即可直接使用。一般我们需要监听远程终端设备的网络请求,需要做以下配置。打开Fiddler,在菜单栏中选择Tools->Options->Connections。输入监听端口(默认是8888),选择Allow remotecomputers to connect,点击确认然后重启Fiddler。

由于我们需要监手机端的网络请求,所以还需要对手机端进行设置。首先确保手机网络和安装Fiddler的电脑网络处于同一个wifi网络中。可以点击Fiddler主界面的右上角的“Online”按钮查看Fiddler所在主机的主机名和IP地址,配置手机网络时需要使用到这个IP地址。

打开手机网络设置,选择跟Fiddler主机在统一网络,打开wifi设置界面,进入wifi的高级设置(不同手机设置不一样,有一些手机长按选中的wifi名称可以出来,有一些手机是点击wifi名称后面的按钮,自己尝试)。Fiddler本身就是代理服务器,在wifi高级设置中的代理栏下面选择手动设置,设置输入Fiddler主机的IP地址(上一步显示的IP)和监听端口号(前面默认8888那个),点击确认。

这些配置按成以后,你在APP中打开有网络请求的操作,即可在Fiddler中看到。

在右边的Inspectors窗口中可以看到这个请求的请求报文和响应报文信息。

以上配置只能监听到HTTP报文,对于HTTPS报文无法显示内容,还需要做其他配置。

3. Fiddler抓包HTTPS

前面也讲了,HTTPS数据报文传输的时候涉及到证书及数据加密的问题,所以Fiddler需要抓取HTTPS报文的话还需要做其他配置。
首先还是打开Fiddler配置:Tools->Options->HTTPS:

勾选Capture HTTPS CONNECTS和Decrypt HTTPS traffic选项,如果只是想抓取本机或者远程终端的数据报文,可以在…from all processes这个下拉框中选择。这里还有一点需要注意的就是,低版本的Fiddler自签名的CA证书有一些问题,后面导入到手机上时无效,这里就需要安装上面说的FiddlerCertMaker插件。安装后要重启Fiddler,如果安装成功在上图Certificates generated by CertEnroo engine的位置的内容就会显示安装的FiddlerCertMaker插件信息。
设置完成以后点击OK,重启Fiddler。此时在手机端操作一些有https传输的app就会发现可以看到传输的内容,但是有局限性,只有设置了信任所有证书的APP中的HTTPS报文才能查看到,这类APP是非常不安全的。如果需要抓取大部分HTTPS报文怎么办呢?
大家都知道手机系统中集成了系统认为可信的CA根证书,如果服务器的证书是这些机构颁发了,HTTPS请求时系统才认为是安全的,否则SSL握手失败(前提是APP中使用系统默认证书信任机机制)。Fiddler自签名证书肯定不在系统信任的证书列表中,那怎么办呢?我们可以在手机中把Fiddler自签名的证书导入到信任证书列表中就可以解决这个问题了。
接下来打开手机中的浏览器,在地址栏输入Fiddler监听的IP:端口,比如:192.168.1.106:8888。

点击页面中的FiddlerRoot Certificate,下载并安装证书(如果下载了没有自动提示安装,可进入设置->系统安全->从存储设备安装中手动安装

输入证书名称,这里命名fiddler,点击确认。如果安装成功在系统安全->信任的凭据->用户中可以看到刚才安装的证书(如果证书名称是乱码,可能是Fiddler生成的证书有问题,需要安装FiddlerCertMaker插件,重新操作)。
我们在手机端打开有HTTPS链接的APP发现可以抓取HTTPS中的数据报文了。


这样就大功告成了,大家发现大部分HTTPS请求是可以抓取到的。大家有没有发现好像HTTPS传输也不是100%安全,怎么保证不被抓包呢,下次整理一篇文章总结一下怎么防止APP被抓包。

五、总结

以上哪里写的不对或者有待改进,欢迎大家提意见,谢谢!
转载请注明出处:http://www.luoxudong.com/?p=306

有544人对 “APP开发浅谈-Fiddler抓包详解”留言了

  1. I like the valuable information you provide in your articles.
    I will bookmark your weblog and check again here
    regularly. I am quite sure I will learn many new stuff right
    here! Good luck for the next!

  2. Hi, i think that i saw you visited my web site thus i came to “return the favor”.I am trying to find things to improve my
    website!I suppose its ok to use some of your
    ideas!!

  3. Do you have a spam issue on this site; I also am a blogger, and I
    was wondering your situation; many of us have developed some nice methods and we
    are looking to exchange strategies with other folks, be sure to shoot me an email
    if interested.

  4. It’s hard to find experienced people on this subject, but you sound like
    you know what you’re talking about! Thanks

  5. Hi there just wanted to give you a quick heads up and let you know a few of the images aren’t loading properly.
    I’m not sure why but I think its a linking issue.
    I’ve tried it in two different browsers and both show the same results.

  6. I every time used to study paragraph in news papers but now
    as I am a user of internet therefore from now I
    am using net for articles or reviews, thanks to web.

  7. Hi there would you mind stating which blog platform you’re using?

    I’m looking to start my own blog in the near future but I’m having a difficult time making a decision between BlogEngine/Wordpress/B2evolution and Drupal.
    The reason I ask is because your design seems different then most blogs and I’m looking for something completely unique.
    P.S My apologies for being off-topic but I had to ask!

  8. Aw, this was an exceptionally nice post. Finding the time and actual effort to produce a good article… but what can I say… I procrastinate a lot and never manage to get anything
    done.

  9. Thanks for one’s marvelous posting! I seriously enjoyed reading it, you’re a great author.
    I will make sure to bookmark your blog and will
    often come back from now on. I want to encourage yourself to continue your great work,
    have a nice weekend!

  10. Very good article, Its really great blog thank you for sharing important information, my blog also have beautiful information to keep you informed!

  11. Hello, i think that i saw you visited my web site so i came to
    “return the favor”.I am trying to find things to improve my site!I suppose its ok to use a few of your ideas!!

  12. It’s really a cool and useful piece of info.
    I am happy that you just shared this helpful information with us.

    Please keep us up to date like this. Thank you for sharing.

  13. I have to thank you for the efforts you have put in penning
    this blog. I am hoping to view the same high-grade blog posts from you later on as well.

    In fact, your creative writing abilities has motivated me to get my very own blog now
    😉

  14. I am not sure where you are getting your info, but good topic.
    I needs to spend some time learning more or understanding more.
    Thanks for wonderful information I was looking for this information for my
    mission.

  15. What’s up all, here every person is sharing these
    kinds of experience, therefore it’s good to read this web site, and I used to pay a quick visit this
    website daily.

  16. whoah this blog is wonderful i like studying your articles.
    Stay up the great work! You understand, lots of individuals are searching around for this information, you can aid them greatly.

  17. I’ve been surfing online more than three hours today, yet I never found any interesting article like yours.

    It’s pretty worth enough for me. Personally, if all website owners and
    bloggers made good content as you did, the internet will be much more useful than ever before.

    asmr 0mniartist

  18. Hey There. I found your blog using msn. This is a really
    well written article. I will make sure to bookmark it and return to
    read more of your useful information. Thanks for the post.

    I will certainly return.

  19. You are so interesting! I do not think I’ve read anything like
    that before. So great to discover someone with original thoughts on this subject matter.
    Seriously.. thanks for starting this up. This site is something that
    is needed on the internet, someone with a little originality!

  20. of course like your web-site however you need to check the spelling on quite a few
    of your posts. Many of them are rife with spelling problems and
    I find it very bothersome to tell the truth then again I
    will certainly come again again.

  21. Why visitors still use to read news papers when in this technological globe the whole thing
    is available on web?

  22. I think that is one of the most important
    information for me. And i am satisfied studying your article.
    However want to remark on some general issues, The web site style is ideal, the articles
    is in point of fact nice : D. Good process, cheers

  23. Aw, this was an incredibly good post. Spending some time and actual effort to produce
    a very good article… but what can I say… I put things off a whole lot
    and never seem to get anything done.

  24. Hi there! I just would like to give you a huge thumbs up for your great info you
    have here on this post. I’ll be coming back to your website for more soon.

  25. Hi to all, the contents existing at this website are in fact awesome for people experience,
    well, keep up the nice work fellows.

  26. We’re a group of volunteers and starting a brand new
    scheme in our community. Your site offered us with helpful information to work
    on. You have performed a formidable task and our whole neighborhood shall be thankful to you.

  27. Hi, Neat post. There’s an issue together with your site in internet explorer, may check this?

    IE nonetheless is the marketplace leader and a big component of other folks will omit
    your great writing due to this problem.

  28. Hey there! This is my first comment here so I just wanted to give a quick shout out and say I
    truly enjoy reading your posts. Can you recommend any other blogs/websites/forums that deal with
    the same subjects? Thank you so much!

  29. Hi there! I understand this is somewhat off-topic however I needed to ask.
    Does building a well-established website like yours require a lot of work?
    I am brand new to blogging however I do write in my diary on a daily basis.
    I’d like to start a blog so I will be able to share my personal experience and thoughts
    online. Please let me know if you have any kind of ideas or tips for new aspiring bloggers.
    Appreciate it!

发表评论

邮箱地址不会被公开。