Login to start a new topic
Answered

Fiddler Everywhere 1.6.0 not capturing traffic

I have Fiddler 1.6.0 on MacOS Big Sur 11.2.3. Fiddler will launch, however, I see zero traffic being captured and traffic to the internet is blocked/times out waiting on the proxy to respond.  


I went into the system Network settings, and indeed the system proxy is setup for localhost and the Fiddler port. However, browsers such as Edge just timeout when accessing the web. 


I do NOT have any VPNs active. If I clear the system proxy settings at the MacOS level, then internet traffic resumes.


I did successfully use an older version of FE late last year and it worked fine on Catalina. 


Best Answer

Thanks for the update! I just confirmed it was Sophos.


For anyone who can't uninstall Sophos, apparently it is possible to run it with a proxy tool but you'd need to do some configuring. We couldn't get it to work, but maybe you'll have better luck. These are for Charles Proxy but the info is probably relevant for FE as well:

https://www.sophos.com/en-us/threat-center/threat-analyses/controlled-applications/Charles.aspx

https://community.sophos.com/intercept-x-endpoint/f/discussions/127498/sophos-blocking-charles-proxy



Hey,

That is definitely strange. It seems like there's a problem with the proxy configuration, which could be caused by various reasons (for example leaked process or incorrect setup of the proxy settings in the network adapter). In order to try to determine which one causes it, can you please try the steps below and share the results:

  1. Start Fiddler Everywhere and ensure Capturing is turned on.
  2. Ensure the proxy configuration is set in the network settings of the currently used network adapter. The configuration itself should be something similar to the one in the attached image - macOS_Big_Sur_Network_Adapter_Proxy_Config.png
  3. Open the Composer in Fiddler Everywhere and enter https://example.com for URL. Click on the EXECUTE button and verify you have received a successful response in the bottom part of the composer. It should look similar to the attached image - Composer_Example.com_Request.png
  4. Now get back to the Live Traffic tab and check if you have the currently executed request there, you should find a line similar to the attached image - Live_Traffic_Composer_Request_Captured.png Can you confirm you see it?

After checking this, can you try the following steps:
  1. Again ensure Fiddler Everywhere is running.
  2. Open Terminal and use the following command to execute a request that should go through the proxy:  curl -v -k --request GET --url https://example.com/ --proxy 127.0.0.1:8866 
  3. After the command finishes, check the Live Traffic in Fiddler Everywhere, you should see something like in the attached image - Live_Traffic_Curl_Captured.png
  4. Can you confirm you see the traffic there?

As a final step of the testing, can you please follow the steps below:
  1. Again ensure Fiddler Everywhere is running.
  2. Open the Settings from the top-right corner and navigate to the Connections page there. 
  3. In the Fiddler listens on port section, can you try switching the port to another value, for example 8868.
  4. Use the Save button at the bottom. 
  5. After the dialog is closed, can you please check the network configuration of the currently active adapter in your OS settings - ensure the port in the proxy settings is changed to the one you've just set in Fiddler Everywhere.
  6. Now check the Live Traffic - do you see any requests there?

If in any of the steps you see different results from the one shown in the attached images, can you please send us information about the difference. Also, can you send us the application logs - from Fiddler Everywhere use the top-level menu Help -> Open Application Logs Folder, get all files and send them to us for investigation.

Hope this helps!

Regards,
Rosen Vladimirov

Step 3 in the first section simply hangs. I don't get a response, but I do see a single line in the capture tab (but no data). If I untick the proxy settings at the MacOS level, then the composer query will return data.  The curl command just hangs when I try to run it with system proxy settings turned on. 


I then changed the proxy port in FE to 8686. For a split second I got 161 entries in the Capture window, but all are stuck at CONNECT. I should also mention upon startup of FE, that I see a spinning circle outline for the longest time. This is far different behavior from the late 2020 FE, where it just worked out of the box on Catalina.


In the netcore.log I see a TON of:  


Stream Error: Server timeout elapsed without receiving a message from the server.. Keep the stream in the active ones as it could be


Stream Error: Invocation canceled due to the underlying connection being closed.. Keep the stream in the active ones as it could be reconnected in the connection state handlers.




Hey,

Thank you for the provided additional information. Based on it, I think there might be a leaked process from old Fiddler Everywhere instance. Can you try the steps:
1. Stop Fiddler Everywhere.
2. Open Terminal and execute the command: ps -ef | grep Fiddler.WebUi | grep -v grep 
3. If you see any result, it means there's a process running, while it shouldn't be and you should kill it (you can do this by executing kill -9 <pid>, where <pid> is the value of this second column in the returned result). If there are no results, all the processes are already finished their work and there are no leaked ones.

Regarding the multiple CONNECTs, can you please open the Settings in your Fiddler Everywhere applicaiton and ensure the Capture HTTPs traffic checkbox is checked. You may try using the Reset root certificate button in the Advanced section to ensure the root certificate is correctly trusted. Without this, you will not be able to see HTTPS traffic in the app.

Can you please check those and see if they help?

Regards,
Rosen Vladimirov

Things are getting worse. I did do the ps command, and yes there was a straggler process running which I killed. Now, when I launch FE it's stuck on "Please wait" with the green paper airplane. After a long time (20-30 minutes) it says I can't login due to a backend error. I de-installed FE and tried again, and the same login issue keeps happening.

Hey,
This is definitely not expected. Can you try opening the following URL in your browser: https://api.getfiddler.com/index.html
As a result you should see something similar to the attached image.  If you do not see the same thing, it probably means you do not have access to this URL.
Additionally, can you send us all the application logs (all electron.log and netcore.log files)?

Looking forward to hearing from you.

Regards,
Rosen Vladimirov

 Hi, I am having nearly the exact same issue as the original poster. The only difference is I installed Fiddler Everywhere for the first time after upgrading to Big Sur, and did not have it installed on Catalina. I also don't seem to be having any login issues. I have run through the steps in the first set of question and get the same results as the OP. For the follow-up questions, there are no Fiddler processes running after FE shutdown, the Capture HTTPS traffic option is checked and the Root Certificate is trusted.

Some other things to note:

  • I am seeing the same issue with other proxy tools such as Charles
  • I have two colleagues with the same setup and the same issue
  • Issue happens with or without being connected to my company's vpn
  • Have this third party app running: Sophos


Log files attached.

log
(160 KB)
log
(142 KB)

After updating to BS 11.3.1, Sophos went to hell and basically made my system unusable. So I de-installed Sophos, and now I'm using Clamxav. I JUST launched Fiddler Anywhere (first time post-Sophos) and it's running just fine. So Sophos MIGHT be the root cause here.


1 person likes this
Answer

Thanks for the update! I just confirmed it was Sophos.


For anyone who can't uninstall Sophos, apparently it is possible to run it with a proxy tool but you'd need to do some configuring. We couldn't get it to work, but maybe you'll have better luck. These are for Charles Proxy but the info is probably relevant for FE as well:

https://www.sophos.com/en-us/threat-center/threat-analyses/controlled-applications/Charles.aspx

https://community.sophos.com/intercept-x-endpoint/f/discussions/127498/sophos-blocking-charles-proxy


Login to start a new topic