Fiddler configuration and usage: from getting started to mobile practice

When you are writing an iOS/Android app, an interface returns 500, and you cannot tell which parameter is wrong? Want to map out the complete API call chain of a competing product for reverse analysis? When testing limited-time offers or payment logic, want to change the original price to 1 cent to simulate it?

Fiddler is the answer you want. It is the most mature HTTP/HTTPS packet capture and debugging tool on the Windows platform and has the best mobile support. It is no exaggeration to call it a toolbox for the "network middleman".


1. Core working principle

In one sentence: Fiddler is a proxy server that mediates communication between two parties.

After Fiddler starts, it quietly sets the system-wide proxy to 127.0.0.1:8888, so all HTTP/HTTPS traffic passes through it first and is then sent on to the real target server. The entire link becomes like this:

  1. Client (browser/App) throws the request to Fiddler instead of directly requesting the server.
  2. Fiddler receives the request, records it, and can even modify the request content before forwarding it if you allow it.
  3. The server cannot see the real client. It can only see the request sent by Fiddler on its behalf and return the response to Fiddler.
  4. Fiddler intercepts the response again, records and can modify it, and then returns it to the client.

As a result, all information exchanged between the client and the server is visible to Fiddler. Packet capture and analysis, breakpoint tampering, weak-network simulation: all of it can be done easily in this middle layer.


2. Fiddler basic configuration

2.1 HTTPS decryption configuration (without it, the install is wasted)

HTTPS is designed to prevent eavesdropping and tampering by a middleman, so by default Fiddler can only see the encrypted handshake tunnel records (the gray "Tunnel to xxx" entries) and has no idea what content is transmitted inside.

To see clear text data, you must make Fiddler a "trusted middleman", that is, install and trust its root certificate.

Operation steps:

  1. Open the Fiddler top menu: Tools > Options > HTTPS
  2. Check the three key options in sequence:
    • Capture HTTPS CONNECTs: capture the tunnel requests that establish encrypted connections
    • Decrypt HTTPS traffic: transparently decrypt the encrypted content inside the tunnel
    • Ignore server certificate errors (unsafe): ignore self-signed/expired certificates during development and debugging
  3. The first time you check Decrypt HTTPS traffic, the system pops up 2-3 trust dialog boxes in a row. Click "Yes" or "OK" on all of them; otherwise traffic from the computer or the phone cannot be decrypted later.

⚠️ If you accidentally click "No" on one of the pop-ups, go back, uncheck the option and check it again to re-trigger the certificate installation.

2.2 Remote packet capture connection configuration

In order for Fiddler to "control" your phone's traffic, you must allow it to accept connections from other devices on the network.

Operation steps:

  1. Open Tools > Options > Connections
  2. Confirm that Fiddler listens on port is set to 8888 (it can be customized, but the phone and code configurations that follow must match it)
  3. Make sure Allow remote computers to connect is checked
  4. Click OK in the lower right corner, then restart Fiddler; the settings only take effect after a restart.

After restarting, Fiddler will listen for requests from mobile phones and other devices.


3. Practical Guide to Packet Capture on Mobile Terminal

This is the most commonly used and valuable scenario for Fiddler. It is divided into three steps to avoid pitfalls throughout the process.

3.1 Preparation

First ensure two prerequisites:

  • The computer and mobile phone are connected to the same Wi-Fi (one cannot be wired and the other wireless, nor can it cross the router frequency band)
  • Fiddler on the computer has been restarted, and the remote connection configuration in the previous step has taken effect.

3.2 Manually set the proxy on the mobile phone

  1. Check the computer's IP: on Windows press Win + R, enter cmd, then type ipconfig and find the IPv4 Address under "Wireless LAN Adapter WLAN", for example 192.168.31.123

  2. Modify mobile phone Wi-Fi proxy

  • Long press the name of the currently connected Wi-Fi → Select "Modify Network" (some Android phones need to expand "Advanced Options" first)
  • Change proxy settings from "None" or "Automatic" to "Manual"
  • Proxy server host name: The IPv4 address of the computer just found
  • Proxy port: 8888
  • Click "Save"

As long as the proxy is filled in correctly, all Internet requests on the phone will be sent to Fiddler first.

3.3 Mobile certificate installation (the "last step" that is most likely to be missed)

If you only set up a proxy but do not install and trust Fiddler's certificate, all HTTPS requests will still appear as gray "Tunnel to xxx" entries, and the content of the request and response cannot be seen.

Android installation steps

  1. Open the browser that comes with your phone (do not use the latest version of Chrome, as it may block the download of the self-signed certificate) and visit http://[computer IP]:8888
  2. Click the blue FiddlerRoot certificate link at the bottom of the page to download the certificate
  3. Enter "Settings" on your phone → search for "Install Certificate" → select "CA Certificate" (some systems call it "Trusted Credentials" or "Install from Storage Device")
  4. Find the FiddlerRoot.cer you just downloaded, enter the lock screen password to verify, and then install it. Some models require restarting the phone for it to take effect.

iOS installation steps (one more step to manually trust)

iOS certificate installation has one more key operation than Android, and many people get stuck here:

  1. Visit http://[computer IP]:8888 with the Safari browser
  2. Click FiddlerRoot certificate; you will be prompted to download a configuration profile, click "Allow"
  3. Open "Settings" → "Profile Downloaded" will be displayed at the top → click Install, enter the lock screen password, and keep clicking "Install" → "Done"
  4. ⚠️ An extremely important step: go to "Settings" → "General" → "About" → scroll to "Certificate Trust Settings" at the bottom → find DO_NOT_TRUST_FiddlerRoot and turn on the switch on its right to enable trust.

After completing this step, HTTPS traffic on the iOS device will be properly decrypted.


4. FiddlerScript custom rules

In addition to capturing packets, Fiddler can also dynamically modify requests and responses through small scripts - this is the power of FiddlerScript. You can use Fiddler as a programmable middleman to implement Mock interfaces, automatically change prices, add request headers, redirect domain names, and other operations.

4.1 Script entry

Click the menu Tools > Fiddler Script to open the built-in CustomRules.js editor. All custom logic is written in this file, mainly using two functions:

  • OnBeforeRequest(oS: Session): triggered before the request is sent to the server
  • OnBeforeResponse(oS: Session): triggered before the response is returned to the client

4.2 Common code examples

static function OnBeforeRequest(oS: Session) {
    // Example 1: redirect the test-environment interface to the local development server
    if (oS.HostnameIs("api.test.com") && oS.uriContains("/v1/order")) {
        oS.hostname = "localhost";
        oS.port = 3000;
    }

    // Example 2: automatically attach test request headers to the login interface
    if (oS.uriContains("/user/login")) {
        oS.oRequest["X-Test-Env"] = "sandbox";
        oS.oRequest["User-Agent"] = "Test-Crawler-Bot-2026";
    }
}

static function OnBeforeResponse(oS: Session) {
    // Example 3: modify the price returned by the payment interface (simulate a 1-cent payment)
    if (oS.fullUrl.Contains("pay/submit") && oS.oResponse.MIMEType.Contains("json")) {
        oS.utilDecodeResponse(); // Must decode first, otherwise Gzip compression leaves the body garbled
        var oldBody = oS.GetResponseBodyAsString();
        var newBody = oldBody.replace('"totalPrice":99.90', '"totalPrice":0.01');
        oS.utilSetResponseBody(newBody);
    }
}

💡 After each change to CustomRules.js, press Ctrl + S to save; it takes effect immediately without restarting Fiddler.
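What the 1-cent test in Example 3 is really probing is whether the backend trusts an amount that passed through the client. The following is an added example, not code from the original article: a server-side check that recomputes the total from its own records and only compares the client's figure. The order data, function names and log structure are hypothetical.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample data: the server's own record of the order (2 x 49.95 = 99.90).
ORDERS = {"A1001": [("sku-1", Decimal("49.95"), 2)]}
TAMPER_LOG = []  # mismatches are kept here as a detection signal

def server_total(order_id):
    """Recompute the amount from server-side prices only."""
    return sum((price * qty for _, price, qty in ORDERS[order_id]), Decimal("0.00"))

def confirm_payment(order_id, client_total):
    """Decide what to charge; the client-supplied total is compared, never used."""
    if order_id not in ORDERS:
        return {"accepted": False, "charge": None, "reason": "unknown order"}
    expected = server_total(order_id)
    try:
        claimed = Decimal(str(client_total))
    except InvalidOperation:
        claimed = None  # malformed input is treated as a mismatch
    if claimed != expected:
        # A total that differs from the server's figure was altered in transit
        # or on the device (for example by a proxy rule like Example 3).
        TAMPER_LOG.append({"order": order_id,
                           "claimed": str(client_total),
                           "expected": str(expected)})
        return {"accepted": False, "charge": None, "reason": "amount mismatch"}
    return {"accepted": True, "charge": expected, "reason": "ok"}

if __name__ == "__main__":
    print(confirm_payment("A1001", "99.90"))  # untouched flow
    print(confirm_payment("A1001", "0.01"))   # the tampered total from Example 3
    print(TAMPER_LOG)
```

If the 1-cent test goes through against a real backend, the missing piece is a check like this one on the server, not anything on the client.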


5. Python integration and automated packet capture

Suppose you write a crawler in Python, or use Python for automated interface testing, but you are not sure whether the request headers, parameters and cookies it sends are correct. Just route the traffic Python sends through Fiddler, and all the details become clear at a glance.

5.1 Basic sample code

import requests
import urllib3

# Suppress InsecureRequestWarning (local debugging only; never use this in production)
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Point both the HTTP and HTTPS proxies at Fiddler
fiddler_proxies = {
    "http": "http://127.0.0.1:8888",
    "https": "http://127.0.0.1:8888",
}

try:
    response = requests.get(
        url="https://httpbin.org/get",
        proxies=fiddler_proxies,
        verify=False,
        headers={"X-From-Python": "True"}
    )
    print("状态码:", response.status_code)
    print("响应 JSON:", response.json())
except Exception as e:
    print(f"请求出错: {e}")

After running this script, a request from Python will immediately appear in the Fiddler session list. You can view the original request and response content in the Inspectors panel, which is very convenient for troubleshooting issues such as headers and parameters.
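The sample above turns certificate verification off with verify=False. As an added example (not from the original article), the same capture works with verification left on by trusting the root certificate exported from Fiddler instead. It uses only the standard library; the APP_ENV variable and function names are hypothetical, and the exported file is assumed to be DER or PEM.

```python
import os
import ssl
import urllib.request

FIDDLER_PROXY = "http://127.0.0.1:8888"  # Fiddler's listener from section 2.2

def load_root_as_pem(cert_bytes):
    """Return PEM text for a root certificate given as PEM or DER bytes."""
    if cert_bytes.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return cert_bytes.decode("ascii")
    return ssl.DER_cert_to_PEM_cert(cert_bytes)

def build_debug_opener(root_cert_path=None, proxy=FIDDLER_PROXY, env=None):
    """Build a urllib opener that goes through Fiddler with TLS checks enabled."""
    env = os.environ if env is None else env
    # Hypothetical guard: never send production traffic through a debugging proxy.
    if env.get("APP_ENV", "dev") == "production":
        raise RuntimeError("refusing to use a debugging proxy in production")
    # Default context keeps CERT_REQUIRED and hostname checking switched on.
    ctx = ssl.create_default_context()
    if root_cert_path:
        with open(root_cert_path, "rb") as fh:
            # Trust the exported Fiddler root in this process only,
            # in addition to the system trust store.
            ctx.load_verify_locations(cadata=load_root_as_pem(fh.read()))
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}),
        urllib.request.HTTPSHandler(context=ctx),
    )
    return opener, ctx

if __name__ == "__main__":
    # Path is an assumption: wherever the exported FiddlerRoot.cer was saved.
    opener, _ = build_debug_opener(root_cert_path="FiddlerRoot.cer")
    with opener.open("https://httpbin.org/get", timeout=10) as resp:
        print(resp.status)
```

With this setup a request only succeeds when the certificate presented was issued by the Fiddler root or a system-trusted CA, so a wrong proxy or an unexpected interceptor fails loudly instead of being silently accepted.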


6. Troubleshooting common problems

Symptom: After the phone is set to use the proxy, it cannot connect to the Internet at all
Possible causes and solutions:
  1. The computer firewall has not been turned off, or port 8888 has not been allowed through
  2. Allow remote computers to connect is unchecked
  3. The computer and the phone are not on the same Wi-Fi (be careful not to connect to the guest network)

Symptom: HTTPS traffic shows only gray "Tunnel to" entries
Possible causes and solutions:
  1. The certificate is not installed on the phone, or root certificate trust is not enabled on iOS
  2. The Fiddler certificate has expired: go to Tools > Options > HTTPS > Actions > Reset All Certificates, then reinstall after the reset

Symptom: An app reports "Network exception" or "Connection failed"
Possible causes and solutions:
  The app has SSL pinning (certificate pinning) enabled and only trusts its official, specific certificate
  Solution: on Android this can be combined with the Xposed + JustTrustMe module; the common solution for iOS/Android is to use a Frida script to bypass verification

Symptom: The computer's browser reports "Your connection is not private"
Possible causes and solutions:
  The Fiddler root certificate is not installed in Trusted Root Certification Authorities
  Go to Tools > Options > HTTPS > Actions → click Export Root Certificate to Desktop, and then manually import the certificate into "Trusted Root Certification Authorities"

7. Summary and practice path

Fiddler is far more than a "packet viewing tool"; it is more like a programmable data relay station and debugging assistant. If you are a mobile developer, reverse analyst or crawler engineer, it is recommended to master it step by step along the following route:

  1. Step 1: Configure the certificate, enable HTTPS packet capture, and ensure that you can see the clear text request and response.
  2. Step 2: Use the Composer module to quickly replay or modify a request and verify the interface behavior in real time.
  3. Step 3: Use the Filters tab to filter irrelevant traffic (such as advertisements, system updates) and only focus on the data packets of the target App.
  4. Step 4: Go deep into FiddlerScript to automate mock data and tampering rules and maximize work efficiency.

After opening Filters, in addition to filtering by Host, you can narrow the scope further by combining dimensions such as Process and Request Headers. The colored markers (red = error, blue = modified) in the session list on the left are also worth paying attention to. With these visual cues, the speed of locating the problem will be doubled.