Hey guess what it's dot net
Rocks. This is Carl Franklin and this is Richard Campbell. We're here again for your listening pleasure, and this be episode eighteen hundred and forty. Well, there you go. Who knew? Yeah, who knew? Indeed, wait till you see the way back machine. I'm tapping for the comment on this show. Oh boy, wow, all right, I can't wait. But first, I have something for you, okay, with Better Know a Framework. Awesome. All right, buddy, what do you got? Well, our old buddy
Simon Cropp is at it again. He's wicked smart, is just ridiculous smart. And you know, I think it's the water in Australia that or maybe it's water in America. I don't know. Anyway. He wrote this great, um, source-only repo called Polyfill. Wait, we used to do polyfills for web. Yeah, this is Polyfill for .NET. It exposes newer .NET and C# features to older runtimes. What older runtimes? So .NET Standard 2, designed to support .NET 4.6.1
all the way to .NET 8, right? Dot might interesting? And if you yeah, if you go there, you'll see a detailed list of all of the polyfills that he's implemented. How cool is that? That's really clever. Yeah, that's an interesting idea. Yeah, I really like that feature of C# 8, but I don't have C# 8. Yeah, I can't use eight for whatever reason, so I'll do it as a polyfill. Like, this is something that Microsoft is not going to build, right? They're
going to tell you just use .NET 8. Excellent. So that's it. Know it, learn it, love it. And Simon's just, again, a really, really smart guy, so brilliant. Yeah, that's very clever. I expect it to be just as great as everything else that he's done. Who's talking to us today, Richard? You know we are doing a show about Fiddler today. Yeah. And the last I went and looked on like,
when's the last time we talked about Fiddler as like a show? And we did one with Eric Lawrence like episode eight oh nine, like a thousand
shows ago. Yeah, it's a little too old, but we referenced Fiddler on a regular basis and this led to a great little comment chain where on episode ten seventy two, we were talking to Shay Friedman about Chrome developer tools and Fiddler came up in that conversation and that led to a show we did with Brad Abrams about the Google Cloud back in twenty fifteen, show ten eighty three. Totally crap, right, Brad Abrams. Brad Abrams, who I
think is back at Microsoft again? Really like, oh, I'm pretty sure. Yeah, yeah, he escaped to Google after the Silverlight thing when it's up, and then he came back. Yeah, it's coming back around. You know, what comes around goes around kind of thing. But years
later I always liked him. But what I what I appreciate the fact that we're talking about Fiddler is this comment from Dave's Russell, which admittedly is from eight years ago, eight hundred episodes ago, and where Dave says, you know, Fiddler is required for any non-browser endpoints you want to debug and anything that requires a POST, PUT or DELETE. And it can act as a reverse proxy and can act as a proxy for a bit of devices.
And actually Fiddler is not going anywhere anytime soon. It's a fantastic tool. And saying you don't need is like saying you don't need the rest of the Internet because Amazon sells everything. Ridiculous. Yeah, he says that anyway, Well, and it's just a for me, it's a great moment to realize, is like Hey, this has been an amazing tool for forever and we don't talk about it often enough, so I'm excited to talk about it again. Yeah me too, So Dave, thank you so much for your comment,
and a copy of Music to Code By is on its way to you. If you'd like a copy of Music to Code By, write a comment on the website dotnetrocks.com or on Facebook. We publish every show there, and if you comment there and I read it on the show, we'll send you a copy of Music to Code By. And you could certainly follow us on Twitter, but we'd prefer you follow us on Mastodon because there's more cool stuff happening there. I'm at Carl Franklin at techhub.social, and I'm Rich Campbell at mastodon
dot social, and send us a toot, and definitely sign up. It's good stuff. We're here with Sam Basu and Rosen Vladimirov. Let me introduce them. Sam, of course, has been on the show many times. He's a technologist, author, speaker, Microsoft MVP, gadget lover, and developer advocate
for Telerik. With a long developer background, he now spends much of his time advocating modern web, mobile, cloud development platforms on Microsoft/Telerik stacks. His spare times call for travel, fast cars, cricket. Cricket, somebody actually plays that game. And culinary adventures with the family. You can find him on the internets. Rosen Vladimirov is a senior software engineering manager at Progress Software Corporation. Like how I pronounced that free Richard Progress? Yeah, very nice,
Just my inner Canadian came out. Throughout his career, he has been in different roles and worked with various technologies including WPF, Silverlight, .NET, Node.js, TypeScript, Angular, and Electron. Currently, he leads the engineering team responsible for all Fiddler products. He loves helping others and that's why he's so involved in building developer tools such as Fiddler Everywhere with a goal of making everyday tasks easier. Welcome guys, Yeah, thank you,
gentlemen. Thanks for having us over here. I thought I was old and I met you people. Yeah, Sam, how many shows have you done with us? So probably a lot. We could probably figure it out number four, yea few, but you know, congratulations from eighteen hundred plus episodes. You know, after after seventeen hundred you just stopped counting. Yeah, it's it's all the same, really, and welcome Rosen. This is your first time with us. Hey guys, Yeah, thanks for having me
here. You're certainly welcome, and thanks for Fiddler. What's new in the Fiddler world? I guess, you know, we should start with that comment there. It's easy to dismiss Fiddler because we have such great tools in the browser. But the browser tools don't go far enough for every situation, do they? No, they don't. Um, so let's kind of dive in, and I'm the fluff, Rosen is the stuff. But I'll try my best to set this stage. So, you know, like the comment
said, it's been a long journey. This kind of started back with you know, Eric, way back with his Microsoft days, and it's you know, it's been a tool that so many developers over you know, the last you know, decade or two have kind of grown up with. You know, you use this every day as a part of your you know, dev tool set, and at its very essence, it's a network debugging tool.
It's a proxy, so it lets you capture all types of network and here, you know, it comes in some of the differentiators where your browser dev tools are you know, pretty darn good these days, but they only go so far. We're talking about every type of app. You know, I do a lot of you know, cross-platform mobile and you know desktop stuff. So the moment you step outside the web, the dev tools don't, you know, work as well. And also we are talking about lots of other
things that you need. You should you know, never be in doubt as a developer as to what's going on in your network and how you function together as a team, your your collaborations, and also doing things like you know, proxying things where you don't always want to go to the network, having a strong rules engine so you can you know, fake things on and off, having ways to save sessions and share them with your team, and you
know, understanding how your users are actually using your apps so that when they have issues and when they come to your, you know, QA and support people, you're not wasting cycles understanding what's going on. I get the packet sniffer kind of idea, but does it go so far as to being a protocol analyzer? Like can I put it between me and a USB device and say,
hey, can you log all the traffic going between these two things? No, in the current situation, it's more of a network debugging helper tool that you can use to capture all of your network traffic, as Sam mentioned. For many years, Fiddler was famous, like, as a web debugging tool, but now we are trying to help our users to understand that it's not
only the web here. There are many types of network requests that you can handle and capture with Fiddler, and to help you find out what the issue with them is, or even simulate different errors and see how our applications will be safe when you're with yeah, okay, get it. Yeah, Just trying to establish the boundaries of expectation here in terms of what it's able to. So you
know, we're talking to developers. It's a developer debugging tool, and that's its realm, that's its milieu. And is it still a browser-based tool or are there standalone applications? Yes, there are. So actually, before we jump into tools and features, I think it's important to talk about what, you know, Rosen and the team have done with Fiddler in the last, you know, several years. Please. It's not just one tool anymore.
It's become like a product family. It's a portfolio of multiple things that work together to help out developers. So at its very, you know, basic core, Fiddler used to be a, you know, Windows app, and that's still there. It's what we call Fiddler Classic, and you know, it's feature rich. A lot of, you know, people use it, you know, every day in their dev, you know, cycles, and nothing wrong with
that. We're not moving the cheese, but we also have to reinvent Fiddler for how modern developers work, and we want that freedom to be, you know, building any type of app on any platform. So you know, Fiddler Everywhere is our, you know, most up to date Fiddler tool, and it is cross-platform. So now you can use Fiddler on Windows, Mac
and Linux. And this was something of a request for like a decade for us, make it work on Mac and Linux, but now you can, and it's, you know, a native tool that works everywhere and functions exactly the same consistently UI/UX-wise. But that's just, you know, the capturing part of it. But we also have Fiddler in a few, you know, different modes. When it comes to, you know, understanding how your users are seeing errors in their apps when they're using it, we have, you know, two little things.
One is called Fiddler Jam, which is essentially a Chromium-based browser extension. And this isn't something you want your non-technical people to just, you know, go to the extension store on both, you know, Chrome or Edge and be able to just quickly install an extension and run your app, capture what's going on in your app and share it back with the QA folks when giving us a ticket, and it can do, you know, other things like capturing a video, all
of the necessary logs. And that's for browser based tools. If you have a Windows based app, then we have something called Fiddler Cap which is the same idea. It's a very lightweight, you know, little app that you install that captures local traffic. Again mostly for you know, non technical people. And then we also have Fiddler Core, which is essentially the engine that drives all of Fiddler's functionality that has been separated from the UI part of it.
So you can actually have Fiddler Core as a .NET embeddable library, so you can light up your dashboards or, you know, things that you want to embed in your own apps. So that's the whole Fiddler family of five different things now. And these are all, I mean, for Fiddler Core on app, this is all HTTP/HTTPS traffic and analyzing? Yes, and this is where can Rosen and team have been, you know, very active. You know a lot of new things have happened. The web isn't the same as
it was twenty years back. HTTP/1 is where we started. Now you're on HTTP/2 and we are even looking forward. So yes, HTTP and HTTPS, making sure we can capture both unencrypted and encrypted traffic, and also getting down to a slightly lower level. I don't want to spill Rosen's bills, but you know, things like web sockets, things like gRPC, things we think about a lot. Okay, because those things aren't transported over HTTPS. No, so we can step one level down and you know,
take a look at what apps are doing under the covers. gRPC web is of course, but gRPC I think it requires HTTP/2. Is that right? I think so, yes, it's suggested that you use HTTP/2 and because like that's where that's how you can you get those parallel request and responses. It's a truly bidirectional, you know, stream of information between the server and the client. And you know, we can capture it all. Yeah,
that's great. Yeah, when I think back to the original Eric Lawrence version of Fiddler, it was really a wrapper over WinINet, if I remember correctly. Wow, that's taken me back. It just was able to look at the traffic back and forth and there. So if you're getting off, I can imagine people say that would like it to be other than Windows. It's like, you mean, totally rewrite it because it was it
was a wrapper over WinINet. Yeah, yeah, very true, defensive lot the case, and it was it felt only its different that makes it more difficult because yeah, as you've mentioned, you need to rewrite the whole object to support it on different operating systems. But in addition, when we decided to go on with HTTP/2 support, we had to write a lot of other things because HTTP/2 is a lot more different.
So even now it is still in beta. We are waiting for feedback and gathering feedback from our users, and now after we have it, we'll soon move the feature out of beta support. But it was important for us to ensure that we have not process something that was working for the users, because the essence is that you need to capture traffic and easily understand what's going wrong. But still, as Sam mentioned, the network has changed for a lot
of different aspects. For example, TLS 1.3 is something that we are currently working on and it will soon be out as a feature in Fiddler Everywhere. You know that it is out there for maybe five or six years, but still many, many servers do not support it, maybe due to the security, the fact that it has only five ciphers that are
supported in it, so many applications still struggle to have been supported. But in terms of security, it is much more secure and people actually want to use it. So at that point we wanted to help our users to be able to test which are the servers which support it, how to use them, helping inform even their security team that there is stuff being broken there. So we've been working the last couple of weeks on this feature, and so we'll have it. Fantastic. As an end user,
some of the things that we, you know, have thought through in the last few years is your experience. If you are kind of new to Fiddler and you're kind of getting started, right, so to Fiddler Everywhere you have, you know, one installer that, you know, recognizes your OS, and you install it for Mac, Windows or, you know, Linux, and then it can be a little overwhelming because Fiddler is essentially a network proxy, so everything on your
machine goes through that. So when you open it up for the first time, it starts capturing just about everything. It's just a lot of streaming data. So we think about you know, experiences like filters, so you can you know, turn things on and off as you go. Maybe you don't want, you know, it's a kind of a little embarrassing because you see, you know, Apple and Google and Microsoft, everybody calling home with all
of their services, so you can turn those things off. You can just say, show me network for just this app and nothing else, show me only local host and nothing else, show me only 404s and nothing else. So filtering and you know, giving you all the knobs and buttons when you do your traffic capturing. That's important for us. You know, little things like you know, dark mode and light mode support, so that we're not you know, uh, forcing people to work in a certain way.
That's important and we kind of want to keep you there once you're there, you don't need to you know, open up anything else. You know. API composition is important for you know, anytime you are going from your you know client apps to another you know service. So I'll let you you know, have a nimble API composer that lets you you know, do things with authentication with you know, service packets going in and out and you know,
just fine tuning it. Maybe you're working in a team. Maybe you have a you know, middleware team, and you have a client services team, you have a database team, all of them, can you know talk through those APIs and you know, get a nice team collaboration going. Now, is, Sam, Fiddler an open source product? It isn't open source, it's closed source, but we are working well with different people who are helping cussing them.
When you want to have a feature that is, uh, let's say HTTP/2 or gRPC, we're trying to find people who are actually using those protocols, those versions and try to work with them on the specification of the feature,
on the requirements, and then on testing this feature. We are always trying to to quote in the application only feature that we have designed and tested with its external users because yeah, as I've mentioned already, the important part is to help the people and to ensure that we solve various cases or something that we think we will solve. Okay, so so it's now our Is it only a retail product there? Yeah, it is commercial, so okay,
we do a lot of open source work. The reality is, you know, Rosen and we have to feed our kids, and sure, engineering is expensive. So Fiddler Classic, it's in the state the way it is, you know, always free for Windows, but Fiddler Everywhere has been, you know, three or four years. It's tough engineering, so it's behind a little subscription model, which is, you know, the cost of a cup of coffee for a month.
Sure, all right, Yeah, so there is still the original free product, admittedly with a whole lot of updates, you know, still being maintained. The WinINet product is out there. But if you want the Everywhere product, that one's retail. Yeah, absolutely, yeah, because I mean it has extra things that are you know, starting to not quite be everywhere, right because like all of the you know, latest innovations have
been on Fiddler Everywhere. You know, how you build rules and how you work with teams and that type of stuff is particularly you know, very heavy on Fiddler Everywhere. Yeah, for sure. Yeah, Well it's good that it's good that you have that, and I think that's that's a fair thing. You have a free product and if you need more, you pay for more. Yeah, that's fine. When did work start on Everywhere, Rosen?
I think it was back in the two thousand and nineteen, but the first official version came out in twenty twenty in the COVID time, so that's when it was born, and it was released in July twenty twenty, but the actual working ideas for having a cross-platform tool started earlier. One of the important things that we wanted to do is to ensure that we have modern technologies.
So you know that Fiddler Classic is using WinForms. It is really hard to write the whole thing, and too if you need to change something, there's a lot of logic in many different places. I've written other WinForms applications. I like the technology, but still it doesn't give you the flexibility of
the modern technologies. So once we decided that we need to write a new tool, it was more of a decision of list and we decided to use Electron, Angular and .NET for this, so it's actually an Electron-based application.
Uh, in the Angular part we are building just a thin layer of UI, and the full work is again in the .NET part of the application, but still in the Angular part, we manage to use our Telerik controls, or Kendo in this case, and we manage to handle a lot of data inside that UI. You know, Sam already mentioned that when you start Fiddler you notice how everyone is doing a lot of requests. For example, we have a feature that allows you to start a new instrumented
browser. We call it instrumented, but it's actually a clean instance of a Chromium browser, and once you start it, we capture everything from it. It's automatically, um, targeting the Fiddler proxy. So what you will notice if you do it is that even from the moment when the browser starts to the first request that you want to execute, for example, Google for soffic or whatever you do, you see at least three hundred requests for tracking, for
analytics for whatever it is. Wow, So it's either visible there well, and it gets back to the classic problem of all of these kinds of logging tools, which is like you are facing a fire hose, just a huge amount of data and somewhere in there is the one little bit of information you wanted that's exactly right because you know it's it's a lot, and that's where the filtering really comes in handy. And you know, to Rosen's point,
you have to understand how Fiddler is working. It is a low level network proxy, so everything on your machine goes through that and there is no escaping. Every, you know, every time Visual Studio calls home, everything is logged. So you really need to, you know, get down to exactly what you want to see. And this may not be an option if you are on a machine that is really heavily locked down, because you do need to be
an admin on your machine, because it's not just the tool. We would ask you to trust some certificates so we can, you know, crack open some, you know, encryption with HTTPS. So maybe you're on a machine that IT has, you know, really locked down, but you still want to be able to see your app and debug network. So that's where that in-built browser comes in. So that is already preconfigured. You don't need to ask for an admin's permission
anything on that app. Fiddler will automatically capture even if you do not let it have all the permissions. I'm kind of blown away by the idea that you can build an Angular Electron app that can get that low level. Yeah, so Rosen kind of said it out loud, but I was going to present this as maybe a trivia because you know, when you talk about a truly cross-platform app nowadays, there aren't, you know, too many options out there on the table, and you know, Electron and we talk about .NET
MAUI and all of those things. But you know, this is battle tested, and this has been out there for you know, ten plus years. How Electron has worked. If you know what you're doing and if you can manage your footprint, this truly works. I mean, so many of our apps every day that we use are Electron apps and within that the front
end being Angular. This is, you know, kudos to the team because we get asked a lot, like when you look at our Telerik UI for all of the .NET things, Kendo UI for all of the JavaScript things. We care about performance because we care about how developers, you know, work with our tools. Nothing says like dogfooding more than Fiddler because what you see in Fiddler user interface, it's Kendo UI grids and you know,
list views and talk about performance. This is like hundreds and thousands of things just streamed into a single app nonstop. So yeah, we're proud of how we have been able to utilize our own UI in building something. Can you talk a little bit about the rule builder? This is an intriguing feature for me. Right. So rule builder essentially is for you to fine tune what type of traffic you want to capture and then what rules apply to certain types
of traffic. So if me and Rosen are working together and I am building the back end for an app, then when his client side app wants to call in, maybe he doesn't want to go to the internet, maybe just wants to come and hit my box, my machine. So that's one instance. Or maybe you want to test out an app. And again this is where we have worked a lot with people who have been using Fiddler Classic for a long time. We don't want to break their workflows. People use Fiddler
for performance tuning a lot. Right, So you are building an app and people are using your app in a variety of settings. If it's a pa. Maybe you are going from you know, five G, four G all the way down to you know, almost no connectivity when you walk into a plane. So how does your app experience look like? What if your JavaScript, apps or you know resources cannot be delivered? What if your CSS
or images are bloated and they're not working right? These are all things well health wise, you might be in a very good spot, I guess, but fine tuning those things like what if your videos stop working? What if your you know, images are missing? What if your JavaScript doesn't get delivered on time? Those are all things that rule builder is very very good with. It lets you, you know, control exactly what the experience is.
When somebody makes a request and you essentially get to be the middle person between that request and what comes back to a client who's making that request. You get to fake it, you get to, you know, slow it down, you get to not deliver things. So truly, you know, fine tune the experience. But Rosen, what did I miss? Oh, I think you've mentioned only the half of the powerful features. There wasn't there? You go? Even I cannot give exactly the amount of items that you can
do with this feature because it's really powerful. It allows you to match the request based on the request or the response header, for example, it allows you to match even by the certificate validity. And then do something with this traffic, even mark it. You can modify it, you can replace it, or you can just return some errors or even do nothing, just mark it, so it will be easier for you to spot it in the grid. I'm reminded of that Boston song. More than a
filter, isn't that energeez? I see my merry network traffic come in my way now, And I guess that's your point that filtering is easy. I only want to see that stuff. But now what do you do with it? You can change it, you can modify it. That's the beauty of that rules engine. In't that that's right? And also, you know how I use Fiddler might be different from how you use Fiddler, right, Right,
all depends on the type of app that you're building. You know, all of the web folks are cool, but I'm an old school guy. I am start doing my desktop as nowadays I'm doing a lot of you know, cross-platform mobile and the moment you go to iOS or Android, things fall apart very quickly because you want to be able to see those API calls and the traffic going to the devices, but you can't very easily. So this is where I have it used and set up is I will have
you know, Fiddler be my one network proxy. I know my IP address of my machine, and Fiddler essentially opens up one port and so I can make all of my iOS or Android devices instead of you know, I can be on the same WiFi as you know, my home computer, but I can make all of that go through my IP and that that's the way I have it set up. So I'm building an iOS app, I want that specific rule to come into play when I'm hitting Rosen's endpoint and I just want to
see all of the traffic going in and out of my mobile devices. That's really cool. And that's stuff that you can't do without a proxy or I mean, you can't just like write a WPF app that listens to a port with HTTP, you know, the little server, and you expect to hit that from a mobile device connected to your Wi Fi. It just doesn't work.
Yeah. Also, that's where the rules coming can because for example, if you're building a mobile application and then it hits some endpoint, if you want to test what happens when the endpoint is down, when it returns 404 or three or whatever. Instead of rebuilding the whole application or the server, you can just use Fiddler, return there's ball that you want and see how that because without modifying your applications, neither the
mobile app, neither the server. So I don't actually have to stop the server anymore. I can just spoof the 404. Yeah, this is not fun. You guys are taking away my fun is kind of an extremely It's it's more like, how about I slow you down? Yeah, and then then see how you're up to the old .NET Rocks trope knock knock, who's there? Java? And with that, we're going to take a brief break for this very important message. There's always something new from our
sponsor, Text Control. As a developer, do you need to integrate PDF generation, document editing, or electronic signatures into your ASP.NET Core or Angular applications? Or you want to learn more about the differences between electronic and digital signatures. Text Control is offering a free consulting service to educate you about digital document processing and how Text Control products can help you add these features to your applications.
Go to textcontrol.com/contact and request your free personal consultation. And we're back. It's .NET Rocks. I'm Richard Campbell. That's Carl Franklin, Yo yo yo, talking to our friends Sam and Rosen a bit about the new Fiddler, the Fiddler Everywhere, and immediately getting all these ideas of horrible things I could do to people with this tool. This tool is the ultimate man in the middle attack tool. Dude, do you
have your evil on? Is your evil showing? I mean, think about the trouble you could talk with two well, I mean any proxy you can get in trouble with, right, Yeah, cities as suities. You are literally in the middle. Yeah, you get to do all kinds of nutty things. So if I'm on a developer team, I should probably ask my IT people if I can actually use this, shouldn't I? As long as you're an admin, you should be good. But you know life Ward said,
with great power comes responsibility. It says a lot of yes, fiddler on your hands, it's your foot, your network, right, Yeah, you could mess some stuff up here without it, thought, yeah, right, but only for the traffic in and out of your machine. You don't really go further afield than that. Yeah right, But the practical gems installing it out of friends machine are endless hours of fun, hours of fun.
Yeah. Well, and maybe even you don't even need the full Fiddler to be installed if you're just trying to message, you're trying to the Jam and the Cap comes in. Yeah. So I was thinking with Fiddler Core, it's like I could be dynamically putting ads on every page that talks specifically about you, you know, you know. On my other show Security This Week, we have a little theme song. It goes like this: criminal career advice.
Nice. Yeah, all right, anyway, where were we? Let's talk about some more features of Fiddler that we might not be talking about, like the API composer. What's the API composer? So think about you hitting any type of API. Could be you know, just a back end service that you know, somebody else on your team is building or another team,
or could be you know, an API halfway across the world. You want to you know, you a moddel with things as you're hitting that API, you want to see what are the parameters that I can send in what comes back? Is it JSON? Is it something else? How can I format things? How can I be the man in the middle and you know totally you know, tweak everything that's going in and out. So that's what the API Composer, or is maybe something set behind an auth wall and you get
to you know, fake things if you want it to be. So it is, you know, just an API composer that you expect from a full featured app like you know Fiddler, right, So it's not so much the API composers, the API call composer. Maybe it's the client that hits the
API. Yeah, sure, And it can be both ways. Like if if your client application is hitting an API, then off all of that will be captured as you know, network sessions and by the way, I can save my sessions and then Rosen can you pull up my same sessions, my
sessions on his Fiddlers. So that's nice. But if I am building an API, or if I'm you know, reaching out to an API that I do not have any control over, this gives me the visibility to understand how that API endpoint is working, you know, especially when it comes to CRUD operations, create, read, update and delete, I need to know exactly what I need to send in and what comes back. So it gives me a
visibility and you know, sometimes it also not quite API composition. But some of the newer things that we have done that Rosen and team have done really helped me out as a modern developer because I do WebSockets. You know, I do a lot of SignalR these days, you know, especially with lem Blazor server side with you know, dot net, Mary h. You know, I do a lot of real time apps. And now I can you know, step into a WebSockets connection and it'll show up
as a different connection. It's not you know, multiple HTTP requests going back and forth. It's one connection and then you can dive into and see what the server and the client are talking about um and it's it could be JSON, could be you know, protobuf. But that's something we're excited about. And as we are speaking today, Rosen tells me that we are actually very close to putting out a build and a release that has gRPC support. Is that right, Rosen? Yes, I'm exactly a sugumationed So in the
next two days, hopefully we'll have it out. And what will happen is that Fiddler will allow you, when HTTP/2 is enabled, to capture gRPC traffic. For this version, it will be in beta state, so we will not be able to decode the traffic. But in the future, if there is an interesting interest from the people, will probably introduce functionality so you can give your proto files and Fiddler will be able to decode them and make
them human readable for you. But for this release, we'll capture the traffic. We'll capture all of the communication that happens through gRPC in all the four modes bi directional modes, server only, and all of those. You also have the hex inspector, which will allow you to Yeah, you'll not see the fully decoded message, but you'll be able to at least the text part
of it. You'll see some of the symbol there. Now, we could already do gRPC web before because that's the store HTTPS, right, but yeah, but gRPC what you're talking about, is the one that requires HTTP/2. A lot of dot net developers don't use that right because of you know, Azure and didn't support HTTP/2. I think it does now, but I'm not sure. Yeah, yeah, it does not. And things are coming along. I mean, anybody who's using microservices has to depend on that.
So and the case we dot net is welcoming gRPC, but you know, open open arms. So things are moving along, and you know, we want to make sure we are set up for you know, the next you know, five to six years as you know gRPC growths people. That's true, the guy. Yeah, And however, is your you know, the way in which your serialization decla works. We don't care like just as
long as it's network we can capture it. Yeah, as as we can decrypt it because you've got the right certs in the right places right now. All of this is essentially for developers everything that we have talked about, and again this is how I work. Is like, this is part of my you know, dev tool chain because I use this every day as I'm building
you know, modern web mobile or desktop apps. But we have to think about, you know, the other side of the story when it comes to end users or you know, your QA people when they are testing, maybe they can poke holes in my app and you know, figure out things that
I have not tested it right. So if you give them Fiddler, they can poke around all of those endpoints and try shutting things on and off, slowing things down, or you know, speeding things up, and just try to figure out all the different ways in which your app can be broken. So it is, you know, really good for QA people. But then once your app, you know, hits uh. You know the end users, you want to know what's going on, and the classic you know works
on my machine but doesn't work on yours. That should not be an excuse anymore. You should be able to see exactly what the user is experiencing, and that's where you know, the end user capturing tools come in. That is, you know Fiddler jam and you know Fiddler cap. You mentioned that you could be working with somebody else in your team, and I see that there's some features for team collaboration in the app, So tell me how that works. What you can do in the inside the application is kept or some
sessions. For example, you may say that you have faced an issue and then you can share them with specific emails. For example, you can share them with me and you can even mark the sessions, let's say four of them in with right backgrounds just to note that I need to take a look at those four or you can even write a comment on each of them and say I see something inaccurate here. What will happen is that if Fiddler is running on my side, I will receive a notification and I will be able
to download this all of those sessions immediately and inspect them. And I can even update the comment mark the sessions in a different way, or even update them in some way. For example, I can fix some of the parameters. On your side where Fiddler is working, you also automatically receive all of those updates, so we can work together to inspect and investigate what is causing
the issues if it's one part of the of the sharing. In addition, what you can add is password protection because we know that the sessions can contain a lot of sensitive information, passwords, tokens. If you add this password, it will be client-side encryption and you shouldn't worry about that if you go through our servers and what will happen there because it will be already encrypted and all the people who have the password will be able to decrypt it
well. Cool. The same can happen with API requests. As some already mentioned, we have the ability to compose some of those API requests. I often use them, by the way, when I do some reverse engineering, it's kind of useful for me to capture the traffic to see what a specific web application is doing, and then get some of the requests directly editing the
composer. And of course I try to remove all of the of the headers and parameters just to see which which of them I actually need, and once I have a successful request, then what I actually do is just export the request in as a script. Fiddler has this capability that you can export the already built request in an old script or curl request or whatever you need, and then I used inside my applications. So what I can do in this
case is save this request that I've already captured. I can save it as a collection, and if I want to share it with my team, I can do it again with emails. And the last part for the moment is the sharing of the rules. We've already mentioned how powerful they can be.
You can spend a lot of time building your rules. For example, we have our own rule sets that helps us test Fiddler Everywhere. Yeah, it may be surprising, but in some cases our QAs are using Fiddler Everywhere to test it or to see how it will behave if you have a failure in specific endpoints. So they have these rules and they can share them between them. When a new QA comes in the team, they can just share the
those rules and it's easy, beaty to do it. Yeah. You know you said when you were talking about the rule Builder about being able to change
things, and I don't want to gloss over that. I mean a request in response mocking is a big part of what that does, and how would somebody go about using that into one end so I can try taking that so essentially, and Rosen mentioned a few ways in which teams can work together, but to me, like the rules Builder is particularly best suited for a collaborative type of environment because you are really getting down to the details of every request
and response and being able to change everything about. So when I am building an app that's hitting a certain endpoint, I want to work with Rosen and I want to save my rules because that is fine tuned to exactly what my app is hitting and exactly what we're expecting out of it. And if I can save my rules and have him will up the same on his Fiddler.
Then we are on the same page. We know exactly which api you know, endpoint we are hitting, what are the parameters going in and out, and how we can fake things out of the way and all of this. It sounds a little bit like we are enabling evil. We're just giving you more power if you think about No, you're in a debugging scenario, just
to understand what's going on exactly. Yeah, absolutely critical. Yeah. I was thinking about fiddler jam from a tech support perspective and the number of times I've dealt with a user that has like some ad in that's a weird old ad blocker or something and is knocking out a feature of the website. And you could go around in circles for a long time trying to figure out what
the heck that was. But if you saw the Fiddler trace on it and saw that that message was just not being received and it wasn't making the request, you've got a pretty good hint that the browser's blocking it or some unhandled JavaScript error. Damn scripting turned off. If that's the worst case. Yeah, but you know, again, the idea is you know, your engineering hours are you know, valuable, and we want to sometimes protect those hours.
And that's where you have you know, layers of you know support, And to Richard's point, you don't know what people have running on their machines. Like I am scared to look at my parents' browsers with all of their extensions, like they can you know, barely see a webpage. It's just
so full of tools because they say yes to everything. But Franklin, this is at least one hundred and four weather applications inner task bar, right, So this is a way in which they can hit one small button and it starts capturing as they're utilizing your app, as they're running through an app, and if you you know, let it, it will also capture a little bit of video to go along, like I clicked on this button and you
can see the Fiddler logs kind of you know, follow that along. And once you have that, you can you know, give it off to your first layer of support and they can say, no, it's that extension thing that you have blocked toward. It's that other thing that you have turned off
that's you know, not even letting you make the request and responses. But if it is truly a legitimate, you know, a bug that you want engineering to take a look at. That's when you just say, of the same sessions that you capture from fiddler jam and you just load it up in Fiddler all the way back to your engineering teams who can look at a session as if their app is running on their local machine. But it's just something
the user has recorded. Yeah, you don't need to reproduce because you literally have a copy of a causal problem in the first place. You skip all of that. Yeah, And just to add here regarding Fiddler Jam, the one of the most the quest thing about Fiddler Jam is that it captures not only the network requests and sum mentioned video, it also captures your actions.
For example, user clicked on this deep, user scrolled the page, user or different, whatever you're doing on the on the page, it is captured. In addition, it captures the console logs, the errors. So if you have an extension that is working southing, you'll see it in the console and you'll see it in the capture log for Fiddler Jam. And the cool thing is that the extension is free. Everyone can install it and use it.
The paid features fell from the analysis of those logs. So whilst your your end users capture the traffic, they will receive a link and they will send you the link. So you need to have a license to open this link. Cool and then yeah, it just works everywhere. And what's the difference between JAM and we'll see end cap. It's a JAM is a browser based extension. Essentially, it's a Chromium based extension for you know, your browser based web apps. But if you rather have a desktop app that
you want to look into. So Fiddler Cap is a very lightweight Windows desktop app. Okay that does the same thing. So it'll capture everything on your end user's machine without you having to you know, have them run through your entire app. You can just have it installed and you have them, you know, execute a few things and you can capture the same logs. Can I get out of the PC with Fiddler? Can I try and get all the traffic off of an IoT device? Like do I convince that device to
add to use me as a proxy? Yes, in a way. And Rosen can speak more to this, but you know, at the end of the day, anybody who speaks HTTP to an endpoint, you can capture it, but you will have that you need to have that IoT or any type of other device be able to go through a machine. Right, So all of that, you know, devices traffic is also captured. So you ask the device to speak to you as the gateway so that you can then proxy through it, which not that hard to do. You said, you can
go and configure the network settings for that IoT device. You just push it through that way. So yeah, we are you know, trying to enable developers to have as much visibility. Again, you know, we are not trying to be able, but I mean we have had tools like you know Telerik, you know, disassemble and we'll let you decompile DLLs, so you really can you know, reverse engineer and look through a lot of things.
But this is you know, just literally power in your hands and full visibility in your hands, so you know what's going on in your network. Yeah, I mean I think about low even lower level tools like Wireshark, but now you're just looking at the actual network protocols like it's for a lot of folks, I think it's too low level. Right, Yeah, you don't care about a lot of that information. You want to focus on the application message traffic. It's flowing back and forth. Right, it's that protocol
analyzer. It's a debugging tool. Yeah. And if you care enough about or if you know what you're doing, especially with you know, protobuf or you know Rosen mentioned, we have a hex analyzer that shows you the hex of the requests and responses. That's a little little hardcore for me, but if you want it, if you understood what assembly looks like, then that
would be a useful tool for you. Oh, you can always write your own tool, you know, just like you can go grow your own electrons and make a PC for it. Like, it's a lot of work, right, I got stuff to do. The goal was to make a tool. The goal was solved. Problem that the tool already exists. You should be used the tool. They've thought about things you haven't thought about. Yeah, yeah, exactly. And something that that we are trying to do is
make it even easier for people to use the tool. For example, when you want to capture curl requests, in order to capture them in Fiddler you need to provide a specific argument. When you want to do it with Node.js, you need to set some environment variables, but instead of doing all of those, we are trying to introduce new features inside the application that will automatically
handle those for you. For example, in the next release, we are going to introduce such an option, an instrumented terminal, that will set all of those for you and will help you. So instead of wondering, okay, which was the parameter, how to set it, where to find it and all of those, just run your application through this terminal and the network requests will be captured,
says valid. For the applications with a bit a bits twits regarding the certificate, you'll be able to run them through this terminal and without changing the configuration inside your application, you'll be able to capture their network traffic. Right Yeah, So what essentially Rosen is trying to point to is we are thinking ahead as to what you know, this tool that has been beloved and used you know for decades now by developers, how does this evolve?
And we always want to have developers have all the power. But you know what's next, Let's think about automation, you know, as we are you know, and we spend a lot of time on the minutest of things like the dev teams do because like those are important, like how you do your searches are important, how you filter down to every detail is important. We also have ways in which you can now, you know, take two
rows of sessions. You know, as we are testing our app, one failed, one worked, and you don't know why, right, So now you can compare every part of that request, every part of the response to see exactly what's the difference between two. But all of that again is part of your dev workflow. But you know, if you think about automation, like you want to hit a whole bunch of APIs and you want to see what's coming back, and you want to have all of this as a script.
Right, So now we'll let you save off your sessions, your requests and responses and open it up in a terminal, open it up as curl, and have that as a set of instructions that you do maybe as a CI/CD pipeline. So these are things we are thinking ahead as to see how Fiddler evolves. Yeah, well, I mean, I presume you're not going to get out of the traffic business. But it's about traffic going in and out of a device that I appreciate that you're getting into different kinds of traffic
which besides just HTTPS. Of course there's HTTP/3, But is that really that much of a stretch to implement. Are we already you know, using it? Well, I don't want to spoil the news here, but we're looking at HTTP/3, okay, and we'll see a lot of what will happen if people demand for it, then we'll have to do it. Yeah, I just did a RunAs episode. We were talking about SMB over
QUIC, which is HTTP/3. Just this idea of like no more VPNs, we want file access but securely and fast and those those techniques work really well, but they're still a little lower level than web. Yeah, and as you mentioned, security it is. Security is quite important for us and everything what we are doing, we are trying to put all of our efforts to ensure that we will not expose users information, to ensure that we
will not allow protocol violations. For example, when we were working on the HTTP/2, we took a lot of time to ensure that we are actually following all the requirements of the protocol and if something is broken, to be sure that we'll show it to the users and to tell them. There are many tools that will ignore such errors, even rather to it for some of them. But we prefer to be on the safe side and to handle those errors in a different way to show the people that that happened. There might
be some issues or there. One of the latest things that we are introducing is the you know that when you have a problem with the certificate on some website, the browsers are trying to prevent it for you, but in some cases you want to allow it for let's say localhost development or some of your internal servers. So until now we had an option to ignore all of those errors, but we didn't feel comfortable with it because you had to ignore
all of them, not just for the specific certificate and domain. So now we delay. With the new release, we are going to change this and you'll be able to set it for all the one of the one of the certificate that we have an error. That's cool. So this way we think that our users feel much safer. Also, we are looking at different compilacies. We are looking to extend the ability to ensure that Fiddler can
work in different environments. As we've already mentioned, it's working behind wogging. So we are wondering what will happen if people need to work without in a restricted environment where they all have no access to our work endpoints. What will happen there? How they are going to use the application. We know that we have such users out there. We just need more information what are the requirements? And we work on it. Interesting, Yeah, very cool,
very challenging. So what's next? What's on the Fiddler horizon? Well, the team has been super busy and we have actually internally, you know, tried to align you know, it's a big portfolio products we have, you know, between Telerik and you know Kendo UI and Fiddler and
Sitefinity and a lot of the things we do. So we have been trying to align some you know, our releases are you know, the major releases go out together, so you know we're looking at maybe three major releases in a year for Fiddler with you know, little things in between, service packs in between. You know, like Rosen said, we are you know
thinking about offline capabilities. Maybe we are working with Fiddler on a plane and you know maybe you're just doing local hosts and that's fine, so you know also thinking ahead at you know, what's next with you know, web sockets, what's next with gRPC? Sure? What are the little level protocols come along that matter to us? That's true. Yeah, so you know, enable developers to see everything in your network as best as we can. It's very cool. Thank you guys. It's been great, great, great work.
All kudos go to you know, Rosen and the team. It's been you know, several years of engineering, but we are happy where we stand today. Yeah. I'm sure our listeners will take a first spin and we'll see them next time on dot net Rocks. Dot net Rocks is brought to you by Franklin's Net and produced by PWOP Studios, a full service audio, video and post production facility located physically in New London, Connecticut, and of course
in the cloud online at pwop dot com. Visit our website at dt nt r ocks dot com for RSS feeds, downloads, mobile apps, comments, and access to the full archives going back to show number one, recorded in September two thousand and two. And make sure you check out our sponsors. They keep us in business. Now, go write some code.
