Debugging Tools for HTTP Headers with Flash?

How are people debugging http traffic in Flash? I used to use HTTPLook, but switched to ServiceCapture because at the time, I was doing a lot of Flash Remoting and it nicely showed AMF traffic. Fiddler’s ok in that it shows better formatted headers, but I like ServiceCapture’s GUI better. Finally, I’ve got Wireshark the packet sniffer (which apparently is based on some sort of open source standard because out of the 3 I’ve tried today it’s GUI is almost identifcal). I can’t read what the heck Wireshark is outputting, but it’s helpful when you are debugging things for those who CAN read it.

Bottom line, none of the above appear to be showing all of the headers Flash is sending. Using addRequestHeader for LoadVars in Flash Player 8 and 7 doesn’t seem to work in the above, at least for the few headers that I’ve tried that aren’t in the not allowed list.

Beyond Charles, what are others using? What do you use to see what headers Flash is sending?

20 Replies to “Debugging Tools for HTTP Headers with Flash?”

  1. I’ve been using ethereal ( It’s down-to-the metal, andthe advantage is that you can be sure that the capture tool isn’t missing anything subtle but important.

  2. Before Flex 2, the Flash NetConnection Debugger was my constant companion. As sweet as Flex 2’s debugging tools are, this is one area that Adobe really ought to step up and improve their tools. I think they should update the NetConnection Debugger for AMF3 and use with Flex.

    For now I am using ServiceCapture.


  3. aah, wireshark is ethereal.

    take some time with it and you can setup filters so you only get the data you are interested in.

    a quick easy one is just to write http in the filter, hit just http traffic.

    or just amf traffic :

    http.content_type contains ‘x-amf’

    theres plenty of predefined filters so you can learn the syntax without too much trouble

    i still use service capture for most development but sometimes getting right to the details is invaluable.

  4. Seems a bit broken in IE7, but I used to find iehttpheaders very useful for this sort of thing.

  5. Ethereal / Wireshark + ServiceCapure (and sometimes tamperdata xpi) here too.

    (Haven’t tried Carles yet.)

  6. If any of you are running FMS2 locally watch out – some of these tools can break FMS functionality, others include Netlimiter and Cingular wireless software. Some AV programs also… sucks.

  7. Using Wireshark/Ehtereal – I normally just capture the traffic, click on the protocol header to sort by it, find the HTTP packets (detected based off port I believe), and then right click on one of them and choose ‘Follow TCP Stream’ This lets you inspect that HTTP request by filtering on the source and destination ports/ips. You can see the filter it builds up at the top of the screen, and can always modify it or hit the ‘clear’ button if you’re looking for something else.


  8. I like UI and features of ServiceCapture the best, but it is not a free tool, and I do not now own a license at home/

    If I would rely on AMF protocol in my current project that I would have not viable choice then to purchase a license of ServiceCapture, but we are using XML data and I was able to switch Fiddler recently and it does its work well with HTTP headers, although I still like ServiceCapture‘s UI more.

  9. I used ServiceCapture here too, lately i changed to Charles because of the problems servicecapture has with multiple AMF requests without using a VO. It can’t deserialize the requests and then . Charles does the job….

    I never used the other options mentioned…

  10. I mainly use ServiceCapture, because it has HTTPS middleman feature built in too (Fiddler doesn’t), and because it’s Win/Mac. Btw JabbyPandg, SC is licensed per developer, so you can legally install it on home PC as well if only you use it there.

    Depending on projects, sometimes I use more pentest-oriented tools like Paros, WebScarab or Burp proxy.

  11. Just curious what headers you think are being sent that are not showing in ServiceCapture? There is nothing in ServiceCapture that would be removing headers…

  12. Oh… I don’t know… like ALL the headers I’m sending custom wize excluding Authorization. Like X-If-No-Redirect, it just doesn’t work except for random times. I’m hitting Google Calendar’s API which is supposed to hit you with a 412 (or was it 302?) if you send that header. Problem is, my custom headers I’m playing with aren’t showing up. Additionally, every so often, the Google Calendar API will send a re-direct, resulting in like 4 requests, but Flash only show’s 2. Really bizarre stuff. Naturally, I’m liable to blame Google since they are changing their API often enough that my results are questioning.

    Another could be my expectations. I can’t see the post data I’m sending… why not? Is it because authorization stuff isn’t shown? I guess I’m not really sure what I’m allowed to see, what I’m not, and what I can/cannot affect. Sometimes, too, the responses I get in Flash don’t match what Fiddler says. It’s all quite frustrating. I’m glad there are middle-tier solutions (which I’m now using) instead of using boilerplate HTTP requests like this. I’ve switched to using PHP make the requests for me, and all is well. I’d say 1 out of every 20 requests get’s ‘malformed’ but that could be PHP yuking… or… God knows. Why I do I specialize in client side development again…? OH YEAH!

  13. I use servicecaptuer most of the time, when I want to dig deep, especially when doing non-flash socket coding I use wirershark. I’ve also used tcpdump and fiddler

  14. FWIW, Fiddler2 shows you EXACTLY what headers are sent, and it shows all of them. It’s not possible to hide any, since Fiddler2 shows you exactly what it receives, and Fiddler sends what it receives.

    Contrary to the comment above, Fiddler2 has included HTTPS decryption for several years now.

Comments are closed.