Clare Yan edited this page Mar 30, 2017 · 42 revisions

MAPI Inspector for Fiddler User Guide

The Messaging Application Programming Interface (MAPI) Inspector for Fiddler allows a Fiddler user to view Outlook client requests and Exchange server responses that use the MAPI over HTTP protocol, which is specified in MS-OXCMAPIHTTP. The MAPI Inspector for Fiddler is an extension to Fiddler.


Configuring Fiddler to Capture Traffic between Outlook and Exchange

If Outlook/Exchange traffic is encrypted, you must configure Fiddler to decrypt HTTPS traffic; otherwise, Fiddler is not able to display the request and response data in the MAPI Inspector. You may also want to configure Fiddler to filter out traffic that is not Outlook/Exchange.

Enabling Decryption

To enable HTTPS traffic decryption in Fiddler, go to Tools > Fiddler Options. On the HTTPS tab of the Fiddler Options dialog box, check the box labeled Capture HTTPS CONNECTs; next, check the box labeled Decrypt HTTPS traffic. To focus on Outlook/Exchange traffic and to save CPU cycles and memory, you may want to exclude certain traffic, such as the traffic of a browser, from being decrypted. The dropdown box that is just below the Decrypt HTTPS traffic label allows you to select which processes will have traffic decrypted.

After enabling HTTPS traffic decryption, Fiddler generates a self-signed root certificate and prompts you to trust this certificate. To complete the configuration of Fiddler for traffic decryption, you must trust the Fiddler root certificate when prompted to do so.

Filtering

When capturing Outlook/Exchange traffic, you may want to filter out the non-Outlook/Exchange traffic. The Filters tab, which, along with other tabs, is located on the right side of the Fiddler user-interface, provides a variety of filtering options. The filters that you configure are applied against traffic as it is captured. The screenshot in Figure 1 shows an example of a filter that removes all traffic that is not hosted by outlook.office365.com. The particular host that your Outlook client uses may be different.

Figure 1: A filter that removes all traffic that is not hosted by outlook.office365.com

For complete details about Fiddler decryption, the Fiddler root certificate, filtering, or configuring other options in Fiddler, see the Fiddler Help documentation or consult the book, Debugging with Fiddler, by Eric Lawrence.

Viewing Traffic Between Outlook and Exchange

Each request from the Outlook client and the corresponding response from the Exchange server compose a single transaction, which is represented as a web session in Fiddler. Each web session appears as a single entry in the Web Sessions List, which is displayed on the left side of the Fiddler user-interface.

Certain information about a web session is displayed in the columns of the Web Sessions List. For the MAPI over HTTP protocol, a column labeled MS Protocol is displayed to specify the top-level protocol that is being used for the session. The screenshot in Figure 2 shows two MAPI over HTTP sessions: one on the Mailbox server endpoint (session #123), indicated by "/mapi/emsmdb/" at the beginning of the URL, and the other on the Address Book server endpoint (session #114), indicated by "/mapi/nspi/" at the beginning of the URL.


Figure 2: A view of the Web Sessions List showing two MAPI over HTTP sessions

For complete details about how to use the Web Sessions List to aid analysis of HTTP traffic, see the Fiddler Help documentation or consult the book, Debugging with Fiddler, by Eric Lawrence.
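
The host filter and the endpoint distinction described above can also be applied offline to sessions exported from Fiddler. The following Python code is an added example, not part of the MAPI Inspector or of this guide; it assumes the sessions were exported in HTTPArchive (HAR) format, embeds a constructed sample in place of a real export, and reads the X-RequestType and X-ResponseCode header fields defined in MS-OXCMAPIHTTP. The names `mapi_sessions`, `header` and `_entry` are hypothetical.

```python
import json
from urllib.parse import urlsplit

# URL prefixes from the guide: Mailbox and Address Book server endpoints.
ENDPOINTS = {"/mapi/emsmdb/": "Mailbox", "/mapi/nspi/": "Address Book"}

def _entry(method, url, req_type=None, resp_code=None):
    """Build one constructed HAR entry (sample data, not a real capture)."""
    req = [{"name": "X-RequestType", "value": req_type}] if req_type else []
    resp = [{"name": "X-ResponseCode", "value": resp_code}] if resp_code else []
    return {"request": {"method": method, "url": url, "headers": req},
            "response": {"status": 200, "headers": resp}}

# Constructed sample standing in for a HAR export; MailboxId is a placeholder.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    _entry("POST", "https://outlook.office365.com/mapi/nspi/?MailboxId=placeholder", "Bind", "0"),
    _entry("GET", "https://www.example.com/index.html"),
    _entry("POST", "https://outlook.office365.com/mapi/emsmdb/?MailboxId=placeholder", "Connect", "0"),
    _entry("GET", "https://outlook.office365.com/owa/"),
]}})

def header(headers, name):
    """Case-insensitive lookup in a HAR name/value header list."""
    return next((h["value"] for h in headers if h["name"].lower() == name.lower()), None)

def mapi_sessions(har_text, host):
    """Return MAPI over HTTP sessions for `host`, labelled by endpoint."""
    rows = []
    for entry in json.loads(har_text)["log"]["entries"]:
        url = urlsplit(entry["request"]["url"])
        if (url.hostname or "").lower() != host.lower():
            continue  # same effect as the host filter in Figure 1
        path = url.path.lower()
        endpoint = next((n for p, n in ENDPOINTS.items() if path.startswith(p)), None)
        if endpoint is None:
            continue  # on the right host, but not a MAPI over HTTP endpoint
        rows.append({
            "endpoint": endpoint,
            "request_type": header(entry["request"]["headers"], "X-RequestType"),
            "response_code": header(entry["response"]["headers"], "X-ResponseCode"),
        })
    return rows

if __name__ == "__main__":
    for row in mapi_sessions(SAMPLE_HAR, "outlook.office365.com"):
        print(row)
```
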

Viewing the Request and the Response of a Session

You can use the MAPI Inspector to view the request and the response of a MAPI over HTTP session. The MAPI Inspector is located on the Inspectors tab. To view the request/response of a particular MAPI over HTTP session that is displayed in the Web Sessions List, double-click the session, or select the session and press Enter. Either of these actions activates the MAPI Inspector.

The request and response appear in the top panel and bottom panel, respectively, of the MAPI Inspector. Within each panel, the MAPI Inspector displays the parsed data on the left side and the raw data on the right side. The screenshot in Figure 3 shows the request and response bodies for the Connect request type in the MAPI Inspector.


Figure 3: The MAPI Inspector displays the request and the response of a MAPI over HTTP session

The request/response data is parsed into fields according to MS-OXCMAPIHTTP section 2.2.4 for the Mailbox server endpoint and according to MS-OXCMAPIHTTP section 2.2.5 for the Address Book server endpoint. If a field has subfields, the field's name is preceded by a plus sign, which can be clicked to expose the subfields and their values. The screenshot in Figure 4 shows fields expanded to expose their subfields.


Figure 4: A field's subfields can be exposed by expanding the field

When you select a field of the request/response body, which is displayed on the left side of the MAPI Inspector, the raw data for that field is highlighted in the raw data section, which is displayed on the right side of the MAPI Inspector. The screenshot in Figure 5 shows the raw data of the AdditionalHeaders field in an Execute response body.


Figure 5: The raw data bytes are highlighted for the field that is selected