How to intercept HTTP requests and responses of a

Published 2019-02-01 23:24

Question:

I thought that the only way to intercept a request is to use a proxy, but fiddler somehow can intercept HTTP requests and responses without configuring anything on any browsers.

What's going on under the hood?

And do you know any library to do that? (In any language)

Answer 1:

Fiddler actually does use a proxy. I believe the installer automatically configures IE to use Fiddler's proxy. You can also configure other browsers to go through the same proxy, so Fiddler will profile their network traffic too.

More info here



Answer 2:

Fiddler is a proxy, written in C# and wrapping basic sockets.

It registers with WinINET using the appropriate API call while running, and detaches in the same way. Most browsers automatically detect the WinINET proxy setting and use it. Firefox does not, which is why current versions of Fiddler install a Firefox addon.

-EricLaw [MSFT]
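The answer above is the whole trick: Fiddler is an ordinary HTTP proxy, and the "interception" is just the browser being told (through the WinINET proxy setting) to send its requests there. The following is an added example, not Fiddler's code and not from the original thread: a minimal intercepting forward proxy for plain HTTP (no CONNECT/TLS) built only on Python's standard library, which logs each request and response it relays. The listening port 8888 (Fiddler's default) and the hop-by-hop header list (per RFC 7230) are the only assumptions.

```python
"""Minimal intercepting HTTP forward proxy (plain HTTP only; no CONNECT/TLS)."""
import http.client
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Headers that are meaningful only for a single hop and must not be forwarded (RFC 7230).
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection", "transfer-encoding",
              "te", "trailer", "upgrade", "proxy-authorization", "proxy-authenticate"}


def split_proxy_target(url):
    """A proxied request line carries an absolute URI; return (host, port, origin-form path)."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError(f"not an absolute http URL: {url!r}")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return parts.hostname, parts.port or 80, path


def strip_hop_by_hop(headers):
    """Copy the headers that are safe to forward end-to-end (case-insensitive filter)."""
    return {k: v for k, v in headers.items() if k.lower() not in HOP_BY_HOP}


class InterceptingProxy(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def do_GET(self):
        host, port, path = split_proxy_target(self.path)
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        headers = strip_hop_by_hop(self.headers)
        headers["Connection"] = "close"  # one upstream connection per request keeps this simple
        self.log_message("-> %s %s:%d%s", self.command, host, port, path)  # request seen by the proxy
        conn = http.client.HTTPConnection(host, port, timeout=10)
        conn.request(self.command, path, body=body, headers=headers)
        resp = conn.getresponse()
        data = resp.read()  # the response is fully buffered here, so it could be inspected or modified
        self.log_message("<- %d %s (%d bytes)", resp.status, resp.reason, len(data))
        self.send_response(resp.status, resp.reason)
        for k, v in resp.getheaders():
            if k.lower() not in HOP_BY_HOP and k.lower() != "content-length":
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(data)
        conn.close()

    do_POST = do_GET


if __name__ == "__main__":
    # Point a browser's HTTP proxy setting at 127.0.0.1:8888 and browse a plain-http site.
    HTTPServer(("127.0.0.1", 8888), InterceptingProxy).serve_forever()
```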



Answer 3:

I don't know how fiddler is doing it, but it can be done via a Layered Service Provider on Windows.

From Wikipedia:

"A Layered Service Provider (LSP) is a feature of the Microsoft Windows Winsock 2 Service Provider Interface (SPI). A Layered Service Provider is a DLL that uses Winsock APIs to insert itself into the TCP/IP stack. Once in the stack, a Layered Service Provider can intercept and modify inbound and outbound Internet traffic. It allows processing all the TCP/IP traffic taking place between the Internet and the applications that are accessing the Internet (such as a web browser, the email client, etc)."



Answer 4:

From the MSDN notes on extending fiddler

Fiddler supports a JScript .NET event-handling engine that allows the user to automatically modify the HTTP request or response. The engine can modify the visual appearance of the session in the Fiddler user interface (UI), to draw attention to errors or to remove uninteresting sessions from the list altogether.



Answer 5:

I guess you don't want to hear that you can just intercept them in the web server instead of the client (if it is local) or can use WPAC (proxy auto configuration).

Another option is to use software like SocksCap which "debugs" the browser (or webserver) process and whenever it calls some winsock functions they intercept it and call their own code.

A library to do things like this (intercept library calls on a debugged process) is detours.



Answer 6:

Maybe running the network interface in promiscuous mode. This is how Wireshark is able to monitor network traffic and display it.

More Info: http://en.wikipedia.org/wiki/Promiscuous_mode



Answer 7:

The other option is to use something like Wireshark. The following is from the About page on http://www.wireshark.org/

Wireshark is the world's foremost network protocol analyzer, and is the de facto (and often de jure) standard across many industries and educational institutions.

Features

Wireshark has a rich feature set which includes the following:

  • Deep inspection of hundreds of protocols, with more being added all the time
  • Live capture and offline analysis
  • Standard three-pane packet browser
  • Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
  • Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
  • The most powerful display filters in the industry
  • Rich VoIP analysis
  • Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
  • Capture files compressed with gzip can be decompressed on the fly
  • Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
  • Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
  • Coloring rules can be applied to the packet list for quick, intuitive analysis
  • Output can be exported to XML, PostScript®, CSV, or plain text


Answer 8:

Another way to intercept traffic without a proxy is WCCP on a supported device.

http://www.cisco.com/en/US/docs/ios/11_2/feature/guide/wccp.html