Message Analyzer enables you to load system event data that is typically displayed in the Microsoft Event Viewer. The types of logs for which you can load data into Message Analyzer consist of Applications and Services, Windows, and others. To load data from a particular log, you simply select the log name on the Event Logs tab of the New Session dialog in the Sources list and then click the Start button to load the data into Message Analyzer. The interface from which you will work to load Event Log data into Message Analyzer is shown in the figure that follows.
Figure 34: Event Logs data retrieval interface
After you load the data into the Analysis Grid viewer, you will typically see a row of data for each log entry, where the details of the log entry are contained in the Summary column of the Analysis Grid. If you select a row of data, you can view field names and values in the Details Tool Window below the Analysis Grid that correspond to the Summary column data. In addition, any diagnostic message that is associated with the selected entry is displayed in the DiagnosisTypes column of the Analysis Grid viewer for further examination.
To load data from a selected Event Log, perform the following procedure:
Important
Before you perform the following steps, ensure that the Event Viewer Import preview feature is selected on the Features tab of the Options dialog, which is accessible from the global Message Analyzer Tools menu. If not, select it and then restart Message Analyzer to enable the Event Logs option to appear in the New Session dialog under Add Data Source.
To load Event Log data into Message Analyzer
Tip
You can also load system Event Log data into Message Analyzer from a *.evtx or *.xml file, if you save the former or export the latter from the Microsoft Event Viewer. In this case, you can load the data in these files through the Add Files feature in a Data Retrieval Session and examine the results in a chosen data viewer, which is typically the Analysis Grid viewer.
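The export step described in the tip above, written out as an added PowerShell example (this is not code from the Message Analyzer documentation or from the product): it saves a time window of a chosen Windows event log to a genuine .evtx file with wevtutil, optionally restricted to specific event IDs, and then counts the exported records so you know the file is worth loading through Add Files in a Data Retrieval Session. The function name, parameter names, and the sample log name and event IDs are assumptions made for this example.

```powershell
# Added example, not part of the Message Analyzer documentation.
# Exports a time window of an event log to .evtx for loading into Message Analyzer.
# Exporting logs such as Security requires an elevated PowerShell prompt.
function Export-EventLogWindow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $LogName,   # e.g. Security, System, Application
        [Parameter(Mandatory)] [string] $OutFile,   # destination .evtx path
        [int]   $Hours   = 24,                      # size of the time window
        [int[]] $EventId = @()                      # optional event ID restriction
    )

    # Event Viewer's XPath dialect: timediff(@SystemTime) is the age of the
    # record in milliseconds, which is exactly what the Event Viewer filter
    # dialog emits for "Logged: last N hours".
    $ms      = $Hours * 3600 * 1000
    $clauses = @("TimeCreated[timediff(@SystemTime) <= $ms]")
    if ($EventId.Count -gt 0) {
        $ids = ($EventId | ForEach-Object { "EventID=$_" }) -join ' or '
        $clauses += "($ids)"
    }
    $query = '*[System[' + ($clauses -join ' and ') + ']]'

    # wevtutil epl (export-log) writes a real .evtx file; /q applies the
    # XPath query and /ow:true overwrites an existing file.
    & wevtutil.exe epl $LogName $OutFile "/q:$query" /ow:true
    if ($LASTEXITCODE -ne 0) { throw "wevtutil failed with exit code $LASTEXITCODE" }

    # Read the exported file back to confirm how many records it holds.
    # Get-WinEvent raises an error on an empty file, so suppress it and count 0.
    $count = (Get-WinEvent -Path $OutFile -ErrorAction SilentlyContinue | Measure-Object).Count
    [pscustomobject]@{ LogName = $LogName; File = $OutFile; Query = $query; Records = $count }
}

# Constructed usage: the last 24 hours of failed logons (4625) and account
# lockouts (4740) from the Security log, ready to open in Message Analyzer.
Export-EventLogWindow -LogName Security -OutFile "$env:TEMP\security-24h.evtx" -EventId 4625, 4740
```

The .evtx produced here is loaded exactly like one saved from Event Viewer. For the XML route the tip mentions, use Event Viewer's own Save As XML, because the XML that wevtutil query-events prints lacks the enclosing root element that the Event Viewer export writes.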
This section begins with some background concepts about Microsoft Message Analyzer and then goes into several mini-tutorials or Getting Started Primers that will help you get started with using this unique tool. Links are provided throughout so that you can navigate to more information about the described features as needed.
Go To Procedures
To go directly to procedures that provide examples of using Message Analyzer, see the following topics:
Procedures: Quick Start
Procedures: Using the Network Tracing Features
Procedures: Using the Data Retrieval Features
Procedures: Using the Data Viewing Features
Procedures: Using the Data Filtering Features
Procedures: Using the Asset Management Features
Procedures: Using the Chart Viewer Layout Configuration Features
Introduction
The overarching and new approach that Message Analyzer uses when capturing traffic is to limit network noise and to expose at top-level both the issues that occur at lower levels and hidden information that is critical to quick analysis. Message Analyzer does this by the following.
In this manner, the important information that you need to see for any particular message is readily exposed at top-level in the Analysis Grid viewer, which is the main analysis surface that Message Analyzer provides.
Another significant feature that enables you to focus on messages of interest is Viewpoints, which display data from the perspective of a chosen protocol, module, or layer with no messages above it. For example, you could select a TCP Viewpoint and drive all TCP messages to top-level in the Analysis Grid to facilitate better analysis of TCP messages. This is in contrast to Message Analyzer's predecessor Network Monitor, which shows only flat or static message packets in original capture order and does not hide any noise, reassemble fragments, or simulate protocol behavior to allow for interpreting states and maintaining a protocol model, such as Message Analyzer does. Moreover, Message Analyzer formalizes its parser definitions to enable more artifacts to be derived from them, such as test cases and documentation.
You will learn more about these features in the next few sections that provide an overview of acquiring data through a Message Analyzer session and using various tools to focus data capture and analysis on specific types of data. After these sections, you can review the Getting Started Primers.
Acquiring Data Through a Message Analyzer Session
Message Analyzer enables you to capture, display, and analyze protocol messaging traffic, and to trace and assess system events, Windows component events, and device messages. It also provides the capability to retrieve, aggregate, and analyze data from one or more saved traces, which includes support for the .etl, .cap, .pcap, .pcapng, .tsv/.csv, .evtx, and .log input file formats, in addition to Message Analyzer native files in the .matp or .matu format, as described in Locating Supported Input Data File Types. If you work with text based .log files, Message Analyzer enables you to retrieve data from various common text .log file types with the use of built-in text log parsers that are described in Parsing Input Text Log Files. Also note that if you have a custom text .log file, an extensibility feature of the Microsoft Protocol Engineering Framework (PEF) enables Message Analyzer to retrieve its data with the use of a custom configuration file. However, you will need to create this file in order to fully parse your text log, as described in Parsing Input Text Log Files. Message Analyzer also enables you to extend the functionality of the Chart viewer by creating custom view Layouts of your own design, as described in Extending Message Analyzer Data Viewing Capabilities.
Message Analyzer makes use of two different types of sessions to acquire input data, as described in Starting a Message Analyzer Session. These consist of a Live Trace Session and a Data Retrieval Session, which provide data from the live capture of network traffic, events, system messages, and device messages; and saved traces, logs, and text logs, respectively. In a Live Trace Session, PEF provider-drivers and/or other system ETW Providers listen for and capture protocol messages and events at various stack layers or from other components. The messages and events are passed to the PEF Runtime where they are decoded by Open Protocol Notation (OPN) parsers and then temporarily saved in a Message Store. To access and display these messages, Message Analyzer consumes the PEF Runtime data, as described in the PEF Architecture Tutorial. Messages are displayed by default in the Analysis Grid viewer, where you can begin your data analysis process; however, other data viewers and various Tool Windows are also available to streamline message analysis.
Live Trace Session
In a Live Trace Session, you have the option to capture data from the local computer and/or multiple remote computers in concurrent subsessions that return all data to the common initiating live session that you configure with a chosen data viewer. Moreover, the local computer is the default host on which a Live Trace Session captures data; however, if you specify valid connection/authentication credentials for other remote computers, you can capture data simultaneously on those computers as well. Message Analyzer also provides you with the flexibility to run multiple concurrent Live Trace Sessions, optionally with each having different message provider and filtering configurations, to target different computers. You can do this by simply adding one or more Live Trace data sources in the New Session dialog, specifying the hosts from which to capture the data, and selecting or creating Session Filters, as described in Configuring Session Scenarios with Selected Data Sources.
Tip
Quick Tracing — to get started very quickly with a Live Trace Session, you can make use of Start Page features that enable you to start a new Local trace session at Link Layer or begin the configuration phase for a new session—with a single click—as described in Quick Session Startup.
More Information
To learn more about configuring a Live Trace Session, see Capturing Message Data.
Data Retrieval Session
In a Data Retrieval Session, Message Analyzer enables you to retrieve and aggregate saved message collections from multiple sources, including traces and logs, in any combination. This means you can mix and merge data from any of these sources and display it in the Analysis Grid or other selected data viewer. If you know that certain events of interest have occurred at a particular time in a collection of data sources, you can configure a Time Filter to view data in a window of time that you specify to eliminate extraneous data and improve performance. You can also set Time Shifts to accommodate for different time zones or skewed machine times across different data sources. You might also select a built-in Session Filter or configure one of your own design to return specific data that is based on the filtering criteria that you specify, while at the same time further improving performance.
Special Input Sources
Message Analyzer also provides access to special input sources such as Azure Storage Tables, Azure Storage Blobs, Event Logs, SQL databases, and Operations Management Suite (OMS) logs. It also provides an interface from where you can write PowerShell queries. For access to most of these input sources, you will need authentication credentials. The user interface for all of these input sources is located in the New Session dialog, which is accessible from the Start Page by clicking the New Session button.
Message Analyzer also provides a set of built-in parsers for common text logs such as Cluster, Netlogon, IIS, and so on. In addition, if you have a proprietary text log with a unique format, you have the option to create an OPN configuration file which enables Message Analyzer to parse the data in your log file, as described in Parsing Input Text Log Files.
More Information
To learn more about configuring a Data Retrieval Session, see Retrieving Message Data. To learn more about accessing data from the previously mentioned special input sources, see Acquiring Data From Other Input Sources.
Focused Tracing and Analysis
Although Message Analyzer enables you to capture messages from many system components, the PEF providers used by Message Analyzer enable you to capture data at several different layers, which provide unique inspection points into the protocol stack. For example, by specifying any Trace Scenario that uses the Microsoft-PEF-WFP-MessageProvider, you can focus on capturing messages above the IP/Network Layer by filtering out lower-level Link Layer messages through the Windows Filtering Platform (WFP), upon which the Microsoft-PEF-WFP-MessageProvider is based. Moreover, by specifying any Trace Scenario that uses the Microsoft-PEF-NDIS-PacketCapture or Microsoft-Windows-NDIS-PacketCapture provider, you can capture messages at Link Layer and above. Message Analyzer also enables you to temporarily set a predefined Viewpoint that filters, reorganizes, and redisplays the data from the perspective of a selected protocol or module type, such as HTTP, TCP, SMB, or ETW, so that you can focus on specific message traffic that is defined by the Viewpoint, while removing all messages above the Viewpoint level to create a focused set of messages.
You can also select a predefined Parsing Level that controls the stack level to which Message Analyzer parses, while passing certain messages in these scenarios that are useful to your data analysis perspective, as described in Setting the Session Parsing Level. In addition, you can make use of Aliases, as described in Using and Managing Message Analyzer Aliases, to configure user-friendly names for cryptic field values; and you can take advantage of the Unions feature, described in Configuring and Managing Message Analyzer Unions, to correlate differently named fields that are of the same type in different data sources. You can even capture and analyze loopback traffic for local application communications that use the IPv4 or IPv6 loopback addresses, by specifying the Loopback and Unencrypted IPSEC or Local Loopback Network Trace Scenario, as described in Built-In Trace Scenarios.
You also have the option to select specific data that you want to isolate for focused analysis by making use of any of the following:
Furthermore, Message Analyzer enables you to decrypt data that is encrypted with the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols, for example Remote Desktop Protocol (RDP) and HTTPS messages, respectively. The Decryption feature also provides a Decryption Tool Window that presents summary and statistical data for the decryption session to facilitate analysis, as described in Decrypting TLS and SSL Encrypted Data.
These capabilities solve many inherent capture, data display, and analysis problems, such as the visibility of encrypted data, assessment of loopback traffic that is enabled by the Local Loopback Network scenario, and seeing traffic from the Viewpoint of a protocol. The underlying technologies that support Message Analyzer also machine-validate message structure and values, behavior, and architecture based on protocol specifications; and if errors occur, they are surfaced very quickly to top-level as Diagnosis messages. To this end, Message Analyzer also provides a Diagnostics Tool Window that summarizes all the Diagnostic messages in a trace, which interactively drives selection of corresponding messages in the Analysis Grid viewer to facilitate further review of message Details, Message Stack information, and Message Data.
Note
Message Analyzer is also an effective tool for testing and verifying protocol implementations. See the Open Specifications documentation library for more information about protocol technical specifications.
Getting Started Primers
The sections that follow provide brief conceptual tutorials that serve as getting started primers for Message Analyzer functionality. These tutorials correspond to the major tasks that you perform from the Message Analyzer user interface, where you can:
Capture Message Data
Retrieve Message Data
Edit Message Data
View Message Data
Filter Message Data
Analyze Message Data
Save Message Data
Capture Message Data
When capturing data live, Message Analyzer makes use of various message providers that focus on different layers or types of data. These providers are included in every Message Analyzer installation and consist of common Microsoft-PEF providers, the Microsoft-Windows-NDIS-PacketCapture provider, and various ETW Providers that are registered on the Windows system by default. These providers are briefly described in 'Common Message Providers Used by Message Analyzer', which follows. Thereafter, this section describes how to configure and start a Live Trace Session; provides examples of the Message Analyzer global options you can set; describes how Message Analyzer integrates event tracing into the capture process; how to optimize ETW sessions; and how Message Analyzer parses messages from MOF-based system ETW providers. The subject matter is discussed in the following topics.
Configuring a Live Trace Session
Starting a Live Trace Session
Setting Message Analyzer Global Options
Protocol Modules and Specifications
Integrating Event Tracing
Optimizing ETW Session Performance
Using MOF-Based ETW Providers
Common Message Providers Used by Message Analyzer
The following message providers are included in Message Analyzer Trace Scenarios, which contain either one of these providers as the exclusive data source or a combination of several providers, depending on the scenario requirements.
Configuring a Live Trace Session
You can specify the message providers that you want to use to capture data from the network or other components by configuring a Live Trace Session, as shown in the figure that follows. In the figure, the Microsoft-PEF-WFP-MessageProvider appears in the list after selecting the Loopback and Unencrypted IPSEC Trace Scenario in the Select Scenario drop-down list on the ETW Providers toolbar in the New Session dialog. The Windows-Firewall-Service ETW Provider appears in the list after selecting this provider in the Add System Providers dialog that displays when you click the Add Providers drop-down list on the same toolbar and then select the Add System Providers item.
Figure 2: Message Analyzer Live Trace Session configuration
Predefined provider configurations are contained in all the built-in Trace Scenarios that you can select from the Select Scenario drop-down list on the ETW Providers toolbar on the Live Trace tab of the New Session dialog. These Trace Scenarios are templates that contain predefined message provider configurations that are tailored for capturing data from various components and/or at different stack layers.
Optionally, you can enhance the scope of data capture by adding other system ETW providers to the scenario. Also, if you have created and saved any custom Trace Scenarios by using the Save Scenario feature on the ETW Providers toolbar, these are also available for selection in the My Items category of the Select Scenario drop-down list. See Creating and Managing Custom Trace Scenarios for further details on creating your own scenarios. You can also modify the capture configuration of PEF and other ETW Providers from the Live Trace tab of a New Session to isolate specific message traffic and realize performance enhancements.
For example, by clicking the Configure link for a selected message provider in the ETW Providers list, such as the Microsoft-PEF-WFP-MessageProvider, you can display a configuration dialog and specify Fast Filters that work very efficiently at the kernel level. These low-level filters enable you to quickly retrieve specific messages that meet the filtering criteria that you specify, which reduces the scope of the data to be returned by the trace. In turn, this accelerates the data capture process and minimizes the Message Analyzer parsing time.
You also have the option to select or create a Session Filter for a Live Trace Session (or a Data Retrieval Session) to reduce the scope and count of messages that you retrieve, and as a result realize performance improvements. The difference between a Fast Filter and a Session Filter is that Fast Filters work at the provider/driver level and are therefore not subject to the Runtime parsing process, which makes them faster, whereas Session Filters are applied to an already parsed set of results, which makes them a little slower because of the additional processing time required.
Other ETW Provider settings that you can configure for a Live Trace Session are described in the list that follows. Note that the Provider tabs of all the Advanced Settings dialogs that are referenced in the list items are accessible by clicking the Configure link to the right of the providers when they display in the ETW Providers list of the New Session dialog.
More Information
To learn more about configuring a Live Trace Session, see Capturing Message Data. To learn more about usage configurations for PEF-based providers and other message providers, see the Built-In Trace Scenarios topic.
Starting a Live Trace Session
After you complete the configuration phase for a Live Trace Session, you can start the session by clicking the Start button in the New Session dialog, at which time Message Analyzer will begin capturing data. If you have a specific issue that you are trying to resolve, this would be the time to start the function/s or application/s that you suspect are causing a problem.
Note that you can very quickly start capturing data with Message Analyzer by clicking either of the following on the Message Analyzer Start Page; however, you cannot set any configuration options for a Live Trace Session when using these methods.
More Information
To learn more details about starting a Live Trace Session, see Performing a Live Capture.
Setting Message Analyzer Global Options
Message Analyzer provides numerous global options that enable you to specify certain default values or make default selections that can affect Message Analyzer performance, display configurations, or feature activation. For example, you can specify a default Session Viewer, the default configuration for Text Log Files, Time Display format, Decryption certificate data, Parsing options, preview Features, Profiles to enable, symbol files for parsing WPP-generated events, and so on. You can set these options at any time; however, you would typically do so prior to starting a Live Trace Session or a Data Retrieval Session.
Important
If you are enabling preview features on the Features tab of the Options dialog, as accessible from the global Message Analyzer Tools menu, you will need to restart Message Analyzer for the configuration to take effect.
More Information
To learn more about the global Message Analyzer options that you can set, see Setting Message Analyzer Global Options.
Protocol Modules and Specifications
Message Analyzer can display message traffic that is captured from specific protocol modules only if the protocol object model (POM) repository within the PEF architecture contains compiled OPN descriptions representing the architecture, behavior, and data for those protocols. Message Analyzer ships with OPN descriptions for a large number of protocols, such as Microsoft Windows and other common public protocols, in addition to Office, Exchange, SharePoint, and SQL protocols. This enables you to capture a wide array of network protocol and application messages. In addition, to support your data analysis process, Microsoft makes Protocol Technical Specifications available on the Microsoft Developer Network (MSDN) web site, while you can find other standard RFC specifications for public protocols on the Internet.
You can use the technical documents (TDs) provided by Microsoft as references that depict protocol architecture, behavior, and data, as it was designed, to facilitate analysis of the messages you capture with Message Analyzer. For example, you could verify the value of a particular field or confirm the presence of required parameters for a particular method of a specific protocol that is failing to perform properly, although Message Analyzer has a built-in message validation feature that does this automatically.
Integrating Event Tracing
Event tracing functionality is integrated with all message providers that are used by Message Analyzer. Moreover, all Message Analyzer providers are instrumented with ETW technology so that events can be returned in a trace along with network traffic. The Message Analyzer trace model uses ETW to enable integrated capture and display of messages and events from a large number of system components. Whenever you start a Live Trace Session, the underlying message provider/s in the Trace Scenario that you select are enabled to an ETW Session Controller, which determines if there are any specific Keyword event or error Level settings that modify which events are to be returned to the ETW Consumer, which in this case is Message Analyzer. If there are no such settings, then the ETW Session Controller returns all events generated by the component that is instrumented for ETW. Message Analyzer then displays detailed, human-readable information for events at the ETW layer that is below the networking stack in all Message Analyzer traces.
At the ETW layer in the Analysis Grid viewer, ETW messages typically contain an expandable EventRecord field and a Payload field, the latter of which integrates the network stack. You can see these fields in the DetailsTool Window if you click an ETW message in the Analysis Grid viewer, as shown in the figure that follows.
Tip
If you expand the EventRecord node in the Details window, you will see the Header, which contains fields such as Size, ThreadId, ProcessId, ProviderId, and the event Descriptor, which contains the fields described in the Event Definition topic of the ETW Framework Conceptual Tutorial.
Figure 3: Message Analyzer with Analysis Grid ETW event
For event parsing to be possible, Message Analyzer must generate OPN for any manifest-based system ETW Provider that you employ in a Live Trace Session so that ETW events can be properly parsed by the PEF Runtime. To generate the OPN, manifests for system ETW Providers in use are retrieved so that OPN descriptions can be inferred from them to provide the basis for Message Analyzer to successfully parse event structures. To facilitate this process, the PEF architecture contains an ETW Manifest Import Adapter. This is a protocol object model (POM) adapter that converts an ETW manifest for a given ETW Provider into a POM model, and then publishes it to the PEF Runtime so it can parse and dispatch ETW messages generated by that provider. The OPN actors and endpoints that enable parsing and dispatching messages for an ETW Provider that you specify in a Live Trace Session are dynamically generated at runtime by the ETW Manifest Import Adapter.
Tip
An ETW Provider manifest defines the event descriptions and format in which events are written by the provider. In the current Message Analyzer v1.4 release, you can extend your system with additional system ETW Providers from which Message Analyzer can receive events. If you have a custom ETW Provider that you want to use in a Live Trace Session, you will need to specify a Guid and a Name for the provider in the Add Custom Provider dialog, which displays after you select the Add Custom Provider item in the Add Providers drop-down list on the ETW Providers toolbar of the New Session dialog for a Live Trace.
However, you might also need to specify a provider manifest so that Message Analyzer can infer an OPN description for the POM to facilitate parsing of the event structure, as described earlier. Message Analyzer will first check to see if the system contains a registered manifest for your provider, and failing that, Message Analyzer looks in the following directory for a manifest:
%LocalAppData%\Microsoft\MessageAnalyzer\OPNAndConfiguration\EtwManifests
If Message Analyzer does not find a registered manifest on your system for the custom provider you are specifying, you will need to place the manifest in this directory.
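The manifest lookup order described above (registered system manifest first, then the per-user EtwManifests folder) can be mirrored from the command line before you add a custom provider to a Live Trace Session. The following added PowerShell example is not code from the Message Analyzer documentation or from the product: it asks Windows whether the provider is already registered, and only if it is not does it validate that the manifest file names that provider and copy it into the EtwManifests folder. The function names, the provider name Contoso-Example-Provider and the manifest path are constructed for this example.

```powershell
# Added example, not part of the Message Analyzer documentation.
function Test-EtwProviderRegistered {
    param([Parameter(Mandatory)] [string] $ProviderName)
    try {
        # Get-WinEvent -ListProvider resolves registered publisher metadata;
        # a provider with a registered manifest is found here, an unregistered
        # custom provider throws, which is the case that needs a manifest copy.
        $null = Get-WinEvent -ListProvider $ProviderName -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

function Install-MessageAnalyzerManifest {
    param(
        [Parameter(Mandatory)] [string] $ProviderName,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    # The folder Message Analyzer searches when no registered manifest exists.
    $dest = Join-Path $env:LOCALAPPDATA 'Microsoft\MessageAnalyzer\OPNAndConfiguration\EtwManifests'

    if (Test-EtwProviderRegistered $ProviderName) {
        return "Provider '$ProviderName' is registered; Message Analyzer will use the system manifest."
    }

    # Sanity check before copying: the manifest's <provider name="..."> must
    # match the Name you will type into the Add Custom Provider dialog.
    # PowerShell's XML adapter matches elements by local name, so the ETW
    # manifest namespace does not get in the way here.
    [xml]$man = Get-Content -LiteralPath $ManifestPath -Raw
    $declared = @($man.instrumentationManifest.instrumentation.events.provider) |
        Select-Object -ExpandProperty name
    if ($declared -notcontains $ProviderName) {
        throw "Manifest $ManifestPath declares '$($declared -join ', ')', not '$ProviderName'."
    }

    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Copy-Item -LiteralPath $ManifestPath -Destination $dest -Force
    return "Copied $(Split-Path $ManifestPath -Leaf) to $dest"
}

# Constructed usage with a placeholder provider name and manifest path.
Install-MessageAnalyzerManifest -ProviderName 'Contoso-Example-Provider' `
                                -ManifestPath 'C:\manifests\Contoso-Example-Provider.man'
```

The name check matters because Message Analyzer keys the inferred OPN description to the provider you add; a manifest whose provider name or GUID differs from what you entered in the Add Custom Provider dialog leaves the events unparsed.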
More Information
To learn more about the POM, see the PEF Architecture Tutorial. To learn more about ETW, see the ETW Framework Conceptual Tutorial.
Optimizing ETW Session Performance
Message Analyzer also enables you to modify certain aspects of ETW Sessions to focus on capture of specific events and/or to improve performance as follows:
More Information
To learn more about optimizing an ETW Session, see Specifying Advanced ETW Session Configuration Settings. To learn more about how system ETW Providers function in the ETW framework, see the ETW Framework Conceptual Tutorial. To learn more about configuring system ETW Providers, including Keyword and Level filters, see Adding a System ETW Provider and System ETW Provider Event Keyword/Level Settings.
Using MOF-Based ETW Providers
Message Analyzer also supports registered event providers on your system that use the managed object format (MOF) schema as the basis of generating their events. Event providers that use the MOF schema are typically employed in systems that are managed by Windows Management Instrumentation (WMI). These providers appear in the Add System Providers dialog along with various other types of providers, such as those that are manifest-based. The Add System Providers dialog displays after you click the Add Providers drop-down list on the ETW Providers toolbar in the New Session dialog and you select the Add System Providers item. Because Message Analyzer supports MOF schema, events that are captured by Message Analyzer from MOF-instrumented providers can be fully parsed. Without MOF support, messages that are captured from MOF-based providers would be displayed as simple ETW messages with a summary string and no additional parsing of event fields.
To provide support for MOF-instrumented providers, including fully parsing events from such providers, Message Analyzer uses an extension to the existing ETW adapter. This adapter normally handles ETW providers that have a manifest that is created at the time the provider is instrumented for ETW. When an ETW event arrives, Message Analyzer checks to see whether an OPN description exists that can parse the event. If an OPN description cannot be found, then Message Analyzer attempts to retrieve the manifest-based event schema, from which it can generate OPN. In a similar manner, Message Analyzer does the following to support MOF when events arrive:
Detecting MOF Schema
In Message Analyzer, there are typically three sources from which MOF events can derive, including live traces, saved trace files such as the native Message Analyzer parsed format (.matp), and saved trace files in other supported formats such as .matu, .etl, and .cap. As previously indicated, if there is an existing OPN module (see Protocol Modules and Specifications) that can consume the events, then the events are parsed according to the OPN description and background generation of OPN is not required. However, if there is no existing OPN module to parse the events, Message Analyzer then attempts to locate the MOF schema as follows:
Note
If Message Analyzer requires a MOF schema for a provider that is installed on the local system and cannot find one, then Message Analyzer will display simple ETW messages only, with minimal parsing for that provider’s messages.
Deploying a Custom MOF Provider
If you have a custom MOF-based provider that you want to deploy on your local system, you can use the WMI compiler tool mofcomp.exe to register your provider and its MOF schema. Thereafter, Message Analyzer will be able to locate the MOF schema, should an OPN description need to be created to parse the MOF-based events of the provider. You will find the mofcomp.exe tool in the following directory on your computer: C:\Windows\System32\wbem
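The registration step above, as an added PowerShell example that is not code from the Message Analyzer documentation or from the product: it runs mofcomp.exe from the directory named in the text, first as a syntax-only pass so a malformed MOF file never reaches the repository, then for real, and finally confirms that the event class is visible in WMI, which is what Message Analyzer needs in order to locate the schema. The function name, the root\wmi default namespace (where classic ETW MOF event classes are normally registered), and the sample MOF path and class name are assumptions made for this example; an elevated prompt is required for registration.

```powershell
# Added example, not part of the Message Analyzer documentation.
function Register-MofSchema {
    param(
        [Parameter(Mandatory)] [string] $MofPath,       # the provider's .mof file
        [Parameter(Mandatory)] [string] $ClassName,     # event class the MOF defines
        [string] $Namespace = 'root\wmi'                # namespace the MOF's #pragma targets
    )
    # mofcomp.exe lives in the WBEM directory named in the documentation.
    $mofcomp = Join-Path $env:SystemRoot 'System32\wbem\mofcomp.exe'
    if (-not (Test-Path -LiteralPath $mofcomp)) { throw "mofcomp.exe not found at $mofcomp" }
    if (-not (Test-Path -LiteralPath $MofPath)) { throw "MOF file not found: $MofPath" }

    # Pass 1: -check compiles the MOF without writing anything to the repository.
    & $mofcomp -check $MofPath
    if ($LASTEXITCODE -ne 0) { throw "MOF syntax check failed (exit code $LASTEXITCODE)" }

    # Pass 2: register the schema. Elevation is required.
    & $mofcomp $MofPath
    if ($LASTEXITCODE -ne 0) { throw "mofcomp registration failed (exit code $LASTEXITCODE)" }

    # Verify: the class must now resolve in the target namespace, otherwise
    # Message Analyzer would fall back to simple ETW messages for this provider.
    $cls = Get-CimClass -Namespace $Namespace -ClassName $ClassName -ErrorAction SilentlyContinue
    if (-not $cls) { throw "Class $ClassName not found in $Namespace after registration" }

    [pscustomobject]@{
        Class      = $cls.CimClassName
        Namespace  = $Namespace
        Properties = @($cls.CimClassProperties | Select-Object -ExpandProperty Name)
    }
}

# Constructed usage with placeholder file and class names.
Register-MofSchema -MofPath 'C:\providers\ContosoTrace.mof' -ClassName 'ContosoTraceEvent'
```

Running the syntax-only pass first is the defensive habit worth keeping: a MOF file that fails to compile leaves the repository untouched, whereas a partially applied schema can make a provider appear registered while its event fields still do not parse.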
More Information
To learn more about using the mofcomp.exe tool, see mofcomp in the WMI Command Line Tools topic on MSDN.
Retrieve Message Data
This section briefly describes how to create a Data Retrieval Session, how to create a message collection from a set of specified input files (or by selecting a subset of specified input files), the features you can use to select specific data from a collection of messages in one or more input files, in addition to how to parse text-based log files (with a .log extension). The subject matter is discussed in the following topics.
Loading Data into Message Analyzer
Acquiring Input From Other Data Sources
Selecting Data to Retrieve
Parsing Input Text Log Files
Loading Data into Message Analyzer
When you start a Data Retrieval Session, the configuration of which is shown in the figure that follows, you can load data from saved trace files and logs into Message Analyzer, which includes .matu, .matp, .etl, .cap, .pcap, .log files, and others, as described by the table in Locating Supported Input Data File Types. After clicking the Add Files button on the Files tab in the New Session dialog for a Data Retrieval Session, you can navigate to target files that contain the data you want to load into Message Analyzer. After the files containing the target data display on the Files tab, you can also specify subsets of those files in your Files list to create message collections that target specific data to be loaded into Message Analyzer and parsed. To create a subset, you simply select the check box to the left of the file that contains the data you want to load. Note that a Data Retrieval Session enables you to aggregate and merge message data from multiple data sources that include various types of log files and traces.
To create a uniform analysis context for your data, you can apply a common filtering configuration to each collection of input files that you specify as a separate Data Source in the New Session dialog. Such filtering includes specifying a Session Filter or Parsing Level. However, you have the option to apply a different Time Filter configuration to each Data Source (on a Files tab), which gives you the flexibility to aggregate messages from multiple data sources in a specific window of time. You can also specify a data viewer of choice that applies to all Data Sources, by choosing it from the Start With drop-down list in the New Session dialog.
Figure 4: Message Analyzer Data Retrieval Session configuration
More Information
To learn more about working with a Data Retrieval Session, see Configuring a Data Retrieval Session.
Acquiring Input From Other Data Sources
Message Analyzer can load and process data from other input Data Source types besides trace files and common log files. The other sources with which Message Analyzer can work include the following:
Selecting Data to Retrieve
You can also select specific data to retrieve from a target message collection while blocking all other messages that do not meet the filtering criteria that you define, by using a Session Filter, Time Filter, or a Parsing Level. A Session Filter narrows the scope of data retrieval to only the message types that meet the criteria of a Filter that you manually define, or one that you select from the centralized filter Library in the lower section of the New Session dialog. A Time Filter enables you to specify a window of time in which to view data in a correlated target message collection that can consist of one or more sources from which you load data into Message Analyzer. A Parsing Level enables you to specify how far up the network stack Message Analyzer will parse, which creates a focused set of messages that temporarily eliminates all other messages above the specified Parsing Level. For example, you might set the Parsing Level known as Network Analysis to create a set of results that focuses on the Network and Transport Layer messages.
More Information
To learn more about configuring a Data Retrieval Session, see Retrieving Message Data. To learn more about how to use a Session Filter in a Data Retrieval Session, see Applying a Session Filter to a Data Retrieval Session. To learn more about how to use a Time Filter in a Data Retrieval Session, see Applying an Input Time Filter to a Data Retrieval Session. To learn more about how to work with Parsing Levels, see Setting the Session Parsing Level.
Parsing Input Text Log Files
If you have a text-based log file containing log entries that you want to view, Message Analyzer enables you to load and view the data from the log file, but you will need to specify an OPN configuration file to drive the process. Message Analyzer provides several built-in configuration file types that you can select from in the Text Log Configuration column that appears below the toolbar on the Files tab of the New Session dialog for a Data Retrieval Session, as shown in the figure that follows.
Figure 5: Message Analyzer Textlog parsers
The drop-down list shown in the figure is populated with common built-in configuration files that are available for selection only after you click the Add Files button and retrieve a *.log file that contains the data you want to load into Message Analyzer. The built-in configuration files are described in the subsection 'Built-In OPN Configuration Files' that immediately follows; however, if you have a text-based log file that contains log entries in a unique/proprietary format, it is likely that you will need to create a custom OPN configuration file so that Message Analyzer can parse your log, as described in Opening Text Log Files.
Built-In OPN Configuration Files
The built-in OPN configuration file types that are currently available for selection are specified in the list that follows. A short description of the purpose of each configuration file type is included:
Note
With the exception of the configuration files for Azure storage logs, the listed text log configuration files are contained in the Message Analyzer Device and Log File Version 1.4 asset collection that you can configure for automatic downloads and updates from a Microsoft web service through the Sharing Infrastructure. The configuration files for Azure storage logs are contained in the Azure Storage Parsers Version 1.0 asset collection. The management features for the Azure storage parsers and all other Message Analyzer asset collections are available from the Asset Manager dialog, which is accessible from the global Message Analyzer Tools menu.
More Information
To learn more about managing Message Analyzer asset collections, including downloading and auto-syncing any collection for automatic updates, see Managing Message Analyzer Assets.
Selecting Versus Creating an OPN Configuration File
The built-in text log OPN configuration files are named in such a way that it should be obvious which one to select for your text log. For example, a Cluster text log will use the Cluster configuration file, the IIS text log will use the IIS configuration file, and so on.
If none of the built-in text log configuration files apply to your text log, then you can create a new one that is specifically designed to parse the data in your text log, as described in Opening Text Log Files. Whenever you create a new configuration file for a text log, it is added as an item to the Text Log Configuration drop-down list that appears below the toolbar on the Files tab of the New Session dialog. It is also added to the Default text log configuration drop-down list in the Text Log Files pane on the General tab of the Options dialog, which is accessible from the global Message Analyzer Tools menu. From the latter drop-down list, you have the option to set a specific configuration file as the global default for all text log files from which you will load data into Message Analyzer. This makes it convenient if you work with a particular type of .log file consistently.
OPN Configuration File Contents
A configuration file contains a description of the log's messages in OPN and RegEx notation, which ensures that text log data that is loaded into the system can be properly parsed and then displayed in Message Analyzer. The text-based log data is loaded into the Message Analyzer Runtime through a Log File Adapter and the OPN configuration file drives the process. The message definitions contained in the OPN configuration file are compiled by the OPN Compiler to confirm the validity of the configuration file and the integrity of the OPN description that will reside in the POM, which is referenced by the Runtime when the parsing process begins for your text log.
To create an OPN configuration file, you will need to identify each unique log entry and map it to a message structure. You can do this with RegEx notation, which is designed for matching strings of text. RegEx provides the functionality you will need to match data through the mechanism of capture variables, which you can use to map extracted log file data to field names that you define in OPN; in turn, these become data columns in the Analysis Grid viewer.
Tip
Message Analyzer also supports loading regular comma-separated-value (CSV) and tab-separated-value (TSV) data file formats directly, without the need for an OPN configuration file.
More Information
To learn more about how to create an OPN configuration file, download the OPN Configuration Guide for Text Log Adapter document. To learn more about other OPN configuration file requirements, see the Addendum 1: Configuration Requirements for Parsing Custom Text Logs topic.
Edit Message Data
Message Analyzer enables you to edit the data of any Live Trace Session or Data Retrieval Session. You can achieve this by modifying the session configuration and applying the changes you make. To modify the configuration for either of these types of sessions, simply click the Edit Session button on the global Message Analyzer toolbar to display the Edit Session dialog. The session configuration that displays in the Edit Session dialog depends on the session viewer tab that has focus (viewer tabs are below the global Message Analyzer toolbar). Note that only one session configuration exists for a specified session, regardless of how many data viewers are open in that session.
Note that the Edit Session dialog for a Live Trace Session is similar to the New Session dialog shown earlier in Figure 2, while the Edit Session dialog for a Data Retrieval Session is similar to the New Session dialog shown earlier in Figure 4, with exception of the Restricted Edit information bar.
Editing a Data Retrieval Session
When you open the Edit Session dialog for a Data Retrieval Session, it opens in Restricted Edit mode, which means you can add more files to the files list and display the data contained in such files without incurring a full reload of data. When the session changes take effect (after you click Apply in the dialog), the data from the new input files is appended to the existing data file import results. However, if you click the Full Edit button on the information toolbar, you have additional options to modify the session configuration.
Similar to initial configuration of a Data Retrieval Session, the changes you can make to the Data Retrieval Session configuration include not only more input data files, but one or more of the following as well:
When you edit a Data Retrieval Session with any of these features, the session data will be reloaded with the specified asset/s applied, for example, a Session Filter and/or a Time Filter. This enables you to modify the session results and obtain a different view of the data. You can edit a Data Retrieval Session in the specified manner as many times as you wish.
Editing a Live Trace Session
When you open the Edit Session dialog for a running, paused, or stopped Live Trace Session, it opens with no editing restrictions; this means you can make modifications to the session configuration and Apply them as required. Whatever changes you make to a running Live Trace Session will take effect on subsequent messages that the Live Trace Session in progress is capturing, that is, after you click Apply in the Edit Session dialog. If you edit a stopped or paused Live Trace Session, the changes do not take effect until you restart the session, either by clicking the Restart button or the Pause/Resume button, respectively, on the global Message Analyzer toolbar.
Similar to initial configuration of a Live Trace Session, the changes that you can make to the Live Trace Session configuration include one or more of the following:
More Information
To learn more about editing a session, see Editing Existing Sessions. To learn more about Trace Scenarios, see the Built-In Trace Scenarios topic. To learn more about working with system ETW providers, see Adding a System ETW Provider. To learn more about Advanced Settings for system ETW Providers, see the topics Using the Advanced Settings - Microsoft-PEF-NDIS-PacketCapture Dialog or Using the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture Dialog. To learn more about ETW session configuration, see Specifying Advanced ETW Session Configuration Settings. To learn more about Session Filters, see Working with Session Filters in a Live Trace Session and Applying a Session Filter to a Data Retrieval Session. To learn more about Time Filters, see Applying an Input Time Filter to a Data Retrieval Session. To learn more about Parsing Levels, see Setting the Session Parsing Level. To learn more about how to configure a session for capturing traffic on remote computers, see Configuring a Remote Capture. To learn more about how to configure multiple data sources, see Configuring Session Scenarios with Selected Data Sources.
View Message Data
Message Analyzer provides many different data viewers and Layouts in which to present data that you capture from a Live Trace Session or load from a Data Retrieval Session. It even provides Window Layout presets that each have the Analysis Grid viewer in common along with varying arrangements of Message Analyzer Tool Windows, to create custom working environments that suit the type of troubleshooting and analysis that you typically perform.
The Analysis Grid viewer is the main analysis surface provided by Message Analyzer. It has a tree grid configuration with selectable column Layouts that expose a wide array of data fields that are useful for analyzing different types of data. It also uses a unique message encapsulation and stacking scheme to organize data so that important information is readily accessible at the top-level of the display. This configuration eliminates the time normally needed to search for related but dispersed information in trace files that contain a high volume of messages.
For example, in the Analysis Grid viewer, the message stack is encapsulated under expandable top-level transactional messages and Operations, while message fragments at the Transport Layer are reassembled as part of the PEF Runtime parsing process. Moreover, each line of data in the Analysis Grid viewer displays message data as expandable top-level parent nodes that contain all the child node (message stack) messages and message fragments that were involved in a particular transaction or Operation. Note that you do have the option to display message data in any Message Analyzer data viewer that you select, however, the encapsulation and stacking scheme only exists in the Analysis Grid viewer. The Analysis Grid viewer, which is shown in the subsection that follows, is fully described in the Analysis Grid Viewer topic.
The material of this section is covered in the following topics.
Organizing Messages in the Analysis Grid Viewer
Grouping Messages in the Analysis Grid Viewer
Grouping Messages in the Grouping Viewer
Applying Viewpoints
Viewing Message Details
Viewing Other Message Data
Viewing Data from Multiple Sessions
Limiting the Scope of Applied Assets
Driving Interaction Between Data Viewers
Using Window Layouts
Using Message Analyzer Profiles
Organizing Messages in the Analysis Grid Viewer
As indicated earlier in this Tutorial, the overarching approach to analysis in Message Analyzer is to bring key data into focus wherever possible to make it more accessible, which streamlines and therefore expedites the analysis process. In keeping with this approach, the Message Analyzer Runtime creates Operation nodes for protocols that use the request/response conversation architecture, such as DNS, HTTP, SMB2, and so on. The Runtime also reassembles the message stack, including fragments (such as TCP virtual segments), and by default hides them under expandable top-level message nodes in the Analysis Grid viewer for easy access. For example, a top-level message node could be an Operation that encapsulates a request/response message pair, under each of which resides the message stack and fragments that supported the Operation.
By organizing messages this way, you can easily determine such important values as the ResponseTime, which can tell you how long it is taking to receive the first server response to a request message; by utilizing this feature, you can avoid searching through potentially hundreds, if not thousands, of messages to find such a response message. The ResponseTime is important to analysis because it can indicate how long a service is taking to respond, which can rule out network issues while potentially indicating server issues instead. Note that by sorting the ResponseTime column in the Analysis Grid viewer, you can readily determine the specific Operations that had the longest response times. However, to view ResponseTime data, you will need to add this Global Annotation from the Field Chooser Tool Window as a new Analysis Grid column.
Another important value is the ElapsedTime, which can tell you how long an Operation is taking to complete; this includes how long it took to receive all the associated message fragments. If the ElapsedTime is a comparatively high value with respect to ResponseTime, this could be an indication of a network issue. Also, by performing a sort of the ElapsedTime column in the Analysis Grid viewer, you can determine the specific Operations (with fragments) that took the longest to complete — which can be a cue for further investigation.
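As an added example that is not part of this tutorial or of Message Analyzer's own code, the following Python derives the two annotations described above from a flat message list and ranks Operations the way sorting the ResponseTime and ElapsedTime columns does; the op_id correlation key, the message kinds and the sample timestamps are assumptions made for the example.

```python
"""Constructed example: compute ResponseTime and ElapsedTime for Operation nodes."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Message:
    number: int        # message number, as shown in the Analysis Grid
    timestamp: float   # seconds since the start of the trace
    kind: str          # "request", "response" or "fragment" (e.g. a TCP segment)
    op_id: int         # hypothetical correlation key tying the message to one Operation


@dataclass
class Operation:
    """A top-level Operation node: one request, its response(s) and any fragments."""
    op_id: int
    request: Message
    responses: List[Message] = field(default_factory=list)
    fragments: List[Message] = field(default_factory=list)

    @property
    def response_time(self) -> Optional[float]:
        """Time from the request to the first server response; None if none was seen."""
        if not self.responses:
            return None
        return min(r.timestamp for r in self.responses) - self.request.timestamp

    @property
    def elapsed_time(self) -> float:
        """Time from the request until the last message of the Operation, fragments included."""
        last = max(m.timestamp for m in [self.request, *self.responses, *self.fragments])
        return last - self.request.timestamp


def build_operations(messages: List[Message]) -> Dict[int, Operation]:
    """Encapsulate a chronological message list under Operation nodes keyed by op_id."""
    ops: Dict[int, Operation] = {}
    for m in sorted(messages, key=lambda x: x.timestamp):
        if m.kind == "request":
            ops[m.op_id] = Operation(m.op_id, m)
        elif m.op_id in ops:
            bucket = ops[m.op_id].responses if m.kind == "response" else ops[m.op_id].fragments
            bucket.append(m)
        # a response or fragment with no preceding request stays unencapsulated
    return ops


def slowest_by(ops: Dict[int, Operation], column: str) -> List[int]:
    """op_ids sorted descending by "response_time" or "elapsed_time" (undefined values skipped)."""
    scored = [(getattr(op, column), op.op_id) for op in ops.values()]
    scored = [(v, i) for v, i in scored if v is not None]
    return [i for _, i in sorted(scored, key=lambda t: t[0], reverse=True)]


def suspected_network_delay(ops: Dict[int, Operation], ratio: float = 2.0) -> List[int]:
    """Operations whose ElapsedTime is far larger than ResponseTime: the server answered
    quickly but the remaining fragments trickled in, which is the cue for a network-side issue."""
    return [op.op_id for op in ops.values()
            if op.response_time is not None and op.response_time > 0
            and op.elapsed_time > ratio * op.response_time]


# Constructed sample trace (timestamps in seconds; message numbers are arbitrary).
SAMPLE = [
    Message(10, 0.000, "request", 1),
    Message(11, 0.012, "response", 1),
    Message(12, 0.013, "fragment", 1),
    Message(13, 0.015, "fragment", 1),
    Message(20, 1.000, "request", 2),
    Message(21, 1.020, "response", 2),
    Message(22, 1.040, "fragment", 2),
    Message(23, 1.900, "fragment", 2),   # late segment: the Operation completes much later
    Message(30, 2.000, "request", 3),
    Message(31, 2.300, "response", 3),   # slow server, no fragmentation
    Message(40, 3.000, "request", 4),    # never answered: ResponseTime is undefined
]

if __name__ == "__main__":
    ops = build_operations(SAMPLE)
    for op_id in slowest_by(ops, "elapsed_time"):
        op = ops[op_id]
        print(f"Operation {op_id}: ResponseTime={op.response_time} ElapsedTime={op.elapsed_time:.3f}")
    print("Suspected network delay:", suspected_network_delay(ops))
```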
More Information
To learn more about the Field Chooser, see Using the Field Chooser and the Field Chooser Tool Window topics. To learn more about ResponseTime, see the Average Response Time for Operations topic.
Another important aspect of organizing messages as top-level nodes with an encapsulated network stack, is that it enables you to have immediate access to stack messages for quick analysis of details, whereas in other tools such as Microsoft Network Monitor, stack messages are typically chronologically dispersed across a set of trace results, making them difficult to find and correlate to a top-level transaction.
The top-level node and encapsulation configuration also provides a visual cue of Diagnosis messages that Message Analyzer drives to top-level, even when those errors occur at deeper stack levels. Although such errors can be initially hidden in the child messages that make up the encapsulated stack, nevertheless you can simply click the error icon at top-level to display the Diagnosis tab of the inline message details where you can review the error text, correlated to the Operation or other top-level message at hand. This provides easy access to error information without having to search through a multitude of messages to discover it. If you want to know exactly where in the stack the error occurred, you can merely expand the child message nodes until you find the specific message that contains the error icon that initially displayed at top-level.
As an example of the benefits of the described message organization, the figure that follows shows the Analysis Grid viewer with an expanded SMB2 Operation node containing a request/response message pair and the expanded message stack showing message fragments for a response message (which also has a Diagnosis error).
Figure 6: Message Analyzer expanded Operation node, message stack, fragments, and Diagnosis error
In this figure, note the highlighted SMB2 request and response message numbers 10545 and 10550, respectively, that are encapsulated under a top-level SMB2 Operation node which is designated by a blue-cubed icon. Also, the response message stack is expanded to show the stack messages which includes the message fragments that consist of one SMBTransport and two TCP fragments. Also note that the Operation message number 10545 contains a blue Diagnosis error icon that Message Analyzer bubbled up from the response message 10550 where the error actually occurred, so that you can see it at-a-glance from the top-level Operation node, even when this node is in the unexpanded state. Note that you can click the Diagnosis error icon in either location for more information, which in this case happens to specify an Application error with a Warning level.
Grouping Messages in the Analysis Grid Viewer
Another feature that is important to data analysis is the Group feature. By right-clicking selected Analysis Grid viewer columns in succession and selecting the context menu Group item for each one, you can create a data display of nested groups that provides a convenient way to organize and explore targeted trace data. As an additional example of grouping, you could create IPv4 Network and TCP Transport groups in the Analysis Grid viewer by executing the Add as Grouping command from the right-click context menu for these fields in the Field Chooser window to Group your data into these field-categories. This quickly organizes your data into groups of IP conversations that took place across a trace, with the TCP ports that supported those conversations nested within each IP group, resulting in a unique analysis perspective. However, to perform this operation, the Analysis Grid viewer must be in focus.
The Analysis Grid viewer Group feature essentially categorizes your data according to the field data you are grouping and the order in which you group it. The Group feature enables you to extract all the data from your trace into the categories that you establish through the grouping process, which results in bringing hidden or dispersed trace messages into what you might call a 'categorical focus'. A figure that shows the results of grouping data in the Analysis Grid viewer is provided in the topic that is referenced in the 'More Information' section that immediately follows.
More Information
To learn more about the Group function in the Analysis Grid viewer, see Using the Analysis Grid Group Feature.
Grouping Messages in the Grouping Viewer
You can also make use of the Grouping viewer, which has a set of built-in view Layouts that render your message data into a separate view of predefined nested Group configurations that integrate and interact with other data viewers to create unique analysis contexts. You can also create and save your own Grouping view Layouts that you customize to your environment based on message fields that you select from the Field Chooser window. The Grouping viewer is accessible from the New Viewer drop-down list that appears on the global Message Analyzer toolbar. A Layouts drop-down list is included on the Grouping viewer toolbar.
The Grouping viewer has functional similarities with the Analysis Grid viewer Group feature, in that they both enable you to create nested groups of data that are hierarchically categorized by the message fields that you use for the groupings. With the Grouping viewer, you can organize your traffic into summary hierarchies based on built-in or custom-designed Grouping view Layouts that are configured with message field groups in nested configurations. You can also manually adjust (pivot) your group Layout by dragging and dropping Group labels to change the nesting order and obtain different message correlation configurations that result in unique analysis contexts.
Grouping Viewer Advantages
The following summarizes the advantages of viewing data with the Grouping viewer, where you can:
Every Message Analyzer installation provides a default Message Analyzer Grouping View Layouts asset collection that appears in the Asset Manager dialog, where you can manage downloads and the auto-sync feature to update the collection. You can access the Asset Manager dialog from the global Message Analyzer Tools menu.
Example Layout
The figure that follows shows an example of the Grouping viewer with the File Sharing SMB/SMB2 view Layout, that displays three nested Groups as identified by the labels below the Grouping viewer toolbar: SessionIdName, TreeIdName, and FileName. This built-in Grouping viewer Layout was pre-configured with these Group names by locating the corresponding fields in the Field Chooser window under the QueryDirectoryRequest node of the SMB2 message hierarchy. You can add other related SMB2 fields as Groups at your discretion, by right-clicking a particular field in Field Chooser and selecting the Add As Grouping item in the context menu that appears. This action will create a new nested Group identified by the field name that you selected, at which time, the Grouping viewer data display will be refreshed to include the new Group.
Figure 7: Message Analyzer Grouping viewer selection interactively driving Analysis Grid message display
In this figure, the Grouping viewer shows a file name selected in the FileName group, which is *NULL*@#0x0000000000000191, and this group is nested under the TreeIdName Group value of PCUsers@#0x00000005, which in turn is nested under the SessionIdName Group value of (0x0000040000000029). The number of messages associated with this particular SMB2 operation is specified in the corresponding row under the Messages column of the Grouping viewer. Whenever you select a row of data in any Group in the Grouping viewer, the corresponding messages are interactively displayed in the Analysis Grid viewer for further analysis of message details, such as the message stack, message data, field data, diagnostics, and so on.
More Information
To learn more about the Grouping viewer, see the Grouping Viewer topic.
Applying Viewpoints
To simplify troubleshooting, Message Analyzer provides the Viewpoints feature that enables you to examine network traffic from the perspective of a protocol. An applied Viewpoint enables you to bring the messages of a particular protocol or module into focus for targeted analysis. By applying a built-in Viewpoint from the Viewpoints drop-down list on the Filtering toolbar shown in the figure below, you can focus on specific messages at top-level in the Analysis Grid viewer with no layers above them, as defined by the applied Viewpoint. Moreover, because the Viewpoint temporarily removes all messages above the applied protocol Viewpoint, only the protocol messages associated with the applied Viewpoint appear at top-level in the Analysis Grid viewer. This feature is advantageous when you have higher-layer traffic that obscures the underlying messages that you want to troubleshoot. For example, if you were interested in focusing on SMB messages at the Application Layer, you could apply the SMB/SMB2 Viewpoint as shown in the figure that follows. Protocols layered above SMB, such as RPC, are removed from the display, so that you see SMB messages only.
Note
Every Message Analyzer installation provides a built-in Message Analyzer Viewpoints asset collection that appears in the Asset Manager dialog, where you can manage downloads and the auto-sync feature to update the collection.
Figure 8: Message Analyzer SMB/SMB2 Viewpoint applied
In this figure, you can see that only SMB2 messages display in the Analysis Grid viewer when the SMB/SMB2 Viewpoint is applied, as indicated by the check mark in the Viewpoints drop-down list. To return to your original message set, simply select the No Viewpoint item in the list; if you want to apply a different Viewpoint, you can select another one directly without necessarily selecting the No Viewpoint item first.
You also have the option to disable Operations, which breaks apart the request and response messages so that they appear in their original chronological order, similar to the way Network Monitor displays messages. You can do this by selecting the Disable Operations Viewpoint. The result has similarities with the data view that is achieved when you click the Flat Message List button, which also simulates the Network Monitor display as described in Creating a Flat Message List.
More Information
To learn more about Viewpoints, see the Applying and Managing Viewpoints topic.
Viewing Message Details
You can obtain a full visual representation of message details in the Analysis Grid viewer, including field names, values, and types, by double-clicking any top-level parent message node or nested child message node. The indicated information is presented inline on a Fields tab. Note that the inline data can also include other data tabs such as the Stack, Diagnosis, and Embedded tabs, which provide other related message information that is described in the Message Details Tool Window topic. The figure below shows message field details inline on the Fields tab that displays when you double-click a message in the Analysis Grid viewer.
Figure 9: Message Analyzer inline message Details
You can also select any message in the Analysis Grid viewer to see the identical field details data in a separate window that is called the Details window, which typically displays below the Analysis Grid viewer and includes field Name, Value, Bit Offset, Bit Length, and Type data. For example, by selecting an Analysis Grid viewer message, the Details window immediately snaps to the selection and presents the field data for the selected message. Note that any field that you select in the Details window can drive the display of a hexadecimal value in the Message Data window or a decimal value in the Field Data window.
Viewing Other Message Data
Other Tool Windows are also available to enhance your data analysis perspective, for example, the Message Data, Field Data, Diagnostics, and Decryption Tool Windows. You can also view stack information in a separate window known as the Message Stack Tool Window, which provides an alternate view of the origins tree (message stack) below any top-level message that is normally hidden by collapsed message nodes in the Analysis Grid viewer. Note that many Message Analyzer Tool Windows are interactive, because they either drive or are driven by message or data selection in other windows or data viewers. For instance, by selecting a field in the Details Tool Window, the Message Data window immediately snaps to the selection and highlights the corresponding hexadecimal value of the selected field.
More Information
To learn more about Message Analyzer Tool Windows, see the Tool Windows topic.
Viewing Data from Multiple Sessions
Message Analyzer also provides session viewer navigation functionality from the Session Explorer Tool Window, to enable you to easily explore the data in different types of session data viewers, which can include Chart viewer Layouts that employ top-level data summaries in various graphic and tabular formats, the Grouping viewer, a Pattern Match viewer, the Gantt viewer, and several others that Message Analyzer provides. The Session Explorer window is accessible from the Windows drop-down list in the global Message Analyzer Tools menu.
Note
By right-clicking a session node in Session Explorer, you are presented with the New Viewer context menu item, which displays a drop-down list that enables you to select other data viewers that display data in separate session viewer tabs. Thereafter, any new data viewer that you specified is listed and uniquely identified by a color code in the Session Explorer window navigation area. If you select any Session Explorer node, Message Analyzer responds by immediately displaying the data on the session viewer tab that corresponds with the selected node.
The figure that follows shows an example of the SMB Top Commands Layout for the Chart viewer that you can select from the Charts drop-down list in the New Viewer drop-down list, which is accessible from the Session Explorer context menu. This Layout enables you to obtain a high-level summary view that depicts the relative distribution of traffic volume, from the highest to the lowest volume, for SMB commands in a set of trace results. The Layout uses a Bar element visualizer component to display the command volumes for various operations such as Create, Read, Close, and QueryInfo, which enables you to quickly evaluate the SMB commands that are consuming the most bandwidth.
Figure 10: Message Analyzer SMB Top Commands Chart viewer Layout
In the figure, note that the Session Explorer window uses a common color code to identify session and viewer nodes of the same session. The same color code is used to correlate the corresponding session viewer tabs above the main analysis surface, for ease of identification. Also, session viewer nodes in Session Explorer and session viewer tabs are assigned a different color code to distinguish the data of different sessions. In addition, if any assets have been applied to a session, such as a view Filter or Viewpoint, a funnel icon displays to the right of the session viewer node in Session Explorer. Also note that when hovering your mouse over a session node in Session Explorer or over a session viewer tab, a tool tip appears with additional information, for example, the available message count and/or type of asset applied to the session viewer.
Limiting the Scope of Applied Assets
The effects of assets that you apply to any data viewer are limited in scope to the data viewer where you apply the asset. This means that no other data viewer will be affected by this action, whether the viewer is in the same session or a different session. You should note that the Filtering toolbar, from where you apply assets such as view Filters, Time Filters, and Viewpoints, is displayed above every data viewer that contains trace results. This is the case for Chart viewer Layouts as well. This enables you to apply different assets to different data viewers without the effects extending outside the particular viewer where an asset is applied. Note that the Grouping viewer has a separate instance of the same Filtering toolbar, and any assets that you apply to the Grouping viewer affect the Grouping viewer display only.
Driving Interaction Between Data Viewers
Some Message Analyzer data viewers are interactive, in that data selection in one viewer drives the display of data in another viewer (or Tool Window). For example, in a Chart viewer Layout, you can double-click a bar element in the Bar visualizer component or a module node in the Timeline visualizer component that represents the messages of a particular protocol that were captured in a trace, and display only those messages in a new Analysis Grid viewer tab for data assessment purposes. You might do this to isolate a group of messages where further investigation is required. Similarly, you can select a message in the Analysis Grid viewer and drive the display of the network stack in the Message Stack window.
Other types of interactions that occur when performing actions such as message, field, or session selection, include the following.
Using Window Layouts
Message Analyzer enables you to customize the working environment in which you manipulate data and perform analysis. Message Analyzer does this by providing several built-in Window Layouts that organize the Analysis Grid viewer along with different Tool Windows into preset configurations that enable you to customize your working environment for the type of troubleshooting and analysis you perform. The window layouts are accessible from the Window Layout drop-down list on the global Message Analyzer toolbar. When you shut down Message Analyzer, the window configuration that you last displayed is registered in a configuration file so that the window configuration persists through subsequent Message Analyzer startups.
The Window Layout presets that you can select range from simple to increasingly more complex selections, given that they are intended to accommodate a cross-section of typical Message Analyzer users. The typical layout configuration consists of a single/default data viewer and an arrangement of one or more Tool Windows. However, you can organize your data windows any way you want.
By default, Message Analyzer uses the Analysis Grid viewer in all the built-in Window Layouts; however, after you display one of the presets, you can select a different viewer of choice if you wish. You can also add other Tool Windows to any of the built-in Window Layouts, as needed, although you cannot modify the configuration of the built-in Window Layouts. Rather, any Tool Windows that you add to a displayed Window Layout are registered in the previously mentioned configuration file to persist the configuration across Message Analyzer restarts.
More Information
To learn more about Window Layouts, see Working with Message Analyzer Window Layouts.
Using Message Analyzer Profiles
Message Analyzer now provides the Profiles feature, which enables you to use built-in or custom-specified data viewer and Layout presets that activate whenever you load data from specific types of input files. Prior to the introduction of this feature, you had to manually select viewer Layouts in which to display your data whenever you wanted to analyze data from different types of input files that you load into Message Analyzer. Moreover, it is likely that you had to engage in a trial-and-error process to discover the best Layout with the right context for the type of data you were analyzing. Even then, earlier versions of Message Analyzer had a minimal selection of Layouts from which to choose, but this is remediated in Message Analyzer v1.4.
Because Message Analyzer viewing components can expose data in different ways, you can obtain different analysis contexts for the data with different viewer Layouts, although if you are a new user, you may not always know which viewer Layout will maximize your data analysis capabilities in a given instance. The default Layout for the Analysis Grid viewer contains a baseline set of data columns that is suitable for many environments, as described in the Default View Layout topic. However, this is only a starting point, as there are many different Layouts that you can select from the Layout drop-down list on the Analysis Grid viewer toolbar. Similarly, you can select numerous Layouts for the Grouping and Chart viewers.
Displaying Predefined Analysis Environments with Built-in Profiles
Some of the Layouts that Message Analyzer provides for the previously indicated data viewers are designed to work with each other to create an integrated and interactive analysis environment that exposes key information. You can select these manually if you know which ones are designed for integrated analysis, or to automate the process, you can simply select one of many built-in Message Analyzer Profiles that each define different Layout configurations for the Analysis Grid, Chart, and Grouping viewers, depending on the type of input data to be analyzed.
After a specific Profile is enabled in the Options dialog, as shown in the next figure, its preset viewer and Layout configuration automatically displays with populated data whenever you load data from an input file type for which the enabled Profile is designed, for example, a *.etl, *.cap, or *.log file. The analysis environments created by the built-in Profiles are predefined by Microsoft to expose the data that is typically the most important for problem solving, and to expose it in a way that provides multiple perspectives on the data, from low-level details and calculated statistics to high-level overviews and other data summaries.
The built-in Profiles along with usage overviews and analysis examples are described in Working With Message Analyzer Profiles.
Note
Message Analyzer Profiles are contained in an updatable package that is known as the Message Analyzer Profiles asset collection. You can set this asset collection for automatic updates in the Asset Manager dialog, which is accessible from the global Message Analyzer Tools menu.
Locating the Built-In Profiles
The figure that follows shows the Profiles tab of the Options dialog, where the Advanced Profiles list contains all the built-in Profiles that are available for selection/enabling. You can use these Profiles as is, or you can create your own Profiles with the use of the Add Profile feature. If you want to see the internal configuration of viewer Layouts for any of the built-in Profiles, select the Profile of interest and then click the Edit Profile button on the Advanced Profiles toolbar. Note that the built-in Profiles are ReadOnly and cannot be edited, although you can edit any Profile that you custom design. You can access the Options dialog from the global Message Analyzer Tools menu.
Figure 11: Message Analyzer Profiles tab of the Options dialog
Example Scenario
A scenario in which you could use a built-in Profile might be if you regularly analyze *.cap files for specific types of information that require a particular view of data that quickly exposes the information you need to examine for capture file analysis. To display a typical viewer and Layout configuration for data in this file type, Message Analyzer enables you to use the built-in Network Monitor Profile for *.cap files, which defines a data viewer and Layout configuration that is suitable for analysis of capture file data. When this Profile is enabled and you load data from a *.cap file, Message Analyzer will automatically populate the data in the viewer and Layout configuration that is described in the table that follows. You can view this configuration of viewers and Layouts in the Network Monitor Profile dialog that displays when you click Edit Profile while the Network Monitor Profile for *.cap files is selected in the Advanced Profiles list on the Profiles tab of the Options dialog.
Table 2. Viewer/Layout Configuration for the Network Monitor Profile
The figure that follows shows what this viewing configuration looks like after data from a .cap file is loaded into Message Analyzer.
Note
You will need to manually open the Chart viewer Layout for the Profile by selecting the Default item in the Chart drop-down list in the New Viewer drop-down list on the global Message Analyzer toolbar. Whenever the data of an input file related to an enabled Profile is loaded into Message Analyzer, selecting the Default item references the Chart viewer Layout configured in the Profile and causes it to be displayed.
Figure 12: Message Analyzer Network Monitor Profile components
In the figure, an IP conversation is selected under the Outlook ProcessName group in the Grouping viewer, which is on the left side of the Message Analyzer user interface (UI). Because the Grouping viewer is in Selection Mode, as described in Grouping Viewer Modes of Operation, Group selection causes the messages that correspond to the conversation to be interactively highlighted in the Analysis Grid viewer (the preceding figure shows only three of them due to display constraints). By identifying these messages, you can then analyze them in further detail with the use of the Message Stack, Details, and Message Data Tool Windows.
In addition, the same conversation is selected in the TCP/UDP Conversations by Message Count view Layout, which uses a Table grid visualizer component to provide a data set that includes statistics such as conversation message count, payload, data transmission rate, and duration. Note that many of the data column values, such as Count, Bytes, KBs, Duration, and BPS, are calculated values based on data formulas that were created by Microsoft with the Edit Chart Layout dialog.
More Information
To learn more about using the TCP/UDP Conversations by Message Count Chart viewer Layout, see the TCP/UDP Conversations by Message Count topic.
In Conclusion
The built-in Message Analyzer Profiles are important tools for data correlation, analysis, and problem solving. They enable you to display integrated analysis environments that expose key data fields, calculated statistics or other low-level details, and data summaries that help you to achieve the data perspectives you need to quickly discover areas where issues are occurring. If you configure your own custom-designed Profiles, you have the opportunity to decide which viewers and Layouts you will use to expose your data.
More Information
To learn more about Message Analyzer Profiles, see Working With Message Analyzer Profiles. To learn more about the Message Analyzer Session Explorer Tool Window, see the Session Explorer Tool Window topic. To learn more about using the Asset Manager dialog, see the Asset Manager topic. To learn more about the Message Analyzer data viewer infrastructure, see Data Viewer Concepts. To learn more about Message Analyzer data viewers that you can work with during data analysis, including numerous Layouts for the Chart viewer, see the Data Viewers topic.
Filter Message Data
Message Analyzer provides numerous filtering capabilities to enhance data retrieval, capture, and assessment processes. Filtering is critical for focusing on specific messages and enhancing performance. For example, if you were unable to filter message data in a Live Trace Session, you might need to examine potentially tens of thousands of messages to isolate a specific problem. What most Message Analyzer users need to observe is usually related to a specific protocol, error message, conversation, or process. By providing the ability to filter while retrieving, capturing, or viewing data, Message Analyzer provides a convenient way to reduce the scope of the data that you are working with and more effectively pinpoint your issues.
The material that describes these capabilities is included in the sections that follow.
Using a Session Filter
Using Special Filters for a Live Trace
Using View Filters to Manipulate a Set of Trace Results
Creating Custom Filters
Using a Session Filter
When capturing data or loading data into Message Analyzer through a Live Trace Session or a Data Retrieval Session, as shown in the figures of the earlier sections: Configuring a Live Trace Session and Retrieve Message Data, you can use the Session Filter feature to isolate specific data that you want to work with. You can select a built-in Session Filter from the Message Analyzer Filters asset collection Library drop-down list that appears on the Session Filter toolbar of the New Session dialog, or you can create a custom Filter of your own design. After specifying a Session Filter and clicking the Start button for a configured Live Trace Session or Data Retrieval Session, the filtering action is automatically applied in the background as messages are filtered and delivered to the default data viewer, for example, the Analysis Grid viewer. A Session Filter works in the same way most filters work, by passing data that matches the filtering criteria and dropping any data that does not. However, you should carefully note that you can never recapture the data that you filter out with a Session Filter in a Live Trace Session, whereas with a Data Retrieval Session, you can always click the Edit Session button on the global Message Analyzer toolbar to return to session configuration, where you can remove or recast your filtering criteria and then reload the data from the originally specified saved files. A Session Filter is shown in the figure that follows.
Figure 13: Session Filter for a Live Trace Session
For instance, when configuring a Session Filter, you could specify a Filter Expression that isolates messages to a specific network address, port, or protocol, or that contains a particular field value or other text. For a Live Trace Session, the effects of a Session Filter are applied at the time of data capture, therefore, your trace results will already reflect application of the filtering. For a Data Retrieval Session, the effects of a Session Filter are applied at the time of data loading, therefore, the loaded data will already reflect application of the filtering. By contrast, the effects of a view Filter are applied to a set of trace results or loaded data results and are temporary, as you can alternately remove or apply the Filter repeatedly as required, or even modify it, during data analysis.
The figure that follows reflects the application of the above specified Session Filter SMB.FileName ~= "" OR SMB2.FileName ~= "" during data capture, which limits the trace to SMB or SMB2 messages that have a FileName field populated with data, as described in the File Sharing Category topic. Thereafter, an IPv4 Gradient Right Color Rule (with dark green highlights) was applied to the Live Trace Session results to quickly expose messages that are using the IPv4 protocol, for analysis purposes.
Figure 14: Message Analyzer Analysis Grid viewer results with a Session Filter and Color Rule Applied
Using Special Filters for a Live Trace
You also have the option to use many other types of filters in a Live Trace Session, depending on the Trace Scenario and operating system you are running, as follows:
More Information
To learn more about the filtering capabilities of the Microsoft-Windows-NDIS-PacketCapture provider, see Using the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture Dialog. To learn more about Fast Filters and WFP Layer Set filters, see the Microsoft-PEF-WFP-MessageProvider topic. To learn more about Fast Filter Groups and System Network Adapter Group filters, see the PEF-NDIS Fast Filters and Using the Advanced Settings - Microsoft-PEF-NDIS-PacketCapture Dialog topics. To learn more about HostName and Port filters, see the Microsoft-PEF-WebProxy Provider topic. To learn more about Keyword event and error Level filters, see the System ETW Provider Event Keyword/Level Settings topic. To learn more about NDIS stack, Hyper-V-Switch extension layer, host adapter, and other special filters, see the Configuring a Remote Capture and Using the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture Dialog topics.
Important
Message Analyzer provides you with the versatility to apply a Time Filter to the results of a Live Trace Session, the results of a Data Retrieval Session, or to the data loading process. In the latter case, you can achieve performance enhancements due to the effects of a Time Filter on reducing the input message volume that is loaded into Message Analyzer. But this can have an effect on usability when the filtered-out messages have a bearing on the analysis in which you are engaged. When this is the case and you want to recover messages that the input Time Filter dropped, you will need to edit the session as described earlier, to create a different Time Filter configuration; this also has an impact on usability. Therefore, you might want to further consider the tradeoffs between performance and usability, especially when loading data from very large files.
More Information
To learn more about the impacts on performance and usability with the Time Filter feature, see Considering Performance vs. Usability Factors for Time Filter Application.
More Information
To learn more about Time Filters, see Applying a Time Filter to Session Results and Applying an Input Time Filter to a Data Retrieval Session.
Using View Filters to Manipulate a Set of Trace Results
After you capture or retrieve your message data in a Live Trace Session or Data Retrieval Session, respectively, you have a baseline set of trace results to work with. However, it is very likely that to analyze the data, you will want to manipulate it with various Message Analyzer tools to isolate specific messages of interest that can expose issues you are trying to detect. One of the most common ways to do this is to use a view Filter to filter for data that is relevant to the problem you are trying to solve while filtering out data that isn't. This enables you to create a set of messages that is focused on the data you need to examine, without the encumbrance of scrutinizing potentially hundreds if not thousands of messages that are irrelevant to the issue at hand. When you apply a view Filter, the original data set is always preserved and re-displays after you remove the Filter. Note that the effects of a view Filter apply to the in-focus data viewer only and do not impact other viewers, even in the same session.
You can display the configuration controls for a view Filter by selecting Add Filter from the Add Filter drop-down list on the Filtering toolbar that appears above all session data viewers. The controls that display in the Filter configuration panel enable you to specify a built-in or custom Filter, and then apply and remove it as required, as described in Applying and Managing Filters.
The built-in view Filters are contained in a centralized Library that is exposed in the following locations.
Tip
You can also specify a view Filter for a set of trace results by right-clicking a data field value in an Analysis Grid viewer column and selecting Add '<ColumnName>' to Filter, where '<ColumnName>' is a placeholder for the data column under which the data field appears. Note that this action automatically creates the Filter Expression in the Filter configuration panel, but does not apply it. As a result, you must manually apply such a Filter by clicking the Apply button in the Filter configuration panel. This feature enables you to automatically code a column value into a valid Filter Expression, which you can quickly apply to a set of trace results.
To specify a view Filter, Session Filter, Find Message filter, Color Rule filter, or Viewpoint Filter for a set of trace results, you will need to either select a built-in Filter Expression from the centralized Library in the above specified locations, or manually create one as described in Writing Filter Expressions. You will then need to click the Apply button (or Find command in the case of Find Message filters) for the Filter configuration to take effect. The centralized Library contains the built-in Filter Expressions that are provided by the Message Analyzer Filters asset collection in every Message Analyzer installation, for which you can use the following for the indicated purpose:
More Information
To learn more about the functionality of the built-in view Filters, see the Filtering Live Trace Session Results topic, which describes each Filter in the centralized Filter Expression Library. To learn more about auto-syncing, downloading, and managing the Message Analyzer Filters asset collection with the Asset Manager dialog, see the Sharing Infrastructure and Managing Asset Collection Downloads and Updates topics.
Creating Custom Filters
To create your own Filter Expressions, you will need to understand the Message Analyzer Filtering Language. This Operating Guide devotes a significant amount of coverage to the subject, to help you understand and use the Filtering Language, as described in the 'More Information' section that follows. Note that Message Analyzer provides the Filter IntelliSense service to assist you in creating your own Filter Expressions. Filter IntelliSense is an interactive and intelligent statement completion service that responds to the text that you enter in any Filter Expression text box, by providing a display of choices in response to the characters you type.
When you create your own custom Filters, you must save them to the centralized Filter Expression Library that is exposed in the locations described earlier if you want such Filters available for future use and for sharing with others. However, before you save a Filter that you created, Message Analyzer performs a simple verification check to ensure that you have a valid expression, although checks on field names are less restrictive in Message Analyzer v1.4 to enable operation with other parsers. Note that when you create and save a custom Filter, it is placed in the My Items category in the Filter Expression Library. Thereafter, you can simply select your custom Filter from the Library whenever you want to use it.
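As an added example that is not code from the Message Analyzer documentation or the product, the following Python evaluates a subset of the Filtering Language covered here and in Using a Session Filter above (Module.Field comparisons joined by AND and OR), runs the page's Session Filter SMB.FileName ~= "" OR SMB2.FileName ~= "" over constructed messages, and contrasts that one-time capture filter with a view Filter over a preserved result set. It assumes that ~= is a case-insensitive contains test and that a comparison on a field the message lacks evaluates to false; the sample messages and their ids are constructed.

```python
"""Added example (not the Message Analyzer documentation's own code): an evaluator for the
subset of the Filtering Language this page uses, run over constructed messages to show why
the page's Session Filter  SMB.FileName ~= "" OR SMB2.FileName ~= ""  keeps only SMB/SMB2
messages that carry a FileName field, and how a Session Filter (applied once, at capture)
differs from a view Filter (applied to a preserved result set). Assumptions: '~=' is a
case-insensitive 'contains' test and a comparison on a field the message lacks is false."""
import re

# One token: quoted string, integer, Module.Field name or AND/OR keyword, or an operator.
_TOKEN = re.compile(r'\s*(?:"([^"]*)"|(\d+)|([A-Za-z_][\w.]*)|(~=|==|!=|<=|>=|<|>))')
_OPS = {"~=": lambda a, b: str(b).lower() in str(a).lower(), "==": lambda a, b: a == b,
        "!=": lambda a, b: a != b, "<": lambda a, b: a < b, ">": lambda a, b: a > b,
        "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b}

def tokenize(expr):
    """Return (kind, value) tokens: str, num, field, kw (AND/OR) or op; reject anything else."""
    if not re.fullmatch(f"(?:{_TOKEN.pattern})*\\s*", expr):
        raise ValueError(f"invalid Filter Expression: {expr!r}")
    tokens = []
    for text, number, word, op in _TOKEN.findall(expr):
        if op:
            tokens.append(("op", op))
        elif number:
            tokens.append(("num", int(number)))
        elif word:
            tokens.append(("kw", word.upper()) if word.upper() in ("AND", "OR") else ("field", word))
        else:
            tokens.append(("str", text))      # also reached for "", the empty quoted string
    return tokens

def parse(expr):
    """Parse into OR alternatives, each a list of (field, op, literal) terms joined by AND
    (OR binds loosest). Malformed terms are rejected, as when a Filter is verified before saving."""
    alternatives, terms, term = [], [], []
    for kind, value in tokenize(expr) + [("kw", "OR")]:       # sentinel flushes the last term
        if kind != "kw":
            term.append((kind, value))
            continue
        if [k for k, _ in term] not in (["field", "op", "str"], ["field", "op", "num"]):
            raise ValueError(f"expected Module.Field <op> literal, got {term}")
        terms.append(tuple(v for _, v in term))
        term = []
        if value == "OR":
            alternatives.append(terms)
            terms = []
    return alternatives

def matches(parsed, msg):
    """True if some alternative has all its terms true; a field absent from msg never matches."""
    return any(all(field in msg and _OPS[op](msg[field], lit) for field, op, lit in terms)
               for terms in parsed)

def session_filter(stream, expr):
    """Session Filter: evaluated as each message arrives; anything dropped is never stored."""
    parsed = parse(expr)
    return [m for m in stream if matches(parsed, m)]

class TraceResults:
    """Baseline results of one data viewer; a view Filter changes only what is visible."""
    def __init__(self, messages):
        self.baseline = list(messages)

    def show(self, view_expr=None):
        """Apply a view Filter (None removes it); the baseline is preserved and re-displays."""
        parsed = parse(view_expr) if view_expr else [[]]     # [[]]: no terms, everything passes
        return [m for m in self.baseline if matches(parsed, m)]

# Constructed messages flattened to "Module.Field": value (not a real trace).
SAMPLE_CAPTURE = [
    {"id": 1, "IPv4.Source": "10.0.0.5", "SMB2.Command": "Create", "SMB2.FileName": "Budget.xlsx"},
    {"id": 2, "IPv4.Source": "10.0.0.5", "SMB2.Command": "Negotiate"},
    {"id": 3, "IPv4.Source": "10.0.0.7", "SMB.Command": "Open", "SMB.FileName": "notes.txt"},
    {"id": 4, "IPv4.Source": "10.0.0.9", "TCP.Port": 445},
]
SESSION_FILTER = 'SMB.FileName ~= "" OR SMB2.FileName ~= ""'    # the page's Session Filter

def ids(messages):
    return [m["id"] for m in messages]

if __name__ == "__main__":
    captured = session_filter(SAMPLE_CAPTURE, SESSION_FILTER)
    print("Session Filter kept:", ids(captured))                  # 2 and 4 cannot be recaptured
    results = TraceResults(captured)
    print("view Filter applied:", ids(results.show('SMB2.FileName ~= "budget"')))
    print("view Filter removed:", ids(results.show()))
```

Messages 2 and 4 never reach the result set once the Session Filter drops them, whereas removing the view Filter brings back everything the viewer still holds.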
More Information
To learn more about the Filtering Language, see Writing Filter Expressions. To learn more about the Filter IntelliSense feature, see Filter IntelliSense Service.
Analyze Message Data
When analyzing data that you have either captured live on the network, loaded into Message Analyzer, or retrieved from a device such as a Bluetooth device, you have the option to apply various types of filters to manipulate the way data is presented for analysis purposes. For example, you could apply various view Filter, Time Filter, Color Rule, Column Filter, and Grouping configurations to a set of trace results, to name a few. In addition, you might use the Pattern Match capability to detect message patterns across a set of trace results.
Advisory
To review summary descriptions of the analysis tools that are available in Message Analyzer, see Analyzing Message Data. For further details about the tools mentioned in this topic, see 'More Information' at the end of this section.
Data Analysis Feature Highlights
Some highlights of the options you have for manipulating data are included here in the following features.
Other Data Analysis Features
Other techniques that you can use to analyze data consist of the following:
More Information
To learn more about the details of working with filters and other data manipulation features for analysis, see the following topics:
Using the Filtering Toolbar
Applying and Managing Filters
Applying a Time Filter to Session Results
Applying and Managing Viewpoints
Working With Operations
Creating a Flat Message List
Using the Find Message Feature
Using the Go To Message Feature
Filtering Column Data
Using and Managing Color Rules
Pattern Match Viewer
Using the Analysis Grid Group Feature
Grouping Viewer
Applying and Managing Analysis Grid Viewer Layouts
Using the Field Chooser
Using and Managing Message Analyzer Aliases
Configuring and Managing Message Analyzer Unions
Setting Time Shifts
Tool Windows
Save Message Data
After you have performed analysis of your message data, you have the option to save it in the Message Analyzer native .matp file format or in the .cap format, as described in Saving Message Data. Thereafter, if you want to work further with the data or share it with others, you can quickly load the data back into Message Analyzer through a Data Retrieval Session, or you can load the data by using the Open dialog, which is accessible from the global Message Analyzer File menu or from the global Message Analyzer toolbar.
The figure that follows illustrates the Save/Export Session dialog, in which you can choose the messages you want to save. You have the option to save all messages that you captured in a Live Trace Session or loaded from a Data Retrieval Session, filtered messages only, or you can select specific messages to save.
Figure 15: Message Analyzer Save/Export Session dialog
The following summarizes the different ways to save message data:
If you have a session configuration that consists of an aggregation of data from multiple sources that you have analyzed, Message Analyzer enables you to save your results to a single file in the default .matp format. Note that when you export your data as a .cap file, it will be compatible with the Microsoft Network Monitor tool and other applications, with certain exceptions that are described in Compatibility with Exported CAP Files.
More Information
To learn more about saving Message Analyzer data, see Saving Message Data.