Applying and Managing Viewpoints

In Message Analyzer, the default Analysis Grid viewer focuses on top-level messages to provide a compact display of data summaries, so that you can very quickly understand issues at a high level. As a result, other important details can be hidden in this view, such as the underlying origins messages that support operations or other top-level messages. However, because awareness of the activities of specific protocols at the lower layers can be crucial to data analysis, it is often necessary to achieve a focused analytical perspective at these levels. Moreover, it can also be advantageous to be able to view only the traffic of a particular higher-layer protocol, for example, HTTP. In Message Analyzer, this is made possible through the application of Viewpoints.

Protocol Viewpoints
To make your troubleshooting efforts easier, Message Analyzer enables you to examine network traffic from the perspective of a protocol, where you can display the specific protocol messages at top-level in the Analysis Grid with no layers above them. For this reason, Viewpoints could be considered layer filters because they temporarily remove the display of all messages above the applied protocol Viewpoint, such that only those protocol messages appear at top-level in the Analysis Grid viewer.

For example, when viewing trace results in the Analysis Grid viewer, you may have higher-layer traffic that obscures the underlying messages that you want to troubleshoot. By default, the Analysis Grid viewer displays top-level messages and operations in single rows with expandable nodes, where the message origins or underlying call stack is concealed under multiple lower-level expansion nodes. As a result, you can only examine the details of messages in the underlying layers by expanding the message nodes one by one to expose the protocol or module layer that you want to troubleshoot. Repeating this process for many messages can become very labor intensive.

To alleviate this difficulty, Message Analyzer provides preconfigured Viewpoints that enable you to expose the data for specific message types in top-level rows of the Analysis Grid, with all the upper-layer messages above the Viewpoint level removed. However, even though the upper-layer messages are removed, you can still view the call stack in its entirety for any viewpoint message by opening the Call Stack tool window. Thereafter, when you select any viewpoint message in the Analysis Grid viewer, the selected viewpoint message and the layers above and below it display in the Call Stack tool window to give you some layering context, along with a quick view of Summary statistics for messages at each layer.

Toggling Operations
When you capture messages that are part of an operation, Message Analyzer normally collapses this traffic to combine related request and response message pairs into a single, top-level message line that contains a blue cubed icon to indicate an operation. However, because it is important to understand the interaction between requests and responses, Message Analyzer also enables you to toggle operations with the Hide Operations button, so you can alternately hide and show them in the Analysis Grid.

When you hide operations, you can expose additional messages that match the currently applied Viewpoint. For example, if you have an operation consisting of HTTP request and response message pairs grouped under a single top-level message node after applying the HTTP Viewpoint, the HTTP response component of the operation might still be buried inside multiple expansion nodes in the Analysis Grid viewer. By toggling the Hide Operations button, you can expose the HTTP response message at the top level in the Analysis Grid viewer. However, you might lose some context as the request and response messages will no longer be grouped together as a single operation, but chronologically sorted instead.

Note: When you hide operations, the original top-level parent message of the operation remains at top-level in the Analysis Grid viewer, for example a request message along with its child messages that you can expose with expansion nodes. However, the other messages that comprised the operation are removed from the operation group, for example the response message along with its child messages. All these messages are then redisplayed in chronological order.

Applying Preconfigured Viewpoints
By default, Message Analyzer provides several preconfigured Viewpoints that consist of the following:

  • TCP — this Viewpoint reorganizes your data and places TCP messages on top, which can facilitate diagnosis of TCP performance issues that include the analysis of TCP SequenceNumber and AcknowledgementNumber values, TCP flags such as SYNs and ACKs, retransmits, broken three-way handshakes, window size, TCP options, and so on.

  • TCP Reassembled — since Message Analyzer automatically reassembles payloads, the details can be hidden under a Virtual TCP Segment. By applying this Viewpoint, you can observe the TCP Viewpoint after reassembly has occurred.

    Note: Applying either of the TCP Viewpoints will automatically hide operations.

  • UDP — provides perspective from the Viewpoint of the UDP transport protocol.

  • HTTP — an application-layer Viewpoint that places HTTP messages at top-level in the Analysis Grid. Provides a convenient way to analyze the request/response pairs of HTTP operations.

  • SMB/SMB2 — an application-layer Viewpoint that places SMB and SMB2 messages at top-level in the Analysis Grid by removing RPC and any other message layers on top, such as GSSAPI and Kerberos.

  • IPv4 — a network-layer Viewpoint that enables you to more easily troubleshoot IP conversations, by pushing all IPv4 messages to top-level in the Analysis Grid. Note that you can enhance your analysis capabilities by using the Group command to partition the IPv4 conversations into groups.

  • IPv6 — a network-layer Viewpoint that enables you to more easily troubleshoot IP conversations, by pushing all IPv6 messages to top-level in the Analysis Grid. You can also enhance your analysis capabilities by grouping, as specified in the previous bullet point.

  • ETW — enables you to remove all messages above the ETW layer to simplify event diagnostics. This Viewpoint can also facilitate easier analysis of components that are instrumented as ETW providers to use event logging.

Tip: To configure a Viewpoint as a Favorite, click the white star to the left of the Viewpoint in the Viewpoints drop-down menu. When you do, the white star changes to the color yellow and the Viewpoint is also added to the My Viewpoints list under Favorites in the Viewpoints drop-down. You can also create a Favorite by right-clicking a Viewpoint and selecting the Favorites item from the context menu that displays. If the Viewpoint is already a Favorite, you can remove the Favorite status by clicking the check mark next to that Viewpoint item in the context menu.

Processing Viewpoints
When messages are parsed by Message Analyzer, they are indexed. When you apply a Viewpoint to a set of parsed messages, Message Analyzer simply reorganizes the data display by retrieving messages whose indexes correlate with the applied Viewpoint filtering criteria. The result is that you display the viewpoint messages at the top-most level in the Analysis Grid viewer, which includes all operations for the current Viewpoint, if they are enabled. For example, if you apply the SMB/SMB2 Viewpoint, then operations for the SMB and SMB2 protocol will display.

The viewpoint that displays by default in the Analysis Grid viewer is a summary view of top-level messages that have no other message layers above them. After applying a Viewpoint to a set of messages and changing the data to the perspective of a particular protocol, you can return to the default viewpoint by clicking the Default ViewPoint button.
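
The layer-filter behavior described in the Protocol Viewpoints, Toggling Operations, and Processing Viewpoints sections can be sketched as a small conceptual model. This is an added example, not Message Analyzer code or its internal implementation; the Msg and Operation classes, the function names, and the sample trace are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Msg:
    num: int                  # capture order (constructed sample numbering)
    module: str               # protocol/module that parsed this layer
    summary: str
    origins: list = field(default_factory=list)  # lower-layer messages beneath it

@dataclass
class Operation:              # request/response pair shown as one top-level row
    request: Msg
    response: Msg

def find_layer(msg, protocol):
    """Nearest messages of `protocol` at or below msg; layers above are dropped."""
    if msg.module == protocol:
        return [msg]
    return [hit for o in msg.origins for hit in find_layer(o, protocol)]

def apply_viewpoint(rows, protocol, hide_operations=False):
    """Model of a Viewpoint as a layer filter over the default top-level rows."""
    if protocol == "TCP":     # the page notes TCP Viewpoints hide operations
        hide_operations = True
    out = []
    for row in rows:
        if isinstance(row, Operation):
            if row.request.module == protocol and not hide_operations:
                out.append(row)           # operation stays grouped
                continue
            parts = [row.request, row.response]   # ungroup the pair
        else:
            parts = [row]
        for part in parts:
            out.extend(find_layer(part, protocol))
    # ungrouped messages are redisplayed chronologically
    return sorted(out, key=lambda r: r.request.num if isinstance(r, Operation) else r.num)

def labels(rows):
    return [f"op:{r.request.summary}" if isinstance(r, Operation)
            else f"{r.num}:{r.module}:{r.summary}" for r in rows]

# Constructed sample trace: a TCP handshake, then one HTTP request/response operation.
req = Msg(4, "HTTP", "GET /", [Msg(4, "TCP", "PSH,ACK")])
resp = Msg(5, "HTTP", "200 OK", [Msg(5, "TCP", "segment 1"), Msg(6, "TCP", "segment 2")])
default_rows = [Msg(1, "TCP", "SYN"), Msg(2, "TCP", "SYN,ACK"), Msg(3, "TCP", "ACK"),
                Operation(req, resp)]

if __name__ == "__main__":
    print(labels(apply_viewpoint(default_rows, "HTTP")))
    print(labels(apply_viewpoint(default_rows, "HTTP", hide_operations=True)))
    print(labels(apply_viewpoint(default_rows, "TCP")))
```

In this model the HTTP Viewpoint yields one grouped operation row, hiding operations yields the request and response as separate rows in capture order, and the TCP Viewpoint surfaces every TCP segment that was previously buried under the HTTP messages.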

Managing Viewpoints as Shared Items
The items in the Viewpoints Library drop-down in the Viewpoints group on the Message Analyzer Ribbon are shareable data manipulation items. Message Analyzer provides a simple way to expose these Viewpoint items to others for sharing purposes, or to retrieve Viewpoint items that others have shared.

Note: The ability to create new Viewpoints or edit existing ones will be available in the near future.

You can share Viewpoint items directly with others by using the Export feature in the Manage Viewpoint dialog to save one or more Viewpoint items to a designated file share. You can also use the Import feature in the same dialog to access Viewpoint items that have been shared by others in a similar manner. The Manage Viewpoint dialog is accessible by selecting the Manage Viewpoints item from the Viewpoints Library drop-down in the Viewpoints group on the Message Analyzer Ribbon.

In addition, you can share your Viewpoint items through a user feed that you configure in the Message Analyzer Sharing Infrastructure from the Settings tab on the Start Page. Thereafter, you can use the Export feature of the Manage Viewpoint dialog to post your Viewpoint items to the feed so that others can access them. If you updated your existing Viewpoint items or added others to your collection, you can make them available to team members or other users through the configured feed, where they can view, synchronize with, and download your collection items. However, to enable users to download item collection updates, there is some manual configuration required at this time, as described in Manual Item Update Synchronization.

Microsoft also provides a default Message Analyzer feed on the Downloads tab of the Start Page that enables you to download Viewpoint item collections from a Microsoft web service and to synchronize with item collection updates that are periodically pushed out by the service. To receive these updates that will appear in the Message Analyzer category of your local Viewpoints Library, you must set the Viewpoints collection to the auto-sync state on the Message Analyzer Start Page. At any time, you can perform a download of an auto-synced collection from the Settings tab on the Start Page.

More Information
To learn more about the Sharing Infrastructure and about managing user Library items, downloading item collections, and auto-syncing item collection updates, see the Sharing Infrastructure and Managing Item Collection Downloads and Updates topics.

