
Microsoft Message Analyzer Operating Guide

 


Introduction
Microsoft Message Analyzer is a new tool for capturing, displaying, and analyzing protocol messaging traffic, events, and other system or application messages in troubleshooting and diagnostic scenarios. Message Analyzer also enables you to load, aggregate, and analyze data from log and saved trace files. It is the successor to Microsoft Network Monitor 3.4 and a key component in the Protocol Engineering Framework (PEF) that was created by Microsoft for the improvement of protocol design, development, documentation, testing, and support. With Message Analyzer, you can choose to capture local and remote traffic live or load archived message collections from multiple data sources simultaneously.


Message Analyzer enables you to display trace, log, and other message data in numerous data viewer formats, including a default tree-grid view, interactive tool windows, and other selectable graphical views that employ grids, charts, and timeline visualizer components that provide high-level data summaries and other statistics. Message Analyzer also enables you to configure your own custom data viewer charts. In addition to being an effective tool for troubleshooting network issues and system messages, Message Analyzer enables you to test and verify protocol implementations.


Quick Links
Message Analyzer download and installation information — get a free download and install Message Analyzer on your system.
Message Analyzer Feature Summary — get a quick overview of Message Analyzer features and navigate links to more information.
Participate in Community — review options for participating in various Message Analyzer community venues.
Use TechNet Export — build a customized manual from Message Analyzer Operating Guide topics.


Information Roadmap

The topics outlined in this section provide a map into the documentation contained in the Message Analyzer Operating Guide. Use this map to quickly navigate to the topics that show you how to get started with Message Analyzer, how to use its basic and more advanced features, and to understand the underlying frameworks on which it is built. At a high level, the map breaks out into the three content spaces that are specified in the following table, within which you will find quick links that point to topics of interest in these spaces:

 

| Content Space | Description | Quick Links |
|---|---|---|
| Usage tasks | Review features and functions that you can use to perform various Message Analyzer operations. | Message Analyzer Usage Tasks |
| Usage procedures | Run procedures to see Message Analyzer in action and quickly familiarize yourself with its capabilities. | Message Analyzer Usage Procedures |
| Technology concepts | Review conceptual information to understand Message Analyzer features and the underlying technologies upon which they are built. | Message Analyzer Technology Concepts |


Message Analyzer Usage Tasks

In this Operating Guide, Message Analyzer guidance is presented in the form of usage tasks. Each task provides some conceptual background with respect to the functions and features you will be working with, discusses how to use the associated UI features, and also includes example procedures to help you walk through various Message Analyzer usage contexts. To proceed directly to the usage tasks presented in this Operating Guide, click a task link below such as Capturing Message Data:

 

Getting Started with Message Analyzer

See the following topics to learn how to get started with Message Analyzer:

  • Message Analyzer Feature Summary — review the main features of Message Analyzer and use the topic links to access more detailed feature descriptions.

  • Quick Start Procedures — run several simple procedures to quickly see Message Analyzer in action.

  • Technology Overview — explore the main navigation features and high-level functions of the Message Analyzer user interface.

  • Technology Tutorials — read a brief tutorial on Message Analyzer functions before you dive into the usage tasks and procedures. Also, see the Protocol Engineering Framework (PEF) architecture and Event Tracing for Windows (ETW) framework tutorials to understand the technologies upon which Message Analyzer is built.

  • Startup Options — review the methods you can use to start Message Analyzer, which includes the arguments and command switches that are available to launch Message Analyzer from the command line.

  • Setting Message Analyzer Global Options — set global options such as default values and settings that can affect Message Analyzer performance, display configurations, or feature activations.

Capturing Message Data

Review the following topics to learn how to configure, start, and edit a Message Analyzer session, or configure a session scenario. Also examine various session scenarios that you can employ with multiple data sources, including local and multiple concurrent remote sessions. Discover how to start a session quickly with predefined Trace Scenario configurations, understand the message providers, how to create and save custom Live Trace Session configurations to run on-demand, how to use decryption, and how to enhance capture configurations with filtering and ETW system providers:

  • Starting a Message Analyzer Session — familiarize yourself with the types of sessions you can configure and start with Message Analyzer; also review common steps that you can use to create a basic session.

  • Editing Existing Sessions — learn how to reconfigure an existing session and apply the changes to existing data.

  • Configuring Session Scenarios — discover how to make use of the flexible session framework with multiple data sources capability that enables you to create Data Retrieval Sessions with multiple data loading configurations or Live Trace Sessions with multiple capture configurations for local and remote tracing.

  • Default Trace Scenarios — review the functions and usage configurations of the built-in Message Analyzer Trace Scenarios in the network, device, system, and file sharing categories.

  • PEF Providers — review conceptual background on the PEF providers that install with Message Analyzer, including information about Fast Filters and provider manifests.

  • Using the Decryption Feature — specify a server certificate and password to enable decryption and analysis of TLS/SSL encrypted traffic.

  • Creating and Modifying a Live Trace Session — select and configure predefined Trace Scenarios, set predefined Parsing Levels, configure Fast Filters and Session Filters, configure system ETW providers, use advanced session configuration, select data viewers, and more.

  • Capturing Data Remotely — learn how to capture traffic concurrently on multiple remote hosts, which includes traffic on virtual machines that are serviced by a Hyper-V-Switch, along with advanced packet filtering and other special filters.

  • Developing and Managing Trace Scenarios — design a custom capture configuration template, save it as a Trace Scenario, and run it on demand.

  • Obtaining Provider Manifests — understand provider manifests and how to generate them when needed.

Retrieving Message Data

View the following topics to learn how to load input data from saved files, and how to filter input data and present it in a chosen viewer when loading messages through a Message Analyzer Data Retrieval Session:

  • Browse-Select-View Model — learn about the Message Analyzer BSV infrastructure that enables you to browse for multiple data sources, filter or select specific data from those sources, and present results in a viewer of choice for data manipulation and analysis.

  • Targeting Saved Data as Input Sources — browse for and load saved trace data and logs into Message Analyzer.

  • Configuring a Data Retrieval Session — learn how to configure a Data Retrieval Session and make use of such features as Truncated Parsing, Parsing Levels, Decryption, Text log parsing, and more.

  • Selecting Data to Retrieve — use a Session Filter and/or a Time Filter to select specific data that you want to load into Message Analyzer.

  • Choosing a Data Viewer — learn how to specify a data viewer that displays message data that you load from one or more data sources in a Data Retrieval Session.

  • Processing WPP-Generated Events — learn how to enable parsing of Windows software trace preprocessor (WPP)-generated events in Message Analyzer.

Viewing Message Data

Review the following topics to learn about the different data viewers that Message Analyzer provides, along with some of the capabilities that enable you to manipulate data views:

  • Data Viewer Concepts — review background concepts about the Message Analyzer data viewing infrastructure to learn how data viewers work and interact.

  • Data Viewers — learn about the data viewers that are available for analysis, including how to use the Analysis Grid viewer and the data manipulation components that are unique to it, such as Color Rules, View Layouts, data Grouping, Find filters, and so on. Also discover how to use Chart viewers that provide top-level protocol summary information, and learn about the Sequence Matching viewer, which detects message patterns across a set of trace results.

  • Specifying Data Viewers — find out how to open various data viewers from multiple locations.

  • Common Data Viewer Features — learn about Message Analyzer data manipulation tools that are common to the Analysis Grid and other viewers, such as Time Shifts, View Filters, Quick Filters, Aliases, Unions, and Viewpoints.

  • Tool Windows — understand how to use message-specific and session-specific tool windows that provide additional message details or configuration capabilities in Message Analyzer. Also learn about message annotations (Comments and Bookmarks), Diagnostics, Message Stack, Decryption, and other tool windows in this section.

  • Redocking Data Viewers and Tool Windows — find out how to enhance your data analysis perspectives by redocking interactive data viewers.

Filtering Message Data

View the following topics to learn about selecting data from a Data Retrieval Session, applying filters to a Live Trace Session to isolate specific data, applying filters to trace results for analysis, using color rules to create conditional alerts in trace results, and understanding the Filtering Language:

  • Filtering Loaded Input Data — apply a Session Filter to isolate specific data from a specified configuration of one or more input files.

  • Filtering Live Trace Session Data — apply a Fast Filter, Keyword filter, WFP Layer Set filter, Advanced Settings filters, or an HTTP filter at the driver level to a Live Trace Session, or apply a predefined or custom Filter Expression as a Session Filter in the New Session dialog when configuring a Live Trace Session.

  • Filtering Live Trace Session Results — select a filter expression from a common Library of predefined filters and apply it as a View Filter to the results of a Live Trace Session.

  • Writing Filter Expressions — understand the Filtering Language so you can create your own filter expressions.

Saving Message Data

Review the following topics to learn how to save session data, which includes selecting messages to save, specifying the save file format, and using session naming conventions.

  • Saving Session Data — read a quick overview of how to save your message data from a Data Retrieval Session or a Live Trace Session.

  • Selecting Messages to Save — review the options that are available for saving message data.

  • Naming Saved Files — review some naming strategies and other considerations for saving message data.


Automating Tracing Functions

Get a quick overview of the Message Analyzer functions that are enabled for the PowerShell scripting environment, as described in the following:

  • PowerShell Cmdlets for Message Analyzer — read a synopsis for action, trigger, and other cmdlets that are available to automate various Message Analyzer functions.

  • PowerShell Script Example — review an example PowerShell script that configures a message provider, adds a Trace Filter, and sets various triggers for starting, filtering, stopping, and saving a trace session.

  • Access PowerShell Cmdlets and Help — find out how to get PowerShell v3, access and update cmdlet help, and view the cmdlet help for Message Analyzer.

Managing Message Analyzer Assets

Review the following topics to learn about the Message Analyzer Sharing Infrastructure, user Libraries, automatic updates, downloading asset collections, and creating user feeds for sharing assets with others:

  • Sharing Infrastructure — learn about the Message Analyzer Sharing Infrastructure; the user Library item collections that enable you to manipulate how data is captured, viewed, and analyzed; and how to manage these user Libraries.

  • Managing Item Collection Downloads and Updates — find out how to download user Library item collections and how to utilize the auto-sync feature to automatically receive user Library updates that are pushed out by a Microsoft web service.

  • Managing Microsoft OPN Parser Packages — learn how to auto-sync updates to OPN Parser packages and download them from the Microsoft web service.

  • Creating Custom User Feeds — create your own user feeds to which others may subscribe, for mutually sharing Message Analyzer assets with other team members, for example, Filters, Trace Scenarios, Chart viewers, and so on.

  • Sharing Item Collections on a User File Share — learn how to share user Library item collections directly with other users by exporting/importing collections or items to/from a file share.

Extending Message Analyzer Data Viewing Capabilities

Review the following topics to discover how to create new chart-style data viewers that you can customize for your needs with the use of various graphic visualizer components and data formulas, to extend Message Analyzer data viewing capabilities. Also learn how you can edit/customize any predefined Chart data viewer:

  • Configuring Chart Data Viewers — learn how to use the Message Analyzer Chart configuration features. Also learn how to export any of the predefined Charts or any new Chart assets that you create, for sharing with others.

  • Using the Chart Configuration Features — perform a procedure that creates an HTTP Content Type data viewer that you can run immediately, save it to the Charts Library, and thereafter edit the Chart as needed.


Message Analyzer Usage Procedures

If you want to proceed directly to usage procedures that demonstrate Message Analyzer features in the context of the usage tasks contained in this Operating Guide, click a link below:

 

Quick Start Procedures — display saved data with the Quick Open feature; start a Live Trace Session, display data quickly from your favorite Trace Scenarios by using the Quick Trace feature on the Message Analyzer File menu; load saved data through a Data Retrieval Session; and deploy Chart viewers to display your data.

Using the Network Tracing Features — run a Local Network Interfaces trace that isolates data to a particular network adapter and IPv4 address; perform a Loopback and Unencrypted IPSEC trace with a high-performance, driver-level Fast Filter that is set to capture HTTP traffic from TCP port 80; run an Unencrypted HTTPS trace with driver-level Hostname and Port filters to isolate client and server HTTP message exchanges; capture traffic with a Remote Network Interfaces trace on a virtual machine (VM) that is serviced by a Hyper-V-Switch on a remote Windows 8.1 or Windows Server 2012 R2 host; and design a custom Trace Scenario and run it on demand.

Using the Data Retrieval Features — browse for data and create a message collection to load into Message Analyzer; apply a Session Filter to loaded input data to isolate specific messages that you want to work with; display saved trace data in different viewers; use the Recent Files feature to display saved trace data to resume previous work; load data from multiple sources and save it as a single message collection; and apply a Time Filter to data being loaded into Message Analyzer.

Using the Data Viewing Features — learn how to apply gradient style Color Rules or a predefined View Layout; execute Group commands to group data and streamline message analysis; use the graphic visualizer components of the Protocol Dashboard to analyze top-level summary data such as top bandwidth consumption and message activity within a specified time window; analyze data with the interactive features of the Protocol Dashboard and Analysis Grid viewers; apply Quick Filters and Viewpoints; configure friendly Aliases for field values; create Unions of two or more message fields; and drive the display of various message details through Analysis Grid viewer and tool window interactions.

Using the Data Filtering Features — create and apply filters to loaded, live, and trace results data to address and solve commonly encountered, real-world issues; and create color rules to serve as an alert when certain message types, states, or values are present in a displayed message set, for example, TCP diagnostic information and SMB error status.

Using the Asset Management Features — perform procedures that demonstrate how to manage user Library items and share them with others, or download and update Library item collections from the default Message Analyzer subscriber feed.

Using the Chart Configuration Features — walk through a procedure that shows you how to create a working Chart that presents a visualization of HTTP content type volumes, to provide an indication of web server loads.


Message Analyzer Technology Concepts

If you want to expand your knowledge of the technologies upon which Message Analyzer is built, click the link below:

 

Technology Tutorials — get an overview of Message Analyzer functions and technology concepts, and learn about the PEF architecture and ETW framework components that support them.


Message Analyzer Installation

If you have not already installed Microsoft Message Analyzer, go to the Microsoft Message Analyzer page on the Microsoft Download Center for a free download and installation of Microsoft Message Analyzer v1.1. The Microsoft Message Analyzer release is available for installation in 32-bit and 64-bit versions. Installation requirements are listed in the following table for convenience:

Table 1 Message Analyzer Installation Requirements

| Component | Requirement |
|---|---|
| Supported Operating Systems | 32-bit and 64-bit: Windows 7, Windows 8, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. |
| Redistributable Packages | Minimum: .NET Framework 4; Recommended: .NET Framework 4.5 |
| Display Resolution | 1024 x 768 or higher |
| Hard disk space | Installation (minimum): 350MB; Capturing and loading traces (recommended): 50GB |
| RAM | 64-bit: minimum 2GB, recommended 8GB; 32-bit: minimum 2GB, recommended 4GB |
| CPU | Minimum: 1.4 GHz; Recommended: 2 x 2.80 GHz (64-bit) |


Important  If you intend to perform long captures or load large traces, it is recommended that you use a 64-bit computer.

Warning  If you are reinstalling Message Analyzer, see the Reinstalling Message Analyzer topic to learn how to avoid the loss of certain user data.

Advisory  If you are installing Message Analyzer on a Windows 7 computer, you might experience a random reset of the TCP stack and a TCP connection loss. If this impacts an application, you may have to restart it. Otherwise, there is a possibility that you might have to restart your computer.

Security Contexts

If you want to use Message Analyzer immediately after installing it, you should log off and then log back on. This ensures that in all logons following installation, your security token is updated with the required security credentials from the Message Capture Users Group (MCUG). Otherwise, you will be unable to capture network traffic in Trace Scenarios that use the Microsoft-PEF-NDIS-PacketCapture provider, the Microsoft-Windows-NDIS-PacketCapture provider, or the Microsoft-PEF-WFP-MessageProvider, unless you start Message Analyzer with the right-click Run as administrator option. Be aware that running Message Analyzer as an administrator can result in differing security contexts between applications. For Message Analyzer, this means that you will be unable to use the drag-and-drop feature to open saved trace and log files while running in an administrative context.

Note  Even if you log off your system, log back on, and receive the required security credentials from the MCUG, you will still need to use the Run as administrator option if you want to capture message data in Message Analyzer Trace Scenarios that use the Microsoft-Windows-NDIS-PacketCapture provider. This is the result of the inherent remote capabilities of this provider and the security restrictions that must therefore be applied to it.

© 2014 Microsoft