Export (0) Print
Expand All

Sequence Match

Filtering is an important technique for isolating messages in a trace that meet specific filtering criteria. However, because the application of filtering is restricted to the boundaries of individual messages, it cannot expose the context or “sequence” in which events occur across the timeline of a trace. To enable sequences of events to be detected, Message Analyzer provides a sequence matching capability that can identify message sequences or patterns in a group of messages. The sequence detection process is carried out by a sequence matching engine that provides a fast and easy way to get at this information. In Message Analyzer, you can utilize sequence matching functionality by invoking the Sequence Match viewer from the locations described in Specifying Data Viewers. This includes specifying the Sequence Match viewer when starting a Data Retrieval Session, starting a Live Trace Session, or when opening it in an Analysis Session.

Executing Sequence Expressions
After you launch the Sequence Match viewer, you must execute a sequence expression to view the results of pattern matching. You can do so by clicking the Sequence Expression button in the View Options group on the Message Analyzer Ribbon to display a drop-down menu, from where you can select and execute an expression that will return any pattern matches it finds. From this drop-down menu, you can either specify a predefined sequence expression or you can create your own with the Sequence Expression Editor.

Currently, the predefined Sequence Expressions that are available by default in Message Analyzer are contained in the following categories:

  • Network — the Sequence Expressions that are available in this category consist of the following:

    • TCP Connect Scan — returns TCP sessions that are actively reset by the destination. Can be useful to find malware scans on the network.

    • TCP FIN Stealth Scan — searches for matches to TCP three-way handshakes that have no response, as an indication that a port is blocked or not listening. A significant number of matches could indicate network scanning is taking place.

    • TCP Syn Half Open Connections — searches for TCP Syn/half open connections, such as a session that had a response where a port was opened but then Reset. Could indicate a port attack, for example, a denial of service (DoS) attack.

    • TCP Inactive Session Scan — searches for TCP sessions where connection attempts have no response from an inactive port, which could be an indication of a security attack.

    • Three Way Handshake— enables you to isolate all three-way handshakes that occurred when setting up TCP connections, for both IPv4 and IPv6 transports, in the current set of messages. Also displays the approximate round trip time as the time delta between Syn messages and Syn Acknowledgement messages.

    • Sack Detection — searches for all selective acknowledgement (SACK) messages which indirectly indicate the same network issues that cause TCP retransmits to occur, providing that SACK is enabled.

    • TCP Retransmit Pairs — enables you to identify pairs of retransmitted TCP messages with the same sequence and acknowledgement numbers and an identical payload size, that occurred in the current set of messages.

  • RPC — the Sequence Expression that is available in this category consists of the following:

    • Endpoint Mapper Block — searches for occurrences where a port is blocked and reset in RPC communications.

  • FTP — the Sequence Expression that is available in this category consists of the following:

    • FTP Port Negotiate — searches for occurrences of FTP Port Negotiate and the associated TCP connections, for failed or successful connections alike.

When you execute a Sequence Expression, the results display as a list of matches within a node that you can expand. Moreover, you obtain a collection of sequences with each sequence representing an occurrence of the pattern for which you searched. If you select a particular message in the matched list, the corresponding message will also be highlighted in the Analysis Grid viewer for ease of analysis, providing that you opened an instance of this viewer in your Analysis Session. To see this interactive message selection capability more clearly, you can undock the Sequence Match viewer tab and the Analysis Grid viewer tab and redock them side by side by dragging them to the central docking navigator. As you traverse through messages in the matched list, the redocking placement can provide the full context in which a particular sequence occurred.

The subtopics in this section provide further details about pattern or sequence matching with Sequence Expressions. The discussions include a code walkthrough for two of the default TCP Sequence Expressions, how to modify and create Sequence Expressions, and how to manage Sequence Expressions item collections, including sharing them with others through the Message Analyzer Sharing Infrastructure.

More Information
To learn more about sequence matching, including how the predefined Sequence Expressions work, see Matching Message Sequences.
To learn more about how to build your own Sequence Expressions, see Using the Sequence Expression Editor.
To learn more about managing Sequence Expressions, see Managing Sequence Expressions.
To learn more about downloading updates to your local Sequence Expression user Library item collection and sharing these items with others through the Message Analyzer Sharing Infrastructure, see Managing Message Analyzer Assets.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
© 2014 Microsoft