
Quick Start Procedures

To start using Microsoft Message Analyzer, run the procedures in this section to learn how to utilize analyzer features and functions to accomplish basic tasks such as the following:

Displaying Data Quickly From a Saved Trace File

Starting a Live Trace Session with a Predefined Trace Scenario

Starting and Modifying a Data Retrieval Session

Displaying Different Data Viewers for Analysis Perspectives

Creating and Saving a Customized Trace Scenario


Important  If you have not logged off from Windows after the first installation of Message Analyzer, log off and then log back on before performing these procedures. This ensures that your logon security token carries the Message Capture Users group membership that installation grants to your account; a token issued before the change does not include the new group. Otherwise, you will be unable to capture network traffic in Trace Scenarios that use the Microsoft-PEF-NDIS-PacketCapture provider, the Microsoft-Windows-NDIS-PacketCapture provider, or the Microsoft-PEF-WFP-MessageProvider, unless you start Message Analyzer with the right-click Run as administrator option.
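The following PowerShell check is an added example and is not part of the original page or of Message Analyzer itself. It shows the distinction the note above relies on: the group membership stored for your account versus the groups present in the token of the current logon session. Only the latter is what the capture providers see. It assumes the group is named exactly "Message Capture Users" on the local machine and that the LocalAccounts module (Get-LocalGroupMember, Windows 10 / Server 2016 and later) is available for the stored-membership comparison; on older systems that part is skipped.

```powershell
# Added example, not from the Message Analyzer documentation.
# Inspect the CURRENT logon token, which is what the capture providers evaluate.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# Translate each group SID in the token to an NT account name where the SID resolves.
$tokenGroups = foreach ($sid in $identity.Groups) {
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
}

# Assumption: the group name is "Message Capture Users" (shown as COMPUTER\Message Capture Users).
$groupInToken = $tokenGroups | Where-Object { $_ -like '*\Message Capture Users' }

# Run as administrator also satisfies the providers, so report elevation as well.
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isElevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

# Stored membership in the local SAM, for comparison with the token (skipped if the cmdlet is absent).
$storedMember = $null
if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
    $storedMember = Get-LocalGroupMember -Name 'Message Capture Users' -Member $identity.Name -ErrorAction SilentlyContinue
}

if ($groupInToken -or $isElevated) {
    "OK: this logon can capture (group in token: $([bool]$groupInToken); elevated: $isElevated)"
}
elseif ($storedMember) {
    "Membership is stored but NOT in the current token: log off and log back on, or start Message Analyzer with Run as administrator."
}
else {
    "Account $($identity.Name) is not in Message Capture Users and is not elevated: add it to the group, then log off and on."
}
```

Run this from the same (non-elevated) desktop session you will launch Message Analyzer from; an elevated console reports success regardless of group membership, which is exactly the Run as administrator workaround the note describes.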

Displaying Data Quickly From a Saved Trace File

The procedure that follows shows you how to use the Message Analyzer Quick Open feature to rapidly access and display data from a saved trace or log file.

To quickly open a saved trace file and display its data

  1. From the Start menu, Start page, or task bar of your computer, click the Microsoft Message Analyzer icon to launch Message Analyzer. Start Message Analyzer with the right-click Run as Administrator option if necessary, as described in the previous Important note.

  2. Click the Message Analyzer File menu and then click Quick Open to display the Windows Open dialog.

    Note  If you have already opened files with Quick Open, a Recent Files list displays in a submenu to the right, from where you can select a file and immediately open it in the default data viewer.

  3. In the Open dialog that displays, navigate to a saved trace or log file containing the data you want to display and then click the Open button to exit the dialog.

    The saved data displays in the default data viewer.

Tip  You can quickly retrieve data from one or more saved trace files by dragging and dropping them on the Message Analyzer File menu, Session Explorer tool window, or the Start page. In drag-and-drop mode, the data retrieved from each file in a selected set displays in separate default viewer tabs on the Message Analyzer Home tab.

You can also drag and drop log files to display their data. However, instead of the data immediately displaying in the default data viewer, the New Session dialog opens to the Data Retrieval Session configuration, with the log files that you selected as the data sources for the session. This gives you the opportunity to specify additional configurations, such as a Time Filter, Session Filter, or Parsing Level, to define the scope of messages to be retrieved. Other session configurations that you can specify consist of selecting a Text Log Configuration file, setting the Truncated Parsing mode, adding more files to the session as data sources, and specifying the data viewer you want to use.

To learn more about these additional configuration capabilities, see Configuring a Data Retrieval Session.

Starting a Live Trace Session with a Predefined Trace Scenario

The procedure that follows shows you how to select the predefined Loopback and Unencrypted IPSEC Trace Scenario that uses the Microsoft-PEF-WFP-MessageProvider to focus your live data capture at the Transport layer, while minimizing lower-level network traffic. Although this scenario enables you to capture loopback and unencrypted IPSec traffic, this is not the focus of this example.

Tip  Whenever you make a Trace Scenario a Favorite, such as the Loopback and Unencrypted IPSEC scenario, you can simply click it in the submenu of the Quick Trace item in the Message Analyzer File menu to quickly start a live trace based on the favorite scenario.

To start a Live Trace Session with the Loopback and Unencrypted IPSEC trace scenario

  1. Launch Message Analyzer as specified in the previous procedure.

  2. Click File to open the Message Analyzer File menu, click New Session, and then select Blank Session in the New Session submenu to display the New Session dialog.

  3. Under Add Data Source in the New Session dialog, click the Live Trace button to display the Live Trace tab along with the associated session configuration features that it contains in the New Session dialog.

  4. Select the Loopback and Unencrypted IPSEC item in the Select a trace scenario drop-down menu on the Live Trace tab of the New Session dialog.

    The Microsoft-PEF-WFP-MessageProvider is added to the ETW Providers list on the Live Trace tab of the New Session dialog.

  5. Optionally, select a predefined Session Filter from the centralized Filter Expression Library, such as IPv4Address==<192.168.1.1> to capture messages that are sent to and received from a specific computer. The IP address in this example filter is a placeholder for an actual IP address that you must provide.

    Note  A Session Filter enables you to define the scope of the data capture while also improving performance by limiting how much data you collect.

  6. Click the Start With drop-down menu arrow and select the data viewer in which to display your trace results, or use the default Analysis Grid data viewer setting.

  7. Click the Start button in the New Session dialog to start capturing data in your Live Trace Session.

  8. While the Live Trace Session is running, launch a web browser and click some links to navigate to several web locations.

    Message Analyzer starts to accumulate messages in the data viewer that you specified.

  9. Stop the trace at a suitable point by clicking the Stop button in the Session group of the Ribbon on the Message Analyzer Home tab.

    Inspect your trace results in the data viewer that you chose and observe that Message Analyzer has captured a set of messages, including HTTP, as a result of the browser links that you clicked.

    To learn more about how you might analyze this type of data, see the following topics for some examples of how to apply HTTP and TCP View Filters in an Analysis Session:
    Applying an HTTP View Filter to Loopback and Unencrypted IPSEC Trace Results
    Applying TCP View Filters to Loopback and Unencrypted IPSEC Trace Results

Advisory  If you let a trace session run for an extended period, it can consume a large amount of memory.

To learn more about the configuration capabilities that are available for a Live Trace Session, see Capturing Message Data.
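The script below is an added example, not code from the original page. It drives the same Live Trace Session from the PEF PowerShell module that installs with Message Analyzer instead of from the New Session dialog: the same Microsoft-PEF-WFP-MessageProvider, the same optional IPv4 Session Filter, and a bounded capture so the memory advisory above cannot bite. The cmdlet and parameter names (New-PefTraceSession, Add-PefMessageSource, Set-PefTraceFilter, New-PefTimeSpanTrigger, Stop-PefTraceSession, Start-PefTraceSession), the blocking behaviour of Start-PefTraceSession until a registered stop trigger fires, the output path, and the peer address are assumptions from memory of that module; confirm them with Get-Command -Module PEF before relying on the script. Run it with the capture rights described in the Important note at the top of this page.

```powershell
# Added example, not from the Message Analyzer documentation.
Import-Module PEF   # assumption: module name and default install location of Message Analyzer

$tracePath = 'C:\Traces\LoopbackIpsec.matp'   # assumed output path; the directory must exist
$peerIp    = ''                                # optional: e.g. '192.168.1.1' to scope capture to one peer

# Circular buffer capped at 50 MB bounds resource use if the trace runs longer than planned.
$session = New-PefTraceSession -Mode Circular -Force -Path $tracePath -TotalSize 50 -SaveOnStop

# Same provider that the Loopback and Unencrypted IPSEC scenario adds in the GUI.
Add-PefMessageSource -PEFSession $session -Source 'Microsoft-PEF-WFP-MessageProvider'

# Equivalent of the optional Session Filter in step 5 of the procedure.
if ($peerIp) {
    Set-PefTraceFilter -PEFSession $session -Filter "IPv4.Address == $peerIp"
}

# Register the stop condition before starting: the session ends on its own after 60 seconds.
# (New-PefKeyDownTrigger -CtrlC is the interactive alternative.)
$stopAfter = New-PefTimeSpanTrigger -TimeSpan (New-TimeSpan -Seconds 60)
Stop-PefTraceSession -PEFSession $session -Trigger $stopAfter

# Generate the browser-like HTTP traffic that step 8 asks for, from a background job,
# because Start-PefTraceSession holds the console until the stop trigger fires.
$traffic = Start-Job -ScriptBlock {
    Start-Sleep -Seconds 5
    Invoke-WebRequest -Uri 'http://example.com/' -UseBasicParsing | Out-Null
}

Start-PefTraceSession -PEFSession $session        # returns when the trigger fires; file saved on stop
Receive-Job -Job $traffic -Wait -AutoRemoveJob | Out-Null

# The saved .matp can now be loaded with File > Quick Open or through a Data Retrieval Session.
Get-Item $tracePath | Select-Object FullName, Length, LastWriteTime
```

The order matters: the stop trigger is attached with Stop-PefTraceSession before the session is started, which is how the module expresses "run until this condition". Leaving $peerIp empty captures everything the WFP provider sees, matching the procedure's default; setting it narrows the capture at the session level, with the parsing cost the Fast Filter discussion later on this page contrasts.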

Starting and Modifying a Data Retrieval Session

The first procedure in this section shows you how to open a Message Analyzer Data Retrieval Session from where you can specify one or more saved files that contain the message data you want to load and display in the Analysis Grid viewer on the Message Analyzer Home tab. The second procedure describes how to modify a Data Retrieval Session so that you can load data from additional files into the existing Message Analyzer session. The option to create a filtered view of the loaded data with the use of a Session Filter is also described.

To use a Data Retrieval Session to load saved trace data into Message Analyzer

  1. Launch Message Analyzer as indicated in earlier procedures.

  2. Click File to open the Message Analyzer File menu, click New Session, and then select Blank Session in the New Session submenu to display the New Session dialog.

  3. Under Add Data Source in the New Session dialog, click the Files button to display the Files tab along with the associated session configuration features that it contains in the New Session dialog.

  4. On the Files tab, click the Add Files button to display the Open dialog, from where you can navigate to the trace files that contain the data you want to load into Message Analyzer.

  5. In the Open dialog, select the files that contain the data you want to retrieve, then click the Open button to exit the dialog.

    Message Analyzer displays the files you selected in a list on the Files tab that includes columns of data such as Name, File Size, File Type, Message Count, Start Time, End Time, and Text Log Configuration.

    Note  The data from the files that display in this list is not yet loaded into Message Analyzer. At this point, the files are simply the target data sources from which data will be loaded after you click the Start button in the New Session dialog.

  6. In the files list, ensure that there is a check mark in the check box next to the files containing the data you want to load into Message Analyzer. Note that you can select or unselect files in the list to create specific combinations of data sources from which to load data.

  7. In the Start With drop-down menu of the New Session dialog, select a data viewer in which to display the results of your Data Retrieval Session; otherwise, the default data viewer setting will be used.

    Note  You have the option to change the default data viewer from the Options page that is accessible from the Message Analyzer File menu. Message Analyzer ships with the Analysis Grid viewer as the default setting.

  8. Optionally, select a Session Filter from the Filter Expression Library in the New Session dialog, or configure a Time Filter from the Files tab in the dialog to define the scope of data retrieval or narrow the window of time in which to view data, respectively.

    To learn more about applying these filters, see Selecting Data to Retrieve.

  9. Click the Start button in the New Session dialog to begin loading the data into Message Analyzer.

    After the data is loaded, it displays in the default or selected data viewer.

    To learn more about how to manipulate and analyze saved trace data that you have loaded into the Message Analyzer Analysis Grid viewer, see the following sections:
    Analysis Grid
    Common Data Viewer Features
    Tool Windows
    Filtering Live Trace Session Results

If you want to modify an existing Data Retrieval Session so that you can load additional data from one or more files such as logs, or specify other configurations such as filtering, perform the steps of the following procedure.

Modifying a Data Retrieval Session

  1. In the Session group on the Message Analyzer Home tab, click the Edit button to return to the current Data Retrieval Session. If you have more than one session tab displaying, ensure that you select the viewer tab for the Data Retrieval Session that you want to modify before clicking Edit.

  2. Click Add Files to add one or more saved trace files to the files list and then select the check box next to each file containing the data you want to load into Message Analyzer.

    Important  When you click the Edit button in the Home tab Session group, by default the Data Retrieval Session opens in Limited Edit mode. This mode enables you to add saved files as new data sources, but it disables other configuration capabilities, such as setting a Time Filter, choosing a Session Filter, or setting the Parsing Level. The advantage of the Limited Edit mode is that you can add the new data without triggering a reload of all data and incurring a performance hit. However, if you want to enable the indicated configuration features to specify changes, you can select the Full Edit mode, although you should be aware that a reload of all data will be required if you Apply the changes.

  3. Click the Apply button to load and display the new data in the Analysis Grid viewer on the Message Analyzer Home tab.

    Note  When you load data from additional files in an edited Data Retrieval Session, the messages from these files are interlaced with the existing messages in the Analysis Grid viewer in chronological order.

Configuring a Session Filter
When loading data from saved files into Message Analyzer, you can select a predefined Filter Expression or manually configure one in the Session Filter pane of the New Session dialog to filter the input messages to specific criteria. For example, you might add a simple expression such as *Port != IANA.Port.LDAP from the Session Filter Library to remove LDAP traffic on TCP and UDP transports. Note that if you manually configure a Filter Expression and it is invalid, a Compile query error message will be displayed.

Note  After loading a collection of messages from specified files and displaying the data in a selected viewer, you have the option to add a predefined or manually configured View Filter to further isolate specific data of interest. A Filter Expression Library for selecting predefined filters is available in the View Filter Tool Window, which you can display by clicking the View Filter button in the Filter group of the Ribbon on the Message Analyzer Home tab.

To learn more about how to manually configure your own filters, see Writing Filter Expressions.

Displaying Different Data Viewers for Analysis Perspectives

The procedure that follows runs a live Loopback and Unencrypted IPSEC trace and then loads a message collection to create initial data views in separate Analysis Grid viewer tabs on the Message Analyzer Home tab. You can then select several different data viewers that provide high-level data summaries and statistics in graphic format.

To display different data viewers

  1. Follow the guidelines of the second procedure in this section to start a live Loopback and Unencrypted IPSEC trace. In this scenario, you will capture SMB traffic as you perform file access activities while your Live Trace Session is running.

  2. Stop the Live Trace Session at a suitable point by clicking the Stop button in the Session group on the Message Analyzer Home tab.

  3. Load messages from saved files into Message Analyzer through a Data Retrieval Session by following the guidelines of the third procedure in this section.

    The trace results and loaded data display in separate Analysis Grid viewer tabs on the Message Analyzer Home tab, assuming that you specified the Analysis Grid as your data viewer in the New Session dialog for your Live Trace Session and Data Retrieval Session.

  4. If the Session Explorer Tool Window is hidden, click the Tool Windows button in the Windows group on the Ribbon of the Message Analyzer Home tab and select the Session Explorer drop-down item to restore it.

  5. To create a different view of the live trace results data, right-click the appropriate session node in Session Explorer, highlight New Viewer, and then select the Protocol Dashboard viewer item from the context menu.

    The Protocol Dashboard displays in a separate data viewer tab that contains top-level summaries of the trace data.

    Note  The Protocol Dashboard is considered a Chart data viewer in Message Analyzer because it is made up of several graphic data visualizer components.

  6. Repeat step 5 and select the SMB Reads and Writes or SMB File Stats viewer to display a view of the live trace data that provides SMB statistics and charted timeline information.

    Note  This viewer will display data only if SMB, SMB2, or SMB3 protocol packets were captured in the Live Trace Session that you ran.

  7. Right-click the node for the Data Retrieval Session in Session Explorer, highlight New Viewer, and then select Sequence Match.

    To start the sequence matching process, specify a predefined sequence expression from the Sequence Expression drop-down in the View Options group on the Ribbon of the Message Analyzer Home tab, by selecting the check box of the sequence expression. For example, you might select the TCP Retransmit Pairs or TCP Three-Way Handshake sequence expressions to identify those pattern types across the loaded set of messages.

    To learn more about sequence matching, refer to Matching Message Sequences.

  8. To quickly create different analysis perspectives, poll through the various views of data by clicking the viewer nodes under each session name in Session Explorer, or select different viewer tabs in the main analysis surface.

    As you select viewer nodes in Session Explorer, the data for those viewers displays in separate viewer tabs. As you poll the data views, you obtain unique perspectives on the data that enhance your analysis capabilities.

  9. Optionally, to obtain alternate but integrated views of the saved message data, select the Message Stack Tool Window in the Tool Windows drop-down list in the Windows group to expose the underlying message stack that supported top-level transactions; and select the Diagnostics Tool Window to display summary groups of the different types of diagnosis errors that occurred in the retrieved data.

    Note  To use the Diagnostics window, it must be enabled on the Features tab of the Options dialog which is accessible from the Message Analyzer File menu, and Message Analyzer must be restarted.

Tip  Comparing Live Trace Session results with related data that is loaded into Message Analyzer from a Data Retrieval Session provides a convenient method for analyzing current and historical data side by side. To learn how to display data viewer tabs side by side, see Redocking Data Viewers and Tool Windows.

Creating and Saving a Customized Trace Scenario

In the procedure that follows, you will create and save a Trace Scenario to serve as a trace template with predefined tracing functionality that you can run on demand. The Trace Scenario specified in this simple example enables you to isolate traffic to a specific IP address, where you can use two different methods of filtering to achieve that result.

To create and save a Trace Scenario

  1. From the Start menu, Start page, or task bar of your computer, click the Microsoft Message Analyzer icon to launch Message Analyzer.

  2. Click File to open the Message Analyzer File menu, click New Session, and then select Blank Session in the New Session submenu to display the New Session dialog.

  3. Under Add Data Source in the New Session dialog, click the Live Trace button to display the Live Trace tab along with the associated session configuration features that it contains in the New Session dialog.

  4. Select the Local Network Interfaces item in the Select a trace scenario drop-down menu on the Live Trace tab of the New Session dialog.

    Note  If you are running the Windows 7, Windows 8, or Windows Server 2012 operating system, the Microsoft-PEF-NDIS-PacketCapture provider is added to the ETW Providers list on the Live Trace tab of the New Session dialog. Otherwise, for later operating systems, the Microsoft-Windows-NDIS-PacketCapture provider with remote capabilities is added to the list.

  5. In the earlier operating system scenarios, click the Configure link to the right of the Microsoft-PEF-NDIS-PacketCapture provider in the ETW Providers list to display the Advanced Settings - Microsoft-PEF-NDIS-PacketCapture dialog. Select the Provider tab in the dialog and then specify the configurations that follow:

    • In the Name column under System Network, expand the Machine node, and then under Adapters, make sure that the In and Out check boxes for the Ethernet network adapter are selected. This ensures that the Trace Scenario will capture both inbound and outbound traffic on the Ethernet adapter. Unselect these check boxes for all other listed adapters.

    • In the Fast Filters pane of the Advanced Settings - Microsoft-PEF-NDIS-PacketCapture dialog, click the black arrow next to the Filter 1 designator in Group 1 and select the IPv4Address option from the drop-down menu that displays.

      Note  With a low-level IPv4 address Fast Filter, the Trace Scenario will deliver messages to the PEF Runtime that transited to or from a specified IPv4 address only, as the Trace Scenario is running. This avoids the additional parsing that is normally required when you specify a similar Session Filter, thereby improving Message Analyzer performance.

    • Specify an IPv4 address value in the format 192.168.1.1 in the text box adjacent to the drop-down menu, to isolate traffic to the specified IPv4 address. Make sure to substitute an actual IPv4 address for the placeholder value used in this example.

    • Highlight the row in which the Ethernet adapter exists in the System Network tree grid of the Advanced Settings - Microsoft-PEF-NDIS-PacketCapture dialog, and then click the Apply to Highlighted button in Group 1.

      The name of the Ethernet adapter displays as the Target of the filter Group. Click OK to exit.

      Note  Instead of configuring a Fast Filter, you can optionally specify a Session Filter such as IPv4.Address == 192.168.1.1 in the Session Filter pane of the New Session dialog. However, you should note that a Session Filter requires more processing time, as indicated earlier. If you choose to use a Session Filter, you can remove the previously set Fast Filter configuration.

  6. In later operating system scenarios, click the Configure link to the right of the Microsoft-Windows-NDIS-PacketCapture provider in the ETW Providers list to display the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture dialog. Select the Provider tab in the dialog and then specify an IP Address filtering configuration.

    To learn more about special filtering configurations for the Windows-NDIS-PacketCapture provider, see Using the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture Dialog.

  7. Click the Save Trace Scenario button to display the Edit Trace Scenario dialog and specify values for the Name, Description, and Category fields.

    Note  When you run your customized Trace Scenario, the trace results will display in the default data viewer that is specified on the General tab of the global Options page, which is accessible from the Message Analyzer File menu.

  8. When your Trace Scenario configuration is complete, click the Save button in the Edit Trace Scenario dialog.

Running the Custom Trace Scenario
When you save a customized Trace Scenario, it becomes a new Trace Scenario Library item in the My Items top-level category, from where you can select and run it at any time. It also becomes part of the Message Analyzer Sharing Infrastructure that enables you to mutually share the scenarios in the Trace Scenario Library with others.

Tip  After you run a custom Trace Scenario template from the New Session dialog, you can reopen the session configuration by clicking the Edit button in the Session group on the Message Analyzer Home tab. Thereafter, you can reconfigure the Trace Scenario as required and save the new template configuration again by clicking Save Trace Scenario.


More Information
To learn more about how to use the advanced settings dialog for the Microsoft-PEF-NDIS-PacketCapture provider, see Using the Advanced Settings - Microsoft-PEF-NDIS-PacketCapture Dialog.
To learn more about creating Trace Scenario templates, see Developing and Managing Trace Scenarios.
To learn more about managing the Trace Scenarios Library as part of the Message Analyzer Sharing Infrastructure, see Managing Trace Scenarios.

© 2014 Microsoft