Export (0) Print
Expand All

PEF Architecture Tutorial

This tutorial describes the main features of the Protocol Engineering Framework (PEF) that directly support the functions of Message Analyzer. A diagram of PEF architecture is included along with supporting conceptual descriptions, to show how Message Analyzer functions are enabled by the framework.

PEF Components

Message Analyzer is a new tool for capturing, displaying, and analyzing network traffic, system messages, and log data. It is the key, outwardly-facing component in the Protocol Engineering Framework. PEF was created for the improvement of protocol design, development, documentation, and testing. The following major messaging functions are provided by various PEF components:

  • Message capturing

  • Message parsing and analysis, including message reassembly and representation

  • Message validation (data, behavior, and architecture) per protocol standards

Message Analyzer directly relies upon the following components of the PEF architecture to support its functionality:

  • Open Protocol Notation (OPN) — the protocol description language that enables developers to model protocol architecture, behavior, and data. The entire OPN system, including types, actors, endpoints, and flow is implemented in .NET classes. OPN and .NET classes are compiled to produce a binary representation of each OPN protocol description that defines specific protocol architecture, behavior, and data.

    Message Analyzer relies upon the presence of compiled OPN protocol descriptions so it can display messages that have been captured and parsed by the PEF Runtime.

  • OPN Compiler — provides the compilation infrastructure for OPN protocol descriptions. The OPN Compiler generates the binary structures that comprise the OPN Protocol Object Model (POM).

    Message Analyzer relies upon the OPN Compiler to ensure that all OPN definitions, descriptions, and filter expressions are verified, so that messages captured in a Trace Session or imported from logs and trace files in a Browse Session can be properly parsed by the PEF Runtime and thereafter displayed in a Message Analyzer viewer.

  • POM — a binary representation of a set of OPN text files in the form of a decorated syntax tree. These descriptions are utilized by the PEF Runtime to parse messages whenever you run a live trace or when you load an unparsed trace file.

  • PEF Runtime — accepts messages from various components, such as providers and logs, and processes them by using the parsing information (compiled protocol descriptions) described in the POM. The Runtime component also provides an API that enables Message Analyzer to interface with PEF. Message Analyzer relies upon the Runtime to capture and parse messages and to provide those messages in its API so Message Analyzer can access and display them in selected data viewers.

    The PEF Runtime is of central importance to Message Analyzer in performing the following tasks:

    • Listening for message packets from network driver interfaces, input adapters, and other components that are instrumented as ETW providers.

    • Querying the POM for OPN protocol descriptions that correspond to retrieved message packets.

    • Constructing OPN versions of packets retrieved from the network, providing that corresponding OPN protocol message descriptions were written.

    • Dispatching the OPN packet versions to endpoints that are monitored by POM "listeners", or “actors”, which in turn decode the packets and pass them to higher endpoints up the processing chain, repeating this process until all packets in the message stack are decoded.

    • Enabling Message Analyzer to access the decoded messages through the Runtime API and to display them in a data viewer such as the Analysis Grid.

  • PEF Driver-Providers — provide the network interfaces for capturing events and messages that are passed to the Runtime parsing engine. The Microsoft-PEF-NDIS-PacketCapture provider captures data on the wire at Link Layer; the Microsoft-PEF-WFP-MessageProvider captures at the Firewall level; and the Microsoft-PEF-WebProxy provider captures unencrypted HTTP and HTTPS browser traffic. All PEF drivers are instrumented for Event Tracing for Windows (ETW) so they can take advantage of the ETW infrastructure and deliver captured messages as events. In turn, the events are passed to the Runtime parsing engine and thereafter Message Analyzer can display them.

    Note  The Microsoft-Windows-NDIS-PacketCapture provider also captures messages at the Link Layer, however, this provider also has remote capabiltities that you can employ in certain scenarios, as described in Default Trace Scenarios.

    More Information
    To learn more about PEF providers and their features, see PEF Providers.

  • Input Adapters — provide the interfaces that define entry points or “chokepoints” into the PEF Runtime for various Import Entities, in message file formats such as .etl, .cap, .log, .matu, and .matp.

PEF architecture also contains other components, such as a POM Adapter that provides importing and exporting facilities; Simulation, which enables modeling of protocol test suites; and technical document (TD) generation, which produces documentation artifacts. These components are mentioned here because they interact with OPN protocol descriptions as part of PEF architecture, but are not directly related to Message Analyzer functions, with exception of certain POM adapters.

The diagram that follows shows how Message Analyzer fits into the PEF architecture.

Message Analyzer in PEF Architecture

Figure 6: PEF component architecture

More Information
To learn more about PEF components, including OPN programming, tutorials, walkthroughs, standard library, language, and other managed reference documentation, an OPN SDK will be available in the near future on MSDN. However, an OPN Programming Guide is currently available as a download.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
© 2014 Microsoft