
Using the Data Viewing Features

The procedures in this section encapsulate the usage of numerous Message Analyzer features that are described in the Viewing Message Data section. The procedures are intended to serve as examples of how you can analyze trace data with the use of Message Analyzer viewer features and other integrated functions.

Apply Gradient Style Color Rules — provides an example of how to utilize gradient style Color Rules to quickly flag messages that meet the filtering criteria of multiple Color Rules.

Apply a Predefined View Layout — provides an example of a predefined View Layout that presents a data column configuration that is useful for diagnosing TCP messages when applied, while also automatically grouping messages by IP conversations and ports (Group operations on the Network and Transport columns, respectively) to enhance diagnostic capabilities and perspectives.

Perform Data Grouping Operations — provides several examples of data grouping operations that demonstrate how you can filter and consolidate data from designated Analysis Grid viewer columns and reorganize them into separate groups of common properties that greatly enhance your ability to analyze data and resolve issues.

Perform Top-Level Summary Analysis — provides an example of how to use the Protocol Dashboard viewer to obtain top-level summaries at a glance for a set of trace results.

Perform Interactive Analysis with Data Viewers — illustrates a simple method for using the Protocol Dashboard and Analysis Grid viewers together in an interactive manner to enhance data analysis perspectives.

Apply Viewpoints to Trace Data — provides an example that shows you how to use the Message Analyzer Viewpoints feature, which enables you to examine data from the viewpoint of a protocol, where the messages of a specific viewpoint protocol are displayed at top-level in the Analysis Grid viewer with no message layers above them.

Apply a Quick Filter to Trace Results — provides an example that shows you how to apply a Quick Filter to a set of trace results, so that you can view data in a selected window of time.

Drive Analysis Grid Viewer and Tool Window Interactions — provides an example that demonstrates interaction between the Analysis Grid viewer and various tool windows, such as the Message Data, Field Data, Message Stack, Details, and Diagnostics Tool Windows.

Create an Alias for a Data Field Value — provides an example that demonstrates how to simplify data analysis by creating an Alias that substitutes for a cryptic field value.

Create a Union of Two Data Fields — provides an example that demonstrates how to create a Union that correlates/combines two data fields with similar values but different names into a single new field that is specified by the Union configuration.

Using the Data Filtering Features — see this procedural topic for extensive coverage of different ways to apply View Filters.


Important  If you have not logged off Windows after the first installation of Message Analyzer, please log off and then log back on before performing these procedures. This action ensures that in all subsequent logons following installation, your security token will be updated with the required security credentials from the Message Capture Users Group (MCUG). Otherwise, you will be unable to capture network traffic in Trace Scenarios that use the Microsoft-PEF-NDIS-PacketCapture provider, Microsoft-Windows-NDIS-PacketCapture provider, or the Microsoft-PEF-WFP-MessageProvider, unless you start Message Analyzer with the right-click Run as administrator option.

Apply Gradient Style Color Rules

In the procedure that follows, you will apply the predefined IPv4 Right Gradient and TCP left gradient Color Rules to a Link Layer trace that captured data with the Local Network Interfaces Trace Scenario that uses the Microsoft-PEF-NDIS-PacketCapture provider (available on Windows 7, Windows 8, and Windows Server 2012 operating systems).

Note  If your machine is running the Windows 8.1 or later operating system, you can capture the sample data referenced in this example with the Local Network Interfaces Trace Scenario that uses the Microsoft-Windows-NDIS-PacketCapture provider.

This procedure demonstrates a simple way to expose TCP messages that have an IPv4 Network Layer in the message stack. It also provides an example of how you can design multiple gradient-style Color Rules with visually coordinated opposite facing gradients, which you can then use as a troubleshooting mechanism to quickly identify message stack components at a glance.

More Information
To learn more about the concepts upon which this example procedure is based, see Using and Managing Color Rules.

To identify Transport and Network Layer messages with gradient-style Color Rules

  1. From the Start menu, Start page, or task bar of your computer, click the Microsoft Message Analyzer icon to launch Message Analyzer.

  2. Click File to open the Message Analyzer File menu, click New Session, and then select Blank Session in the New Session submenu to display the New Session dialog.

  3. Under Add Data Source in the New Session dialog, click the Live Trace button to display the Live Trace tab along with the associated session configuration features that it contains in the New Session dialog.

  4. In the Network category of the Select a trace scenario drop-down list on the Live Trace tab, click the Local Network Interfaces Trace Scenario.

    If your operating system is Windows 7, Windows 8, or Windows Server 2012, the ETW Providers list on the Live Trace tab is populated with the Microsoft-PEF-NDIS-PacketCapture provider Name and Id (GUID). Otherwise, for Windows 8.1, Windows Server 2012 R2, or later operating systems, the Microsoft-Windows-NDIS-PacketCapture provider information displays.

  5. Click the Start button in the New Session dialog to automatically select the default data viewer and start capturing data. Assuming that you have not changed the default data viewer in the Session Viewer pane on the General tab of the global Options dialog, the default viewer will be the Analysis Grid. Therefore, the captured data begins to accumulate in the Analysis Grid viewer on the Message Analyzer Home tab.

  6. While Message Analyzer is capturing data, attempt to reproduce any conditions that are related to a particular TCP or IPv4 issue you are trying to isolate, for example, network connection or packet loss problems.

  7. Stop the trace at a suitable point by clicking the Stop button in the Session group on the Ribbon of the Message Analyzer Home tab.

    Tip  You can temporarily suspend tracing operations by clicking the Pause button and you can resume tracing by clicking the Pause button again.

  8. Click the Color Rules button in the View Options group on the Message Analyzer Ribbon, and then under the Network category of the drop-down that displays, select the TCP left gradient and IPv4 Right Gradient Color Rules.

    All top-level TCP messages or other top-level messages that have TCP in the origins tree are highlighted with the light blue left-to-right gradient Color Rule style. Also, all TCP messages that have an IPv4 network layer are highlighted in the olive green right-to-left gradient Color Rule style, thus enabling you to easily view messages that meet the filtering criteria of both the applied Color Rules.

    Note  To isolate either TCP or IPv4 messages at top-level to further enhance analysis, you can apply a TCP or IPv4 viewpoint as appropriate.

Apply a Predefined View Layout

In the procedure that follows, you will apply the predefined TCP with Network Grouping View Layout to trace data that is displayed in the Analysis Grid viewer. This View Layout has a column layout configuration that contains various TCP fields, the values of which can be important when diagnosing TCP issues. The columns that hold TCP field data include DestinationPort, SourcePort, PayloadLength, SequenceNumber, AcknowledgementNumber, and WindowScaled. A TimeDelta field is also included to measure the difference in Timestamp values between TCP messages. The predefined layout also includes groupings of the Network and Transport columns that present the details of the IP conversations that took place on corresponding TCP ports within a trace. Note that the Network and Transport columns were removed after the Grouping operation, but before this View Layout was saved in the default View Layout Library item collection.

More Information
To learn more about the concepts upon which this example procedure is based, see Applying and Managing View Layouts.

To apply a predefined View Layout for TCP diagnosis

  1. Perform steps 1 through 7 of the procedure To identify Transport and Network Layer messages with gradient-style Color Rules to start and stop a Message Analyzer Live Trace Session that uses the Local Network Interfaces Trace Scenario.

  2. Click the View Layout button in the View Options group on the Ribbon of the Message Analyzer Home tab and then click the TCP with Network Grouping item in the drop-down list that appears.

    The new column configuration displays and the data is grouped into Network and Transport groups, as indicated by corresponding labels above the tree grid. The data groups are also organized such that the Transport nodes are nested within the Network nodes. Note that the Network conversations can use either IP or Ethernet addresses.

  3. Expand a particular Network node to expose the Transport node it contains.

    The exposed Transport node provides an indication of the number of messages that it contains, along with the source and destination TCP ports over which IP or Ethernet conversations took place.

  4. Expand the Transport node to display the TCP messages, so that you can examine the TCP field data. If you are dealing with loss of packets, you might check the WindowScale field for low values.

  5. Repeat steps 3 and 4 for other Network and Transport nodes as appropriate.

  6. To obtain a different perspective on the data, drag the Transport group label and drop it to the left of the Network group label.

    The data is now grouped and organized with Network nodes nested within the Transport nodes.

Perform Data Grouping Operations

In the procedure that follows, you will execute the Group command on various Analysis Grid viewer data columns, including the ContentType, Transport, Source or Destination, and Diagnosis data columns. The grouping operations will enable you to quickly determine the object types being requested by your web browser, assess the heaviest port traffic, determine the IP addresses carrying the most traffic, and examine grouped diagnosis message types, respectively. In this procedure, the Analysis Grid viewer will be populated with message data that you capture with the Microsoft-PEF-WFP-MessageProvider in the Loopback and Unencrypted IPSEC Trace Scenario, and the focus will be on Application Layer (HTTP) and Transport Layer messages.

More Information
To learn more about the concepts upon which this example procedure is based, see Using the Data Grouping Feature.

To perform multiple data grouping operations for analysis

  1. Perform steps 1 through 3 of the procedure To identify Transport and Network Layer messages with gradient-style Color Rules, to start Message Analyzer and open the New Session dialog for Live Trace Session configuration.

  2. In the Network category of the Select a trace scenario drop-down list on the Live Trace tab, click the Loopback and Unencrypted IPSEC Trace Scenario. Alternatively, click the Loopback and Unencrypted IPSEC Trace Scenario in the Quick Trace list that is accessible from the Message Analyzer File menu.

    The Microsoft-PEF-WFP-MessageProvider information displays in the ETW Providers list on the Live Trace tab, which includes the provider Name, GUID, and a Configure link that opens the Advanced Settings dialog for this provider.

    Note  In addition to capturing loopback traffic and unencrypted IPSEC messages, the Microsoft-PEF-WFP-MessageProvider minimizes other lower-level noise such as broadcast traffic at the Data Link Layer, so that you can focus your analysis on Transport Layer messages and above. Also note that messages below the Transport Layer are typically represented in the message stack as a WFPCapture layer with an ETW layer below it.

  3. If the Start With drop-down list in the New Session dialog does not indicate the Analysis Grid viewer, then click the drop-down list and select it.

  4. Click the Start button in the New Session dialog to start capturing data.

    The captured data begins to accumulate in the Analysis Grid viewer on the Message Analyzer Home tab.

  5. While Message Analyzer is capturing data, launch a web browser and attempt to reproduce any conditions that are related to a particular HTTP issue you are trying to troubleshoot, for example, you might attempt to navigate to a poorly performing web server with your browser.

  6. Stop the trace at a suitable point by clicking the Stop button in the Session group on the Ribbon of the Message Analyzer Home tab.

  7. Click the Choose Columns button in the View Options group on the Ribbon of the Message Analyzer Home tab to display the Column Chooser Tool Window in its default location, if it is not already displayed.

  8. Open the HTTP node in Column Chooser and navigate to the ContentType field in the HTTP Operation message hierarchy, right-click the field, and then select the Add As Column context menu item to add the ContentType column to the Analysis Grid viewer.

  9. Open the TCP node in Column Chooser and navigate to the Transport field in the Segment message hierarchy, right-click the field, and then select the Add As Column context menu item to add the Transport column to the Analysis Grid viewer.

  10. Right-click the ContentType column in the Analysis Grid viewer and select the Group command from the context menu.

    The trace data is grouped according to the different content types associated with HTTP messages, so that you can examine the types of objects being passed to your web browser by the server. You might also add the ResponseTime field from the Global Annotations node in Column Chooser as a new column in the Analysis Grid so that you can determine how quickly the web server is responding to HTTP requests. You can even sort the ResponseTime column in descending order and then Group this column to quickly expose the slowest server responses and associated messages.

    Tip  To create a more focused analysis, you can limit the display to HTTP messages only by specifying an HTTP Viewpoint; you can do this by clicking the Viewpoints button in the Viewpoints group on the Ribbon of the Message Analyzer Home tab and selecting the HTTP menu item.

  11. Remove all Group configurations from the Analysis Grid, including the ContentType group, by clicking the “x” in each group label above the tree grid.

  12. Right-click the Transport column in the Analysis Grid viewer and select the Group command from the context menu.

    The trace data is grouped according to the different Transport types, such as TCP or UDP, so that you can examine the ports across which the heaviest traffic is flowing.

  13. Remove the Transport grouping in the indicated manner and then execute the Group command on the default Source or Destination column of the Analysis Grid viewer.

    The trace data is grouped according to Source or Destination, as appropriate, so that you can determine which IP addresses are carrying the most traffic. Note that you can obtain similar statistics by executing a Group command on the Network column, which you can add from the IP message hierarchy in the Column Chooser.

    Note  You can also nest groups by performing successive Group operations on multiple columns. For example, you can Group each of the Source and Destination columns, in that order, to organize all the Destination traffic that is associated with each Source address, or vice versa.

  14. Remove all Group configurations to return to the original Analysis Grid display and then execute the Group command on the DiagnosisTypes column in the Analysis Grid viewer.

    The trace data is grouped according to the different types of diagnosis messages, which include the Application, InsufficientData, Parsing, and Validation message types, so that you can immediately assess the types of errors that occurred in your trace. For more information about the meaning of these diagnosis message types, see the “Enum Values for DiagnosisType filters” table in the Diagnosis Category topic.

Perform Top-Level Summary Analysis

In the procedure that follows, you will use several viewing infrastructure components to accomplish simple data analysis tasks. For example, you will use graphic chart visualizer components of the Protocol Dashboard viewer, including the Top Level Protocol Summary bar and pie charts and the timeline visualizer components of the Top Level Protocols Over Time graph, to view top-level protocol summary data that can reflect traffic volume levels for the message types in a trace, along with message activity across selected windows of time into which you can zoom. In the first part of the procedure, you will use the Microsoft-PEF-NDIS-PacketCapture provider in the Local Network Interfaces Trace Scenario to capture message data in a Live Trace Session. However, if you are running the Windows 8.1 or Windows Server 2012 R2 operating system, you will be using the Microsoft-Windows-NDIS-PacketCapture provider in this Trace Scenario.

This example also shows how to use the SMB Reads and Writes, SMB File Stats, and SMB/SMB2 Service Response Time viewers to expose file access activities and statistics. In this part of the procedure, you will start a new session with the Loopback and Unencrypted IPSEC Trace Scenario, in which you will use the Microsoft-PEF-WFP-MessageProvider to focus on statistical summaries of SMB/SMB2 file access operations at and above the Transport Layer.

More Information
To learn more about the Protocol Dashboard viewer, see the Protocol Dashboard topic.
To learn more about the SMB chart viewers, see the subtopics in the File Sharing Category section.

To analyze top level summary data

  1. Perform steps 1 through 5 of the procedure To identify Transport and Network Layer messages with gradient-style Color Rules to start a Message Analyzer Live Trace Session with the Local Network Interfaces Trace Scenario.

  2. While Message Analyzer is capturing data, attempt to reproduce any conditions that are related to a particular issue you might be trying to resolve, for example, a high volume of TCP traffic to a target computer.

  3. Stop the trace at a suitable point by clicking the Stop button in the Session group on the Ribbon of the Message Analyzer Home tab.

  4. In the Session Explorer Tool Window, right-click a session node, highlight the New Viewer item, and then select the Protocol Dashboard item in the Dashboards category of the context menu.

  5. In the Protocol Dashboard viewer, observe the numerical and graphical presentation of top protocol activity in the trace by examining the Top Level Protocol Summary and Top Level Protocols Over Time visualizer components, which expose the relevant statistics.

    In the Top Level Protocol Summary table and bar chart sections of the dashboard, you can observe message traffic volume sorted in descending order from highest to lowest. Note that an extraordinarily high traffic volume for a particular module can immediately expose the top bandwidth consumer, and heavy TCP traffic might indicate that you have a large quantity of TCP retransmits or duplicate ACK messages in your trace.

    If you suspect there is an issue with a protocol or module that has particularly high traffic volume, you can double-click the bar or pie chart segment representing the module in the Top Level Protocol Summary to display only those specific messages in a separate Analysis Grid viewer tab for further investigation. You can also adjust the time window slider controls of the Top Level Protocols Over Time visualizer component to zoom into specific messages in a particular time slot and then double-click a message node to display that traffic only in a separate Analysis Grid viewer tab for further investigation.

  6. Start another Live Trace Session with the Loopback and Unencrypted IPSEC Trace Scenario and capture data live with Message Analyzer while performing file access operations.

  7. Stop the trace at a suitable point and launch the SMB Reads and Writes data viewer from the File Sharing category of the Session Explorer context menu to obtain statistics that reflect the network bandwidth being consumed by the file access/sharing activities of the Server Message Block (SMB) protocols.

    Adjust the time window slider controls in the SMB Reads and Writes viewer to zoom into specific messages in a particular time slot.

  8. Double-click a message node or timeline in the SMB Reads and Writes data viewer to display specific traffic in a separate Analysis Grid viewer tab for further investigation.

    Tip  You can also use the Column Chooser to add an SMB FileName or SMB2 FileName column to the Analysis Grid viewer and then execute a Group command on the new column so that you can examine the SMB traffic that is associated with access to specific files.

  9. Optionally, select the SMB File Stats viewer in the File Sharing category from the New Viewer drop-down list in the Session group on the Ribbon of the Message Analyzer Home tab. In this viewer, you can examine a summary of SMB file statistics that includes access duration, total number of bytes for each file or folder access operation, and the data transmission rates, as described in SMB File Stats.

    You might also consider selecting the SMB/SMB2 Service Response Time viewer to examine statistics that expose how long first responses to SMB operations are taking (ResponseTime), as an indication of a slow server; and how long it is taking for operations to complete (ElapsedTime), as a possible indication of network issues; as described in SMB/SMB2 Service Response Time.

Perform Interactive Analysis with Data Viewers

The procedure that follows provides a simple example of how you might utilize the Analysis Grid and Protocol Dashboard viewers interactively to analyze captured message data.

More Information
To learn more about data viewers and how they interact, see Data Viewer Concepts.

To analyze data through data viewer interaction

  1. Perform steps 1 through 4 of the procedure To identify Transport and Network Layer messages with gradient-style Color Rules, to start Message Analyzer, open the New Session dialog for Live Trace Session configuration, and select the Local Network Interfaces Trace Scenario.

  2. Click the Start With drop-down list in the New Session dialog and select the Protocol Dashboard viewer in the Dashboards category.

  3. Click the Start button in the New Session dialog to begin capturing data in a Live Trace Session.

    The captured data begins to accumulate in the Protocol Dashboard viewer on the Message Analyzer Home tab.

  4. While Message Analyzer is capturing data, attempt to reproduce any conditions that are related to a particular issue you are trying to isolate.

  5. Stop the trace at a suitable point and observe the relative distribution of captured message volumes in the Top Level Protocol Summary bar chart visualizer component, in an attempt to isolate suspected message traffic that might be related to failures in a particular component or system.

  6. In the bar chart, double-click the graphic bar representing the message traffic you want to target, for example, a protocol that has a high volume of messages.

    A separate Analysis Grid viewer tab opens and contains only the traffic that you targeted.

  7. Sort the DiagnosisTypes column in the Analysis Grid viewer to bubble up any errors that might have occurred in the target traffic.

  8. Perform a Group operation by right-clicking the DiagnosisTypes column in the Analysis Grid viewer and selecting the Group command from the context menu that displays. The data is then organized into expandable group nodes that contain different diagnosis message types. By expanding each node, you can view the messages that contain the diagnosis errors.

  9. Click the diagnosis error icons in the DiagnosisTypes column under the expanded group nodes to review the error message text. You might also examine the Summary column descriptions for these messages in the Analysis Grid viewer to discover any evidence of the underlying failures that are associated with the diagnosis errors that occurred.

    For more information about the meaning of diagnosis message types, see the “Enum Values for DiagnosisType filters” table in the Diagnosis Category topic.

Apply Viewpoints to Trace Data

In the procedure that follows, you will apply HTTP and TCP Viewpoints so that you can view HTTP- or TCP-related traffic at top-level, without having to drill down into the message stack to expose these messages. In addition, you will alternately toggle operations off and on so that you can expose typical request and response messages, either in their original chronological order (operations off) or encapsulated in top-level operation rows (operations on) in the Analysis Grid viewer, respectively.

More Information
To learn more about Viewpoints, see Applying and Managing Viewpoints.

To analyze data with applied Viewpoints

  1. From the Start menu, Start page, or task bar of your computer, click the Microsoft Message Analyzer icon to launch Message Analyzer.

  2. Click File to open the Message Analyzer File menu, click New Session, and then select Blank Session in the New Session submenu to display the New Session dialog.

  3. Under Add Data Source in the New Session dialog, click the Live Trace button to display the Live Trace tab along with the associated session configuration features that it contains in the New Session dialog.

  4. In the Network category of the Select a trace scenario drop-down list on the Live Trace tab, click the Loopback and Unencrypted IPSEC Trace Scenario. Alternatively, click the Loopback and Unencrypted IPSEC Trace Scenario in the Quick Trace list that is accessible from the Message Analyzer File menu.

    The Microsoft-PEF-WFP-MessageProvider information displays in the ETW Providers list on the Live Trace tab, which includes the provider Name, GUID, and a Configure link that opens the Advanced Settings dialog for this provider.

    Note  In addition to capturing loopback traffic and unencrypted IPSEC messages, the Microsoft-PEF-WFP-MessageProvider minimizes other lower-level noise such as broadcast traffic at the Data Link Layer, so that you can focus your analysis on Transport Layer messages and above.

  5. If the Start With drop-down list in the New Session dialog does not indicate the Analysis Grid viewer, then click the drop-down list and select it.

  6. Click the Start button in the New Session dialog to start capturing data.

    The captured data begins to accumulate in the Analysis Grid viewer on the Message Analyzer Home tab.

  7. While Message Analyzer is capturing data, launch a web browser and attempt to reproduce any conditions that are related to a particular HTTP issue you are trying to isolate, for example, a slowly responding or non-responsive web server.

  8. Stop the trace at a suitable point by clicking the Stop button in the Session group on the Ribbon of the Message Analyzer Home tab.

  9. In the Analysis Grid viewer, note that you have HTTP messages displaying as top-level operation message rows, as signified by messages with a blue cubes icon to the left of the message number, along with some TCP messages at top-level and others hidden within the message stack. You may also have HTTP fragments hidden within Analysis Grid viewer expansion nodes. This configuration of displayed messages is typical of the results returned by the Microsoft-PEF-WFP-MessageProvider, which focuses on Transport Layer messages and above.

  10. Click the Viewpoints button in the Viewpoints group on the Ribbon of the Message Analyzer Home tab and select the HTTP viewpoint item from the drop-down list that displays.

    All HTTP messages display in top-level message rows in the Analysis Grid viewer, which can also include fragments in the message origins tree. In this view configuration, you can focus on HTTP messages without the encumbrance of other message types in display. However, because associated HTTP request and response messages are grouped as operations to provide context, there can be some chronological displacement of response messages in this configuration that you can resolve by hiding the operations. See the Important note below.

  11. Click the Hide Operations button in the Viewpoints group on the Ribbon of the Message Analyzer Home tab.

    Note that the HTTP messages that were formerly grouped under operation nodes are now displayed in chronological order in the Analysis Grid viewer.

  12. Click the Hide Operations button again to show operations and then click the Default ViewPoint button in the Viewpoints group on the Ribbon to return to the default Analysis Grid viewpoint.

  13. Next, isolate TCP messages in the trace by selecting the TCP viewpoint item in the Viewpoints drop-down list.

    All TCP messages display in top-level message rows in the Analysis Grid viewer. Note that you will not see any operation message nodes in this view because the TCP Viewpoint filters them out.

  14. From the TCP Viewpoint, you can use your typical data analysis tools such as sorting, grouping, filtering, sequence expression matching, annotating, and so on, when assessing your data. You might also apply the predefined TCP or TCP with Network Grouping View Layout from the View Layout drop-down in the View Options group on the Ribbon of the Home tab so you can focus on important TCP field data.

Important  Pairing up request and response messages in operation nodes for protocols that typically use request/response pairs, such as HTTP, DNS, and SMB, provides immediate access to response messages rather than having to search through hundreds of messages to find them. Another advantage of this configuration is that you can readily measure important values such as ResponseTime and ElapsedTime, which specify how long it took for the first server response and how long it took to receive all message fragments in the operation, respectively. High values for these times can provide an indication of a poorly responding server in the first case and network latency issues in the second. The ElapsedTime is displayed by default in the Analysis Grid viewer; however, you must add the ResponseTime column by right-clicking it under Global Annotations in the Column Chooser Tool Window and selecting Add as Column.
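To make the ResponseTime/ElapsedTime distinction in the note concrete, here is an added illustration (not Message Analyzer code) that pairs request and response fragments into operations over a constructed set of timestamped messages and computes both values the way the note defines them; the `op` field, the timestamps, and the two thresholds used to label slow operations are assumptions for the example.

```python
"""Illustration of the ResponseTime and ElapsedTime annotations.

Constructed sample data; this is not Message Analyzer's own code. Timestamps
are seconds since trace start. The 'op' key ties a request to its response
fragments and stands in for the operation nodes the Analysis Grid builds.
"""
from collections import defaultdict

# Constructed sample messages: each HTTP request followed by response fragments.
SAMPLE_MESSAGES = [
    {"op": 1, "kind": "request",  "ts": 0.000},
    {"op": 1, "kind": "response", "ts": 0.120},
    {"op": 1, "kind": "response", "ts": 0.130},
    {"op": 2, "kind": "request",  "ts": 1.000},
    {"op": 2, "kind": "response", "ts": 3.500},   # first response arrives late
    {"op": 2, "kind": "response", "ts": 3.520},
    {"op": 3, "kind": "request",  "ts": 5.000},
    {"op": 3, "kind": "response", "ts": 5.050},   # fast first response...
    {"op": 3, "kind": "response", "ts": 9.200},   # ...but the last fragment trickles in
]


def operation_times(messages):
    """Return {op: (ResponseTime, ElapsedTime)} in seconds.

    ResponseTime = timestamp of the first response fragment - request timestamp
    ElapsedTime  = timestamp of the last response fragment  - request timestamp
    Operations with no response yet get no annotation, mirroring an unanswered request.
    """
    by_op = defaultdict(list)
    for m in messages:
        by_op[m["op"]].append(m)

    result = {}
    for op, msgs in by_op.items():
        requests = [m["ts"] for m in msgs if m["kind"] == "request"]
        responses = sorted(m["ts"] for m in msgs if m["kind"] == "response")
        if not requests or not responses:
            continue
        req_ts = min(requests)
        result[op] = (round(responses[0] - req_ts, 3), round(responses[-1] - req_ts, 3))
    return result


def classify(times, response_threshold=1.0, elapsed_threshold=2.0):
    """Label each operation following the note's interpretation.

    A high ResponseTime points at a slow server; a large gap between ElapsedTime
    and ResponseTime means the fragments were slow to arrive, which points at the
    network. The thresholds are assumed values for this example, not defaults.
    """
    labels = {}
    for op, (response_time, elapsed_time) in times.items():
        if response_time > response_threshold:
            labels[op] = "slow server response"
        elif elapsed_time - response_time > elapsed_threshold:
            labels[op] = "slow fragment delivery (possible network latency)"
        else:
            labels[op] = "ok"
    return labels


if __name__ == "__main__":
    times = operation_times(SAMPLE_MESSAGES)
    for op, label in classify(times).items():
        print(f"op {op}: ResponseTime={times[op][0]}s ElapsedTime={times[op][1]}s -> {label}")
```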

Apply a Quick Filter to Trace Results

In the procedure that follows, you will start a Data Retrieval Session and apply a Quick Filter to a data set that you will load into Message Analyzer from a saved trace or log file, so that you can temporarily focus on analyzing messages in a specified window of time. You will also verify that you can toggle back and forth between the time-filtered data and your original data, as your analysis might require.

More Information
To learn more about Quick Filters, see Applying Quick Filters.

To apply a time window filter to trace results with a Quick Filter

  1. From the Start menu, Start page, or task bar of your computer, click the Microsoft Message Analyzer icon to launch Message Analyzer.

  2. Click File to open the Message Analyzer File menu, click New Session, and then select Blank Session in the New Session submenu to display the New Session dialog.

  3. Under Add Data Source in the New Session dialog, click the Files button to display the Files tab along with the associated session configuration features that it contains in the New Session dialog for a Data Retrieval Session.

  4. On the Files tab of the New Session dialog, click the Add Files button on the toolbar to launch the Open dialog, select a large trace or log file containing data that you want to view in a specific time window, and then click Open.

    The name of the trace or log file appears in the files list.

  5. If you loaded a log file, you can optionally choose an applicable configuration file from the Text Log Configuration drop-down list on the toolbar of the Files tab for your log, to enable full parsing of messages.

  6. Without configuring a Time Filter or adding a Session Filter to the Data Retrieval Session configuration, click the Start button in the New Session dialog to automatically select the default data viewer and start loading the message data.

  7. After the message data is loaded and displayed in a data viewer such as the Analysis Grid, click the Quick Filter button in the Filter group on the Ribbon of the Message Analyzer Home tab to open the Quick Filtering dialog.

  8. In the Quick Filtering dialog, ensure that the Data Source check box is selected for the data source to which the Quick Filter will be applied.

  9. In the Time Filter pane of the Quick Filtering dialog, select the Use Start Filter and Use End Filter check boxes and then adjust the left and right Time Filter slider controls to configure a window of time in which you want to view data. As you do this, the following occurs:

    • The number of messages that are contained in the configured time window is displayed in the Filtered Messages read-only text box.

    • As you adjust the left and right slider controls, the text boxes to the left and right of the slider controls respectively indicate the lower and upper boundaries of the time window in which you will view data.

    • A Timestamp filter is automatically generated as you adjust the left and right Time Filter slider controls to define the start and end time-filtering criteria of the target time window.

  10. When you finish with the Quick Filter configuration, click the Apply button to filter the message data according to the time window you specified.

    The number of messages displaying in the default data viewer is reduced in accordance with the specified Quick Filter configuration, thus enabling you to perform analysis on a focused data set.

  11. To remove the time filtering configuration that you applied, click the Quick Filter drop-down menu in the Filter group on the Ribbon and select the Remove Quick Filter item to return to your original data.

  12. To reapply the time filtering configuration, click the Quick Filter drop-down menu in the Filter group again and select the Apply Quick Filter item. Note that you can toggle application and removal of a Quick Filter as many times as your analysis requires.

    Notes  Quick Filters do not persist across sessions, which means that you will need to create a new Quick Filter configuration for every session where you want to apply time window filtering. Also note that you can save any data set to which you have applied a Quick Filter by clicking Save As on the Message Analyzer File menu and using the Filtered Messages option to perform the save with the Save/Export Session dialog.

Drive Analysis Grid Viewer and Tool Window Interactions

In the procedure that follows, you will run a trace and display data in the Analysis Grid viewer. Thereafter, through message selection in the Analysis Grid viewer, or message and field selection in various tool windows, the procedure will demonstrate how to interactively drive the display of data in these viewing components to facilitate rapid assessment of message details, which include field values and types, hexadecimal data, diagnosis message types and details, message stack configurations, and so on. This procedure assumes that certain tool windows you will be working with are not currently displayed in the Message Analyzer analysis surface. If they are already displayed, please ignore the steps that specifically require you to display them.

More Information
To learn more about how to position Message Analyzer data viewers and Tool Windows for enhanced data analysis, see Redocking Data Viewers and Tool Windows.

To drive interaction between the Analysis Grid viewer and tool windows

  1. Perform steps 1 through 7 of the procedure To identify Transport and Network Layer messages with gradient-style Color Rules to start and stop a new Message Analyzer Live Trace Session that uses the Local Network Interfaces Trace Scenario.

  2. Click the Tool Windows drop-down list in the Windows group on the Ribbon of the Message Analyzer Home tab and select the Diagnostics menu item to display the Diagnostics Tool Window in its default docking location.

    Note  The Diagnostics window is a preview feature that will not be included in the Tool Windows drop-down list unless you have first selected it on the Features tab of the global Options dialog. This dialog is accessible from the Message Analyzer File menu. Note that a Message Analyzer restart is required after this selection.

  3. Click the Tool Windows drop-down list in the Windows group again and select the Message Stack item to display the Message Stack Tool Window in its default docking location.

  4. Ensure that the Message Stack window is in focus (click its tab) and then select any message in the Analysis Grid viewer.

    Observe that message selection in the Analysis Grid drives message selection in the Message Stack window and message details in the Details Tool Window.

  5. Click the Diagnostics window tab in its default docking location to bring it into focus and then select one or more diagnosis message types in the Diagnostics grid.

    Observe that message selection in the Diagnostics window drives selection of one or more top-level messages in the Analysis Grid viewer and message details in the Details window.

    Note  You should be aware that even though top-level messages are highlighted, the actual message that contains a diagnosis error might be at a lower layer. You can determine this by expanding message nodes in the Analysis Grid viewer under the highlighted top-level message. In addition, note that the Diagnostics window data columns make the details of all diagnosis messages in the current trace results readily accessible without having to drill down into the origins tree through node expansion to see them.

  6. Click the Message Data window tab in its default docking location to bring it into focus and then select any message in the Analysis Grid viewer.

    Observe that message selection in the Analysis Grid viewer drives the display of message details in the Details window and hexadecimal data selection in the Message Data window.

    Note  If you select the top-level message in any operation row, it does not display any data in the Message Data window. Rather, you must expand the operation node in the Analysis Grid and select one of the nested messages that it contains to display hexadecimal data selection.

  7. Select any message in the Analysis Grid viewer and then select a field Name in the Details window.

    Observe that field selection in the Details window drives the display of a hexadecimal field value in the Message Data window and a field value in the Field Data Tool Window as well.

Create an Alias for a Data Field Value

In the procedure that follows, you will perform a live trace and display the results data in the Analysis Grid viewer. You will then create an Alias for an IPv6 address and name it with a string value of “MyComputer”. You will then use the new Alias in a Filter Expression that you apply to the trace.

More Information
To learn more about the Aliases feature, see Using and Managing Aliases.

To create a field value Alias

  1. Perform steps 1 through 7 of the procedure To identify Transport and Network Layer messages with gradient-style Color Rules to start and stop a new Message Analyzer Live Trace Session that uses the Local Network Interfaces Trace Scenario.

  2. In the Destination column of the Analysis Grid viewer, right-click an IPv6 address for the local computer and select the Create Alias for ‘Destination’… item in the context menu that displays. If you do not know the IPv6 address of the local computer, run IPConfig /All at the command line.

    The Alias Editor dialog displays, in which you can specify an Alias name, Description, and Category.

  3. In the Alias text box of the Alias Editor dialog, specify a friendly name such as “MyComputer”, or specify another name that is appropriate for your environment.

  4. In the Description text box of the Alias Editor dialog, enter a description that identifies the purpose of the Alias, for future reference and for identification when sharing the Alias with other users.

    The Description text will display in a tool tip when you hover over the Alias name in the Aliases drop-down list with your mouse, or when you hover over the Alias name in the Manage Alias dialog.

  5. In the Category combo box of the Alias Editor dialog, either select an existing Category or specify a new one, for example “IPv6 Addresses”.

    Any new Category that you specify appears as a subcategory under the top-level My Items category and will contain the new Alias after you Save it.

  6. In the Alias Editor dialog, ensure that the Auto Refresh Views check box is selected if you want Message Analyzer to immediately perform a refresh of all data viewers that will be impacted by application of the new Alias.

  7. In the Alias Editor dialog, click the Save button to save your new Alias.

    All data viewers, including the Analysis Grid and Charts, are updated to reflect application of the new Alias, providing that the Auto Refresh Views check box was selected when you saved the Alias. If this is the case, observe that the IPv6 address of the local computer is now identified in the Source and Destination address columns of the Analysis Grid viewer as “MyComputer”.

    Also verify that the new Alias appears in the Aliases drop-down list in the Customize Fields group on the Ribbon of the Home tab, and in the Category that you specified. In a similar manner, the Alias should also appear in the Manage Alias dialog.

  8. In the Filter Expression text box of the View Filter Tool Window, enter the following text to create a Filter Expression that uses your new Alias:

    *Source == "MyComputer"

    Note  If the View Filter window is not currently displayed, click the View Filter button in the Filter group on the Ribbon of the Message Analyzer Home tab to display the window in its default location.

  9. Click the Apply button on the toolbar of the View Filter window and observe that the specified filter removes all traffic except the messages in which “MyComputer” represents either the Source or Destination (local) computer IPv6 address.

Note  If you want to save the filter you created in this procedure, select the New Filter item in the Library drop-down of the View Filter window and provide a Name, Description, and Category for the filter in the Edit Filter dialog before you Save it. The filter might look similar to either of the following, depending on the message provider in use: IPv6.Source == "MyComputer" or WFPCapture.Source == "MyComputer".
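The following is an added example, not Message Analyzer code, that models how an Alias and a wildcard Filter Expression such as *Source == "MyComputer" work together: the Alias maps a raw field value to a friendly name, and the leading asterisk matches a field named Source in any layer of the message stack, which is why the same filter matches IPv6.Source in one trace and WFPCapture.Source in another. The IPv6 address, the message layers and the lookup rules are constructed assumptions for the model.

```python
# Added example (not Message Analyzer code): Alias resolution plus a
# wildcard field-path filter over layered messages.
from dataclasses import dataclass

# Alias table as configured in the Alias Editor: raw value -> friendly name.
# The IPv6 address is a constructed sample, not a real host.
ALIASES = {"fe80::1c2b:3d4e:5f60:7a8b": "MyComputer"}

@dataclass
class Layer:
    protocol: str   # e.g. "IPv6", "WFPCapture", "TCP"
    fields: dict    # field name -> raw value

@dataclass
class Message:
    stack: list     # layers from the top-level protocol downward

def resolve_alias(value):
    """Return the Alias name for a value when one is defined, else the value."""
    return ALIASES.get(str(value), value)

def lookup(msg, path):
    """Resolve a field path against a message.
    '*Name' matches a field called Name in any layer (first hit from the top);
    'Proto.Name' matches only that named layer (assumed semantics)."""
    if path.startswith("*"):
        name = path[1:]
        for layer in msg.stack:
            if name in layer.fields:
                return resolve_alias(layer.fields[name])
        return None
    proto, _, name = path.partition(".")
    for layer in msg.stack:
        if layer.protocol == proto and name in layer.fields:
            return resolve_alias(layer.fields[name])
    return None

def filter_messages(messages, path, expected):
    """Keep only messages whose resolved field equals the expected value."""
    return [m for m in messages if lookup(m, path) == expected]

# Constructed sample: one message per provider, plus one where the local
# address is the Destination rather than the Source.
LOCAL = "fe80::1c2b:3d4e:5f60:7a8b"
SAMPLE = [
    Message([Layer("IPv6", {"Source": LOCAL, "Destination": "fe80::9"}),
             Layer("TCP", {"SourcePort": 50000})]),
    Message([Layer("WFPCapture", {"Source": LOCAL, "Destination": "fe80::9"})]),
    Message([Layer("IPv6", {"Source": "fe80::9", "Destination": LOCAL})]),
]

if __name__ == "__main__":
    for path in ("*Source", "IPv6.Source", "WFPCapture.Source", "*Destination"):
        hits = filter_messages(SAMPLE, path, "MyComputer")
        print(f'{path} == "MyComputer": {len(hits)} message(s)')
```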

Create a Union of Two Data Fields

In the procedure that follows, you will load data into Message Analyzer from two saved files that contain related data captured in a common environment and within the same timeframe; one is a log file and the other is the output of an earlier live trace. The procedure specifies files that contain messages from SMB operations that have identical value data for certain fields, but which are named differently. After you load your data files into Message Analyzer, the data will display by default in the Analysis Grid viewer and in an interlaced fashion. Thereafter, you will create a Union that combines two fields of equal value but with different names into a single field with a new name, to simplify your data analysis processes with Message Analyzer.

Advisory  Because creating a working Union in your Message Analyzer installation depends on combining fields that are specific to your environment, the procedure that follows must use hypothetical field names, such as Command.smb_cmd and Command. Therefore, when using this procedure to create a working Union, you should substitute actual field names that are contained in actual data files that are specific to your environment. In addition, you have the option to specify any Union name that is appropriate for your needs.

Note  Message Analyzer does not yet support creating Unions for text logs.

More Information
To learn more about Unions, see Configuring and Managing Unions.

To create a Union of two related data fields

  1. From the Start menu, Start page, or task bar of your computer, click the Microsoft Message Analyzer icon to launch Message Analyzer.

  2. Click File to open the Message Analyzer File menu, click New Session, and then select Blank Session in the New Session submenu to display the New Session dialog.

  3. Under Add Data Source in the New Session dialog, click the Files button to display the Files tab along with the associated session configuration features that it contains in the New Session dialog for a Data Retrieval Session.

  4. On the Files tab of the New Session dialog, click the Add Files button on the Files tab toolbar to launch the Open dialog, select the trace and log files that contain the data fields for which you will create a Union, and then click Open.

    The names of the trace and log files appear in the files list.

  5. Observe the current View With drop-down list selection in the New Session dialog; if it is not the Analysis Grid viewer, click the drop-down list and select the Analysis Grid item.

  6. Click the Start button in the New Session dialog and observe that the messages loaded into Message Analyzer from the log and trace files display in a chronological interlaced fashion in the Analysis Grid, with a column for each differently named field of interest that displays similar values in each corresponding column.

  7. Click the Unions drop-down arrow in the Customize Fields group on the Ribbon of the Message Analyzer Home tab and select the New Union item to display the Edit Union dialog.

  8. In the Edit Union dialog, perform the following:

    • In the Name text box, specify a name for the Union. Be sure to enter a name that is meaningful in your environment. In this example, the hypothetical Union name is SMBCommand2.

    • In the Category combo-box, either select an existing Category or type a new one.

    • To add the fields you want to combine in the Union, click the Add button to display the Field Chooser tool, in which you can locate the field names. Note that you can add only one field at a time with the Field Chooser. In this example, the hypothetical field names are Command.smb_cmd and Command.

      As you add fields, you should notice the Type label displaying the most appropriate data type for the combined fields, as calculated by Message Analyzer; see Creating Unions for more information.

    • When you are finished configuring the Union, click the Save button in the Edit Union dialog.

      The new Union is added to the root Unions node in the Field Chooser and Column Chooser Tool Windows.

  9. Open the Column Chooser window by clicking the Choose Columns button in the View Options group on the Ribbon of the Message Analyzer Home tab.

  10. Expand the root Unions node in the Column Chooser and then double-click the name of the new Union to add it as a new column in the Analysis Grid viewer.

    Observe that the new Union column correlates the data field values for the disparate field names that you specified in the Union. Note that you can remove the disparate field columns from the Analysis Grid viewer by selecting the Remove command that displays as a context menu item when you right-click the corresponding column header for each field. When the original field columns are removed from the Analysis Grid viewer, the Union name column will continue to correlate the values for the underlying data fields contained in the Union.
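The following is an added example, not Message Analyzer code, that models what the Union in this procedure does: messages from a trace and a log are interlaced chronologically, the differently named fields Command.smb_cmd and Command are coalesced into one SMBCommand2 column, a common type is derived for the combined fields, and the Union column survives removal of the original field columns. The field and Union names are the hypothetical ones from the procedure, and the records are constructed.

```python
# Added example (not Message Analyzer code): a Union of two differently
# named fields over interlaced trace and log records.
from datetime import datetime

# Constructed records: a saved trace and a text log covering the same SMB
# activity, each naming the command field differently.
TRACE = [
    {"Timestamp": datetime(2014, 5, 1, 10, 0, 0, 100000), "Command.smb_cmd": 0x72},
    {"Timestamp": datetime(2014, 5, 1, 10, 0, 0, 300000), "Command.smb_cmd": 0x73},
]
LOG = [
    {"Timestamp": datetime(2014, 5, 1, 10, 0, 0, 200000), "Command": 0x72},
    {"Timestamp": datetime(2014, 5, 1, 10, 0, 0, 400000), "Command": 0x73},
]

def interlace(*sources):
    """Merge message sets in chronological order, as the Analysis Grid does."""
    rows = [dict(m) for src in sources for m in src]   # copy, never mutate input
    return sorted(rows, key=lambda m: m["Timestamp"])

def union_type(messages, fields):
    """Derive a single type for the combined fields (assumed rule: the one
    shared Python type if all contributing values agree, otherwise str)."""
    types = {type(m[f]) for m in messages for f in fields if f in m}
    return types.pop() if len(types) == 1 else str

def apply_union(messages, name, fields):
    """Add the Union column: the first contributing field present in a row."""
    for m in messages:
        m[name] = next((m[f] for f in fields if f in m), None)
    return messages

def remove_columns(messages, fields):
    """Drop the original field columns; the Union column keeps its values."""
    for m in messages:
        for f in fields:
            m.pop(f, None)
    return messages

FIELDS = ["Command.smb_cmd", "Command"]

def build_grid():
    rows = interlace(TRACE, LOG)
    return apply_union(rows, "SMBCommand2", FIELDS)

if __name__ == "__main__":
    grid = build_grid()
    print("Union type:", union_type(grid, FIELDS).__name__)
    for row in remove_columns(grid, FIELDS):
        print(row["Timestamp"].time(), hex(row["SMBCommand2"]))
```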

© 2014 Microsoft