
Using the Data Viewing Features

The procedures in this section bring together many of the Message Analyzer features that are described in the Viewing Message Data section. They are intended to serve as examples of how you can analyze trace data with Message Analyzer viewer features and other integrated functions.

Apply Gradient Style Color Rules — provides an example of how to utilize gradient style Color Rules to quickly flag messages that meet the filtering criteria of multiple Color Rules.

Apply a Predefined View Layout — provides an example of a predefined View Layout whose data column configuration is useful for diagnosing TCP messages, and which also automatically groups messages by IP conversations (IP Network column) and TCP ports (TCP Transport column) to enhance diagnostic capabilities.

Perform Data Grouping Operations — provides several examples of data grouping operations that show how you can filter and consolidate data from designated Analysis Grid viewer columns, reorganizing it into separate groups of common properties that make it much easier to analyze data and resolve issues.

Perform Top-Level Summary Analysis — provides an example of how to use the Protocol Dashboard viewer to obtain top-level summaries at a glance for a set of trace results.

Perform Interactive Analysis with Data Viewers — illustrates a simple method for using the Protocol Dashboard and Analysis Grid viewers together in an interactive manner to enhance data analysis perspectives.

Apply Viewpoints to Trace Data — provides an example that shows you how to use the Message Analyzer Viewpoints feature, which enables you to examine data from the viewpoint of a protocol, where the messages of a specific viewpoint protocol are displayed at top-level in the Analysis Grid viewer with no message layers above them.

Apply a Quick Filter to Trace Results — provides an example that shows you how to apply a Quick Filter to a set of trace results, so that you can view data in a selected window of time.

Drive Analysis Grid Viewer and Tool Window Interactions — provides an example that demonstrates interaction between the Analysis Grid viewer and various tool windows, such as the Message Data, Field Data, Call Stack, Details, and Diagnostics windows.

Using the Filtering Features — see this procedural topic for extensive coverage of different ways to apply View Filters.


Apply Gradient Style Color Rules

In the procedure that follows, you will apply the predefined IPv4 Right Gradient and TCP left gradient Color Rules to a Local Link Layer trace that captured data with the Microsoft-PEF-NDIS-PacketCapture provider. This procedure demonstrates a simple way to expose TCP messages that have an IPv4 network layer in the call stack. It also provides an example of how you can design multiple gradient-style Color Rules with visually coordinated opposite facing gradients, which you can then use as a troubleshooting mechanism to quickly identify call stack components at a glance.

To identify Transport and Network layer messages with gradient-style Color Rules

  1. From the Start menu or taskbar of a target computer, click the Microsoft Message Analyzer icon to open Message Analyzer.

  2. Click the Message Analyzer File tab to display the Backstage View and then click Capture/Trace to open the Trace Session configuration interface.

  3. In the Trace Scenarios pane of the Trace Session, under Network, click a Local Link Layer scenario.

    The Trace Scenario Configuration list is populated with the Microsoft-PEF-NDIS-PacketCapture provider name and Id (GUID), and the default ETW Provider Core Configuration appears in a separate pane below the list.

  4. Click the green arrow on the Start With button to automatically select the default Analysis Grid viewer and start capturing data.

    The captured data begins to accumulate in the Analysis Grid viewer on the Message Analyzer Home tab.

  5. While Message Analyzer is capturing data, attempt to reproduce any conditions that are related to a particular TCP or IPv4 issue you are trying to isolate.

  6. Stop the trace at a suitable point by clicking the Stop button in the Session group on the Ribbon of the Message Analyzer Home tab.

    Tip  You can temporarily suspend tracing operations by clicking the Pause button and you can resume tracing by clicking the Pause button again.

  7. Click the Color Rules button in the View Options group on the Message Analyzer Ribbon, and then under the Network category of the drop-down that displays, select the TCP left gradient and IPv4 Right Gradient Color Rules.

    All top-level TCP messages or other top-level messages that have TCP in the origins tree are highlighted with the light blue left-to-right gradient Color Rule style. Also, all TCP messages that have an IPv4 network layer are highlighted in the olive green right-to-left gradient Color Rule style, thus enabling you to easily view messages that meet the filtering criteria of both the applied Color Rules.

    Note  To isolate either TCP or IPv4 messages for further analysis, you can apply a TCP or IPv4 viewpoint as appropriate.

Apply a Predefined View Layout

In the procedure that follows, you will apply the predefined TCP with Network Grouping view layout to trace data that is displayed in the Analysis Grid viewer. This View Layout has a column layout configuration that contains various TCP fields, the values of which can be important when diagnosing TCP issues. The columns that hold TCP field data include the DestinationPort, SourcePort, Payload, SequenceNumber, AcknowledgementNumber, and Window size columns. A TimeDelta column is also included to measure the difference in Timestamp values between TCP messages. The predefined layout also includes groupings of Network and Transport columns that present the details of the IP conversations that took place on corresponding TCP ports within a trace. Note that the Network and Transport columns were removed before this View Layout was saved in the default View Layout Library item collection.

To apply a predefined View Layout for TCP diagnosis

  1. Perform steps 1 through 6 of the previous procedure “To identify Transport and Network layer messages with gradient-style Color Rules”.

  2. Click the View Layout button in the View Options group on the Ribbon of the Message Analyzer Home tab and then click the TCP with Network Grouping item in the drop-down that appears.

    The new column configuration displays and the data is grouped into Network and Transport groups, as indicated by corresponding labels above the tree grid. The data groups are also organized such that the Transport nodes are nested within the Network nodes.

  3. Expand a particular Network node to expose the Transport node it contains.

    The exposed Transport node provides an indication of the number of messages that it contains, along with the source and destination ports over which IP conversations took place.

  4. Expand the Transport node to display the TCP messages, so that you can examine the TCP field data.

  5. Repeat steps 3 and 4 for other Network and Transport nodes as appropriate.

  6. To obtain a different perspective on the data, drag the Transport group label and drop it to the left of the Network group label.

    The data is now grouped and organized with Network nodes nested within the Transport nodes.

Perform Data Grouping Operations

In the procedure that follows, you will execute the Group command on various Analysis Grid viewer data columns, including the ContentType, Transport, Source or Destination, and Diagnosis data columns. The grouping operations will enable you to quickly determine the object types being requested by your web browser, assess the heaviest port traffic, determine the highest bandwidth consumers, and examine grouped diagnosis message types, respectively. In this procedure, the Analysis Grid viewer will be populated with message data that you capture with the Microsoft-PEF-WFP-MessageProvider in a Firewall trace, and the focus will be on Application (HTTP) and Transport layer messages.

To perform multiple data grouping operations for analysis

  1. From the Start menu or taskbar of a target computer, click the Microsoft Message Analyzer icon to open Message Analyzer.

  2. Click the Message Analyzer File tab to display the Backstage and then click Capture/Trace to open the Trace Session configuration interface.

  3. In the Trace Scenarios pane of the Trace Session, under Network, click the Firewall scenario. Alternatively, click the Firewall scenario in the Quick Trace area of the Start Page and proceed to step 5.

    The Trace Scenario Configuration list is populated with the Microsoft-PEF-WFP-MessageProvider name and Id (GUID), and the default ETW Provider Core Configuration and PEF WFP Settings configuration appear in a separate pane below the list.

  4. Click the green arrow on the Start With button to automatically select the default Analysis Grid viewer and start capturing data.

    The captured data begins to accumulate in the Analysis Grid viewer on the Message Analyzer Home tab.

  5. While Message Analyzer is capturing data, launch a web browser and attempt to reproduce any conditions that are related to a particular HTTP issue you are trying to troubleshoot, for example, a poorly performing web server.

  6. Stop the trace at a suitable point by clicking the Stop button in the Session group on the Ribbon of the Message Analyzer Home tab.

  7. Click the Choose Columns button in the View Options group on the Ribbon of the Message Analyzer Home tab to display the Column Chooser in its default location.

  8. Open the HTTP node in Column Chooser and navigate to the ContentType field in the HTTP Operation message hierarchy, right-click the field, and then select the Add As Column context menu item to add the ContentType column to the Analysis Grid viewer.

  9. Open the TCP node in Column Chooser and navigate to the Transport field in the Segment message hierarchy, right-click the field, and then select the Add As Column context menu item to add the Transport column to the Analysis Grid viewer.

  10. Right-click the ContentType column in the Analysis Grid viewer and select the Group command from the context menu.

    The trace data is grouped according to the different content types associated with HTTP messages, so that you can examine the types of objects being passed to your web browser by the server.

    Tip  If you want to limit the display to the viewpoint of HTTP messages only, you can specify an HTTP viewpoint by clicking the Viewpoints button in the Viewpoints group on the Ribbon of the Message Analyzer Home tab and selecting the HTTP Viewpoint menu item.

  11. Remove the ContentType group by clicking the “x” in the ContentType label above the tree grid.

  12. Right-click the Transport column in the Analysis Grid viewer and select the Group command from the context menu.

    The trace data is grouped according to the different Transport types, such as TCP and UDP, so that you can examine the ports across which the most substantial traffic is transiting.

  13. Remove the Transport grouping in the indicated manner and then execute the Group command on the default Source or Destination column of the Analysis Grid viewer.

    The trace data is grouped according to Source or Destination, as appropriate, so that you can determine the highest bandwidth consumers in the groups that indicate the most traffic. Note that you can obtain similar statistics by executing a Group command on the Network column, which you can add from the IP message hierarchy.

  14. Remove the Source, Destination, or Network grouping, as appropriate, and then execute the Group command on the default Diagnosis column in the Analysis Grid viewer.

    The trace data is grouped according to the different types of diagnosis messages, which include the Application, InsufficientData, Parsing, and Validation message types, so that you can immediately assess the types of errors that occurred in your trace.

Perform Top-Level Summary Analysis

In the procedure that follows, you will use several viewing infrastructure components to accomplish simple data analysis tasks. For example, you will use the Chart visualizer components of the Protocol Dashboard viewer, specifically the Top Level Protocol Summary bar and pie charts and the Top Level Protocols Over Time timeline, to view top-level protocol summary data that can reflect bandwidth consumption for all message types in a trace, along with message activity within selected windows of time. This example also shows how to use the SMB Reads and Writes viewer to expose file sharing statistics.

To analyze top level summary data

  1. From the Start menu or taskbar of a target computer, click the Microsoft Message Analyzer icon to open Message Analyzer.

  2. Click the Message Analyzer File tab to display the Backstage and then click Capture/Trace to open the Trace Session configuration interface, or click Browse to open the Browse Session configuration.

  3. Configure a Trace Session or Browse Session to retrieve messages from a data source, and start the session by clicking the Start With or View With button, respectively.

    The data displays by default in the Analysis Grid viewer.

  4. In the Session Explorer tool window, right-click a session node, highlight the New Viewer item, and then select the Protocol Dashboard item under Charts in the context menu.

  5. In the Protocol Dashboard viewer, observe the numerical and graphical presentation of top protocol activity in the trace by examining the Top Level Protocol Summary and Top Level Protocols Over Time visualizer components, which expose the relevant statistics.

    From the Top Level Protocol Summary, you should be able to observe which message types have the highest volume, which can indicate which protocols are consuming the most bandwidth. If you suspect an issue where a protocol has particularly high bandwidth consumption, you can double-click the bar or pie chart segment representing the protocol in the Top Level Protocol Summary to display only those specific messages in a separate Analysis Grid viewer tab for further investigation. You can also adjust the time window slider controls of the Top Level Protocols Over Time visualizer component to zoom into specific messages in a particular time slot and then double-click a message node to display that traffic only in a separate Analysis Grid viewer tab for further investigation.

  6. Run a Firewall trace and capture messages while performing file access operations.

  7. Stop the trace at a suitable point and launch the SMB Reads and Writes data viewer from the Session Explorer context menu to obtain statistics that reflect the network bandwidth being consumed by the file access/sharing activities of the Server Message Block (SMB) protocols.

    Adjust the time window slider controls in the SMB Reads and Writes viewer to zoom into specific messages in a particular time slot.

  8. Double-click a message node or timeline in the SMB Reads and Writes data viewer to display specific traffic in a separate Analysis Grid viewer tab for further investigation.

    Tip  You can also use the Column Chooser to add an SMB FileName or SMB2 FileName column to the Analysis Grid viewer and then execute a Group command on the new column so that you can examine the SMB traffic that is associated with access to specific files.

Perform Interactive Analysis with Data Viewers

In the procedure that follows, you will find a simple example of how you might utilize the Analysis Grid and Protocol Dashboard viewers interactively to analyze captured message data:

To analyze data through data viewer interaction

  1. From the Start menu or taskbar of a target computer, click the Microsoft Message Analyzer icon to open Message Analyzer.

  2. Click the Message Analyzer File tab to display the Backstage and click Capture/Trace to open the Trace Session configuration interface.

  3. Select a trace scenario from the Trace Scenarios pane, such as a Local Link Layer or Firewall scenario, and start the trace by selecting the Protocol Dashboard viewer item from the Start With menu.

  4. Stop the trace at a suitable point and observe the relative distribution of captured message volumes in the Top Level Protocol Summary bar chart visualizer component, in an attempt to isolate suspected message traffic that might be related to failures in a particular component or system.

  5. In the bar chart, double-click the graphic bar representing the message traffic you want to target, for example, a protocol that has a high volume of messages.

    A separate Analysis Grid viewer tab opens and contains only the traffic that you targeted.

  6. Sort or Group the Diagnosis column of the Analysis Grid viewer to bubble up any errors that might have occurred for the targeted traffic.

    To perform the indicated Grouping operation, right-click the Diagnosis column and select the Group command from the context menu that displays.

  7. View the Summary column descriptions in the Analysis Grid viewer to study the underlying failures that are associated with the diagnosis errors that occurred.

  8. Optionally, Group the Summary column by right-clicking it and selecting Group to present the messages in groups that each represent a different Summary column category or description, for an enhanced analytical perspective on the data.

Apply Viewpoints to Trace Data

In the procedure that follows, you will apply HTTP and TCP Viewpoints so that you can view HTTP or TCP related traffic without having to drill down into the message stack to expose these messages. In addition, you will toggle operations off and on, so that typical request and response pairs are shown either in chronological order (operations hidden) or encapsulated in top-level operation rows in the Analysis Grid viewer (operations shown).

To analyze data with applied Viewpoints

  1. From the Start menu or taskbar of a target computer, click the Microsoft Message Analyzer icon to open Message Analyzer.

  2. Click the Message Analyzer File tab to display the Backstage and then click Capture/Trace to open the Trace Session configuration interface.

  3. In the Trace Scenarios pane of the Trace Session, under Network, click the Firewall scenario.

    The Trace Scenario Configuration list is populated with the Microsoft-PEF-WFP-MessageProvider name and Id, and the default ETW Provider Core Configuration and PEF WFP Settings configuration appear in a separate pane below the list.

  4. Click the green arrow on the Start With button to automatically select the default Analysis Grid viewer and start capturing data.

    The captured data begins to accumulate in the Analysis Grid viewer on the Message Analyzer Home tab.

  5. While Message Analyzer is capturing data, launch a web browser and attempt to reproduce any conditions that are related to a particular HTTP issue you are trying to isolate.

  6. Stop the trace at a suitable point by clicking the Stop button in the Session group on the Ribbon of the Message Analyzer Home tab.

  7. In the Analysis Grid viewer, note that you have HTTP messages displaying as top-level operation message rows, as signified by messages with a blue cubes icon to the left of the message number, along with some TCP messages at top-level and others hidden within the call stack. You may also have HTTP fragments hidden within Analysis Grid expansion nodes.

  8. Click the Viewpoints button in the Viewpoints group on the Ribbon of the Message Analyzer Home tab and select the HTTP Viewpoint item from the drop-down that displays.

    All HTTP messages display in top-level message rows in the Analysis Grid viewer, which includes both operations and fragments. In this view configuration, you can focus on HTTP messages without the encumbrance of other message types in display. However, because HTTP request and response messages are grouped into operations to provide context, there can be some chronological displacement of operation messages in this configuration that you can resolve by hiding the operations.

  9. Click the Hide Operations button in the Viewpoints group on the Ribbon of the Message Analyzer Home tab.

    Note that the HTTP messages that were formerly grouped under operation nodes are now displayed in chronological order in the Analysis Grid viewer.

  10. Click the Hide Operations button again to show operations and then click the Default ViewPoint button in the Viewpoints group on the Ribbon to return to the default Analysis Grid viewpoint.

  11. Next, isolate TCP messages in the trace by selecting the Diagnose at the TCP Layer Viewpoint.

    All TCP messages display in top-level message rows in the Analysis Grid viewer.

  12. From the TCP Viewpoint, you can use your typical data analysis tools such as sorting, grouping, filtering, annotating, and so on, when assessing your data. You might also apply the predefined TCP Diagnosis View Layout from the View Layout drop-down in the View Options group on the Ribbon of the Home tab so you can focus on important TCP message data.

Apply a Quick Filter to Trace Results

In the procedure that follows, you will apply a Quick Filter to a data set imported from a saved trace or log file, so that you can temporarily focus on analyzing messages in a specified window of time. You will also verify that you can toggle back and forth between the time-filtered data and your original data, as your analysis might require.

To apply a time window filter to trace results with a Quick Filter

  1. From the Start menu or taskbar of a target computer, click the Microsoft Message Analyzer icon to open Message Analyzer.

  2. Click the Message Analyzer File tab to display the Backstage and then click Browse to open the Browse Session configuration interface.

  3. In the Browse Session configuration, click the Add Files button on the Import files toolbar to launch the Open dialog, select a large trace or log file containing data that you want to view in a specific time window, and then click Open.

    The name of the data file appears in the Import files list.

  4. Without configuring a Time Filter or adding a Selection Filter in the Browse Session configuration, click the green arrow on the Start With button to automatically select the default Analysis Grid viewer and start importing the message data.

  5. After the message data is imported and displayed in the Analysis Grid viewer, click the Quick Filter button in the View Filter group on the Ribbon of the Message Analyzer Home tab to open the Quick Filtering dialog.

  6. In the Quick Filtering dialog, ensure that the Data Source check box is selected for the data source to which the Quick Filter will be applied.

  7. Select the Use Start Filter and Use End Filter check boxes and then adjust the left and right Time Filter slider controls to configure a window of time in which you want to view data. As you do this, the following occurs:

    • The number of messages contained in the configured time window is displayed in the Filtered Messages read-only text box.

    • As you adjust the left and right slider controls, the text boxes to the left and right of the controls respectively indicate the lower and upper boundaries of the time window in which you will view data.

    • A Timestamp filter is automatically generated as you adjust the left and right Time Filter slider controls to define the start and end time-filtering criteria of the target time window.

  8. When you finish with the Quick Filter configuration, click the Apply button to filter the message data according to the time window you specified.

    The number of messages displaying in the Analysis Grid viewer is reduced in accordance with the specified Quick Filter configuration, thus enabling you to perform analysis on a focused data set.

  9. To remove the time filtering configuration that you applied, click the Quick Filter drop-down arrow in the View Filter group on the Ribbon and select the Remove Quick Filter menu item to return to your original data.

  10. To reapply the time filtering configuration, click the Quick Filter drop-down arrow in the View Filter group again and select the Apply Quick Filter menu item.

    Notes  Quick Filters do not persist across sessions, which means that you will need to create a new Quick Filter configuration for every session where you want to apply time window filtering. Also note that you can save any data set to which you have applied a Quick Filter by clicking Save As in the Backstage area and selecting the Filtered Messages – Analysis Grid option in the Save/Export Session dialog.

Drive Analysis Grid Viewer and Tool Window Interactions

In the procedure that follows, you will run a trace and display data in the Analysis Grid viewer. The procedure then demonstrates how message selection in the Analysis Grid viewer, or message and field selection in various tool windows, interactively drives the display of data in these viewing components, so that you can rapidly assess message details such as field values and types, hexadecimal data, diagnosis message types and details, and call stack configurations.

To drive interaction between the Analysis Grid viewer and tool windows

  1. From the Start menu or taskbar of a target computer, click the Microsoft Message Analyzer icon to open Message Analyzer.

  2. Click the Message Analyzer File tab to display the Backstage and then click Capture/Trace to open the Trace Session configuration interface.

  3. In the Trace Scenarios pane of the Trace Session, under Network, click a Local Link Layer scenario.

    The Trace Scenario Configuration list is populated with the Microsoft-PEF-NDIS-PacketCapture name and Id, and the default ETW Provider Core Configuration appears in a separate pane below the list.

  4. Click the green arrow on the Start With button to automatically select the default Analysis Grid viewer and start capturing data.

    The captured data begins to accumulate in the Analysis Grid viewer on the Message Analyzer Home tab.

  5. While Message Analyzer is capturing data, reproduce any conditions that are related to a particular issue on which you are working.

  6. Stop the trace at a suitable point by clicking the Stop button in the Session group on the Ribbon of the Message Analyzer Home tab.

  7. Click the Tool Windows button in the Windows group on the Ribbon of the Message Analyzer Home tab and select the Diagnostics menu item to display the Diagnostics tool window in its default docking location.

  8. Click the Tool Windows button in the Windows group again and select the CallStack menu item to display the Call Stack tool window in its default docking location.

  9. Ensure that the Call Stack tool window is in focus and then select any message in the Analysis Grid viewer.

    Observe that message selection in the Analysis Grid drives message selection in both the Call Stack and Details tool windows.

  10. Click the Diagnostics tool window tab in its default docking location to bring it into focus and then select one or more diagnosis message types in the Diagnostics grid.

    Observe that message selection in the Diagnostics tool window drives top-level message selection in the Analysis Grid viewer and message details in the Details tool window.

    Note  You should be aware that even though top-level messages are highlighted, the actual message that contains a diagnosis error might be at a lower layer. You can determine that by expanding message nodes in the Analysis Grid viewer under the highlighted top-level message. In addition, note that the Diagnostics tool window data columns make the diagnosis message details readily accessible without having to drill down into the origins tree through node expansion to see them.

  11. Click the Message Data tool window tab in its default docking location to bring it into focus and then select any message in the Analysis Grid viewer.

    Observe that message selection in the Analysis Grid viewer drives the display of message details in the Details tool window and hexadecimal data selection in the Message Data tool window.

  12. Select any message in the Analysis Grid viewer and then select a field Name in the Details tool window.

    Observe that field selection in the Details tool window drives the display of the hexadecimal field data value in the Message Data tool window and of the field data values in the Field Data tool window.

© 2014 Microsoft