Quick Start Procedures
To start using Microsoft Message Analyzer, run the procedures in this section to learn how to use analyzer features and functions to accomplish the basic tasks covered in the sections that follow.
Important If you have not logged off from Windows after the first installation of Message Analyzer, please log off and then log back on before performing these procedures. This action ensures that all subsequent logons receive the required security credentials for the Message Capture Users Group. Otherwise, you will be unable to capture network traffic in Link Layer or Firewall trace scenarios unless you start Message Analyzer with the right-click Run as administrator option.
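A group is added to a Windows logon token only at logon, which is why the note above asks you to log off and on again after installation. The following PowerShell function is an added example, not part of the Message Analyzer documentation; it reports whether the current session's token actually carries the Message Capture Users group, whether the group database lists the user (membership granted after logon but not yet in the token), and whether the session is elevated, so you can tell before starting a Link Layer or Firewall trace whether it will succeed.

```powershell
# Added example: confirm that the current logon token carries the
# "Message Capture Users" group that Message Analyzer needs for link-layer
# and firewall captures, or that the session is elevated (Run as administrator).
function Test-MessageCaptureAccess {
    [CmdletBinding()]
    param(
        # Group name taken from the note above.
        [string]$GroupName = 'Message Capture Users'
    )

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # Resolve the group SIDs in the token to names; SIDs that cannot be
    # translated (for example a deleted group) are skipped rather than aborting.
    $groupNames = foreach ($sid in $identity.Groups) {
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    }

    # Local groups appear as "COMPUTERNAME\Group name"; compare the part after the backslash.
    $tokenHasGroup = [bool]($groupNames | Where-Object { ($_ -split '\\')[-1] -eq $GroupName })

    # Under UAC a non-elevated administrator token marks Administrators as
    # deny-only, so IsInRole is false unless the session was started elevated.
    $isElevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # "net localgroup" lists members one per line; local users are listed by
    # short name, domain users as DOMAIN\user. Membership listed here but
    # absent from the token means the user must log off and log back on.
    $members   = (& net localgroup $GroupName 2>$null) | ForEach-Object { $_.Trim() }
    $shortName = $identity.Name.Split('\')[-1]
    $listed    = ($members -contains $identity.Name) -or ($members -contains $shortName)

    [pscustomobject]@{
        User              = $identity.Name
        TokenHasGroup     = $tokenHasGroup
        ListedInGroup     = $listed
        IsElevated        = $isElevated
        CanCaptureNetwork = ($tokenHasGroup -or $isElevated)
    }
}

$result = Test-MessageCaptureAccess
$result
if ($result.ListedInGroup -and -not $result.TokenHasGroup) {
    Write-Warning 'Group membership exists but is not in this logon token: log off and log back on.'
}
```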
Displaying Data Quickly From a Saved Trace File
The procedure that follows shows you how to use the Message Analyzer Quick Open feature to rapidly access and display data from a saved trace or log file.
To quickly open a saved trace file and display its data
From the Start menu or task bar, click on the Microsoft Message Analyzer icon to open Message Analyzer.
Click the Message Analyzer File tab to display the Backstage and then click Quick Open to launch the Message Analyzer Open dialog.
Navigate to a saved trace or log file containing the data you want to display and then click Open.
The saved data displays in the default Analysis Grid viewer.
Tip From the Message Analyzer Start page, click a trace file under Recent Files to quickly display its data in the Analysis Grid viewer. You can also quickly import data from one or more saved files by dragging and dropping them on the Message Analyzer Start page. In drag-and-drop mode, the imported data from each file in a selected set displays in separate Analysis Grid viewer tabs on the Message Analyzer Home tab.
Starting a Live Trace with a Default Trace Scenario
The procedure that follows shows you how to select the Firewall default Trace Scenario that uses the Microsoft-PEF-WFP-MessageProvider to capture live trace data at the Transport layer.
Tip As an alternative to this procedure, you can simply click the Firewall Trace Scenario in the Quick Trace section on the Message Analyzer Start Page to quickly start a live Firewall trace.
To start a live capture with the Firewall trace scenario
Click the Message Analyzer File tab to display the Backstage and then click Capture/Trace.
In the Trace Scenarios pane of the Trace Session configuration interface, under Network, click the Firewall scenario.
The Trace Scenario Configuration pane is populated with configuration settings for the Microsoft-PEF-WFP-MessageProvider.
Click the green arrow on the Start With button to automatically select the Analysis Grid viewer in which to display your data and start the trace.
Tip If you click the down arrow in the Analysis Grid section of the Start With button, you can choose a different data viewer in which to display your trace data.
The trace data displays in the Analysis Grid or other selected data viewer on the Message Analyzer Home tab.
Stop the trace at a suitable point by clicking the Stop button in the Session group of the Ribbon on the Message Analyzer Home tab.
Note If you let a trace session run for an extended period, it will consume a large amount of memory.
Loading and Displaying Saved Trace Data
The procedures that follow show you how to open a Message Analyzer Browse Session from where you can specify one or more saved files containing the message data you want to load and display in the Analysis Grid viewer on the Message Analyzer Home tab. The second procedure describes how to modify your Browse Session so that you can import data from additional files into Message Analyzer. The option to import a filtered view of your data with the use of a Selection Filter is also described.
To use a Browse Session to load and display saved trace data
Click the Message Analyzer File tab to display the Backstage and then click Browse to display the Browse Session configuration interface from where you can load saved trace data into the UI.
In the Import files pane of the Browse Session configuration, click Add Files to launch the Open dialog and then navigate to the trace file/s containing the data you want to display.
In the Open dialog, select the file/s containing the data you want to import, then click Open.
In the Import files list, ensure that there is a check mark in the check box next to the file/s containing the data you want to import.
Click the View With icon to automatically select the default Analysis Grid viewer and begin importing the data.
Tip If you click the down arrow in the Analysis Grid section of the View With button, you can choose a different data viewer in which to display your imported message collection.
The imported data displays in the Analysis Grid or other selected data viewer on the Message Analyzer Home tab.
If you want to modify an existing Browse Session so that you can import additional data from a group of files such as logs, perform the following steps.
Modifying a Browse Session
Select the viewer tab containing the Browse Session that you want to modify, and then click the Configuration button in the Session group on the Ribbon of the Message Analyzer Home tab to return to that Browse Session.
Click Add Files to add one or more saved trace files to the Import files list and then select the check box next to each file containing data you want to import.
Click the Apply Changes button to display the new imported data in the Analysis Grid viewer on the Message Analyzer Home tab.
Note When you load data from additional files after an initial import, the messages from these files are added to the existing data displayed in the Analysis Grid viewer in chronological order.
When importing data from saved files, you can also select or configure a Filter Expression in the Selection Filter pane of the Browse Session configuration to filter the imported messages to specific criteria. For example, you might add a simple expression such as *Port != IANA.Port.LDAP from the Selection Filter Library to remove LDAP traffic on TCP and UDP transports. If you manually configure a Filter Expression, you can confirm the validity of the expression by clicking the Verify button in the Selection Filter pane. If you have an invalid expression, a Compile query error message will be displayed.
Note After performing an import and your message collection is displayed in a selected data viewer, you have the option to add a predefined or manually configured View Filter to further isolate specific data of interest. A View Filter Library for selecting predefined filters is available in the View Filter group of the Ribbon on the Message Analyzer Home tab.
Displaying Different Data Viewers for Analysis
The procedure that follows runs one or more live traces and then imports a message collection to create initial data views in separate Analysis Grid viewer tabs on the Message Analyzer Home tab. You can then select several different data viewers that provide high-level data summaries and statistics in graphic format.
To display different data viewers
Perform one or more live traces and then import a saved message collection into Message Analyzer by following the steps of the above procedures, as appropriate.
The trace data and the imported data display in separate Analysis Grid viewer tabs on the Message Analyzer Home tab.
If the Session Explorer tool window is hidden, click the Tool Windows button in the Windows group on the Ribbon of the Message Analyzer Home tab and select the Session Explorer drop-down item to restore it.
To create a different view of the data, right-click a Browse Session in Session Explorer, highlight New Viewer, and then select the Protocol Dashboard viewer.
The Protocol Dashboard displays in a separate data viewer tab that contains top-level summaries of the imported trace data. The Protocol Dashboard is considered a Chart data viewer in Message Analyzer because it is made up of several graphic data visualizer components.
Repeat step 3 and configure a different data view by displaying the SMB Reads and Writes viewer.
Note This viewer will display data only if SMB, SMB2, or SMB3 protocol packets were captured in the trace.
Right-click a Browse Session in Session Explorer, highlight New Viewer, and then select Sequence Match.
To start the sequence matching process, select a sequence expression from the Sequence Expression drop-down in the View Options group on the Ribbon of the Message Analyzer Home tab, and then select a sequence expression check box.
To learn more about sequence matching, refer to Matching Message Sequences.
You can also select the Call Stack tool window in the Tool Windows drop-down menu to expose the underlying message stack that supported any top-level transaction, and the Diagnostics tool window to display summary groups of the different types of diagnosis errors that occurred in the trace.
To cycle through the various views for data analysis purposes, click each viewer type under the appropriate Browse Session in Session Explorer or select the different viewer tabs.
Repeat these steps to display different data views for the Trace Session you ran in step 1.
Tip Comparing live trace data with associated data imported from a Browse Session provides a convenient method for analyzing current and historical data side by side. To learn how to display data viewer tabs side by side, see Redocking Data Viewers and Tool Windows.
Creating and Saving a Customized Trace Scenario
In the procedure that follows, you will create and save a Trace Scenario to serve as a trace template with predefined tracing functionality that you can run on demand. The Trace Scenario specified in this simple example enables you to isolate traffic to a specific IP address, where you can use two different methods of filtering to achieve that result.
To create and save a Trace Scenario
From the Start menu or task bar, click the Microsoft Message Analyzer icon to open Message Analyzer.
Click the Message Analyzer File tab to display the Backstage and then click Capture/Trace to open the Trace Session configuration interface.
In the Trace Scenarios pane of the Trace Session configuration, click the Local Link Layer (Windows 8/Windows Server 2012 or earlier) provider under the Network category.
The Microsoft-PEF-NDIS-PacketCapture provider and its Id display in the provider list in the Trace Scenario Configuration pane.
In the Trace Scenario Configuration pane, click the Configure link to display the Microsoft-PEF-PacketCapture Advanced Settings dialog and configure the following:
In the Name column under System Network, expand the Machine node, and then under Adapters, make sure that the In and Out check boxes for the Ethernet network adapter are selected. This ensures that the Trace Scenario will capture both inbound and outbound traffic on the Ethernet adapter. Unselect these check boxes for all other listed adapters.
In the Fast Filters pane of the Microsoft-PEF-PacketCapture Advanced Settings dialog, click the black arrow next to the Filter 1 designator in Group 1 and select the IPv4Address option from the drop-down menu that displays.
The intent with this low-level filter is to pass only a specified IPv4 address when you run the Trace Scenario.
Specify an IPv4 address in the format 192.168.1.1 in the text box adjacent to the drop-down menu to isolate traffic to the specified IPv4 address. Substitute your own IP address for the placeholder value used in this example.
Highlight the row in which the Ethernet adapter exists in the System Network tree grid of the Microsoft-PEF-NDIS-PacketCapture Advanced Settings dialog, and then click the Apply to Highlighted button in Group 1.
The name of the Ethernet adapter displays as the Target of the filter Group. Click OK to exit.
Note Instead of configuring a Fast Filter, you can optionally specify a Trace Filter such as IPv4.Address == 192.168.1.1 in the Trace Filter pane of the Trace Session configuration interface. However, you should note that a Trace Filter requires more processing time. If you choose to use a Trace Filter, you can optionally remove the previously set Fast Filter configuration.
If you are using a Trace Filter in your scenario, you can optionally click the Verify icon to ensure that it compiles as a valid filter expression.
Click the Save Scenario button to display the Edit Trace Scenario dialog and specify values for the Name, Description, and Category fields, and choose a data viewer in the Default View drop-down.
When your Trace Scenario save configuration is complete, click the Save button in the Edit Trace Scenario dialog.
When you save a Trace Scenario, it becomes a new Trace Scenarios Library item, from where you can run it at any time. It also becomes part of the Message Analyzer Sharing Infrastructure that enables you to mutually share the scenarios in the Trace Scenarios Library with other team members or the larger Message Analyzer community.
Tip After you run a Trace Scenario template from the Trace Scenarios pane, you can open the session Configuration from the Message Analyzer Home tab, reconfigure the Trace Scenario as required, and save the new template configuration again by clicking Save Scenario.
To learn more about creating Trace Scenario templates, see Developing and Managing Trace Scenarios.
To learn more about managing the Trace Scenarios Library as part of the Message Analyzer Sharing Infrastructure, see Managing Trace Scenarios.