Message Analyzer Feature Summary
Updated: May 20, 2016
Microsoft Message Analyzer contains a broad and versatile range of features that build upon and exceed many of those of its predecessor, Microsoft Network Monitor. These features are designed to improve your usability experiences and to expand your capabilities set when loading, capturing, analyzing, and troubleshooting message traffic with Message Analyzer. The following provides a summary of these features, along with the means by which you can access them.
Message Analyzer provides a global menu for quick access to various features that you will regularly use. The menu names are located in the upper-left section of the Message Analyzer user interface and consist of the following:
File menu — provides access to the following features:
New Session — click this item to open the New Session dialog, from where you can choose a source from which to acquire data; for example a Live Trace or saved Files. Clicking the New Session item also displays a submenu that contains various items that determine what type of session you will start. With the exception of the first two bullet items immediately below, the remaining submenu items also appear in the New Session dialog as Data Source buttons that you can click to begin the configuration of a new session, based on the type of input message data you want to acquire:
Blank Session — opens the New Session dialog from where you can select a data source under Add Data Source to use as input to Message Analyzer.
From Current Session — opens the New Session dialog to a new session configuration that derives configuration settings from the current in-focus session.
Live Trace — opens the New Session dialog with the Live Trace tab selected, from where you can specify one or more target computers on which to capture data; select a predefined Trace Scenario from the scenario Library; and configure various provider settings and filters to customize your trace configuration before starting the live trace. The New Session dialog also enables you to specify global session settings such as a Session Filter, Start With data viewer selection, and Parsing Level.
You also have the capability to run multiple concurrent Live Trace Sessions with different message providers on different target computers by adding one or more Live Trace input sources by clicking the New Data Source tab and specifying the hosts from which to capture the data. You can also use a single session with a specified message provider to collect data from multiple specified host machines.
To learn more about starting a new Live Trace Session, see Starting a Message Analyzer Session.
If you intend to capture messages that are encrypted with the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) security protocols, for example, HTTPS and Remote Desktop Protocol (RDP) messages, you have the option to enable any Live Trace Session for Decryption so that you can view the decrypted data along with decryption session statistics. For more information, see Using the Decryption Feature for TLS, SSL, and RDP.
Files — opens the New Session dialog with the Files tab selected, from where you can configure a Data Retrieval Session to acquire data that exists in one or more saved files. You can also select specific data to retrieve from such sources by using filters, for example a Time Filter and/or Session Filter.
A Truncated Parsing check box is also included in the Files tab configuration to indicate when truncated messages exist in files from which you are retrieving data, at which time Message Analyzer switches to a pared-down truncation parser set. You have the option to unselect this check box or to select it manually if Message Analyzer did not automatically detect truncated messages.
To learn more about starting a new Data Retrieval Session, see Starting a Message Analyzer Session.
If you intend to retrieve messages that are encrypted with the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) security protocols, for example, HTTPS and Remote Desktop Protocol (RDP) messages, you have the option to enable the Data Retrieval Session for Decryption so that you can view the decrypted data along with decryption session statistics. For more information, see Using the Decryption Feature for TLS, SSL, and RDP.
In addition, the Files tab configuration provides you with the capability to retrieve data from textual log files and to select from a list of configuration files that support log file parsing. The Truncated Parsing, Decryption, and text log parsing features are described in Configuring a Data Retrieval Session.
Azure Table — opens the New Session dialog to a configuration interface that enables you to specify an Account Name, Account Key, and Table Name, from which you can load Azure event log data into Message Analyzer.
Event Logs — opens the New Session dialog to the Event Logs tab, which contains a large list of event logs that were generated on your computer. You can select one or more of the event log check boxes and click Start to retrieve the data from the selected logs.
PowerShell — opens the New Session dialog to the PowerShell tab, from where you can write a PowerShell query. If your PowerShell script obtains data from a remote source, you can specify a Host name and connection credentials in the New Session dialog. Note that if your PowerShell script captures event or network traffic and logs to an event log (*.etl) or Message Analyzer *.matp file, respectively, you can import the data from such files through a Data Retrieval Session.
Sql — opens the New Session dialog to the Sql tab, from where you can load data into Message Analyzer from any SQL database table. Provides facilities to specify a Connection string, user credentials, Table name, Timestamp, and a WHERE clause.
Open — provides a submenu with the following two items:
From File Explorer — click this item to launch Windows Explorer and locate data from a saved file, such as a trace or log, and immediately load it into the Message Analyzer default Analysis Grid viewer.
From Other File Sources — click this item to display the File Selector dialog, from where you can specify input file sources that have a unique format. Currently, the File Selector is limited to working with Azure storage binary large objects (BLOBs) only. For more information, see Handling Azure Data.
Recent Files — click this item to see a list of up to 10 recent files from which you loaded data into Message Analyzer. Data from a file in the Recent Files list is immediately loaded into Message Analyzer.
Favorite Scenarios — click this item to quickly start a Live Trace session with a single click on a Trace Scenario item in the list, for example, the Local Network Interfaces, Loopback and Unencrypted IPSEC, or Pre-Encryption for HTTPS scenario.
Save — saves changes to a Data Retrieval Session such as bookmarks, comments, and time shifts. If you click this item after capturing data from a Live Trace Session that is not yet saved, the Save/Export Session dialog displays with several options for saving data.
Save As — opens the Save/Export Session dialog that provides several save configuration options for the current set of trace results, which includes saving filtered, selected, or all messages in the data set.
Start Page — click this item in the File menu to display the Message Analyzer Start Page.
Exit — click this item to close Message Analyzer. If you have any unsaved changes, you will be prompted with the option to save them.
Session menu — provides access to the following features after you display a set of trace results:
New Viewer — click this item to open the New Viewer drop-down list, from where you can choose a built-in data viewer or custom Chart that you created for the current in-focus session. You can also display the configuration controls to create a custom Chart of your own by clicking the New Chart item in the list.
Edit Session — click this item to launch the Edit Session dialog, which displays the initial configuration of either a Data Retrieval Session or Live Trace Session, depending on the type of existing session that is currently in focus. Enables you to edit the session configuration and then re-run it with your applied changes.
Reparse — click this command to reparse the messages in the current set of trace results.
Shift Time — click this item to display a submenu with the following items:
Shift Time — click this item to display the Shift Time dialog, from where you can specify a time shift for message Timestamps in a set of session results, to accommodate for time zone changes or skewed clock values in a message collection that is comprised of multiple disparate sources.
Remove All Time Shifts — click this command to remove any previously specified time shifts from the current in-focus session.
Quick Filter — click this item to display a submenu with the following items:
Edit — click this item to display the Quick Filtering dialog, from where you can configure a time window in which to view data for a specified Data Source.
Apply — this command is enabled only after you have configured a Quick Filtering time window, applied it, and then removed it with the Remove command. Enables the Remove command to toggle into the enabled state. Working together with the Remove command, enables you to alternately Apply and Remove the current Quick Filtering configuration.
Remove — click this command to remove the current Quick Filtering time window that you configured. Enables the Apply command to toggle into the enabled state. Working together with the Apply command, enables you to alternately Remove and Apply the current Quick Filtering configuration.
ViewerName — a placeholder for which the name changes depending on the type of session viewer that is currently in focus. For example, if the Grouping viewer is in focus, then the name of this Session menu item changes to Grouping. If an Analysis Grid session tab is currently in focus, the item name changes to Analysis Grid, and so on. Click the viewer name item in the Session menu to display a submenu with a set of commands that apply to the indicated data viewer only. Typically reproduces the commands that exist on the respective data viewer toolbar.
Tools menu — provides access to the following features:
Windows — utilize interactive tool windows that respond to message selection or session selection to provide additional message details. The tool windows that are available consist of the following:
Session Explorer Tool Window — monitor operational status and session statistics, and observe real-time progress indicators when loading, capturing, filtering, sorting, finding, grouping data, and applying sequence matching; navigate among different data viewers in various sessions; and select new data viewers from a context menu.
Message Details Tool Window — view field names and values for any message that you select in the Analysis Grid.
Message Data Tool Window — highlight hexadecimal values for any field that you select in the Details tool window or Analysis Grid, including payloads.
Field Data Tool Window — display the value of any field that you select in the Details window.
View Filter Tool Window — display this tool window to specify a predefined View Filter or to create a new Filter Expression. Enables you to select or create filters that apply specified filtering criteria to trace results to narrow the focus to messages with specific properties or values.
Viewpoint Tool Window — specify predefined viewpoints so you can view data from the perspective of a protocol, in addition to adding a Viewpoint filter, hiding operations in the current view, and resetting the default viewpoint.
Bookmarks Tool Window — mark one or more messages of interest, which includes adding links, attachments, and different colored flags.
Comments Tool Window — quickly add basic comments to one or more messages.
Diagnostics Tool Window — currently a preview feature that summarizes diagnosis errors and enables you to easily jump to a corresponding diagnosis message in the Analysis Grid viewer. You can also filter Diagnostics tool window columns to isolate specific column data.
Message Stack Tool Window — display the message stack for any selected message row in the Analysis Grid viewer.
Decryption Tool Window — display statistics, summary, and analysis information for a decryption session.
Selection Tool Window — undo erroneous message selections or maintain the context of multiple message selection in the Analysis Grid viewer in a separate space that is independent of the grid selection, to facilitate ease of analysis.
Field Chooser Tool Window — specify additional message fields in the Analysis Grid Viewer when it is in focus, for deeper analysis of message data. Specify additional message field Groups in the Grouping Viewer, when it is in focus. Expands the scope of data presentation and further enhances data examination and troubleshooting. Also use Field Chooser for configuration tasks when creating Pattern Expressions, Chart formulas, Unions, and so on.
Output Tool Window — display this tool window to monitor the Message Analyzer log file output for errors when loading modules.
Add-Ins — click this item to display a submenu with the Compare (Preview) tool item. A preview feature that displays the Session Comparison Utility, which performs type and field check differences between two specified sessions.
Aliases — click this item to display the Aliases drop-down list, from where you can select an Alias to apply to the currently in-focus session viewer tab. An Alias substitutes for cryptic or otherwise unfriendly field values that display in the Message Analyzer Analysis Grid viewer, for example an IPv6 address or a TCP port, for ease of analysis.
Unions — configure and manage Unions of two or more fields that have identical values but different names in different data sources. Enables the correlation of field values from such sources with a single field name in Message Analyzer, for ease of analysis.
Asset Manager — click this item to display the Asset Manager dialog, from where you can manage Message Analyzer asset collections such as Charts, Color Rules, Correlations, Filters, OPN Parsers, and so on. Enables you to download asset collections and auto-sync them for automatic updates provided by a Microsoft web service. Also enables you to create custom feeds where you can share Message Analyzer assets that you developed on your own.
Options — click this item to open the Options dialog, which displays the following configuration tabs:
General tab — enables you to specify various default global settings for Message Analyzer, as follows:
Live Trace Message Buffer — provides settings that determine the rate at which packets are dropped when exceeding the ETW buffer limit.
Session Viewer — provides a drop-down menu that enables you to select the default data viewer for the display of all live trace and saved session data.
Text Log Files — provides a drop-down menu that enables you to select a predefined default or custom configuration file for parsing text logs.
Display tab — provides the controls for setting the format for date-time and Binary Values:
Time Display — enables you to specify the date-time format that Message Analyzer will use across all features that display time data.
Binary Values — enables you to specify different formats for the display of numeric data, which includes ASCII, Hex, and Decimal options.
Decryption tab — provides the controls that allow you to import and select server certificates and to specify passwords that are required to enable Message Analyzer to decrypt traffic that is encrypted with the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) security protocols.
Features tab — provides for selection of preview features such as viewers and Tool Windows that you want to enable in Message Analyzer.
Memory tab — specifies the current memory statistics for Message Analyzer, the current state of Server Garbage Collection, and instructions for how to disable Server Garbage Collection to reduce memory consumption.
Parsing tab — enables you to reparse a set of trace results based on alternate ports that you specify for specific protocols, to accommodate for network traffic that used alternate ports for security purposes.
Privacy tab — enable Microsoft to collect information about stability issues, system configuration, and your frequently used features to help improve your Message Analyzer experience. Also enables you to opt-in to provide feedback on features, if you opted-out at the first Message Analyzer start up.
Help menu — provides access to the following features:
Feedback Center — click this item to open the Feedback Center dialog, from where you can provide feedback for predefined questions about various Message Analyzer features. Note that the feedback features are reproduced by the Feedback Center and Feedback controls in the upper-right section of the Message Analyzer user interface.
Message Analyzer Feedback — click this item to display a submenu that offers the following options for providing feedback:
Send a Smile — tell us what you liked.
Send a Frown — tell us what we can do better.
Report a Bug — provide us with details about problems that you encountered.
Request a Feature— request a feature that you think would improve your experiences with Message Analyzer.
Guidance — click this item to access the Message Analyzer Operating Guide on TechNet, from the Message Analyzer user interface.
Message Analyzer Team Blog — click this item to open the Message Analyzer Team Blog site to review regularly posted blog articles on various Message Analyzer subjects. Also enables you to provide comments, ask questions, and receive feedback directly from Microsoft.
Discussion Forum — click this item to open the Message Analyzer Forum site, where you can start a discussion thread and view responses from the Message Analyzer community of users and Microsoft.
About — displays release information such as the current Message Analyzer version and build number, along with a Privacy Alert.
Message Analyzer also provides a global toolbar, from which you can access most of the same features that are provided in the global menus, but with fewer clicks and submenu selections. Fuller descriptions for many of these features are provided in the "Global Menu" section. The global Message Analyzer toolbar contains the following items:
Items on the global toolbar change depending on whether you are displaying the results of a Data Retrieval Session (saved files) or a Live Trace Session.
New Session — click this toolbar item to open the New Session dialog, where you can choose a source from which to acquire data, as described earlier.
Favorite Scenarios — click this toolbar item to quickly start a Live Trace session with a single click on a Trace Scenario item in the list.
Open — provides a submenu that enables you to display either the Open dialog for Windows Explorer, or the File Selector, which is currently configured to open Azure storage BLOBs only.
Save — click this toolbar button to save bookmarks, comments, and time shifts, as described earlier.
New Viewer — click this toolbar drop-down list to specify additional data viewer configurations against a set of trace results or loaded data, for diagnostic and analysis purposes. For example, you might select the Protocol Dashboard or Top Talkers data viewers.
Edit Session — click this toolbar button to open the Edit Session dialog to reconfigure an existing Data Retrieval Session or Live Trace Session, and then apply your changes by clicking the Apply button in the dialog. Requires a Restart to capture data with the updated configuration that you specify.
Restart — this toolbar button enables you to restart a Live Trace Session. For example, after you edit an existing Live Trace Session through the Edit Session dialog, click the Restart button to apply the configuration changes that you specified. Note that this action starts a new Live Trace Session and abandons any previous data you collected. Also note that this control is included on the global toolbar only if you are displaying a set of trace results from a Live Trace Session.
Pause/Resume — click this toolbar button to pause a Live Trace Session in progress and then click it again to resume capturing data again. Toggles back and forth between the paused state and the capture resumed state as you click this button successively. Note that this control is included on the global toolbar only if you are displaying a set of trace results from a Live Trace Session.
Stop — click this toolbar button to stop the capture of messages in a Live Trace Session. Note that this control is included on the global toolbar only if you are displaying a set of trace results from a Live Trace Session.
Shift Time — specify time shifts that enable you to adjust the time stamps in a message set, for example to compensate for machine skew or time-zone changes across multiple data sources.
Aliases — click this toolbar item to display the Aliases drop-down list, from where you can select an Alias to apply to the currently in-focus session viewer tab.
Unions — configure and manage Unions of two or more fields that have identical values but different names in different data sources.
The Message Analyzer Start Page contains a top row of button commands for quick access to the following features or functions:
New Session — to start a new Data Retrieval Session or a Live Trace Session, open the New Session dialog with a single click on the New Session button.
Start Local Trace — start a local Link Layer trace in a basic configuration with a single click, with no additional configuration required.
Open — launch the Windows Explorer Open dialog with a single click, to locate a saved file containing message data and quickly load it into Message Analyzer.
Message Analyzer Team Blog — go to the Message Analyzer Blog to review numerous blog postings about Message Analyzer features and use. Also, leave comments, rate articles, and get feedback from Microsoft.
Discussion Forum — go to the Message Analyzer Forum to start a discussion thread, where you can get feedback from Microsoft.
From the Start Page, you can also view Recent Files, Favorite Scenarios, edit Favorite Trace Scenarios, and review News items.
Message Analyzer enables you to select various built-in Chart Viewer Layouts against a set of trace results to enhance your data analysis perspectives. It also provides the configuration tools and other features needed to create, edit, save, and share Chart viewers that you can configure with custom pie, bar, timeline, and grid chart components, each of which you will find in the built-in Protocol Dashboard viewer. You can use the centralized Field Chooser Tool Window to specify message fields for your Chart and you can also create data manipulation formulas for diverse data display configurations that empower visual analysis capabilities. Message Analyzer Chart configuration also supports Unions and union sets. You can access the Chart configuration controls by clicking the New Chart item in the New Viewer drop-down list on the global Message Analyzer toolbar.
Message Analyzer provides a Sharing Infrastructure that enables you to download default user asset collections to your local Libraries for manipulating and viewing data; this also includes downloading OPN packages for parsing messages that you capture with Message Analyzer. You can configure synchronization for automatic updates to these collections and packages that are periodically pushed out by a Microsoft web service to the default Message Analyzer subscriber feed that you can access from the Asset Manager dialog on the global Message Analyzer Tools menu. Because the user Libraries are integrated with the Sharing Infrastructure, you can import, export, and share these items with others, including any that you create or modify. Library item types include Trace Scenarios, Filters, Viewpoints, Color Rules, View Layouts, Charts, Pattern Expressions, and so on. To enable sharing these Library items, you can configure your own user feeds or post items to a user file share. You can also manage all user Library types with the common and centralized management dialog.
Other prominent Message Analyzer capabilities include the following:
Capturing Data Remotely — capture remote traffic on Windows 8.1, Windows Server 2012 R2, and Windows 10 hosts. Use the Remote Network Interfaces Trace Scenario with the Microsoft-Windows-NDIS-PacketCapture provider to target one or more computers with supported operating systems for remote capture in a Live Trace Session.
Configuring Host Adapter and Hyper-V-Switch Filters — capture traffic from one or more host adapters and/or virtual machines (VMs) that are serviced by a Hyper-V Switch on remote Windows 8.1, Windows Server 2012 R2, or Windows 10 hosts, or on the local computer. Customize the capture configuration by specifying packet traversal paths on switch extension layers and on the NDIS driver filter stack, along with configuring other special filters, such as packet Truncation, EtherType, and IP Protocol Number filters through use of the Advanced Settings - Microsoft-Windows-NDIS PacketCapture dialog.
Process MOF-Generated Events — fully parse messages that are captured by Message Analyzer from MOF-instrumented providers. Message Analyzer supports registered event providers on your system that use the MOF schema as the basis of generating their events.
Process WPP-Generated Events— parse and display Windows software trace preprocessor (WPP)-generated events. Because such events make use of the ETW framework, Message Analyzer can capture them live or load them from a saved event trace log (ETL) file. To enable parsing of WPP-generated events, users must provide supplementary information that defines the WPP event structure.
PEF-WFP Fast Filters — specify Fast Filters for the Microsoft-PEF-WFP-MessageProvider in a Loopback and Unencrypted IPSEC trace.
PEF-NDIS Fast Filters — configure logically chained Fast Filter groups that you assign to host adapters by using the Advanced Settings - Microsoft-PEF-NDIS PacketCapture dialog in a Local Network Interfaces trace on Windows 8 and earlier hosts.
Microsoft-Windows NDIS Packet Capture Provider — enabled for capturing remote traffic, with support for capturing from VMs that are managed by a Hyper-V-Switch. Also supports advanced filtering that includes packet direction, NDIS stack, and Hyper-V extension layer filters.
Microsoft-PEF-WFP-MessageProvider — In Message Analyzer v1.3, the Microsoft-PEF-WFP-MessageProvider has the capability to capture messages from remote computers that are running the Windows 10 operating system. You can capture this data in any Trace Scenario that uses this provider by starting your Live Trace Session with this scenario from any computer that is running the Windows 8.1, Windows Server 2012 R2, or the Windows 10 operating system.
Promiscuous Mode (P-Mode) — with the use of the Get-NetEventPacketCaptureProvider, you can configure the Microsoft-Windows-NDIS-PacketCapture provider to capture local or remote traffic on network adapters that support p-mode.
Filtering Language — discover how to write your own Filter Expressions for filtering data that is loaded into Message Analyzer, captured live, or analyzed after trace results are complete.
ResponseTime — add this Global Annotation entity from the Field Chooser as a data column in the Analysis Grid viewer. Enables you to measure the time interval between a request operation to a server and the first server response, to provide a context for assessing server performance.
Definitions — display OPN definitions for capture modules or message fields from the Analysis Grid viewer or Details tool window context menu, respectively.
Analysis Grid Toolbar Features — the Analysis Grid viewer now provides a toolbar for quick access to tools that assist in common analysis tasks.
Grouping Viewer — select the Grouping viewer to organize your traffic into summary group hierarchies that expose targeted information that you can quickly extract from a large data set, which can otherwise be difficult to achieve.
Track Fields and Properties — a Details Tool Window feature that exposes the values of message-specific fields, along with the additional global message properties and global annotations that are generated by Message Analyzer, to enable you to do the following from the Details Tool Window context menu:
Utilize these new entities when configuring filters, groupings, adding columns, and so on.
Track any message field, global property, or global annotation value — this enables you to compare the value of the same field or property in other messages that you select or scroll to in the Analysis Grid viewer.
Pattern Match Viewer — enables you to execute predefined Pattern expressions that locate message sequences or patterns that occur across a set of trace results, for example, a TCP Three-Way Handshake pattern. Also provides facilities for creating your own Pattern expressions, with or without user interface automation assistance.
Parse As — a global Options dialog feature that enables you to parse an existing set of trace results with a different port value, for example, one that deviates from a standard port value for a particular protocol. Accommodates traces that used alternate port values for security purposes.
Message Analyzer dramatically extends the network traffic diagnostics and analysis capabilities of Network Monitor; however, some Network Monitor features such as process name vs process ID correlation and WiFi tracing are not yet fully implemented in Message Analyzer. For a high-level comparison of several Message Analyzer and Network Monitor features and why new approaches have been taken for capturing, displaying, and analyzing message traffic, see the following Blog articles: