Viewpoint Tool Window

 

As described in Understanding and Managing Viewpoints, you can achieve a unique analytical perspective on your message data by applying a Viewpoint. To assist your troubleshooting efforts in this context, Message Analyzer provides a robust set of built-in Viewpoints that you can apply from the Viewpoint Tool Window. These Viewpoints are contained in a manageable asset collection Library that is accessible from the toolbar of the Viewpoint window. They enable you to filter and reorganize your data view to display messages from the perspective of different protocols, modules, or message layers, as configured in each built-in Viewpoint.

Using the Viewpoint Features

This section describes the built-in Viewpoints that ship with Message Analyzer, along with the features that support the following tasks:

  • Displaying the Viewpoint Tool Window — specifies several locations from where you can access this window.

  • Applying Built-In Viewpoints — as applied to messages displaying in a data viewer.

  • Displaying and Removing Viewpoints — to undo the application of a Viewpoint to a set of messages.

  • Toggling Operations — to obtain different analysis perspectives, for example, by hiding operations to separate request/response pairs into their original chronological order versus condensing these pairs back into a top-level operation for faster analysis.

  • Applying Viewpoint Filters — to enhance the analysis context.

Displaying the Viewpoint Tool Window

If the Viewpoint Tool Window is not already displayed, you can open it by selecting the Viewpoint item from the Windows submenu of the global Message Analyzer Tools menu.

Applying Built-In Viewpoints

By default, Message Analyzer provides numerous built-in Viewpoints that exist in the categories specified below. You can apply these to any set of messages that are displayed in any data viewer by selecting a chosen Viewpoint from the Viewpoint drop-down list while a particular data viewer has focus. After you apply a Viewpoint to such a data viewer, you can hover over the data viewer tab or the viewer node in Session Explorer at any time thereafter to view a popup that indicates which Viewpoint is currently applied to the data set, along with any Viewpoint Filter, View Filter, or Message Range filter (Bookmarks or Gantt viewer context menu item) that is currently applied to the viewer.

The default Viewpoint categories and the assets they contain consist of the following:

  • Network category

    • Network layer — enables you to display messages at top-level from the IPv4, IPv6, DHCPv4, DHCPv6, and DNS protocols only, including their origins messages.

    • TCP — this Viewpoint reorganizes your data to enable easier diagnosis of the TCP layer. It places TCP messages on top, which can facilitate diagnosis of TCP performance issues that include the analysis of TCP SequenceNumber and AcknowledgementNumber values, TCP flags such as SYNs and ACKs, retransmits, broken three-way handshakes, window size, TCP options, and so on.

      Tip

      To enhance your analytical perspective with the TCP Viewpoint, you can use the TCP Deep Packet Analysis View Layout to display the relevant field data in a predefined Grouped configuration.

    • Data Link layer — enables you to display messages at top-level from protocols related to the Data Link layer, such as the Ethernet, PPP, ARP, and WiFi protocols, and their origins.

    • Ethernet layer — enables you to display Ethernet messages at top-level with no further parsing.

    • ETW — enables you to remove all messages above the ETW layer to simplify event diagnostics. This Viewpoint can also make event analysis easier when you are developing message providers or other components that write ETW events.

    • HTTP — an application-layer Viewpoint that places HTTP messages at top-level in the Analysis Grid. Provides a convenient way to analyze the request/response pairs of HTTP operations.

      Note

      HTTP messages can be hidden in the stack of SOAP messages. If you apply the HTTP Viewpoint when this is the case, SOAP messages should disappear and HTTP messages will display at top-level. However, even if operations are enabled, the HTTP messages may not display as operations.

    • IPv4 — a network-layer Viewpoint that enables you to more easily troubleshoot IP conversations, by pushing all IPv4 messages to top-level in the Analysis Grid. Note that you can enhance your analysis capabilities by using the Group command to partition the IPv4 conversations into groups.

    • IPv6 — a network-layer Viewpoint that enables you to more easily troubleshoot IP conversations, by pushing all IPv6 messages to top-level in the Analysis Grid. You can also enhance your analysis capabilities by grouping, as specified in the previous bullet point.

    • SMB/SMB2 — an application-layer Viewpoint that places SMB and SMB2 messages at top-level in the Analysis Grid by removing RPC and any other message layers on top, such as GSSAPI and Kerberos.

    • TCP Reassembled — since Message Analyzer automatically reassembles payloads, the details can be hidden under a TCP Virtual Reassembled Segment. By applying this Viewpoint, you can observe the TCP Viewpoint after reassembly has occurred.

      Note

      If you apply either of the TCP Viewpoints, operations will no longer be visible.

    • Transport layer — enables you to display messages at top-level from the TCP and UDP protocols only, including their origins.

    • UDP — provides perspective from the Viewpoint of the UDP transport protocol.

    • WinInet (HTTP/s) event layer — enables you to display and diagnose HTTP and unencrypted HTTPS events.

  • Other Viewpoints category

    • SOAP — enables you to display messages at top-level from the SOAP protocol only, plus the origins messages.

Tip

To add a Viewpoint to your Favorites list, click the white star to the left of the Viewpoint in the Viewpoint drop-down list. When you select it, the white star changes to the color amber and the Viewpoint is added to the Favorites list in a category that is named according to its original category placement. You can also create a Favorite by right-clicking a Viewpoint and selecting the Favorites item from the context menu that displays. If the Viewpoint is already a Favorite, you can remove the Favorite status by clicking the check mark next to that Viewpoint item in the context menu.

Displaying and Removing Viewpoints

When messages are parsed by Message Analyzer, they are indexed. When you apply a Viewpoint to a set of parsed messages, Message Analyzer simply reorganizes the data display by retrieving messages whose indexes correlate with the applied Viewpoint filtering criteria. The result is that you can display the Viewpoint messages at the top-most level in the Analysis Grid viewer, which can include all operations that exist at the current Viewpoint, if they are enabled. For example, if you apply the SMB/SMB2 Viewpoint, then operations for the SMB and SMB2 protocols will display. The current exception to this is if an upper-layer protocol that is above a set Viewpoint also defines operations. In this case, operations for the latter protocol will display at top-level.

The Viewpoint that displays by default in the Analysis Grid viewer is a summary view of top-level messages that have no other message layers above them. After applying a Viewpoint to a set of messages and changing the data to the perspective of a particular protocol, you can return to the default Viewpoint by clicking the Default Viewpoint item in the Viewpoint drop-down list on the toolbar of the Viewpoint window. You can also remove the current Viewpoint by selecting another one from the Viewpoint drop-down list.

Toggling Operations

When you capture messages that are part of an operation, Message Analyzer normally collapses this traffic to combine related request and response message pairs into a single, top-level message line that contains a blue cubed icon to indicate an operation. However, because it is important to understand the interaction between requests and responses, Message Analyzer also enables you to toggle operations from the Operations drop-down list on the toolbar of the Viewpoint window, so you can alternately hide and show operation message nodes in the Analysis Grid viewer. You can also specify a setting that enables you to display the top-level operations only for a particular protocol that defines them, such as HTTP or SMB, without also showing other non-operation messages of the same protocol that normally get pushed to top-level by application of a related Viewpoint. The Operations drop-down list on the Viewpoint window toolbar contains three options that enable these features, as follows:

  • Show Operations and Messages — displays operation nodes for a particular Viewpoint protocol that defines request/response messages, such as HTTP or SMB2, but also shows other non-operation messages of the Viewpoint protocol, if any exist. This is the default configuration that is applied for Operations.

  • Show Operations Only — enables you to focus on operations only for a specified Viewpoint protocol that defines request/response messages, without the display of other non-operation messages of that particular Viewpoint protocol.

  • Show Messages Only — enables you to remove the default association of request/response message pairs as operation nodes, which Message Analyzer configures during Runtime parsing, and simply display all messages in chronological order.

When you hide operations, you can expose additional messages that match the currently applied Viewpoint. For example, if you apply an HTTP Viewpoint to a trace that captured HTTP messages, you will see only top-level HTTP message nodes; some of these will be operations that contain request and response message pairs and some will not be operations, for example, payload reassembly messages. For nodes that are operations (blue cubed icons), the HTTP request and response component messages are readily observable by expanding the top-level operation nodes. If you select Show Messages Only in the Operations drop-down list, the operations are broken apart and the constituent request and response message pairs are then displayed in chronological order instead. In this display configuration, you might lose some context as the request and response messages will no longer be grouped together as a single operation, but rather, they assume their original chronological position in the trace before Message Analyzer created the operation nodes. This may provide some analytical value in other ways, but the response messages can still be buried inside multiple expansion nodes in the Analysis Grid viewer, making them difficult to locate. However, if you select the Show Operations and Messages or Show Operations Only item in the Operations drop-down list, you can return to the display configuration that collapses all related request and response message pairs into single, top-level operation nodes in the Analysis Grid viewer, for ease of analysis.

Note

When you hide operations with the Show Messages Only command, the original request message stacks from all operations remain at top-level in the Analysis Grid viewer. However, the response message stacks that were formerly part of all operation nodes are removed from each operation. All these messages are then redisplayed in chronological order as previously described. Note that you can continue to expose the request and response message stacks by clicking the associated expansion nodes.

Applying Viewpoint Filters

Message Analyzer provides a Viewpoint Filter Library on the toolbar of the Viewpoint Tool Window. It is the same centralized Library that is located on the toolbar of the View Filter Tool Window and in other locations. This enables you to apply further filtering to a set of messages that is already filtered by the criteria of an applied Viewpoint. The advantage of using a Viewpoint Filter is that it enables you to drill down further to expose messages of interest based on the applied filtering. The filtering you apply should be relevant to the Viewpoint context in which you are working. A typical usage scenario might look like this: you first apply a View Filter to a set of trace results, and you then realize you should set the Viewpoint to a particular layer so you can focus on a condensed and more relevant message set for your current analysis. All messages above the Viewpoint level disappear. Once the Viewpoint is set, you can drill down even further to isolate a message or messages that meet the criteria of a Viewpoint Filter that you specify.

Filtering Behaviors

The behavior of View Filters and Viewpoint Filters is similar within the context in which they are applied. More specifically, View Filter behavior with respect to an entire trace results set is similar to the way a Viewpoint Filter behaves when applied to a Viewpoint results set. The difference in the Viewpoint filtering scenario is that you are able to generate a more precise focus on specific messages of interest. In general, Viewpoints enable you to do this by removing all messages above the Viewpoint protocol or protocols. However, by also applying a Viewpoint Filter, you can be even more selective of the messages you are exposing in the Analysis Grid or other viewer for analytical purposes. The scenario that follows may help explain the differences between using View Filters and Viewpoint Filters.

Viewpoint Filtering Example
As an example of Viewpoint filtering, if any top-level message or one of its origins messages in a set of trace results matches the criteria of a View Filter, Message Analyzer returns that top-level message and its origins (stack) when the View Filter is applied. If you then apply a Viewpoint while the same View Filter is applied, the Viewpoint will cause any message that matches the Viewpoint criteria within the existing View-filtered display to appear at top-level in accordance with the applied Viewpoint's functionality.

For instance, if the View Filter TCP.SequenceNumber == 667053237 is applied to the original set of trace results, and a top-level message or one of its origins messages matches that sequence number, then that top-level message (and its origins) is isolated in the Analysis Grid. This is expected behavior, as all View Filters work in this manner. If you now apply a TCP Viewpoint to this display configuration, all TCP messages that are contained in the stack of the former top-level message are pushed to top-level so that only TCP messages display with nothing above that layer, which also includes the message that met the filtering criteria of the applied View Filter. If you now apply the same filter (TCP.SequenceNumber == 667053237) as a Viewpoint Filter, it results in displaying only the TCP message that meets that filtering criteria along with its underlying stack messages. This behavior is similar to the way a View Filter works against the original set of trace results with no Viewpoint applied. The only difference between them is the context in which the filtering is applied.
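The three steps of this scenario can be traced with a small model. The following is an added example, not Message Analyzer code: the Msg class, the helper functions, the trace, and every sequence number other than 667053237 are constructed for illustration, and the model assumes a message stack is a simple tree of origins.

```python
from dataclasses import dataclass, field

@dataclass
class Msg:
    proto: str
    fields: dict = field(default_factory=dict)
    origins: list = field(default_factory=list)  # lower-layer messages (the stack)

def walk(msg):
    """Yield a message and every message in its origins stack."""
    yield msg
    for origin in msg.origins:
        yield from walk(origin)

def apply_filter(top_level, pred):
    """Keep a top-level message (with its stack) if it or any origin matches."""
    return [m for m in top_level if any(pred(x) for x in walk(m))]

def apply_viewpoint(top_level, proto):
    """Push every message of `proto` to top level, dropping the layers above it."""
    return [x for m in top_level for x in walk(m) if x.proto == proto]

def tcp(seq):
    # Constructed TCP segment carried over IPv4 and Ethernet.
    return Msg("TCP", {"SequenceNumber": seq},
               [Msg("IPv4", origins=[Msg("Ethernet")])])

def seq_is_667053237(m):
    # Model of the page's filter: TCP.SequenceNumber == 667053237
    return m.proto == "TCP" and m.fields.get("SequenceNumber") == 667053237

# Constructed trace: sequence numbers other than 667053237 are made up.
TRACE = [
    Msg("HTTP", origins=[tcp(667053237), tcp(667054697)]),
    Msg("HTTP", origins=[tcp(100200300)]),
    Msg("DNS", origins=[Msg("UDP", origins=[Msg("IPv4", origins=[Msg("Ethernet")])])]),
]

def demo():
    view_filtered = apply_filter(TRACE, seq_is_667053237)    # 1. View Filter
    viewpoint = apply_viewpoint(view_filtered, "TCP")         # 2. TCP Viewpoint
    vp_filtered = apply_filter(viewpoint, seq_is_667053237)   # 3. Viewpoint Filter
    return view_filtered, viewpoint, vp_filtered

if __name__ == "__main__":
    steps = ("View Filter", "TCP Viewpoint", "Viewpoint Filter")
    for label, msgs in zip(steps, demo()):
        print(label, [(m.proto, m.fields) for m in msgs])
```

The same apply_filter function serves as both the View Filter and the Viewpoint Filter; only the message set it runs against changes, which is the point the scenario makes.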

Note

The Viewpoint Filter controls on the toolbar of the Viewpoint Tool Window work the same way as the identical controls on the toolbar of the View Filter Tool Window. For more information about using these controls, see Applying and Managing View Filters.

_______________

See Also

Understanding and Managing Viewpoints