Applying and Managing View Filters
After you display message data in one or more of the Message Analyzer data viewers, you can apply a View Filter to reduce the scope of the presented data in a viewer according to filtering criteria that you define. You can select a predefined View Filter from the common Filter Expression Library drop-down list in the View Filter Tool Window, or you can write one of your own in the text box of the same window. You might use a View Filter to isolate specific information for presentation, while still preserving the original contents of your session results. For example, after you apply a Filter Expression in the View Filter window, you can simply undo the filtering action by selecting the Remove or Remove and Clear Text command from the Remove drop-down list in the View Filter window. All View Filters and Session Filters are available from the same common user Library and are based on the Filtering Language that is described in Writing Filter Expressions.
You can display the View Filter Tool Window in either of the following ways:
Click the View Filter button in the Filter group on the Ribbon of the Message Analyzer Home tab.
Click the Tool Windows drop-down list in the Windows group on the Ribbon of the Message Analyzer Home tab and select the View Filter item.
Applying a View Filter
By default, the filtering action of a View Filter impacts only the selected view in which you apply the filter, meaning that its action is specific to the current in-focus viewer only. The default action is initiated by clicking the Apply Filter button on the toolbar of the View Filter window.
Tip You can also apply a View Filter by using the keyboard shortcut Ctrl+Enter, and you can remove an applied View Filter by using the keyboard shortcut Ctrl+Shift+Enter. However, the View Filter window must have the focus for these shortcuts to work.
Note A View Filter does not alter the original message data that you capture live or load into Message Analyzer. Whenever you run a Live Trace Session or Data Retrieval Session, a View Journal is automatically created as a repository for the results. A View Filter simply allows you to return a subset of View Journal data to your session viewer based on specified filtering criteria, for analysis purposes.
Using the Filter Expression Library
Message Analyzer provides a centralized Filter Expression Library that contains predefined filters that you can apply as a View Filter to data displaying in a chosen message viewer. For example, you might apply the predefined Filter Expression *SourcePort == IANA.Port.SMB to the Protocol Dashboard viewer to filter for messages from any protocol that have a top-level SourcePort field equal to 445. You could then double-click the bar in the Top Level Protocol Summary bar chart corresponding to the filtered messages and automatically display them in the Analysis Grid viewer for further examination.
Compiling and Applying a View Filter
You can also create your own custom Filter Expression to apply to results that are displayed in a chosen data viewer. However, a Filter Expression that you create must pass compilation verification before you can use it. Message Analyzer automatically performs a compilation verification of any View Filter that you specify after you click the Apply button on the toolbar of the View Filter window. This ensures that you have a valid Filter Expression before it is applied to your session results. If the Filter Expression does not pass the compilation check, an error message displays, and you must either correct the expression or abandon it. If the Filter Expression passes the check, the filter you configured is applied to the data.
Note A similar compilation check is applied to any Session Filter that you specify in the New Session dialog after you click the Start button to begin a session.
Adding a Custom Filter to the Library
If you intend to add a custom-created View Filter to the centralized user Library for future use or to share with others, you will first need to display the Edit Filter dialog by selecting the New Filter item in the Library drop-down list on the View Filter window toolbar. From this dialog, you can specify Name, Description, and Category information. To ensure that the Filter Expression successfully compiles before saving it to the Library as a new asset, Message Analyzer automatically performs a compilation check after you click the Save button. If the Filter Expression is invalid, a Compile Query Error message displays. Otherwise, you can assume that compilation succeeded.
Creating View Filters from the Analysis Grid
You can also create and apply a View Filter very quickly to your data by right-clicking a data field value in most columns in the Message Analyzer Analysis Grid viewer column layout and selecting the Add <columnName> to Filter command from the context menu that displays. The columnName value in this command is a placeholder for the actual name of the Analysis Grid viewer column containing the data value that you right-click. The column name is automatically retrieved and displayed in the right-click menu, and when you select it, Message Analyzer builds a Filter Expression based on existing message field data values. For example, by clicking an IPv4 address in the Destination column, Message Analyzer builds a Filter Expression such as IPv4.Destination==192.168.1.1. Moreover, by clicking a Module column value such as TCP, Message Analyzer creates the atomic Filter Expression TCP. As a result of the way these filters are created, they are guaranteed to return results.
Note A Filter Expression such as TCP is called an atomic filter in Message Analyzer because it is a simple, left-hand-side-only filter that does not use an “equals” sign or any operators or combinators such as OR, AND, or NOT.
Creating View Filters from the Details Tool Window
Similar to the way you create a right-click View Filter from the Analysis Grid viewer, you can also create a View Filter from the Details Tool Window on the Message Analyzer Home tab, by right-clicking any field in the Name column of the Details window and selecting the Add <fieldName> to Filter context menu item. The fieldName value in this command is a placeholder for the actual field name in the Name column.
Tip If the Details window is not displayed, select the Details item from the Tool Windows drop-down list in the Windows group on the Ribbon of the Message Analyzer Home tab to restore it.
Managing View Filters as Shared Items
Your local View Filter Library contains a default collection of Filter Expression items plus any items that you create, and you can share all of these items with others. To do this, Message Analyzer provides a simple way to expose your Filter Expression items to others for sharing, or to retrieve Filter Expressions that others have shared. You can share your View Filter Library items directly with others by using the Export feature in the Manage Filter dialog to save one or more Filter Expression items to a designated file share. You can also use the Import feature in the same dialog to access Filter Expression items that have been shared by others. The Manage Filter dialog is accessible by selecting the Manage Filters item from the Library drop-down list on the toolbar of the View Filter Tool Window.
Sharing Filters on a Feed
You can share your Filter Expression items through a user feed that you configure in the Message Analyzer Sharing Infrastructure. You can create your own feed from the Settings tab on the Message Analyzer Start Page and it will appear on the Downloads page. Thereafter, you can update existing Filter Expression items or add others and make them available to team members or other users through the configured feed, where they can view, synchronize, and download them from the Downloads or Settings tabs. However, the synchronization aspect of the publishing feature on user feeds requires some manual configuration at this time to enable updates, as described in Manual Item Update Synchronization.
Updating Filter Assets
Message Analyzer also has a default subscriber feed on the Start Page that enables you to download Filter item collections from a Microsoft web service and to synchronize with item collection updates that are periodically pushed out by the service, as useful Filter items are developed at Microsoft for the community of Message Analyzer users. To receive these updates, which appear in the Message Analyzer category of your local View Filter Library, you must set the Message Analyzer Filters collection to the auto-sync state on the Message Analyzer Start Page. At any time, you can perform a download of an auto-synced collection from the Settings tab on the Start Page.
To learn more about applying View Filters, see Filtering Message Data.
To learn more about the Filtering Language and how to write filter expressions, see Writing Filter Expressions.
To learn more about sharing Message Analyzer Library items, including further details about the common Manage <Items> dialog, see the Sharing Infrastructure topic.
To learn more about auto-syncing item collections, see Managing Item Collection Downloads and Updates.