
PEF Architecture Tutorial

This tutorial describes the main features of the Protocol Engineering Framework (PEF) that directly support the functions of Message Analyzer. A diagram of PEF architecture is included along with supporting conceptual descriptions, to show how Message Analyzer functions are enabled by the framework.

PEF Components

Message Analyzer is a new tool for capturing, displaying, and analyzing network traffic, system events, device messages, and log data. It is the key, outwardly-facing component in the Protocol Engineering Framework. PEF was created for the improvement of protocol design, development, documentation, and testing. The following major messaging functions are provided by various PEF components:

  • Message capturing

  • Message parsing and analysis, including message reassembly and message representation in OPN

  • Message validation (data, behavior, and architecture) per protocol-specification standards

Message Analyzer directly relies upon the following components of the PEF architecture to support its functionality:

  • Open Protocol Notation (OPN) — the protocol description language that enables developers to model protocol architecture, behavior, and data. The entire OPN system, including types, actors, endpoints, and flow is implemented in .NET classes. OPN and .NET classes are compiled to produce a binary representation of each OPN protocol description that defines specific protocol architecture, behavior, and data.

    Message Analyzer relies upon the presence of compiled OPN protocol descriptions so it can display messages that have been captured and parsed by the PEF Runtime.

  • OPN Compiler — provides the compilation infrastructure for OPN protocol descriptions. The OPN Compiler generates the binary structures that comprise the OPN Protocol Object Model (POM).

    Message Analyzer relies upon the OPN Compiler to ensure that all OPN definitions, descriptions, and filter expressions are verified, so that messages captured in a Live Trace Session or loaded into Message Analyzer from logs and/or trace files in a Data Retrieval Session can be properly parsed by the PEF Runtime and thereafter displayed in a Message Analyzer viewer.

  • POM — a binary representation of a set of OPN text files in the form of a decorated syntax tree. These descriptions are utilized by the PEF Runtime to parse messages whenever you run a Live Trace Session, if you load an unparsed trace file in .matu format, or if an input trace file requires reparsing.

  • PEF Runtime — accepts messages from various components, such as drivers, providers, and logs, and processes them by using the parsing information (compiled protocol descriptions) described in the POM. The Runtime component also provides an API that enables Message Analyzer to interface with PEF. Message Analyzer relies upon the Runtime to capture and parse messages and to expose those messages through its API so Message Analyzer can access and display them in selected data viewers.

    The PEF Runtime is of central importance to Message Analyzer in performing the following tasks:

    • Listening for message packets from network driver interfaces, input adapters, and other components that are instrumented as ETW providers.

    • Querying the POM for OPN protocol descriptions that correspond to retrieved message packets.

    • Constructing OPN versions of packets retrieved from the network, provided that corresponding OPN protocol message descriptions were written.

    • Dispatching the OPN packet versions to endpoints that are monitored by POM “listeners”, or “actors”, which in turn decode the packets and pass them to higher endpoints up the processing chain, repeating this process until all packets in the message stack are decoded.

    • Enabling Message Analyzer to access the decoded messages through the Runtime API and to display them in a data viewer such as the Analysis Grid.

  • PEF Driver-Providers — provide the network interfaces for capturing events and messages that are passed to the Runtime parsing engine. The Microsoft-PEF-NDIS-PacketCapture provider captures data on the wire starting at the Data Link Layer; the Microsoft-PEF-WFP-MessageProvider captures above the Network Layer; and the Microsoft-PEF-WebProxy provider captures HTTP client browser traffic, unencrypted HTTPS, and other messages at the Application layer. All PEF drivers are instrumented for Event Tracing for Windows (ETW) so they can take advantage of the ETW infrastructure and deliver both events and captured network traffic. In turn, the events and network messages are passed to the Runtime parsing engine and thereafter Message Analyzer can display them.

    Note: The Microsoft-Windows-NDIS-PacketCapture provider also captures messages at the Data Link Layer; however, this provider also has remote capabilities that you can employ in certain scenarios, as described in Default Trace Scenarios.

    More Information
    To learn more about PEF providers and their features, see PEF Message Providers.

  • Input Adapters — provide the interfaces that define entry points or “chokepoints” into the PEF Runtime for various Import Entities, in message file formats such as .etl, .cap, .log, .matu, and .matp.
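
The Runtime's layer-by-layer dispatch described above, sketched as an added conceptual model in Python; it is not PEF, OPN, or Message Analyzer code. Each hypothetical actor listens on a named endpoint, decodes one layer, and hands the remainder to the next endpoint, and decoding stops where no description exists or a header is truncated. The frame and all names are constructed for illustration.

```python
import struct

# Conceptual model only: these names are hypothetical, not PEF/OPN APIs.
def ethernet_actor(data):
    if len(data) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", data[12:14])[0]
    # Only IPv4 has a "description" here; other EtherTypes have no listener.
    return {"EtherType": hex(ethertype)}, {0x0800: "IPv4"}.get(ethertype), data[14:]

def ipv4_actor(data):
    ihl = (data[0] & 0x0F) * 4 if data else 0
    if ihl < 20 or len(data) < ihl:
        raise ValueError("truncated IPv4 header")
    end = min(struct.unpack("!H", data[2:4])[0], len(data))  # honor total length
    fields = {"Source": ".".join(map(str, data[12:16])), "Protocol": data[9]}
    return fields, {17: "UDP"}.get(data[9]), data[ihl:end]

def udp_actor(data):
    if len(data) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, _ = struct.unpack("!HHHH", data[:8])
    return {"SourcePort": sport, "DestinationPort": dport}, None, data[8:length]

# Endpoint name -> actor listening on it (stands in for compiled descriptions).
ACTORS = {"Ethernet": ethernet_actor, "IPv4": ipv4_actor, "UDP": udp_actor}

def dispatch(frame, endpoint="Ethernet"):
    """Decode one layer per actor until no actor listens on the next endpoint."""
    stack, payload = [], frame
    while endpoint in ACTORS:
        try:
            fields, nxt, payload = ACTORS[endpoint](payload)
        except ValueError as exc:  # keep the partial stack and undecoded bytes
            stack.append((endpoint, {"ParseError": str(exc)}))
            break
        stack.append((endpoint, fields))
        endpoint = nxt
    return stack, payload

def sample_frame(ethertype=0x0800):
    """Constructed Ethernet/IPv4/UDP frame using documentation addresses."""
    udp = struct.pack("!HHHH", 53000, 53, 12, 0) + b"test"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + udp
    return bytes(12) + struct.pack("!H", ethertype) + ip

if __name__ == "__main__":
    for layer, fields in dispatch(sample_frame())[0]:
        print(layer, fields)
```
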

PEF architecture also contains other components, such as a POM Adapter that provides importing and exporting facilities; Simulation, which enables modeling of protocol test suites; and technical document (TD) generation, which produces documentation stubs and other artifacts for writers. These components are mentioned here because they interact with OPN protocol descriptions as part of PEF architecture, but are not directly related to Message Analyzer functions, with the exception of certain POM adapters.

The diagram that follows shows how Message Analyzer fits into the PEF architecture.


Figure 7: PEF component architecture

More Information
An OPN SDK covering PEF components, including OPN programming, tutorials, walkthroughs, standard library, language, and other managed reference documentation, may be available in the future on MSDN. However, an OPN Programming Guide is currently available from the Microsoft download site.


© 2015 Microsoft