
Procedures: Quick Start

To start using Microsoft Message Analyzer, run the procedures in this section to learn how to utilize analyzer features and functions to accomplish basic tasks such as the following:

Displaying Data Quickly From a Saved Trace File

Starting a Live Trace Session with a Predefined Trace Scenario

Starting and Modifying a Data Retrieval Session

Displaying Different Data Viewers to Change Analysis Perspectives

Creating and Saving a Customized Trace Scenario

Note  Although these procedures demonstrate the use of Message Analyzer capabilities in some basic scenarios, they are only a sampling of what you can accomplish with Message Analyzer, given that you can also apply the methodologies described here to many other scenarios. This is also true of other procedural content in this Operating Guide.


Important  If you have not logged off from Windows after the first installation of Message Analyzer, please log off and then log back on before performing these procedures. This action ensures that in all subsequent logons following installation, your security token will be updated with the required security credentials from the Message Capture Users Group. Otherwise, you will be unable to capture network traffic in Trace Scenarios that use the Microsoft-PEF-NDIS-PacketCapture provider, Microsoft-Windows-NDIS-PacketCapture provider, or the Microsoft-PEF-WFP-MessageProvider, unless you start Message Analyzer with the right-click Run as administrator option.

Displaying Data Quickly From a Saved Trace File

The procedure that follows shows you how to use the Message Analyzer Open feature to rapidly access and display data from a saved trace or log file.

To quickly open a saved trace file and display its data

  1. From the Start menu, Start page, or task bar of your computer, click the Microsoft Message Analyzer icon to launch Message Analyzer. Start Message Analyzer with the right-click Run as Administrator option if necessary, as described in the previous Important note.

  2. Click the global Message Analyzer File menu and then click Open to display the Windows Open dialog.

    Tip  If you have already opened files with the Open command, a Recent Files item is available just below the Open command on the File menu that displays a submenu to the right, from where you can select a file and immediately open it in the default data viewer.

  3. In the Open dialog that displays, navigate to a saved trace or log file containing the data you want to display and then click the Open button to exit the dialog.

    The saved data displays in the default data viewer.

Tip  You can quickly retrieve data from one or more saved trace files by dragging and dropping them almost anywhere on the Message Analyzer user interface. In drag-and-drop mode, the data retrieved from each file in a selected set displays in separate default viewer tabs, although each file will be in a different session that is designated by a unique color code. Note that the drag-and-drop function does not work if you are running Message Analyzer as an Administrator, due to the differing security contexts that can exist between applications.

You can also drag and drop *.log files to display their data. However, instead of the data immediately displaying in the default data viewer, the New Session dialog opens to the Data Retrieval Session configuration, with the log file or files that you selected as the data sources for the session. This gives you the opportunity to specify a Text Log Configuration file, which is required for parsing *.log files (unless you have already specified a default configuration file in the Options dialog to use for all *.log files, in which case Message Analyzer immediately proceeds to loading the data). Other session configurations that you can specify include a Time Filter, Session Filter, or Parsing Level, to define the scope of messages to be retrieved, or setting the Truncated Parsing mode, adding more files to the session as data sources, and specifying the data viewer you want to use.

To learn more about these additional configuration capabilities, see Configuring a Data Retrieval Session.

Starting a Live Trace Session with a Predefined Trace Scenario

The procedure that follows shows you how to select the predefined Loopback and Unencrypted IPSEC Trace Scenario that uses the Microsoft-PEF-WFP-MessageProvider to focus your live data capture above the Network Layer, while minimizing lower-level network traffic. Although this scenario enables you to capture loopback and unencrypted IPSec traffic, this is not the focus of this example.

Tip  Whenever you make a Trace Scenario a Favorite, such as the Loopback and Unencrypted IPSEC scenario, you can simply click it in the submenu of the Favorite Scenarios item in the Message Analyzer File menu to quickly start a live trace based on the favorite scenario.

To start a Live Trace Session with the Loopback and Unencrypted IPSEC trace scenario

  1. Launch Message Analyzer as specified in the previous procedure.

  2. Click the global Message Analyzer File menu and then click the New Session item to display the New Session dialog.

  3. Under Add Data Source in the New Session dialog, click the Live Trace button to display the Live Trace tab along with the associated session configuration features that it contains in the New Session dialog.

  4. Select the Loopback and Unencrypted IPSEC item in the Select a trace scenario drop-down menu on the Live Trace tab of the New Session dialog.

    The Microsoft-PEF-WFP-MessageProvider is added to the ETW Providers list on the Live Trace tab of the New Session dialog.

  5. Optionally, select a predefined Session Filter from the centralized Filter Expression Library, such as IPv4Address==<192.168.1.1> to capture messages that are sent to and received from a specific computer. The IP address in this example filter is a placeholder for an actual IP address that you must provide.

    Note  A Session Filter enables you to define the scope of the data capture while at the same time improving performance by limiting how much data you collect.

  6. Click the Start With drop-down menu arrow and select the data viewer in which to display your trace results, or use the default Analysis Grid data viewer setting.

  7. Click the Start button in the New Session dialog to start capturing data in your Live Trace Session.

  8. While the Live Trace Session is running, launch a web browser and click some links to navigate to several web locations.

    Message Analyzer starts to accumulate messages in the data viewer that you specified.

  9. Stop the trace at a suitable point by clicking the Stop button on the global Message Analyzer toolbar.

    Inspect your trace results in the data viewer that you chose and observe that Message Analyzer has captured a set of messages, including HTTP, as a result of the browser links that you clicked.

    To learn more about how you might analyze this type of data, see the following topics for some examples of how to apply HTTP and TCP View Filters in an Analysis Session:
    Applying an HTTP View Filter to Loopback and Unencrypted IPSEC Trace Results
    Applying TCP View Filters to Loopback and Unencrypted IPSEC Trace Results

Advisory  If you let a trace session run for an extended period, it can consume a large amount of memory.

To learn more about the configuration capabilities that are available for a Live Trace Session, see Configuring a Live Trace Session.

Starting and Modifying a Data Retrieval Session

The first procedure in this section shows you how to open a Message Analyzer Data Retrieval Session from where you can specify one or more saved files that contain the message data you want to load and display in the Analysis Grid viewer. The second procedure describes how to modify a Data Retrieval Session so that you can load data from additional files into the existing Message Analyzer session. The option to create a filtered view of the loaded data with the use of a Session Filter is also described.

To use a Data Retrieval Session to load saved trace data into Message Analyzer

  1. Launch Message Analyzer as indicated in earlier procedures.

  2. Click the global Message Analyzer File menu and then click New Session to display the New Session dialog.

  3. Under Add Data Source in the New Session dialog, click the Files button to display the Files tab along with the associated session configuration features that it contains in the New Session dialog.

  4. On the Files tab, click the Add Files button to display the Open dialog, from where you can navigate to the trace files that contain the data you want to load into Message Analyzer.

  5. In the Open dialog, select the file or files that contain the data you want to retrieve, then click the Open button to exit the dialog.

    Message Analyzer displays the files you selected in a list on the Files tab that includes columns of data such as Name, File Size, File Type, Message Count, Start Time, End Time, and Text Log Configuration.

    Note  The data from the files that display in this list is not yet loaded into Message Analyzer. At this point, the files are simply the target data sources from which data will be loaded after you click the Start button in the New Session dialog.

  6. In the files list, ensure that there is a check mark in the check box next to each file containing the data you want to load into Message Analyzer. Note that you can select or unselect files in the list to create specific combinations of data sources from which to load data.

  7. In the Start With drop-down menu of the New Session dialog, select a data viewer in which to display the results of your Data Retrieval Session; otherwise, the default data viewer setting will be used.

    Note  You have the option to change the default data viewer from the Options dialog, which is accessible from the global Message Analyzer Tools menu. Note that Message Analyzer ships with the Analysis Grid viewer as the default setting.

  8. Optionally, select a Session Filter from the Filter Expression Library in the New Session dialog, or configure a Time Filter from the Files tab in the dialog to define the scope of data retrieval or to narrow the window of time in which to view data, respectively.

    To learn more about applying these filters, see Selecting Data to Retrieve.

  9. Click the Start button in the New Session dialog to begin loading the data into Message Analyzer.

    After the data is loaded, it displays in the default or selected data viewer.

    To learn more about how to manipulate and analyze saved trace data that you have loaded into the Message Analyzer Analysis Grid viewer, see the following sections:
    Analysis Grid Viewer
    Common Data Viewer Features
    Tool Windows
    Filtering Live Trace Session Results

If you want to modify an existing Data Retrieval Session so that you can load additional data from one or more files such as logs, or specify other configurations such as filtering, perform the steps of the following procedure.

Modifying a Data Retrieval Session

  1. On the global Message Analyzer toolbar, click the Edit Session button to return to the original configuration of the currently in-focus Data Retrieval Session. Note that if you have more than one session tab displaying, you must select the viewer tab for the Data Retrieval Session that you want to modify before you click Edit Session.

  2. On the Files tab of the New Session dialog, click Add Files to add one or more saved trace files to the files list and then select the check box next to each file containing the data you want to load into Message Analyzer.

    Important  When you click the Edit Session button on the global Message Analyzer toolbar, by default your Data Retrieval Session opens in Restricted Edit mode. This mode enables you to add saved files as new data sources, but it disables other configuration capabilities, such as setting a Time Filter, choosing a Session Filter, or setting the Parsing Level. The advantage of the Restricted Edit mode is that you can add the new data files without triggering a reload of all data and incurring a performance hit. However, if you want to enable the indicated configuration features to specify changes, you can select the Full Edit mode, although you should be aware that a reload of all data will be required if you Apply the changes.

  3. When you are done with configuration, click the Apply button to load and display the new data in the Analysis Grid viewer.

    Note  When you load data from additional files in an edited Data Retrieval Session, the messages from these files are interlaced with the existing messages in the Analysis Grid viewer in chronological order.

Configuring a Session Filter
When loading data from saved files into Message Analyzer, you can select a predefined Filter Expression from the Library drop-down list above the Session Filter text box, or you can manually configure one in the same text box; this results in filtering the input messages to specific criteria. For example, you might add a simple expression such as *Port != IANA.Port.LDAP from the Library drop-down list to remove LDAP traffic on TCP and UDP transports. Note that if you manually configure a Filter Expression and it is invalid, a Compile query error message will be displayed after you click the Apply button in the New Session dialog.
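To make the Session Filter semantics concrete, the following is an added Python model, not Message Analyzer code, that evaluates the two expressions quoted on this page, *Port != IANA.Port.LDAP and IPv4.Address == 192.168.1.1, over a small set of constructed parsed messages. It assumes that the *Port wildcard addresses every field whose name ends in Port in any layer, that IPv4.Address matches either endpoint of a message, that IANA.Port.LDAP resolves to 389, and that an expression the parser cannot read raises the equivalent of the Compile query error.

```python
"""Toy evaluator for the Session Filter expressions quoted on the page.

Constructed example; not Message Analyzer code. Assumed semantics:
  - '*Port' is a wildcard over every field whose name ends in 'Port'
    in every layer (TCP and UDP source/destination ports), and
    '*Port != X' drops a message if any such field equals X, which is
    how the page describes removing LDAP traffic on both transports.
  - 'IPv4.Address == X' matches if either the source or the destination
    IPv4 address equals X, which is how the page describes isolating
    traffic to one host.
  - 'IANA.Port.LDAP' resolves to port 389.
"""
import re
from ipaddress import IPv4Address

# Small alias table standing in for the IANA port names (assumption).
IANA_PORTS = {"IANA.Port.LDAP": 389, "IANA.Port.HTTP": 80, "IANA.Port.DNS": 53}

# Constructed sample messages: layer -> {field -> value}
MESSAGES = [
    {"IPv4": {"Source": "192.168.1.1", "Destination": "10.0.0.5"},
     "TCP": {"SourcePort": 51000, "DestinationPort": 389}},
    {"IPv4": {"Source": "10.0.0.7", "Destination": "192.168.1.1"},
     "TCP": {"SourcePort": 389, "DestinationPort": 51001}},
    {"IPv4": {"Source": "10.0.0.5", "Destination": "10.0.0.9"},
     "UDP": {"SourcePort": 389, "DestinationPort": 52000}},
    {"IPv4": {"Source": "10.0.0.5", "Destination": "192.168.1.1"},
     "TCP": {"SourcePort": 51002, "DestinationPort": 80}},
]

_EXPR = re.compile(r"^\s*(\S+)\s*(==|!=)\s*(\S+)\s*$")


def _resolve_value(token):
    """Turn the right-hand token into a comparable value (alias, int or IPv4)."""
    if token in IANA_PORTS:
        return IANA_PORTS[token]
    if token.isdigit():
        return int(token)
    # Validates the literal; a malformed address raises ValueError.
    return str(IPv4Address(token))


def _candidate_fields(message, lhs):
    """Yield the value of every field that the left-hand side addresses."""
    if lhs.startswith("*"):                      # wildcard: any field ending with the suffix
        suffix = lhs[1:]
        for fields in message.values():
            for name, value in fields.items():
                if name.endswith(suffix):
                    yield value
    elif lhs == "IPv4.Address":                  # assumed pseudo-field: either endpoint
        yield message["IPv4"]["Source"]
        yield message["IPv4"]["Destination"]
    else:                                        # explicit Layer.Field reference
        layer, _, field = lhs.partition(".")
        if layer in message and field in message[layer]:
            yield message[layer][field]


def compile_filter(expression):
    """Return a predicate message -> bool; raise ValueError for an unreadable expression."""
    match = _EXPR.match(expression)
    if not match:
        raise ValueError(f"Compile query error: {expression!r}")
    lhs, op, rhs = match.groups()
    value = _resolve_value(rhs)
    if op == "==":
        return lambda msg: any(v == value for v in _candidate_fields(msg, lhs))
    # '!=' drops the message when any addressed field carries the value.
    return lambda msg: not any(v == value for v in _candidate_fields(msg, lhs))


def apply_session_filter(expression, messages=MESSAGES):
    """Return the indexes of the messages that survive the Session Filter."""
    keep = compile_filter(expression)
    return [i for i, msg in enumerate(messages) if keep(msg)]
```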

Note  After loading a collection of messages from specified files and displaying the data in a selected viewer, you have the option to add a predefined or manually configured View Filter to further isolate specific data of interest. A Filter Expression Library for selecting predefined filters is available in the View Filter Tool Window, which is accessible from the Windows submenu of the global Message Analyzer Tools menu.

To learn more about how to manually configure your own filters, see Writing Filter Expressions.

Displaying Different Data Viewers to Change Analysis Perspectives

The procedure that follows runs a live Loopback and Unencrypted IPSEC trace and then loads a message collection to create initial data views in separate Analysis Grid viewer tabs. You can then select several different data viewers that provide high-level data summaries and statistics, some in graphic formats.

To display different data viewers

  1. Follow the guidelines of the second procedure in this section to start a live Loopback and Unencrypted IPSEC trace.

  2. Capture SMB traffic by performing file access activities while your Live Trace Session is running.

    Note that the Microsoft-PEF-WFP-MessageProvider in the Loopback and Unencrypted IPSEC Trace Scenario captures data above the Network Layer, which makes it a good choice for capturing SMB traffic at the Application Layer while minimizing lower layer noise.

  3. Stop the Live Trace Session at a suitable point by clicking the Stop button on the global Message Analyzer toolbar.

  4. Load messages from one or more saved trace files (preferably related SMB data) into Message Analyzer through a Data Retrieval Session by following the guidelines of the third procedure in this section.

    The trace results and loaded data display in separate Analysis Grid viewer tabs, assuming that you specified the Analysis Grid as your data viewer in the New Session dialog for your Live Trace Session and Data Retrieval Session configurations.

  5. If the Session Explorer Tool Window is hidden, click the global Message Analyzer Tools menu, select the Windows submenu, and then click the Session Explorer item to restore it to the default location.

  6. To create a different view of the live trace results data (in addition to the Analysis Grid viewer instances), right-click an appropriate session node in Session Explorer, highlight New Viewer, and then select the Protocol Dashboard viewer item from the context menu that appears.

    The Protocol Dashboard displays in a separate data viewer tab that contains top-level summaries of the trace data. Note the SMB traffic volume in the Top Level Protocol Summary area.

    Note  The Protocol Dashboard is considered a Chart data viewer in Message Analyzer because it is made up of several graphic data visualizer components.

    To learn more about the Protocol Dashboard viewer, see the Protocol Dashboard topic.

  7. Double-click the SMB bar element in the Top Level Protocol Summary bar chart visualizer component in the dashboard to display the SMB messages in a separate Analysis Grid viewer tab for further analysis.

  8. Repeat step 6 and select the SMB Reads and Writes or SMB File Stats viewer to display a view of the live trace data that provides SMB statistics and charted timeline information.

    Important  This viewer will display data only if SMB, SMB2, or SMB3 protocol packets were captured in the Live Trace Session that you ran.

  9. Right-click the node for the Data Retrieval Session in Session Explorer, highlight New Viewer, and then select the Grouping viewer in the Common category.

    Note the hierarchy of message groups that display for the Process Name and Conversations grouping view Layout, which is the default layout for the Grouping viewer. This layout isolates trace data into nested groups consisting of ProcessName, ProcessId, Network (IP conversations), and Transport (ports that carried the IP conversations), to enable a focused analytical perspective.

  10. While the Grouping viewer has focus, click the Layout drop-down list on the Grouping viewer toolbar and select the File Sharing SMB/SMB2 view Layout to isolate the data by SMB SessionId, TreeId, and FileName.

    This will enable you to drill down into the hierarchically organized group display to analyze the messages associated with each file, as nested under SMB session and tree IDs, perhaps to search for diagnostic errors. Note that if you select a group node under the Group Values column of the Grouping viewer, you will display the messages associated with the selected group node in the Analysis Grid viewer for further analysis, provided that the Filtering Mode is enabled on the Grouping viewer toolbar.

    To learn more about the Grouping viewer, refer to the Grouping Viewer topic.

  11. Next, right-click the node for the Data Retrieval Session in Session Explorer, highlight New Viewer, and then select Pattern Match in the Common category.

    To start the Pattern matching process, specify a predefined Pattern expression in the Available Patterns list of the Pattern Match viewer, by selecting the check box of a chosen Pattern expression. For example, you might select the TCP Retransmit Pairs or TCP Three-Way Handshake Pattern expression to identify those sequential pattern types across the retrieved message set, to expose network or connectivity issues, respectively.

    To learn more about Pattern matching, refer to the Pattern Match Viewer topic.

  12. To quickly vary your analysis perspectives, poll through the various views of data by clicking the viewer nodes under each session name in Session Explorer, or select different viewer tabs in the main analysis surface.

    As you select viewer nodes in Session Explorer, the data for those viewers displays in separate viewer tabs. As you poll the data views, you obtain unique perspectives on the data that enhances your analysis capabilities.

  13. Optionally, to obtain alternate but integrated views of the saved message data, select the Message Stack Tool Window from the Windows submenu of the global Message Analyzer Tools menu, if the window is not already open, to expose the underlying message stack that supported top-level transactions; also select the Diagnostics Tool Window from the same menu location to display summary groups of the different types of diagnosis errors that occurred in the retrieved data.

    Important  The Diagnostics window is currently a preview feature. To use this tool, you must enable it on the Features tab of the Options dialog, which is accessible from the global Message Analyzer Tools menu, and you must then restart Message Analyzer.

Tip  Comparing Live Trace Session results with related data that is loaded into Message Analyzer from a Data Retrieval Session provides a convenient method for analyzing current and historical data side by side. To learn how to display data viewer tabs side by side, see Redocking Data Viewers and Tool Windows.

Creating and Saving a Customized Trace Scenario

In the procedure that follows, you will create and save a Trace Scenario to serve as a trace template with predefined tracing functionality that you can run on demand. The Trace Scenario specified in this simple example enables you to isolate traffic to a specific IP address, where you can use two different methods of filtering to achieve that result.

To create and save a Trace Scenario

  1. From the Start menu, Start page, or task bar of your computer, click the Microsoft Message Analyzer icon to launch Message Analyzer.

  2. Click the global Message Analyzer File menu and then click New Session to display the New Session dialog.

  3. Under Add Data Source in the New Session dialog, click the Live Trace button to display the Live Trace tab along with the associated session configuration features that it contains in the New Session dialog.

  4. Select the Local Network Interfaces item in the Select a trace scenario drop-down menu on the Live Trace tab of the New Session dialog.

    Note  If you are running the Windows 7, Windows 8, or Windows Server 2012 operating system, the Microsoft-PEF-NDIS-PacketCapture provider is added to the ETW Providers list on the Live Trace tab of the New Session dialog. Otherwise, for later operating systems, the Microsoft-Windows-NDIS-PacketCapture provider with remote capabilities is added to the list.

  5. In the earlier operating system scenarios, click the Configure link to the right of the Microsoft-PEF-NDIS-PacketCapture provider in the ETW Providers list to display the Advanced Settings - Microsoft-PEF-NDIS-PacketCapture dialog. Select the Provider tab in the dialog and then specify the configurations that follow:

    • In the Name column under System Network, expand the Machine node, and then under Adapters, make sure that the In and Out check boxes for the Ethernet network adapter are selected. This ensures that the Trace Scenario will capture both inbound and outbound traffic on the Ethernet adapter. Unselect these check boxes for all other listed adapters.

    • In the Fast Filters pane of the Advanced Settings - Microsoft-PEF-NDIS-PacketCapture dialog, click the black arrow next to the Filter 1 designator in Group 1 and select the IPv4Address option from the drop-down menu that displays.

      Note  With a low-level IPv4 address Fast Filter, the Trace Scenario will deliver messages to the PEF Runtime that transited to or from a specified IPv4 address only, as the Trace Scenario is running. This avoids the additional parsing that is normally required when you specify a similar Session Filter, thereby improving Message Analyzer performance.

    • Specify an IPv4 address value in the format 192.168.1.1 in the text box adjacent to the drop-down menu, to isolate traffic to the specified IPv4 address. Make sure to substitute your own address for the placeholder IP address value used in this example.

    • Highlight the row in which the Ethernet adapter exists in the System Network tree grid of the Advanced Settings - Microsoft-PEF-NDIS-PacketCapture dialog, and then click the Apply to Highlighted button in Group 1.

      The name of the Ethernet adapter displays as the Target of the filter Group. Click OK to exit.

      Note  Instead of configuring a Fast Filter, you can optionally specify a Session Filter such as IPv4.Address == 192.168.1.1 in the Session Filter text box of the New Session dialog. However, you should note that a Session Filter requires more processing time, as indicated earlier. If you choose to use a Session Filter, you can remove the previously set Fast Filter configuration.

  6. In later operating system scenarios, click the Configure link to the right of the Microsoft-Windows-NDIS-PacketCapture provider in the ETW Providers list to display the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture dialog. Select the Provider tab in the dialog and then specify an IP Address filtering configuration.

    To learn more about special filtering configurations for the Windows-NDIS-PacketCapture provider, see Using the Advanced Settings - Microsoft-Windows-NDIS-PacketCapture Dialog.

  7. Click the Save Trace Scenario button to display the Edit Trace Scenario dialog and specify values for the Name, Description, and Category fields.

    Note  When you run your customized Trace Scenario, the trace results will display in the default data viewer that is specified in the Session Viewer pane on the General tab of the Options dialog, which is accessible from the global Message Analyzer Tools menu.

  8. When your Trace Scenario configuration is complete, click the Save button in the Edit Trace Scenario dialog.

Running the Custom Trace Scenario
When you save a customized Trace Scenario, it becomes a new Trace Scenario Library item in the My Items top-level category, from where you can select and run it at any time. It also becomes part of the Message Analyzer Sharing Infrastructure that enables you to mutually share the scenarios in the Trace Scenario Library with others.

Tip  After you run a custom Trace Scenario template from the New Session dialog, you have the option to reopen the session configuration by clicking the Edit Session button on the global Message Analyzer toolbar. Thereafter, you can reconfigure the Trace Scenario as required and save the new template configuration again by clicking Save Trace Scenario.


More Information
To learn more about how to use the advanced settings dialog for the Microsoft-PEF-NDIS-PacketCapture provider, see Using the Advanced Settings - Microsoft-PEF-NDIS-PacketCapture Dialog.
To learn more about creating Trace Scenario templates, see Developing and Managing Trace Scenarios.
To learn more about managing the Trace Scenarios Library as part of the Message Analyzer Sharing Infrastructure, see Managing Trace Scenarios.

© 2015 Microsoft