Snooper is a
multipurpose debugging tool for Microsoft Lync Server 2010 communications
software. Snooper parses server and client trace log files and makes protocol (for
example, SIP and HTTP) messages and traces easier to read. It can also read call
details and stored procedure execution reports for errors. In addition, Snooper
can display reports about users, conferences, and conferencing servers (also
known as multipoint control units or MCUs). You can download this tool and
other Microsoft Lync Server 2010 Resource Kit tools from the Download Center.
Authors: Sankaran Narayanan, Dhigha Sekaran, Namendra Kumar
Publication date: January 2011
Product version: Microsoft Lync Server 2010
developed to make the task of finding and analyzing debugging information for
Lync Server 2010 easier. It can be used for the following tasks:
You can download this tool and other Microsoft Lync Server
2010 Resource Kit tools from the Download Center.
The following sections give an overview of each feature.
Snooper can be used to view traces in server and client UCCP log files. Figure
1 shows the output after the file is opened.
Figure 1. Trace viewer
Trace viewer can do the following:
Figure 2. Log filter options
Figure 3. Warning and error example
Figure 4. Marked row
Figure 5. Clearing filters
Other Notes About Trace Viewer
You can change the maximum number of traces shown at one
time by clicking Options and then
clicking Advanced. Most of the
options in this dialog box shown in Figure 6 make sense only for protocol
Figure 6. Global Options
If the number of traces in the log file is greater than the
maximum configured number (the limit is 2^31 -1), click Parse Forward on the toolbar. This opens the Options menu and you can see an indication on the status bar that
more traces are present. You can use Parse
Forward and Parse Backward to
navigate through all the traces.
In case of a local client UCCP log file, Snooper watches for
changes in the file. If the file changes, Parse
Forward is enabled, and you can view the recent additions without having to
reopening the file.
earlier, Snooper can parse the protocol messages from the server and client log
files and then display them in a fashion that is easy to follow.
Viewer is integrated with Trace Viewer. Trace Viewer (Traces tab) shows all the traces, while message viewer (Messages tab) shows only protocol
By default, the protocol viewer is organized horizontally,
with the message preview list on the left and the message display pane on the
right as shown in Figure 7. You can use the Toggle View option to switch to a vertical layout with the list on
The following sections describe the features in the Message
Viewer part of the tool.
Figure 7. Protocol Message viewer
The message preview list (left pane) shows a status icon and
the timestamp, direction (in/out), to and from users, and the start line of the
message. Usually, each message is a protocol message sent. For some log types,
internal diagnostic information is also shown as a message but it does not
represent a protocol message.
You can sort messages by clicking the column headers in the
message preview list. Clicking a row displays the message in the display pane.
Right-click a row to display a context menu, where you can select the following
The color of a message's row in the message preview list can
be used to quickly get information about the message. The following color
scheme is used:
The following symbols are used to indicate information:
The display pane (right pane on the message viewer) shows
the currently selected message from the preview list. The entire text of the
message is shown and is formatted to distinguish headers and body portions of
the message. The colors used for formatting can be changed as shown in Figure 8.
Figure 8. Global options
When text is selected in the display pane, you can copy that
text to the clipboard, search for other messages with the text, or add the
selected text to the current search.
Search Box and Toolbar
Above the message preview list and the display pane is a
search box and toolbar. The toolbar offers easy access to commands from the
You can enter search terms, separated by spaces, and the
message preview list will show only messages that containing all of the search
terms. By default, the entire text of the messages is searched. You can also target
your searches by using search commands. For example, you can search only the
TO or FROM fields or only at the message start line. For more details, see the
Search Reference section later in this document.
If text is enclosed
in quotes (" or "), the search treats it as one term, Search commands are not
processed inside quotes. If you want to search for a term that contains quotes,
surround it with back quotes.
Search commands are specified in the form
"command:value" (the command name, followed by a colon, followed by a
value string). These search commands are used to narrow the scope of the search
to particular fields or properties of the message. The value may be a quoted
string or just a simple word. The complete syntax for search commands is provided
below. As an example, the search string, "direction:out
to:email@example.com 'some text'", searches all outgoing messages
addressed to firstname.lastname@example.org containing the phrase, "some text".
The following commands are valid only for the search box
when the Messages tab is active (and
not for the search box that is shown with the Traces tab). Text search is supported only when the Traces tabs is active.
From the Reports menu, you can access three types of
database reports. For each report type, you will need to specify the pool
backend database instance to query as well as parameters appropriate to the
report type. The types of supported reports are:
Each Type of report will be examined now.
Error Analysis Report This
report lets you connect to a Monitoring Server backend to review automatic
problem reports generated by client programs. You will need to specify the Monitoring
Server database instance and database name to load the problem reports. You can
review reports by user or problem type and specify a date range. Each problem
report appears as a message.
Conferencing and presence reports The
second type of database report is the conferencing and presence reports. This
is a set of several different report types that load as text.
For Standard Edition servers, the backend database might not be reachable
remotely. In such cases, run Snooper locally on the Standard Edition server.
Execution Error Report The third type of report is the
stored procedure error analysis report. This report lists stored procedure
execution errors over the specified period of time and facilitates drilling
down into each error type and viewing the error occurrence pattern in a bar
chart as shown in Figure 9.
Figure 9. Stored procedure report
Snooper can be used to view traces in server and client UCCP
The purpose of this tool is to enable easy analysis of trace
files and provide an easy interface for showing error reports, and conferencing
and presence reports.
This tool requires .NET framework (version 3.5 SP1) to be
In this document, we went over the various features of
Snooper, and saw how it can assist in debugging Lync Server-related issues. The
most important functionality of Snooper is its trace and protocol message
viewing capability, but its database report feature can also come in very
Keywords: Snooper, trace, log, analysis
Thanks a ton for a nice article.
Good work.Ill book mark this page for future reference,Thanks for sharing.