When learning a new program, it’s often helpful to have a high level view of the various pieces and parts. With Message Analyzer, if you know the names of its parts and pieces and how they work together, you can get a feeling of mastery. In the sections that follow, we will attempt to dissect the different pieces and capabilities of Message Analyzer, mostly as they relate to analysis.

Sessions

Sessions are a collection of all the data you want to analyze. This could be a single trace, if you used Quick Open, Drag and Drop, or if you double-clicked a trace file. This could consist of multiple traces, for example, network traces in .cap and .pcap format, Event Logs such as EVTX and ETL, and text files including .CSV or .LOG files and support text logs). After you start a new session it is displayed in Session Explorer, as indicated in the following figure:

clip_image001

The name of the session will match the input file you opened or the new trace scenario you started, but the name can be modified. The indented items below the session nodes are different views, for example the Analysis Grid and Sequence Match views. A view is a particular projection of all the data that is part of a session. The numbers next to each session node indicate how many messages are in the session. If the session references a single trace, this maps to the number of frames. If it’s an ETL file, then it shows the number of ETW messages, because that is the smallest unit for ETL. The number next to each view indicates how many top level messages you are looking at. Remember that we coalesce messages so that fragments are hidden which means this number will usually be less than the session total. However, you can use Viewpoints to view a slice of data based on the perspective of protocol or module-based layers. For example, you could apply a TCP Viewpoint to focus on the TCP fragments. In this case the view count will match the session count, assuming the fragmentation is exclusively TCP. By the way, the filtered message count next to each view is reflected in the status bar for the selected view.

All commands associated with a session are contained on the Home ribbon. You can open the configuration for any session from the Session group on this tab. In the Session group, you can also click the New Viewer button to display data in a new view or shift the timestamps of trace sources for a session by using the Shift Time feature.

clip_image002.

When you click Configuration for live sessions, you return to the Trace Session configuration interface (Capture / Trace in the backstage area), however for static sessions, you return to the Browse Session configuration interface In the case where you’ve opened only one trace file, you will see only one file in your browse session. Note that you can add other traces and data sources and improve performance by filtering and limiting the data that you import.

Viewers

As previously mentioned, each session node can contain one or more views. As an already opened viewer comes into focus, the Home tab Ribbon changes context and shows what parts are valid and in some cases show new commands that are specific to the in-focus viewer.

You can create a new data view by selecting a viewer from the New Viewer drop down or by using the Session Explorer context menu. For example, the Analysis Grid and Protocol Dashboard are two examples of viewers that we offer. You can even have multiple instances, or views, of the same viewer type for a given session. For example, you can launch two separate instances of the Analysis Grid for a session, where each one might contain a different View Filter.

View Filters and Viewpoints work on virtually any viewer. These types of analysis commands are core for deciding how and what to analyze. We try to locate all the commands that are most likely to be global towards the left side of the Ribbon on the Home tab. But there are always exceptions to this approach based on viewer type.

clip_image004

The Analysis Grid is the type of viewer that you’ve likely come to expect with most protocol analyzers. It shows the nitty-gritty detail for every “row” of data. It provides features such as Grouping, sorting, Color Rules, and View Filters to help organize and minimize the data you want to look at. You can spawn multiple Analysis Grids to get different views of the same data.

The Sequence Match viewer enables you to execute predefined sequence expressions or write your own sequence expressions. A sequence expression enables you to locate defined patterns among messages in a data set, whereas a View Filter enables you to search for individual messages that match specific filtering criteria. As a result, you currently cannot apply a View Filter to your data in the Sequence Match viewer. However, you can apply Viewpoints in this viewer to influence what data a sequence expression will visit. In this context, Viewpoints can be useful in changing the sequence matches that are returned, and in some cases are required for certain types of sequences.

Lastly we have the default Chart viewers, however you can customize Chart configurations which show up in the New Viewer drop-down menu. By default, we ship with two Chart viewers; the Protocol Dashboard and SMB Reads and Writes charts, but you can modify these or create new Charts from scratch and add them to your list of viewers. As we create more Charts, you can receive dynamic updates through the auto-sync and download service on the Start Page. Also, some Charts have an associated View Filter, although you can modify the working instance. Just keep in mind that the modifying a filter can affect how the Chart works. If you must change the View Filter, appending the existing filter expression with an “AND” is the best way to further limit the Chart data.

Tools

Tools are special windows that change based on the viewer and/or selection in focus. So you only have one instance of any Tool Window open at a time. Tool Windows can view data based on message selection or even field selection. But Tool Windows are not tied to any one session and will change based on global session selection. Once you select a new session’s viewer, the Tool Window data updates based on that session’s current selection.

clip_image005

You can select the available tools from the Tool Windows on the Ribbon of the Home tab, as shown above. By default, these windows will open in the same location, but you can reposition them as necessary. Some Tool Windows analyze or interact with a session such as the Diagnostics, Comments, and Bookmarks Tool Windows. Some Tool Windows analyze the selected message, for example, the Details, Message Data or Call Stack windows. There are also Tool Windows that analyze the current message based on the last selected data field or remembered data field, for example, the Message Data and Field Data windows. The Message Data Tool Window is also interactive based on the selected field of the current message. However, the Field Data Tool Window, which tries to display the data based on its context, only interacts on the last selected or last remembered field.

Selection

Selection of a message is maintained per session across all views. It allows you to correlate data from different views, for example, in a bar of a bar chart, or a selected sequence. When a selection is made in one viewer, the selection is global and all views will try to reflect that selection if possible. In fact, you can redock the Tool Windows by laying out windows side by side. This is a way to leverage this synchronized selection feature. Also, in many cases, Message Analyzer remembers data field selection in the Details window as other messages of the same type are selected.

Master Message Analyzer

Key to mastering Message Analyzer is to understand its capabilities and how its constituent pieces and functionality map to the user interface. The associated vocabulary and anatomy are key pieces to this puzzle that we’ll continue to reference in our documentation and other blogs.

More Information

To learn more about some of the concepts described in this article, see the following topics in the Message Analyzer Operating Guide on TechNet: