Meet the successor to Microsoft Network Monitor!

It’s a very exciting week for me and my team!  This week I’m attending the SNIA SDC 2012 conference in Santa Clara, CA and this is where we will announce Message Analyzer.  There are so many new features and aspects to discuss, but for now I’ll leave you with the official announcement:

Microsoft Message Analyzer has been released to the public, available here: (you’ll have to join the Message Analyzer and Network Monitor program to see the downloads and access other parts of our site.)

As you might guess from the name, Message Analyzer is much more than a network sniffer or packet tracing tool. Key capabilities include:

  • Integrated "live" event and message capture at various system levels and endpoints
  • Parsing and validation of protocol messages and sequences
  • Automatic parsing of event messages described by ETW manifests
  • Summarized grid display – top level is “operations” (requests matched with responses)
  • User controlled "on the fly" grouping by message attributes
  • Ability to browse for logs of different types (.cap, .etl, .txt) and import them together
  • Automatic re-assembly and ability to render payloads
  • Ability to import text logs, parsing them into key element/value pairs
  • Support for “Trace Scenarios” (one or more message providers, filters, and views)

We are providing this beta release to give you an opportunity to let us know what you like and don’t like and where we need to focus our energy as we drive towards a mid-2013 RTM date.

Please install, take it for a spin, and send us your thoughts! There are “Report Issue” and “Community” buttons built into the ribbon, and we have a new blog here:

(To capture at the NDIS and Firewall layers without running as admin, you must log off and back on after installation to pick up the necessary credentials. Please do this!)

Have a ball!

[update: adding a picture]


Comments (51)

  1. Paul E Long says:

    You need to make sure you are part of the Message Analyzer and Network Monitor program.  Go to the Directory link at the top and look for that program and select Join.

  2. Anonymous says:

    Couple of more answers:

    @kenw – You can use the grouping function to pivot data however you'd like to see it.  This can help analyze traffic in different ways like you are suggesting.  You can tie this functionality in with the summary views to get a more high-level view of it, though it's not that straight-forward to set up at the moment.  We just have it there as a demo for a particular scenario, look forward to more info on this in the future.

    @paul – I haven't seen NetworkMiner before, but looks to aggregate a lot of data instead of looking at specific scenarios for troubleshooting, we also summarize a lot of the general operations on the network.  They're really two different tools suited for two different purposes.  Ours just happens to have some ability of the other, but that's not its sole purpose, please download and try out our tool and provide more thoughts.  We'd love to hear them.


  3. Mike Kline says:

    I noticed in the screenshot it is called "message analyzer".  Will network monitor be in the final name of the tool?  I wonder if people will think message analyzer is an exchange tool.

    Looking forward to taking it for a text run.

  4. Mike Kline says:

    I meant test* run 🙂

  5. asliwxM says:

    any chance there is a view of  SAN iscsi messages like from 'bustrace' … I see SMB which is great ….

    Also is there the other half of NAS – NFS ?

    I know things are changing towards NAS(File) …. but exchange, sqlserver and other rely heavily on ISCSI ..which piggybacks on TCP/IP …. which has been the sweet spot for network monitoring tool….

    Also any thoughts or insights into integrating views Application Centric views and then deep dive via  Xperf in order to not only improve performance and or scalability via bottleneck identification then bottleneck optimization and validation across tiers (or vms) ….

    You guys have done an outstanding job !!!!    If you could provide an example ..maybe using nttccp or something even simpler …. would go a long way for us trying to prove that windows observability tools meet the enterprisabilities of those os that ends with X.

  6. Paul E Long says:

    A-Concerned, I know Vista support is a concern.  However, the hope is that you'll be doing most of your analysis on a modern UI, which requires a modern OS.  For capturing on Vista, Oneclick or Network Monitor could still be used to capture the traffic.  Even Netsh and many pcap versions are supported directly.  But it was a concession to get an improved UI experience.

    As for your question about filtering syntax, is what you typed equivalent to *Source== && *Destination == "JOHN COMPUTER"?  Or do you know the current equivalent?

    In terms of seeing passwords, we don't do any kind of fuzzing of data for our providers.  Components can individually hide what they want to hide or add extra security protection if warranted.  The protection is that we only add the installer to the necessary security groups (Message Capture Users and Performance Logging Users Group).  If you think this security model causes issues, please let us know.



  7. Anonymous says:

    Message Analyzer is the final name.  The tool is no longer focused only on network traffic.  We can read messages of many types, including ETW and text logs.  So we chose the name because it more broadly covers the type of analysis we can do.  Granted, messages might be confused with Exchange, but I suppose we might be able to load those at some point too 🙂



  8. @Thorkell – We have a good amount of documentation on TechNet in the form of scenarios where we introduce different features as we walk you through various Message Analyzer usage contexts. The documentation is available at…/jj649776.aspx or in the Message Analyzer tool, select File > Start Page, and then select the Guidance tab.

    Hope this helps!

  9. Daniel Barroso says:

    Wow Great! Thx Guys great net tool ever.

  10. Paul E Long says:

    @MSA, can’t you just right click in the lower left hand corner and run Computer Management from there? Do you see that option? If not, I’ll have to do some more research, but I thought user management would not be limited to more advanced versions of Windows.

  11. Paul E Long says:

    You can safely remove the user from the group. Its purpose is to allow a user to get a capture without having to have Administrative privileges. But running as Admin is a simple way you can get around this, if they are not in the Group.

    Our forums are a better place for this type of question. If you continue to have issues, please post there. The link is on the right side of the blog. (



  12. Paul E Long says:

    @MSA, if you run lusrmgr.msc, does that work on your machine (look at for an example).

    If not, perhaps we can use command line version described on this page ( You can type
    "net localgroup "Message Capture Users"" to see if your user comes up. If that works, then I think you can do something like this to remove the user. I’m pretty sure you’ll have to log out and back in for this to take effect.

    net localgroup "Message Capture Users" /delete UserName

    And Yes, Network Monitor will have the same issue as we also create a group, though a different one.

    Let me know if that helps,


  13. Jonathan says:

    Maybe I'm not seeing it… but I don't seem to have access to download the Message Analyzer beta. I only see 3.4 parsers and the test suites…

  14. good old xp says:

    "We are providing this beta release to give you an opportunity to let us know what you like and don’t like and where we need to focus our energy as we drive towards a mid-2013 RTM date.

    Please install, take it for a spin, and send us your thoughts! There are “Report Issue” and “Community” buttons built into the ribbon"


    I wish Microsoft cared about what *I* do and don't like about their file and shell manager as much as they do with message analyzer.

  15. rupello says:

    Is anyone else getting 'too many redirects' errors after clicking to join the program on the connect page?

  16. A-Concerned says:

    don't work with VISTA at all!  by design!

    can I please have a user file for OUI identities (hardware modem definitions), and a user map for KNOWN NEIGHBOURS, IP to Network-names…

    for example  to JOHN COMPUTER , or to LIGHTBULB (connect -name) SSID in our language.  making it more vernacular makes it less geeky!

    I also assume that PASSWORDS are "not-shown" in any form at all.

  17. Keith says:

    Will NetMon 3.x parsers be compatible with MessageAnalyzer?

  18. Jason says:

    So Microsoft is including Wireshark in its distro now?

  19. Brian says:

    Thanks, Paul!

    Is this going to be chargeable when it gets out of Beta?

  20. I'll answer a couple of questions:

    * Parsers aren't compatible. But, we have a number of ways to bootstrap from various artifacts such as IDL and Microsoft Technical Document sources, and extensible input model. OPN is much more descriptive or higher "fidelity" than NPL. We are looking at a basic NPL bootstrapper but haven't made a determination on the value prop for that.

    * We don't currently plan to charge for Message Analyzer, but components of it could certainly make their way into other things. Our mission is to improve the interoperability and diagnostic experience of our customers and partners.

    – Dave

  21. Reporting on bandwidth by URL? says:

    Is MessageAnalyzer going to be able to report on bandwidth utilization by URL, as opposed to by IP address?

    Many packet sniffers can provide statistical bandwidth utilization by IP address (e.g. Top Talkers, etc.), but these days HTML redirection winds up pointing a lot of traffic to IPs for service sites like Akamai, completely hiding what is actually happening, or what service is being provided.

    Will MessageAnalyzer be able to track that traffic by URL, so that we can get an idea what is happening to bandwidth at higher protocol layers?


  22. paul says:…/networkminer

    Haven't accessed the program here yet but by the look of it, NetworkMiner does a lot of this and more for forensics purposes. The fact that it does other formats as well as packet captures is interesting, but may ultimately be moot if it's only ever used for its primary value function.

    Do one thing and do it well, I say.

  23. Matt says:

    Has anybody tried this end to end network monitor software –

  24. Network Monitoring Tool says:

    Thank you for providing the information of Microsoft network monitoring tool.

  25. Nick Lowe says:

    Any support for MACsec (802.1ae) and EAPOL 3 (802.1X-2010)?

  26. Thorkell says:


    Just started to use this new tool.

    I am a fan of documentation and manuals and would like to ask if there is any documentation on how to use this new tool.

  27. Keith Hill says:

    Isn't it about time for a new drop?  🙂

  28. Antony Lee says:

    Don't harass others with things like registering and asking for email. Why do you need people to join your group? If you wish to prove how successful the project is, to show off or whatever, just counting the downloads is good enough; if you need to charge for it, mark a price on it. Requiring people to register and bombing them with newsletters isn't a good idea; just leaving a place to let people join the mailing list willingly rather than forcing them to do so will be much better.

  29. Quraishi Miyaan says:

    Brian :- No, it's completely free and you can download it from this blog that I have created today

  42. MSA says:

    After installing Message Analyzer, my regular non-admin user has lost access to the D: drive (local HDD non-system partition)

    It seems that installing Message Analyzer has created a group "Message Capture Users" and that my regular user is part of that group. The drive security settings for D: have a permission entry that denies all access to the drive for that group, thus denying access for my user. Even granting explicit full control access to that user does not fix the issue!

    This is for Windows 8.1 64bit (NOT the pro version).

    How can I fix the problem? How can I remove this user from the group or otherwise make sure that the user gets access to the drive back? What would the implications be of removing the "Deny" entry for the "Message Capture Users" group? I assume there is a good reason for that setting?!?!

    Is there a better place for this question (forums, etc)??? Please let me know where…

  43. MSA says:

    Paul, how do I remove the user from that group in this "cheaper" non-pro version of Windows 8.1? I don’t have gpedit.msc or secpol.msc, and there is no such option in the user maintenance. All I can do is select for a user to be an Admin user or a Normal user, but no explicit group assignments…
    Thank you…

  44. MSA says:

    @Paul: I Googled and found screenshot with the "Local Users and groups" entry in "Computer Management"/"System Groups". I have most entries in "System Tools", but not "Local Users and groups". Must be the basic version…

    What now??? Seems like MS is messing up people with leaving that part out of the system. As this issue shows, this is a necessary core functionality to make sure the system runs properly, not something that should be considered optional.

    For now I uninstalled MessageAnalyzer in order to be able to use my computer again. Will I run into the same issue with the older NetworkMonitor as well?

  45. MSA says:

    lusrmgr.msc does come up, but only to show a message saying that it may not be used with this edition of windows.

    Will try the rest later.

    MS should really consider this problem – it’s like selling someone an inexpensive small car and saying "you are not allowed to ever use a car jack with it". Good luck changing your tires…

  46. 3vi1 says:

    You had me until I saw the ribbon.
