The single most versatile feature in Message Analyzer is “Grouping”. It’s basically a replacement for the conversation tree where the conversation tree is just one kind of grouping. Slicing of data has never been better. It’s like your Ginsu knife deal just got better.
Grouping by Module
A great first example is grouping by Module. Just right click the module column in summary grid and select Group.
Each group is displayed in the analysis grid with a count of the matching messages in parentheses. If you have multiple levels of groups, the number indicates the number of subgroups. At the top, you’ll notice that a grouping box has been added for Module. You can remove it with the red X, or move it to change the order of grouping. This view has conveniently collated the traffic.
And since we reassemble and associate request/response pairs as operations, the list is concise and complete. The TCP group will contain all the TCP-specific handshake traffic and unidentified traffic, but none of the SMB2-related fragments. Keep in mind that the Module is determined by the top level of the message. This is a general rule for columns: every message has a tree of layers underneath it with many different values, and the column shows the top-level one. So even though TCP appears in the tree of an SMB2 message, the top level takes precedence and SMB2 is displayed.
Where’s the Conversation View?
This question has two answers, because it’s really two questions. One could be, where’s that tree control on the left side? The other more precise question is, how can you dice data like the Network Monitor 3.x conversation tree?
As for the control, we are working on it. The new embedded tree has some advantages, like it takes up less space. But when you want to see related traffic and drive traffic from the tree the separate control is better. For now the control is still on the design table.
For the second part of the question, providing a grouping that represents the conversation view is easy, though with some differences. We can map the Process ID/Network/Transport type view by using the ProcessId field of ETW and some properties we’ve created to expose the Network and Transport conversations as strings. The process ID is buried down in the ETW layer, where all messages from our new providers start. By right clicking and selecting ProcessId, you can quickly add it as a grouping.
For the Network and Transport properties, you have to go to the Column Chooser. In fact you need to add them as columns first, and then right click and add them as groupings. In the future I’m sure we can remove some steps.
Here’s the Network property which exists at multiple modules:
And here is the Transport property, again in multiple modules:
One difference between the Network/Transport properties and Network Monitor conversations is that the properties don’t define the hierarchy; they only provide a string that describes the address and port pairing. There is also no conversation ID anymore. And if there is tunneled traffic, the last property wins again, just as with Module, so only the top layer is exposed.
Then you can start expanding Processes and Network parents to see the structure.
Another huge benefit of the tree being in the grid is that filtering now affects the tree. How many times have you wanted the tree to be filtered? No longer do you need a sharp eye to pick out a specific IPv4 address and its related TCP connections. Now the grouping tree is built from the current filter, so you can apply a filter such as IPv4.Address==192.168.1.13 and see only the parts of the tree that involve that single client address.
Changing Group Order
As I mentioned previously you can move groupings around. Select and drag a grouping box to another location and re-pivot your data.
Transport is at the end:
Transport moved to the middle:
Group by Anything
And now, this is where you should go out and play with grouping. Group by Diagnosis and see how many messages are affected by a diagnosis and what kinds there are. Group by destination or source and see who is getting the largest cut of the messages. Group by HTTP.ContentType and see the types of objects being requested by your browser. And group by *FileName (SMB2.FileName and SMB.FileName) to see which traffic is associated with which file for SMB traffic. And of course you can save your groups by using Manage Columns, “save column layout as…”, which includes your groupings. Let grouping become a normal part of your analysis and embrace the power of this new feature.
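To make the grouping rules above concrete, here is an added illustration in Python that models them outside the tool: the Module column comes from the top layer of each message’s tree, a group’s number in parentheses is its message count at the innermost level and its subgroup count above that, dragging a grouping box is just reordering the key list, and the tree is built from whatever passes the current filter. This is not Message Analyzer code; the messages, the Stack/Source/Destination field names and the Network/Transport strings are constructed for the example and only approximate the tool’s columns.

```python
"""Toy model of Message Analyzer-style grouping (added illustration, not the
tool's code). Messages and field names below are constructed."""
from typing import Any, Callable

# Constructed sample messages. Stack lists parsed layers bottom-up, so the
# last entry is the top-level module that the Module column shows.
MESSAGES = [
    {"Stack": ["ETW", "IPv4", "TCP", "SMB2"], "ProcessId": 4,
     "Source": "192.168.1.13", "Destination": "192.168.1.20",
     "Network": "192.168.1.13 - 192.168.1.20", "Transport": "TCP 49152 - 445"},
    {"Stack": ["ETW", "IPv4", "TCP", "SMB2"], "ProcessId": 4,
     "Source": "192.168.1.20", "Destination": "192.168.1.13",
     "Network": "192.168.1.13 - 192.168.1.20", "Transport": "TCP 49152 - 445"},
    {"Stack": ["ETW", "IPv4", "TCP"], "ProcessId": 4,  # bare TCP handshake
     "Source": "192.168.1.13", "Destination": "192.168.1.20",
     "Network": "192.168.1.13 - 192.168.1.20", "Transport": "TCP 49152 - 445"},
    {"Stack": ["ETW", "IPv4", "TCP", "HTTP"], "ProcessId": 1234,
     "Source": "192.168.1.13", "Destination": "203.0.113.5",
     "Network": "192.168.1.13 - 203.0.113.5", "Transport": "TCP 49153 - 80"},
    {"Stack": ["ETW", "IPv4", "TCP", "HTTP"], "ProcessId": 1234,
     "Source": "192.168.1.13", "Destination": "203.0.113.5",
     "Network": "192.168.1.13 - 203.0.113.5", "Transport": "TCP 49154 - 80"},
    {"Stack": ["ETW", "IPv4", "UDP", "DNS"], "ProcessId": 1020,
     "Source": "192.168.1.30", "Destination": "192.168.1.1",
     "Network": "192.168.1.30 - 192.168.1.1", "Transport": "UDP 51000 - 53"},
    {"Stack": ["ETW", "IPv4", "TCP"], "ProcessId": 1020,
     "Source": "192.168.1.30", "Destination": "203.0.113.9",
     "Network": "192.168.1.30 - 203.0.113.9", "Transport": "TCP 50000 - 443"},
]


def value_of(msg: dict, key: str) -> Any:
    """Resolve a grouping column. Module is the top of the stack, so a message
    that contains TCP but tops out at SMB2 is grouped under SMB2, not TCP."""
    if key == "Module":
        return msg["Stack"][-1]
    return msg.get(key)


def group(messages: list, keys: list) -> Any:
    """Nested grouping: {value: subtree} for each key, in the order given;
    the innermost level is the list of matching messages."""
    if not keys:
        return list(messages)
    buckets: dict = {}
    for m in messages:
        buckets.setdefault(value_of(m, keys[0]), []).append(m)
    return {v: group(ms, keys[1:]) for v, ms in buckets.items()}


def label(node: Any) -> int:
    """The number shown in parentheses: message count for an innermost group,
    number of subgroups when further grouping levels follow."""
    return len(node)


def render(tree: dict, indent: int = 0) -> list:
    """Flatten a group tree into indented 'value (n)' lines for display."""
    lines = []
    for value, node in tree.items():
        lines.append(f"{'  ' * indent}{value} ({label(node)})")
        if isinstance(node, dict):
            lines.extend(render(node, indent + 1))
    return lines


def address_filter(addr: str) -> Callable[[dict], bool]:
    """Model of an IPv4.Address==addr filter: matches either endpoint."""
    return lambda m: addr in (m["Source"], m["Destination"])


def grouped_view(messages: list, keys: list, predicate=None) -> dict:
    """Filter first, then group: the tree only ever shows filtered messages."""
    if predicate is not None:
        messages = [m for m in messages if predicate(m)]
    return group(messages, keys)


if __name__ == "__main__":
    print("Group by Module:")
    print("\n".join(render(grouped_view(MESSAGES, ["Module"]))))
    print("\nProcessId > Network > Transport:")
    print("\n".join(render(grouped_view(MESSAGES, ["ProcessId", "Network", "Transport"]))))
    print("\nRe-pivoted with Transport moved to the middle:")
    print("\n".join(render(grouped_view(MESSAGES, ["ProcessId", "Transport", "Network"]))))
    print("\nSame tree, filtered to IPv4.Address==192.168.1.13:")
    print("\n".join(render(grouped_view(
        MESSAGES, ["ProcessId", "Network", "Transport"], address_filter("192.168.1.13")))))
```

Running it shows the bare handshake message landing in the TCP group while the SMB2 messages do not, the ProcessId group for PID 4 labelled (1) because it holds a single Network subgroup, and PID 1020 dropping out of the tree entirely once the address filter is applied.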
To learn more about some of the concepts described in this article, see the following topics in the Message Analyzer Operating Guide on TechNet: