Network Capture is Dead!

Long Live Capture! In this continuing series on the differences between Message Analyzer and Network Monitor, we'll explore the trace capture experience. I reference the iconic cliché because Message Analyzer (note: not Network Analyzer) is about exploring any kind of structured message data. Capturing falls in line because we don't just capture network traffic, but any kind of ETW (Event Tracing for Windows) events. Let's explore.

Event Tracing for Windows

ETW has been around forever, well at least since Windows 2000. It is the standard event messaging system built into the OS, used by components to provide diagnostic info. So Message Analyzer is a kind of stethoscope for the Windows OS. While Message Analyzer only runs on Windows 7 and above, the plan is to be able to read any ETL log. Certainly there are other ways of capturing this data, but our focus is to provide simple capture templates that a user can modify, save and share, and to let you watch this data live as it happens.


Going back to the main point, the right side lists the ETW providers registered with Windows. Selecting a provider gives you provider-specific configuration, which varies from provider to provider. I won't go into details here but instead point you to our Network Trace Scenario help documentation, which has lots of great info. You can add as many providers as you want to a scenario, configure it how you want and save it. Once you save the scenario, it appears in your Trace Scenario templates.

NDIS, Firewall, HTTP Proxy Provider in Box

I mentioned that you can list all of the providers installed. There are ones for USB, Bluetooth and many others that are not network specific. These are present whether you install Message Analyzer or not. However, we do install three of our own providers. The Network Monitor way of capturing was through an NDIS filter driver. We've upgraded this, in a sense, to provide ETW messages for Message Analyzer. You can see this by expanding the stack, which is done by clicking on the blue or green cubes on the left-hand side of the row. This shows multiple ETW fragment messages which are assembled into our NdisProvider message. And above that comes your typical network stack. (If you don't already know, you can also explore this stack in full by clicking on the '+' icon on the left.)
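The NDIS provider delivers a captured frame as several ETW fragment events that Message Analyzer joins back into one message. The following is an added example, not Message Analyzer's or the NdisProvider's own code, of how such a reassembly behaves when fragments arrive interleaved or out of order, and of what a dropped event (see the buffer settings later in this post) looks like afterwards. The Fragment fields (message_id, index, count, payload) and the sample event stream are constructed for this example and are not the provider's real event schema.

```python
"""Reassemble a message a provider emitted as several fragment events.
Constructed schema: message_id ties fragments together, index/count give
the fragment's position and the total, payload is the raw slice."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    message_id: int   # ties fragments of one frame together
    index: int        # 0-based position within the frame
    count: int        # total fragments the frame was split into
    payload: bytes


class Reassembler:
    """Collects fragments per message id and releases a message once every
    fragment has arrived, regardless of delivery order or interleaving."""

    def __init__(self):
        self._parts = {}    # message_id -> {index: payload}
        self._counts = {}   # message_id -> expected fragment count

    def feed(self, frag):
        """Return the complete message when frag completes it, otherwise None."""
        expected = self._counts.setdefault(frag.message_id, frag.count)
        if frag.count != expected:
            raise ValueError(f"message {frag.message_id}: inconsistent fragment count")
        if not 0 <= frag.index < expected:
            raise ValueError(f"message {frag.message_id}: fragment index {frag.index} out of range")
        parts = self._parts.setdefault(frag.message_id, {})
        if frag.index in parts:
            raise ValueError(f"message {frag.message_id}: duplicate fragment {frag.index}")
        parts[frag.index] = frag.payload
        if len(parts) < expected:
            return None
        data = b"".join(parts[i] for i in range(expected))
        del self._parts[frag.message_id]
        del self._counts[frag.message_id]
        return data

    def incomplete(self):
        """Message ids still waiting for fragments, with the missing indices:
        this is what a lost (dropped) fragment event looks like at the end."""
        return {mid: sorted(set(range(self._counts[mid])) - set(parts))
                for mid, parts in self._parts.items()}


def reassemble(fragments):
    """Run a fragment stream through the reassembler; return completed
    messages in completion order plus the ids left incomplete."""
    r = Reassembler()
    done = []
    for frag in fragments:
        msg = r.feed(frag)
        if msg is not None:
            done.append((frag.message_id, msg))
    return done, r.incomplete()


def sample_fragments():
    """Constructed event stream: two frames interleaved, the second one out of
    order, and a third frame missing its last fragment (a dropped event)."""
    return [
        Fragment(1, 0, 2, b"frame-one-"),
        Fragment(2, 1, 3, b"two-b-"),
        Fragment(1, 1, 2, b"tail"),
        Fragment(2, 0, 3, b"two-a-"),
        Fragment(3, 0, 2, b"frame-three-"),
        Fragment(2, 2, 3, b"two-c"),
    ]


if __name__ == "__main__":
    completed, missing = reassemble(sample_fragments())
    for mid, data in completed:
        print(f"message {mid}: {data!r}")
    print("incomplete:", missing)
```

The point of the `incomplete()` report is that a missing fragment never produces a half-built message; the frame simply never appears, which is why dropped events are worth watching for when the ETW buffers are too small.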


The Firewall is another place you can now capture from. It provides a different inspection point into the stack: at this layer IPsec traffic is already decrypted and you have access to loopback traffic. If you have a SQL Server and client on the same machine, you can now capture that traffic!


Additionally, we updated the Firewall capture scenario to show when a message has been discarded. With this, and a provider that lists all the firewall rules, you can now understand when the firewall is involved in blocking your traffic. And of course we've wrapped this up into a new scenario template you can select.


HTTP Proxy is the third provider. It can capture HTTPS traffic from your browser, which makes for a very efficient and lean HTTP capture machine.


You'll notice that even visually, as you move up the stack, you capture less information. The closer you get to the source, the more efficient your capturing becomes. Your computer has already done the heavy lifting of 'parsing' the message to get it to the application, so why have us do it again?

Another unique thing about our providers is that we expose some advanced, non-ETW settings. For instance, each of the providers supports filtering that is done before we parse. The NDIS provider can be configured to look for a specific IP address; the Web Proxy provider can look for a specific HOST. This type of filter is much quicker because it is one quick check in the provider, rather than the parsing involved when a trace filter is used. So this allows for a high-performance way to filter out data on busy machines.


Advanced Configuration

Finally, there are some advanced configurations that relate to the ETW engine. If you find that you are dropping messages (which is not reported in Beta 2), you can change the buffer settings. The ETW documentation might help more in this regard, but at this point I just want to point out that it exists.


Mix and Match

So once you get the hang of the various providers, you can combine them. You can get all the data in one session and then use Grouping, Quick Filtering or an alternate viewer to see what you want and how it's connected. Then save your trace scenario and share it with your colleagues.

Of course you can still add a Trace Filter (previously called a Capture Filter), which throws out traffic that doesn't match. A major difference here is that the message numbering still increments for messages that are not captured. If you have a filter of UDP and there are 5 UDP messages, then 20 TCP messages, the UDP message that follows will have a message number of 26.
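Two things in this post are easier to see in code: the provider-level filter above (one fixed-offset check on the raw frame, done before any parsing) versus a trace filter (applied only after the frame has been parsed into a message), and the numbering rule just described, where every frame consumes a message number whether or not the trace filter keeps it. The block below is an added example and is not Message Analyzer's code; the frames are constructed here with minimal Ethernet II, IPv4 and TCP/UDP headers and zero checksums, the sequence of 5 UDP, 20 TCP and 1 UDP frames follows the example in the text, and the fixed offsets assume untagged Ethernet II carrying IPv4 with no IP options, which is exactly the kind of assumption a cheap provider-side check relies on.

```python
"""Provider-side (pre-parse) IP filter versus a post-parse trace filter, and
the message numbering a trace filter preserves. Frames are constructed."""
import struct
from ipaddress import IPv4Address

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
IPV4_SRC_OFFSET = ETH_LEN + 12     # source address inside the IPv4 header
IPV4_DST_OFFSET = ETH_LEN + 16     # destination address inside the IPv4 header
IPV4_PROTO_OFFSET = ETH_LEN + 9    # protocol byte inside the IPv4 header


def build_frame(proto, src, dst, sport, dport, payload=b""):
    """Construct an Ethernet II + IPv4 + TCP/UDP frame (checksums left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    if proto == PROTO_TCP:
        # ports, seq, ack, data offset 5 (20-byte header), ACK flag, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, 65535, 0, 0)
    elif proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        raise ValueError("only TCP and UDP are constructed here")
    total_len = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip + l4 + payload


def provider_accepts(frame, ip):
    """Pre-parse check in the style of a provider-level IP filter: compare four
    bytes at a fixed offset in either address slot and look at nothing else."""
    if len(frame) < ETH_LEN + 20 or frame[12:14] != struct.pack("!H", ETHERTYPE_IPV4):
        return False
    want = IPv4Address(ip).packed
    src = frame[IPV4_SRC_OFFSET:IPV4_SRC_OFFSET + 4]
    dst = frame[IPV4_DST_OFFSET:IPV4_DST_OFFSET + 4]
    return want in (src, dst)


def parse_frame(frame):
    """Full parse into a message dict: the work a trace filter needs done first."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[ETH_LEN] & 0x0F) * 4          # header length honours IP options
    proto = frame[IPV4_PROTO_OFFSET]
    src = str(IPv4Address(frame[IPV4_SRC_OFFSET:IPV4_SRC_OFFSET + 4]))
    dst = str(IPv4Address(frame[IPV4_DST_OFFSET:IPV4_DST_OFFSET + 4]))
    sport, dport = struct.unpack("!HH", frame[ETH_LEN + ihl:ETH_LEN + ihl + 4])
    name = {PROTO_TCP: "TCP", PROTO_UDP: "UDP"}.get(proto, str(proto))
    return {"proto": name, "src": src, "dst": dst, "sport": sport, "dport": dport}


def trace_filter(frames, predicate):
    """Apply a trace filter after parsing. Every frame consumes a message
    number whether or not it is kept, so gaps in the kept numbers show how
    much the filter discarded."""
    kept = []
    for number, frame in enumerate(frames, start=1):
        msg = parse_frame(frame)
        if predicate(msg):
            kept.append((number, msg))
    return kept


def sample_frames():
    """Constructed sequence from the post's example: 5 UDP, 20 TCP, then 1 more UDP."""
    frames = [build_frame(PROTO_UDP, "10.0.0.5", "10.0.0.53", 50000 + i, 53) for i in range(5)]
    frames += [build_frame(PROTO_TCP, "10.0.0.5", "10.0.0.80", 40000 + i, 80) for i in range(20)]
    frames.append(build_frame(PROTO_UDP, "10.0.0.5", "10.0.0.53", 50005, 53))
    return frames


def demo():
    """Return the message numbers the UDP trace filter keeps, and how many
    frames the cheap provider-level filter for the DNS host accepts."""
    frames = sample_frames()
    udp_only = trace_filter(frames, lambda m: m["proto"] == "UDP")
    numbers = [n for n, _ in udp_only]
    to_dns = sum(1 for f in frames if provider_accepts(f, "10.0.0.53"))
    return numbers, to_dns


if __name__ == "__main__":
    numbers, to_dns = demo()
    print("UDP message numbers:", numbers)                 # last one is 26
    print("frames passing the provider IP filter:", to_dns)
```

The provider-level check never touches the IP header length, ports or payload, which is why it is cheap; the trade-off is that it is only correct for the frame layout it assumes, while the trace filter pays for a real parse on every frame, including the 20 it then throws away.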

Starting another New Session

So, now you want to start another capture session? Today, when you enter the backstage page from a running session, we default to showing you the current session configuration. You can press the arrow next to the session info to show other sessions or start a new one.


Evolution of Capture

We want to make capturing traces easier. And with all the new streams of data ETW provides, won't it be wonderful to configure a scenario for a more novice user and then share the trace scenario with them? Also, by targeting only the data you need, you put less stress on the machine and produce a more compact trace. There's still some more interesting work to be done here, but we are off to a great start.

More Information

To learn more about some of the concepts described in this article, see the following topics in the Message Analyzer Operating Guide on TechNet:

Comments (17)

  1. Baron, whiteknight, ronvo,

    Sorry for not replying earlier. As Paul mentioned in a previous post, you'll need to join our connection to see the download.  Please check out the Directory and make sure you are part of the "Message Analyzer, Network Monitor and Protocol Test Suites" Product.  There are several different products you could join which will present different downloads.

    You should be able to see the MA download afterwards. Sorry for the inconvenience!

  2. Paul E Long says:

    Long Live Network Capture!  🙂

  3. Paul E Long says:

    Just to be clear, the statement "Network Capture is Dead" is an allusion to the Who's Long Live Rock.  It's supposed to mean a re-inventing of the term Network Capture.  So Network Capture is not going away, but rather what we know as capturing is changed by the way we include more things and more ways to capture with Message Analyzer.

    Sorry if there is confusion from the blog title.


  4. Nicolas D. says:

    Amaziiiiiiiiiiiiiiing work, so good that few people know it yet, it is like I have X-Ray vision while everybody is in the fog.

    Thanks to all the team, this is a life changer.

  5. Vamshi says:

    Amazing. I am going to install it today and try it out with different event providers. This is going to change everything related to tracing in windows.

  6. Paul F. says:

    Very good post! Wasn't aware of such functionalities.

    This week it's the second time I discover network capture tools for newbies, after Debookee, a network capture for iPhone and mobiles. It's really good news for non-techie people who will be able to look at the network side without fear of jumping into bits and bytes.

  7. Greg Gille says:

    Check out the Message Analyzer Usage Scenario documentation in the TechNet Library for lots of supportive information in using this awesome tool !!…/jj649776.aspx

  8. Baron says:

    Hey Paul, looks great!

    However, when I go to download at …/Downloads, all I see are test suites and Netmon parsers. Did you remove the MA download?

  9. whiteknight says:

    Concur with the last comment – no MA download visible anywhere?

  10. ronvo says:

    any update on the download issue? is anyone monitoring this board?

  11. Uchujin says:

    Any updates to NMApi in the future? It seems this tool uses the same library as Network Monitor.

  12. james says:

    Looks awesome, but I would hesitate in saying that “Network Capture is Dead”, when indeed it is one of the most powerful methods of troubleshooting. Now I will say that Network Monitor was a very weak tool compared to something like Wireshark, and adding the features you have to Message Analyzer certainly will help troubleshoot on a specific system. But sometimes you may still need a Network Capture, actually taken on the network, to point you in the right direction.  

  13. Daniele Grandini says:

    Hi Paul, I'm currently troubleshooting some network issues on a hyper-v cluster and teaming. Is there any documentation at which level the NDIS capture filter sets in? I need to capture the traffic at the physical NIC level and be sure what I see is what the NIC sees without any chance some other NDIS driver or the vSwitch sets in to drop or change packets.



  14. Anonymous says:

    When learning a new program, it’s often helpful to have a high level view of the various pieces and parts

  15. Anonymous says:

    While tracing with a UI is simple, it has limitations today. When it comes to tracing a sticky problem

  16. Anonymous says:

    We are excited to announce the official release of Message Analyzer to the Microsoft Download Center

  17. show box says:

    Thanks for the great info. I really loved this. I would like to apprentice at the same time as you amend your web site, how could I subscribe for a blog site?
