by Serge Mera
Filtering is one of the most popular techniques for narrowing down data and understanding what is going wrong with your traffic. It is very useful in many troubleshooting scenarios; however, a filter’s criteria are restricted to the boundaries of a single message. Filtering cannot capture the context in which a particular event occurs, and that context can be very important in a lot of situations. For example, are you receiving an error after trying to read or write a file? Is your server’s response time slow after opening too many connections, or is the issue independent of the number of connections? These are just a few examples of circumstances in which identifying a sequence of messages could be helpful. Moreover, troubleshooting is usually about identifying a particular sequence of events.
Executing sequence expressions
Sequence expressions provide a way to describe a pattern of messages that spans across time. You select and manage them in the Sequence Match view, which you open from Session Explorer on the Message Analyzer Home tab, and you execute one by choosing it from the Sequence Expression drop-down menu in the View Options group on the Ribbon. So once you have Trace Session or Browse Session results displayed, launch the Sequence Match viewer by right-clicking an Analysis Grid label in Session Explorer:
In this view, the ribbon provides a new Sequence Expression button that enables you to manage and execute different sequence expressions:
So let’s try executing one of the sequence expressions included in the sequence library. One expression that ships with Message Analyzer by default identifies the messages that belong to a TCP 3-way handshake:
Clicking ThreeWayHandshake applies this sequence expression to the session you selected in Session Explorer. The results are displayed as a list of matches, each representing one sequence of messages that fits the 3-way handshake pattern. You can click each result to see the actual messages that met the pattern-matching criteria:
The nice part is that when you click a match, the corresponding messages are also selected in the Analysis Grid that belongs to the same session. A convenient way to see this is to lay the tabs out side by side, with the Analysis Grid on one side and the sequence-matching results on the other. You can drag the session tab for the Sequence Match viewer and dock it on one side:
This lets you traverse the list of matches on the right-hand side and see which messages are selected on the left-hand side, together with the full context in which the particular sequence occurred.
Creating sequence expressions
Sequence expressions are defined in a language that resembles standard regular expressions. This language lets you identify messages that conform to particular criteria, in the same way regular filters do, and it also provides a set of operators for composing message patterns that denote temporal constraints. In fact, the sequence expressions in the library are built with this language and are no different from the ones you can create yourself.
To quickly get started building your own sequences, you can select multiple messages in the Analysis Grid and launch the Sequence Expression Editor. The following is an example with SMB2 traffic:
The Sequence Expression Editor has a Quick tab that is initially populated with the selected messages.
This tab is meant for creating very simple expressions, and the temporal relation between messages is fixed: every specified message must follow, in time, the previously specified one (this is represented by the ‘->’ operator, which we will talk about later), and other, non-specified messages are allowed in between. You can add clauses to each message to specify extra constraints. For example, you could require the first TreeConnect to have a TreeId value equal to 1.
But let’s leave that blank for now and see how this expression looks in the Free Form tab. This tab shows the same expression that the Quick tab displays, but as plain text:
In this tab any valid expression is allowed, so you can define more complicated sequence patterns than the Quick tab permits. Observe that the ‘->’ operator connecting the messages represents the ‘loose next’ relation discussed above. Let’s modify this expression by adding another operator: say we want to allow multiple Reads after a Create, not just one. To accomplish that, we use the ‘interleave’ operator, which matches an undetermined number of occurrences and permits non-specified messages in between. If you are familiar with regular expressions, this is a sort of ‘loose’ Kleene star. The modified expression is then:
scenario SequenceExpression = SMB2.VirtualOperations.TreeConnect -> SMB2.VirtualOperations.Create -> (SMB2.VirtualOperations.Read interleave);
You can read this expression as: a TreeConnect message arrives, later a Create message should follow, and finally an undetermined number of Reads; other messages can occur in between. Now click the Save button to save the expression, and let’s see what happens when we execute it:
You can see that multiple Reads are identified, which is a consequence of applying the ‘interleave’ operator to SMB2.VirtualOperations.Read.
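To make the matching semantics concrete, here is a small Python matcher, added for this article and not part of Message Analyzer or its sequence library, that implements the two operators described above (‘->’ as loose next, ‘interleave’ as a loose Kleene star) over constructed message lists. It runs both patterns discussed on this page: the library’s ThreeWayHandshake and the SMB2 TreeConnect -> Create -> (Read interleave) expression, with the TreeId equal to 1 clause mentioned for the Quick tab. The dict field names, the stop rule for interleave (collect until the following step first matches) and the passing of earlier matched messages to each predicate so that a clause can refer back to them are assumptions of this toy, not documented behaviour of Message Analyzer’s language.

```python
"""Toy matcher for the two sequence operators described in the post ('->' as loose
next, 'interleave' as a loose Kleene star). Added illustration, not Message Analyzer
code: messages are dicts in arrival order; each Step predicate also receives the
messages matched so far (an assumption of this toy) so a clause can refer back."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Message = Dict[str, object]
Predicate = Callable[[Message, List[Message]], bool]


@dataclass
class Step:
    name: str
    pred: Predicate
    interleave: bool = False   # "(X interleave)": zero or more X, gaps allowed


@dataclass
class Match:
    start: int                                  # index of the anchoring message
    hits: List[int] = field(default_factory=list)


def match_sequence(trace: List[Message], steps: List[Step]) -> List[Match]:
    """Every match of `steps` in `trace`: each step's message must come after the
    previous step's, unrelated messages may sit in between, and an interleave step
    greedily collects matches until the following step first matches (assumed)."""
    matches: List[Match] = []
    for start, first in enumerate(trace):
        if not steps[0].pred(first, []):
            continue
        m, ctx, pos, complete = Match(start, [start]), [first], start + 1, True
        for i, step in enumerate(steps[1:], 1):
            following = steps[i + 1] if i + 1 < len(steps) else None
            if step.interleave:
                while pos < len(trace) and not (following and following.pred(trace[pos], ctx)):
                    if step.pred(trace[pos], ctx):
                        m.hits.append(pos)
                        ctx.append(trace[pos])
                    pos += 1
            else:
                while pos < len(trace) and not step.pred(trace[pos], ctx):
                    pos += 1
                if pos == len(trace):          # step never occurred: no match here
                    complete = False
                    break
                m.hits.append(pos)
                ctx.append(trace[pos])
                pos += 1
        if complete:
            matches.append(m)
    return matches


def op(name: str, **fields) -> Predicate:
    """Single-message clause: operation `name` with every given field equal."""
    return lambda msg, ctx: msg.get("op") == name and all(msg.get(k) == v for k, v in fields.items())


def tcp(flags: str, reply: bool = False) -> Predicate:
    """TCP segment with exactly `flags` on the anchoring SYN's 4-tuple (reply=True:
    reverse direction). The SYN step itself has no earlier message to compare to."""
    def pred(msg: Message, ctx: List[Message]) -> bool:
        if msg.get("op") != "TCP" or msg.get("flags") != flags:
            return False
        if not ctx:
            return True
        syn = ctx[0]
        expected = (syn["dst"], syn["src"]) if reply else (syn["src"], syn["dst"])
        return (msg["src"], msg["dst"]) == expected
    return pred


# TreeConnect -> Create -> (Read interleave), with the TreeId == 1 clause on the TreeConnect
SMB2_SEQUENCE = [Step("TreeConnect", op("TreeConnect", TreeId=1)),
                 Step("Create", op("Create")),
                 Step("Read", op("Read"), interleave=True)]
# The library's ThreeWayHandshake as this toy expresses it: SYN -> SYN/ACK -> ACK
HANDSHAKE = [Step("SYN", tcp("S")), Step("SYN/ACK", tcp("SA", reply=True)), Step("ACK", tcp("A"))]

# Constructed traces, not captured data; list order is arrival order.
SMB2_TRACE: List[Message] = [
    {"op": "TreeConnect", "TreeId": 1}, {"op": "Create", "FileId": 10},
    {"op": "Read", "FileId": 10}, {"op": "Write", "FileId": 10},   # Write: unrelated, allowed in between
    {"op": "Read", "FileId": 10}, {"op": "Read", "FileId": 10}, {"op": "Close", "FileId": 10},
    {"op": "TreeConnect", "TreeId": 2}, {"op": "Close", "FileId": 10},   # no Create follows: no match
]
TCP_TRACE: List[Message] = [
    {"op": "TCP", "flags": "S", "src": "10.0.0.5:49152", "dst": "10.0.0.9:445"},
    {"op": "TCP", "flags": "S", "src": "10.0.0.6:49153", "dst": "10.0.0.9:445"},
    {"op": "TCP", "flags": "SA", "src": "10.0.0.9:445", "dst": "10.0.0.5:49152"},
    {"op": "TCP", "flags": "A", "src": "10.0.0.5:49152", "dst": "10.0.0.9:445"},
    {"op": "TCP", "flags": "RA", "src": "10.0.0.9:445", "dst": "10.0.0.6:49153"},  # second SYN refused
]

if __name__ == "__main__":
    for label, trace, seq in (("SMB2", SMB2_TRACE, SMB2_SEQUENCE), ("handshake", TCP_TRACE, HANDSHAKE)):
        for m in match_sequence(trace, seq):
            print(f"{label}: match anchored at message {m.start}, messages {m.hits}")
```

The handshake run is where the difference from plain filtering shows. A filter on SYN segments returns both SYNs in the constructed trace, but only the first is answered by a SYN/ACK back to the same endpoint and completed by the client’s ACK, so the matcher reports a single handshake; the second SYN, answered with RST/ACK, is exactly the context a single-message filter cannot express. The SMB2 run likewise yields one match that contains every Read after the Create, with the Write skipped, while the second TreeConnect is excluded by the TreeId clause.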
There are many more operators you can use besides the ones discussed here, so we will expand on this topic later to show how to identify other interesting sequences. In the meantime, you can explore the sequences available in the library by right-clicking them and choosing Edit.
We think this is a cool feature with a lot of potential, so please try it out and send us feedback. We will definitely try to include any interesting sequences that you come up with for your troubleshooting scenarios in our next release!
To learn more about some of the concepts described in this article, see the following topics in the Message Analyzer Operating Guide on TechNet: