Announcing Message Analyzer 1.2

Introducing the next version of Message Analyzer which includes highly requested features like “Goto (Ctrl+G)” and “Find Conversation/Follow the Stream” along with the “Conversation Tree” from Network Monitor. Plus there’s a ton of smaller fixes and performance improvements.

Updates and Features

Grouping Viewer – Enables you to group and summarize messages by different fields. Selecting a group in this viewer will either select messages or filter messages in all other viewers in the same session, depending on the mode you select on the Home tab ribbon.   The default View Layout organizes network traffic by addresses and ports, allowing you to quickly drill into specific network conversations and filter the traffic for all other views in the same session.  You can quickly find associated traffic in the Grouping viewer by right-clicking messages in the Analysis Grid (aka “follow the stream”), so you can analyze related grouped messages.


Go To Message (Ctrl+G) – Allows you to go to a message by entering a message number in the Go To Message dialog.   If you have a single data source loaded, the first message in that source that matches your entry will be found.  When there is more than one data source loaded you can select a specific data source in which to search for a message, or you can search across all sources.

Fiddler .SAZ – Now you can open .SAZ files from Fiddler directly. Now correlate fiddler traffic with network traces, ETL’s and log files.

Viewpoint Improvements – Viewpoint has been separated as a separate tool, to centralize it’s functionality in one place, including the hiding of Operations. Now a View Filter before Viewpoints, so that you can drill down with a filter, change your Viewpoint, and still see all the data based on the high-level View Filter.  You can also apply a new Viewpoint Filter that is relative to the currently applied Viewpoint, which works like the previous view filter behavior.


Session improvements – Enables you to identify traces from the same session based on a common color cue.  A new filter icon (clip_image005) in viewer tab and Session Explorer tells you when a filter is applied to a view, and a tooltip lets you understand the difference between two views.


GZIP decompression – Message Analyzer can now automatically decompress HTTP payloads that have been compressed using GZIP.

Decryption Improvements – Support for TLS decrypted protocols like RDP, TDS and LDAP. Also we’ve improved some of the error messages reported by the Decryption tool window.

Parser and Text Log Updates – New protocol parsers like SRVS, RDWR, WSH, EVEN, and many more. Updates to the Netlogon parser and the addition log file parsers for Lync, SCCM (System Center Configuration Manager), ULS (SharePoint), and VMM (Virtual Machine Manager) logs.


Selection Tool Window Improvements – Enables you to improve message correlation and analysis capabilities, by using a separate space that independently monitors and displays message selection in multiple viewers and builds a selection collection for back- and forward-navigating among messages as necessary, while maintaining the context of the last selected message. You can undo any message selection that you made accidentally during analysis, without affecting the message collection. You can also select various Column Layouts that expose different message fields. In addition, you can change modes to diversify the scope of message selection, for example to track message selection in:

  • A single data viewer in a session.
  • Across multiple data viewers in the same session.
  • Across multiple data viewers in different sessions.

New Preview Features – Enable the following new preview features on the Features tab of the Options dialog, restart Message Analyzer, and then try them out:

  • Message Summary Tiles Viewer — Summarizes important data for live or saved traces, by displaying a high-level overview of major trace statistics and important values that you can examine at-a-glance to obtain a quick top-level analysis of results.
  • Azure Table Import — Provide an Azure account name, access key, and table name in the Message Analyzer UI and retrieve data stored in an Azure Table. Display your Azure data as rows of messages and add Azure table properties as column fields in the Analysis Grid data viewer for filtering and other analysis.

Try It Out

You can now upgrade from previous versions, the only caveat is that we do reset your window layout, but that shouldn’t take long to restore assuming you did any customization in the first place. We wanted to make sure users discovered some important tools, like the Message Stack, so we decided on this trade off. Please give it a spin, and use the feedback buttons (clip_image009 ) in the UI for casual feedback and simple issues and the Message Analyzer forums for more involved support and investigation.


More Information

For additional details about some of the concepts described in this article, see the following topics in the Message Analyzer Operating Guide on TechNet:

Comments (25)

  1. Paul E Long says:

    @John, what device are you using? I tried on the ones I have and it seems to be a pretty good size for me.


  2. Paul E Long says:

    @Jon, thanks for your feedback. I’d like to hear more about the ‘ease-of-use’ issues. We certainly are aware of things we want to address. We are hoping that Quick Trace is simple enough for starting a trace with 3 clicks. Is there an option you are missing
    there that makes Network Monitor better?

    Certainly process tracking is on our list, but do you have any other specific feedback about the resulting view? What kind of troubleshooting do you focus on?



  3. Anonymous says:

    I may have missed this by looking at the wrong places in the MA OG. Is there a default scenario for the W32Time synchronization request/response? I want to monitor, capture and analyze these at a dedicated Windows time server. Thanks.



  4. Paul E Long says:

    @Son, if NTP is broadcast then you should be able to capture the NTP traffic using the Local Network Interfaces scenario, or the Loopback and Unencrypted IPsec scenario. For Network Monitor and Message Analyzer use a very similar mechanism to capture traffic,
    and the only difference is that we don’t’ currently support Promiscuous mode.

    When you capture the NTP traffic with Network Monitor, do you have to turn on p-mode?

    BTW, if you require high speed filtering, the Loopback and Unencrypted IPsec scenario will let you config a fast filter on the Port (123), so you put a small a load on the capturing machine as possible.

  5. Anonymous says:

    Sweet! Thanks Paul. 8^)

  6. Paul E Long says:

    As for the 1.1 references, we are still working on those and publishing the final 1.2 operating guide. That should happen today. But the download is certainly the latest version and technet is up to date with the documentation as well.

  7. Paul E Long says:

    @Mitch, the term “message”, in Message Analyzer is generic and meant to represent a frame, or an ETW Message or other things (ETW is where we borrowed our vocabulary as we are a consumer and produce of ETW messages now). However, we do have Exchange Web
    service parsers available, and we can probably parse some basic Exchange network traffic, or if we don’t, we might be able to in the future. If you have a specific scenario, we could start a thread in the forums, and perhaps somebody from the Exchange world
    could also help out.

  8. Anonymous says:

    The Network Monitor 3.4 captured (S)NTP messages can be analyzed by MA, but I’m looking to see if it’s possible to stay within MA for the entire exercise. Is it possible to capture just (S)NTP messages with MA 1.2?



  9. Paul E Long says:

    @Graeme, this is certain part of the plan, but it’s unclear now what priority this has over other work we are doing. However, we do talk about this frequently during our planning, and hopefully we’ll be able to support WSUS soon.


  10. Paul E Long says:

    We currently use the inbox provider to capture traffic, and that doesn’t support promiscuous mode. However, we are working on enabling this currently and hope to provide it, inbox, in the future. I would love to hear your use case, as any justification
    can help us understand how this feature will be used.

  11. Anonymous says:

    Since the latest MMA tool still does not support promiscuous mode capture of the network traffic, can it be used to view and analyze the captured (.CAP) packets from Network Monitor? Thanks.



  12. Paul E Long says:

    @Son, yes we can analyze .cap, .pcap, .pcapng. and .ETL (from netsh or logman). For that matter you can also analyze Event Logs, CSV/TSV, .SAZ (fiddler) and many different kinds of text logs, all together in the same session and correlate the data between
    them 🙂

  13. colin says:

    Thanks for the update. The Download page is sending mixed messages. Parts of the text imply v1.1 and parts imply v1.2. Also the documentation file says v1.1. Was it updated as well?

  14. Geoff says:

    Great to see the Go To feature – will be using it a lot I think :).

  15. colin says:

    I am looking forward to trying out the Fiddler functionality. The web group uses Fiddler extensively.

  16. Anonymous says:

    L’annonce de la version 1.2 de Message Analyser a été faite sur le blog de l’équipe en charge de sa conception

  17. Mitch says:

    Do people really use this tool much? if so what for?…

  18. Mitch says:

    ^^^ In terms of exchange…

  19. John says:

    can you make the font a little smaller on this webpage, I can still barley see it.

  20. Anonymous says:

    With the release of Message Analyzer 1.2 , I thought it’s a good time to discuss the vocabulary. I’ve

  21. Graeme says:

    What about WSUS Updates for Message Analyzer? With the more rapid release cycles of products from Microsoft, it sure would be nice to have the Updating application support this software as well…

  22. Jon says:

    I still use Network Monitor as it offers better ease-of-use to quickly start a trace across the whole machine, and the results view is also quicker/easier to filter by process or conversation within a process.

    However I look forward to using Message Analyzer when it reaches feature parity with Netmon.

  23. Richard Samuelson says:

    Does Message Analyzer support promiscuous mode yet?

  24. MJM says:

    The main case I have for needing promiscuous mode is network forensics. This is a crucial feature! I was a huge NetMon fan and like Microsoft Message Analyzer, but will be switching to Wireshark if you can’t add promiscuous mode anytime soon.

  25. Paul E Long says:

    @MJM, we were able to work with the OS and have enabled Promiscuous mode in box for Windows 10. There is also a hotfix for Windows Server 2012 R2 (
    Now while we haven’t added something to the Message Analyzer UI yet, you can leverage this mode using PowerShell cmdlets that are built-in to the OS.

Skip to main content