Message Analyzer Glossary


With the release of Message Analyzer 1.2, I thought it was a good time to discuss the vocabulary. I’ve written before about the Anatomy of Message Analyzer Analysis, whose goal was to present how the different pieces of the UI fit together. This glossary is a simple reference you can use to understand Message Analyzer terms.


Session

Contains your trace data as a collection of parsed Messages, along with any added bookmarks or comments, which you can save as an MATP file. You visualize your session data with Viewers. Message Analyzer can open multiple Sessions. There are two types of sessions which have different capabilities, a Live Trace Session and a Data Retrieval Session, as described in Starting a Message Analyzer Session.


Viewers

Visualizes your data in different ways. You can specify a viewer in which to visualize data, for example, the Analysis Grid with its typical linear view of data, or alternate visualizers such as the Charts or Sequence Match viewers.


Tool Windows

Displays contextual information when you select a message/frame/layer. A tool window such as the Message Stack, Details, or Field Data window updates based on your selection. A tool can also be contextual to a Session, for example, Session Explorer, or the new Selection and Decryption tool windows.


Messages

Describes a single protocol frame, Operation, line of a text log, or ETW message, or even the origin of a set of child Messages.

Operation

Describes a type of Message which contains a correlated set of Messages, for instance, a Request/Response pair.


Filter

Eliminates noise with expressions such as TCP.Port == 80 to focus on a network conversation, or TCP.Port != 80 to remove HTTP noise. There are also View Filters, which temporarily change the view of your data in each Viewer, and Session filters, which limit the data you acquire with Message Analyzer through either a Data Retrieval Session or a Live Trace Session.


Selection

Provides the capability to select messages globally across a Session for every Viewer. For example, a selection in the Analysis Grid viewer signals other Viewers to update their selection, which includes the in-focus Message (of which there is only one). The in-focus Message is what the Details Tool displays. Note that some viewers will not respond to selection of a message.


Viewpoint

Enables you to control the automatic reassembly of fragments and coalescing of request/response Messages as Operations, and to limit how far up the stack messages are displayed in a Viewer for analysis purposes. See the Viewpoints blog for more details.


View Layout

A View Layout remembers how the related Viewer is configured to address a specific analysis scenario. A View Layout can include user-added fields and can be saved. For instance, “TCP Deep Packet Analysis” is a View Layout for the Analysis Grid viewer.


Module

A property that you can specify when configuring a Message Analyzer Asset such as a Chart or View Filter. As a default Analysis Grid viewer column, it contains Protocol names, or in the case of Log files and ETW, the component names.


Message Type

Modules can have different Message types. For example, TCP and UDP have only one type, a Segment and Datagram, respectively. Other Modules such as SMB have many different types of messages that include Create, Open, and Read and Write types.


Field

Each Message Type has fields that represent the binary data they describe, for example, the fields TCP.SourcePort and IPv4.DestinationAddress. Field Chooser is a Tool Window that enables you to explore Fields and Properties.


Properties

Usually derived from Field data, properties do not directly map to a value in a message payload. For instance, TCP.PayloadLength is calculated based on the IP header size and length in combination with the TCP header size.
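The Field/Property distinction from the two entries above, as an added Python example (not Message Analyzer code and not from the original post): fields are read straight from header bytes, while the payload length is computed from them. The sample packet is constructed, and the dictionary keys simply reuse the names used in this glossary.

```python
import socket
import struct

def parse_ipv4_tcp(packet: bytes) -> dict:
    """Read two fields from the headers and derive one property."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, total_len = struct.unpack_from("!BxH", packet, 0)
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ip_hdr_len = (ver_ihl & 0x0F) * 4          # IHL is in 32-bit words
    if ip_hdr_len < 20 or total_len < ip_hdr_len or total_len > len(packet):
        raise ValueError("inconsistent IPv4 lengths")
    if packet[9] != 6:                          # protocol 6 = TCP
        raise ValueError("not TCP")
    if total_len < ip_hdr_len + 20:
        raise ValueError("truncated TCP header")
    (src_port,) = struct.unpack_from("!H", packet, ip_hdr_len)
    tcp_hdr_len = (packet[ip_hdr_len + 12] >> 4) * 4   # data offset, in words
    if tcp_hdr_len < 20 or ip_hdr_len + tcp_hdr_len > total_len:
        raise ValueError("inconsistent TCP data offset")
    return {
        # Fields: values present in the bytes on the wire.
        "TCP.SourcePort": src_port,
        "IPv4.DestinationAddress": socket.inet_ntoa(packet[16:20]),
        # Property: no such value exists in the packet; it is computed.
        # total_len is used rather than len(packet) so that link-layer
        # padding after the IP datagram is not counted as payload.
        "TCP.PayloadLength": total_len - ip_hdr_len - tcp_hdr_len,
    }

def build_sample(payload: bytes) -> bytes:
    """Constructed IPv4/TCP packet (documentation addresses, zero checksums)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000,
                     64, 6, 0, socket.inet_aton("192.0.2.10"),
                     socket.inet_aton("198.51.100.20"))
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 0, 0, 5 << 4, 0x18, 1024, 0, 0)
    return ip + tcp + payload

if __name__ == "__main__":
    print(parse_ipv4_tcp(build_sample(b"GET / HTTP/1.1\r\n\r\n")))
```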


Assets

Analytical instruments that you and others can mutually share by using the Message Analyzer Export feature. These tools include View Filters, Color Rules, Charts, View Layouts, Aliases, and Unions, along with others. You can also share Assets through custom feeds that you create, to which users can subscribe and keep up to date.

Sometimes just knowing the vocabulary can help you find and discover new features, and helps you understand a program. If there are other terms you’ve encountered and need defined, let me know. We can always expand the list.


Comments (2)

  1. Paul E Long says:

    We have flipped the model on its header. Rather than showing you the Ethernet, IP, and TCP frames, we show the application side. You drill down using high level indications like long Response Times and Diagnosis messages which can flag retransmits, then dive down using Viewpoints if you need to confirm the low level TCP/IP/Ethernet layer behaviors.

    These blogs might help explain in further detail. But feel free to use the Forums to get more information.

    http://blogs.technet.com/b/messageanalyzer/archive/2013/09/25/message-analyzer-why-so-different-from-network-monitor.aspx
    http://blogs.technet.com/b/messageanalyzer/archive/2013/08/14/viewpoints-osi-model-and-apstndp.aspx

  2. Steve says:

    I find that it is very difficult to relate the Messages to Frames, Segments, Datagrams, Packets etc. which are network terms. I found the older tools showing Ethernet frames and their contents was very easy to understand. The messages seem to relate to things I have no knowledge of or reference to. I can see datagrams hidden in the messages or operations but I don’t understand how this relates to network traffic directly or how the scenario relates to what gets captured. It looks like a stiff learning curve for an occasional user like myself.
