Message Analyzer Glossary

With the release of Message Analyzer 1.2, I thought it was a good time to discuss the vocabulary. I’ve written before about the Anatomy of Message Analyzer Analysis. Its goal was to present how the different pieces of the UI fit together. This glossary is a simple reference you can use to understand Message Analyzer terms.



Session

Contains your trace data as a collection of parsed Messages, along with any added bookmarks or comments, which you can save as an MATP file. You visualize your session data with Viewers. Message Analyzer can open multiple Sessions. There are two types of Sessions with different capabilities, a Live Trace Session and a Data Retrieval Session, as described in Starting a Message Analyzer Session.



Viewers

Visualizes your data in different ways. You can specify a viewer in which to visualize data, for example, the Analysis Grid with its typical linear view of data, or alternate visualizers such as the Charts or Sequence Match viewers.


Tool Windows

Displays contextual information when you select a message/frame/layer. A tool window such as the Message Stack, Details, or Field Data window updates based on your selection. A tool can also be contextual to a Session, for example, Session Explorer, or the new Selection and Decryption tool windows.



Message

Describes a single protocol frame, Operation, line of a text log, or ETW message, or even the origin of a set of child Messages.


Operation

Describes a type of Message which contains a correlated set of Messages, for instance, a Request/Response pair.



Filters

Eliminates noise with expressions such as TCP.Port == 80 to focus on a network conversation, or TCP.Port != 80 to remove HTTP noise. There are also View Filters, which temporarily change the view of your data in each Viewer. In addition, there are Session filters, which limit the data you acquire with Message Analyzer, either through a Data Retrieval Session or a Live Trace Session.



Selection

Provides the capability to select messages globally across a Session for every Viewer. For example, a selection in the Analysis Grid viewer signals other Viewers to update their selection, which includes the in-focus Message (of which there is only one). The in-focus Message is what the Details Tool displays. Note that some viewers will not respond to selection of a message.



Viewpoints

Enables you to control the automatic reassembly of fragments and coalescing of request/response Messages as Operations, and to limit how far up the stack messages are displayed in a Viewer for analysis purposes. See the Viewpoints blog for more details.


View Layout

A View Layout remembers how the related Viewer is configured to address a specific analysis scenario. A View Layout can include user-added fields and can be saved. For instance, “TCP Deep Packet Analysis” is a View Layout for the Analysis Grid viewer.



Module

A property that you can specify when configuring a Message Analyzer Asset such as a Chart or View Filter. As a default Analysis Grid viewer column, it contains Protocol names, or in the case of Log files and ETW, the component names.


Message Type

Modules can have different Message types. For example, TCP and UDP have only one type each, a Segment and a Datagram, respectively. Other Modules such as SMB have many different types of messages, including Create, Open, Read, and Write types.



Fields

Each Message Type has fields that represent the binary data they describe, for example, the fields TCP.SourcePort and IPv4.DestinationAddress. Field Chooser is a Tool Window that enables you to explore Fields and Properties.



Properties

Usually derived from Field data, properties do not directly map to a value in a message payload. For instance, TCP.PayloadLength is calculated from the IP header size and length in combination with the TCP header size.
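The difference between a Field and a Property, as an added Python example that is not Message Analyzer's own code: the fields are read straight from packet bytes, while TCP.PayloadLength is computed from the IPv4 header size, the IPv4 total length and the TCP header size. The function names, the dictionary layout and the sample packet are constructed for illustration and assume the standard IPv4 and TCP header layouts.

```python
import ipaddress
import struct


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Split an IPv4/TCP packet into direct fields and a derived property."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_length = struct.unpack_from("!BBH", packet, 0)
    if ver_ihl >> 4 != 4 or packet[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ip_header_len = (ver_ihl & 0x0F) * 4          # IHL counts 32-bit words
    if ip_header_len < 20 or total_length > len(packet):
        raise ValueError("inconsistent IPv4 lengths")
    if total_length < ip_header_len + 20:
        raise ValueError("truncated TCP header")
    # Fields: values read straight from bytes in the message.
    fields = {
        "IPv4.DestinationAddress": str(ipaddress.IPv4Address(packet[16:20])),
        "TCP.SourcePort": struct.unpack_from("!H", packet, ip_header_len)[0],
    }
    tcp_header_len = (packet[ip_header_len + 12] >> 4) * 4   # data offset, in words
    if tcp_header_len < 20 or ip_header_len + tcp_header_len > total_length:
        raise ValueError("inconsistent TCP data offset")
    # Property: not stored anywhere in the packet, only computed from fields.
    properties = {"TCP.PayloadLength": total_length - ip_header_len - tcp_header_len}
    return {"fields": fields, "properties": properties}


def build_sample_packet() -> bytes:
    """Constructed sample: 5-byte payload to port 80, plus link-layer padding."""
    payload = b"hello"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 20 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address("192.0.2.10").packed,
                     ipaddress.IPv4Address("198.51.100.20").packed)
    tcp = struct.pack("!HHIIHHHH", 49152, 80, 0, 0, (5 << 12) | 0x018, 8192, 0, 0)
    return ip + tcp + payload + b"\x00" * 6   # padding must not count as payload


if __name__ == "__main__":
    print(parse_ipv4_tcp(build_sample_packet()))
```

The trailing padding in the sample shows why the computation starts from the IPv4 total length rather than from the number of captured bytes.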



Assets

Analytical instruments that you and others can mutually share by using the Message Analyzer Export feature. These tools include View Filters, Color Rules, Charts, View Layouts, Aliases, and Unions, along with others. You can also share Assets through custom feeds that you create, to which users can subscribe and keep up to date.

Sometimes just knowing the vocabulary can help you find and discover new features, and helps you understand a program. If there are other terms you’ve encountered and need defined, let me know. We can always expand the list.

Comments (2)

  1. Paul E Long says:

    We have flipped the model on its header. Rather than showing you the Ethernet, IP, and TCP frames, we show the application side. You drill down using high level indications like long Response Times and Diagnosis messages which can flag retransmits, then dive down using Viewpoints if you need to confirm the low level TCP/IP/Ethernet layer behaviors.

    These blogs might help explain in further detail. But feel free to use the Forums to get more information.

  2. Steve says:

    I find that it is very difficult to relate the Messages to Frames, Segments, Datagrams, Packets etc. which are network terms. I found the older tools showing Ethernet frames and their contents were very easy to understand. The messages seem to relate to things I have no knowledge of or reference to. I can see datagrams hidden in the messages or operations but I don’t understand how this relates to network traffic directly or how the scenario relates to what gets captured. It looks like a stiff learning curve for an occasional user like myself.
