Grouping Viewer – AKA ‘Conversation Tree’ – In Message Analyzer 1.2


The Network Monitor Conversation Tree serves several different purposes, as follows:

  • It enables you to select any message and find related messages based on the network and transport layer. For example, you can select a random TCP message in a trace and, via right-click, filter the view to only those messages belonging to the same TCP conversation.
  • It provides an overview of your network based on the addresses of IP conversations and the TCP or UDP ports that carried those conversations. By selecting any node in this Conversation Tree, your view of data is filtered to a single TCP/UDP conversation that exposes the flow of all traffic between two computers. Since programs use ports as a way of segmenting traffic, this gives you a clean and interleaved view of a single conversation.

Introducing the Grouping Viewer

In Message Analyzer 1.2 a new Grouping viewer has been added to provide functionality that is similar to the Network Monitor Conversation Tree. Below are some examples and comparisons between the Conversation Tree and the Grouping viewer.

For comparison purposes, the example below shows the default View Layout for the Grouping viewer with the first two groups removed—the Data Source and ProcessId groups—by clicking the red X on their group labels. In this example, there is only one data source, as the data was captured from one machine only, rather than several. Also, the Process ID is not yet valid for Network Monitor captures. It is valid for outgoing traffic with new traces you capture using Message Analyzer. This example also has a View Filter applied as shown in the new tool tip that displays for each viewer tab or in Session Explorer when you hover over a tab or session node with your mouse, respectively. This tool tip enables you to quickly differentiate between various views of your data; for example, multiple Analysis Grid viewer tabs, each with a different filter.

The Grouping view is implemented as a viewer and not as a Tool Window. Functionally, it has some special characteristics, as follows:

  • Group node selection can drive filtering in all other viewer instances of the same session when the default Filtering mode of the Grouping viewer is active.
  • Group node selection can drive message selection in the Analysis Grid viewer and in the Selection Tool Window, which builds a collection that keeps track of selected messages, when the Selection mode of the Grouping viewer is active.
  • You can only open one Grouping viewer per session.
  • It opens on the left side of the UI and is docked alongside the Analysis Grid viewer, providing a visually similar appearance to the Network Monitor Conversation Tree view.
  • You can open a new Grouping viewer for each session.

Session-level filtering should be easy to understand for Network Monitor experts. However, since multiple viewers can be opened in Message Analyzer, it’s important to understand that filtering in the Grouping viewer will affect all views in the same session. This means you can now drive a Chart, Gantt, or Swim-lane viewer, based on message selection in the Grouping viewer, which is a pretty cool thing to do. :)

Conversation Tree++

Along with re-establishing some of the previous work flows, significant improvements have been made in Message Analyzer 1.2 that enable you to do the following with the Grouping viewer:

  • Choose different group layouts — the default View Layout for the Grouping viewer is the Network Conversation Tree with Process ID layout, which is similar to Network Monitor’s Conversation Tree. However, note that the Grouping viewer also provides other predefined group layouts from the View Layouts drop-down list in the Grouping group on the Ribbon of the Message Analyzer Home tab, when the Grouping viewer has focus. These additional View Layouts enable you to drill down into different grouped and nested field configurations to obtain a unique analytical focus of target data, which is particularly useful in large data sets.
  • Customize your Grouping view — do this by adding fields as new groups, with the use of the Field Chooser Tool Window or Details Tool Window context menus, as shown in the figure below. Note that right-click commands in these windows apply only to the viewer that has focus, for example, the Analysis Grid viewer or the Grouping viewer.

  • Select multiple group nodes — this creates a logical OR of all selected nodes. Note that you can unselect a particular group node among several that you previously selected without affecting other selections, by holding down the Ctrl key and selecting the node that you want to unselect.
  • Quickly assess possible hot spots in a trace — for each node, an associated message count is specified, along with the count of child messages and a heat map indicator. These features enable you to quickly find the hot spots in the trace. You can also sort columns, although only the top grouping is currently sorted. The heat map represents percentages of messages which you can expose by cutting & pasting selected rows. For comparison, the figure that follows shows this data pasted into Excel.

  • Filter the Grouping view — you can focus on a specific type of traffic by applying a view filter. For example, you might use filtering to isolate all network conversations with HTTP traffic.
  • Change the Grouping viewer mode — change the default Filtering mode to the Selection mode, which drives all other data viewers to select those messages, rather than filter them. This applies to data viewers such as the Analysis Grid that allow message selection to occur.

  • Organize/nest the groupings however you want — drag and drop the nested groups to a different location and the data reorganizes (pivots) accordingly.

Using the Find in Grouping feature from the Analysis Grid

The Find in Grouping Viewer feature is new in Message Analyzer 1.2 and is similar to the “follow the stream” feature in Wireshark or the “find conversation” feature in Network Monitor. An important thing to realize about network and some text log data is that it is not necessarily contiguous. In many types of traces, especially network traces, adjacent messages might not be related, as they are often massively interleaved. In many cases, you will find an interesting message, such as one with an HTTP error state, and you want to see the conversation that led up to the problem. You can now open the Grouping viewer, right-click a message in the Analysis Grid viewer, and then select the Find in Grouping Viewer context menu item. This causes the related group node in the Grouping viewer to be selected, which in turn also causes the messages to be filtered in the Analysis Grid viewer.

In addition, this provides context for other messages that are possibly related. For instance, you can now see all other related TCP conversations between the same client and server. You can easily navigate the list of alternate conversations, or select multiple ones to see how they intermix. For instance, in the illustration below, a TCP conversation on port 49201 is highlighted as a result of using the Find in Grouping Viewer command, but perhaps the TCP network conversation node shown with 7 messages also has some interesting and related data. To assess these messages in context, you can simply use Ctrl+Click to add the node messages to the filtered view in the Analysis Grid viewer, or you can select the node individually to quickly look at that particular stream of data.
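The grouping, per-node message counts, multi-node selection and Find in Grouping behaviour described above can be sketched in a few lines of Python. This is an added example, not Message Analyzer code: the trace records, addresses and function names are constructed for illustration, and only port 49201 echoes the illustration in the post.

```python
# Constructed sample trace: (message number, source, destination, transport, src port, dst port)
TRACE = [
    (1, "10.0.0.5", "10.0.0.9", "TCP", 49201, 80),
    (2, "10.0.0.9", "10.0.0.5", "TCP", 80, 49201),
    (3, "10.0.0.5", "10.0.0.7", "UDP", 53011, 53),
    (4, "10.0.0.5", "10.0.0.9", "TCP", 49202, 80),
    (5, "10.0.0.9", "10.0.0.5", "TCP", 80, 49201),
    (6, "10.0.0.7", "10.0.0.5", "UDP", 53, 53011),
    (7, "10.0.0.5", "10.0.0.9", "TCP", 49201, 80),
    (8, "10.0.0.9", "10.0.0.5", "TCP", 80, 49202),
]

def group_key(msg):
    """Direction-independent key: (address pair, (transport, port pair))."""
    _, src, dst, proto, sport, dport = msg
    # Sort the endpoints so both directions of a conversation share one node.
    (a, pa), (b, pb) = sorted([(src, sport), (dst, dport)])
    return (a, b), (proto, pa, pb)

def build_tree(trace):
    """Nest messages as {network node: {transport node: [message numbers]}}."""
    tree = {}
    for msg in trace:
        net, transport = group_key(msg)
        tree.setdefault(net, {}).setdefault(transport, []).append(msg[0])
    return tree

def heat(tree):
    """Message count and percentage of the trace for each top-level node."""
    counts = {net: sum(len(m) for m in kids.values()) for net, kids in tree.items()}
    total = sum(counts.values())
    return {net: (n, round(100 * n / total, 1)) for net, n in counts.items()}

def find_in_grouping(trace, number):
    """Return the (network, transport) node that holds message `number`."""
    for msg in trace:
        if msg[0] == number:
            return group_key(msg)
    raise KeyError(number)

def select(tree, nodes):
    """Logical OR of the selected nodes: every message in any of them, in trace order."""
    return sorted(n for net, transport in nodes for n in tree[net][transport])

if __name__ == "__main__":
    tree = build_tree(TRACE)
    node = find_in_grouping(TRACE, 5)       # start from one interesting message
    print(node, select(tree, [node]), heat(tree))
```

Passing a second sibling node to `select` mirrors the Ctrl+Click case: the interleaved messages of both conversations come back in trace order.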

A New Old Friend

The Network Monitor conversation tree is something our users commonly cited as a missing feature in Message Analyzer. This new and improved control should provide all of the missing functionality plus some powerful new ideas that are sure to please many users. Be sure to download Message Analyzer 1.2 (or later versions when they become available), visit our announcement Blog, and give the new Grouping feature a try.

Comments (2)

  1. Anonymous says:

    We often talk about correlation with Message Analyzer. The word relating might be a more simple word

  2. Anonymous says:

    Because Message Analyzer enables you to see multiple views of the same data in a session and message
