Message Analyzer Filtering Kung Fu


Filtering is a key skill in Message Analyzer and the cornerstone of removing noise and finding the data you want to work with. In Message Analyzer, filtering applies to any view, which makes it universal: the sample filters in the table below can certainly be applied to the Analysis Grid viewer, but each view can also carry its own independent filter. Complex, perhaps, but very powerful.

One reason this is tricky is that we automatically coalesce frames that have been fragmented, and we group messages by operations in the tree grid, as described in the Message Analyzer: Why so different from Network Monitor blog. Today, with Message Analyzer v1.2, filters are always applied at the top level and are evaluated against every child message. This means that if any child of a top-level message matches the applied filter, the top-level message is displayed as well. For example, a filter that specifically matches a TCP fragment for HTTP causes the entire top-level HTTP operation to be returned. Viewpoints and Viewpoint filters are the way to work deeper into the network stack, but just keep that in the back of your mind for now.

So get ready Wizards, Gurus, Black Belts, or whatever moniker you want to attach to your "10,000 hours" achievement, as I've mapped the levels of mastery in the table that follows. You can work through the levels to increase your skills.

Level   | Skill              | Example                                                            | Description
--------+--------------------+--------------------------------------------------------------------+--------------------------------------------------------------------------------------------
None    | Right Click        | Right-click a field in the Details Tool Window and add it as a filter. | You can right-click fields in Details, the Analysis Grid, and other places. Right-clicking exposes contextual functionality.
White   | Module exists      | HTTP                                                               | By using a module name as a filter, you show only the messages that contain that module.
        | Field exists       | TCP.Options                                                        | Specify a field name to find messages that contain that field.
        | Port               | *port==80                                                          | Matches messages that have any kind of field called "port" whose value matches, here 80 (HTTP).
Yellow  | OR Combinations    | HTTP or LDAP                                                       | Combine traffic, perhaps to see how the protocols interact.
        | AND Combinations   | TCP.Port==80 AND TCP.Port==1234                                    | Look at a specific TCP conversation.
        | NOT Combinations   | TCP.Port != 3389                                                   | Get rid of RDP traffic noise.
        | Inclusive NOT      | TCP.Port ~= 80                                                     | Return only TCP traffic that is not port 80.
Bronze  | Search all content | Contains "text"                                                    | Return any message that contains the specified "text" value.
        | Search a field     | HTTP.Payload contains "get"                                        | Return messages with an HTTP Payload that contains the word "get".
        | IP Subnet          | IPv4.Address in 10.1.0.0/16                                        | Return all IPv4 messages in the 10.1.0.0/16 subnet.
        | In Operator        | TCP.Port in [80, 53]                                               | Return any TCP traffic with HTTP or DNS.
Silver  | Top Level          | TCP                                                                | Search for any top-level message that is TCP. This exposes SYN and RST flags.
        | Layer Specific I   | HTTP/TCP                                                           | Returns only HTTP messages that are directly above TCP.
        | Layer Specific II  | HTTP\IPv4                                                          | Returns HTTP messages that have IPv4 at some level underneath.
Gold    | Search Properties  | *Summary contains "error"                                          | Returns messages whose Summary line matches "error".
        | Search Annotations | #DiagnosisLevels                                                   | Returns all messages that have a diagnosis error set.
        | Slow Transactions  | #TimeElapsed > .5                                                  | Returns operations or messages that span more than .5 seconds.
Diamond | Regex I            | *Summary regex @"\d+"                                              | Returns messages whose Summary contains a number with one or more digits.
        | Regex II           | *Summary regex @"\w+-\w+"                                          | Returns hyphenated words in the Analysis Grid Summary column.
        | Regex III          | regex @"\bthis\W+(?:\w+\W+){1,6}?that\b"                           | Returns messages that have "this" close to "that" anywhere in the payload.

For certain, the Diamond level is designated for advanced users of Regex, although these examples are more to show you the range of complexity. You can devise Regex expressions to accomplish whatever you want. MSDN has a great reference that you can use, and this related Message Analyzer blog covers Regex and extending parsing with Text Log configurations. But keep in mind that Regex is also the slowest kind of filter.
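To make the table's semantics concrete, here is a small Python model of the filter behaviour this post describes: the "match anywhere in the children keeps the whole top-level message" rule from the introduction, the `*field` wildcard, `!=` versus `~=` as the table explains them, the `in` operator for sets and subnets, and the three Regex rows. This is an added example, not Message Analyzer's engine or its filter grammar: filters are built as Python predicates rather than parsed from the filter language, the capture is constructed by hand, and the exact `!=`/`~=` behaviour is taken from the table's descriptions (an assumption; check the Operating Guide for the authoritative definition).

```python
"""Toy model of the filter semantics described in this post.
Added example: not Message Analyzer code. Filters are Python predicates,
and the capture below is constructed, not a real trace."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Message:
    """One message: its module, "Module.Field" -> values (a field such as
    TCP.Port holds both source and destination port), a Summary line, and
    the child messages it was coalesced from."""
    module: str
    fields: Dict[str, List[object]] = field(default_factory=dict)
    summary: str = ""
    children: List["Message"] = field(default_factory=list)


Predicate = Callable[[Message], bool]


def field_values(msg: Message, name: str) -> Optional[List[object]]:
    """Resolve a field reference. A leading '*' means "a field of this name
    in any module" (the post's *port==80); otherwise the full key must match.
    Returns None when the message carries no such field."""
    if name.startswith("*"):
        want = name[1:].lower()
        vals = [v for key, vs in msg.fields.items()
                if key.split(".")[-1].lower() == want for v in vs]
        return vals or None
    return msg.fields.get(name)


def module_is(name: str) -> Predicate:            # "HTTP"
    return lambda m: m.module == name


def field_exists(name: str) -> Predicate:         # "TCP.Options"
    return lambda m: field_values(m, name) is not None


def eq(name: str, value) -> Predicate:            # "TCP.Port == 80"
    return lambda m: value in (field_values(m, name) or [])


def not_eq(name: str, value) -> Predicate:        # "TCP.Port != 3389"
    # As the table describes it: also true for messages with no such field.
    return lambda m: value not in (field_values(m, name) or [])


def inclusive_not(name: str, value) -> Predicate:  # "TCP.Port ~= 80"
    # As the table describes it: the field must exist and not hold the value.
    def pred(m: Message) -> bool:
        vals = field_values(m, name)
        return vals is not None and value not in vals
    return pred


def in_set(name: str, values) -> Predicate:       # "TCP.Port in [80, 53]"
    return lambda m: any(v in values for v in field_values(m, name) or [])


def in_subnet(name: str, cidr: str) -> Predicate:  # "IPv4.Address in 10.1.0.0/16"
    net = ipaddress.ip_network(cidr)
    return lambda m: any(ipaddress.ip_address(v) in net
                         for v in field_values(m, name) or [])


def summary_regex(pattern: str) -> Predicate:     # '*Summary regex @"\d+"'
    rx = re.compile(pattern)
    return lambda m: rx.search(m.summary) is not None


def both(a: Predicate, b: Predicate) -> Predicate:    # AND
    return lambda m: a(m) and b(m)


def either(a: Predicate, b: Predicate) -> Predicate:  # OR
    return lambda m: a(m) or b(m)


def matches_anywhere(msg: Message, pred: Predicate) -> bool:
    return pred(msg) or any(matches_anywhere(c, pred) for c in msg.children)


def apply_filter(top_level: List[Message], pred: Predicate) -> List[str]:
    """The v1.2 rule from the post: the filter is evaluated against each
    top-level message and every child beneath it, and a match at any depth
    keeps the whole top-level message. Returns the surviving Summary lines."""
    return [m.summary for m in top_level if matches_anywhere(m, pred)]


def sample_capture() -> List[Message]:
    """Constructed capture: an HTTP operation coalesced over TCP/IPv4, a bare
    RDP SYN, and a DNS query over UDP/IPv4. All values are made up."""
    http_op = Message("HTTP", {"HTTP.Method": ["GET"]}, "GET /index.html", [
        Message("TCP", {"TCP.Port": [1234, 80], "TCP.Options": ["MSS"]}, "TCP segment", [
            Message("IPv4", {"IPv4.Address": ["10.1.5.7", "93.184.216.34"]})])])
    rdp = Message("TCP", {"TCP.Port": [50000, 3389]}, "Flags: ...S., 50000 -> 3389")
    dns = Message("DNS", {"DNS.QName": ["example.com"]}, "Query this-name, then that", [
        Message("UDP", {"UDP.Port": [53000, 53]}, "UDP datagram", [
            Message("IPv4", {"IPv4.Address": ["10.1.5.7", "10.1.0.2"]})])])
    return [http_op, rdp, dns]


if __name__ == "__main__":
    cap = sample_capture()
    # "TCP" returns the whole HTTP operation because its TCP child matches.
    print(apply_filter(cap, module_is("TCP")))
    print(apply_filter(cap, not_eq("TCP.Port", 3389)))        # everything but RDP
    print(apply_filter(cap, inclusive_not("TCP.Port", 80)))   # TCP only, and not HTTP
```

The two results worth comparing are `module_is("TCP")`, which keeps the HTTP operation purely because of its child (the behaviour the introduction warns about), and `not_eq` versus `inclusive_not`, where the DNS query survives `TCP.Port != 3389` but not `TCP.Port ~= 80` because it carries no TCP.Port field at all.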

Become a Master

For other resources on filtering, we have an older Filtering blog that contains further examples. Our Filtering Message Data topic in the Message Analyzer Operating Guide on TechNet also has more detailed information about filtering. Learn the first few levels and become enlightened with your newfound filtering powers, or advance to the final level and become a Filtering Zen-Master.


Comments (1)

  1. Alexander says:

    And the Platinum achievement gets the one who masters to filter out two modules with *ModuleName != "Windows_Kernel_Trace" && *ModuleName != "Etw"
