Message Analyzer 1.3 has Released (Build 7540)

This release of Message Analyzer 1.3 introduces a new streamlined user experience focused on simplifying common tasks. We reviewed all your feedback and interviewed users, which has been a tremendous help. As always, we continue to listen and to ship new versions incrementally, so you won’t have to wait too long to pick up the next one. Read more below about the details and new features.

Please download from the Microsoft Download Center.

Fresh and intuitive Start Page

Quickly start a live Local Trace session or a Favorite Scenario, open Recent Files, access New Session configuration features, and find useful resources, all directly from the newly simplified Start Page interface. Get help from the Message Analyzer blog, which has links to everything else.

We removed low usage features from the Start Page. Use the Asset Manager from the Message Analyzer Tools menu to manage Message Analyzer assets, rather than managing them from the Downloads tab on the former Start Page configuration.


Improved look and feel

Provides a new global menu that conveniently reorganizes access to many features and functions, while saving screen real estate. Also, a new global toolbar with the essential commands now replaces the icons and buttons of the old ribbon. Many visualizers now have a context-specific toolbar, to enable easier control of side-by-side data views and for better discovery of integrated features that assist the analysis process.

Process Tracking

Process Tracking is being reborn. The first step is to use the built-in Windows ETW process mechanism so that we expose what the OS can already capture. As you can see in the picture above, a new Grouping viewer exposes the process name and ID captured by NetSh scenarios. These can also be captured manually with a Message Analyzer scenario via a process I will detail in a later blog post. However, an OS limitation is that inbound packets are assigned to the currently running process. At a high level, this means you can accurately attribute client application (outgoing) messages to a process, but not server-based (incoming) messages. We’ll continue to listen and understand the most important next steps.

New enhanced Pattern Matching visualizer

Sequential Patterns describe a complex chain of events across an entire set of messages. The TCP Three Way Handshake pattern exposes TCP connections and their configurations. The improved Pattern Match visualizer enables you to explore patterns in traces and logs so you can:

  • Discover important issues that otherwise could be difficult to find.
  • Extract relevant message pattern information for troubleshooting network issues.


Improved and feature-rich graphical Pattern Expression builder

The vastly improved workflow enables you to edit sequences while looking at your data and to explore two patterns next to each other, or even on another screen. Let’s face it, creating patterns takes some skill. But the new interface enables you to create more powerful patterns by using a new UI that provides graphical access to important pattern searching techniques.

New Compare individual message tool preview

A preview of a new tool that enables you to compare two messages side by side. You can access the new tool from Tools > Windows > Compare Tool. Select the first message, then right-click in the tool window to set it as the baseline. Then select other messages to find the differences.


Updated Details view exposes Properties and Tracking Fields

The Details window now exposes Properties, via a toolbar command pointed to below, and the Tracking window next to it. Properties contain metadata that is not part of the transmitted data but is derived from it. For instance, Transport is a property that combines the Source and Destination Address into a useful Conversation string, and the TCP State property string indicates the TCP message state.


New Parsers and improved performance

We’ve refactored 49 OPN protocol parsers, which results in a performance improvement of up to 10% for TCP-based protocols. For LDAP specifically, improvements can exceed 120%! There are also some new parsers, such as HTTP2 and 802.11ac [EDIT: these are planned for the next release]. I’ve included the full list below, which includes parsers for new protocols as well as existing protocols.

  • New Windows 10 Protocols: SQOS, RNAS
  • Other New Protocols: CSSP, NetFlow, IPFIX, RDPEFS, RDPERP, RDPESC, SCMR

Please tell us if you don’t see improvements. Many issues we have found to date are data-specific and we need your help to continue to improve performance.

New ways to retrieve data

Message Analyzer can now retrieve data in new ways. Analyze them individually or combine them with other data as well:

  • SQL/Azure – Open SQL and Azure Tables and import that data to correlate against other information. Import Azure Blob data as well.
  • PowerShell – Execute a PowerShell command and retrieve the resulting data. For instance enter “dir” as a script, which maps to the Get-ChildItem cmdlet. This will show you the results in the Analysis Grid.
  • Event Logs – Directly open local or remote event logs into a static session.

Ability to configure protocol ports

The practice of using ports other than the standard ones is becoming more popular as a way to limit exposure. Use the Analysis Grid context menu Parse As command to dynamically parse data on alternate ports. This feature is currently available for the following protocols: HTTP, LDAP, RDP, SMB/SMB2, SSL/TLS, TCP, TDS, TURN. This list is extensible, so if something is missing, please let us know.

Support for Windows 10 non-manifest ETW

  • Windows 10 has a new format for ETL files, which allows them to be parsed dynamically. This new ETL format is now supported by Message Analyzer.

New Windows 10 capturing mechanisms

  • A new HTTP Direct Trace Scenario enables you to capture local or remote HTTP client traffic directly from the WinInet provider. Like Fiddler, you can capture traffic pre-encryption, which is often important for diagnosing issues. As an alternative to the HTTP Fiddler method, more scenarios are now covered and the provider is inbox.
  • An updated Windows-NDIS-PacketCapture provider which can now use Promiscuous mode. Local or remote, you can capture network-level traffic from the Network Interface.

The Windows Filtering Platform (WFP) message provider enables you to use Message Analyzer to capture messages higher in the stack, so you can see IPSec-encrypted traffic in the clear, in addition to capturing Loopback and Tunnel traffic. Included is an updated Microsoft-PEF-WFP-MessageProvider, which is now built into the OS. It is enabled for capturing local and remote traffic. Note that for computers running supported operating systems earlier than Windows 10, Message Analyzer will include this provider as part of the installation or upgrade process.

Scenario-based Feedback Center

As you try different features, the Feedback Center lets us prompt for specific details regarding that scenario. Just provide us with a rating or add more information to help us further improve Message Analyzer.


And so much more…

Of course there are many more small improvements and bug fixes than we can list here. With this release, we’ve taken an important step toward improving usability, but we are not done yet. We look forward to your continued feedback, so please give Message Analyzer 1.3 a try and let us know!

Comments (13)

  1. Paul E Long says:

    Yes, it’s a feature on our radar. There’s some churn here in how to enable this feature and it’s not as simple as just porting from the Network Monitor code. But hopefully we will get to the point where Message Analyzer will self update.

  2. Paul E Long says:

    @Piotr, right now there is more than one file required to parse any of the data. The installer is required. We also have ideas to go inbox, but it’s unclear when that might happen. Is the installer too heavy a process because of its size?

  3. Is there any chance that Message Analyzer gets added as a category to WSUS?

    I don’t understand why it isn’t, when NetMon and even the new Technical Previews for Windows Server and Desktop are out there.

    Please. A lot of companies still use WSUS for updates, and being able to update this app would be great.

  4. Anonymous says:

    Applies to: Windows 10 Windows Server 2012 R2 Windows 8.1 Windows Server 2012 Windows 8.0 Windows Server

  5. Anonymous says:

    Applies to: Windows 10 Windows Server 2012 R2 Windows 8.1 Windows Server 2012 Windows 8 Windows Server

  6. Piotr Siódmak says:

    How about a lighter non-install version just for log parsing? Message Analyzer is great with ETW log parsing and the filtering just adds to it. It would be nice if I could just copy MA as a single exe (or a folder like Debugging Tools for Windows) to my client’s machine and open the multi-GB ETL file I normally need to send over a weak wire.

    I could see this tool as a great replacement for the oldie Event Viewer, which doesn’t give much filtering possibilities. Maybe include it with Windows 10?

  7. Piotr Siódmak says:

    No, the installer is OK. It’s more about XCOPY deployment. Consider the following workflow: copy a few files to a temporary directory, open and analyze etl files that are already there (captured with netsh trace or logman), remove all files when you’re done without leaving anything on the client’s machine (registry entries, capture drivers and such).

    Clients rarely allow us to install additional software on their machines (especially network sniffers), so we sometimes have to ask them to send us multi-gigabyte ETL traces over the wire. Being able to analyze them on site without leaving registry entries and drivers behind would be awesome.

  8. Paul E Long says:

    Would it work if you did this?

    * copy MSI
    * MSIEXEC /I MessageAnalyzer.msi
    * MSIEXEC /X MessageAnalyzer.msi

  9. Piotr Siódmak says:

    Only if the uninstallation really cleans up everything. Even then, anything that appears in Add/Remove Programs is frowned upon by the other company’s admins.

    It would be nice if it worked like sysinternals tools, PerfView or Debugging Tools for Windows (those you have to install locally, but then you can salvage the exe and dlls and just copy over to another machine).

    It’s not that it renders MA unusable, it’s just that turning it into a portable "log reader" would be awesome. I’d always carry it on my diagnostic USB drive.

  10. Paul E Long says:

    If you find the uninstallation doesn’t clear up everything, then we should fix that. I know there’s a stigma against installed software, even though we know copying an EXE is just as dangerous. But I understand your basic scenario about being able to get in and out fast. I think our current infrastructure wouldn’t allow for a single EXE, but perhaps longer term we can think about the scenario more.

    What kind of troubleshooting do you do? Is it as varied as troubleshooting all protocols or just networking? Are you commonly checking just a few things, or do you spend lots of time doing analysis until you find root cause?

  11. Piotr Siódmak says:

    I use Message Analyzer mainly to view ETL files gathered with netsh trace and logman. For example there’s this ADFS or AppFabric diagnostic ETW log that is disabled by default and it’s better to leave it like that, but when there’s a problem I use logman to turn it on and write the trace to ETL. Then I copy the ETL to my machine and open it with MA, because Event Viewer is not so good at viewing big debug traces – those which show only if you click View -> Show Analytic and Debug Logs in Event Viewer.

    As for netsh trace I mainly do HTTP (grabbing soap messages that go from web service to web service) and Kerberos.

    I often enter Dev VMs to help with issues, so using built-in tools (netsh, logman) is more comfortable.

  12. Kartik says:

    Is there a way to capture data with Message Analyzer as in Netmon without selecting any scenario tracing?

  13. Paul E Long says:

    @Kartik, you can click the Start Local Trace button from the start page. Does that solve your problem? Or are you asking if there is a command line way to capture traffic (which there is using PowerShell).
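The command-line capture path mentioned in the reply above, as an added example that is not part of the original post or its comments: it assumes the inbox NetEventPacketCapture module (Windows 8.1 / Server 2012 R2 and later) and writes an .etl file that Message Analyzer can open as a static session; the session name, output path, duration and truncation length are assumptions chosen for the example.

```powershell
# Added example (not from the post): scripted local packet capture with the
# inbox NetEventPacketCapture module, no scenario selection in the UI needed.
# Session name, output path, duration and truncation are example assumptions.
$sessionName = 'MA-CaptureExample'
$outFile     = Join-Path $env:TEMP 'capture-example.etl'
$seconds     = 30

# Run from an elevated prompt: the capture provider is kernel-mode.
# MaxFileSize is in MB and bounds how much trace data lands on disk.
New-NetEventSession -Name $sessionName `
    -CaptureMode SaveToFile `
    -LocalFilePath $outFile `
    -MaxFileSize 100 | Out-Null

# Attach the NDIS packet-capture provider. Truncating each frame to 256 bytes
# keeps the headers Message Analyzer parses while leaving most payload out of
# the trace, which limits what sensitive data is written to the file.
Add-NetEventPacketCaptureProvider -SessionName $sessionName `
    -Level 4 `
    -CaptureType Physical `
    -TruncationLength 256 | Out-Null

try {
    Start-NetEventSession -Name $sessionName
    Start-Sleep -Seconds $seconds
}
finally {
    # Always stop and remove the session so no capture is left running
    # if the script is interrupted.
    Stop-NetEventSession -Name $sessionName -ErrorAction SilentlyContinue
    Remove-NetEventSession -Name $sessionName
}

Write-Output "Trace written to $outFile; open it in Message Analyzer via File > Open."
```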
