This release of Message Analyzer 1.3 reveals a new streamlined user experience focusing on simplifying some common tasks. We reviewed all your feedback as well as interviewed users, which has been a tremendous help. As always, we continue to listen and incrementally ship new versions. You won’t have to wait too long to pick up the next version. Read more below about the details and new features.
Please download from the Microsoft Download Center.
Fresh and intuitive Start Page
Quickly start a live Local Trace session or a Favorite Scenario, open Recent Files, access New Session configuration features, and evaluate useful resources – all directly from the newly simplified Start Page interface. Get help from the Message Analyzer blog, which has links to everything else.
We removed low-usage features from the Start Page. Use the Asset Manager from the Message Analyzer Tools menu to manage Message Analyzer assets, rather than managing them from the Downloads tab of the former Start Page.
Improved look and feel
This release provides a new global menu that conveniently reorganizes access to many features and functions while saving screen real estate. A new global toolbar with the essential commands now replaces the icons and buttons of the old ribbon. Many visualizers now have a context-specific toolbar, to enable easier control of side-by-side data views and better discovery of the integrated features that assist the analysis process.
Process Tracking is being rebuilt. The first step is to use the built-in Windows ETW process mechanism so that we expose what the OS can already capture. As you can see in the picture above, a new Grouping viewer exposes the process name and ID captured by NetSh scenarios. These can also be captured manually with a Message Analyzer scenario via a process I will detail in a later blog post. However, an OS limitation is that for inbound traffic, packets are assigned to the currently running process. At a high level, this means you can accurately attribute client application (outgoing) messages to a process, but not server-based (incoming) messages. We’ll continue to listen and understand the most important next steps.
New enhanced Pattern Matching visualizer
Sequential Patterns describe a complex chain of events across an entire set of messages. The TCP Three-Way Handshake pattern exposes TCP connections and their configurations. The improved Pattern Match visualizer enables you to explore patterns in traces and logs so you can:
- Discover important issues that otherwise could be difficult to find.
- Extract relevant message pattern information for troubleshooting network issues.
Improved and feature-rich graphical Pattern Expression builder
The vastly improved workflow enables you to edit sequences while looking at your data and to explore two patterns next to each other, or even on another screen. Let’s face it, creating patterns takes some skill. But the new interface enables you to create more powerful patterns by using a new UI that provides graphical access to important pattern searching techniques.
New Compare individual message tool preview
A preview of a new tool enables you to compare two messages side by side. You can access it from Tools > Windows > Compare Tool. Select the first message, then right-click in the tool window to set it as the baseline. Then select other messages to find the differences.
Updated Details view exposes Properties and Tracking Fields
The Details window now exposes Properties, via the toolbar command pointed to in the screenshot below, and the Tracking window next to it. Properties contain metadata, which is not part of the transmitted data; instead, it is derived from the data. For instance, Transport is a property that combines the Source and Destination Address to form a useful Conversation string, and the TCP State property string indicates the TCP message state.
New Parsers and improved performance
We’ve refactored 49 OPN protocol parsers, which results in a performance improvement of up to 10% for TCP-based protocols. For LDAP specifically, improvements can exceed 120%! There are also some new parsers, such as HTTP2 and 802.11ac. [EDIT: these are planned for the next release.] I’ve included the full list below, which includes parsers for new protocols as well as updated existing ones.
- Updated Protocols: TCP, HTTP, LDAP, RDPBCGR, KerberosV5, MSRPCE, IMAP, RPCH, TLS, SSL, TDS, TSGU, SIP, LPR, NNTP, TURN, POP3, SMTP, MPA, FTP, iSCSI, NBTNS, NBTSS, SOCKS, SunRPC, SMB2, RSVD
- New Windows 10 Protocols: SQOS, RNAS
- Other New Protocols: CSSP, NetFlow, IPFIX, RDPEFS, RDPERP, RDPESC, SCMR
Please tell us if you don’t see improvements. Many of the issues we have found to date are data-specific, and we need your help to continue to improve performance.
New ways to retrieve data
Message Analyzer can now retrieve data in new ways. Analyze these sources individually or combine them with other data:
- SQL/Azure – Open SQL and Azure Tables and import that data to correlate against other information. Import Azure Blob data as well.
- PowerShell – Execute a PowerShell command and retrieve the resulting data. For instance, enter “dir” as a script, which maps to the Get-ChildItem cmdlet. The results are shown in the Analysis Grid.
- Event Logs – Directly open local or remote event logs into a static session.
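As an added example (not from the post and not part of Message Analyzer itself), here is a PowerShell script of the kind you could enter in place of “dir”: it emits one object per listening TCP endpoint together with its owning process, which is host-side context worth correlating in the Analysis Grid against captured traffic, for instance to confirm which process owns a non-standard port before using Parse As. Get-NetTCPConnection and Get-Process are standard Windows cmdlets; the assumption that each emitted object becomes a grid row with one column per property is mine, based on how the “dir” example is described.

```powershell
# Added example: a PowerShell data-retrieval script for Message Analyzer.
# Emits one object per listening TCP endpoint with the owning process.
# Assumption: the Analysis Grid maps object properties to columns, as it
# does for the "dir" (Get-ChildItem) example in the release notes.

# Cache process names once instead of calling Get-Process per connection.
# Keys are cast to [int] because OwningProcess is a UInt32 and hashtable
# lookups do not treat 4 (Int32) and 4 (UInt32) as the same key.
$procNames = @{}
Get-Process | ForEach-Object { $procNames[[int]$_.Id] = $_.ProcessName }

Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort |
    ForEach-Object {
        $pid = [int]$_.OwningProcess
        $name = if ($procNames.ContainsKey($pid)) { $procNames[$pid] } else { '<unknown>' }

        [PSCustomObject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            # Ports at or above 1024 are outside the well-known range; these are
            # the listeners most likely to need "Parse As" on the captured side.
            HighPort     = ($_.LocalPort -ge 1024)
            ProcessId    = $pid
            ProcessName  = $name
        }
    }
```

The script is read-only on the host; the only design choice worth noting is the single Get-Process call up front, which keeps the script fast on machines with many listeners.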
Ability to configure protocol ports
The practice of using alternative ports, different from the standard ones, is becoming more popular as a way to limit exposure. Use the Analysis Grid context menu Parse As command to dynamically parse data on alternate ports. This feature is currently available for the following protocols: HTTP, LDAP, RDP, SMB/SMB2, SSL/TLS, TCP, TDS, TURN. The list is extensible, so if something is missing, please let us know.
Support for Windows 10 non-manifest ETW
- Windows 10 has a new format for ETL files that allows them to be parsed dynamically. This new ETL format is now supported by Message Analyzer.
New Windows 10 capturing mechanisms
- A new HTTP Direct Trace Scenario enables you to capture local or remote HTTP client traffic directly from the WinInet provider. Like Fiddler, you can capture traffic before encryption, which is often important for diagnosing issues. Compared with the HTTP Fiddler method, more scenarios are now covered and the provider ships in-box with Windows.
- An updated Windows-NDIS-PacketCapture provider can now use promiscuous mode. Locally or remotely, you can capture network-level traffic from the network interface.
- The Windows Filtering Platform (WFP) message provider enables you to use Message Analyzer to capture messages higher in the stack, so you can see IPsec-encrypted traffic in the clear, in addition to capturing Loopback and Tunnel traffic. Included is an updated Microsoft-PEF-WFP-MessageProvider, which is now built into the OS. It is enabled for capturing local and remote traffic. Note that for computers running supported operating systems earlier than Windows 10, Message Analyzer includes this provider as part of the installation or upgrade process.
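The capture described above can also be scripted, which matters when you want a bounded, repeatable capture on a remote or production host rather than an interactive session. The following is an added example, not the post’s own code: it uses the PEF PowerShell module that installs with Message Analyzer (New-PefTraceSession, Add-PefMessageSource, Stop-PefTraceSession with a trigger, Start-PefTraceSession) together with the Microsoft-PEF-WFP-MessageProvider named in the post. The cmdlet names and parameters are as I recall them from the Message Analyzer 1.x PowerShell documentation and should be treated as an assumption to verify with Get-Command; the output path and the 60-second window are placeholders.

```powershell
# Added example: a scripted, time-bounded Message Analyzer capture using the
# WFP message provider. Assumption: PEF module cmdlet names and parameters as
# documented for Message Analyzer 1.x (verify with Get-Command -Module PEF).
Import-Module PEF

$tracePath = 'C:\Traces\WfpCapture.matu'   # placeholder output path

# Circular buffer capped at 50 MB; the buffer is written to disk when the
# session stops, so a forgotten capture cannot fill the volume.
$session = New-PefTraceSession -Mode Circular -Force -Path $tracePath -TotalSize 50 -SaveOnStop

# WFP sits above the IPsec layer, which is why this provider yields the
# cleartext view the release notes describe, plus loopback and tunnel traffic.
Add-PefMessageSource -PEFSession $session -Source 'Microsoft-Pef-WFP-MessageProvider'

# Register a stop trigger before starting: with -Trigger, Stop-PefTraceSession
# does not stop anything now, it schedules the stop for when the trigger fires.
$stopAfter = New-PefTimeSpanTrigger -TimeSpan (New-TimeSpan -Seconds 60)
Stop-PefTraceSession -PEFSession $session -Trigger $stopAfter

# Blocks until the trigger fires, then the .matu file is saved to $tracePath.
Start-PefTraceSession -PEFSession $session
```

Run it from an elevated PowerShell prompt, since the provider captures at the filtering layer. The point of the trigger is operational discipline: a capture that sees IPsec-protected traffic in the clear should have a fixed lifetime and a fixed on-disk size, which is what the circular mode and the time-span trigger give you.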
Scenario-based Feedback Center
As you try different features, the Feedback Center lets us prompt for specific details regarding that scenario. Just provide a rating or add more information to help us further improve Message Analyzer.
And so much more…
Of course there are many more small improvements and bug fixes than we can list here. With this release, we’ve taken an important step toward improving usability, but we are not done yet. We look forward to your continued feedback, so please give Message Analyzer 1.3 a try and let us know!