Message Analyzer v1.3 vs Network Monitor v3.4

by Greg Gille

Message Analyzer takes some new approaches to capturing and analyzing traffic, including limiting network noise and exposing at top-level the issues that occur at lower levels. This enables you to immediately see the most important information for any particular message at top-level in the primary analysis surface, the Analysis Grid. Network Monitor, on the other hand, shows only flat or static message packets in original capture order; it does not hide noise, reassemble fragments, or simulate protocol behavior to interpret states and maintain a protocol model, as Message Analyzer does.

For more information, see Message Analyzer: Why so different from Network Monitor?

Comparing Message Analyzer and Network Monitor Features

This article provides a feature summary that compares Microsoft Message Analyzer and Microsoft Network Monitor side by side. Although Network Monitor is a very popular network traffic analysis tool with widespread acceptance and use, Message Analyzer brings new features to the table that even the most avid Network Monitor user will be delighted to discover. Whether it is a rich set of graphic data visualizer Chart components that offer unique data analysis perspectives, predefined and shareable asset collections, capturing traffic (including ETW events) from multiple remote sources simultaneously, or configuring your own custom text log parsers, Message Analyzer was designed to anticipate the tools that you will need to perform common data acquisition, troubleshooting, and analysis tasks with expediency.

Table 1 below compares the top 15 Microsoft Message Analyzer features with similar Microsoft Network Monitor features. To drill down into a further comparison of capabilities, see Table 2.

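Table 1: Top 15 Message Analyzer and Network Monitor Features Comparison

Each row below lists, in order: the feature, the Message Analyzer capability, and the Network Monitor capability.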

Load trace data in flexible input configurations

Provides a dialog for Data Retrieval Session configuration, which enables:

  • Loading and aggregating data from multiple input files and formats simultaneously, including the .matp, .cap, .etl, .log, .csv, .tsv, .saz, and .pcapng formats. See Locating Supported Input File Types
  • Retrieving Azure, OS event logs, PowerShell script, and SQL data.
  • Parsing common text logs with built-in parsers.
  • Using truncated parsing for files with truncated messages, such as *.cap.
  • Applying flexible filtering on multiple data sources, including a time window, Session Filter, and/or a Parsing Level.

Loads data from *.cap, *.pcap, and *.etl files only.

Design new parsers for custom text logs

Input extensibility enables custom text log parsers to be written in the OPN language. See the OPN Configuration Guide for Text Log Adapter document.

Does not support text log parser design or input from text logs.

Create flexible capture configurations for a Live Trace Session

Provides a dialog for Live Trace Session configuration which enables:

  • Choosing a built-in Trace Scenario to focus on specific message types or layers.
  • Selecting adapters on which to capture.
  • Limiting data capture with a predefined Session Filter, Parsing Level, driver-level Fast Filter or WFP Layer Set filter, and/or ETW Keyword and Level filters.
  • Configuring advanced host adapter NDIS layer and Hyper-V-Switch extension layer filters.
  • Controlling the underlying ETW session configuration.

Note: Capture in P-Mode with the Add-NetEventNetworkAdapter PowerShell cmdlet on Windows 10 computers.

NMCap enables capturing from a single source/local computer only. Manual configuration required to specify capture settings, such as a Capture Filter, adapter selection, P-Mode, and a Parser Profile.

Capture remote traffic on multiple target computers at once

Enables remote capture with the Microsoft-Windows-NDIS-PacketCapture provider (Windows 8.1/later), the Microsoft-PEF-WFP-MessageProvider (Windows 10 only), or any system ETW provider:

  • Specify one or more remote computers and authentication credentials.
  • Include/omit capture on local computer.
  • Specify a Trace Scenario, Session Filter, Parsing Level, and/or advanced filtering.

Enables creating multiple subsession configurations with the Data Source feature and aggregating all subsession results in the Analysis Grid viewer.

Enables remote capture on a single target; supported in Network Monitor 2.x with the NDIS provider.

Capture at various network stack levels

Has the following message providers:

  • Microsoft-Windows-NDIS-PacketCapture — captures at Link Layer and above.
  • Microsoft-PEF-WFP-MessageProvider — captures above the Network Layer.
  • Microsoft-WebProxy/Fiddler — captures at the Application Layer.

Note: Also captures tunnel traffic.

Captures at Link Layer and above only, using the NDIS provider. Also captures tunnel traffic.

Select built-in Trace Scenarios to focus on specific data

Provides multiple built-in scenarios in the Network, Device, System, File Sharing, and My Items categories for Live Trace Sessions.

NMCap has some similar functionality; for more complex configurations, a batch file may be required.

Optimize capture speed and focus through message provider filter configurations

Enables specifying a provider/driver-level Fast Filter, a Fast Filter Group for a host adapter, and a WFP Layer Set directional filter; also enables applying NDIS layer filters and switch extension layer filters, and logging discarded packets.

Does not support driver-level filters. Fast filtering with fully qualified filter expressions only—limited to certain filter types. Not as fast as Message Analyzer Fast Filters.

Decrypt encrypted messages

Provides the following capabilities:

  • Decrypting messages from protocols that are encrypted with TLS and SSL. Requires a *.cert file and password. Message Analyzer attempts to decrypt all conversations and reports results to the Decryption tool window for analysis.
  • Capturing SMB traffic unencrypted with the SMB2 Client with Full Payload trace scenario.
  • Capturing HTTP client-side traffic unencrypted in the Pre-Encryption for HTTPS trace scenario.
  • Capturing HTTP traffic unencrypted with the Microsoft-Windows-WinInet-Capture provider in the Pre-Encrypted HTTPS Direct trace scenario.

Provides the NMDecrypt Expert, which performs limited decryption for specifically selected TLS conversations.

Automate data capture

Provides PowerShell-enabled features with various action, trigger, and configuration cmdlets. See Automating Tracing Functions with PowerShell.

Provides NMCap; has some limited automation functionality.

Perform advanced data analysis with graphic visualizers and high-level summaries

Provides built-in Chart style data viewers, such as the Gantt and Interaction chart viewers, and tools for creating new Charts. Also includes preview Chart viewers and other Tools that can be enabled.

Provides Experts for Top Users and Top Protocols displays.

Quickly reorganize traffic as network/transport conversations and correlate process names and process IDs

Provides the following capabilities:

  • The Grouping viewer with the Process Name and Conversations view layout.
  • The Analysis Grid viewer Group command.

Note: Both of these features allow reorganization of traffic by pivoting on selected field-groups.

Provides a static Conversation Tree — with process icons and inbox process tracking.

View entire message stack at a glance

Provides the following capabilities:

  • Multiple Message Stack tool windows containing configurable stack views, along with advanced window pinning capabilities for data comparisons.
  • Inline display of the message stack for any Analysis Grid viewer message.

Provides stack nodes integrated into Frame Details.

Focus on Operations (grouped request/response pairs) that expose critical information at top-level.

Reassemble message fragments

Provides the following capabilities:

  • Displays Operations by default in the Analysis Grid viewer; also enables hiding Operations.
  • Convenient analysis of server response times versus time elapsed to expose slow server responses and network latency issues, respectively.
  • Automatically reassembles fragments and locates them in the message stack for quick correlation.

Provides flat/static display only, for all message packets.

Provides manual Frame Reassembly only.

Find data trends and sequences of events in a message set; create custom pattern matching assets

Provides these features:

  • Pattern Match viewer — provides built-in Pattern Expressions that expose specified sequences of events, values, and other relationships in a set of trace results.
  • Pattern Editor — an extensibility feature that enables users to create their own Pattern Expressions in the OPN language, with or without UI automation.

Detects only individual messages that meet filtering criteria.

Quickly access diagnostic information to pinpoint errors

Provides these features:

  • Diagnostics tool window, which summarizes diagnostic information across large and small data sets alike.
  • DiagnosisTypes column in the Analysis Grid viewer, which exposes errors at top-level.

Detects only individual messages that meet specified filtering criteria.


Even though Message Analyzer is a new tool, currently at version 1.3, it already surpasses Network Monitor's capabilities in many ways, and we are working hard to address user requests for new features and fixes that will continue to make it the network protocol and system message analysis tool of choice going forward. We are also working on incorporating features into Message Analyzer that have long been prized by Network Monitor users, such as the Conversation Tree. Right now, we have the previously described Grouping viewer, which performs a similar function, and we are working to further develop its features.

So please download Microsoft Message Analyzer for free and give it a try if you haven’t already!

More Information
To learn more about Message Analyzer and the capabilities described in this article, see the Message Analyzer Operating Guide on TechNet.


Additional Details

The table that follows provides additional details for comparison of Message Analyzer features with similar Network Monitor features.

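Table 2: Additional Message Analyzer and Network Monitor Feature Comparisons

Each row below lists, in order: the feature, the Message Analyzer capability, and the Network Monitor capability.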

Retrieving Message Data  :   Loading data from saved input trace and log files

Apply a Time Filter to input data

Provides time window filtering for saved input file data loaded through a Data Retrieval Session.

Does not support time window filtering.

Utilize flexible input data source configurations

Provides the Add Data Source feature to enable creating different input data configurations through file selection and filtering during session configuration.

Does not support data source configurations.

Work with Azure data

Processes the following types of Azure data:

  • Azure Tables.
  • Azure Storage BLOB containers — connect to this source via the File Selector dialog.

Does not support access to Azure data.

Change loaded data results through parsing options

Provides these features:

  • Setting a Parsing Level in the New Session dialog, to control the top level to which parsing occurs and to limit messages displayed.
  • Reparsing a message set with specified alternate protocol ports.
  • Parsing with a pared-down parser set when Truncation support is needed.

Note: Reparsing a message set is also supported.

Parser Profiles provide some parsing options.

Capturing Message Data  :   Capture live data on the network, from components and devices, and applications

Specify advanced capture settings

Provides the following capabilities:

  • Enables capture of remote traffic on selected host adapters or from a Hyper-V-Switch.
  • Provides NDIS layer and Switch extension layer filter capability, packet traversal path settings, and more.

Does not support advanced layer filtering.

Capture ETW events

Provides these features or capabilities:

  • All trace providers instrumented for ETW.
  • Capture all the events of registered ETW components, or specific events with the use of event Keyword and error Level filters (if configured in the component).
  • Create custom capture configurations by combining PEF providers with any registered system ETW provider in Live Trace Session configuration.

Does not support capture of ETW events.

Set ETW session properties

Enables control (from the user interface) of ETW session buffer size, buffer count, and flush timer interval settings to minimize dropped packets.

NMCap enables buffer configuration through registry settings.

Use a filter to limit the scope and number of captured messages

Provides the Message Analyzer Filters asset collection Library from which to choose a Session Filter during Live Trace Session configuration.

Provides a filter Library in Capture Settings, for specifying a Capture Filter during session configuration.

Modify displayed trace data through parsing options

Enables the following:

  • Setting a Parsing Level in session configuration to control the top level to which parsing occurs.
  • Reparsing a message set with specified alternate protocol ports.
  • Reparsing a message set.

Provides Parser Profiles, which have some parsing options.

Create custom, user-defined Trace Scenarios

Enables the following:

  • Saving customized Trace Scenarios — configure and save a Live Trace Session configuration with a target computer/s, a Session Filter, message provider settings, a data viewer, and/or a Parsing Level, based on a modified built-in scenario or a specified configuration.
  • Running custom scenarios on demand where repetitive use is required.

NMCap provides some scenario functionality.

Viewing Message Data   |   Analyzing Message Data   :   View and analyze trace results

Develop custom Chart style data viewers

Provides Chart configuration tools for creating custom graphic visualizer components, based on selected data fields and predefined formula configurations.

Provides some support for charts through the Expert plug-in model and API.

Select and create View Filters

Provides the following:

  • Enables selecting filters from a centralized View Filter asset collection Library with Azure Storage, Address Filtering, Diagnosis, General Examples, RegEx, Contains Filters, HTTP, TCP, LDAP, Remove Noise, File Sharing, USB, and My Items categories.
  • Enables creating filters in OPN with the IntelliSense© statement completion service; see Writing Filter Expressions.

Provides the following:

  • Enables loading Display Filters from a filter Library.
  • Enables creating filters with limited statement completion service support.

Locate specific messages in large data sets

Provides these capabilities:

  • Go To Message feature, to search across multiple data sources for a specific message number.
  • Find command, which can filter for specific messages.

Provides these capabilities:

  • Go To frame number.
  • Find Frame data.

Obtain flexible views of stack messages

Provides the Viewpoint tool window for displaying data from the perspective of selected stack layers, protocols, or modules. Contains:

  • A Viewpoint Library with predefined Viewpoint filters.
  • Options for toggling (hiding and displaying) Operations.

Does not coalesce messages into operations; provides flat/chronological view of raw packets only.

Replace cryptic field values with user-defined aliases

Enables creating aliases from/for certain Analysis Grid values, applying built-in or custom aliases, and managing with the Alias Editor.

Enables creating, applying, and managing aliases.

Correlate message fields

Provides the following:

  • Grouping, as the main tool for message correlation.
  • Unions, for correlating fields that contain similar data, but with disparate names and types. Includes creating, applying, and managing Unions (also known as Correlations).
  • Shift Time, which enables correlation of messages by aligning timestamps across multiple data sources.

Does not support these types of correlations.

Expose message field details and use advanced capabilities

Provides these features or capabilities:

  • Details tool window and inline display of message Details for any Analysis Grid viewer message.
  • Pinning message field values in Details for comparison.
  • Additional global Properties and Annotations generated by Message Analyzer for analysis enhancements.
  • Common context menu to create View Filters, new data columns, Grouping viewer groups; changing field value formats; and viewing field definitions in OPN.
  • Tracking field and property values across a trace with toolbar controls.

Provides the following:

  • Frame Details with expandable stack nodes and field values.
  • Context menu for creating Display Filters and Color Rules, and displaying field and type definitions.

Analyze hexadecimal message field values

Provides multiple Message Data tool windows for displaying the hexadecimal values of any selected field. Also enables:

  • Pinning hex values for comparing messages.
  • Flexible display options for Hex, ASCII, and Binary formats.

Provides Hex Details with the Decode As function.

Track message selection to enhance navigation and analysis

Provides the Selection tool window for:

  • Enhanced message navigation to recover previously selected messages, if focus is lost.
  • Backtracking or forward navigating message selections across Message Analyzer sessions.

Does not support enhanced message selection capabilities.

Expose new fields and focus analysis by selecting built-in View Layouts

Provides for selection of multiple built-in View Layouts that expose specific data fields in the following:

  • Grouping viewer.
  • Analysis Grid viewer.
  • Selection tool window.

Also enables creating, saving, and selecting new View Layouts.

Provides these capabilities:

  • Selecting Column layouts from a minimal asset collection of predefined items.
  • Creating and saving new Column layouts.
  • Creating, saving, and selecting new window Layouts.

Expand analysis by exposing key message fields as new data columns or other entities

Provides these features:

  • Centralized Field Chooser with all parsed fields available to other Message Analyzer features, such as Charts and Pattern Expressions.
  • Select from a hierarchical message display and add as a column to the Analysis Grid viewer, as a group in the Grouping viewer, or use in a Chart formula.

Provides the Column Chooser with limited fields; non-hierarchical.

Dynamically alter trace data through session reconfiguration

Provides the Edit Session dialog — opens from Live Trace and Data Retrieval Session results. Enables specifying a different session configuration, applying changes, and creating an altered view of data which can improve performance.

Does not support alteration of trace data through session reconfiguration.

Expose messages as alerts or troubleshooting flags by using text decoration

Provides selection of multiple built-in Color Rules. Provides rich configuration capabilities, including gradient styles.

Does not provide predefined Color Rules. Configurable with minimal capabilities only.

Shift timestamp values to correlate time-skewed data in multiple input files

Provides the Shift Time dialog to enable discrete time shifts and time zone changes for different data sources.

Does not support time shifting for correlating data.

Quickly explore multiple trace sessions and data viewer content

Provides the Session Explorer tool window for quick access to data from multiple sessions and session viewers:

  • Contains a rich set of progress and status indicators.
  • Identifies each session and related viewers by common node colors in Session Explorer and by matching colors on each related session viewer tab.
  • Uses icons or glyphs to indicate assets applied to a session.

Does not support multiple session/viewer exploration.

Enhance analysis perspectives by using multiple viewing formats for trace data

Provides the following:

  • Access to the built-in Message Analyzer Charts asset collection containing multiple data viewing formats, including Charts with graphic data visualizers.
  • Correlation of data from different views.

Has a single tree-grid view only. Network Monitor Experts provide some additional viewing functionality, but do not allow data correlation between views.

Preview new viewers and analysis tools and provide feedback to Microsoft

Provides the following:

  • Enable preview Features from the Options dialog.
  • Test new data viewers or tool windows and provide feedback to Microsoft for improvements.

Does not provide any preview features.

Explore internal parser code

Enables display of OPN parser definitions.

Enables display of NPL code.

Perform alternate message decoding

Enables reparsing trace results with alternate port definitions for certain message types.

Provides the Decode As feature for reparsing frames that did not originally parse.

Annotate messages with Comments and Bookmarks

Provides the Comments and Bookmarks tool windows.

Enables Frame Comments only.

Configure window layouts

Provides the following:

  • Window redocking navigation controls.
  • Saving and restoring the current window layout.

Note: Window layout presets are not yet supported.

Provides window Layout presets; does not allow window redocking.

Managing Message Analyzer Assets   :   Share, manage, and auto update asset collections

Share Filters, Charts, and other asset collections with others

Manage asset collections

Provides the Message Analyzer Sharing Infrastructure:

  • Auto-sync asset collections for automatic updates and downloads, including Filters, Parsing Levels, View Layouts, Charts, Pattern Expressions, Trace Scenarios, Viewpoints, Color Rules, Parser packages, and so on.
  • Create custom user feeds.
  • Manage individual asset collections.
  • Export/import assets to/from a file share, respectively, for sharing with others.

Checks for updates only.

Saving Message Data   :   Choose messages to save or export

Save specific data

Provides selectable options for saving data:

  • Save all messages.
  • Save filtered messages.
  • Save selected messages.

Provides selectable options for saving data:

  • Save all captured frames.
  • Save displayed frames.
  • Save selected frames.
  • Save frame range.

Specify save format

Enables saving to *.matp file format or exporting to *.cap file format.

Enables saving to *.cap file format only.

Feedback   :   Provide feedback to Microsoft from the Message Analyzer user interface

Provide feedback on experience with specific features
Suggest new features or improvements

Provides the following features or capabilities:

  • Use Message Analyzer Feedback dialogs.
  • Participate in the Experience Improvement Program.
  • Feedback Center — answer predefined questions about your experience with using Message Analyzer features.

Feedback options are not provided.

Comments (13)

  1. GS says:

    What is the point? We all know Message Analyzer has more features. Yet the UI is so convoluted that every time I have a choice of what to use, I go and download Network Monitor.

  2. Paul E Long says:

    We have also been working to make the UI flow better, and we have even more plans as we move forward. If there are specific problems, I’d love to hear your specific feedback.

  3. Andy Pennell says:

    Long live NetMon. I have yet to figure out how to actually get a network trace from Message Analyzer: it shouldn’t be this hard.

  4. Paul E Long says:

    Start Message Analyzer as Administrator (required by Win8 and above), select the Start Local Trace button from the top.

  5. Amy Lee says:

    Hi Paul. I am trying to trace a USB scenario where I am writing/reading 1 GB to/from a USB 3.0 stick. However, I cannot find the column or data that shows the amount of data in bytes transferred per packet in the trace session. The sum of the payload size per message does not even sum up to 1 GB, so I thought that "TransferBufferLength" column would display the values that would add up to 1 GB, but there are no values displayed in the column. I was wondering if you guys are working on a feature to capture the messages with the actual amount of data that is passed through the transfer, or there is a specific column in MMA that displays the values for the amount of data transferred per message. My other problem is that when I plug the USB 3.0 device and start a live trace session, the name of the device does not show up under "UsbDevice" column, which makes me question if MMA is even capturing data passing through the USB (even though I have specified the USB scenario before starting the live trace).

  6. Anonymous says:

    Applies to: Windows 10 Windows Server 2012 R2 Windows 7 Windows Server 2012 Windows 8 Windows Server

  7. asliwxM says:

    How is Windows 10 support looking?

  8. Paul E Long says:

    We can run and capture on Windows 10; however, we are currently investigating some issues, so if you have a problem please tell us about it in the forums.

  9. bill says:

    Know where we can find additional View Layouts? And is there a NetMon type View Layout I can import?

  10. Paul E Long says:

    At this point we only ship new layouts with the product. For a Netmon layout, what is important to you? Do you simply want the TimeDelta column? Or are you also interested in seeing the flat layout of messages and all the fragments?

  11. Dr Sylvester Benson says:


  12. G D P says:

    Any tip to run Message Analyzer as User and not as Administrator?

    1. Paul E Long says:

      You only have to run as Admin if you want to capture NDIS provider traffic from the network. This is required by the OS and not specific to Message Analyzer.
