Message Analyzer Update Released

Message Analyzer 1.4 version 8111 has been released. This update contains some small new features and bug fixes. Here are the details:

Update: Version is now 8111 (was 8110).  Special thanks to Eric Lawrence @EricLaw for pointing out that some FWLINKS were being followed over HTTP.

  • Decode as Unicode – Now you can display raw binary as Unicode, which lets you read unparsed data more easily.


  • Network Time Protocol (NTP) assets – Included are an analysis grid layout with NTP related columns, a Chart which shows the time offset over time, and a grouping which organizes the NTP conversations. The chart can be easily filtered by selecting a single server side conversation in the grouping view. This can be used to understand the time offset from the network perspective and to troubleshoot time related issues.
  • Perfmon Profiles – Added profiles for BLG files which display an chart Analysis Grid by default. It also has accompanying Chart and Grouping layouts.
  • TLS Decryption – Added support for extended certificate request for RFC 5246. Also fixed TLS decryption issue with Windows 10. Added new logic to buffer handshake messages and use the buffer to calculate the hash.
  • Ethernet Friendly Names - Added Ethernet Friendly names for MAC addresses so you can see the Ethernet NIC manufacture name.


  • Patterns – Updated TCP pattern to work with WFP provider, which has no IP layer. Also added TLS patterns to detect TLS connections and provide some basic information like TLS version and Cipher Suite. Updated RPC pattern to consider the network/transport conversation.
  • Updated Parsers – RPRN, MS-RSVD, EFSR, WSRM10.
  • Extended “View As” - Properties and Tracking window allows “View As” functionality.

We also fixed various bugs, crashes and memory related issues. A few of the more notable fixes are below:

  • The Flatten Message feature can properly display message that contain EtwEvent fragmentation. Now using Flatten Messages provides a clearer display of network traffic for NDIS and WFP tracing when etw fragments exist.
  • Filtering on WiFi MAC filtering works properly now.
  • Previously when authoring OPN, operations were limited to 15 per contract. The limit has been increased to 100.
  • Searching for newly created comments now works properly.
  • Fixed issue where Open Select Message in Analysis Grid from Pattern Match viewer wasn’t working properly.

Please continue to help us prioritize fixes and features on our forums by voting on the most important issues. Hope you enjoy this small update!

Comments (1)

Skip to main content