How to set up a local network trace on the LAN using the Message Analyzer v1.3 UI?

Applies to:

  • Windows 10
  • Windows Server 2012 R2
  • Windows 8.1
  • Windows Server 2012
  • Windows 8
  • Windows Server 2008 R2
  • Windows 7

Does not apply to:

  • Windows Server 2008
  • Windows Vista
  • Windows Server 2003
  • Windows XP


There are several network tracing (packet sniffing) tools out there such as:

  • NetSh trace start
  • Network Monitor (Netmon), which Message Analyzer replaced.
  • Wireshark

For those coming from the Unix/Linux world:

  • Wireshark (used to be known as Ethereal).
  • Tcpdump
  • Cain and Abel
  • Kismet
  • Dsniff
  • NetStumbler
  • Ettercap
  • Ntop
  • EtherApe

For Windows, we prefer to collect network traces with the Microsoft “Message Analyzer”.  There is one reason, out of many, that we personally like: it records the owning process, which other network capture tools don’t.  So when we correlate the trace with a log file (i.e. Cluster.log), a perfmon data set or a WPT (WPRUI/WPR/xperf) data set, we can correlate the process and threads that were doing the work or misbehaving.

Step 1.  To install Message Analyzer, here is a step-by-step instruction:

Tool: Installing the Microsoft Message Analyzer version 1.3

Step 2.  Before you capture any network trace, here are questions you should have ready when you are capturing it:

Network tracing (packet sniffing) data to provide when troubleshooting.

Step 3. How much memory does it use during a network trace capture?

The installation requirements are documented here:  Installing and Upgrading Message Analyzer

On a machine with 4GB (1GB being used by the bus and video card):


The good news is that it doesn’t seem to use that much Non-paged pool memory.


The application itself uses at least 621 MB of Private Bytes (Commit size).


How much disk space does it use?  350 MB for the install and we recommend at least 50GB of free disk space for the network captures.

Where are the temp files kept?  c:\Users\UserProfileName\AppData\Local\Temp\MessageAnalyzer\MessageAnalyzer\{GUID}\

In this example, it’s in c:\Users\UserProfileName\AppData\Local\Temp\2\MessageAnalyzer\MessageAnalyzer\{GUID}\



Our Server team builds the C: drive with only 60GB of disk space; by the time the O.S., apps, tools and all the security updates are installed, we are down to less than 10GB of free disk space.  How do we change the path where the temp files are written to?

In order to change the location of the temp folders, you will need to:

  • Browse to C:\Program Files\Microsoft Message Analyzer
  • Right click on “MessageAnalyzer.exe.config”
  • Click on “Open with”
  • Click on “Try an app on this PC”
  • Select “Notepad”
  • Under <configuration>, add the following:

                <add key="TempFolderPath" value="<drive:>\<your temp folder>\"/>

Note:  Where <drive:>\<your temp folder>\ is your drive and folder that has enough free disk space.
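As an added example (not from the original post), the same config change scripted in PowerShell, with the free-space check the post recommends. It assumes the default install path above and that Message Analyzer reads an <add key="TempFolderPath"/> element placed directly under <configuration>, as the post describes; D:\MATemp\ is a placeholder for your own drive and folder.

```powershell
# Added example: redirect Message Analyzer's temp folder to a drive with enough room.
# Assumptions: default install path, and <add key="TempFolderPath"/> directly under
# <configuration> as described above. Run from an elevated PowerShell prompt.
param(
    [string]$ConfigPath = 'C:\Program Files\Microsoft Message Analyzer\MessageAnalyzer.exe.config',
    [string]$TempFolder = 'D:\MATemp\',   # placeholder: a drive with >= 50 GB free
    [int]$MinFreeGB     = 50
)

# Check free space on the target drive before committing to it.
$drive = (Split-Path -Qualifier $TempFolder).TrimEnd(':')
$freeGB = (Get-PSDrive -Name $drive).Free / 1GB
if ($freeGB -lt $MinFreeGB) {
    throw ("{0}: has only {1:N1} GB free; at least {2} GB is recommended for captures." -f $drive, $freeGB, $MinFreeGB)
}
if (-not (Test-Path $TempFolder)) {
    New-Item -ItemType Directory -Path $TempFolder | Out-Null
}

# Keep a backup of the config before touching it.
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force

[xml]$cfg = Get-Content $ConfigPath
$existing = $cfg.configuration.SelectSingleNode("add[@key='TempFolderPath']")
if ($existing) {
    # Key already present: just update the path.
    $existing.SetAttribute('value', $TempFolder)
} else {
    $node = $cfg.CreateElement('add')
    $node.SetAttribute('key', 'TempFolderPath')
    $node.SetAttribute('value', $TempFolder)
    $cfg.configuration.AppendChild($node) | Out-Null
}
$cfg.Save($ConfigPath)
Write-Host "TempFolderPath set to $TempFolder (backup at $ConfigPath.bak)"
```

Restart Message Analyzer after saving so the new path is picked up.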

Step 4.  Minimize the noise.

Close all the applications that are unnecessary for the issue that you are investigating.


Step 5.  Clear any caching that has been done.

Clear all name resolution cache as well as all cached Kerberos tickets.

To clear the DNS name cache, type: IPConfig /FlushDNS

To clear the NetBIOS name cache, type: NBTStat -R

     Note:  This command requires you to be a “Local Administrator” (i.e.  CMD (Run as admin)).

To clear Kerberos tickets you will need KList.exe: KList purge

Note:  Depending on what permissions the service or application has, you might have to open a Command Prompt (CMD.exe) using those permissions.  For example, if the app or service uses the System account, you will need to use Sysinternals PsExec:

PSExec.exe -s -i cmd.exe

Then run the commands above in the new command prompt that opened to clear the cache(s).

Likewise, if you are troubleshooting Internet Explorer (IE), clear the IE cache.
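As an added example (not from the original post), the three cache flushes from this step in one PowerShell script that refuses to run unless the prompt is elevated, since NBTStat -R needs it, and then shows what is left in the DNS and Kerberos caches. Get-DnsClientCache is only available on Windows 8 / Server 2012 and later, so that check is skipped where the cmdlet is absent.

```powershell
# Added example: clear name-resolution and Kerberos caches before a capture.
# Run from an elevated prompt (or under "PSExec.exe -s -i" when the service
# under investigation runs as SYSTEM, so its own caches are the ones cleared).
function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsElevated)) {
    throw 'This prompt is not elevated; NBTStat -R will fail. Re-run as administrator.'
}

# Each entry pairs a description with the native command the post gives for it.
$steps = @(
    @{ Name = 'DNS resolver cache';    Cmd = { ipconfig /flushdns } },
    @{ Name = 'NetBIOS name cache';    Cmd = { nbtstat -R } },
    @{ Name = 'Kerberos ticket cache'; Cmd = { klist purge } }
)

foreach ($s in $steps) {
    Write-Host ("Clearing {0} ..." -f $s.Name)
    & $s.Cmd | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ("{0}: command returned exit code {1}" -f $s.Name, $LASTEXITCODE)
    }
}

# Verification: the DNS cache should be empty right after the flush.
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    $left = @(Get-DnsClientCache -ErrorAction SilentlyContinue).Count
    Write-Host "DNS cache entries remaining: $left"
}
# klist with no arguments lists the tickets still cached for this logon session.
klist
```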


Step 6.  In this blog post, I’ll discuss how to set up a network capture with Message Analyzer version 1.3 when you are connected via an Ethernet network cable (RJ-45 CAT 5, CAT5e, CAT6, CAT6a, CAT 7, etc.).


Right click on “Message Analyzer”
Click on “Run as administrator”


Gotcha #1:

If you don’t run it as a local admin, you will get the following error message when trying to setup the capture:


Gotcha #2:

On machines without internet access, you will get the following error message:


If you click on the “Show Log”, you will see something similar to:






Click on “New Session”


You should see the screen above.


Next to “Parsing Level:”

Change from “Full” to “High Performance Capture without Parsing”


You should see the screen above.


Under “Select a trace scenario”

Select “Local Network Interfaces (Win 8.1 and later)”.


If you have multiple NICs and you want to select which NIC is being monitored, click on “Configure”


Click on the “Provider” tab


Select the NIC based on its “MAC Address”

Or, to find out which IP address correlates to which “MAC Address”, run the following in PowerShell:


gwmi Win32_NetworkAdapterConfiguration | ft MacAddress,IpAddress


Click on “OK”


Click on “Start”


You will notice that under “Session Explorer” > “Session 1” a green bar is moving across.

And you should also notice the message numbers start to fill out.


<Reproduce the issue>

TIP:  Make the repro as simple and short as you can make it.



When you are ready to stop the network trace, click on the “Stop” icon (or press Shift+F5).


Click on the “Save” icon (or press CTRL+S).


Click on “Save as” and add a name to your network capture.


If you are going to be using it in Wireshark or still want to use Network Monitor 3.4 (Netmon), click on “Export” and add a name to your network capture.


If you are sharing the network trace, make sure to provide a detailed description of what was occurring when the network trace was taken, and include screenshots if you can.





Related links:

  • Microsoft Open Specifications Support Team Blog
  • Message Analyzer has Released – A New Beginning
  • Introduction to Network Trace Analysis Using Microsoft Message Analyzer: Part 1
  • Introduction to Network Trace Analysis Using Microsoft Message Analyzer— Part 2
  • Introducing the Netlogon Parser (v1.0.1) for Message Analyzer 1.1
  • Troubleshooting Basics for the Netlogon Parser (v1.0.1) for Message Analyzer
  • Troubleshooting TLS1.2 and Certificate Issue with Microsoft Message Analyzer: A Real World Example
  • So you want to use Wireshark to read the netsh trace output .etl?
  • Microsoft Message Analyzer Operating Guide

Comments (5)

  1. jim says:

    most of your images are not available, generating 404 – File or directory not found errors

  2. @jim, the website has been flaky, the images are back, and I didn’t change anything.

  3. Anonymous says:

    Applies to: Windows 10 Windows Server 2012 R2 Windows 7 Windows Server 2012 Windows 8 Windows Server
