The life of a troubleshooter in an IT team is not easy. There are instances when there is no alternative to really digging in and getting a holistic view of exactly what is going on inside the system. At those moments, you want your analysis tool to support you in every possible way. Sadly, with the traditional Microsoft tools and their makeshift alternatives, this has never been the case.
With a massive number of logs to analyze, and several mini-analyses to manage quickly, you need a tool that can crunch the data, present it in an intuitive manner, and be customized. Matching packet information with event logs is a headache, truth be told.
Thankfully, Microsoft Message Analyzer makes things better. Let’s understand what it does, and what’s new about this tool. (For an overview of Microsoft Message Analyzer, go here.)
Introduction to Microsoft Message Analyzer 1.4
Microsoft Message Analyzer 1.4 is the successor of Microsoft Network Monitor 3.4. (This, however, might be an oversimplification; more on this later.) It is the perfect tool to capture, display, and analyze protocol messaging traffic, all kinds of system and application messages, and events in diagnostics and network troubleshooting endeavors.
Using this tool, you can load, aggregate, understand, and analyze massive message exchange and log data from the saved trace documents. No, it will not write the script for “True Detective” Season 3, someone else needs to do that!
Microsoft Message Analyzer 1.4 is therefore a vital component of the Protocol Engineering Framework, which itself aims at significantly improving protocol design, development, implementation, documentation, testing, and support. It also enables capturing remote traffic in real time, and it can load archived message logs from several sources in parallel.
A comparison with Microsoft Network Monitor
Remember Network Monitor from Microsoft? It was okay at best, and mostly very troublesome to work with. It is natural to envisage Microsoft Message Analyzer as Network Monitor plus some more features.
However, Message Analyzer 1.4 is more powerful than that, and completely reinvents the way things work. For starters, it lets you capture traffic information from a whole spectrum of sources (Windows event logs, SQL, Azure, PowerShell, and even Wireshark .pcapng files). It follows this up with several new features, which we explain below.
Basics of Microsoft Message Analyzer 1.4
The basic unit of data in Message Analyzer is called a "message," which can be anything from a frame or a captured packet to an event. These messages are then arranged into conversations and sessions.
Here's an example of how a message stack in a TCP packet will look in Message Analyzer. See the granular level of information presented in the Module column. More views can be added to see more detailed information for the packet.
The entire message stack can be reviewed in order, along with each data field and the message details. Packets of two-way communication between hosts are represented by a blue icon, and you can use the sub-message stack to drill down to the binary data.
What’s so magnificent about it?
Well, a lot. Let’s take a quick look at the most value-adding features it offers.
Advanced layouts and presentation options
Using Microsoft Message Analyzer 1.4, you can display traces and logs in many visual formats. Using Layouts, you can showcase the information in the form of a tree-grid (default view), or you can use the interactive Tool Windows.
Using design elements such as grids, timelines, and bar elements among others, you can deliver broad summaries as well as deep-dive analyses with equal ease. Why not configure your custom Layouts for the Chart viewer? Microsoft Message Analyzer 1.4 offers this option.
Customizable work and analysis environments
You can use the Profiles feature to create integrated and interactive analysis environments that display predefined layouts when you load specific kinds of input files. These customized environments are your custom Profiles, which are preset to load specific layout types and data viewers depending on the input data format. Your custom profiles make Microsoft Message Analyzer 1.4 a highly personalized tool to use.
Remote capture from multiple computers – like a pro
From Windows 8.1/2012 R2 onwards, the packet capture driver of Message Analyzer is built into the Windows OS. So, with WinRM configured properly, you can capture data from remote machines as well. What's more, data can be captured from several machines simultaneously: just add the names or IP addresses of the computers you need to capture data from. When you start a live session, enter the IP in the Computer Name/IP Address field.
Advanced encryption of data
Enterprise networks are witnessing all-time-high levels of intrusion risk, which underscores the need to encrypt all data. Message Analyzer recognizes and delivers on this requirement. Go to Tools and choose Options. Here, in the Decryption tab, you can Add Certificate (SSL) and decrypt the captured data.
Other options you can explore are:
- Capture data at the Windows Firewall level, before the local IPsec encryption has occurred.
- Capture data at the application level, before HTTPS encrypts it.
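As an added example (not from the original article), here is the remote-capture preparation and the firewall-level capture from the two sections above, scripted in PowerShell so they can be repeated without clicking through the UI. `Enable-PSRemoting`, `Test-WSMan` and the `WSMan:` drive are standard Windows cmdlets; the `New-/Start-/Stop-PefTraceSession`, `Add-PefMessageSource` and `New-PefTimeSpanTrigger` cmdlets and the provider name `Microsoft-Pef-WFP-MessageProvider` are assumed to be those of the PEF module that installs with Message Analyzer, and the host name and trace path are placeholders.

```powershell
# Added example: prepare WinRM for remote capture, then run an unattended
# capture at the Windows Firewall (WFP) layer into a circular trace file.
# Assumptions: the PEF PowerShell module that ships with Message Analyzer is
# installed on the analysis machine; host name and paths are placeholders.

# --- 1. On the machine to be captured (run once, as Administrator) ---
# Turns on the WinRM service, its HTTP listener and the firewall exception.
Enable-PSRemoting -Force

# --- 2. On the analysis machine: verify the remote endpoint answers ---
$remoteHost = 'SERVER01.example.local'   # placeholder

# In a domain, Kerberos authenticates the remote host and nothing else is
# needed. Only for workgroup hosts add the specific name to TrustedHosts;
# never use '*', which disables server identity checks for every target.
if (-not (Test-WSMan -ComputerName $remoteHost -ErrorAction SilentlyContinue)) {
    Set-Item -Path WSMan:\localhost\Client\TrustedHosts `
             -Value $remoteHost -Concatenate -Force
}
Test-WSMan -ComputerName $remoteHost | Select-Object ProductVersion
# $remoteHost can now be entered in the Computer Name/IP Address field of a
# live session, or several hosts can be listed to capture in parallel.

# --- 3. Scripted capture at the WFP (firewall) layer ---
Import-Module PEF   # assumed module name

# Circular 50 MB trace saved on stop: a long capture cannot fill the disk.
$session = New-PefTraceSession -Mode Circular -Force `
    -Path 'C:\Traces\wfp-capture.matu' -TotalSize 50 -SaveOnStop

# The WFP provider sees traffic before local IPsec encryption is applied.
Add-PefMessageSource -PEFSession $session `
    -Source 'Microsoft-Pef-WFP-MessageProvider'

# Bound the capture window: the session stops itself after 60 seconds.
# Reproduce the problem while it runs, then open the .matu file in the UI.
$stopAfter = New-PefTimeSpanTrigger -TimeSpan (New-TimeSpan -Seconds 60)
Stop-PefTraceSession -PEFSession $session -Trigger $stopAfter
Start-PefTraceSession -PEFSession $session   # blocks until the trigger fires
```

Decrypting the resulting TLS traffic in the UI still requires the server certificate with its private key to be added under Tools > Options > Decryption, as described above; the capture layer alone does not remove HTTPS encryption.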
With Message Analyzer, you can troubleshoot SMB, Bluetooth, and USB directly. While setting up the trace, select the suitable trace scenario, and you're set (but of course we are not really set until Kiefer Sutherland plays out his Jack Bauer role in the best show of all time, which is "24," though this is another topic). The tool also checks messages for warnings, anomalies, or errors.
Message Analyzer gives you ample visibility into processes by displaying process names, kernel modules, packet timings, and system responses. Just select the suitable views, and you will have all the information you need. Here's an example of the range of information you can see.
The most alluring part about Microsoft Message Analyzer is that it allows you never-seen-before flexibility in your system analyses. You can arrange data from different sources in grids, or you can place them side by side for comparison.
Configurable layouts and profiles make it a highly personalized tool. IT network experts have had the cold shoulder from developers of system analysis and troubleshooting tools. Microsoft Message Analyzer 1.4 has changed this situation and this relationship.
Photo credit: Flickr / Karlis Dambrans