How to set up a local network trace on the LAN using the Message Analyzer v1.3 UI?

Applies to:

Windows 10

Windows Server 2012 R2

Windows 8.1

Windows Server 2012

Windows 8

Windows Server 2008 R2

Windows 7

 

Does not apply to:

Windows Server 2008

Windows Vista

Windows Server 2003

Windows XP

 

There are several network tracing (packet sniffing) tools out there such as:

  • NetSh trace start
  • Network Monitor (Netmon) which Message Analyzer replaced.
  • Wireshark

For those coming from the Unix/Linux world:

  • Wireshark (used to be known as Ethereal).
  • Tcpdump
  • Cain and Abel
  • Kismet
  • Dsniff
  • NetStumbler
  • Ettercap
  • Ntop
  • EtherApe

For Windows, to collect the network traces we prefer the Microsoft “Message Analyzer”.  Out of its many features, there is one (1) reason we personally like it: we get the process that sent or received each packet, which we don’t get in other network capture tools.  Thus, when we are correlating to a log file (i.e. Cluster.log), a perfmon capture or a WPT (WPRUI/WPR/xperf) data set, we are able to correlate the processes and threads that were doing the work or misbehaving.

Step 1.  To install Message Analyzer, here are step-by-step instructions:

Tool: Installing the Microsoft Message Analyzer version 1.3

Step 2.  Before you capture any network trace, here are questions you should have ready when you are capturing it:

Network tracing (packet sniffing) data to provide when troubleshooting.

Step 3. How much memory does it use during a network trace capture?

The installation requirements are documented here:  Installing and Upgrading Message Analyzer

On a machine with 4GB (1GB being used by the bus and video card):

image

The good news is that it doesn’t seem to use that much Non-paged pool memory.

image

The application itself uses at least 621 MB of Private Bytes (Commit size).

 

How much disk space does it use?  350 MB for the install and we recommend at least 50GB of free disk space for the network captures.

Where are the temp files kept?  c:\Users\UserProfileName\AppData\Local\Temp\MessageAnalyzer\MessageAnalyzer\{GUID}\

In this example, it’s in c:\Users\UserProfileName\AppData\Local\Temp\2\MessageAnalyzer\MessageAnalyzer\{GUID}\

image

 

So, our Server team builds the C: drive with only 60GB of disk space.  By the time the O.S., apps, tools and all the security updates are installed, we are down to less than 10GB of free disk space.  How do we change the path where the temp files are written to?

In order to change the location of the temp folders, you will need to:

image

Browse to C:\Program Files\Microsoft Message Analyzer

image

Right click on “MessageAnalyzer.exe.config”

Click on “Open with”

image

Click on “Try an app on this PC”

image

Select “Notepad”

image

Under <configuration>, add the following:

  <appSettings>
    <add key="TempFolderPath" value="<drive:>\<your temp folder>\"/>
  </appSettings>

Note:  Where <drive:>\<your temp folder>\ is your drive and folder that has enough free disk space.
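The same edit can be scripted.  The following is an added example (not from the original post or from the Message Analyzer team): it adds or updates the TempFolderPath setting in MessageAnalyzer.exe.config through the XML API, after checking that the target drive has the free space recommended above and backing the file up.  It assumes the default install path shown above and a hypothetical target folder D:\MATemp\; run it from an elevated PowerShell because the file lives under Program Files.

```powershell
# Added example: point Message Analyzer's temp folder at a drive with room for captures.
# $TempFolder is a hypothetical value; change it to a folder on your large drive.
param(
    [string]$ConfigPath = 'C:\Program Files\Microsoft Message Analyzer\MessageAnalyzer.exe.config',
    [string]$TempFolder = 'D:\MATemp\',   # keep the trailing backslash, as in the post
    [int]$MinFreeGB     = 50              # the post recommends at least 50 GB for captures
)

# 1. Make sure the target drive exists and has enough free space before redirecting temp files.
$drive  = Get-PSDrive -Name $TempFolder.Substring(0, 1) -PSProvider FileSystem -ErrorAction Stop
$freeGB = [math]::Round($drive.Free / 1GB, 1)
if ($freeGB -lt $MinFreeGB) {
    throw "Only $freeGB GB free on $($drive.Name): - need at least $MinFreeGB GB for network captures."
}
if (-not (Test-Path -Path $TempFolder)) {
    New-Item -ItemType Directory -Path $TempFolder | Out-Null
}

# 2. Keep a backup of the original config so the change can be reverted.
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force

# 3. Load the XML and create <appSettings> / <add key="TempFolderPath"> only if missing,
#    so running the script twice does not produce duplicate entries.
[xml]$xml    = Get-Content -Path $ConfigPath -Raw
$appSettings = $xml.configuration.SelectSingleNode('appSettings')
if ($null -eq $appSettings) {
    $appSettings = $xml.CreateElement('appSettings')
    $xml.configuration.AppendChild($appSettings) | Out-Null
}
$entry = $appSettings.SelectSingleNode("add[@key='TempFolderPath']")
if ($null -eq $entry) {
    $entry = $xml.CreateElement('add')
    $entry.SetAttribute('key', 'TempFolderPath')
    $appSettings.AppendChild($entry) | Out-Null
}
$entry.SetAttribute('value', $TempFolder)
$xml.Save($ConfigPath)

Write-Host "TempFolderPath set to $TempFolder ($freeGB GB free). Backup written to $ConfigPath.bak"
```

Restart Message Analyzer after the change; the new {GUID} temp folders should then appear under the folder you chose.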

Step 4.  Minimize the noise.

Close all the applications that are unnecessary for the issue that you are investigating.

 

Step 5.  Clear any caching that has been done.

Clear all name resolution cache as well as all cached Kerberos tickets.

To clear DNS name cache you type in: IPConfig /FlushDNS

To clear NetBIOS name cache you type in: NBTStat -R

     Note:  This command requires you to be a “Local Administrator” (i.e.  CMD (Run as admin)).

To clear Kerberos tickets you will need KList.exe: KList purge

Note:  Depending on what permissions the service or application has, you might have to open a Command Prompt (CMD.exe) using those permissions.  For example:  If the app or service uses the System account, you will need to use Sysinternals Psexec.

PSExec.exe -s -i cmd.exe

And then run the commands above in the new command prompt that opened to clear the cache(s).

Also clear any application-specific cache, e.g. if you are troubleshooting Internet Explorer (IE), clear the IE cache.
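Steps 4 and 5 can be run from one elevated prompt and then verified, so you know the capture starts without stale names or tickets.  This is an added example (not from the original post): it checks for elevation first, since NBTStat -R needs it, runs the three commands above, and then inspects each cache.  It assumes Windows 8 / Server 2012 or later for Get-DnsClientCache; run it under PSExec -s -i as described above when the application runs as the System account.

```powershell
# Added example: clear the name-resolution and Kerberos caches from Step 5 and verify the result.
function Assert-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated prompt (nbtstat -R requires a local administrator).'
    }
}

function Clear-TraceCaches {
    Assert-Elevated
    $results = @()
    foreach ($cmd in @('ipconfig /flushdns', 'nbtstat -R', 'klist purge')) {
        $exe, $rest = $cmd -split ' ', 2
        $output = & $exe $rest.Split(' ') 2>&1       # native command; stderr merged for the report
        $results += [pscustomobject]@{
            Command  = $cmd
            ExitCode = $LASTEXITCODE
            Output   = ($output | Out-String).Trim()
        }
    }
    $results
}

function Test-TraceCachesCleared {
    # These are snapshots: background traffic can repopulate the caches within seconds,
    # so run this immediately after Clear-TraceCaches, before starting the repro.
    $dnsEntries = @(Get-DnsClientCache -ErrorAction SilentlyContinue).Count
    # nbtstat -c prints "No names in cache" when the NetBIOS remote name cache is empty
    $nbtEmpty   = ((nbtstat -c | Out-String) -match 'No names in cache')
    # klist prints "Cached Tickets: (0)" for the current logon session after a purge
    $krbEmpty   = ((klist | Out-String) -match 'Cached Tickets:\s*\(0\)')
    [pscustomobject]@{ DnsEntries = $dnsEntries; NetBiosEmpty = $nbtEmpty; KerberosEmpty = $krbEmpty }
}

Clear-TraceCaches | Format-Table -AutoSize
Test-TraceCachesCleared
```

Note that KList purge only affects the logon session it runs in, which is why the PSExec step above matters for services running as System.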

 

Step 6.  In this blog post, I’ll discuss how to set up a network capture with Message Analyzer version 1.3 when you are connected via an Ethernet network cable (RJ-45 CAT 5, CAT5e, CAT6, CAT6a, CAT 7, etc.).

image

Right click on “Message Analyzer”
Click on “Run as administrator”

 

Gotcha #1:

If you don’t run it as a local admin, you will get the following error message when trying to setup the capture:

image

Gotcha #2:

On machines without internet access, you will get the following error message:

image

If you click on the “Show Log”, you will see something similar to:

image

image

Click on “New Session”

image

You should see the screen above.

image

Next to “Parsing Level:”

Change from “Full” to “High Performance Capture without Parsing”

image

You should see the screen above.

image

Under “Select a trace scenario”

Select “Local Network Interfaces (Win 8.1 and later)”.

image

If you have multiple NICs and you want to select which NIC is being monitored, click on “Configure”

image

Click on the “Provider” tab

image

Select the NIC based on its “MAC Address”.

To find out which IP address correlates to which “MAC Address”, run the following in PowerShell:

PowerShell:

gwmi Win32_NetworkAdapterConfiguration | ft MacAddress,IpAddress
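The one-liner above prints the IpAddress column as an array, mixing IPv4 and IPv6 entries, and lists virtual adapters too.  The following is an added example (not from the original post): it joins Win32_NetworkAdapterConfiguration to Win32_NetworkAdapter so you see each physical NIC’s friendly name, the MAC address you will match in the Provider tab, its IPv4 addresses and whether the link is up.  It assumes PowerShell 3.0 or later for Get-CimInstance.

```powershell
# Added example: list the physical adapters you can pick in the Provider tab, by MAC address.
function Get-CaptureNicCandidates {
    # Only adapters with an IP configuration, and only physical ones (skips tunnel/virtual NICs)
    $configs  = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    $adapters = Get-CimInstance -ClassName Win32_NetworkAdapter -Filter 'PhysicalAdapter = TRUE'

    foreach ($cfg in $configs) {
        # Index is the key shared by both classes
        $nic = $adapters | Where-Object { $_.Index -eq $cfg.Index }
        if ($null -eq $nic) { continue }

        [pscustomobject]@{
            Name        = $nic.NetConnectionID          # the name shown in Network Connections
            Description = $cfg.Description
            MacAddress  = $cfg.MACAddress               # match this in the Provider tab
            # IPAddress holds both IPv4 and IPv6; keep the dotted-quad IPv4 entries only
            IPv4        = ($cfg.IPAddress | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' }) -join ', '
            LinkUp      = ($nic.NetConnectionStatus -eq 2)   # 2 = Connected
        }
    }
}

# Connected adapters first, so the NIC carrying the traffic you care about is at the top
Get-CaptureNicCandidates | Sort-Object -Property LinkUp -Descending | Format-Table -AutoSize
```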

 

Click on “OK”

image

Click on “Start”

image

You will notice that under “Session Explorer” > “Session 1” a green bar is moving across.

And you should also notice the message numbers start to fill out.

 

<Reproduce the issue>

TIP:  Make the repro as simple and short as you can make it.

 

image

When you are ready to stop the network trace, click on the “Stop” icon (or press Shift+F5).

image

Click on the “Save” icon (or press CTRL+S).

image

Click on “Save as” and add a name to your network capture.

Or

If you are going to be using it in Wireshark or still want to use Network Monitor 3.4 (Netmon), click on “Export” and add a name to your network capture.

 

If you are sharing the network trace, make sure to provide a detailed description of what was occurring when the network trace was taken, include screen shots if you can.

Yong

 
