Compartilhar via


Working With Message Analyzer Profiles

To analyze message data that you load from saved files through a Data Retrieval Session, Message Analyzer enables you to choose different data viewer and view Layout configurations that provide various analysis contexts based on the viewing formats in which you present data. These configurations facilitate different perspectives on message data to enhance your analysis process. Because you have many options when selecting different data viewers and layouts, determining which is the most appropriate for the data you are examining could be challenging. Given that the viewing components you select can expose the data in different ways, it is important that you make the most appropriate choice to maximize your analysis capabilities. But if your experience with Message Analyzer is limited, your success in this effort will largely depend on trial-and-error methods.

For this reason, Message Analyzer now provides the Profiles feature, which enables you to utilize a set of built-in Profiles that contain specific viewer and layout presets that activate whenever you are loading data from specific types of input files. The Profiles feature also enables you to configure your own custom-designed Profiles so that you have the option to specify the viewers and layouts in which you want to expose your data. When you are configuring a Profile, you can associate a supported input file type with the Profile by making a selection from a drop-down list. After you save your Profile, it automatically applies the specified viewer/layout configuration to your Data Retrieval Session whenever you load data from the specified file type. Generally, the manner in which a custom Profile or built-in Profile is applied by Message Analyzer is functionally identical. The notable difference between them is that built-in Profile configurations are ReadOnly and predefined by Microsoft, while all custom Profiles are editable and predefined by you.

A simple scenario in which you could use a built-in Profile might be if you regularly analyze event trace log (ETL) files for specific types of information that require a particular view of data that quickly exposes the information you need to examine for ETW analysis. To display a typical view configuration, Message Analyzer enables you to use the built-in Network Monitor Profile for *.etl files, which defines a data viewer and layout configuration that is suitable for analysis of ETL data. When this Profile is enabled and you load data from an ETL file, Message Analyzer will automatically present the viewing configuration described ahead in "Exploring the Configuration of a Built-In Profile". If you do not want this Profile to activate when you are loading data from an ETL file, you can simply disable it, as described in Enabling and Disabling Profiles; or you can create a new Profile that specifies your own configuration, as described in Configuring a New Profile.

Tip

Network Monitor users who are new to Message Analyzer can create a familiar analysis environment by employing one of several Network Monitor built-in Profiles that are available. For example, when the Network Monitor Profile for a *.cap or *.etl file type is enabled, the resulting viewer and layout configuration provides the look and feel of a Capture or ETL file opened in Network Monitor. However, the viewer and layout configuration of these and other Network Monitor Profiles is suitable for any Message Analyzer user who wants to analyze such data.

Exploring the Configuration of a Built-In Profile Although all Microsoft-defined Profiles are ReadOnly, you can still explore the viewer and layout configuration of any ReadOnly Profile by first selecting it in the Advanced Profiles list and then clicking the Edit Profile button to display the Profile configuration. For example, you could explore any of the Performance Top Down Profile configurations, so that you can better understand the internal workings. You may find it helpful to review the built-in Profile configurations when you create your own Profile, because you can use an existing Profile to create a baseline configuration that you can customize.

To explore a specific Profile such as the Network Monitor Profile for ETLs, select it in the Advanced Profiles list and then click Edit Profile and you will see the following configuration of viewers and layouts for this particular Profile. Note that the viewers described in the list that follows are common to all Profiles, built-in or custom-designed; however, the basic analysis context that is provided by each of these viewers is significantly enhanced by the view Layouts that are applied to them.

  • Analysis Grid viewer — is set to use the Network Monitor Viewpoints Layout, a description for which is provided in Applying and Managing Analysis Grid Viewer Layouts. Because the Analysis Grid viewer is set as the default viewer for this Profile, the Analysis Grid viewer should automatically display with this particular layout shortly after you load data from an ETL file.

  • Grouping viewer — is set to use the Network Address and Ports Layout, a description for which is provided in Understanding the Built-In Grouping View Layouts. Because the Automatically open Grouping Viewer check box is selected in this Profile, the Grouping viewer should automatically display with this layout shortly after you load data from an ETL file.

  • Chart viewer — is set to use the Top TCP/UDP Conversations by Message Count view Layout, a description for which is included in the Chart Viewer Layouts section of this Operating Guide. Because Charts do not display by default in any of the built-in Profiles , you will need to manually launch them by selecting the Default item from the Charts drop-down list in the New Viewers drop-down list on the global Message Analyzer toolbar. As a result of this action, the Layout that is specified in the Charts Layout section of this Profile conveniently displays in a separate session tab.

By default, a number of built-in Profiles that Message Analyzer provides are enabled, which means that whenever you load data from a file type that is associated with one of these Profiles, for example, a .cap, .etl, or .log file, the Profile will automatically activate and present the data viewer and layout arrangement that it is configured to provide to your Data Retrieval Session results. If none of the built-in Profiles meet your requirements, you have the option to create one or more of your own by using the Add Profile feature on the toolbar under the Advanced Profiles section of the Profiles tab in the Options dialog, which is accessible from the global Message Analyzer Tools menu. If the file type from which you are loading data into Message Analyzer is not associated with any existing and enabled Profile, then viewer and layout configurations are not impacted by the Profiles feature.

What You Will Learn In the remaining topics of this section, you will learn more about understanding and working with Profiles:


Understanding the Built-In Profiles
Applying and Managing Profiles
Enabling and Disabling Profiles
Configuring a New Profile
Example of Configuring a Profile to Create a Targeted Analysis Environment
Editing and Removing Profiles


Understanding the Built-In Profiles

The table that follows describes built-in Profiles that are provided by Message Analyzer along with the associated input file types that activate the application of such Profile configurations when you are loading data into Message Analyzer. On the Profiles tab of the Options dialog that is shown in Using Message Analyzer Profiles, you may notice that there are several Profiles that have the same name but apply to different File Types. In some cases, the viewer and layout configurations are identical, while others vary. In cases where the configurations are identical in several Profiles, repetitive descriptions of these are omitted in the table that follows.

Important

If you enable more than one Profile that applies to the same File Type, for example, capture (*.cap) files, Message Analyzer determines which Profile is applied to your loaded trace results based on an internal algorithm.

Table 14. Message Analyzer Built-In Profiles

Profile Name Applicable File Extension Description
Performance Top Down .cap Enable this Profile to display the Analysis Grid as the default viewer along with the Performance Top Down view Layout populated with data, whenever you load data into Message Analyzer from a capture (*.cap) file for performance analysis. Also displays the Grouping viewer with the Process Name and Conversations view Layout, given that the Automatically open Grouping Viewer check box is selected in this Profile. To display the Chart configuration specified in this Profile, you will need to manually highlight the Chart item in the New Viewer drop-down list on the global Message Analyzer toolbar and then select the Default item in the list. This action will display the Top TCP/UDP Conversations By Message Count view Layout for the Chart viewer in a new session viewer tab. This latter Layout uses a Table grid visualizer component.

Usage Overview — the advantages of the viewer and layout configuration of this Profile are that first, it provides the Analysis Grid viewer as a standard environment for detailed analysis that includes quick access to diagnosis errors and top-level messages that encapsulate message stacks, fragments, and any Operations. It also modifies the default Layout for this viewer, so that the configuration includes the TopModule, TopSummary, and ResponseTime columns, and also sorts the TimeElapsed column in descending sort order. This sorted configuration can highlight performance issues by exposing messages with the highest elapsed time, possibly indicating delays in receiving message fragments. In addition, because ResponseTime data is available, you can correlate the time of the first server response to a request message with TimeElapsed data, to help determine whether performance issues are related to a server or to network latency.

More Information
To learn more about the ResponseTime annotation for Operations, see Average Elapsed Time for Operations.

With the Grouping viewer Process Name and Conversations Layout, you can obtain a view that is similar to the Network Monitor Conversation Tree, in that the groupings enable you to isolate messages based on process name, process ID, network, and transport.

With the Top TCP/UDP Conversations By Message Count view Layout for the Chart viewer, you can quickly obtain a summary of the Transport Layer conversations that carried the highest message count from data in the Count column, which is sorted in descending order. Other statistics are also included in this Layout such as Bytes, which indicates the total payload byte volume of all messages (containing this property) that are associated with each conversation; the data transmission rates in bytes-per-second (BPS) and kilobytes-per-second (KBs); along with data columns for conversation StartTime, EndTime, and Duration.

After you display the Layout for this Chart, you might redock the Chart session tab, as described in Redocking Data Viewers and Tool Windows, so that it appears next to the Analysis Grid viewer. You can then drive selection of messages in the Analysis Grid viewer by double-clicking conversation data lines in the Top TCP/UDP Conversations By Message Count view Layout. You can also select different groups in the Grouping viewer to correlate group messages with the results that display in both this Chart viewer and the Analysis Grid viewer.

A summary of the type of information you can derive or the analysis that you can perform with the viewer and layout configuration of this Profile includes the following:

  • Data that can help you pinpoint performance problems related to slowly responding servers and/or network latency through analysis of ResponseTime and TimeElapsed data in the Analysis Grid viewer.
  • Diagnostic information that you can obtain in the DiagnosisTypes column of the Analysis Grid viewer. Diagnosis messages can quickly expose problem areas and guide the direction in which your inquiries should proceed for the resolution of issues.
  • Processes that consume high bandwidth, which can indicate potential problem areas, as exposed in the Grouping viewer by a summary view of network conversation message volumes and the Transport Layer ports over which they were carried for each ProcessId within ProcessName groups.
  • Network conversations with the highest traffic volumes and the ability to drill down into nested subgroups to view lower-level data in the grouped configuration. Also enables correlation of Grouping viewer data with Analysis Grid viewer and Chart messages through group selection.
  • Transport Layer performance statistics in the Top TCP/UDP Conversations By Message Count view Layout for the Chart viewer that exposes the top conversation message volumes, data transmission rate, payload levels, and conversation durations. These statistics can pinpoint the conversations — and hence the computers — that may be experiencing performance problems.

    Analysis Example — from the data that you can obtain with the viewing and layout configuration provided by this Profile, you might be able to isolate the following types of issues:

    • High message volumes from TCP Retransmits could be an indication of dropped packets, possibly caused by computer firewall rules, the network, or some other TCP issue. You can determine whether this may be the case by viewing diagnosis message descriptions for TCP messages of interest.
    • High payload levels might point to a Windows scaling issue that results in dropped packets.
    • Low data transmission rates at the client computer could be an indication of network delays.
    • High conversation durations might combine several of these factors.
Network Monitor .cap Enable this Profile to display the Analysis Grid as the default viewer along with the Network Monitor view Layout populated with data, whenever you load data into Message Analyzer from a *.cap file for process and performance analysis. Also displays the Grouping viewer with the Process Name and Conversations view Layout, given that the Automatically open Grouping Viewer check box is selected in this Profile. To display the Chart configuration specified in this Profile, you will need to manually highlight the Chart item in the New Viewer drop-down list on the global Message Analyzer toolbar and then select the Default item in the list. This action will display the Top TCP/UDP Conversations by Message Count view Layout for the Chart viewer in a new session viewer tab. This latter Layout uses a Table grid visualizer component.

Usage Overview — the advantages of the viewer and layout configuration of this Profile are that first, it provides the Analysis Grid viewer as a standard environment for detailed analysis that includes quick access to diagnosis errors and top-level messages that encapsulate message stacks, fragments, and any Operations. It also simulates the default Network Monitor view by including data columns such as TimeDelta (TimeOffset in Network Monitor) to indicate message running times, ProcessName, Source and Destination IP addresses, Module, and Summary. Note that Message Analyzer now captures process name data natively with any ETW provider, so that you can view process information with this Layout from any .cap trace file that contains it.

With the Grouping viewer Process Name and Conversations Layout you can obtain a view that is similar to the Network Monitor Conversation Tree, in that the groupings enable you to isolate messages based on process name, process ID, network, and transport. With this configuration, you can view network conversations and the ports over which they were carried for each process ID within a process name group.

With the Top TCP/UDP Conversations By Message Count view Layout, you can quickly obtain a summary of the Transport Layer conversations that carried the highest message count from the data displayed in the Count column, which is sorted in descending order. Other statistics are also included in this Chart such as Bytes, which indicates the total payload byte volume of all messages containing this property that are associated with each conversation; the data transmission rates in bytes-per-second (BPS) and kilobytes-per-second (KBs); along with data columns for conversation StartTime, EndTime, and Duration.

After you display this Layout, you might redock the Chart session tab, as previously described, so that you can observe the interactive display of data in multiple viewers based on message selection.

Analysis Example — a sample of the type of information you can derive from the viewer and layout configuration of this Profile for analysis includes the following:

  • Process name information in the Analysis Grid viewer for which you can analyze the Details of an associated message. In addition, you can correlate such a message to a Grouping viewer group with the use of the Find in Grouping Viewer command located on the Analysis Grid viewer toolbar. For example, by selecting this command for a particular message of interest, you can highlight the Network or Transport group with which a ProcessId group is associated in the Grouping viewer, to expose the computer conversation and message volumes associated with the process name that displayed in the Analysis Grid viewer.
  • Diagnosis errors that can provide additional insights into the direction in which your analysis should proceed. You can quickly view these errors in the DiagnosisTypes column of the Analysis Grid viewer by sorting this column in descending order, as indicated by the down arrow near the column label. You can also obtain a summary view of diagnosis message types, error descriptions, modules, and associated message counts across a set of trace results from the Diagnostics Tool Window.
  • A group-filtered view of messages and volumes associated with each of the following:

    • Process name
    • Process ID
    • IP conversation
    • Transport for messages in each IP conversation
  • Network conversations with the highest traffic volumes for a particular process, which could be a flag for further investigation.
  • Correlation of data in any Grouping viewer group with Analysis Grid viewer and Chart viewer messages through group selection. By manipulating the way data displays, you can achieve a unique enhancement to your analysis perspective.
  • TCP performance statistics from the Top TCP/UDP Conversations By Message Count view Layout for the Chart viewer, which includes top conversation message volumes, data transmission rate, payload levels, and conversation durations across a set of trace results, as previously described in the Analysis Example section of the Performance Top Down Profile.
  • Field data Details for any selected message, including information at the Capfile layer.
Network Monitor .etl Enable this Profile to display the Analysis Grid as the default viewer along with the Network Monitor view Layout whenever you load data into Message Analyzer from a *.etl file for event log analysis. Also displays the Grouping viewer with the Network Address and Ports view Layout, given that the Automatically open Grouping Viewer check box is selected in this Profile. To display the Chart configuration specified in this Profile, you will need to manually highlight the Chart item in the New Viewer drop-down list on the global Message Analyzer toolbar and then select the Default item in the list. This action will display the Top TCP/UDP Conversations By Message Count view Layout for the Chart viewer in a new session viewer tab. This latter Layout uses a Table grid visualizer component.

Usage Overview — the advantages of the viewer and layout configuration of this Profile are that first, it provides the Analysis Grid viewer as a standard environment for detailed analysis that includes quick access to diagnosis errors and top-level messages that encapsulate message stacks, fragments, and any Operations. It also simulates the default Network Monitor view layout, which provides ProcessName information, as previously described in the Network Monitor Profile for .cap files.

Also, with the Grouping viewer Network and Addresses view Layout, you can correlate IP conversations and the TCP/UDP port numbers that carried them, as presented in the Network and Transport groups.

With the Top TCP/UDP Conversations By Message Count view Layout for the Chart viewer, you have access to TCP performance statistics that provide data to help you to isolate performance issues, as described earlier in the Performance Top Down Profile for .cap files.

Analysis Example — a sample of the type of information you can derive or the analysis you can perform with the viewer and layout configuration of this Profile is specified earlier in the Performance Top Down Profile for .cap files, with exception of ProcessName and ProcessId information, which is not available in the Grouping viewer Layout for this Profile.
File Sharing SMB .cap Enable this Profile to display the Analysis Grid as the default viewer along with the SMB Flat view Layout whenever you load data into Message Analyzer from a *.cap file for SMB analysis. Also specifies the Grouping viewer with the File Sharing SMB/SMB2 view Layout; however, you will need to manually select the Grouping viewer from the New Viewer drop-down list on the global Message Analyzer toolbar and then select the Default item in the list to display this viewer with the specified Layout, given that this Profile is not configured to automatically display the Grouping viewer. To display the Chart viewer that is configured in this Profile, you will need to manually highlight the Chart item in the New Viewer drop-down list on the global Message Analyzer toolbar and then select the Default item in the list. This action will display the SMB Top Talkers view Layout for the Chart viewer in a new session viewer tab. This latter Layout uses a Table grid visualizer component.

Usage Overview — the advantages of the viewer and layout configuration of this Profile are that first, it provides the Analysis Grid viewer as a standard environment for detailed analysis that includes quick access to diagnosis errors and top-level messages that encapsulate message stacks, fragments, and any Operations. In addition, it includes data columns such as TimeDelta, Source, Destination, and Summary information while exposing several SMB data fields that you can quickly reference for further analysis of message details. Data columns that are significant for SMB analysis are the SessionIdName, TreeIdNameReference, FileNameReference, and Header.MessageId columns. They provide the following information:

- SessionId — provides a value that uniquely identifies each session that is multiplexed over a single SMB connection.
- TreeId — provides a value that uniquely identifies a connection between a Common Internet File System (CIFS) client and a share on a remote CIFS server.
- FileNameReference — provides the name of the file resource/s upon which SMB operations were performed.
- MessageId — provides a value that uniquely identifies an SMB request and response pair among all messages that are sent across a common SMB connection.

The Grouping viewer enables you to view the message volume per session, as distinguished by a SessionIdName group, among potentially multiple sessions over a single SMB connection. Drilling down further, you can view specific share connections (TreeIds) via the nested TreeIdName groups along with the nested FileName groups under each parent TreeIdName group. At each group level, the Grouping viewer enables you to examine the traffic volumes associated with each group in the nested configuration and to interactively drive display of messages associated with any selected group into the Analysis Grid viewer for further investigation of message details.

The SMB Top Talkers view Layout for the Chart viewer enables you to examine a summary of IP conversations (via address pair sets) sorted by message count from highest to lowest, along with other statistics that include Bytes, which indicates the total payload byte volume of all messages containing this property that are associated with each conversation; the data transmission rates in bytes-per-second (BPS) and kilobytes-per-second (KBs); along with data columns for conversation StartTime, EndTime, and Duration.

Analysis Example — for instance, if SMB write or read operations are taking a long time, possibly indicated by a high Duration value (sort this column in descending order for the best view), you may be able to isolate a poorly performing computer where this is occurring by observing the session duration, message count, and/or data transmission rate that is associated with the conversation in which such a computer is engaged.

You can also interactively drive the display of data in the SMB Top Talkers view Layout for the Chart viewer and the Analysis Grid viewer, from any group that you select in the Grouping viewer, for further correlation of data, as described earlier. For best interactive results, redock the Chart session viewer tab next to the Analysis Grid viewer.

You might also keep in mind that errors may be occurring, which you can view in the DiagnosisTypes column of the Analysis Grid viewer, as described earlier in the Network Monitor Profile for .cap files in this table.
File Sharing SMB Perf .cap Enable this Profile to display the Analysis Grid as the default viewer along with the File Sharing Perf SMB2/SMB view Layout whenever you load data into Message Analyzer from a *.cap file for SMB analysis. Also specifies the Grouping viewer with the File Sharing SMB/SMB2 view Layout; however, you will need to manually select the Grouping viewer from the New Viewer drop-down list on the global Message Analyzer toolbar and then select the Default item in the list to display this viewer with the specified Layout, given that this Profile is not configured to automatically display the Grouping viewer. To display the Chart viewer that is configured in this Profile, you will need to manually highlight the Chart item in the New Viewer drop-down list on the global Message Analyzer toolbar and then select the Default item in the list. This action will display the SMB Service Performance view Layout for the Chart viewer in a new session viewer tab. This latter Layout uses a Table grid visualizer component.

Usage Overview — similar to the File Sharing SMB Profile, the advantages of the viewer and layout configuration of the File Sharing SMB Perf Profile are that first, it provides the Analysis Grid viewer as a standard environment for detailed analysis that includes quick access to diagnosis errors and top-level messages that encapsulate message stacks, fragments, and any Operations. It also includes the same data columns as the File Sharing SMB Profile for .cap files, with the exception of the TimeDelta column, which is replaced with the ResponseTime column in this Profile. Therefore you can obtain similar values and statistics with both of these Profiles, although with the File Sharing SMB Perf Profile, you can also assess the server response times to SMB2 request messages, as they are conveniently located in the ResponseTime column of the Analysis Grid viewer that you can add with Field Chooser.

Analysis Example — if you correlate ResponseTime and TimeElapsed data in the Analysis Grid viewer, you can determine whether performance is being compromised by a slowly responding server or by network latency, as described earlier in the Performance Top Down Profile. Other key data fields for the viewers in this Profile consist of SessionId, TreeIdReference, and FileNameReference, which are provided in Analysis Grid viewer as columns, and in the Grouping viewer as equivalent groups. See the File Sharing SMB Profile for more information about these fields. Also keep in mind that diagnosis messages may be helpful in determining the cause of performance issues.
Event Log .evtx Enable this Profile to display the Analysis Grid as the default viewer along with the Event Log view Layout whenever you load data into Message Analyzer from a *.evtx file for event analysis. You can also display the Grouping viewer with the Event Viewer view Layout; however, because the Automatically open Grouping Viewer check box is unselected in this Profile, you will need to manually select the Grouping item from the New Viewer drop-down list on the global Message Analyzer toolbar to display the indicated configuration. To display the Event Log IDs view Layout for the Chart viewer, manually select the Chart item in the New Viewer drop-down list to display the indicated Layout. This latter Layout uses a Bar element visualizer component.

Usage Overview — the advantages of the viewer and layout configuration of this Profile are that first, it provides a basic analysis environment with the Analysis Grid viewer for viewing event data. The Event Log view Layout enables quick access to standard event information. Much of this information is declared in an Event Descriptor, which in turn is typically defined by an ETW provider manifest, as described in the ETW Framework Conceptual Tutorial. The event information that can populate this Analysis Grid viewer Layout can include EventID, Version, Channel (target audience), error Level, and Opcode. Keyword values are also typically a part of event definitions and usually reside in an event manifest. Other important information that is exposed by this Layout includes the ProcessId, ETW ProviderName, and the actual EventData that tells you the current state of an application or some process. Note: You can view Keywords for any *.evtx log in the Details window. You can also add a Keywords column to the Analysis Grid viewer by right-clicking the Keywords field in the Details window and then selecting Add 'Keywords' as Column in the context menu that displays, that is, after initially selecting an event/message in the Analysis Grid that defines Keywords.

Also, the Grouping viewer with the Event Viewer Layout contains the following four groups in a nested configuration for every data set that is defined by a unique top-level field value:

- ProviderName — this top-level field is the name of the ETW provider that raised events and wrote them to the ETW session from which your data is displaying.
- Level — this field can include error Levels in the range of 1-5, for example, Critical (1), Error (2), Warning (3), and so on.
- Channel — this field displays the target audience for the event/s and is specified in an ETW provider manifest.
- EventID — this field specifies the ID for events that were written by an ETW provider.

As different ProviderName values are detected in the trace results, additional grouped data sets are created and organized by Message Analyzer to expose the different values in the above specified nested group configuration. When you select a group node in the Grouping viewer for any data set, the messages that correspond with that group node are filtered to the Analysis Grid viewer, so that you can analyze all the messages associated with a common group value. For example, this could be a specific error Level, Channel, or EventID value. This provides a unique way of organizing the trace data into summary groups that enable you to interactively correlate different aspects of your data with the analysis context of data displayed in the other viewers that are configured by this Profile.

The Event Log ID view Layout for the Chart viewer enables you to view the message volume — ordered from the highest to the lowest volume — that is associated with EventIDs that were found in the .evtx log. The data is displayed in a Bar element visualizer component that provides an at-a-glance view of the relative distribution of message volume per EventID across a set of trace results. This enables you to make a quick visual assessment of which events involved the highest message count, which could be a flag for further investigation.

As you click any bar element in this Layout, messages associated with that element are highlighted in the Analysis Grid viewer. This same result occurs if you select EventID groups in the Grouping viewer, provided that the Grouping viewer is in Selection Mode. Otherwise, when the Grouping viewer is in Filtering Mode, messages associated with the clicked group will be filtered to the Analysis Grid viewer for further examination and to the Chart viewer as well.

Analysis Example — from the viewer and layout configuration of the Event Log Profile, you can derive the following types of information which can be significant to the analysis process:

- The message volumes associated with the events of a particular message provider, as exposed in the group configuration of the Grouping viewer. Message volumes per EventID are also exposed in the Chart viewer for this Profile.
High volumes might point to an overburdened system component or application that is issuing a lot of event traffic or experiencing a high rate of errors. Sparse traffic might be an indication of dropped packets due to misconfigured ETW Session buffer settings, as described in Specifying Advanced ETW Session Configuration Settings.
- The ETW provider that is writing the events, as exposed by the ProviderName field. This can identify the message provider for a particular component, application, or subsystem that may be experiencing performance issues.
- The error levels and descriptions associated with each provider's messages, as exposed by the Level or LevelDisplayName and Summary fields, respectively. This can expose the severity of event errors, which can be a flag to examine any diagnosis messages that are associated with such errors. In turn, diagnosis message descriptions may expose an underlying issue.
- The process ID associated with each event, as exposed by the ProcessId field, which could pinpoint a particular application or process that is experiencing errors, erratic behavior, or sluggish performance.
- The event Keywords configured in the event manifest for the ETW provider, as exposed by the Keywords field. Only the Keywords that were specified in the ETW provider manifest are reported to the ETW Session and subsequently recorded in the .evtx log, that is, if such events were written by the ETW provider in response to some error condition or state of an application or system component. Such information can highlight a problem area for further investigation.
- The Diagnosis messages associated with each event, as exposed in the DiagnosisTypes and Summary columns of the Analysis Grid viewer. Diagnosis messages consist of four types, as described in the Diagnosis Category topic. For example, a Diagnosis message might indicate that a particular event could not be parsed by Message Analyzer due to invalid data (a Parsing error type) or that an event does not align with its manifest definition (a Validation error type). Tip: To enhance the interactive analysis context for the viewers and layouts of this Profile, you might redock the Chart viewer tab alongside the Analysis Grid viewer so you can observe the interaction between Grouping viewer group node selection and the display of messages in the Analysis Grid and the Chart viewer, as described in the first item of this table.
Fiddler Traces .saz Enable this Profile to display the Analysis Grid viewer as the default viewer along with the Fiddler SAZ view Layout whenever you load data into Message Analyzer from a Fiddler *.saz file for HTTP analysis. Note that the data exposed in this viewing configuration closely resembles the Fiddler Web Debugger analysis environment, although field names are different.

You can also display the Grouping viewer with the Fiddler Grouping view Layout; however, because the Automatically open Grouping Viewer check box is unselected in this Profile, you will need to manually select the Grouping item from the New Viewer drop-down list and then select the Default item in this list, as previously described, to display the indicated configuration.

Likewise, to display the HTTP Content Type Volumes view Layout for the Chart viewer, manually select the Chart item in the New Viewer drop-down list and then select the Default item in this list to display the indicated Layout. This Layout uses a Bar element visualizer component.

Usage Overview — the main advantage of the viewer and layout configuration of this Profile is that it provides the Fiddler SAZ view Layout in the Analysis Grid for in-depth analysis of HTTP messages from Fiddler traces in a simulated Fiddler debugging environment. Some of the most significant information that is exposed in this Analysis Grid viewer Layout for analysis consists of the following:

- HTTP response code, as exposed in the StatusCode column.
- HTTP verbs, as exposed in the Method column.
- Uniform resource identifier (URI) information such as the host, absolute path to resources, and URIs, as exposed in the uri.host, uri.abspath, and uri columns, respectively.
- Packet length, equal to the header + payload in bytes, as exposed in the PayloadLength column.
- Content caching directives, as exposed in the Headers.cache-control column.
- Content type, process name and ID, and payload value information, as exposed in the ContentType, SessionFlags.x-processinfo, and Payload columns, respectively.

The Grouping viewer isolates some of this same information from a Fiddler trace into groups, where you can view the message volume that is associated with each top-level process name and ID group (SessionFlags.x-ProcessInfo), the hosts that handled each request as indicated in the nested Uri.Host group under a particular process name and ID group, along with the number of messages associated with each host group.

The HTTP Content Type Volumes view Layout for the Chart viewer provides a visual indication of the relative volumes of HTTP content type payload lengths in bytes for each content type, along with the relative distribution of volume for each content type, from the highest to lowest values. This enables you to see at a glance which byte volumes are the largest for any particular content type. In turn, this can provide an indication of the loads being carried by responding web servers.

Analysis Example — an example of how you might use these viewer and layout configurations as tools for analysis is to first sort the PayloadLength column of the Analysis Grid viewer in descending order so that you can see which messages had the highest packet length. You can then correlate that information with the following:

- The HTTP request type, as specified in the Method column.
- Process name and process ID, as specified in the SessionFlags.x-ProcessInfo column.
- Content type associated with messages of interest, as specified in the ContentType column.
- The web server host and specific resources that were requested by a client, as specified in the Uri.Host and Uri.AbsPath columns.
- Status of HTTP response messages, as specified in the StatusCode column.

In summary, the information that you obtain from the Analysis Grid viewer with this correlation can expose the types of request messages that are associated with a particular process, the specific type of content involved, the hosts from which resources were retrieved, along with the success of the operations. With this data, you may be able to pinpoint a web server that is under stress, potentially from servicing a high volume of client requests for a particular content type.

Moreover, you can use the Find in Grouping Viewer command in the Analysis Grid viewer's right-click context menu for particular messages with various PayloadLength values, so that you can locate them in the Grouping viewer for a quick correlation of associated process and host data. In addition, you can interactively and simultaneously drive the display of messages in the Analysis Grid viewer and the HTTP Content Type Volumes view Layout for the Chart viewer by selecting ProcessInfo group nodes in the Grouping viewer that contain various message volumes, providing that the Grouping viewer is in the Filtering Mode. This enables you to isolate the associated group messages in these other viewers to take advantage of their analysis capabilities. Note that if the Grouping viewer is in Selection Mode, the messages that are associated with a selected ProcessInfo group will be highlighted in the Analysis Grid viewer only.

Alternately, you can double-click a bar element of a certain content volume in the HTTP Content Type Volumes view Layout for the Chart viewer to isolate the messages represented in that bar element to a separate instance of the Analysis Grid viewer for review of message Details. You can also use the Find in Grouping Viewer command on the isolated Analysis Grid messages to expose and correlate the process information in the Grouping viewer with the hosts involved. Set the Grouping viewer to the Selection Mode for this operation to work the best.

By examining this information in the indicated ways, you may be able to determine that one or more responding web servers are carrying large loads, which could expose performance issues that include sluggish response times.
Text log files Common file extension: Important: Because Message Analyzer has multiple built-in Profiles for different logs that are all associated with the same .log file type designation, you will need to open the log file types described below in one of the following ways, otherwise the correct view Layout for the Chart viewer will not display after you load data from these logs. By specifying a text log configuration file in the actions that follow, Message Analyzer can differentiate between the built-in Profiles for different Log files, so that the right Profile is applied:
  • Use the New Session dialog for a Data Retrieval Session, from where you can select the configuration file for the specific .log type that contains the data you are importing.--- More Information To learn more about using text log configuration files to open .log files, see Opening Text Log Files.---
  • Use the Open command or Recent Files list on the Message Analyzer Start Page, providing that you have correctly set the default text log configuration file on the General tab of the Options dialog for the .log type you are opening.
If you do not have a default configuration file set on the General tab of the Options dialog and you attempt to open any .log file, for example, by using the Open command or Recent Files list on the Start Page, or by opening the log from Windows Explorer, Message Analyzer presents you with the input configuration for a Data Retrieval Session so that you can specify the Text Log Configuration file that is appropriate for the log file type that contains the data you are importing. If you are uncertain about which Text Log Configuration File to specify for any of the following logs, you can view the Profile configuration for each log by selecting an appropriate Profile on the Profiles tab of the Options dialog and then clicking the Edit button on the Advanced Profiles toolbar. Note: Message Analyzer parses the log files that are described in this section with the use of configuration files, which contain OPN code that is specifically designed to parse such files. When the OPN code in a configuration file for a particular log type is compiled, an OPN module for that log is added as a new node in the Field Chooser Tool Window. If you expand such a node, you will have access to other log fields that were parsed by the OPN code. You can then add any of these fields as a new data column in the Analysis Grid viewer by double-clicking it. The resulting data that is displayed can provide additional information to support your analysis process. To learn more about the Field Chooser, see the topic Field Chooser Tool Window.
IIS Logs .log Enable this Profile to display the Analysis Grid as the default viewer along with the IIS view Layout, whenever you load data from an IIS .log file for analysis of client and server data in IIS logs. You will need to manually open the other viewers that are configured in this Profile in the previously described manner, which includes the Grouping viewer with the IIS view Layout, and the IIS Log HTTP Traffic Volume view Layout for the Chart viewer. This latter Layout uses the Bar element visualizer component. Note: In the IIS view Layout of the Analysis Grid viewer, data fields that are associated with the client computer contain a "c" character in the prefix of the field name, while "cs" characters indicate a client-to-server transaction. Likewise, fields that are associated with the server contain an "s" character in the prefix of the field name, while "sc" characters indicate a server-to-client transaction, although you will only find fields with "sc" characters in the Details Tool Window. Examples from the Analysis Grid viewer Layout include cs_method and s_port,

Usage Overview — the main advantage of the viewer and layout configuration of this Profile is that it provides data sets in several different interactive viewing configurations that expose the information you will need to analyze the logs of an IIS web server. Just from the Analysis Grid viewer alone with its IIS view Layout, you may be able to discover factors such as the following that might be contributing to web server stress:

  • Operations that took a long time to complete for a particular type of client request, as exposed in the time_taken column. Tip: Add this field as a column in the Analysis Grid viewer by right-clicking the time_taken field in the Details window and then selecting the Add 'time_taken' as Column command. This field exposes the length of time in milliseconds that an action took to complete.
  • High traffic volumes associated with any of the following:

    • Sites that are being inundated with the most client traffic, as exposed in the s_sitename column and correlated to Grouping viewer s_port (server port) message volumes. You can correlate a site name with message volumes on an input server port by clicking the Find in Grouping Viewer command on the Analysis Grid toolbar while a site name of interest is selected. This action should highlight an s_port group in the Grouping viewer and show the associated message volume. Note: The Grouping viewer must be displayed so that the Find in Grouping Viewer command is enabled.
    • Target resources or services to be accessed, as exposed in the cs_uri_stem column.
    • Queries/client requests, as indicated in the cs_uri_query column.
    • Methods and operations to be performed, as exposed in the cs_method column.
    • Specific users who are making requests, as exposed in the cs_username column.
    • Potentially compromised client browsers or other applications that are sending erroneous or intermittent queries to the server, as exposed in the csUser_Agent column.

At a minimum, the information provided in this Analysis Grid viewer Layout could expose any of the following issues:

- Slow server operations (high time_taken values) could be an indication that a high volume of requested operations are stressing web server resources, compromising performance, and reducing service availability.
- High traffic volumes for specific sites can indicate that such sites are being overwhelmed by traffic and possibly dropping packets.
- High traffic volumes associated with client queries, client methods, specific users, or target resources might be consuming web service availability time.

The Grouping viewer exposes the client IP addresses that made the requests and the server ports that received the requests, along with the query message volume sent to the server by the client. If you also have the IIS Log HTTP Traffic Volumes view Layout for the Chart viewer displayed, you can view the relative distribution of traffic volume in bytes, from the highest to the lowest volume, for the server HTTP responses to each client query that the server received. The volume values in this Layout are based on the sc_bytes field for server responses, the values for which you can view in the Details window. This visualizer component provides a quick summary of the server response volumes in bytes that are associated with the queries requesting access to web server resources and services. Note that very high byte volumes could be a flag that points to the potential overload of one or more web servers.

You can also use the Grouping viewer to interactively and simultaneously drive the display of messages in the IIS Log HTTP Traffic Volumes visualizer component and the Analysis Grid viewer, by group selection in the Grouping viewer. For example, if the Grouping viewer displays multiple c_ip groups of client addresses where requests were initiated, you can view the associated messages in the Analysis Grid viewer and corresponding server response byte volumes in the IIS Log HTTP Traffic Volumes view Layout (to isolate the data for further analysis) by clicking those groups in the Grouping viewer. As previously described, you can also right-click any message in the Analysis Grid viewer and select the Find in Grouping Viewer context menu command to locate the group in the Grouping viewer with which a message of interest in the Analysis Grid viewer is associated. Tip: Additional IIS log fields are available for examination in the Details window, which includes server response data such as sc_status and sc_bytes.
Netlogon Logs .log Enable this Profile to display the Analysis Grid as the default viewer along with the Netlogon Log view Layout, whenever you load data from a Netlogon .log file to analyze Netlogon data. You will need to manually open the other viewers that are configured in this Profile in the previously described manner, which includes the Grouping viewer with the Netlogon Group by Message Type view Layout, and the Netlogon Message Types view Layout for the Charts viewer. This latter Layout uses the Pie chart visualizer component.

Usage Overview — the advantages of the viewer and layout configuration of this Profile consist of the following:

- The Analysis Grid viewer with the Netlogon Log Layout provides summary data for each log file entry for a Netlogon .log file that includes message type information, along with data in other Analysis Grid fields that include MessageNumber, Timestamp, and TimeDelta.
- The Grouping viewer with the Netlogon Group by Message Type Layout isolates messages into message type groups and provides the number of messages associated with each type.
- The Netlogon Message Types view Layout for the Chart viewer provides a pie-slice visualizer that summarizes the relative percentage of message volumes for each message type in a Netlogon log file.

Analysis Example — in the Summary column of the Analysis Grid viewer, you will find a description that includes message type, error descriptions, and other descriptive data that is related to each message. As described many times in this table, you can associate any message in the Analysis Grid with groups in the Grouping viewer; for this Profile it would be the msgType group. Some of the important message types that are issued during the log on process and which you will typically find in a Netlogon log are as follows:

  • MAILSLOT — consists of an LDAP ping that enables a client to locate a domain controller with this type of message via RPC name pipes or with TCP as the transport. This message is in turn received by a logon server that has created a MAILSLOT file that the client message can write to, thus establishing client-to-server authentication communications for logon. Both client MAILSLOT and server response MAILSLOT messages are typically written to Netlogon logs so that you can view client and server communication records.
  • DNS — this type of message from a logon server can provide cache entries and annotations, or an indication of DNS status.
  • CRITICAL — this type of message from a logon server typically includes critical error information or status, such as an invalid domain name was pinged, a DNS query failed to return data, NetBIOS to IP address resolution failed, and so on.
  • DIAGNOSIS — this type of message from a logon server typically includes error information or status, such as DNS resolution failures, indications of authentication chain issues, setup problems, client queries that failed because the server could not service them, and failure to find a logon server. Note that DIAGNOSIS messages can also be of type CRITICAL.
  • SESSION — this type of message provides a record of different logon session-level messages, such as the following:

    • Messages associated with establishing a session, including domain controller discovery and machine password resets.
    • Requests sent to the security account manager (SAM) and associated responses.
    • Authentication success and failure messages.
    • Messages requesting logon domain information.
    • Queries for logon server capabilities.
  • LOGON — this type of message provides a record of successful logons, for example, Administrator and user logons, along with account and site names. Another type of LOGON message is the WRONG PASSWORD message, which can indicate the following:

    • A password provided to a non-logon server, for example, a file server, was forwarded to an authenticating domain controller for validation. Also known as pass-through authentication.
    • A password did not match the one held by an authenticating domain controller and was therefore passed to the primary domain controller for validation.
  • MISC — this type of message can include Netlogon events being logged, user or machine account status, and other information requested by a client, such as the status of a logon server, domain controller name requests, and other information. It might also include server messages that advise a client of other sites with greater availability.
  • PERF — this type of message provides Netlogon performance counter information that includes data related to setting up a client-server session, the number of authentication timeouts that have occurred, and average semaphore hold times before authentication occurs.
Note: Messages for various authentication types that can be detected by the Message Analyzer Netlogon text log parser include NTLM, Kerberos PAC, Digest, and so on.

With the viewer and layout configuration of this Profile, you can very quickly isolate the above information during analysis to find problem areas. You can do this by clicking on each message type in the msgtype group of the Grouping viewer. From this action, you can effectively isolate the messages associated with each group in the Analysis Grid viewer, provided that the Grouping viewer is in Filtering Mode. If the Grouping viewer is in the Selection Mode, you can simply highlight the messages in the Analysis Grid viewer without introducing any filtering effects.

If you also have the Netlogon Message Types view Layout for the Chart viewer displayed, you can click different Pie chart elements and drive the display of messages in the Analysis Grid viewer. When you do this, you can also achieve different interactions with the Grouping viewer depending on the mode it is in. These capabilities enable you to quickly zero-in on the specific data presented by different message types, which is very convenient when you need to expose errors and other important information that is buried in a large log file.

More Information
To learn more about the Netlogon troubleshooting and the Netlogon parser that is used by Message Analyzer, see Diving into the Netlogon Parser (v3.5) for Message Analyzer on TechNet.
Cluster Logs .log Enable this Profile to display the Analysis Grid as the default viewer along with the Cluster Log view Layout, whenever you load data from a Cluster .log file to expose fields that are key to analysis. You will need to manually open the other viewers that are configured in this Profile in the previously described manner, which includes the Grouping viewer with the Cluster Logs view Layout, and the Cluster Levels view Layout for the Chart viewer. This latter Layout uses the Bar element visualizer component.

Usage Overview — the main advantage of the viewer and layout configuration of this Profile is that it provides several data sets in different interactive viewing configurations that expose information you will need to quickly isolate problem areas for further investigation of clustering issues. From the Analysis Grid viewer Layout, you can obtain an overview of key cluster log information through data columns such as InfoLevel, Subcomponent, RemainingText, ProcessId, and ThreadId. With this information, you can expose errors that may be occurring in a particular subcomponent of the Cluster Service, for example, the Failover Manager, Database Manager, Node Manager, or Global Update Manager; and you can also associate such errors with one or more ProcessIds.

Sorting and grouping in the Analysis Grid viewer can organize the data in a way that speeds up analysis. For example, if you sort the Subcomponent column of the Analysis Grid viewer in ascending order, you can organize the log entries such that the entries for any particular component are gathered together for easy viewing. Moreover, you can execute the Group command from the context menu that displays when you right-click the Subcomponent column header in the Analysis Grid viewer. The result of this operation provides a view of the data that encapsulates the message activity that occurred for various subcomponents of the Cluster Service into a separate "group" node that you can expand for further details. Likewise, if you Group the InfoLevel column, you will see a view of the data that encapsulates the message activity associated with the information level that exists for each log entry for debugging purposes.

Note that a quick way to expose failures that might have occurred is to Apply a Filter such as *RemainingText contains "failure" from the Message Analyzer Filtering Toolbar that is located in the upper left sector of the Analysis Grid session tab . The results of this operation can point you to specific components where errors occurred, while also providing a description of what actually occurred.

But probably the most useful way to display the data is with the default Layout of the Grouping viewer. This Layout enables you to isolate the different types of information levels that can be written by a Cluster Service component, which typically consist of informational (INFO), warning (WARN), error (ERR), and debug (DBG) levels. These informational levels are isolated by the top-level InfoLevel group in this Layout. The Subcomponent group is nested under the InfoLevel group and the ProcessId group is in turn nested under that. By organizing the data in this grouped configuration, this Layout enables you to very quickly assess all the information levels that occurred for each Cluster Service Subcomponent and the ProcessIds that are associated with the operations that were carried out. Tip: You can obtain a quick assessment of which information levels have the most log entry activity by opening up the Cluster Levels view Layout for the Chart viewer. This data display provides an at-a-glance view of the relative distribution of message volume for each of the information types found in a Cluster log file. By double-clicking any bar element that represents a particular InfoType, you can display all the log entries that contain that type along with the Subcomponents with which they are associated.

Analysis Example — the Global Update Manager (GUM) is a primary mechanism of the Clustering Service that keeps all cluster nodes up to date with the latest resource configurations stored in the Cluster database. It is also used by internal Cluster Service components, such as the Failover Manager (FM), Node Manager (NM), and Database Manager (DM), to replicate changes made to any node, which is usually initiated by a Cluster API call. The GUM is a heavy user of Cluster Service communication processes and is therefore a good starting point when troubleshooting clustering issues.

To assess any issues that may have occurred with the GUM service, you can do the following:

1. Open the Grouping viewer and then display the Cluster Logs Layout in the previously described manner.
2. Click the Collapse All button on the Grouping viewer toolbar to display the top-level groups only, which in this case will be the data for InfoLevel groups that is derived from your Cluster log.
3. Click the expansion node of the ERR group to display the nested Subcomponent groups.
4. Scroll down to the GUM group and click it to display all the log entries that contain errors that were logged by the GUM service.
If the Grouping viewer is in Filtering Mode, this action will filter and display the associated messages to the Analysis Grid viewer. If the Grouping viewer is in the Selection Mode, the same messages will simply be highlighted in the Analysis Grid viewer.
5. Observe the error descriptions under the RemainingText column of the Analysis Grid viewer.
For example, you might see that a GUM request resulted in an exception or other failure during the update process for a specific cluster node.
6. Obtain the ProcessId that is associated with any log entry that exposes an error, by right-clicking the log entry and then selecting the Find in Grouping Viewer command in the context menu that appears.
The relevant process will be highlighted in the ProcessId group that is nested under the Subcomponent group. This information may provide some additional insights into which resources or other components were involved in the failed update process.
7. If no errors were logged in the ERR group for the GUM service, go to step 3 and perform these same operations for the WARN group. Tip: For hints of other potential problem areas, you can also review the TimeDelta column values for evidence of operations that took an exceptionally long time to complete.
Samba Logs .log If you are a developer who tests new Samba features or if you simply want to monitor Samba performance, you can enable this Profile to display the Analysis Grid as the default viewer along with the SysLog view Layout, whenever you load data from a SambaSysLog .log file. You will need to manually open the other viewers that are configured in this Profile in the previously described manner, which includes the Grouping viewer with the SysLog view Layout, and the SysLog Levels view Layout for the Chart viewer. This latter Layout uses a Bar element visualizer component.

Usage Overview — the main advantage of the viewer and layout configuration of this Profile is that it provides several data sets with varying analysis contexts that can quickly expose the Samba log entries where issues may be occurring. For example, in the Analysis Grid viewer, you can correlate the Samba debug levels with the Samba functions that wrote the log entries and which contain the level information, along with the Samba source_file/s where the functions exist. A quick way to summarize this information might be to sort the level column so you can view all the log entries in a hierarchical manner according to level values. You can then correlate log entries that have the more critical level values with the associated function and source_file data.

Analysis Example — you might consider taking advantage of the Analysis Grid viewer Group command to organize the data into separate hierarchical groups that each contain log entries with a common level value, so that you can evaluate the data in the context of identical level value groups. You can also nest additional groups under the level group, for example, a function group at the first nested level and a source_file group at the second nested level. Then, by drilling down to the source_file group you can expose the log entries that have been isolated according to the grouped configuration. To execute an Analysis Grid viewer Group command, right-click the header of a column such as level and select the Group item that appears in the context menu that displays. After you create a multiple group configuration in this manner, you can drag any group into a new position in the hierarchy to recast the data according to the new group organization that is created, so that you can obtain an alternate analysis perspective on the data.

The Grouping viewer provides a similar grouping configuration; however, it also enables you to interactively drive selection of log entries in the Analysis Grid viewer based on group selection in the Grouping viewer. As previously described, if the Grouping viewer is in the Selection Mode, group selection will cause Analysis Grid viewer log entries to be highlighted; if the Grouping viewer is in the Filtering Mode, group selection will cause a filtered view of the log entries where all other entries are temporarily removed from the Analysis Grid, that is, until you click the Reset button on the Grouping viewer toolbar.

The advantage of the Grouping viewer is that you can isolate the log entry data to the top group, which is the Samba debug level, to the Samba function that wrote the log entry to the first nested group, and to the Samba source_file that contains the function in the last nested group. This grouped configuration enables you to prioritize your investigation based on the level values, which is a good starting point from where you can determine, in a hierarchical manner, the functions and source code that is associated with the most critical levels. SambaSysLog levels typically consist of the following:

- 0 — Error
- 1 — Warning
- 2 — Notice
- 3 — Information
- 4 and above — Debug

You might proceed by first clicking the Collapse All button on the Grouping viewer toolbar so you can immediately see all the debug levels that exist in the entries of your SambaSys log. Then click a level expansion node that is designated with a value such as '0' or '1' to expose the data for the underlying function and source_file groups. Next, make sure the Grouping viewer is in Filtering Mode by clicking the Filtering Mode icon on the Grouping viewer toolbar and then select a function group value of interest. The log entries associated with the selected function are filtered to the Analysis Grid viewer. You can then horizontally scroll to the content column in the Analysis Grid to review the operations that were occurring while the selected function was executing, where you might obtain some additional insights into the cause of the debug issue. Lastly, from the file_line column of the Analysis Grid viewer, you can determine the Samba source code line that initiated logging of the displayed entries, for some further perspective on what may have occurred as the function was executing. Note that you can also drag groups of the Grouping viewer into a different position in the group hierarchy to obtain a different analysis perspective on the data.

The SysLogLevels view Layout for the Chart viewer enables you to quickly assess the relative distribution of the log entry volumes per level value, as derived from your SambaSys log. With this Layout, you can obtain an instant visual assessment of the areas in your log that had the most critical levels, which can immediately indicate the direction in which further investigation should proceed. You can also drive selection of log entries in the Analysis Grid viewer by double-clicking any bar element of interest in the SysLog Levels view Layout.
ETW Analysis .etl Enable this Profile to display the Analysis Grid as the default viewer along with the ETW view Layout, whenever you load data from an event trace log (ETL) file for ETW analysis. You will need to manually open the other viewers that are configured in this Profile in the previously described manner, which includes the Grouping viewer with the ETW Guids and IDs view Layout, and Top Level Protocols Message Count view Layout for the Chart viewer. This latter Layout uses a Bar element visualizer component.

Usage Overview — the main advantage of the viewer and layout configuration of this Profile is that it provides several data sets in different interactive viewing configurations that expose information you will need to quickly isolate problem areas for further investigation of ETW issues. For example, in the Analysis Grid viewer you can correlate the ProcessId and ThreadId that is associated with any event that was logged during execution of a particular process, along with the name of the ETW provider (Module column data) that wrote the events that were captured. The Summary column data provides additional descriptions, errors, or debug information that can each identify problem areas.

Analysis Example — as described earlier, applying a *Summary contains "error" or *Summary contains "failure" Filter from the Filtering Toolbar can be a way to isolate where errors or failures may have occurred. The results of this operation can point you to specific components where errors occurred while also providing a description of what actually occurred. You might also consider executing Group commands from the context menus that display when you right-click the headers of the EventRecord.Header.ProcessId and EventRecord.Header.ThreadId columns, in succession. This will result in a display configuration that organizes the data into groups of events with common ThreadId values and nests them under events that have a common ProcessId under which the threads executed. The analysis context that this creates can quickly expose which processes carried the highest thread volume, which could be a flag for further investigation. Note: The ThreadId is a unique identifier of an execution thread that is running under a particular process. The ProcessId is a number that is used by the operating system kernel to uniquely identify an active process for which an ETW provider or some other component is generating events.

The Grouping viewer provides a quick assessment of the event volumes associated each ETW provider that participated in the trace, along with IDs of the events that each provider generated. If you have the ETW manifest for the provider, you may be able to correlate the meaning of events with the IDs that are exposed in any group. You can isolate the events per provider or individual event IDs by clicking a group of interest. If the Grouping viewer is in the Selection Mode when you click a group, it drives event selection in the Analysis Grid viewer. If it is in the Filtering Mode, it filters the events into the Analysis Grid viewer so that you can analyze additional event Details. Note that you can also click the global properties icon on the Details Tool Window toolbar for more field information that might be available for a selected event line in the Analysis Grid viewer. The fields that are grouped in the Grouping viewer have the following meaning:

- ProviderId field — specifies the GUID of the ETW trace provider that generated an Event.
- Descriptor.Id field — specifies the Event identifier, which is part of an Event Descriptor, as described in the ETW Framework Conceptual Tutorial topic. Tip: You might also consider selecting the Process Name and Conversations layout from the Layout drop-down list on the Grouping viewer toolbar, to obtain a summary view of all the processes that were initiated across a set of trace results. You can then select a ProcessName group of interest to interactively drive the display of corresponding events in the Analysis Grid viewer where you can correlate the ProcessName with ProcessId and ThreadId data.

This Profile contains the Top Level Protocols Message Count view Layout for the Chart viewer. It provides a summary view of the relative distribution of event volumes across a set of trace results for the modules/protocols that generated events in such a trace. This graphic display can immediately point to potential issues where high event volumes are causing large bandwidth consumption.
PerfMon Logs .blg Enable this Profile to display data from a Performance Monitor log and utilize some of Message Analyzer capabilities to manipulate and analyze the data whenever you load data from a *.blg log file. Provides a main display with a graphic representation of performance counter data along with a legend of counters and an adjustable time window for zooming into data points. Displays a related set of messages after you double-click a line of performance counter data for further details.

The Grouping viewer contains the following groups to organize the data:

- Machine
- Instance
- Counter

For any instance, you can click a Counter and display that result in the main graphic display. Note that you can double-click a counter data line and display the data that was logged in an associated set of messages in a separate instance of the Analysis Grid viewer.
NTP Time Offset .cap Enable this Profile to understand time offset from the network perspective and to troubleshoot time-related issues. The viewer and layout configuration for this Profile includes the NTP Flat view Layout for the Analysis Grid; the NTP Time Offset view Layout for the Chart viewer, which shows time offset over time; and the NTP Source view Layout for the Grouping viewer, which organizes the NTP conversations.

Usage Overview — the main advantage of the viewer and layout configuration of this Profile is that you can observe Time Offset data over the timeline of a set of trace results per network conversation, which you can select in a legend to the right of the Timeline visualizer component. Note: The Chart viewer with the NTP Time Offset view Layout for the Chart viewer displays by default for all file types that are associated with this Profile. This includes the .cap, .pcap, .etl, and .pcapng file types. Note that the viewer and layout configuration for all these file types is identical in the Profiles that apply to them.

More Information
To learn more about the above file types, along with other file types that Message Analyzer supports, see Locating Supported Input Data File Types.
To learn more about the view Layouts that you can select for the Analysis Grid viewer in a Profile, see Applying and Managing Analysis Grid Viewer Layouts.
To learn more about the view Layouts that you can select for the Grouping viewer in a Profile, see Understanding the Built-In Grouping View Layouts.
To learn more about the Layouts that you can select for Chart viewers in a Profile, see Chart Viewer Layouts.


Applying and Managing Profiles

By default, several built-in Profiles that exist in the Advanced Profiles list are enabled, which means that when Message Analyzer detects that you are loading data from a file type for which a Profile has been created and enabled, the Profile configuration will be automatically applied after data loading is complete. This action also occurs for any custom-designed and enabled Profile of your own. For Message Analyzer to automatically apply any particular Profile, the Use Advanced Profiles check box must have a check mark in it and the Profile must be enabled in the Advanced Profiles list. Otherwise, the data viewers and view layouts associated with the Profile will not display automatically when you load an associated file type into Message Analyzer. Note that you can enable or disable any Profile individually, as described in Enabling and Disabling Profiles.

The remainder of this section describes how to manage Profiles, which includes tasks such as enabling or disabling them, creating new Profiles, editing Profiles, and removing them from the Advanced Profiles list.

Enabling and Disabling Profiles

Message Analyzer provides you with the option to either enable or disable any individual Profile in the Advanced Profiles list on the Profiles tab of the Options dialog. You can disable a Profile by unselecting its check box in the Enabled column to the left of the Profile name in the Advanced Profiles list. This action prevents the Profile from activating during the data loading process; however, you can re-enable it at any time by simply placing a check mark back in its check box. You can also disable all Profiles simultaneously, even those that are currently selected, by removing the check mark from the Use Advanced Profiles check box, which prevents Message Analyzer from applying any Profiles when you are loading data from a supported file type. To re-enable selected Profiles, simply place a check mark back in the Use Advanced Profiles check box.

Note

If you disable all Profiles, Message Analyzer still provides a default Profile that specifies the Analysis Grid viewer. At your discretion, you can change the default viewer by selecting a new one from the Default Viewer drop-down list in the Default Profile section on the Profiles tab of the Options dialog.

This selection determines the default viewer for the display of data in all Live Trace and Data Retrieval Sessions, as described in Session Data Viewer Options. Note that you still have the option of changing the data viewer according to your requirements after you have acquired and displayed session data.

Configuring a New Profile

If you want to create a new Profile, you will need to click the Add Profile button on the Advanced Profiles toolbar on the Profiles tab of the Options dialog to open the New Profile dialog. From here, you can specify the Profile configuration that you want by making use of the following controls:

  • Name — specify a name for the new Profile. Be sure to specify a unique name that you can easily recognize and distinguish from other Profile names.

  • Description — optionally specify a short description of the Profile.

  • Category — optionally select a Category from this drop-down list. Note that these names are arbitrary and that you can specify a custom category by typing one in the text box portion of this control.

  • File Type — select one of twenty different supported input file types from the File Type drop-down list for your new Profile.

  • Copy From — optionally select one of the Profiles in the Copy From drop-down list to create an initial pre-populated configuration for your new Profile that is based on one of the existing Profiles. You will be able to alter the initial configuration of the Profile by clicking Edit Profile after you Save the new Profile.

  • Save — click this button when you are finished with the initial configuration of a new Profile.

If you want to make adjustments to the initial configuration that you specified in the New Profile dialog, click the Edit Profile button on the Advanced Profiles toolbar to open a dialog that contains the viewer and layout configuration that you want to modify. From the dialog, you can specify a Default Viewer and a view Layout for each of the common viewers that all Profiles contain, which consist of the following:

  • Analysis Grid viewer

  • Grouping viewer

  • Chart viewer

Example of Configuring a Profile to Create a Targeted Analysis Environment

This section provides an example of creating a Profile that specifies data viewers and view layouts that create an environment that uniquely suits analysis of TCP messages. To create this example Profile, use the procedure that follows:

  1. Display the New Profile dialog by clicking the Add Profile button on the toolbar above the Advanced Profiles list on the Profiles tab of the Options dialog.

    The Options dialog is accessible from the global Message Analyzer Tools menu.

  2. In the Name text box of the New Profile dialog, specify a name for your new Profile such as "My TCP Analysis".

  3. In the Description text box of the New Profile dialog, optionally specify a brief description of the new Profile.

  4. In the Category drop-down list, optionally specify a category for your Profile by selecting one in the list or by typing a custom name in the Category combo box.

  5. From the File Type drop-down list, select the type of file that you want to associate with your new Profile, for example, a .cap file.

  6. From the Copy From drop-down list, select one of the built-in Profiles to populate your new Profile with initial viewer and view layout settings.

    Note: Use this option if an existing built-in Profile contains a configuration from which you want to import settings into your new Profile. Otherwise, proceed to the next step.

  7. When complete, click the Save button in the New Profile dialog to save the Profile.

  8. In the Advanced Profiles list, select your newly created Profile and then click the Edit Profile button on the toolbar above the Advanced Profiles list to display the initial configuration of your custom Profile.

  9. From the Default Viewer drop-down list, select the Analysis Grid viewer as the default to display your initial session results.

    This list contains the same viewers that are accessible from the New Viewers drop-down list on the global Message Analyzer toolbar.

  10. From the File Type drop-down list, select the .cap file type.

    This list contains most of the same file types that are listed in the All Supported Files list that displays in the Open dialog when you click the Add Files button during Data Retrieval Session configuration.

  11. From the Analysis Grid Layout drop-down list, select the TCP view Layout for the Analysis Grid viewer.

  12. From the Grouping Viewer Layout drop-down list, select the TCP Deep Packet Analysis view Layout for the Grouping viewer.

  13. From the Charts Layout drop-down list, select the TCP Rate and Diagnosis view Layout for the Chart viewer.

    As previously described in this topic, this Chart will not display unless you select the Default item in the Charts drop-down list that is accessible from the New Viewer drop-down list. You would typically make this selection after you load data from the .cap file. The TCP Rate and Diagnosis view Layout for the Chart viewer will then display, provided that this Profile is enabled in the Advanced Profiles list at the time you load the data.

  14. Place a check mark in the Automatically open Grouping Viewer check box.

    With this check box selected, the Grouping viewer will automatically display with populated data in your initial session results when loading data from a .cap file, provided that this Profile is enabled in the Advanced Profiles list.

  15. Click the Save button to retain your Profile configuration.

At this point, you can create a Data Retrieval Session, as described in Configuring a Data Retrieval Session, to specify a .cap file from which to load data so you can test whether the Profile configuration displays the expected default viewer and layouts. The section that follows provides an overview of how you can use the presentation formats of the viewers and layouts of this Profile to create some useful analysis contexts.

Targeted TCP Analysis Overview As indicated in the previous procedure, this Profile is configured by default to display the TCP view Layout for the Analysis Grid viewer, the TCP Deep Packet Analysis view Layout for the Grouping viewer, and the TCP Rate and Diagnoses view Layout for the Chart viewer. The main advantage of the viewer and layout configuration of this Profile is that it provides you with an exceptional context for analysis of TCP messages that can quickly expose potential TCP issues, as described ahead.

TCP Layout — with the TCP Layout for the Analysis Grid viewer, you can observe values such as Source and Destination IP addresses, TCP DestinationPort and SourcePort, PayloadLength, SequenceNumber, AcknowledgementNumber, WindowScaled, and a Summary description that are each displayed as a separate column of data in the Analysis Grid viewer. This provides quick access to important TCP data that can point to areas that need further investigation, for example, an improper receive window size that could be causing packets to be dropped.

TCP Deep Packet Analysis Layout — with the TCP Deep Packet Analysis view Layout for the Grouping viewer, the data displays in a hierarchical grouped configuration that is organized by DataSource at the top-level, along with nested groups consisting of the Network group for the IP or Ethernet conversations, the Transport group that identifies the transport that carried the conversations, and the associated TCP SourcePort for each message. Note that you can use the Grouping viewer in the Selection Mode or Filtering Mode to interactively drive the display of messages in the Analysis Grid viewer to correlate your data. The Selection Mode drives the selection of messages in the Analysis Grid viewer while the Filtering Mode causes filtered-isolation of messages in the Analysis Grid viewer, where the data displayed in each mode is based on selection of groups in the Grouping viewer.

An advantage of the Grouping viewer is that it enables you to drill down through the grouped configuration to isolate and expose data of interest at each group level. For example, by clicking a Network group, you can interactively select (or filter) all the messages in the Analysis Grid viewer that are associated with a particular IP conversation, which is similar to what the Conversation Tree does in the Network Monitor application. In Selection Mode, you can analyze the details of selected messages in the context of the original capture sequence, where leading and trailing messages can often provide clues as to why an error might have occurred for a selected message. Another advantage of the Grouping viewer is that it can immediately expose the groups that have the highest associated traffic volumes, which can also be a trigger for further investigation.

For further grouping analysis, you might consider using the Group command (a right-click command on a chosen Analysis Grid viewer column header) to organize the data into separate groups based on common values that exist in the selected column. This feature can quickly expose data that can enhance your analysis perspective. For instance, you could create a unique analysis context by executing multiple Group commands that create a nested group configuration by first grouping the Module column and then grouping the PayloadLength column. This nested group configuration can quickly expose which Modules have messages with the highest payloads so you can isolate such traffic for further investigation. In the grouped context, this could also involve drilling down into the associated message stacks to assess the payload levels, which includes the Transport Layer payloads. With this information and the Source and Destination address information, you might be able to expose computers that are being overwhelmed by heavy traffic loads where a high volume of TCP retransmits is occurring.

With the TCP Rate and Diagnoses view Layout for the Chart viewer, you can quickly assess how many Diagnosis messages occurred in a trace in the context of associated IP conversations, the TCP SourcePort and DestinationPort associated with the IP conversations, and the ratio (Rate) of how many Diagnosis messages occurred with respect to the total number of messages in a particular conversation. A high Diagnosis error Rate can also be a flag that further investigation is warranted. Note that you can obtain a summary of Diagnosis message counts and descriptions for each diagnosis type across a set of trace results by opening the Diagnostics Tool Window from the global Message Analyzer Tool menu.

Taken together, these viewers and layouts provide robust information sets that you can utilize for analysis of TCP data that exists in Network Monitor capture (.cap) files. If you want to modify this Profile, you can do so as specified in the section that follows. Because the value of the ReadOnly column in the Advanced Profiles list for this Profile is False, you can change the settings of this Profile as you wish, going forward.

Editing and Removing Profiles

Given that the ReadOnly value for user-created Profiles is always set to False in the Advanced Profiles list, you can edit any Profile that you have created at any time, by simply highlighting the Profile and then clicking the Edit Profile button on the Advanced Profiles toolbar. After you modify and save a custom Profile, the viewer and layout configuration that you specified will be automatically applied whenever you are loading data into Message Analyzer from the file type for which you configured the Profile.

To remove any custom Profile that you created, simply highlight the Profile in the Advanced Profiles list and then click the Remove Profile button on the Advanced Profiles toolbar. Note that if you delete a custom Profile, you will be unable to recover the configuration except by creating a new Profile. Note that you cannot Edit or Remove any of the built-in Profiles.

See Also

Analysis Grid Viewer
Grouping Viewer
Chart Viewer Layouts
ETW Framework Conceptual Tutorial