2014 Storage Developer Conference. © Microsoft. All Rights Reserved.
Evolution of Message Analyzer and Windows Interoperability
Paul Long, Microsoft
What is Message Analyzer?
blogs.technet.com/MessageAnalyzer
What is Message Analyzer?
Protocol and Log File Analysis Tool: correlation across traces and logs, visualize data
Trace Collection Tool: remote and local ETW events
Demo: A quick tour
Start Page: News
Start Page: Settings (Synchronized / Not Synchronized)
Trace Viewer layout: Message Stack Tool, Message Detail Tool, Various Stacked Tools, View Filter Tool, Session Tool, Status Bar, Viewer Actions
Demo: Correlation with Multiple Logs
Differences – Netmon
[Figure: four TCP (135) frames, each shown as Ethernet / IPv4 / TCP; the first carries "SMB Req (partial)" and the last "SMB Resp". No reassembly across frames.]
Differences – Wireshark
[Figure: the same four TCP (135) frames over Ethernet / IPv4; the request is shown as "SMB Req (Reassembled)", followed by "SMB Resp".]
Differences – Message Analyzer
[Figure: the same four TCP frames over Ethernet / IPv4. Both "SMB Req (Reassembled)" and "SMB Resp" sit on a "ReassembledTCP (meta)" message, and above them an "SMB Operation" message summarizes the request and response. Callouts: Top Level Protocol, Top Level Operation.]
Comparison: Message Analyzer, Network Monitor, Wireshark
Differences – Message Analyzer
[Figure: the same stack (Ethernet / IPv4 / TCP, "SMB Req (Reassembled)", "SMB Resp", "ReassembledTCP (meta)") with the operation hidden. Callouts: Top Level Protocol, Hide Operation.]
Differences – Message Analyzer
[Figure: four TCP (135) frames over Ethernet / IPv4, "SMB Req (Reassembled)", "SMB Resp", "ReassembledTCP (meta)", and the "SMB Operation" summary of request and response, now with the TCP Viewpoint applied. Callouts: Top Level Protocol, Top Level Operation.]
Differences – Message Analyzer
[Figure: with the TCP Viewpoint, the four TCP (135) frames over Ethernet / IPv4 become the top level, and each shows the "SMB Operation" it belongs to as a Top Level Summary Property.]
Differences – Message Analyzer in 3D
[Figure: layered 3D view over a 1s–4s timeline. Layers from the bottom: Ethernet; IPv4 and ARP; TCP (with the "TCP VIEWPOINT" marker); TLS and HTTP Chunk; then SMBRequest / SMBResponse (ReassembledTCP) and HTTP Request / HTTP Response. Conversations shown:
C1 Network: 192.168.1.10-192.168.1.20, Transport: 443-3333
C2 Network: 192.168.1.10-65.55.206.228, Transport: 80-2515
C3 Network: 00-50-8D-B6-CD-56-00-50-8D-B6-CD-66
C4 Network: 192.168.1.10-192.168.1.5, Transport: 445-9999]
Differences – Message Analyzer in 3D
[Figure: the same 3D view over 1s–4s reduced to the Ethernet, IPv4 and TCP layers, for the same four conversations:
C1 Network: 192.168.1.10-192.168.1.20, Transport: 443-3333
C2 Network: 192.168.1.10-65.55.206.228, Transport: 80-2515
C3 Network: 00-50-8D-B6-CD-56-00-50-8D-B6-CD-66
C4 Network: 192.168.1.10-192.168.1.5, Transport: 445-9999]
Differences: Session Explorer
The total number of messages is shown at the bottom. For a .cap or .pcap this is the raw count, which is what Netmon/Wireshark display.
A second total gives the count after the data has been reassembled and summarized into operations.
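The gap between those two totals comes from two steps: TCP payload is reassembled into whole SMB messages, and each request is then paired with its response into one operation. As an added example that is not from the slides or from Message Analyzer itself, the following Python models those two steps on a constructed four-frame exchange (two segments for the request, a bare ACK, one segment for the response), matching the four TCP frames in the "Differences" figures. The SMB-like header (magic, message id, flags, body length), the `Frame` records and the conversation key are all constructed for illustration.

```python
"""Toy model of frame -> reassembled message -> operation counting (constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAGIC = b"SMB2"   # constructed toy header: magic(4) msg_id(1) flags(1) body_len(2, big-endian)
HDR_LEN = 8


@dataclass
class Frame:
    conv: str        # conversation key, e.g. "client:port-server:445" (constructed)
    direction: str   # "c2s" or "s2c"
    seq: int         # TCP sequence number of the first payload byte
    payload: bytes   # TCP payload; empty for a bare ACK


@dataclass
class SmbMessage:
    conv: str
    msg_id: int
    is_response: bool
    body: bytes
    frames: List[int]   # indices of the frames that carried it ("ReassembledTCP" meta)


def build_message(msg_id: int, is_response: bool, body: bytes) -> bytes:
    """Encode one toy SMB-like message."""
    return MAGIC + bytes([msg_id, 1 if is_response else 0]) + len(body).to_bytes(2, "big") + body


def per_frame_label(frame: Frame) -> str:
    """What a frame-centric viewer shows for one segment, with no cross-frame reassembly."""
    p = frame.payload
    if not p:
        return "TCP"
    if p[:4] != MAGIC:
        return "TCP (continuation)"
    body_len = int.from_bytes(p[6:8], "big")
    kind = "SMB Resp" if p[5] & 1 else "SMB Req"
    return kind if len(p) >= HDR_LEN + body_len else kind + " (partial)"


def reassemble(frames: List[Frame]) -> List[SmbMessage]:
    """Order segments per (conversation, direction) by seq, join them, and cut out whole messages."""
    streams: Dict[Tuple[str, str], List[Tuple[int, int, bytes]]] = {}
    for idx, f in enumerate(frames):
        streams.setdefault((f.conv, f.direction), []).append((f.seq, idx, f.payload))
    messages: List[SmbMessage] = []
    for (conv, _direction), segs in streams.items():
        segs.sort()
        data = b"".join(p for _, _, p in segs)
        owners: List[int] = []                   # which frame each stream byte came from
        for _, idx, p in segs:
            owners.extend([idx] * len(p))
        pos = 0
        while pos + HDR_LEN <= len(data):
            if data[pos:pos + 4] != MAGIC:
                raise ValueError("stream out of sync at offset %d" % pos)
            msg_id, flags = data[pos + 4], data[pos + 5]
            end = pos + HDR_LEN + int.from_bytes(data[pos + 6:pos + 8], "big")
            if end > len(data):
                break                            # trailing partial message: not yet complete
            messages.append(SmbMessage(conv, msg_id, bool(flags & 1),
                                       data[pos + HDR_LEN:end], sorted(set(owners[pos:end]))))
            pos = end
    return messages


def summarize_operations(messages: List[SmbMessage]) -> List[Tuple[Optional[SmbMessage], Optional[SmbMessage]]]:
    """Pair each request with the response that carries the same (conversation, message id)."""
    pending: Dict[Tuple[str, int], SmbMessage] = {}
    ops: List[Tuple[Optional[SmbMessage], Optional[SmbMessage]]] = []
    for m in messages:
        key = (m.conv, m.msg_id)
        if not m.is_response:
            pending[key] = m
        else:
            ops.append((pending.pop(key, None), m))   # orphan response still shows as an operation
    for req in pending.values():
        ops.append((req, None))                       # unanswered request: one operation, no response
    return ops


def count_levels(frames: List[Frame]) -> Dict[str, int]:
    """The three totals: raw frames (Netmon/Wireshark), reassembled messages, operations."""
    msgs = reassemble(frames)
    return {"frames": len(frames), "smb_messages": len(msgs), "operations": len(summarize_operations(msgs))}


# Constructed sample: one conversation whose key echoes the slides' 445-9999 transport pair.
SAMPLE_CONV = "192.168.1.10:9999-192.168.1.5:445"
_req = build_message(7, False, b"R" * 300)          # 308 bytes, split over two segments
_resp = build_message(7, True, b"S" * 50)
SAMPLE_FRAMES = [
    Frame(SAMPLE_CONV, "c2s", 1000, _req[:200]),    # header + first part of the request body
    Frame(SAMPLE_CONV, "c2s", 1200, _req[200:]),    # rest of the request body
    Frame(SAMPLE_CONV, "s2c", 5000, b""),           # bare ACK, counted as a frame but carries nothing
    Frame(SAMPLE_CONV, "s2c", 5000, _resp),         # whole response in one segment
]

if __name__ == "__main__":
    for i, f in enumerate(SAMPLE_FRAMES):
        print(i, per_frame_label(f))
    print(count_levels(SAMPLE_FRAMES))
```

Running it lists the per-frame view ("SMB Req (partial)", "TCP (continuation)", "TCP", "SMB Resp") and then the three totals, 4 frames, 2 SMB messages and 1 operation; the `frames` field on each reassembled message is the equivalent of the "ReassembledTCP (meta)" link back to the underlying segments.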
Dealing with Encrypted Traffic
Capture before encryption: HTTPS, IPsec, SMB, SMB Direct
Decrypt a trace afterwards
Demo: Post Decryption
Decrypting a trace
The Decryption Tool can be docked anywhere.
1. Select a successfully decrypted session from the Decryption Tool.
2. This triggers a global selection of those messages.
3. Decrypted traffic is shown for the in-focus selected message.
The Selection Tool Window is a helpful way to find all the selected messages and bring each one into focus.
Questions?
Resources
http://blogs.technet.com/MessageAnalyzer
http://social.technet.microsoft.com/Forums/en-US/home?forum=messageanalyzer
http://connect.Microsoft.com/Site216