Using Microsoft Message Analyzer for Network Troubleshooting
Protocol analyzers like Wireshark are very powerful tools network analysts use for a variety of reasons, including application baselining, identifying the root cause of application or network performance problems, documenting and mitigating cyberattacks, and device configuration tuning.
In this video, I show you how to use a protocol analyzer that you may not be familiar with: Microsoft Message Analyzer. This free analyzer is a good complementary tool to have in your toolbox. It can do some things that Wireshark can't.
Getting value out of a protocol analyzer depends first on how the packets are captured and then on how they are analyzed, and capturing packets is less straightforward than it looks. Where you capture (a SPAN/mirror port, a hardware TAP, or inline on the host itself) determines which packets you see and how trustworthy the timestamps are: an oversubscribed SPAN port silently drops frames and does not preserve inter-packet timing the way a TAP does. Analyzing the data is an art in itself; it takes a combination of theory, street smarts, and experience. One of the main features of a protocol analyzer like Wireshark is its ability to decode specific protocols and flag anomalies it detects.
However, every analyst eventually runs into a common scenario: identifying which application or process transmitted the packets in a trace. In some cases it is obvious. HTTP packets carrying a Mozilla User-Agent request header probably come from a web browser, although a User-Agent header is just a string that any program can send, so treat it as a hint rather than proof.
In other scenarios, you might see encrypted packets sent to an unknown IP address on TCP port 3433. If you are still at the host and the connection is still open, you can map the socket to its owner with command line utilities such as netstat -b (which needs an elevated prompt) or netstat -ano, which prints the owning process ID.
The tricky part is what you do if you need to figure this out at a later date, or when you are back at your desk with no access to that system. This is where Microsoft Message Analyzer helps. It captures more than just packets: it records which process was involved with which packets, so the process name travels with the trace instead of depending on a netstat snapshot taken while the connection was still alive. This feature helps in a variety of scenarios, from identifying malicious code to tuning application performance.
In the video, I show you how to add the process name as a column in Microsoft Message Analyzer to streamline your work.
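The netstat approach described above only works while the socket still exists, which is exactly the gap a per-packet process record closes. The following is an added example, not code from the article or from Message Analyzer, showing what you have to do when all you have is a packet trace plus a netstat -ano snapshot taken at capture time: parse the snapshot, match each packet's 4-tuple against the local socket table in either direction, and report which packets cannot be attributed. The netstat lines, the PID-to-image table, the packet list and the port 3433 destination are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of `netstat -ano` output, as captured on the host while
# the trace was running. Columns: Proto, Local Address, Foreign Address,
# State (absent for UDP), PID.
NETSTAT_SNAPSHOT = """
  TCP    192.168.1.10:50123     203.0.113.5:3433        ESTABLISHED     4212
  TCP    192.168.1.10:50124     93.184.216.34:443       ESTABLISHED     6028
  UDP    192.168.1.10:53412     *:*                                     1336
"""

# Constructed PID -> image name table (what `tasklist` or `netstat -b` shows).
# The PIDs and names are hypothetical.
PROCESS_TABLE: Dict[int, str] = {
    4212: "updater.exe",
    6028: "firefox.exe",
    1336: "svchost.exe",
}

# Constructed packets from the trace: (proto, src, sport, dst, dport).
PACKETS = [
    ("TCP", "192.168.1.10", 50123, "203.0.113.5", 3433),   # outbound to the odd port
    ("TCP", "203.0.113.5", 3433, "192.168.1.10", 50123),   # its reply
    ("TCP", "192.168.1.10", 50124, "93.184.216.34", 443),
    ("UDP", "192.168.1.10", 53412, "8.8.8.8", 53),          # unconnected UDP socket
    ("TCP", "192.168.1.10", 50999, "198.51.100.9", 3433),   # no socket in the snapshot
]

NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$"
)


@dataclass(frozen=True)
class Conn:
    proto: str
    local: Tuple[str, int]
    remote: Optional[Tuple[str, int]]  # None for an unconnected UDP socket (*:*)
    pid: int


def parse_netstat(text: str) -> List[Conn]:
    """Parse netstat -ano style lines into Conn records; skips header/blank lines."""
    conns: List[Conn] = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, _state, pid = m.groups()
        remote = None if raddr == "*" else (raddr, int(rport))
        conns.append(Conn(proto, (laddr, int(lport)), remote, int(pid)))
    return conns


def attribute_packet(conns: List[Conn], proto: str, src: str, sport: int,
                     dst: str, dport: int) -> Optional[Tuple[int, str]]:
    """Return (pid, image) of the socket that owns this packet, or None."""
    for c in conns:
        if c.proto != proto:
            continue
        # Outbound: the local socket is the source. Inbound: it is the destination.
        # An unconnected UDP socket (remote is None) matches any peer.
        if c.local == (src, sport) and (c.remote is None or c.remote == (dst, dport)):
            return c.pid, PROCESS_TABLE.get(c.pid, "?")
        if c.local == (dst, dport) and (c.remote is None or c.remote == (src, sport)):
            return c.pid, PROCESS_TABLE.get(c.pid, "?")
    return None


def attribute_trace(conns: List[Conn], packets) -> Tuple[Dict[str, int], List[int]]:
    """Count packets per process image and list the indexes nobody claims."""
    by_proc: Dict[str, int] = {}
    unattributed: List[int] = []
    for i, pkt in enumerate(packets):
        hit = attribute_packet(conns, *pkt)
        if hit is None:
            unattributed.append(i)
        else:
            by_proc[hit[1]] = by_proc.get(hit[1], 0) + 1
    return by_proc, unattributed


if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_SNAPSHOT)
    counts, missing = attribute_trace(conns, PACKETS)
    for image, n in counts.items():
        print(f"{image:<14} {n} packet(s)")
    for i in missing:
        print("unattributed:", PACKETS[i])
```

The last packet is the interesting one: its socket had already closed (or had not yet opened) when the snapshot was taken, so no amount of later analysis can tie it to a process. Ephemeral ports are reused and PIDs are recycled, so a snapshot taken later can also attribute a packet to the wrong program. Recording the owning process alongside each packet at capture time, as the article describes Message Analyzer doing, avoids both problems.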