Over 1 million tech questions and answers.

Message Analyzer - Local and Network traffic

Q: Message Analyzer - Local and Network traffic

I want to capture both local and network traffic for connections and disconnections unrelated to http
Capture filter "(tcp.RST || tcp.SYN) && tcp.Port != 80 && tcp.Port != 443"

I found that I can do one or the other, but when I add both below, I capture neither ???
>> What is the trick to capturing both ?
Thanks

Read other answers
RELEVANCY SCORE 200
Preferred Solution: Message Analyzer - Local and Network traffic

I recommend downloading and running Reimage. It's a computer repair tool that has been proven to identify and fix many Windows problems with a high level of success.

I've used it in the past to identify and fix everything from blue screens (BSOD's), ActiveX errors, corrupt files and processes, dll/exe/sys errors, recover lost memory, Windows update problems, defragging, malware removal etc.

You can download it direct from this link http://downloadreimage.com/download.php. (This link will automatically start a download of Reimage that you can save to your computer.)

RELEVANCY SCORE 84.4

Hello,
I've used Message Analyzer in the past to decrypt HTTPS traffic after importing the certificate used by the web server and it was a tremendous improvement over Netmon & NMDecrypt.    I'm looking at a trace I took of LDAPS traffic (TCP.port==636)
and the traffic after the SSL handshake Message Analyzer is not decrypting the traffic.   

Is the decryption sub-routines in Message Analyzer only supposed to work with HTTPS traffic, or should we be expecting to see success on LDAPS traffic as well?
Thank you,
John

Read other answers
RELEVANCY SCORE 83.2

Message Analyzer has not had any significant updates (apart from minor parser updates) for some time. The mechanism that out-of-the-box Message Analyzer uses to decrypt
TLS is based on access to the server certificate private key (and therefore does not work with ephemeral session keys). Since Message Analyzer is very flexible and configurable, I wanted to check whether it could be adapted to use SSLKEYLOGFILE information
and indeed the answer is yes.
 
The OPN programming language is Turing complete, but it would not be an ideal choice for implementing all of the necessary cryptographic routines that are needed for
this task ? it would be better to use existing cryptographic libraries. Fortunately OPN does include a mechanism for calling external routines ? the ?Handcoded? declaration:
 
binary DecryptData(string suite, byte ct, array<byte> ver, binary data, array<byte> key, array<byte> salt, ref array<byte>
iv, long ctr, out bool ok) with DeclarationInfo { Handcoded = true };
 
One simple way of using this is to place the ?Handcoded? definitions in a small OPN ?module?. The OPN has to be included as a resource in the DLL built from the ?Handcoded?
implementation. The resource is located by means of a .NET assembly level attribute:
 
[assembly: ExtensionOpnModel("TLSex.opn", false)]
 
The exposed hand-coded routine also needs to be decorated with attributes (for the containing ... Read more

Read other answers
RELEVANCY SCORE 83.2

Hi,
Is is possible to monitor the DHCP server logs and traffic on a Windows 2012 R2 DHCP load balanced server using Message Analyzer?
Mike

Read other answers
RELEVANCY SCORE 83.2

I'm looking for a good network analyzer software that allows me to monitor the network. maybe have some features on discovering devices, ports, bandwidth in a certain amount of time, etc. Thanks.
 

A:network traffic analyzer

That would depend on the network topology. Any global network monitoring will have to be done with access to a common point where all the traffic converges. Addressed traffic between workstations will go directly between them via any switches and gateways in the path, so you can't do this with just a workstation.
 

Read other 1 answers
RELEVANCY SCORE 82.4

While I open my the ETL file captured in Windows 10, the PID/VID seems to be incorrect (compared to what I read in Network Monitor 3.4 and I plugged the devices myself, I know what's the right VID/PID).
I did discover there are some error messages in the log, and I only put two examples below,
10/28/2015 3:29:17 PM Error C:\Users\IBM_ADMIN\AppData\Local\Microsoft\MessageAnalyzer\OPNAndConfiguration\OpnForEtw\OpnForEtwProcess\TCPIPComponentExt.opn(173,45-173,62):  undeclared 'EventTemplate_130'
10/28/2015 3:29:17 PM Error C:\Users\IBM_ADMIN\AppData\Local\Microsoft\MessageAnalyzer\OPNAndConfiguration\OpnForEtw\OpnForEtwProcess\TCPIPComponentExt.opn(197,50-197,67):  undeclared 'EventTemplate_130'

Could you help me to understand what I should do to overcome it?

Read other answers
RELEVANCY SCORE 82.4

Upgraded to Windows 10 today, and Message Analyzer no longer seems to be capturing traffic (build 4.0.7540.0).

Get-NetEventSession shows that there's a session running, but nothing shows up in the Message Analyzer window.
 

Read other answers
RELEVANCY SCORE 81.6

Hi!
Is there a way to look inside GRE tunnel traffic captured with Wireshark in Message Analyzer? I'm troubleshooting a scenario where I need to correlate event log entries from a server with network trace captured on by another person using ERSPAN protocol.
Thanks,
Ivan

Ivan Seriavin

Read other answers
RELEVANCY SCORE 81.2

My network seems to be slowing way down. I have basic networking knowledge and moderate Server knowledge. I, however, do not have very good analyzer skills.

Just like how we have an awsome sticky on RAID, I was wondering if we could have one on analyzing tools.

Personally I am looking for something either built into Server 2003, downloadable form Microsoft, or even free or expensive software that lets me monitor my network for traffic problems.

I am getting lots of users who are connected to a database on our server, and about every 5 minutes it looses the connection. I am trying to track the problem and don't know where to start.
 

Read other answers
RELEVANCY SCORE 78.4

Dear all,
it should be possible to
"Capture firewall discard Events - This feature allows you to discover how the firewall is affecting network traffic.  New messages tell you when traffic is blocked and associated IDs point to the specific firewall rule responsible
for dropping the message."
Source
Does anybody of you know a little bit more about how Message Analyzer has to be configured to show which rule blocks (in my case Outbound) traffic?
This would be a great improvement to the pfirewall.log, where this important information is missing...
Best regards

Peter

Read other answers
RELEVANCY SCORE 72

Hi there,

when extracting an archive to the same network location on which the archive itself resides, why is it that I'm having local bandwidth usage?

As you can see, there is simultaneous ~150Mbit/s upstream/downstream on my local ethernet adapter. WHY? As far as I am concerned there should be no meaningful traffic since it's actually a copy process on the local hard disk of my server.

Ideas anyone? Your help/insight is highly appreciated!

Cheers

A:copy from/to network share - why local traffic?

The action is being processed on your local machine's CPU rather than the servers CPU since the task was initiated from your machine, the only way to reach your machine from the server is via your ethernet card.

If you were able to initiate the task on the server itself then you would not see any ethernet usage on your client machine. You wouldn't even see the application completing the task. The only change you would see is the new files on the servers share.

Hope This Helps,
Josh

Read other 3 answers
RELEVANCY SCORE 72

Hi,

I have recently moved to a wireless broadband connection. The connection is slower than my cable internet in my previous residence. So, I'm noticing some things while I work. One thing is that every time I access my local hard drive, there is network traffic and I have to wait for the network. This is while I'm connected to a VPN. The folders I'm accessing are not synchronized off-line files, either. I do have one mapped network drive.

Anyone know what would cause Windows XP to instigate network traffic when accessing a local drive and how to limit it?

Thanks,
Paul
 

A:Network traffic while accessing local drive

This is actually a situation I ran across some time back. Every local access was trying to touch a network drive, and when that drive wasn't available, it got ugly! In my case, it was a errant path in the registry that was being searched every time I opened a file locally.
 

Read other 3 answers
RELEVANCY SCORE 70.4

Dear Team,

We have two offices at 1 floor. both are connected with uplink of their switch.

We are facing latency or packet drop issue at second office. I am not sure why facing such kind of issues but it may be some packets or request redirected to the firewall. Due to this our switch traffic get jam & we are facing network congestion issue

My concern is only that request will move to the firewall which want internet access, apart from that all LAN traffic will use another gateway to local transfer or communication purpose.

For your kind information I am giving you Network Infra.

1 office :- 40 Users, 1 Firewall, Squid Proxy Server, 3 Switches
2 office :- 20 Users, 2 switches
Up-link from office 1 to Office 2
 

Read other answers
RELEVANCY SCORE 68.8

Message Analyzer seems to have no print/export as CSV/TSV. 
Log parser 2.2 doesn't seem to understand .matp formats. 2.2 seems to be the latest version.
logparser -i:netmon "SELECT * INTO test.csv from test.matp
says "not recognized as a valid NetMon capture file"

Are there other tools? I'm surprised this is not a common request. 

Message Analyzer can export as .cap files, but these particular traces either export badly or the traffic is something that wireshark doesn't handle. MessageAnalyzer shows it as fairly standard TCP traffic, albeit to/from IPV4-loopback, which is the correct
"NIC".

Read other answers
RELEVANCY SCORE 68

My application does not have any network-like implementation except FlexNet Publisher for licensing. I expect it should connect only to license server.

When I use Microsoft Network Monitor then it shows only connections from/to my application and license server.

When I use Microsoft Message Analyzer then it shows enormous additional traffic for my application which I cannot explain. For example many events' source and destination do not match my local machine (BRWS/DNS/UDP modules), so it seems that my application
is kind of proxy (?) for them. Can anyone give some hints how to interpret Message Analyzer data, please?

Read other answers
RELEVANCY SCORE 66

To whom it may concern,
 
I have been directed to Google's "unusual Traffic from your computer network" webpage on several occasions.  I have ran Malwarebytes and Avast! at times and it has yet to report anything suspicious.  I know this won't help when I say this but I've had other weird symptoms as well but can't remember what they were.  I do know that there is a file in a folder on my computer that is locked and I can't delete and I know I didn't put it there (file/folder name is lengthy numbers and letters).  I'm sorry I can't offer more descriptions, my brain isn't what it used to be.  But I look forward to your help!  Thank you in advance for your time!!
 
Sincerely,
 
Jen

A:Google "Unusual traffic from your computer network" message

Hello,
I will be helping you with your problems. Please be patient while I assist you.
Some points for you to keep in mind while I am helping you to make things go easier and faster for both of us
Please do NOT run, install or uninstall any programs,  unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate... Read more

Read other 12 answers
RELEVANCY SCORE 66

Hi guys,

I hope you guys could provide me with a few sites on

Traffic Generator Functions or Performance Analyzer

these are for networking, layer 1 and layer 2 switches
I cant seem to find any, so i hope you guys could help me out
thanks
 

Read other answers
RELEVANCY SCORE 66

Hi everyone!!!

I've been tasked with running message analyzer to determine if data is encrypted from an endpoint. We are using MBAM and want to ensure that any data sent to MBAM application server is encrypted. Now, we know it is via https, but, we still need to verify this
(for audit purposes).

Can anyone provide some insight as to how I could use microsoft message anaylzer (or perhaps something better) ?

We are planning to run a capture for 24 hours. We also want to ensure data is encrypted from app server to sql server. 



Thanks all! 

Read other answers
RELEVANCY SCORE 66

I keep getting this alert despite the amount of resources that I add to my Gateway.  
Our DC and Gateway are running virtually in VMware.  Distributed Virtual Switches are not an option so I have to resort to configuring Promiscuous Port Group.  
I configured a Promiscuous Port Group on the same Virtual Switch that the DC (and the rest of our servers) is connected , and assigned it the same VLAN ID as the DC. 
ATA is capturing and reporting traffic but I continually receive an alert for some network traffic is not being analyzed.  I have thrown double the resources at our Gateway's
than what the sizing tool identified, and still receive this alert.  At this point I have 24GB of RAM and 10 Cores allocated to my Gateway which is only capturing reporting on 1 DC.  At this point I am about ready to scrap ATA because of how resource
intense it is.  
Any ideas or suggestions?  Does it sound like I have the Promiscuous Port Group configured correctly, or is it possible that I am capturing ALL traffic for the VLAN assigned?  

Read other answers
RELEVANCY SCORE 64.8

Is there a good network traffic/broadband monitor that actually keeps track of ALL (really ALL) traffic in a network?
I have used quite a few (eg, Ethereal, ntop, network probe) but all of them kinda keep track of only traffic that is coming in and out of the PC they are run from.

I need one that really tracks every single transaction that goes on in the network, including PCs talking to PCs, PCs talking to servers, servers talking to PCs, PCs talking to printers, etc.

Would help a great deal if they are FREE too!

Anyone know of any good ones?
 

A:Network traffic/bandwidth monitor that tracks GLOBAL network traffic

Hi.

You may find something here...

http://www.freewarehome.com/Internet/Networking/Network_Monitoring_t.html
 

Read other 2 answers
RELEVANCY SCORE 60.4

any body got any good ideas about a good in house message system? Looking for something that can be installed on all computers that will notify that a new post was posted. I need to spread information thru out my network like, when a computer is ready for a customer, or the status of one, or sending a message to a certain computer on my network of what needs to be done to a system. Open source would be great.

Read other answers
RELEVANCY SCORE 57.6

Hello,

I did some searching on this topic and saw the answer was to turn off default gateway. I work at home and am connected to my home network and VPN into my work network so outlook will work. If I look at my VPN Status, it says IPv4 connectivity - no internet access- and IPv6 connectivity no network access.

From what I was able to find this is how I want it set up so that my general internet browsing it not going over my VPN. Can you confirm that's what IPv4 no internet access means?

My home network says IPv4 connectivity - internet -
 

Read other answers
RELEVANCY SCORE 57.6

I get the error message :Some of the controls on this property sheet are disabled becuase one or more other network property sheets are already open.

What exactly does this mean and what should I do about it?
 

A:strange error message when i click on local network connections (WinXP)

Start by rebooting.
 

Read other 1 answers
RELEVANCY SCORE 57.2

Could any one tell how i would make an ethernet adaptor in vista capable of only local traffic and not internet traffic.

Read other answers
RELEVANCY SCORE 56.4

Okay first here's a little bit on my hardware setup:

Router: Belkin F5D8235-4 v2000 Latest Firmware

My laptop: Acer 5739g with the latest windows 7 and the latest drivers installed as well.

Roommates laptop: Same as mine but with windows vista(she never got the free upgrade lol)

Desktop: Custom built with the latest windows vista and the latest drivers installed as well.

All computers have wireless! Laptops have N and the desktop has G.

Now for my problem. At random after I attempt any sort of local network traffic (such as copying files across the network), my wireless for all the computers crashes without warning. This happened when I still had vista on my laptop too, however it did not happen with the old router that got fried. I have tried a couple of things to see if I could resolve the issue such as upgrading to the latest firmware and playing around with the settings(different radio channels etc). No matter what settings I use it seems to crash. I assigned static IP's for all the computers hoping it might fix the problem but I had no luck with that either.

Here's my wireless router settings:
http://img96.imageshack.us/img96/7654/wirelesssettings1.png
http://img139.imageshack.us/img139/5143/wirelesssettings2.png

I have no problems with the internet and I can download large files without any problems this seems to be a local issue only, and it seems to happen more often when moving large amounts of data.
I'm pretty stumped about this one and... Read more

A:Wireless crashes with local traffic

Read other 12 answers
RELEVANCY SCORE 56

After Windows 10 1803 update, the loopback capture scenario does not show network events.
Repro steps :

I run Message Analyzer as an adminNew SessionLive TraceSelect ScenarioLocal Loopback network
Navigate with my browser to any self hosted web site at 127.0.0.1, any port.
try ping 127.0.0.1 or localhost
The analysis grid only shows Windows_Kernel_Trace modules.
I tried uninstall, install Message Analyzer again, update Assets (they are all in sync).
Any help is appreciated

Read other answers
RELEVANCY SCORE 56

Please provide removal assistance
 

A:svchost.exe does suspicious internet and local traffic

I've saw that hiting F12 on Chrome on different sites, on different times, sometimes, I get this js script added, although on different PCs aren't there:
<script src="http://93.113.37.2/stats/793Dv"></script>
<script src="http://s3.amazonaws.com/jscache/caa21cd32b826e98dc.js"></script>
 

Read other 0 answers
RELEVANCY SCORE 56

Hi

On one computer I am running one ISP and on the other computer I am using a different ISP.

Each Computer has its own PPPOE dial up connection. My router is set up in bridge mode (Telkom Mega 100WR2)

Is there a way of making my router split the international and local bandwidth of my one ISP account so that when I go onto a local site it doesn't use my international bandwidth?

Or is the only solution buying two different accounts - one international and one local?

Please let me know ASAP

Thanks

A:Splitting International and Local traffic using one account with one ISP

Think of it from the router's point of view. Every packet that it comes across must be "routed" to either a specific gateway, or its default gateway if none of the other routes match.

There's really nothing at the IP address layer that directly distinguishes "national" from "international" addresses, but you could for example deduce that IPs in the (making this up completely) 144.123.X.Y and 144.124.A.B ranges are definitely "national" so they should be forwarded to a specific (national) gateway instead of being sent to the router's default gateway to process.

The precise mechanism for adding routes will depend on your router. There may be a console interface, or you might need to connect via its HTTP administration page and find the "manage routes" section. That's the easy part.

The hard part will be establishing exactly what IP ranges are considered "national" in your area, and whether the blocks are sufficiently contiguous to allow you to add all of them individually, or whether you'd have to use supernetting. Unless you've done that type of work before you'd probably want some direct assistance from a networking technician.

Read other 1 answers
RELEVANCY SCORE 55.2

Hey all im new here and im mainly looking for an answer or maybe some assitance for setting somthing up what would take all new or existing IPs and route/direct or forward there first viewed page to a specific web page. This is an open network with new useres comming and going all the time
thanks for the help ladys and gents

cheers
 

A:redirect local traffic to a certain URL apon opening browser

Read other 9 answers
RELEVANCY SCORE 54.8

Hi,

I am having a problem on a clients home computers where if I use the option on the VPN to force local traffic to bypass the VPN, after XX Hours Outlook/Exchange stops working and requires a reconnect of the VPN.
When I have the Option in IPv4 to disable bypassing local traffic the above problem is gone and all works fine.. connections last for days+

This happened when a recent change of both the server and client having Telstra BIGPOND Internet. I have previously used Other ISP and Tested the issues with home connections and all works fine eg(Telstra Bigpond to TPG). This is a telstra bigpond to telstra
bigpond connection and thats the issue!
Server is using Telstra Bigpond ADSL
Client is using Telstra Bigpond Cable Coax Internet
So I would like to learn what is required to use the Route function.
I need help on how to create a few routes which would bypass all websites (Ipaddress in the www) and leave out the server's IP address (The remote server's Ipaddress I dont want to bypass the VPN)  I would like to leave the server ip out for security
reasons. If a Private Message can be done? or an explanation?

I understand and read that I can use mask to allow me to route a range of IP Addresses but got very confused on how the numbering worked.
http://superuser.com/questions/121998/windows-7-how-can-i-add-an-ip-range-in-the-route-command
this is where I seen how to range IP route
If there is another way Please let me know. Like I said earlier. I c... Read more

Read other answers
RELEVANCY SCORE 54.4

Message analyzer 1.4
Hello,
Just discovered the tool and used to identify Web application bottleneck performance.
But I need some helps.
During analysis, I have found out a possible issue related to DNS (several seconds).
The problem is that I can not understand if the DNS is related to the application or other source.

Is a way to add the source (not the host name) but the application?
Thanks

Read other answers
RELEVANCY SCORE 54

OK, this is my problem , I'm working in a complex environment with many networks and more servers (300+). Historically server hosted firewalls have been disabled and none of the internal subnets were bordered by firewalls ( thankfully they at least used
firewalls on the external interfaces ) . Documentation has also been poor. Not all the people who implemented some of our stuff still work here. The internal networks have effectively been completely flat.
The risks of this have finally been recognised and a project is in place to start implementing server hosted firewalls and on those internal subnets deemed important hardware based firewalls will also be implemented.
As you can probably guess however, from the initial statement nobody has much of a clue about which servers/applications are talking to what and how ( protocol or port) statefull/less. I'm looking for a tool which from a central location can monitor and
consolidate the network traffic between servers/applications and present the information in such a way that they could be analysed and present a baseline set of reports which would be a solid foundation for defining a set of firewall rules. Ideally the solution
would be agent less  (but that is not a deal breaker) . Is Message Analyzer the tool for this ? Or should I be looking elsewhere ? The OS landscape is overwhelmingly windows servers ( 2008 thru 2016 ) but there are a few RHEL servers ( although I don't
mind treating them as a separate ca... Read more

Read other answers
RELEVANCY SCORE 54

Hi everybody,
I need to investigate somes logs for find an issue on Outlook calendar
So i followed this topic to activate the "debug mode" of Outlook :
https://support.office.com/en-ie/article/What-is-the-Enable-logging-troubleshooting-option-0fdc446d-d1d4-42c7-bd73-74ffd4034af5
Now, i got a file : OLKCalLog_2017_01_02_08_39_07.etl
I opened it on Message Analyzer for make some easy checks :
- Calendar item actions (creation, modification, or deletion)
How can i use the filter for find the keyword i created on the calendar (or the event ID for list all calendar items créations ??).
Example here, i made a calendar item called "Hello Technet".
The result :

PS : I just discovered that the ETL file is filled at the Outlook closing.
thanks for your help

Read other answers
RELEVANCY SCORE 54

Hi the Great team !
Looking for the latest activities around Messaging Analyzer, which btw. was very great tool, I have a feeling that this has been kind of inactive. Has Microsoft stopped developing the tool?

Petri

Read other answers
RELEVANCY SCORE 54

Hi everyone!

Why is not possible in Message Analyzer to parse the ICMPv6 traffic inside the IP-HTTPS tunnel (at least up to my current knowledge) and only shows the ESP traffic when the scenario "Network Tunnel Traffic and Unencrypted IPSEC" is chosen.
I also tried to  capture on a specific interface, but the IP-HTTPS interface was not listed among the available interfaces.

For additional information, the environment of the DirectAccess i deployed on Hyper-V Windows server 2012 R2 which means that my DA clients are VM's on the Hyper-V.

I would be so appreciated if someone gives me a feedback on this :) 

Thanks,

Ali

Read other answers
RELEVANCY SCORE 54

Hello.
I need to capture parse and save SIP/RTP traffic according sessions.
I'm trying to find way to capture this through Microsoft Message Analyzer but could not find any useful docs or samples.
All I found, only documentation about Open Protocol Notation, but this part about creating parsers for new protocols, not about catching traffic.
As I understand MMA based on Protocol Engineering Framework, but I also could not find any APIs to this
https://technet.microsoft.com/ru-ru/library/jj714800.aspx
I need some API to 
1. Configure catching network traffic with "Microsoft-Windows-NDIS-PacketCapture Provider"
2. Possible parse SIP packets with MMA
3. Receive flow of SIP (possible parsed already) and RTP traffic into my app.

Read other answers
RELEVANCY SCORE 54

Has Message Analyzer been abandoned by Microsoft?  It seems that Paul doesn't hang around here anymore, spam is starting to get posted, there haven't been any blog updates since 2016, and the Connect site doesn't appear to have been migrated to Collaborate. 
It's a really useful tool, but there are some serious performance problems with it still.

Read other answers
RELEVANCY SCORE 54

Hello,
- Does anyone know if MS has any plan to expose Message Analyzer C++ API? If yes, when will it be roughly?

- It seems NM 3.4 is in "archived" mode now, i.e. no new updates. However, if there is a vulnerability/serious bug, will MS fix/patch it?

- To develop a network monitoring tool, is there an alternative to NM 3.4 (with C++ API support), which is robust and have long-term development cycle? I am not entirely sure if Windows Filtering Platform (WFP) is the right one?

Thanks,

Victor

Read other answers
RELEVANCY SCORE 54

Hi,
When I open Message Analyzer it says that it has an update available.
But it takes me to download the 2016 install file.
How can I update it?

Read other answers
RELEVANCY SCORE 54

Support for decrypting TLS 1.3 connections in Wireshark has been present for some time and Message Analyzer, with some modification of its TLS OPN, can do it too.
 
The two ?handcoded?/external routines used by TLS.opn (DecryptData and ComputeKeys) both need extension. ComputeKeys needs to support the HMAC-based Extract-and-Expand
Key Derivation Function (HKDF) and DecryptData needs to support the new formats for the AEAD Nonce and AuthData.
 
Various type definitions need to be extended and some new types introduced (for handshakes like encrypted_extensions and extensions like supported_versions).
 
The biggest conceptual change that I made was to the routing of messages through the Message Analyzer stack. For TLS directly over TCP, the original Microsoft OPN files
dispatch the message from TCP to TLS then back to TCP and finally on to the end/application protocol (e.g. HTTP or HTTP2); one side effect of this is that some TLS handshake/alert messages are never visible in decrypted form ? one only sees the TLS handshake
messages sent in plain text and the decrypted application data. The new routing follows the path TCP -> TLS -> TLS again (if there are now some previous encrypted handshake/alert messages available in plaintext) -> TCP -> application protocol (e.g.
HTTP2).
 
The new routing means that all handshakes (even encrypted handshakes), such as encrypted_extensions (and indeed the server certificate ? which is enc... Read more

Read other answers
RELEVANCY SCORE 53.2

I've only recently started playing with Message Analyzer and found that an update was published on 3/10/2016. Are there any release notes or a basic list of bug fixes/improvements for the latest update?

Read other answers
RELEVANCY SCORE 53.2

Hello,
i try to build my own OPN parser. I just made a little test in order to check if everything working before moving forward. So i wrote this one below:

protocol LAMSEL with
BinaryEncodingDefaults{Endian = Endian.Big},
Documentation
{
ProtocolName = "",
ShortName = "LAMSEL",
Description = ""
},
OPNAuthoring
{
Copyright = "",
};

using Standard;
using Utility;
using UDP;
using IANA;

endpoint Server over UDP.Host issues LAMSELMessage accepts LAMSELMessage;
client endpoint Client connected to Server;

autostart actor LAMSELOverUDP(UDP.Host host)
{
process host accepts d:UDP.Datagram where ((d.Payload.Count > 0) && (d.DestinationPort == 1024))
{
dispatch endpoint LAMSEL.Server over host accepts ("TEST" as LAMSELMessage);
}
}

// Header
message LAMSELMessage
{
string MyString;
override string ToString()
{
return "TEST";
}
}
ttps://blogs.technet.microsoft.com/messageanalyzer/2016/05/13/how-to-plug-into-message-analyzer-parsers/
i try to plug this one as described in the link (i use the "Loopback and Unencrypted IPSEC" session because, i use a local software to send UDP packet localy on port 1024). The "LAMSEL.opn" file has been put here "C:\Program Files\Microsoft
Message Analyzer\OPNAndConfiguration\OPNForEtw\CoreNetworking"
I can see the UDP packet within the gridview "
MessageNumber Diagnosi... Read more

Read other answers
RELEVANCY SCORE 53.2

First time installation. 
When attempting to launch on Windows 7 get the error: 
Problem signature:
  Problem Event Name: APPCRASH
  Application Name: MessageAnalyzer.exe
  Application Version: 4.0.7948.0
  Application Timestamp: 56f0e7af
  Fault Module Name: USER32.dll
  Fault Module Version: 6.1.7601.19061
  Fault Module Timestamp: 56423d2a
  Exception Code: c0000005
  Exception Offset: 0000000000010800
  OS Version: 6.1.7601.2.1.0.256.4
  Locale ID: 1033
  Additional Information 1: 5838
  Additional Information 2: 583871ada3fbdcca9a3132ef9217b6ab
  Additional Information 3: 9c9d
  Additional Information 4: 9c9d036872bdb375cb2c4c6a9d6f29a2

Any ideas or what more information is needed?
System is Windows 7 Enterprise SP1 x64 - 8GB RAM. Dual Monitor. Intel Core i5.
.NET 4.6.1 installed
VisualStudio Community 2013 with Update 4
WireShark
Many other apps and things, but that should be mostly all that is really relevant, I think.
Thanks!
 

Read other answers
RELEVANCY SCORE 53.2

Hi,
Does anyone know how to capture traffic using p-mode via powershell? Can someone give me an example?
Here is the code I was working with, but it seems that Add-PefProviderConfig does not have a property to enable P-mode on the interface.
$TargetHost = New-PefTargetHost -ComputerName "DESKTOP-8T37P4E"
$TraceConfig = $TargetHost | Add-PefProviderConfig -Provider "Microsoft-Windows-NDIS-PacketCapture"
$TraceConfig.Configurations[0].Interfaces[7].Enabled=1
$TraceSession = New-PefTraceSession -Name "Test" -Force -Path "C:\Traces\Trace.matu" -SaveOnStop | Add-PefMessageSource -Source $TargetHost
Start-PefTraceSession $TraceSession

Thanks!
Andre

Read other answers
RELEVANCY SCORE 53.2

Howdy - any suggestions on how to "bulk" anonymize a Message Analyzer *.matp capture before we share it with a 3rd party?  Regards, Christopher

Read other answers
RELEVANCY SCORE 53.2

hi there,
when i click "Pre-Encryption for HTTPs" in Message analyzer(version 1.4), an error occurs like this "xxx should work with fiddler core".
then i download and install the fiddler core(the free version) in it's official site, and then installed it into the Message analyzer directory.
after installation completed, i click the "Pre-Encryption for HTTPs" again, but still see another errors like "Fiddler.startApplication() cannot start".
could you  please tell me how to make Fiddler core work with message analyzer?
btw, i also searched in message analyzer forum, but the marked answer is not helpful at all.

Read other answers