Over 1 million tech questions and answers.

Monitor DHCP logs and traffic using Message Analyzer

Q: Monitor DHCP logs and traffic using Message Analyzer

Hi,
Is is possible to monitor the DHCP server logs and traffic on a Windows 2012 R2 DHCP load balanced server using Message Analyzer?
Mike

Read other answers
RELEVANCY SCORE 200
Preferred Solution: Monitor DHCP logs and traffic using Message Analyzer

I recommend downloading and running Reimage. It's a computer repair tool that has been proven to identify and fix many Windows problems with a high level of success.

I've used it in the past to identify and fix everything from blue screens (BSOD's), ActiveX errors, corrupt files and processes, dll/exe/sys errors, recover lost memory, Windows update problems, defragging, malware removal etc.

You can download it direct from this link http://downloadreimage.com/download.php. (This link will automatically start a download of Reimage that you can save to your computer.)

RELEVANCY SCORE 84.4

Hello,
I've used Message Analyzer in the past to decrypt HTTPS traffic after importing the certificate used by the web server and it was a tremendous improvement over Netmon & NMDecrypt.    I'm looking at a trace I took of LDAPS traffic (TCP.port==636)
and the traffic after the SSL handshake Message Analyzer is not decrypting the traffic.   

Is the decryption sub-routines in Message Analyzer only supposed to work with HTTPS traffic, or should we be expecting to see success on LDAPS traffic as well?
Thank you,
John

Read other answers
RELEVANCY SCORE 84.4

I want to capture both local and network traffic for connections and disconnections unrelated to http
Capture filter "(tcp.RST || tcp.SYN) && tcp.Port != 80 && tcp.Port != 443"

I found that I can do one or the other, but when I add both below, I capture neither ???
>> What is the trick to capturing both ?
Thanks

Read other answers
RELEVANCY SCORE 83.6

My network seems to be slowing way down. I have basic networking knowledge and moderate Server knowledge. I, however, do not have very good analyzer skills.

Just like how we have an awsome sticky on RAID, I was wondering if we could have one on analyzing tools.

Personally I am looking for something either built into Server 2003, downloadable form Microsoft, or even free or expensive software that lets me monitor my network for traffic problems.

I am getting lots of users who are connected to a database on our server, and about every 5 minutes it looses the connection. I am trying to track the problem and don't know where to start.
 

Read other answers
RELEVANCY SCORE 83.2

Message Analyzer has not had any significant updates (apart from minor parser updates) for some time. The mechanism that out-of-the-box Message Analyzer uses to decrypt
TLS is based on access to the server certificate private key (and therefore does not work with ephemeral session keys). Since Message Analyzer is very flexible and configurable, I wanted to check whether it could be adapted to use SSLKEYLOGFILE information
and indeed the answer is yes.
 
The OPN programming language is Turing complete, but it would not be an ideal choice for implementing all of the necessary cryptographic routines that are needed for
this task ? it would be better to use existing cryptographic libraries. Fortunately OPN does include a mechanism for calling external routines ? the ?Handcoded? declaration:
 
binary DecryptData(string suite, byte ct, array<byte> ver, binary data, array<byte> key, array<byte> salt, ref array<byte>
iv, long ctr, out bool ok) with DeclarationInfo { Handcoded = true };
 
One simple way of using this is to place the ?Handcoded? definitions in a small OPN ?module?. The OPN has to be included as a resource in the DLL built from the ?Handcoded?
implementation. The resource is located by means of a .NET assembly level attribute:
 
[assembly: ExtensionOpnModel("TLSex.opn", false)]
 
The exposed hand-coded routine also needs to be decorated with attributes (for the containing ... Read more

Read other answers
RELEVANCY SCORE 82.4

Upgraded to Windows 10 today, and Message Analyzer no longer seems to be capturing traffic (build 4.0.7540.0).

Get-NetEventSession shows that there's a session running, but nothing shows up in the Message Analyzer window.
 

Read other answers
RELEVANCY SCORE 82.4

While I open my the ETL file captured in Windows 10, the PID/VID seems to be incorrect (compared to what I read in Network Monitor 3.4 and I plugged the devices myself, I know what's the right VID/PID).
I did discover there are some error messages in the log, and I only put two examples below,
10/28/2015 3:29:17 PM Error C:\Users\IBM_ADMIN\AppData\Local\Microsoft\MessageAnalyzer\OPNAndConfiguration\OpnForEtw\OpnForEtwProcess\TCPIPComponentExt.opn(173,45-173,62):  undeclared 'EventTemplate_130'
10/28/2015 3:29:17 PM Error C:\Users\IBM_ADMIN\AppData\Local\Microsoft\MessageAnalyzer\OPNAndConfiguration\OpnForEtw\OpnForEtwProcess\TCPIPComponentExt.opn(197,50-197,67):  undeclared 'EventTemplate_130'

Could you help me to understand what I should do to overcome it?

Read other answers
RELEVANCY SCORE 81.6

Hi!
Is there a way to look inside GRE tunnel traffic captured with Wireshark in Message Analyzer? I'm troubleshooting a scenario where I need to correlate event log entries from a server with network trace captured on by another person using ERSPAN protocol.
Thanks,
Ivan

Ivan Seriavin

Read other answers
RELEVANCY SCORE 78.4

Dear all,
it should be possible to
"Capture firewall discard Events - This feature allows you to discover how the firewall is affecting network traffic.  New messages tell you when traffic is blocked and associated IDs point to the specific firewall rule responsible
for dropping the message."
Source
Does anybody of you know a little bit more about how Message Analyzer has to be configured to show which rule blocks (in my case Outbound) traffic?
This would be a great improvement to the pfirewall.log, where this important information is missing...
Best regards

Peter

Read other answers
RELEVANCY SCORE 70.4

My application does not have any network-like implementation except FlexNet Publisher for licensing. I expect it should connect only to license server.

When I use Microsoft Network Monitor then it shows only connections from/to my application and license server.

When I use Microsoft Message Analyzer then it shows enormous additional traffic for my application which I cannot explain. For example many events' source and destination do not match my local machine (BRWS/DNS/UDP modules), so it seems that my application
is kind of proxy (?) for them. Can anyone give some hints how to interpret Message Analyzer data, please?

Read other answers
RELEVANCY SCORE 68.4

Microsoft Message Analyzer - Microsoft Security Event Logs - How to Group by IP Address and Sort Top talkers highest to lowest
I open a saved Microsoft Security Event Log evtx file and right click one of the event and group by IP address.
This gives me a count of how many security events is generated per IP Address.
However, I do not know how to sort highest to lowest the top talker. Basically, which IP address generated the most security events in my log file.

Read other answers
RELEVANCY SCORE 66.8

I'm looking for a good network analyzer software that allows me to monitor the network. maybe have some features on discovering devices, ports, bandwidth in a certain amount of time, etc. Thanks.
 

A:network traffic analyzer

That would depend on the network topology. Any global network monitoring will have to be done with access to a common point where all the traffic converges. Addressed traffic between workstations will go directly between them via any switches and gateways in the path, so you can't do this with just a workstation.
 

Read other 1 answers
RELEVANCY SCORE 66

Hi everyone!!!

I've been tasked with running message analyzer to determine if data is encrypted from an endpoint. We are using MBAM and want to ensure that any data sent to MBAM application server is encrypted. Now, we know it is via https, but, we still need to verify this
(for audit purposes).

Can anyone provide some insight as to how I could use microsoft message anaylzer (or perhaps something better) ?

We are planning to run a capture for 24 hours. We also want to ensure data is encrypted from app server to sql server. 



Thanks all! 

Read other answers
RELEVANCY SCORE 66

Hi guys,

I hope you guys could provide me with a few sites on

Traffic Generator Functions or Performance Analyzer

these are for networking, layer 1 and layer 2 switches
I cant seem to find any, so i hope you guys could help me out
thanks
 

Read other answers
RELEVANCY SCORE 60.8

Here are the generated logs for this Sony Vaio Laptop with XP/SP2.

Logfile of HijackThis v1.99.0
Scan saved at 11:27:12 AM, on 1/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media ... Read more

A:Hjt + Analyzer Logs - Please Help!

Welcome to TSF.

No need to post both logs. Just the result.txt log is enough.

You have a bad one there. We will need other logs to help us out here.

Before doing anything, MAKE SURE that you can keep your computer on (at least until we get it fixed). This infection requires us to detect and remove it without rebooting or restarting your computer (unless the instructions say so). If you can't keep your computer on today, then I suggest that you don't get the logs yet until you are ready. With that said (when ready):

Please download the following programs required for the removal process:

Kill2Me http://www.greyknight17.com/spy/Kill2Me.exe
PV http://www.greyknight17.com/spy/pv.zip
VX2Finder(126) http://www.greyknight17.com/spy/VX2Finder(126).exe
Hoster http://www.greyknight17.com/spy/Hoster.exe
CleanUp! http://cleanup.stevengould.org/ or http://www.greyknight17.com/spy/Cleanup.exe
KillBox http://www.greyknight17.com/spy/KillBox.exe
notify.bat - right click on this link http://www.greyknight17.com/spy/notify.bat and choose Save As...Save it.

Please follow the steps below:

1. Download/run the following uninstallers:

Look2Me Uninstaller http://www.look2me.com/cgi-bin/UnInstaller
IGN Keyword Uninstaller http://www.greyknight17.com/spy/NLNUninstall.zip
ClearSearch Uninstaller http://www.greyknight17.com/spy/ClrSchUninstall.zip

2. Run Kill2Me.

3. Unzip the pv.zip files contents to your Desktop (NOTE: It MUST be on your Desktop!).
a) Open... Read more

Read other 1 answers
RELEVANCY SCORE 60

I was just wondering if there would be any easy fixes to make my computer run faster. It's been running slowly for a while now. I have posted a HijackThis log file and and Analyzed copy too. Thanks in advance...

Logfile of HijackThis v1.99.1
Scan saved at 6:20:58 PM, on 4/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell TrueMobile 1150\Client Manager\CmDEL.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Debbie\My Documents\Repair\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://members.1st.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com... Read more

A:HijackThis and Analyzer Logs... Please Help!!

Hello and welcome to TSF...

In order to assist you better, we recommend that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro http://uk.trendmicro-europe.com/ente...all_launch.php. Just follow the instructions on the site to run the online scan. If any viruses/trojans are detected, try to delete or clean them in that site. Otherwise, make sure your antivirus program has the late... Read more

Read other 5 answers
RELEVANCY SCORE 57.6

Is there a good network traffic/broadband monitor that actually keeps track of ALL (really ALL) traffic in a network?
I have used quite a few (eg, Ethereal, ntop, network probe) but all of them kinda keep track of only traffic that is coming in and out of the PC they are run from.

I need one that really tracks every single transaction that goes on in the network, including PCs talking to PCs, PCs talking to servers, servers talking to PCs, PCs talking to printers, etc.

Would help a great deal if they are FREE too!

Anyone know of any good ones?
 

A:Network traffic/bandwidth monitor that tracks GLOBAL network traffic

Hi.

You may find something here...

http://www.freewarehome.com/Internet/Networking/Network_Monitoring_t.html
 

Read other 2 answers
RELEVANCY SCORE 56

from every pc on my localnet when connecting to google.com i got the message of "unusual traffic has been detected...".
this happens on Firefox, Chrome and IE (in some pc's).it seems that some malware is creating automated connections to google servers.

now using currports i have not detected any strange connections (but i am no expert on this)

I attach the following logs generated buy hijackthis.
 hijackthis_fani_laptop.txt   10.24KB
  0 downloads

 hijackthis_hrisanthi.log   8.75KB
  0 downloads

 hijackthis_katerina.log   7.24KB
  0 downloads

 hijackthis_reader.log   8.96KB
  0 downloads

if anyone could review them and understand if there is some malware working on any of the pc's i will be really .gratefull

thanks
Nikos

A:HiJAckThis logs for review (google unusual traffic)

Hello and welcome to Bleeping ComputerWe apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. Please chose one PC for now to work with and then let's first analyse jsut this one so we can identify the issue.If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you are unable to create a log because your computer cannot start up successfully please provide detailed information about the Windows version you are using: What we in particular need to know is version, edition and if it is a 32bit or a 64bit system. [/b]If you are unsure about any of these caracteristics, just let us know and we'll help you figuring it out. Please also tell us if you have your Windows CD/DVD handy.Please include a clear description of the problems you're having, along with any steps you may have performed so far.Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some pr... Read more

Read other 5 answers
RELEVANCY SCORE 55.2

Hello,========================================================================This topic is linked to this other one where I explained that I am not infected by a malware, I just ran ComboFix without precautions. Maybe it conflicts with :- REALTEK 11n Wireless LAN Utility- FrozenWay (OpenVPN software)- Shrew Soft VPN ClientNow, something is broken and I lost the DHCP Client and PolicyAgent services. Here are 2 event logs about DHCP Client (and v6, the worst), different from the other topic because I took it in Safe Mode with network support, so it is very focused on the problem.http://www.partage-facile.com/UATKE7MPHF/dhcp_client_2_.evtx.htmlhttp://www.partage-facile.com/SVZA3DQXH7/dhcpv6_client_2_.evtx.htmlAs you can see, DHCP Client get always WSAEINVAL error and retry as an infinite loop. Men which made ComboFix could know which step can provoke these DhcpV6ClientEvents_ErrorOpeningSocket.========================================================================Here is DDS.txt log, taken in Safe Mode with network support (IE opened to see instructions) :.DDS (Ver_2011-08-26.01) - NTFSAMD64 NETWORKInternet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.6.2Run by Jean-Christophe at 11:31:08 on 2012-08-25Microsoft Windows 7 Professionnel 6.1.7601.1.1252.33.1036.18.4094.1707 [GMT 2:00].AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}SP: Microsoft Security E... Read more

A:"DHCP Client 100% CPU after ComboFix" logs

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. To help Bleeping Computer better assist you please perform the following steps:*************************************************** In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/466406 <<< CLICK THIS LINK If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.*************************************************** If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

Read other 26 answers
RELEVANCY SCORE 54.4

Message analyzer 1.4
Hello,
Just discovered the tool and used to identify Web application bottleneck performance.
But I need some helps.
During analysis, I have found out a possible issue related to DNS (several seconds).
The problem is that I can not understand if the DNS is related to the application or other source.

Is a way to add the source (not the host name) but the application?
Thanks

Read other answers
RELEVANCY SCORE 54

Hello,
- Does anyone know if MS has any plan to expose Message Analyzer C++ API? If yes, when will it be roughly?

- It seems NM 3.4 is in "archived" mode now, i.e. no new updates. However, if there is a vulnerability/serious bug, will MS fix/patch it?

- To develop a network monitoring tool, is there an alternative to NM 3.4 (with C++ API support), which is robust and have long-term development cycle? I am not entirely sure if Windows Filtering Platform (WFP) is the right one?

Thanks,

Victor

Read other answers
RELEVANCY SCORE 54

Hi everybody,
I need to investigate somes logs for find an issue on Outlook calendar
So i followed this topic to activate the "debug mode" of Outlook :
https://support.office.com/en-ie/article/What-is-the-Enable-logging-troubleshooting-option-0fdc446d-d1d4-42c7-bd73-74ffd4034af5
Now, i got a file : OLKCalLog_2017_01_02_08_39_07.etl
I opened it on Message Analyzer for make some easy checks :
- Calendar item actions (creation, modification, or deletion)
How can i use the filter for find the keyword i created on the calendar (or the event ID for list all calendar items créations ??).
Example here, i made a calendar item called "Hello Technet".
The result :

PS : I just discovered that the ETL file is filled at the Outlook closing.
thanks for your help

Read other answers
RELEVANCY SCORE 54

Support for decrypting TLS 1.3 connections in Wireshark has been present for some time and Message Analyzer, with some modification of its TLS OPN, can do it too.
 
The two ?handcoded?/external routines used by TLS.opn (DecryptData and ComputeKeys) both need extension. ComputeKeys needs to support the HMAC-based Extract-and-Expand
Key Derivation Function (HKDF) and DecryptData needs to support the new formats for the AEAD Nonce and AuthData.
 
Various type definitions need to be extended and some new types introduced (for handshakes like encrypted_extensions and extensions like supported_versions).
 
The biggest conceptual change that I made was to the routing of messages through the Message Analyzer stack. For TLS directly over TCP, the original Microsoft OPN files
dispatch the message from TCP to TLS then back to TCP and finally on to the end/application protocol (e.g. HTTP or HTTP2); one side effect of this is that some TLS handshake/alert messages are never visible in decrypted form ? one only sees the TLS handshake
messages sent in plain text and the decrypted application data. The new routing follows the path TCP -> TLS -> TLS again (if there are now some previous encrypted handshake/alert messages available in plaintext) -> TCP -> application protocol (e.g.
HTTP2).
 
The new routing means that all handshakes (even encrypted handshakes), such as encrypted_extensions (and indeed the server certificate ? which is enc... Read more

Read other answers
RELEVANCY SCORE 54

Hi everyone!

Why is not possible in Message Analyzer to parse the ICMPv6 traffic inside the IP-HTTPS tunnel (at least up to my current knowledge) and only shows the ESP traffic when the scenario "Network Tunnel Traffic and Unencrypted IPSEC" is chosen.
I also tried to  capture on a specific interface, but the IP-HTTPS interface was not listed among the available interfaces.

For additional information, the environment of the DirectAccess i deployed on Hyper-V Windows server 2012 R2 which means that my DA clients are VM's on the Hyper-V.

I would be so appreciated if someone gives me a feedback on this :) 

Thanks,

Ali

Read other answers
RELEVANCY SCORE 54

Has Message Analyzer been abandoned by Microsoft?  It seems that Paul doesn't hang around here anymore, spam is starting to get posted, there haven't been any blog updates since 2016, and the Connect site doesn't appear to have been migrated to Collaborate. 
It's a really useful tool, but there are some serious performance problems with it still.

Read other answers
RELEVANCY SCORE 54

Hello.
I need to capture parse and save SIP/RTP traffic according sessions.
I'm trying to find way to capture this through Microsoft Message Analyzer but could not find any useful docs or samples.
All I found, only documentation about Open Protocol Notation, but this part about creating parsers for new protocols, not about catching traffic.
As I understand MMA based on Protocol Engineering Framework, but I also could not find any APIs to this
https://technet.microsoft.com/ru-ru/library/jj714800.aspx
I need some API to 
1. Configure catching network traffic with "Microsoft-Windows-NDIS-PacketCapture Provider"
2. Possible parse SIP packets with MMA
3. Receive flow of SIP (possible parsed already) and RTP traffic into my app.

Read other answers
RELEVANCY SCORE 54

Hi,
When I open Message Analyzer it says that it has an update available.
But it takes me to download the 2016 install file.
How can I update it?

Read other answers
RELEVANCY SCORE 54

OK, this is my problem , I'm working in a complex environment with many networks and more servers (300+). Historically server hosted firewalls have been disabled and none of the internal subnets were bordered by firewalls ( thankfully they at least used
firewalls on the external interfaces ) . Documentation has also been poor. Not all the people who implemented some of our stuff still work here. The internal networks have effectively been completely flat.
The risks of this have finally been recognised and a project is in place to start implementing server hosted firewalls and on those internal subnets deemed important hardware based firewalls will also be implemented.
As you can probably guess however, from the initial statement nobody has much of a clue about which servers/applications are talking to what and how ( protocol or port) statefull/less. I'm looking for a tool which from a central location can monitor and
consolidate the network traffic between servers/applications and present the information in such a way that they could be analysed and present a baseline set of reports which would be a solid foundation for defining a set of firewall rules. Ideally the solution
would be agent less  (but that is not a deal breaker) . Is Message Analyzer the tool for this ? Or should I be looking elsewhere ? The OS landscape is overwhelmingly windows servers ( 2008 thru 2016 ) but there are a few RHEL servers ( although I don't
mind treating them as a separate ca... Read more

Read other answers
RELEVANCY SCORE 53.2

hi there,
when i click "Pre-Encryption for HTTPs" in Message analyzer(version 1.4), an error occurs like this "xxx should work with fiddler core".
then i download and install the fiddler core(the free version) in it's official site, and then installed it into the Message analyzer directory.
after installation completed, i click the "Pre-Encryption for HTTPs" again, but still see another errors like "Fiddler.startApplication() cannot start".
could you  please tell me how to make Fiddler core work with message analyzer?
btw, i also searched in message analyzer forum, but the marked answer is not helpful at all.

Read other answers
RELEVANCY SCORE 53.2

I've only recently started playing with Message Analyzer and found that an update was published on 3/10/2016. Are there any release notes or a basic list of bug fixes/improvements for the latest update?

Read other answers
RELEVANCY SCORE 53.2

Hello.  I am attempting to use Message Analyzer to troubleshoot a USB device.  I know the device's VID and PID.  I've also installed Message Analyzer on multiple PCs.  One some PCs I can see traffic from the device (I can see the VID
and PID appear) but on others I can't.  Any thoughts on why Message Analyzer can see my USB device on some PCs but not others?  I am using up-to-date chipset and USB drivers, so that shouldn't be the problem.  All PCs are Win 7 Pro SP1 64-bit. 
Thanks!

Read other answers
RELEVANCY SCORE 53.2

Howdy - any suggestions on how to "bulk" anonymize a Message Analyzer *.matp capture before we share it with a 3rd party?  Regards, Christopher

Read other answers
RELEVANCY SCORE 53.2

Hello,
i try to build my own OPN parser. I just made a little test in order to check if everything working before moving forward. So i wrote this one below:

protocol LAMSEL with
BinaryEncodingDefaults{Endian = Endian.Big},
Documentation
{
ProtocolName = "",
ShortName = "LAMSEL",
Description = ""
},
OPNAuthoring
{
Copyright = "",
};

using Standard;
using Utility;
using UDP;
using IANA;

endpoint Server over UDP.Host issues LAMSELMessage accepts LAMSELMessage;
client endpoint Client connected to Server;

autostart actor LAMSELOverUDP(UDP.Host host)
{
process host accepts d:UDP.Datagram where ((d.Payload.Count > 0) && (d.DestinationPort == 1024))
{
dispatch endpoint LAMSEL.Server over host accepts ("TEST" as LAMSELMessage);
}
}

// Header
message LAMSELMessage
{
string MyString;
override string ToString()
{
return "TEST";
}
}
ttps://blogs.technet.microsoft.com/messageanalyzer/2016/05/13/how-to-plug-into-message-analyzer-parsers/
i try to plug this one as described in the link (i use the "Loopback and Unencrypted IPSEC" session because, i use a local software to send UDP packet localy on port 1024). The "LAMSEL.opn" file has been put here "C:\Program Files\Microsoft
Message Analyzer\OPNAndConfiguration\OPNForEtw\CoreNetworking"
I can see the UDP packet within the gridview "
MessageNumber Diagnosi... Read more

Read other answers
RELEVANCY SCORE 53.2

First time installation. 
When attempting to launch on Windows 7 get the error: 
Problem signature:
  Problem Event Name: APPCRASH
  Application Name: MessageAnalyzer.exe
  Application Version: 4.0.7948.0
  Application Timestamp: 56f0e7af
  Fault Module Name: USER32.dll
  Fault Module Version: 6.1.7601.19061
  Fault Module Timestamp: 56423d2a
  Exception Code: c0000005
  Exception Offset: 0000000000010800
  OS Version: 6.1.7601.2.1.0.256.4
  Locale ID: 1033
  Additional Information 1: 5838
  Additional Information 2: 583871ada3fbdcca9a3132ef9217b6ab
  Additional Information 3: 9c9d
  Additional Information 4: 9c9d036872bdb375cb2c4c6a9d6f29a2

Any ideas or what more information is needed?
System is Windows 7 Enterprise SP1 x64 - 8GB RAM. Dual Monitor. Intel Core i5.
.NET 4.6.1 installed
VisualStudio Community 2013 with Update 4
WireShark
Many other apps and things, but that should be mostly all that is really relevant, I think.
Thanks!
 

Read other answers
RELEVANCY SCORE 53.2

Hello,
I'm trying to upload a certificate to the message analyzer and receiving invalid password error. I know the password is correct as I can install the certificate using MMC with same password. I notice that every time I try to upload the certificate in Message
Analyzer, I receive this error in Windows Security Log (below). This certificate has multiple SAN entries as it's for a load balanced environment. I've been able to successfully load certificates that do not have SAN entries.
Any pointers on what might be causing this issue and how to resolve it?
Message Analyzer Error: Password for MyCert.pfx is Incorrect.
Corresponding Windows Security Log Entry:
Cryptographic operation.

Subject:
Security ID:
DOM\MyId
Account Name:
MyId
Account Domain:
DOM
Logon ID:
0x56fad

Cryptographic Parameters:
Provider Name:
Microsoft Software Key Storage Provider
Algorithm Name:
RSA
Key Name:
le-WebServerAlternateName-{some GUID}
Key Type:
Machine key.

Cryptographic Operation:
Operation:
Create Key.
Return Code:
0x80090010

SANs in Certificate:
DNS Name=DOMAPSV1
DNS Name=DOMAPSV1.dom.ag.loc
DNS Name=DOMAPSV2
DNS Name=DOMAPSV2.dom.ag.loc
DNS Name=DOMAPSV3
DNS Name=DOMAPSV3.dom.ag.loc
DNS Name=DOMAPSV4
DNS Name=DOMAPSV4.dom.ag.loc
DNS Name=DOMAPSV5
DNS Name=DOMAPSV5.dom.ag.loc
DNS Name=DOMAPSV6
DNS Name=DOMAPSV6.dom.ag.loc

Read other answers
RELEVANCY SCORE 53.2

Hi,
Does anyone know how to capture traffic using p-mode via powershell? Can someone give me an example?
Here is the code I was working with, but it seems that Add-PefProviderConfig does not have a property to enable P-mode on the interface.
$TargetHost = New-PefTargetHost -ComputerName "DESKTOP-8T37P4E"
$TraceConfig = $TargetHost | Add-PefProviderConfig -Provider "Microsoft-Windows-NDIS-PacketCapture"
$TraceConfig.Configurations[0].Interfaces[7].Enabled=1
$TraceSession = New-PefTraceSession -Name "Test" -Force -Path "C:\Traces\Trace.matu" -SaveOnStop | Add-PefMessageSource -Source $TargetHost
Start-PefTraceSession $TraceSession

Thanks!
Andre

Read other answers
RELEVANCY SCORE 52.8

Hi Team,
We followed to this url for use of remote interface capture
Remote Capture with Message Analyzer.

we followed the document of Message analyzer for capturing rdp session data.But that not helped us.
Both systems are in same network domain
source (physical , win 10 OS)
target  (vm , WIN 10 OS)

winRM services are running on both sides. 
Still we are unable to get the rdp data remotely.
Could u please suggest us to get the rdp session hex dump data remotely form message analyzer.

Read other answers
RELEVANCY SCORE 52.8

Message Analyzer seems to have no print/export as CSV/TSV. 
Log parser 2.2 doesn't seem to understand .matp formats. 2.2 seems to be the latest version.
logparser -i:netmon "SELECT * INTO test.csv from test.matp
says "not recognized as a valid NetMon capture file"

Are there other tools? I'm surprised this is not a common request. 

Message Analyzer can export as .cap files, but these particular traces either export badly or the traffic is something that wireshark doesn't handle. MessageAnalyzer shows it as fairly standard TCP traffic, albeit to/from IPV4-loopback, which is the correct
"NIC".

Read other answers
RELEVANCY SCORE 52.8

I couldn't get MA to Sync over our corporate proxy (which requires authentication). If you know how to get this working let me know.
Thanks,
-Wes

A:Message Analyzer updates over an authenticated proxy

Yes, we did some more research and found there is a difference in how it tries to authenticate.  If your proxy requires authentication for a proxy request, then this exposes the issue.  We have a bug filed and we will look for a solution.
Paul

Read other 5 answers
RELEVANCY SCORE 52.8

Hi Everyone,
I've been attempting to capture traffic by invoking this tool via PowerShell but for whatever reason it is not generating .matu output file. Can someone please let me know what am I doing wrong?
$TraceSessionA = New-PefTraceSession -Mode Linear

#Establish Triggers
$Trigger01 = New-PefTimeSpanTrigger -TimeSpan (New-TimeSpan -Seconds 60)
$Trigger02 = New-PefDateTimeTrigger -DateTime "1/12/2018 9:35 AM"
$Trigger03 = New-PefDateTimeTrigger -DateTime "1/12/2018 9:40 AM"

<#Windows 2012 or earlier
Add-PefMessageSource -PEFSession $TraceSessionA -Source "Microsoft-PEF-NDIS-PacketCapture"
Add-PefMessageSource -PEFSession $TraceSessionA -Source "Microsoft-Windows-L2NACP"
Add-PefMessageSource -PEFSession $TraceSessionA -Source "Microsoft-Windows-Wired-AutoConfig"
Add-PefMessageSource -PEFSession $TraceSessionA -Source "Microsoft-Windows-EapHost"
Add-PefMessageSource -PEFSession $TraceSessionA -Source "Microsoft-Windows-OneX"
Add-PefMessageSource -PEFSession $TraceSessionA -Source "Microsoft-Windows-NDIS"
Add-PefMessageSource -PEFSession $TraceSessionA -Source "Microsoft-Windows-SMBClient"
#>

#Windows 2012 R2 or later
Add-PefMessageSource -PEFSession $TraceSessionA -Source "Microsoft-Windows-NDIS-PacketCapture"
Add-PefMessageSource -PEFSession $TraceSessionA -Source "Microsoft-Windows-L2NACP"
Add-PefMessageSource -PEFSession $TraceSessi... Read more

Read other answers
RELEVANCY SCORE 52.8

Hi,

I've captured a network trace on a 2008R2 server using the following commands:

netsh trace start capture=yes maxsize=1024

[reproduce issue for 20 minutes]

netsh trace stop

I've then copied the resulting ETL file (about 350MB) to a 2012R2 virtual machine (1 x vCPU 4GB RAM) running Message Analyser 1.4 (64-bit). I've opened the file in MA by double-clicking on the ETL file and applied an ?HTTP? filter to view only HTTP traffic.
 The server then goes to 100% CPU and sits there working through the data set at about one row per minute.  I give up and kill the process with the CPU time in task manager at about 2.5 hours and no data yet displayed.

I then open the same file on the same machine in Network Monitor 3.4, sort out the parsers and apply an ?HTTP' filter and after 30 seconds of 100% CPU get the data I'm looking for. It's not as pretty as Message Analyser but it does the job.

What am I doing wrong?  Right now it seems that while MA is no doubt great for some cool new stuff it cannot do the basics of Network Monitor or Wireshark.

Thanks.

Read other answers
RELEVANCY SCORE 52.8

My OS is windows10, Message Analyzer version is 1.3.1. Blueooth dongle is CSR bluetooth4.0 USB dongle.
I want to know:
1. Does Message Analyzer support bluetooth ? Can I use it to capture bluetooth package ? If yes, how to configure it ?
2. Dose Message Analyzer can parse bluetooth package, such as parse HCI cmd, HCI reply, L2cap request and L2cap reply and so on ?

Read other answers
RELEVANCY SCORE 52.8

Hi Folks
I worked with "Wireshark" and also with "Microsoft Network Monitor".
Both has Autoscroll you can choose or not.
I can't find this option on this new version "Microsoft Message Analyzer".
Could you help please?

Regards
Kevin

A:Where is auto scroll in Microsft Message analyzer?

We don't have a real Autoscroll yet.  Though you could sort by time if you want to see the latest messages.  There are also known issues in how the scrolling works when loading a trace which we hope to address.
Paul

Read other 2 answers
RELEVANCY SCORE 52.8

Hello everyone, 
I am new here, and trying to download message analyzer for the first time.  When I go to the link https://www.microsoft.com/en-us/download/details.aspx?id=44226
and click on the big red DOWNLOAD button, this pops up:
"Choose the download you want"
So then I try to choose, but I can't.  The file names aren't "active" and I cannot choose any of them.  
Anyone have any ideas?
Thank you very much for any help

Read other answers
RELEVANCY SCORE 52.4

Hi, Currently Message Analyzer does not support decryption of Diffie-Hellman (DHE/ECDHE) traces.  Most of the newer versions of Windows seem to default to this cipher which is understandable. Changing the default cipher suite in order to decrypt SSL
traffic is relatively cumbersome and doesn't provide the best customer support experience.
It looks like wireshark may have the ability to decrypt DHE, but requires a bit more setup, and using an SSLKEYLOGFILE that you can easily generate with chrome or firefox.  Does anyone know if this is something Microsoft is looking at for message analyzer
and/or IE/Edge?  It would be very helpful since this seems to be the default ciphers in newer versions of the OS. 

https://ask.wireshark.org/questions/30290/decrypting-tls_ecdhe_rsa_with_aes_128_cbc_sha-and-tls_ecdhe_rsa_with_aes_128_gcm_sha256-using-sslkeylogfile
https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/
It seems that the number of up-votes may help prioritize requested features such as this.  So, I'm starting a new thread for discussion.  Thanks.

Read other answers
RELEVANCY SCORE 52.4

I've been using the TraceLogger Apis in a kernel driver and I see the current Message Analyzer version knows how to display these self-describing ETW traces. Unfortunately, event field values are truncated to 8-bits, so the event fields don't display the
correct values. I've looked at the binary data in the event, and the type and full width value are present. The event files also do display the full field values in some other tools, so this seems to be something specific to Message Analyzer.

Read other answers