
MICROSOFT MESSAGE ANALYZER

Frequently Asked Questions and Known Issues


This document captures FAQ and known issues with Microsoft Message Analyzer.
Please browse this list if you're having an issue before reporting a problem to our team.

1 | P a g e Known Issues
Table of Contents
Capturing (page 2)
  Network connections are reset when Message Analyzer is installed (page 2)
  Why can't I view web traffic anymore? Why is IE now not working the same? (page 2)
  Can't start capturing or no data being received (page 2)
  It seems like some of the messages are missing when I capture (page 2)
  I receive the error "Failed to start one or more trace session(s) due to the following error(s): Live consumer xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx fails to start. Unable to start filter info provider service." (page 2)
  PowerShell capture trace is not saved to PS execute path if you are using a relative path (page 3)
  Simultaneous captures involving the same provider may give unpredictable results (page 3)
  The Web Proxy live trace scenario causes issues with Internet Explorer and Windows Store applications (page 3)
  Information disclosure on WebProxy trace scenario for multi-user scenario (page 4)
  Hyper-V traffic between virtual machines is not captured in Windows Server 2008 R2 (page 4)
Remote Capture (page 4)
  Supported remote capture scenarios (page 4)
  Failed to create a remote trace session after providing wrong credentials (page 5)
  ETW keywords ignored when doing remote capture (page 5)
  Failed to create a remote trace session or to configure NDIS provider when entering an invalid or not reachable hostname for link layer remote capture (page 5)
Windows 8.1 and Windows Server 2012 R2 specific issues (page 5)
  Can't capture on NDISCAP after Message Analyzer installation (page 5)
  Capture on Local Link Layer fails (page 5)
UI (page 5)
  Can't see columns for USB (or other) events (page 5)
  Charts (page 6)
  Assets in AppData/Roaming are not updated after uninstall/reinstall (page 6)
Performance (page 6)
  Size of traces that can be loaded / number of messages that can be captured (page 6)
  Errors on 32-bit machine (page 7)
Filtering (page 7)
  IPv4 and IPv6 address filters do not work on WiFi (page 7)
  Fast filters on WFP (page 7)
Sequence Expressions (page 7)
  What are the sequence expressions limitations? (page 7)
Opening Traces (page 10)
  MA is unable to decode ETL file (page 10)
  Slow performance loading cluster log with text log adapter (page 10)
  Clicking multiple files from Windows Explorer doesn't do anything (page 10)


Capturing
Network connections are reset when Message Analyzer is installed
Message Analyzer installs the PEFNDIS driver on Windows 8/Windows Server 2012 and earlier systems. When
the driver is added to the system during installation, the network stack may reset. This can cause a
temporary loss of network access, which can interfere with programs that rely on a network connection. This
problem is mitigated on Windows 8 and Windows Server 2012 and above.
Why can't I view web traffic anymore? Why is IE now not working the same?
Message Analyzer uses Fiddler to create a man-in-the-middle proxy to capture unencrypted web traffic.
When Message Analyzer closes unexpectedly, it tries to recover the original proxy settings; however, there
are times when this may not occur. To fix this issue, try starting and then stopping a Web Proxy capture,
OR reset your proxy settings in the LAN settings section of the Connections tab in Internet Options
within Internet Explorer.
Can't start capturing or no data being received
There is a limit to the number of capture sessions that can run concurrently. If Message Analyzer
isn't closed properly, these sessions can accumulate and prevent new ones from running. To close these extra
sessions:
1. Open the Computer Management utility by right-clicking Computer in the Start Menu and
selecting Manage.
2. Open up the Performance tree category under System Tools and find the Event Trace Sessions
folder under Data Collector Sets.
3. Find any sessions with the name Web-Proxy/Firewall or Local-Link-Layer (or same as the provider
name); right-click and stop them.
4. Then right-click them again and Delete them.
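The same cleanup can be scripted from an elevated PowerShell prompt with logman, which is what the Computer Management steps above drive under the hood. This is an added example, not part of the Message Analyzer documentation; the session names are the ones the FAQ cites.

```powershell
# Added example: stop orphaned Message Analyzer event trace sessions from an
# elevated PowerShell prompt. Session names assumed from the FAQ text above.
$staleSessions = @('Web-Proxy/Firewall', 'Local-Link-Layer')

# "logman query -ets" lists the event trace sessions currently running on the
# machine, one per line, with the session name in the first column.
$running = logman query -ets | ForEach-Object { ($_ -split '\s{2,}')[0].Trim() }

foreach ($name in $staleSessions) {
    if ($running -contains $name) {
        Write-Host "Stopping orphaned trace session: $name"
        # A real-time (-ets) session exists only while it runs; stopping it
        # also removes it from the controller, so nothing is left to delete.
        logman stop $name -ets
    } else {
        Write-Host "Not running: $name"
    }
}

# Re-query so you can confirm the sessions are gone before starting a new capture.
logman query -ets
```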
It seems like some of the messages are missing when I capture
If the number of messages is very high, Message Analyzer may drop messages. Microsoft suggests that
you use Fast Filtering to prevent this from happening. To do this, select Capture/Trace, select the relevant
provider, and then select the Fast Filter attributes. For instance, to capture DNS across a firewall, select
Trace Scenario "Firewall", select Fast Filter 1, set Filter Type = UDPPort and then set Filter = 53.
I receive the error "Failed to start one or more trace session(s) due to the following error(s): Live consumer xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx fails to start. Unable to start filter info provider service."
This happens when you start the Firewall Trace Scenario without running Message Analyzer as
administrator. To resolve this issue, save your work, exit Message Analyzer, and then do the following:
1. Open a Command Prompt.
2. At the command line, type sc stop wfpcapture to stop the PEF WFP driver.
3. Restart Message Analyzer by right-clicking "Microsoft Message Analyzer" on the Start
menu and then selecting "Run as administrator".

PowerShell capture trace is not saved to PS execute path if you are using a relative path
When running a PowerShell script as Admin, the current directory is set to the System32
directory, so any trace file given as a relative path will be created in System32. To work around the issue, specify a
fully qualified path starting at the drive when capturing with PowerShell as Admin.
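One way to make that workaround automatic, as an added example that is not part of the FAQ: resolve any user-supplied trace path against the script's own folder rather than the process working directory, and refuse paths that land under the Windows directory. Resolve-TracePath is a hypothetical helper written here; the capture cmdlet it would feed is not shown.

```powershell
# Added example: make a trace path fully qualified before handing it to the
# capture cmdlets, so an elevated script never drops trace files into System32.
function Resolve-TracePath {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Anchor relative paths at the script's folder, not the process working
        # directory, which is System32 when the script runs as administrator.
        [string] $BaseDirectory = $PSScriptRoot
    )
    # Interactive use has no $PSScriptRoot; fall back to the current location.
    if ([string]::IsNullOrEmpty($BaseDirectory)) { $BaseDirectory = (Get-Location).Path }

    $full = if ([System.IO.Path]::IsPathRooted($Path)) {
        [System.IO.Path]::GetFullPath($Path)
    } else {
        [System.IO.Path]::GetFullPath((Join-Path $BaseDirectory $Path))
    }

    # Refuse to write under %windir%: that is exactly the symptom the FAQ describes.
    $windir = [System.IO.Path]::GetFullPath($env:windir)
    if ($full.StartsWith($windir, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Trace path '$full' resolves under $windir; pass a fully qualified path instead."
    }
    return $full
}

# Both forms return a drive-anchored path that is safe to pass on.
Resolve-TracePath -Path 'captures\dns.matp'
Resolve-TracePath -Path 'D:\Traces\dns.matp'
```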
Simultaneous captures involving the same provider may give unpredictable results
Starting simultaneous captures involving the same provider is not recommended. It is not possible to
configure different instances of the same provider, and attempting to start multiple instances of the same
provider can produce unpredictable results.
The Web Proxy live trace scenario causes issues with Internet Explorer and Windows Store applications
You might find that when you try to trace using the Web Proxy provider with Message Analyzer, the
application you are tracing fails to work or Message Analyzer doesn't capture any traffic.

This happens because Windows now protects client-to-client traffic by disabling local loopback to
127.0.0.1 under certain conditions. This interferes with the way that Web Proxy captures traffic.

Windows 8 has EPM (Enhanced Protected Mode) enabled by default for the Windows 8 Internet Explorer
application (it is not enabled for the desktop version). This mode includes the option to block EPM. You can
either remove this option, or change the loopback exemption directly by using the information below.

Windows 8.1 client and server have EPM enabled by default at this time for both versions of IE.

Windows 8 and 8.1 have the loopback option disabled for all Windows Store applications. You have to use
the workaround below to enable tracing for a specific Windows Store application.

Workaround(s):
1. If the web client is IE 10, then Enhanced Protected Mode has to be unchecked in the advanced
settings, or on Windows 8 or later execute the command "CheckNetIsolation.exe
LoopbackExempt -a -n=windows_ie_ac_001" to enable the loopback exemption for IE.
2. On Windows 8 or later, if the web client is a Store app, then the following command has to be executed:
"CheckNetIsolation.exe LoopbackExempt -a -n=<AppContainer name of the web client
application>" to enable the loopback exemption for Windows Store applications.
Reference: http://msdn.microsoft.com/en-us/library/windows/apps/Hh780593.aspx.
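The two workarounds above, scripted so the exemption is checked before it is added and is easy to take back afterwards. This is an added example, not part of the FAQ; the IE container name is the one the FAQ cites, and any other container name is assumed to come from the app's own package.

```powershell
# Added example: add a loopback exemption for one AppContainer, verify it, and
# show how to remove it again once the Web Proxy capture is finished.
param([string] $ContainerName = 'windows_ie_ac_001')   # IE 10 name from the FAQ

# CheckNetIsolation.exe LoopbackExempt: -s lists exemptions, -a adds, -d removes.
$before = & CheckNetIsolation.exe LoopbackExempt -s
if ($before -match [regex]::Escape($ContainerName)) {
    Write-Host "$ContainerName is already loopback-exempt."
} else {
    & CheckNetIsolation.exe LoopbackExempt -a "-n=$ContainerName"
}

# Confirm the exemption took effect before starting the capture.
$after = & CheckNetIsolation.exe LoopbackExempt -s
if (-not ($after -match [regex]::Escape($ContainerName))) {
    throw "Loopback exemption for $ContainerName was not applied (run elevated?)."
}

# The exemption widens what the sandboxed app may reach; remove it after tracing:
#   CheckNetIsolation.exe LoopbackExempt -d "-n=$ContainerName"
```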
Capturing with the Web Proxy provider uses the Fiddler core API, which has some known limitations and
issues:
- Untrusted certificate with SSL capturing won't decode.
- Proxy settings are not reverted when MMA crashes while capturing with WebProxy.
- The Web Proxy scenario won't work in cases, like Azure, where you need a dedicated certificate
  instead of the fake Fiddler certificate.

- Cannot capture a site that requires additional authentication, for instance Channel Binding
  Tokens.
- There's no way to know the actual process ID or name of the traffic from the Web Proxy
  provider.
- Cannot capture traffic which does not use the proxy settings set in Internet Options for
  Internet Explorer.
Information disclosure on WebProxy trace scenario for multi-user scenario
If an admin adds two users, User1 and User2, to the MCUG group and both users are remotely logged in
at the same time, User1 can see the traffic of User2 and vice versa using MA. The reason is that the ETW session is
global. Further, if an admin adds two users to capture, it is assumed they'll have capture capabilities at the
system level in such cases.
Hyper-V traffic between virtual machines is not captured in Windows Server 2008 R2
On Windows Server 2008 R2, Hyper-V traffic is only captured between the host and any virtual machine.
Traffic from a virtual machine targeted at another virtual machine is not captured.

Remote Capture
Supported remote capture scenarios
Supported servers (remote capture target):
- Windows Server 2012 R2
Supported clients (remote capture source):
- Windows 7 (needs WMF 3.0, http://www.microsoft.com/en-pk/download/details.aspx?id=34595)
- Windows Server 2008 R2 (needs WMF 3.0, http://www.microsoft.com/en-pk/download/details.aspx?id=34595)
- Windows 8
- Windows Server 2012
- Windows Blue 8.1 (build 9600)
- Windows Server 2012 R2 (build 9600)

The following are the supported capture scenarios:
- Both client and server domain-joined
- Both client and server in a workgroup
- Client domain-joined and server in a workgroup
- The last case (client in a workgroup and server domain-joined) is supported, but IPsec needs
  to be disabled on the server, so this is not a recommended scenario.

Special considerations:

- If credentials are not provided, the currently logged-on user's credentials (on the client) are
  used to establish the connection to the server.
- When the client is domain-joined and the server is in a workgroup, the remote machine needs
  to be added to the trusted hosts list on the client by running the following commands from
  an elevated command prompt:
    WinRM quickconfig -quiet
    WinRM set winrm/config/client @{TrustedHosts="RemoteHostName"}
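The same TrustedHosts change done from PowerShell through the WSMan drive, as an added example that is not part of the FAQ. It appends one exact host name rather than replacing the list, and flags a wildcard, because a host in TrustedHosts is one the WinRM client will no longer authenticate. RemoteHostName is a placeholder.

```powershell
# Added example: add a single remote capture target to the WinRM client's
# TrustedHosts list and verify the result. RemoteHostName is a placeholder.
$remote = 'RemoteHostName'

# Equivalent of "winrm quickconfig -quiet": start WinRM and create the listener.
Set-WSManQuickConfig -Force

# Append only this host. -Concatenate keeps whatever entries already exist
# instead of overwriting them, which the raw "winrm set" command would do.
$current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
$entries = ($current -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
if ($entries -notcontains $remote) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $remote -Concatenate -Force
}

# Verify. A "*" entry trusts every host, so the client would hand its credentials
# to any machine that answers to the name; keep the list to exact host names.
$now = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if ($now -match '\*') { Write-Warning "TrustedHosts contains a wildcard: $now" }
$now
```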
Failed to create a remote trace session after providing wrong credentials
In a remote capture scenario, if the provided credentials (or the implicit ones) are not accepted by the
target server, then subsequent message captures will fail, even if the right credentials are provided
afterwards. The workaround is to restart MA.
ETW keywords ignored when doing remote capture
ETW keywords are ignored when doing a remote capture.
Failed to create a remote trace session or to configure NDIS provider when entering an invalid or not reachable hostname for link layer remote capture
The hostname is not resolved until you attempt to start the trace or select Configure for the NDIS provider.
Windows 8.1 and Windows Server 2012 R2 specific issues
Can't capture on NDISCAP after Message Analyzer installation
For the first capture, the user needs to log out and log back in OR run as administrator to capture on the NDIS
layer with Windows 8.1 Client and Windows Server 2012 R2.
Capture on Local Link Layer fails
The user always needs to run as administrator to capture on the Local Link Layer with Windows 8.1 Client and
Windows Server 2012 R2.

UI
Can't see columns for USB (or other) events
Some fields for providers can't be seen until they are loaded for the first time. USB and other provider
parsers are created dynamically the first time you open or start a new trace for that provider. You can't see
the provider fields in the Column Chooser or use them for filtering until the parser is created. Once the
parser is created you can add fields as columns, and they will be preserved even if you reset the parser by
removing it manually.

Charts
Cannot delete a data mapping
Data mappings for charts cannot be removed from the UI. If you must remove a mapping, you can edit the XML
reference that starts with <DataCollector>: export your assets from the library management
system, make the change and re-import the asset.
Clicking on the "other" pie slice produces a blank analysis grid
Clicking on a pie slice or bar chart segment that represents "other" will open a blank grid. The issue is that
"other" is the category representing every column that was not shown because it falls below the threshold,
DefaultMaxDisplayItemNumber, which defaults to 10. We are not able to generate a filter for the "other"
group.
Assets in AppData/Roaming are not updated after uninstall/reinstall
Beta users will not get the latest assets we ship. So before installing, they should manually wipe out the
appdata/.../MessageAnalyzer directories. Also, if you uninstall v1 and reinstall, the assets are not affected
either. Again, you must manually wipe out AppData.
Performance
Size of traces that can be loaded / number of messages that can be captured
The number of messages that can be captured or the size of trace file that can be loaded depends on
the total amount of memory (physical + virtual via the paging file) on the machine. Paging file settings can be
adjusted using the Control Panel | System applet.
Dropping messages while capturing
By default, Message Analyzer has a 200MB queue in memory to store messages temporarily while
messages are being processed. If messages are incoming at a very fast rate, this queue can fill up and
messages may be dropped. If you suspect that Message Analyzer is dropping messages, you can adjust
this queue by changing the Live Message Buffer: Size using File | Options. Message Analyzer currently
does not indicate whether a message has been dropped.

Another way to avoid dropped packets is to use Fast Filtering which will filter out messages at the driver
level. Fast Filtering can be configured for the specific providers that are being used to capture.
Importing time
When you load a non-native trace into Message Analyzer it will be imported (re-parsed). The following
are the approximate import rates:
.CAP files:
  ~2500 messages/second
  ~2 MB/second

.MATP files:
  ~2000 messages/second
  ~1.5 MB/second
Though .matp files are already parsed and are native, you can re-parse them if you use File | Browse. You
would do this if you wanted to combine a .matp with other traces so that they can be viewed together as
if they were one trace. Opening a .matp using Quick Open, double-clicking in File Explorer, or dragging
and dropping it into Message Analyzer is not an import, as the messages are already parsed, and will
result in a significantly faster loading time.
Errors on 32-bit machine
On a 32-bit machine or a machine with limited memory, you may get random run-time errors, popups
about insufficient memory, sudden exits and stopped parsing. This can happen when you parse a trace file
that involves a large amount of state information. In particular, TCP connections (around 10,000
connections) can cause this problem. In general this problem is very data dependent.
Each piece of state can remain in memory until the state is released. For instance, each TCP connection
introduces a separate data structure for parsing, which is not released dynamically until the end of
parsing. When a large number of connections need to be parsed simultaneously, memory will be
exhausted.

You need a machine with more memory to parse these traces, ideally a 64-bit machine with at least 8 GB of
memory.
Filtering
IPv4 and IPv6 address filters do not work on WiFi
IPv4 and IPv6 link-level fast filters don't work on WiFi on Windows 7 64-bit. No traffic will match these
filters.
Fast filters on WFP
When adding fast filters to the Firewall provider that result in removing traffic, for instance != 127.0.0.1,
you will receive duplicate traffic, which results in erroneous TCP retransmits and other false diagnoses.
Instead use a Trace Filter, which, while slower, does not have this issue.
Sequence Expressions
What are the sequence expressions limitations?
The in parameter for creating a collection is not supported:
    scenario S[out array<int> ids] = Request{ID in ids} interleave;
The permute (&) operator is not supported. Won't be compiled:
    scenario S = A & B;
    or scenario S = A permute B;
The fork operator can only be the top-most operator. The following definitions are not allowed:
    scenario S = A | B -> (C || D);
    scenario S = A || B || C;
Explicitly specifying the type of an out parameter is not allowed. Won't be compiled:
    scenario s[out binary payload] = HTTP.HttpContract.Operation{Payload is payload:binary};
Supported syntax:
    scenario s[out binary payload] = HTTP.HttpContract.Operation{ Payload is payload };
Explicitly specifying the in keyword for parameters is not allowed. Won't be compiled:
    scenario S[in string name] = HTTP.HttpContract.Operation{Method == name};
Supported syntax:
    scenario S[string name] = HTTP.HttpContract.Operation{Method == name};
The where clause is not supported in a virtual operation. Won't be compiled:
    virtual operation VOp
    {
    }
    = MyScenario[out var reqId, out var statusCode]
    where (StatusCode != 200) ==> !Success;
    scenario MyScenario[out int reqId, out int statusCode] =
    accepts Request{ID is reqId}
    accepts Response{ID == reqId, StatusCode is statusCode};
The exception clause is not supported in a virtual operation. Won't be compiled:

    virtual operation VOp
    {
    }
    exception optional int = reason
    =
    accepts Request{ID is reqId:int}
    (
    accepts Response{ID == reqId, StatusCode == 200, StatusCode is statusCode:int}
    |
    accepts Response{ID == reqId, StatusCode != 200, StatusCode is reason:int}
    );
Referencing one scenario from another is not supported. Won't be compiled:
    scenario S1 = Relay{ID is var id} Relay{ID == id};
    scenario S2 = Request{ID is var id} -> S1 -> Response{ID == id};
Please note: in MA's Sequence Match View, it is not allowed to declare more than one scenario.
Limited support for referencing scenarios in a virtual operation.
Supported:
    virtual operation M { } = S();
    scenario S() =
Not supported:
    virtual operation M { } = S1() -> S2()
In the case of overlapping matches, there is no guarantee that the longer one will be reported:
    scenario S = Request{ID is var reqId} -> Relay{ID == reqId}? -> Response{ID == reqId};
The input sequence is:
    Request{ ID == 1 }
    Request { ID == 2 }
    Relay { ID == 1 }
    Response { ID == 2 }
    Response { ID == 1 }
Expected:
    Request{ ID == 1 } Relay { ID == 1 } Response { ID == 1 }
Actual:
    Request { ID == 2 } Response { ID == 2 }
Opening Traces
MA is unable to decode ETL file
ETL traces come in three different flavors: manifest-based, WPP, and MOF. We can open and parse
manifest-based files if the manifest is on the machine (either registered or provided manually) or if the manifest
is embedded, which happens automatically when you capture with Message Analyzer. We currently don't
support the MOF format; for these files the messages will show up as plain ETW events.
Slow performance loading cluster log with text log adapter
Log file parsing time depends on how many log file adapters there are. The only way to affect this is to rename
the extension of the other log file configurations so that they are not loaded. This can be done in
C:\Users\YOURNAME\AppData\Local\Microsoft\MessageAnalyzer\OpnAndConfiguration\TextLogConfiguration
Clicking multiple files from Windows Explorer doesn't do anything
Selecting multiple files in Windows File Explorer and choosing "Open with Message Analyzer" will not
launch Message Analyzer. This is currently not supported. You can select a single file and choose "Open
with Message Analyzer". An alternative for viewing multiple files is to launch Message Analyzer first, go to the
Browse page and add the files there.