Using Microsoft Message Analyzer for Network Troubleshooting

See how this free tool can help identify applications or processes linked to packets in your trace.

Tony Fortunato

November 14, 2017


Protocol analyzers like Wireshark are very powerful tools network analysts use for a variety of reasons, including application baselining, identifying the root cause of application or network performance problems, documenting and mitigating cyberattacks, and device configuration tuning.

In this video, I show you how to use a protocol analyzer that you may not be familiar with: Microsoft Message Analyzer. This free analyzer is a good complementary tool to have in your toolbox. It can do some things that Wireshark can't.

Making a protocol analyzer effective relies on capturing and analyzing packets, but capturing packets isn't as obvious as you would think. Factors such as SPAN vs TAP vs inline will impact what packets you can capture and timing accuracy. Moreover, analyzing the data is an art in itself; it takes a combination of theory, street smarts, and experience. One of the main features of a protocol analyzer like Wireshark is the ability to decode specific protocols and provide analysis if anomalies are detected.

However, all analysts will eventually run into a common scenario where they need to identify which application or process transmitted the packets in a trace. In some cases, it will be obvious -- for example, HTTP packets with a Mozilla User-Agent request header probably come from a web browser.

In other scenarios, you might have encrypted packets transmitted to an unknown IP address using TCP port number 3433. If you are still at the host and the connection is still open, you can try command line utilities like netstat -b to determine which application was responsible.
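The netstat approach only works while the socket still exists, so one practical habit is to save a netstat -bno snapshot next to the capture and join the two afterwards. The script below is an added example (not from the article or the video) that does that join: it parses a constructed netstat -bno snapshot into (protocol, local endpoint, remote endpoint, PID, executable) records and then annotates constructed trace rows with the owning process. The sample output, the IP addresses, the process names and the trace rows are all made up for illustration; on Windows, netstat -b itself needs an elevated prompt.

```python
import re
from dataclasses import dataclass

# Constructed sample of `netstat -bno` output (not from a real host). The
# layout mirrors what Windows prints: a connection line, then the owning
# executable in brackets; services print the service name on its own line
# before the [svchost.exe] line.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49712     203.0.113.5:3433       ESTABLISHED     4120
 [updater.exe]
  TCP    192.168.1.10:49720     93.184.216.34:443      ESTABLISHED     6712
 [firefox.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  RpcSs
 [svchost.exe]
  UDP    192.168.1.10:5353      *:*                                    1212
 [chrome.exe]
"""

# Constructed trace rows: (proto, source endpoint, destination endpoint).
TRACE_SAMPLE = [
    ("TCP", "192.168.1.10:49712", "203.0.113.5:3433"),   # outbound, unknown port
    ("TCP", "93.184.216.34:443", "192.168.1.10:49720"),  # inbound reply to browser
    ("TCP", "10.0.0.7:51000", "192.168.1.10:135"),       # inbound to a listener
    ("TCP", "192.168.1.10:60000", "198.51.100.9:22"),    # socket gone before snapshot
]

# Connection line: proto, local, foreign, optional state (UDP has none), PID.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
# Executable line: "[name.exe]" on its own line.
EXE_RE = re.compile(r"^\s*\[(.+)\]\s*$")
WILDCARDS = ("0.0.0.0", "[::]", "*")


@dataclass
class Owner:
    proto: str
    local: str
    remote: str
    state: str
    pid: int
    exe: str = "unknown"


def parse_netstat(text):
    """Turn netstat -bno text into Owner records, attaching each bracketed
    executable line to the connection line that precedes it."""
    entries = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            entries.append(Owner(proto, local, remote, state or "", int(pid)))
            continue
        m = EXE_RE.match(line)
        if m and entries and entries[-1].exe == "unknown":
            entries[-1].exe = m.group(1)
    return entries


def owner_of(entries, proto, local, remote):
    """Exact socket match first; otherwise a listening socket bound to a
    wildcard address on the same local port (covers inbound connections
    that the snapshot only shows as LISTENING)."""
    for e in entries:
        if e.proto == proto and e.local == local and e.remote == remote:
            return e
    lport = local.rsplit(":", 1)[1]
    for e in entries:
        addr, port = e.local.rsplit(":", 1)
        if e.proto == proto and port == lport and addr in WILDCARDS:
            return e
    return None


def annotate_trace(packets, entries):
    """Try each packet in both directions (the host may be source or
    destination) and return (packet, executable) pairs."""
    result = []
    for proto, src, dst in packets:
        e = owner_of(entries, proto, src, dst) or owner_of(entries, proto, dst, src)
        result.append(((proto, src, dst), e.exe if e else "not in snapshot"))
    return result


if __name__ == "__main__":
    for pkt, exe in annotate_trace(TRACE_SAMPLE, parse_netstat(NETSTAT_SAMPLE)):
        print(f"{pkt[0]} {pkt[1]} -> {pkt[2]}: {exe}")
```

The last trace row is the case the article warns about: by the time the snapshot was taken, the socket on port 60000 was already closed, so no amount of parsing recovers the process, which is exactly the gap that capturing process information alongside the packets is meant to close.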

The tricky part is what you do if you need to figure this out at a later date, or when you are back at your desk with no access to that system. This is where Microsoft Message Analyzer helps. It captures more than just packets and can identify which process was involved with which packets. This feature helps in a variety of scenarios, from identifying malicious code to tuning application performance.

In the video, I show you how to add the process name as a column in Microsoft Message Analyzer to streamline your work.


About the Author(s)

Tony Fortunato

Sr Network Performance Specialist

Tony Fortunato is a network performance expert who has been designing, implementing and troubleshooting networks since 1989. His company, The Technology Firm, provides clients of all sizes with services ranging from project management, network design, consulting, troubleshooting, and custom-designed training courses to assisting with equipment installation. Tony's experience in networking started with financial trading floor networks and ISPs, where he learned to integrate and support equipment from various vendors. Tony has taught and presented at numerous colleges and universities, public forums and private classes. He blogs frequently at NetworkDataPedia and has a popular YouTube channel.
