Microsoft's new network capture tool, Message Analyzer, has been officially released. Since first announcing Message Analyzer's development roughly one year ago, three beta versions have been released, which has allowed Microsoft to test and refine the software that would eventually replace its previous capture tool, Network Monitor.

Replacing Network Monitor is a welcome move from Microsoft. While it was a good tool when someone wanted to capture network traffic within a Microsoft Windows OS, it wasn't always the first choice; many preferred third-party tools like Wireshark. But for organizations that were concerned about using third-party tools, installing Microsoft software was the given route since it usually involved less red tape than installing something that was open-source. 

Trace scenarios

This is a new feature in Message Analyzer that I really like. Event tracing for Windows (ETW) is something that first appeared in Windows 2000, but each successive operating system has expanded more and more on the features it provides.

I think the most interesting trace scenario provided uses new ETW features in Windows 8.1/Server 2012R2 to allow you to capture traffic in a remote virtual machine using a Hyper-V switch. Not only do you not need to install the network capture tool in the virtual machine, but you don't need to install it on the host either. It can be run from a remote workstation using Windows 7, for example.

These trace scenarios are also expandable and shareable where settings for a particular type of trace can be exported and imported. This also leaves the possibility of Microsoft providing out-of-band updates and for Microsoft Support to use this as a support mechanism to provide complex settings via a simple “download and run this” scenario to gather important network trace logs.

The second most interesting trace scenario is called web proxy. This provides a way to view local HTTPS traffic in an unencrypted trace log. This can be a very important feature when trying to troubleshoot HTTPS-based communications such Microsoft's Active Directory Federation Services (aka “ADFS”) which is heavily based on HTTPS communications and browser cookies.

Windows PowerShell support

Message Analyzer comes with a Windows PowerShell module called protocol engineering framework (PEF). It currently provides 14 cmdlets. At the time of writing this post, examples were provided for all of the cmdlets except one. I saw a recent message on the support forum from one of the project managers that suggests that they are making help available online (to take advantage of PowerShell version 3's new updatable help).

Support resources

Microsoft has released a very detailed operating guide to guide you through using Message Analyzer, and the landing page to the guide provides an enormous quantity of task-oriented information that should get a user going in no time. To get peer-to-peer support, a new community support forum for Message Analyzer users has been created. The support forums are an awesome way to get help quickly; many of the responses are usually provided in a relatively timely fashion. And as expected, a dedicated blog has been launched. I'm hoping that the blog becomes a bit livelier with more information, use cases and examples now that the product has been released.

An exciting new product

I really like this new network capture tool. Requiring the .NET 4.0 Framework might cause delays in its adoption because the majority of current Windows OS installations are likely Server 2008/2008R2, but as Server 2012/2012R2 picks up more speed, I could see more people and organizations starting to use this tool simply because it's something that comes directly from Microsoft.

Third-party tools are great and definitely more agile with regular updates, but I really like the direction Microsoft has taken by refreshing its old network tool.

Marco Shaw is an IT consultant working in Canada. He has been working in the IT industry for over 12 years. He was awarded the Microsoft MVP award for his contributions to the Windows PowerShell community for 5 consecutive years (2007-2011). He has co-authored a book on Windows PowerShell, contributed to Microsoft Press and Microsoft TechNet magazine, and also contributed chapters for other books such as Microsoft System Center Operations Manager and Microsoft SQL Server. He has spoken at Microsoft TechDays in Canada and at TechMentor in the United States. He currently holds the GIAC GSEC and RHCE certifications, and is actively working on others.