Message Analysis and Visualization in Heterogeneous Environments
Paul Long/Microsoft
Insert tutorial title in footer © 2013 Storage Networking Industry Association. All Rights Reserved.
SNIA Legal Notice
The material contained in this tutorial is copyrighted by the SNIA unless otherwise noted. Member companies and individual members may use this material in presentations and literature under the following conditions:
- Any slide or slides used must be reproduced in their entirety without modification
- The SNIA must be acknowledged as the source of any material used in the body of any document containing material from these presentations.
This presentation is a project of the SNIA Education Committee. Neither the author nor the presenter is an attorney and nothing in this presentation is intended to be, or should be construed as legal advice or an opinion of counsel. If you need legal advice or a legal opinion please contact your attorney. The information presented herein represents the author's personal opinion and current understanding of the relevant issues involved. The author, the presenter, and the SNIA do not assume any responsibility or liability for damages arising out of any reliance on or use of this information. NO WARRANTIES, EXPRESS OR IMPLIED. USE AT YOUR OWN RISK.
Abstract
Message Analysis and Visualization in Heterogeneous Environments
Microsoft Message Analyzer is the next-generation tool for analyzing messages from almost any source. Diagnosis of heterogeneous systems has continued to evolve as we explore new ways to visualize information for any type of trace data, be it a text log file, comma- or tab-separated data, a network capture, or an ETW component. Discover how to import Samba debug logs directly or define Text Log adapters, then inspect, filter, and organize the result as structured data. Learn how to analyze your file system's interoperability with Windows without having to read documentation. Expand your understanding of the interactions by including Windows component-specific information to gain insight into deep protocol and system behaviors.
Message Analyzer Activities
Capture
Analyze
Share
Message Analyzer differences?
- Simulates protocol behavior
- Diagnosis messages for finding misbehavior
Message Analyzer differences?
- Coalesces network information
- Full defragmentation of messages
- High-level performance info, like Server Response Times
Heterogeneous Environments
- Different types of systems
  - Windows
  - Unix/Linux
  - Apple
- Different kinds of traces and logs
  - Text logs
  - Network traces
  - Event Tracing for Windows (ETW) traces (ETL files)
- Different machines and parts of the world
  - Time shifts
  - Time zones
Sharing
- Create and save assets
  - Filters, Trace Scenarios, Sequences, View Layouts, etc.
- Share assets through feeds
  - Via network shares
  - Later via service
Sharing Demo
Capturing with Message Analyzer
- SMB Client/Server
  - Very concise, no noise
  - Runs forever
  - No network-related traffic like DNS, DHCP, ICMP, ARP
- Firewall
  - Less overhead than capturing at the network layer
  - Can capture loopback
  - Requires configuration
Capture Demo
Analysis – Importing Data
- Importing heterogeneous data
  - Text logs, CAP, ETL, CSV, PCAP, PCAPNG
- Time shifting
  - By time zone, or just a smidge
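The two kinds of time shift on this slide, shown as an added example (not part of the original deck or of Message Analyzer itself). It merges a Netlogon text log with packet-capture timestamps: the log is first shifted by time zone (the constructed assumption is a domain controller in US Eastern time, UTC-5 in January, with no year in the timestamp) and then by a "smidge", a clock-skew correction in seconds. Without the skew correction the merged timeline shows the DC finishing the logon before the client's SMB2 session setup request even arrived; with it, the events fall in causal order. All messages and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Constructed assumptions: Netlogon.log written on a DC in US Eastern time (a fixed
# UTC-5 offset is used so this runs without tzdata; zoneinfo.ZoneInfo("America/New_York")
# is the right choice for real data with DST), no year in the log, capture in UTC.
LOG_YEAR = 2013
DC_TZ = timezone(timedelta(hours=-5), name="EST")

NETLOGON_LOCAL = [  # (timestamp exactly as written in Netlogon.log, message)
    ("01/19 17:04:53", "SamLogon Entered"),
    ("01/19 17:04:53", "SamLogon Returns 0x0"),
]
PCAP_UTC = [  # (UTC timestamp from the capture, message)
    (datetime(2013, 1, 19, 22, 4, 54, 0, tzinfo=timezone.utc), "SMB2 SESSION_SETUP Request"),
    (datetime(2013, 1, 19, 22, 4, 55, 200000, tzinfo=timezone.utc), "SMB2 SESSION_SETUP Response"),
]


def netlogon_to_utc(local_ts: str, skew_seconds: float = 0.0) -> datetime:
    """Shift a Netlogon timestamp by time zone, then by a clock-skew 'smidge'
    (seconds the DC clock lags the capture host), returning an aware UTC datetime."""
    naive = datetime.strptime(f"{LOG_YEAR} {local_ts}", "%Y %m/%d %H:%M:%S")
    utc = naive.replace(tzinfo=DC_TZ).astimezone(timezone.utc)
    return utc + timedelta(seconds=skew_seconds)


def merge_sources(skew_seconds: float = 0.0) -> List[Tuple[datetime, str, str]]:
    """Merge both sources into one UTC timeline, as an analyzer's message grid would."""
    merged = [(netlogon_to_utc(ts, skew_seconds), "netlogon", text) for ts, text in NETLOGON_LOCAL]
    merged += [(ts, "pcap", text) for ts, text in PCAP_UTC]
    merged.sort(key=lambda m: m[0])  # stable sort: same-timestamp log lines keep file order
    return merged


def event_order(skew_seconds: float = 0.0) -> List[str]:
    """Just the message texts in merged order, for eyeballing the causal sequence."""
    return [text for _, _, text in merge_sources(skew_seconds)]


if __name__ == "__main__":
    print("no skew correction:", event_order())
    print("DC clock 1.5 s slow:", event_order(1.5))
```

The check a practitioner wants is the second call: once the DC's 1.5 s lag is corrected, the logon sits between the SMB2 request and its response, which is the only order that makes sense.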
Import Data Demo
Text Log Configuration
- Regular expressions (RegEx) and OPN to parse a text log file
- Resources
  - http://msdn.microsoft.com/en-us/library/az24scfc.aspx
  - http://derekslager.com/blog/posts/2007/09/a-better-dotnet-regular-expression-tester.ashx
Text Log Configuration – Netlogon log
```
01/19 17:04:53 [MAILSLOT] Ping response 'Sam Logon Response Ex' (null) to \\mphewqtbx308.hew.us.ml.com Site: 1-NewYork-HUB on UDP LDAP
01/19 17:04:53 [LOGON] SamLogon: Transitive Network logon of CORP\NBKTIYN from B80C16EFD31D0 (via enycvc03dfs01) Entered
01/19 17:04:53 [LOGON] NlPickDomainWithAccount: CORP\NBKTIYN: Algorithm entered. UPN:0 Sam:1 Exp:0 Cross: 0 Root:0 DC:0
01/19 17:04:53 [LOGON] NlPickDomainWithAccount: Username CORP\NBKTIYN is in forest bankofamerica.com (found via LsaMatch)
01/19 17:04:53 [LOGON] SamLogon: Transitive Network logon of CORP\NBKTIYN from B80C16EFD31D0 (via enycvc03dfs01) Returns 0x0
```
Sample Netlogon.log
Text Log Configuration file
```
//
// Message to capture Sam logon request.
//
message SamLogonRequest with EntryInfo
{
    Regex = @"(?<nlts>[/0-9]+\s[/:0-9]+) \[(?<msgtype>[\S]+)\] SamLogon: Transitive Network logon of (?<UserName>[\S]+) (?<RemainingText>.*) Entered"
} : BaseNetLogon
{
    string UserName;
    string RemainingText;

    override string ToString()
    {
        return ("SamLogonRequest" + RemainingText);
    }
}
```
01/19 17:04:53 [LOGON] SamLogon: Transitive Network logon of CORP\NBKTIYN from B80C16EFD31D0 (via enycvc03dfs01) Entered
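What the Text Log adapter above does, re-created as an added Python example (not code from the deck, and not how Message Analyzer itself is implemented) so the regex can be run against the slide's sample lines offline. The `SamLogonRequest` pattern is the slide's own, ported from .NET `(?<name>...)` groups to Python's `(?P<name>...)`; the `Returns 0x...` response pattern, the `LogonMessage` record and the request/response pairing are assumptions added here to show why a defender structures this log: once "Entered" and "Returns" lines are messages with fields, they can be folded into operations and the status code per user and source host falls out. The sample log is the slide's excerpt plus two constructed lines for a hypothetical account `CORP\EXAMPLEUSER` whose logon fails.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the Netlogon.log lines from the slide, plus two constructed
# lines for a hypothetical account whose logon fails with a non-zero status.
SAMPLE_LOG = r"""01/19 17:04:53 [MAILSLOT] Ping response 'Sam Logon Response Ex' (null) to \\mphewqtbx308.hew.us.ml.com Site: 1-NewYork-HUB on UDP LDAP
01/19 17:04:53 [LOGON] SamLogon: Transitive Network logon of CORP\NBKTIYN from B80C16EFD31D0 (via enycvc03dfs01) Entered
01/19 17:04:53 [LOGON] NlPickDomainWithAccount: CORP\NBKTIYN: Algorithm entered. UPN:0 Sam:1 Exp:0 Cross: 0 Root:0 DC:0
01/19 17:04:53 [LOGON] NlPickDomainWithAccount: Username CORP\NBKTIYN is in forest bankofamerica.com (found via LsaMatch)
01/19 17:04:53 [LOGON] SamLogon: Transitive Network logon of CORP\NBKTIYN from B80C16EFD31D0 (via enycvc03dfs01) Returns 0x0
01/19 17:05:10 [LOGON] SamLogon: Transitive Network logon of CORP\EXAMPLEUSER from WS01 (via enycvc03dfs01) Entered
01/19 17:05:10 [LOGON] SamLogon: Transitive Network logon of CORP\EXAMPLEUSER from WS01 (via enycvc03dfs01) Returns 0xC000006A
"""

# The slide's regex, with .NET (?<name>...) groups written as Python (?P<name>...).
REQUEST_RE = re.compile(
    r"(?P<nlts>[/0-9]+\s[/:0-9]+) \[(?P<msgtype>[\S]+)\] SamLogon: Transitive Network logon of "
    r"(?P<UserName>[\S]+) (?P<RemainingText>.*) Entered$"
)
# Assumed companion pattern for the "Returns 0x..." line (not on the slide).
RESPONSE_RE = re.compile(
    r"(?P<nlts>[/0-9]+\s[/:0-9]+) \[(?P<msgtype>[\S]+)\] SamLogon: Transitive Network logon of "
    r"(?P<UserName>[\S]+) (?P<RemainingText>.*) Returns (?P<Status>0x[0-9A-Fa-f]+)$"
)

# NTSTATUS values named here; anything else is reported as its hex value.
STATUS_NAMES = {0x0: "STATUS_SUCCESS", 0xC000006A: "STATUS_WRONG_PASSWORD"}


@dataclass
class LogonMessage:
    """One parsed SamLogon line; mirrors the fields the OPN message declares."""
    timestamp: str
    kind: str                    # "Request" (Entered) or "Response" (Returns)
    user: str                    # UserName group
    remaining: str               # RemainingText group: "from <host> (via <dc>)"
    status: Optional[int] = None # only for responses


def parse_netlogon(text: str) -> List[LogonMessage]:
    """Turn raw log lines into structured messages; lines matching neither pattern are dropped."""
    messages = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            messages.append(LogonMessage(m["nlts"], "Request", m["UserName"], m["RemainingText"]))
            continue
        m = RESPONSE_RE.match(line)
        if m:
            messages.append(LogonMessage(m["nlts"], "Response", m["UserName"],
                                         m["RemainingText"], int(m["Status"], 16)))
    return messages


def pair_operations(messages: List[LogonMessage]) -> List[Dict]:
    """Fold each Request with the next Response for the same user and source into one
    operation, the way an analyzer groups request/response pairs. Requests that never
    get a response are kept too, with status None: an unanswered logon is a finding."""
    pending: Dict[Tuple[str, str], LogonMessage] = {}
    operations = []
    for msg in messages:
        key = (msg.user, msg.remaining)
        if msg.kind == "Request":
            pending[key] = msg
        elif key in pending:
            req = pending.pop(key)
            operations.append({"user": msg.user, "source": msg.remaining, "entered": req.timestamp,
                               "returned": msg.timestamp, "status": msg.status})
    for req in pending.values():
        operations.append({"user": req.user, "source": req.remaining, "entered": req.timestamp,
                           "returned": None, "status": None})
    return operations


def failed_logons(operations: List[Dict]) -> List[Tuple[str, str]]:
    """(user, status name) for every completed logon that did not return STATUS_SUCCESS."""
    return [(op["user"], STATUS_NAMES.get(op["status"], hex(op["status"])))
            for op in operations if op["status"] is not None and op["status"] != 0]


if __name__ == "__main__":
    ops = pair_operations(parse_netlogon(SAMPLE_LOG))
    for op in ops:
        print(op)
    print("failed:", failed_logons(ops))
```

The `$` anchors were added to the ported patterns so that `RemainingText` stops cleanly before the trailing keyword; the greedy `.*` in the slide's regex relies on the same backtracking in .NET.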
Text Log Adapter Demo
Analysis – Analyzing Data
- Validating implementation: diagnosis to understand adherence
- Viewpoints: hiding operations and exploring other network layers
- Sequence expressions: describing complex patterns
- Visualizations: exposing patterns via pictures
Validation
Viewpoints
- Hide operations: remove operations so requests/responses aren't grouped
- Alternate viewpoint: change your viewpoint to see traffic from a different layer's perspective
Viewpoint: Default
Viewpoint: Link Layer
Viewpoint: Network
Viewpoint: SMB
Viewpoint Demo
Sequence Expressions
Like a filter, but over a set of messages
Sequence Expression Example
```
using SMB2;

scenario SequenceExpression = backtrack (SMB2.VirtualOperations.Create)
(
    SMB2.VirtualOperations.Create{FileId is SMB2.SMB2Fileid{Persistent is var myFileId}}
    ->
    (
        SMB2.VirtualOperations.Read{FileId is SMB2.SMB2Fileid{Persistent == myFileId}}
    ) interleave [1,]
    until SMB2.VirtualOperations.Close{FileId is SMB2.SMB2Fileid{Persistent == myFileId}}
);
```
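The sequence expression above, re-implemented as an added Python example (not part of the deck and not Message Analyzer's matcher) so its semantics can be read from plain code: `backtrack (Create)` restarts the match at every Create, `Persistent is var myFileId` binds the file handle at that point, `Read ... interleave [1,]` requires at least one Read on that handle while tolerating unrelated messages in between, and `until Close` ends the sequence. It goes one step beyond the slide by also reporting the sequences that never complete, which is the output a reviewer actually wants: a handle that was opened and read but never closed, or closed without ever being read. The `Smb2Op` record and the trace are constructed; the field name `persistent` stands in for `SMB2Fileid.Persistent`.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Smb2Op:
    """One SMB2 operation as an analyzer would present it (constructed record)."""
    seq: int          # message number in the trace
    op: str           # "Create", "Read", "Write" or "Close"
    persistent: int   # stands in for SMB2Fileid.Persistent


# Constructed trace: handle 0x10 is created, read twice and closed; handle 0x20 is
# created, written, read once and never closed. The Write is interleaved noise.
TRACE = [
    Smb2Op(1, "Create", 0x10),
    Smb2Op(2, "Create", 0x20),
    Smb2Op(3, "Read", 0x10),
    Smb2Op(4, "Write", 0x20),
    Smb2Op(5, "Read", 0x10),
    Smb2Op(6, "Close", 0x10),
    Smb2Op(7, "Read", 0x20),
]


def match_create_read_close(trace: List[Smb2Op], min_reads: int = 1) -> Tuple[List[Dict], List[Dict]]:
    """Emulate: backtrack(Create) ( Create{Persistent is var id}
                                   -> (Read{Persistent == id}) interleave [min_reads,]
                                   until Close{Persistent == id} ).
    Returns (complete, unmatched); each entry records the Create, the Reads and the Close."""
    complete, unmatched = [], []
    for i, start in enumerate(trace):
        if start.op != "Create":
            continue                      # backtrack: every Create starts a fresh attempt
        file_id = start.persistent        # 'Persistent is var myFileId' binds here
        reads, close_seq = [], None
        for later in trace[i + 1:]:
            if later.persistent != file_id:
                continue                  # interleave: unrelated messages are skipped
            if later.op == "Read":        # Read{Persistent == myFileId}
                reads.append(later.seq)
            elif later.op == "Close":     # until Close{Persistent == myFileId}
                close_seq = later.seq
                break
        record = {"file_id": file_id, "create": start.seq, "reads": reads, "close": close_seq}
        if close_seq is not None and len(reads) >= min_reads:
            complete.append(record)
        else:
            unmatched.append(record)      # never closed, or closed with too few reads
    return complete, unmatched


if __name__ == "__main__":
    done, open_or_short = match_create_read_close(TRACE)
    print("matched sequences:", done)
    print("unmatched (leaked handle or no read):", open_or_short)
```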
Sequence Demo
Visualizations
Chart Editor
Chart and editor to create visualizations
Visualization Demo
Questions?
References
Message Analyzer Blog http://blogs.technet.com/MessageAnalyzer
Message Analyzer Support Forums http://social.technet.microsoft.com/Forums/en-US/home?forum=messageanalyzer
Message Analyzer Beta on Connect http://connect.Microsoft.com/site216
Message Analyzer Documentation http://technet.microsoft.com/en-us/library/jj649776.aspx