Heterogeneous Environments
Insert tutorial title in footer © 2013 Storage Networking Industry Association. All Rights Reserved.
SNIA Legal Notice
The material contained in this tutorial is copyrighted by the SNIA unless
otherwise noted.
Member companies and individual members may use this material in
presentations and literature under the following conditions:
Any slide or slides used must be reproduced in their entirety without modification
The SNIA must be acknowledged as the source of any material used in the body of
any document containing material from these presentations.
This presentation is a project of the SNIA Education Committee.
Neither the author nor the presenter is an attorney and nothing in this
presentation is intended to be, or should be construed as legal advice or an
opinion of counsel. If you need legal advice or a legal opinion please
contact your attorney.
The information presented herein represents the author's personal opinion
and current understanding of the relevant issues involved. The author, the
presenter, and the SNIA do not assume any responsibility or liability for
damages arising out of any reliance on or use of this information.
NO WARRANTIES, EXPRESS OR IMPLIED. USE AT YOUR OWN RISK.
Message Analysis and Visualization in Heterogeneous
Environments
Microsoft Message Analyzer is the next generation tool for
analyzing messages from almost any source. Diagnosis of
heterogeneous systems has continued to evolve as we explore
new ways to visualize information for any type of trace data, be it
a text log file, comma or tab separated data, network capture, or
ETW component. Discover how to import Samba debug logs
directly or define Text Log adapters, then inspect, filter, and
organize as structured data. Learn how to analyze your file
system's interoperability with Windows without having to read
documentation. Expand your understanding of the interactions
by including Windows component-specific information to gain
insight into deep protocol and system behaviors.
Message Analyzer Activities
Capture
Analyze
Share
Simulates protocol behavior
Diagnosis messages for finding misbehavior
Message Analyzer differences?
Coalesces network information
Full defragmentation of messages
High level performance info, like Server Response Times
Different types of systems
Windows
Unix/Linux
Apple
Different kinds of traces and logs
Text logs
Network traces
Event Tracing for Windows traces (ETL)
Different machines and parts of the world
Time shifts
Time zones
Sharing
Create and save assets
Filters, Trace Scenarios, Sequences, View Layouts, etc.
Share assets through feeds
Via network shares
Later via service
Sharing Demo
Capturing with Message Analyzer
SMB Client/Server
Very concise, no noise
Runs forever
No network related traffic like DNS, DHCP, ICMP, ARP
Firewall
Less overhead than capturing at the network layer
Can capture Loopback
Requires configuration
Analysis – Importing Data
Importing Homogeneous Data
Text Logs, CAP, ETL, CSV, PCAP, PCAPNG
Time Shifting
By time zone or just a smidge
Import Data Demo
Text Log Configuration
RegEx expressions and OPN to parse a text log file
Resources
http://msdn.microsoft.com/en-us/library/az24scfc.aspx
http://derekslager.com/blog/posts/2007/09/a-better-dotnet-regular-expression-tester.ashx
01/19 17:04:53 [MAILSLOT] Ping response 'Sam Logon Response Ex' (null) to \\mphewqtbx308.hew.us.ml.com Site: 1-NewYork-HUB on UDP LDAP
01/19 17:04:53 [LOGON] SamLogon: Transitive Network logon of CORP\NBKTIYN from B80C16EFD31D0 (via enycvc03dfs01) Entered
01/19 17:04:53 [LOGON] NlPickDomainWithAccount: CORP\NBKTIYN: Algorithm entered. UPN:0 Sam:1 Exp:0 Cross: 0 Root:0 DC:0
01/19 17:04:53 [LOGON] NlPickDomainWithAccount: Username CORP\NBKTIYN is in forest bankofamerica.com (found via LsaMatch)
01/19 17:04:53 [LOGON] SamLogon: Transitive Network logon of CORP\NBKTIYN from B80C16EFD31D0 (via enycvc03dfs01) Returns 0x0
Text Log Configuration file
//
// Message to capture Sam logon request.
//
message SamLogonRequest with
    EntryInfo { Regex = @"(?<nlts>[/0-9]+\s[/:0-9]+) \[(?<msgtype>[\S]+)\] SamLogon: Transitive Network logon of (?<UserName>[\S]+) (?<RemainingText>.*) Entered" }
    : BaseNetLogon
{
    string UserName;
    string RemainingText;
    override string ToString()
    {
        return ("SamLogonRequest" + RemainingText);
    }
}
01/19 17:04:53 [LOGON] SamLogon: Transitive Network logon of CORP\NBKTIYN from B80C16EFD31D0 (via enycvc03dfs01) Entered
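Added example, not part of the original slides or of Message Analyzer: the same regular expression applied in Python to pair each SamLogon "Entered" line with its "Returns" line and list non-zero results. It goes beyond the slide by also capturing the "Returns" status; the function names, the CORP\EXAMPLE accounts and their host names are assumptions made for illustration.

```python
import re

# The slide's pattern with .NET (?<name>...) groups written as Python (?P<name>...).
# Generalised (assumption) so the tail matches "Entered" or "Returns <status>".
SAMLOGON = re.compile(
    r"(?P<nlts>[/0-9]+\s[/:0-9]+) \[(?P<msgtype>\S+)\] SamLogon: "
    r"Transitive Network logon of (?P<UserName>\S+) (?P<RemainingText>.*) "
    r"(?:Entered|Returns (?P<status>0x[0-9A-Fa-f]+))$"
)

# Constructed sample input. The NBKTIYN lines follow the slide; the EXAMPLE lines
# are made up. 0xC000006A is the NTSTATUS value for a wrong password.
SAMPLE = r"""
01/19 17:04:53 [LOGON] SamLogon: Transitive Network logon of CORP\NBKTIYN from B80C16EFD31D0 (via enycvc03dfs01) Entered
01/19 17:04:53 [LOGON] NlPickDomainWithAccount: CORP\NBKTIYN: Algorithm entered. UPN:0 Sam:1 Exp:0 Cross: 0 Root:0 DC:0
01/19 17:04:53 [LOGON] SamLogon: Transitive Network logon of CORP\NBKTIYN from B80C16EFD31D0 (via enycvc03dfs01) Returns 0x0
01/19 17:04:54 [LOGON] SamLogon: Transitive Network logon of CORP\EXAMPLE1 from WKS-EXAMPLE (via srv-example) Entered
01/19 17:04:55 [LOGON] SamLogon: Transitive Network logon of CORP\EXAMPLE1 from WKS-EXAMPLE (via srv-example) Returns 0xC000006A
01/19 17:04:56 [LOGON] SamLogon: Transitive Network logon of CORP\EXAMPLE2 from WKS-EXAMPLE2 (via srv-example) Entered
"""

def parse(line):
    """Return the named fields of a SamLogon line, or None for any other line."""
    m = SAMLOGON.match(line.strip())
    return m.groupdict() if m else None

def pair_logons(text):
    """Pair Entered/Returns lines on (user, remaining text); return (results, pending)."""
    pending, results = {}, []
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        key = (rec["UserName"], rec["RemainingText"])
        if rec["status"] is None:            # "Entered": remember when it started
            pending[key] = rec["nlts"]
        else:                                # "Returns": close the matching request
            results.append({"user": rec["UserName"],
                            "entered": pending.pop(key, None),
                            "returned": rec["nlts"],
                            "status": int(rec["status"], 16)})
    return results, pending

def failures(text):
    """Completed logons whose status is not 0x0, as (user, hex status) pairs."""
    results, _ = pair_logons(text)
    return [(r["user"], hex(r["status"])) for r in results if r["status"] != 0]
```

Requests left in `pending` have an "Entered" line but no "Returns" line in the log, which is worth checking when a trace is cut off or a logon never completed.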
Text Log Adapter
Demo
Validating Implementation
Diagnosis to understand adherence
Viewpoints
Hiding operations and exploring other network layers
Sequence Expressions
Describing complex patterns
Visualizations
Exposing patterns via pictures
Validation
Hide operations
Remove operations so request/responses aren’t grouped
Alternate viewpoint
Change your viewpoint to see traffic from a different layer's
perspective
Viewpoint: Default
Viewpoint: Network
Viewpoint: SMB
Sequence Expressions
Like a filter, but over a set of messages
using SMB2;

scenario SequenceExpression =
    backtrack (SMB2.VirtualOperations.Create)
    (
        SMB2.VirtualOperations.Create{FileId is SMB2.SMB2Fileid{Persistent is var myFileId }} ->
        (
            SMB2.VirtualOperations.Read{FileId is SMB2.SMB2Fileid{Persistent == myFileId }}
        )
        interleave [1,]
        until SMB2.VirtualOperations.Close{FileId is SMB2.SMB2Fileid{Persistent == myFileId }}
    );
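Added example, not from the slides and not OPN: a simplified Python reading of the pattern above, assuming it means "a Create binds a file ID, one or more Reads on that ID follow, possibly interleaved with other messages, until a Close on the same ID". The Msg record, its field names and the trace are constructed for illustration.

```python
from collections import namedtuple

# Hypothetical, simplified stand-in for a parsed SMB2 operation.
Msg = namedtuple("Msg", "seq op file_id")

def find_sequences(messages):
    """Return (file_id, [seq, ...]) for each Create -> Read (1 or more) -> Close
    on one file ID. Messages for other IDs, and other operations on the same
    ID, may sit between the matched ones (the 'interleave' part)."""
    open_files, matches = {}, []
    for m in messages:
        if m.op == "Create":
            open_files[m.file_id] = [m.seq]        # binds myFileId
        elif m.file_id in open_files:
            if m.op == "Read":
                open_files[m.file_id].append(m.seq)
            elif m.op == "Close":
                seqs = open_files.pop(m.file_id)
                if len(seqs) >= 2:                 # Create plus at least one Read: [1,]
                    matches.append((m.file_id, seqs + [m.seq]))
    return matches

# Constructed trace: three file IDs interleaved on one connection.
TRACE = [
    Msg(1, "Create", 0x11),
    Msg(2, "Create", 0x22),
    Msg(3, "Read",   0x11),
    Msg(4, "Close",  0x22),   # 0x22 closed with no Read: not a match
    Msg(5, "Write",  0x11),   # unrelated operation on the same ID: skipped
    Msg(6, "Read",   0x11),
    Msg(7, "Close",  0x11),   # completes the match for 0x11
    Msg(8, "Create", 0x33),
    Msg(9, "Read",   0x33),   # 0x33 never closed: not a match
]

def unmatched_ids(messages):
    """File IDs that were created but did not complete the pattern."""
    matched = {fid for fid, _ in find_sequences(messages)}
    created = {m.file_id for m in messages if m.op == "Create"}
    return sorted(created - matched)
```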
Sequence Demo
Chart Editor
Chart and editor to create visualizations