Microsoft Message Analyzer – MS’s poorly named Wireshark sidekick

Have you ever heard of Microsoft Message Analyzer? While troubleshooting some networking issues with Windows Server 2012, I asked the application owner to install Wireshark. Being a good systems admin, the application owner was naturally suspicious of an application with ‘shark’ in its name. Despite my insistence, I wasn’t able to convince the administrator to install Wireshark. We decided to look at alternatives, and came across Microsoft’s own Microsoft Message Analyzer (MMA)!

[Screenshot: mma1]

It turns out that MMA is very similar in layout to Wireshark, with far fewer protocol-specific features, but a few unique capabilities that make it a compelling tool to keep in your back pocket. Of course, Wireshark is the king of protocol analysis and is certainly not getting dethroned. MMA, however, can be really handy in certain scenarios.

Microsoft Message Analyzer Pros:

  • Allows capture on multiple remote Windows systems (that have MMA installed and, of course, for which you hold the appropriate access/authorization) – THIS IS MMA’s MOST USEFUL FEATURE!
  • May be installable in environments where Microsoft products are trusted more than third-party products – especially products with ‘shark’ in the name! 🙂
  • Allows capture on a per-process and per-application basis
  • Can capture HTTPS and IPsec traffic in the clear, for HTTPS and IPsec traffic originating from the local host
  • Has a similar look and feel to Wireshark, so the learning curve for existing Wireshark users is minimal
  • Supports display filtering in a manner similar to Wireshark’s (the filter syntax differs, but the idea is the same)
  • Allows you to drill down into a packet within the main list of packets, and to see the details of multiple packets at a time (see screenshot below)
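Beyond the GUI, Message Analyzer ships a PowerShell module (PEF) that lets you script the kind of filtered local capture described in the list above. The following is an added example and not code from the original post: the cmdlet and parameter names are given as recalled from the PEF module’s documentation, the output path is an assumption, and you should confirm the cmdlet set on your own install with `Import-Module PEF; Get-Command -Module PEF` before relying on it.

```powershell
# Added example (not from the original post): script a filtered local capture
# with the PEF module that installs alongside Message Analyzer.
# Cmdlet/parameter names as recalled from the PEF documentation; verify with
#   Import-Module PEF; Get-Command -Module PEF
Import-Module PEF

# Assumed output location; MMA writes its unparsed trace as a .matu file here.
$tracePath = "C:\Traces\https-capture.matu"

# Circular 50 MB buffer, overwrite an existing file, persist to disk when the session stops.
$session = New-PefTraceSession -Mode Circular -Force -Path $tracePath -TotalSize 50 -SaveOnStop

# Capture local traffic through the Windows Filtering Platform provider
# (the provider behind the "Local Network Interfaces" capture scenario in the GUI).
Add-PefMessageProvider -PEFSession $session -Provider "Microsoft-Pef-WFP-MessageProvider"

# MMA filter syntax: capitalised protocol and field names, e.g. TCP.Port,
# rather than Wireshark's tcp.port. Keep only TLS/HTTPS traffic.
Set-PefTraceFilter -PEFSession $session -Filter "TCP.Port == 443"

# Arm a trigger so the session stops itself after 60 seconds instead of running open-ended.
$trigger = New-PefTimeSpanTrigger -TimeSpan (New-TimeSpan -Seconds 60)
Stop-PefTraceSession -PEFSession $session -Trigger $trigger

# Start capturing; the stop trigger fires after 60 s and the trace is saved to $tracePath.
Start-PefTraceSession -PEFSession $session
```

Scripting the capture this way is also the safer option on a production box: the session is bounded in size and duration, and the filter is applied at capture time rather than after the fact, so you are not leaving a multi-gigabyte unfiltered trace on a server you were only allowed to touch briefly.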

Microsoft Message Analyzer Cons:

  • Since it’s still a relatively new product (2014), it lacks most of the advanced protocol-specific features that Wireshark has (e.g. VoIP analysis, TCP/UDP stream following, Flow Graph, etc.)
  • MMA’s native .matp file format is not cross-compatible with Wireshark’s pcap or pcapng file formats. (On the other hand, the pcap format is almost universally supported across many different packet capture and analysis tools, and across many different OSes too!)
  • Although Wireshark has also had stability issues (which have improved dramatically over the last few years), MMA proved very unstable in my testing on Windows Server 2012 and Windows 7, where it crashed frequently.

Regardless of the above minor drawbacks, using only the core packet capture and analysis functions, I was able to successfully use MMA to troubleshoot the application issues that introduced me to MMA in the first place.

[Screenshot: mma2.jpg]
