TRANSCRIPT
Message Analysis and Visualization in Heterogeneous Environments
Paul Long/Microsoft
© 2013 Storage Networking Industry Association. All Rights Reserved.
SNIA Legal Notice
The material contained in this tutorial is copyrighted by the SNIA unless otherwise noted. Member companies and individual members may use this material in presentations and literature under the following conditions:
Any slide or slides used must be reproduced in their entirety without modification.
The SNIA must be acknowledged as the source of any material used in the body of any document containing material from these presentations.
This presentation is a project of the SNIA Education Committee. Neither the author nor the presenter is an attorney and nothing in this presentation is intended to be, or should be construed as legal advice or an opinion of counsel. If you need legal advice or a legal opinion please contact your attorney. The information presented herein represents the author's personal opinion and current understanding of the relevant issues involved. The author, the presenter, and the SNIA do not assume any responsibility or liability for damages arising out of any reliance on or use of this information. NO WARRANTIES, EXPRESS OR IMPLIED. USE AT YOUR OWN RISK.
Abstract
Message Analysis and Visualization in Heterogeneous Environments
Microsoft Message Analyzer is the next generation tool for analyzing messages from almost any source. Diagnosis of heterogeneous systems has continued to evolve as we explore new ways to visualize information for any type of trace data, be it a text log file, comma or tab separated data, a network capture, or an ETW component. Discover how to import Samba debug logs directly or define Text Log adapters, then inspect, filter, and organize the result as structured data. Learn how to analyze your file system's interoperability with Windows without having to read documentation. Expand your understanding of the interactions by including Windows component-specific information to gain insight into deep protocol and system behaviors.
Message Analyzer Activities
Capture
Analyze
Share
Message Analyzer differences?
Simulates protocol behavior
Diagnosis messages for finding misbehavior
Message Analyzer differences?
Coalesces network information
Full defragmentation of messages
High level performance info, like Server Response Times
Heterogeneous Environments
Different types of systems
    Windows
    Unix/Linux
    Apple
Different kinds of traces and logs
    Text logs
    Network traces
    Event Tracing for Windows traces (ETL)
Different machines and parts of the world
    Time shifts
    Time zones
Sharing
Create and save assets
    Filters, Trace Scenarios, Sequences, View Layouts, etc.
Share assets through feeds
    Via network shares
    Later via service
Sharing Demo
Capturing with Message Analyzer
SMB Client/Server
    Very concise, no noise
    Runs forever
    No network related traffic like DNS, DHCP, ICMP, ARP
Firewall
    Less overhead than capturing at the network layer
    Can capture Loopback
    Requires configuration
Capture Demo
Analysis – Importing Data
Importing Heterogeneous Data
    Text Logs, CAP, ETL, CSV, PCAP, PCAPNG
Time Shifting
    By time zone or just a smidge
Import Data Demo
Text Log Configuration
Regular expressions (RegEx) and OPN to parse a text log file
Resources
    http://msdn.microsoft.com/en-us/library/az24scfc.aspx
    http://derekslager.com/blog/posts/2007/09/a-better-dotnet-regular-expression-tester.ashx
Text Log Configuration – Netlogon log
01/19 17:04:53 [MAILSLOT] Ping response 'Sam Logon Response Ex' (null) to \\mphewqtbx308.hew.us.ml.com Site: 1-NewYork-HUB on UDP LDAP
01/19 17:04:53 [LOGON] SamLogon: Transitive Network logon of CORP\NBKTIYN from B80C16EFD31D0 (via enycvc03dfs01) Entered
01/19 17:04:53 [LOGON] NlPickDomainWithAccount: CORP\NBKTIYN: Algorithm entered. UPN:0 Sam:1 Exp:0 Cross: 0 Root:0 DC:0
01/19 17:04:53 [LOGON] NlPickDomainWithAccount: Username CORP\NBKTIYN is in forest bankofamerica.com (found via LsaMatch)
01/19 17:04:53 [LOGON] SamLogon: Transitive Network logon of CORP\NBKTIYN from B80C16EFD31D0 (via enycvc03dfs01) Returns 0x0
Sample Netlogon.log
Text Log Configuration file
//
// Message to capture a SamLogon request ("... Entered" lines).
// Each named group in the regex becomes a field of the parsed message.
//
message SamLogonRequest with EntryInfo
{
    Regex = @"(?<nlts>[/0-9]+\s[/:0-9]+) \[(?<msgtype>[\S]+)\] SamLogon: Transitive Network logon of (?<UserName>[\S]+) (?<RemainingText>.*) Entered"
} : BaseNetLogon
{
    string UserName;
    string RemainingText;

    // Summary text shown in the message list; a separator keeps the
    // type name and the captured text from running together.
    override string ToString()
    {
        return ("SamLogonRequest " + RemainingText);
    }
}
01/19 17:04:53 [LOGON] SamLogon: Transitive Network logon of CORP\NBKTIYN from B80C16EFD31D0 (via enycvc03dfs01) Entered
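The same regex-to-structured-record step done outside Message Analyzer, as an added example that is not part of the original deck: the slide's .NET pattern is applied to constructed Netlogon lines, a companion pattern for the "Returns 0x..." line (an assumption, not on the slide) is added, and each request is paired with its response so the NTSTATUS and elapsed time can be reported per logon, which is the kind of request/response grouping the tool does for you. Python's re module spells named groups (?P<name>...) instead of .NET's (?<name>...); that is the only change to the slide's pattern. Netlogon timestamps carry no year, so the parser takes one as an explicit assumption.

```python
import re
from datetime import datetime

# The slide's pattern, with .NET (?<name>...) groups rewritten as Python (?P<name>...).
SAMLOGON_REQUEST = re.compile(
    r"(?P<nlts>[/0-9]+\s[/:0-9]+) \[(?P<msgtype>[\S]+)\] SamLogon: "
    r"Transitive Network logon of (?P<UserName>[\S]+) (?P<RemainingText>.*) Entered"
)

# Assumed companion pattern (not on the slide) for the matching "Returns 0x..." line.
SAMLOGON_RESPONSE = re.compile(
    r"(?P<nlts>[/0-9]+\s[/:0-9]+) \[(?P<msgtype>[\S]+)\] SamLogon: "
    r"Transitive Network logon of (?P<UserName>[\S]+) (?P<RemainingText>.*) "
    r"Returns (?P<Status>0x[0-9A-Fa-f]+)"
)

# Constructed sample in Netlogon.log format (hosts and accounts are made up).
# 0xC000006A is STATUS_WRONG_PASSWORD, used here as a non-zero result.
SAMPLE_LOG = """\
01/19 17:04:53 [MAILSLOT] Ping response 'Sam Logon Response Ex' (null) to \\\\client01.example.com Site: Site-A on UDP LDAP
01/19 17:04:53 [LOGON] SamLogon: Transitive Network logon of CORP\\alice from WS01 (via dc01) Entered
01/19 17:04:53 [LOGON] NlPickDomainWithAccount: CORP\\alice: Algorithm entered. UPN:0 Sam:1 Exp:0 Cross: 0 Root:0 DC:0
01/19 17:04:53 [LOGON] SamLogon: Transitive Network logon of CORP\\alice from WS01 (via dc01) Returns 0x0
01/19 17:04:54 [LOGON] SamLogon: Transitive Network logon of CORP\\bob from WS02 (via dc01) Entered
01/19 17:04:56 [LOGON] SamLogon: Transitive Network logon of CORP\\bob from WS02 (via dc01) Returns 0xC000006A
"""


def parse_netlogon(text, year=2013):
    """Turn Netlogon lines into structured records (one dict per matched line).

    Lines that match neither pattern are dropped, as an OPN message type
    without a matching regex would be. The log has no year field, so the
    caller supplies one (assumption: the whole log falls in that year).
    """
    messages = []
    patterns = (("SamLogonRequest", SAMLOGON_REQUEST),
                ("SamLogonResponse", SAMLOGON_RESPONSE))
    for line in text.splitlines():
        for kind, pattern in patterns:
            m = pattern.match(line)
            if m:
                rec = m.groupdict()
                rec["Kind"] = kind
                rec["Timestamp"] = datetime.strptime(
                    f"{year}/{rec['nlts']}", "%Y/%m/%d %H:%M:%S")
                messages.append(rec)
                break
    return messages


def pair_logons(messages):
    """Group each request with the next response for the same user.

    Returns (UserName, status as int, elapsed seconds) per completed logon;
    a request with no later response is left unpaired.
    """
    pending = {}
    operations = []
    for rec in messages:
        user = rec["UserName"]
        if rec["Kind"] == "SamLogonRequest":
            pending[user] = rec
        elif user in pending:
            req = pending.pop(user)
            elapsed = (rec["Timestamp"] - req["Timestamp"]).total_seconds()
            operations.append((user, int(rec["Status"], 16), elapsed))
    return operations


if __name__ == "__main__":
    for user, status, elapsed in pair_logons(parse_netlogon(SAMPLE_LOG)):
        print(f"{user}: status=0x{status:08X} elapsed={elapsed:.1f}s")
```

Pairing on user name alone is a simplification; a real Netlogon log may carry several concurrent logons for one account, and Message Analyzer's operation grouping relies on more fields than this.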
Text Log Configuration file
Text Log Adapter Demo
Analysis – Analyzing Data
Validating Implementation
    Diagnosis to understand adherence
Viewpoints
    Hiding operations and exploring other network layers
Sequence Expressions
    Describing complex patterns
Visualizations
    Exposing patterns via pictures
Validation
Viewpoints
Hide operations
    Remove operations so requests and responses aren’t grouped
Alternate viewpoint
    Change your viewpoint to see the traffic from a different layer's perspective
Viewpoint: Default
Viewpoint: Link Layer
Viewpoint: Network
Viewpoint: SMB
Viewpoint Demo
Sequence Expressions
Like a filter, but over a set of messages
Sequence Expression Example
using SMB2;

scenario SequenceExpression = backtrack (SMB2.VirtualOperations.Create)
(
    SMB2.VirtualOperations.Create{FileId is SMB2.SMB2Fileid{Persistent is var myFileId}}
    -> (
        SMB2.VirtualOperations.Read{FileId is SMB2.SMB2Fileid{Persistent == myFileId}}
    ) interleave [1,]
    until SMB2.VirtualOperations.Close{FileId is SMB2.SMB2Fileid{Persistent == myFileId}}
);
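What that sequence expression matches, as an added example that is not part of the original deck or of Message Analyzer: a small matcher over a constructed list of SMB2 operations that starts at each Create (the backtrack), collects one or more Reads on the same FileId.Persistent while ignoring interleaved messages for other files, and completes the chain at the first Close of that file. The Smb2Op record and the sample trace are assumptions made for the example; only the fields the expression uses are modelled.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Smb2Op:
    """Constructed stand-in for an SMB2 virtual operation (assumption for this example)."""
    kind: str        # "Create", "Read", "Write" or "Close"
    persistent: int  # SMB2_FILEID.Persistent, the handle the expression keys on
    number: int      # message number in the trace


def match_create_read_close(ops: List[Smb2Op]) -> List[Tuple[int, ...]]:
    """Find every Create -> Read [1,] until Close chain on one file.

    For each Create (backtrack), scan forward for messages with the same
    Persistent file id; messages for other files are interleaved and skipped.
    A chain is reported, as a tuple of message numbers, only when at least one
    Read was seen before the Close. A Create whose Close never arrives yields
    nothing, just as an incomplete sequence does not match in the tool.
    """
    matches = []
    for i, start in enumerate(ops):
        if start.kind != "Create":
            continue
        file_id = start.persistent
        chain = [start.number]
        reads = 0
        for op in ops[i + 1:]:
            if op.persistent != file_id:
                continue  # interleave: unrelated file, keep scanning
            if op.kind == "Read":
                reads += 1
                chain.append(op.number)
            elif op.kind == "Close":
                chain.append(op.number)
                if reads >= 1:
                    matches.append(tuple(chain))
                break  # until Close: this chain is finished either way
    return matches


# Constructed trace: two files open at once (0x11 and 0x22), one file never closed (0x33).
SAMPLE_TRACE = [
    Smb2Op("Create", 0x11, 1),
    Smb2Op("Create", 0x22, 2),
    Smb2Op("Read",   0x11, 3),
    Smb2Op("Write",  0x22, 4),  # write, not read: 0x22 will not satisfy [1,] reads
    Smb2Op("Read",   0x11, 5),
    Smb2Op("Close",  0x22, 6),
    Smb2Op("Close",  0x11, 7),
    Smb2Op("Create", 0x33, 8),
    Smb2Op("Read",   0x33, 9),  # no Close follows, so no match for 0x33
]


if __name__ == "__main__":
    for chain in match_create_read_close(SAMPLE_TRACE):
        print("matched messages:", chain)
```

The expected result on the sample trace is a single chain, messages 1, 3, 5 and 7: file 0x22 is closed without a Read and file 0x33 is never closed, so neither qualifies, and the Write on message 4 is treated as interleaved noise rather than a break in the sequence.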
Sequence Demo
Visualizations
Chart Editor
Chart and editor to create visualizations
Visualization Demo
Questions?
References
Message Analyzer Blog http://blogs.technet.com/MessageAnalyzer
Message Analyzer Support Forums http://social.technet.microsoft.com/Forums/en-US/home?forum=messageanalyzer
Message Analyzer Beta on Connect http://connect.Microsoft.com/site216
Message Analyzer Documentation http://technet.microsoft.com/en-us/library/jj649776.aspx