Most often, the Details and Field ChooserTool Windows are used to locate fields and values, for example, to expand the Analysis Grid column layout configuration. Although the Field Chooser provides a complete if not an overwhelming list of fields, properties, methods, and so on, for many protocols and modules, it is often easiest to use the fields contained in the Details window to create filters and add data columns to the Analysis Grid. However, until now, there has been a range of things you can filter on that didn’t appear based on the selected message. And of course, this isn’t limited to filtering as you can also add this range of things as columns, use them for grouping, and more.
New Details Tool Window Features
Before Message Analyzer v1.3, the Details window showed you information based on the field details of the currently selected message only. The displayed fields were related to the selected message only and corresponded to data that traveled across the wire. As such, the Details window represented things you would find in an RFC or Protocol specification.
However there’s another class of elements that are held by global Properties and Annotations—as they are referred to in Field Chooser—that are derived from the wire data, which in some cases are intended to help you aggregate and correlate information. For instance, the message TCP.Segment has a property called PayloadLength. Surprisingly, there is no TCP PayloadLength property defined as a field in the applicable protocol documentation. Instead, it’s derived from the IPv4 payload length by subtracting the TCP header from the TCP.Segment message.
In Message Analyzer v1.3, the new Details window has three modes: Fields, Properties and Tracked Items.
You can now discover all of these Properties and Annotations in a new Properties window by using the Properties mode. Using the Tracked Item mode shows fields or properties that you added through use of the Details context menu for a particular message, to enable tracking and comparison of their values with other messages that you select. By clicking the Properties button on the Details toolbar, new information displays that shows you properties that exist in two categories:
1. Global category—contains global Properties and Annotations, which apply to any message.
2. Message category—contains Properties that apply to the currently selected message.
The Properties and Annotations are shown in the Global category of the Properties window in the figure that follows. Also shown in the figure is the Message category with the TCP.Segment designation, which reflects the Open Protocol Notation (OPN) declaration for TCP messages.
In each category, you see the list of valid properties and annotations and their current values. The set of global properties that are shown in the Global category are common to all messages. . In the window tray at the bottom, information displays about the selected message that includes a summary description.
Note: Null property values are not shown in the Properties window.
Global Properties
For each message there is a set of properties that exist across all messages. Some of these are inherent to the system, for instance TraceSourcePath, which is supplied by the Runtime, exists for all messages. Other messages are properties defined by OPN and applied to “any message”. Properties such as PID and ProcessName are exposed that way.
Message Properties
For the TCP.Segment message, there are some local properties that we specifically added to help users. Payload and PayloadLength fields make it easy to create filters on that portion of a message. The Transport field is a convenient string on which you can perform a group command to arrange TCP messages into conversations. In addition, the value of the WindowScaled field is computed by using the derived TCP scale factor multiplied by the window size.
Impact of Analysis Grid Inheritance
Sometimes the Analysis Grid viewer shows a value for a particular property, but when you use the Properties mode in Details, the property doesn’t show up or has a different value. This can happen because the Analysis Grid viewer displays an inherited value from the first child in the origins tree of a particular message that has the field or property defined. For instance, Source/Destination is a value that many messages will compute. The Destination for Ethernet is some MAC address, such as FF-33-EE-11-22-AA. But IPv4 also has the Destination property defined, for instance 192.168.1.10, and so does HTTP. But even though TCP doesn’t have a Source property defined, the value will be inherited from the associated child IPv4 message, which Message Analyzer will then display in the Analysis Grid viewer at the top-level.
For example, in the previous figure, the top-level message 3117 shows “c.msn.com” as the Destination. However, when selecting the IPv4 message in the Message Stack Tool Window, Details shows the Destination property to be an IP address value of 65.53.63.32.
Moreover, for the following TCP.Segment message, the Analysis Grid viewer shows the Destination as 65.53.6.153. However, the value displayed is inherited from the IPv4 layer, as the Destination property doesn’t exist in the TCP.Segment properties display:
Seeing the Full Picture
With the new Details window, you can easily discover new things that can benefit your analysis. In addition, having the ability to right click and group, filter, or add new columns via the annotations and properties that are now exposed in Details will help you explore and understand your data more quickly.
More Information
To learn more about some of the concepts discussed in this article, see the following topics in the Message Analyzer Operating Guide: