Filter on Address

  • Question

  • Is it possible to see both sides of an HTTP conversation (on a non-standard port) with Message Analyzer, like you can with Wireshark?

    I grabbed this 1 minute capture that has a tad over 1 million records in it. Following the numerous MS articles on filtering, a simple filter like *address== {some IP} yields absolutely nothing.

    I found I could get records to display using Microsoft_Windows_TCPIP.Destination == {some IP} in the filter, but it only appears to show one side of the conversation (client where the trace was running to the server).

    We're getting a complaint that a web server is throwing an error when a service calls it. I ran the trace for 1 minute on the client, copied the trace to my workstation and now I'm trying to filter for both sides of the conversation, but I cannot seem to see the responses from the web server.

    I even tried exporting to a PCAP and viewing it in Wireshark, but Wireshark isn't loading the exported file.

    Friday, March 23, 2018 11:36 PM

All replies

  • Is it possible to see both sides of an HTTP conversation (on a non-standard port) with Message Analyzer, like you can with Wireshark?

    Yes.  I had one but forgot how I did it.  I had saved the trace that it produced and was annoyed that there seems to be no way to derive the scenario from that.  Fortunately I just remembered what I had done:  Provider: WinInet-Capture, ViewPoint: HTTP, Filter: *Address=="answers.microsoft.com"  AND forgot to save the scenario again!  Fortunately I figured out that there is a Session Edit which gives me a second chance for correcting that oversight.

    Heh.  I used the Save Scenario button but don't think I have the functionality available that is described here

    https://docs.microsoft.com/en-us/message-analyzer/saving-trace-scenarios 

    Oh well, at least I have a clearer idea of what I will need to do to reproduce it again, if necessary.



    Robert Aldwinckle
    ---

    Thursday, October 11, 2018 1:03 AM