Where is the PID/Image Name info?

All replies

  • Since we revamped the entire architecture, we haven't had a chance to add the exact same process tracking feature we had in Network Monitor. For ETW-based traces (which is what Message Analyzer uses), you can group by the ProcessID, but it isn't using the exact same method, so the Process IDs reported could be different.

    Paul

    Wednesday, September 25, 2013 4:34 PM
    Owner
  • Paul, you have removed the main feature that had me using Network Monitor over Wireshark.  Is there any chance of it coming back?

    Britt

    Thursday, September 26, 2013 5:16 AM
  • Yes, it certainly is coming back. Process Tracking was a complex feature that tied deeply into the capturing stack. Moving forward, the capture stack is moving into the OS, which makes re-integration a slightly longer-term goal. But correlation is one of our mantras, so I think it has high priority.

    However, you can still organize by process in new traces, which might still be helpful. For more details, read this blog about Grouping, a new correlation tool, which perhaps you can see is the start of a more dynamic conversation tree.

    Paul

    Thursday, September 26, 2013 1:30 PM
    Owner
  • This took me a bit to figure out, so for anyone else: you can group by Process ID (PID) by adding EventRecord.Header.ProcessId as a column, then right-clicking that column header and selecting "Group".

    Step 1 (type in "EventRecord"):

    Step 2:

    It's not great though. I've found some important network traffic with "0" in this column...

    Mike Crowley | MVP
    My Blog -- Planet Technologies

    Monday, October 28, 2013 11:48 PM
  • Another issue with this new tool is it doesn't get process names. Having a process name is much more important than having ProcessIDs.

    Imagine this scenario: a certain program launches, remains active for 2 secs and then terminates. Yes, you will have its process ID which, obviously, will be totally of no use to you since the process is gone already and you won't be able to find out which image name was used.

    That's a major PITA, and in order to properly address it I have to construct a separate script to capture tasklist periodically in order to correlate PIDs and Process Names later.

    Overall, I prefer MNM over MA because of that for many if not all capture scenarios. In fact, I never use MA to capture traffic since it's no better than agentless netsh trace captures, and if I need to install a capture program I keep choosing MNM because of the process name grouping feature.

    Hopefully something similar will get added eventually to MA, but as of now it's the end of 2015, this conversation is 2 years old and still no process names in MA.

    Wednesday, October 21, 2015 6:29 PM
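The two workarounds described in this thread (grouping packets by EventRecord.Header.ProcessId, and periodically capturing tasklist so PIDs can be mapped to image names afterwards) can be joined into one offline correlation step. The script below is an added example and is not code from the thread, from Message Analyzer or from Network Monitor. It assumes a collector has already saved snapshots of `tasklist /fo csv` output, each tagged with the time it was taken, and that the trace has been exported as (timestamp, PID, summary) rows; the snapshot contents, PIDs, process names, timestamps and addresses are all constructed sample data. It resolves each packet's PID to the image name that held that PID at that moment and flags the cases the thread complains about: PID 0 (no attribution), a PID reused by a different image between two snapshots, and a short-lived process that lived and died between samples.

```python
import csv
import io
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed sample: two `tasklist /fo csv` snapshots taken 10 s apart, each
# tagged with an ISO-8601 timestamp. A collector (e.g. a PowerShell loop that
# runs tasklist on a timer) is assumed to have produced these; it is not shown.
SNAPSHOTS = [
    ("2015-10-21T18:00:00", '"Image Name","PID","Session Name","Session#","Mem Usage"\n'
                            '"System Idle Process","0","Services","0","8 K"\n'
                            '"svchost.exe","1234","Services","0","12,340 K"\n'
                            '"updater.exe","4321","Console","1","5,120 K"\n'),
    ("2015-10-21T18:00:10", '"Image Name","PID","Session Name","Session#","Mem Usage"\n'
                            '"System Idle Process","0","Services","0","8 K"\n'
                            '"svchost.exe","1234","Services","0","12,344 K"\n'
                            '"notepad.exe","4321","Console","1","3,000 K"\n'),  # PID 4321 reused
]

# Constructed sample: packet events as exported after grouping the trace by
# EventRecord.Header.ProcessId, i.e. (timestamp, pid, one-line summary).
EVENTS = [
    ("2015-10-21T18:00:02", 4321, "TCP SYN to 203.0.113.10:443"),
    ("2015-10-21T18:00:03", 1234, "DNS query example.com"),
    ("2015-10-21T18:00:05", 0,    "TCP ACK from 203.0.113.10:443"),
    ("2015-10-21T18:00:07", 7777, "UDP to 203.0.113.30:53"),   # process lived < 10 s
    ("2015-10-21T18:00:12", 4321, "TCP SYN to 203.0.113.20:80"),
]


def parse_tasklist_csv(text):
    """Map PID -> image name from one `tasklist /fo csv` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def build_timeline(snapshots):
    """Return snapshots as a time-sorted list of (datetime, {pid: name})."""
    timeline = [(datetime.fromisoformat(ts), parse_tasklist_csv(body)) for ts, body in snapshots]
    timeline.sort(key=lambda item: item[0])
    return timeline


def resolve_pid(timeline, when_iso, pid):
    """Resolve `pid` at time `when_iso` to (image_name, confidence).

    confidence: "high"      same image in the snapshots before and after the event
                "ambiguous" different images before and after (PID reused in between)
                "low"       only one neighbouring snapshot knows the PID
                "none"      PID 0, or the process was never sampled at all
    """
    if pid == 0:
        return ("<unattributed>", "none")  # PID 0 in the trace carries no usable attribution
    when = datetime.fromisoformat(when_iso)
    times = [t for t, _ in timeline]
    i = bisect_right(times, when)  # index of the first snapshot strictly after `when`
    before = timeline[i - 1][1].get(pid) if i > 0 else None
    after = timeline[i][1].get(pid) if i < len(timeline) else None
    if before and after:
        if before == after:
            return (before, "high")
        return (f"{before}|{after}", "ambiguous")  # PID reuse between samples
    if before or after:
        return (before or after, "low")
    return ("<not captured>", "none")  # lived and died between two samples


def group_by_process(timeline, events):
    """Group events by (pid, resolved image name); each entry keeps its confidence."""
    groups = defaultdict(list)
    for ts, pid, summary in events:
        name, confidence = resolve_pid(timeline, ts, pid)
        groups[(pid, name)].append((ts, summary, confidence))
    return dict(groups)


if __name__ == "__main__":
    tl = build_timeline(SNAPSHOTS)
    for (pid, name), rows in sorted(group_by_process(tl, EVENTS).items()):
        print(f"PID {pid:>5}  {name}")
        for ts, summary, confidence in rows:
            print(f"    {ts}  [{confidence:9}]  {summary}")
```

The sampling interval is the limiting factor: anything shorter than the gap between two tasklist runs is reported as not captured rather than silently misattributed, and a PID that changes owner between samples is reported as ambiguous instead of being assigned to whichever image happened to be sampled first.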