My favorite tool lately has been Wireshark. Out of curiosity, I decided to compare Wireshark with Microsoft Message Analyzer.
Microsoft Message Analyzer is a new tool for capturing, displaying, and analyzing protocol messaging traffic, events, and other system or application messages in network troubleshooting and other diagnostic scenarios. Message Analyzer also enables you to load, aggregate, and analyze data from log and saved trace files. It is the successor to Microsoft Network Monitor 3.4 and is a key component in the Protocol Engineering Framework (PEF) that was created by Microsoft to improve protocol design, development, implementation testing and verification, documentation, and support (technet.microsoft.com, 2017).
Some highlights from my findings are:
Microsoft Message Analyzer
Microsoft Message Analyzer not only captures live traffic and reads saved captures, but it also analyzes information from Windows event logs, .log files, PowerShell, SQL, and Azure
Captured “messages” are the packets or frames
There is an easy to read GUI
Can capture from a remote computer or from multiple machines at the same time.
Ability to decrypt HTTPS data, either by importing the server's SSL certificate, or by capturing at the Windows Firewall level or at the application level, before the data is encrypted
Can open panels of information side by side to have a better understanding of the system
Wireshark
Live capture and offline analysis
Standard three-pane packet browser
Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
Capture files compressed with gzip can be decompressed on the fly
Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
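As an added illustration of two of the Wireshark features listed above (reading the tcpdump/libpcap format and decompressing gzip captures on the fly), here is a minimal libpcap reader. It is example code written for this post, not Wireshark's own implementation, and the two-frame capture it parses is constructed inline.

```python
import gzip
import struct

PCAP_MAGIC_US = 0xA1B2C3D4  # libpcap magic, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D  # libpcap magic, nanosecond timestamps

def read_pcap(data: bytes):
    """Parse a (possibly gzip-compressed) libpcap file into (link type, [(ts, frame), ...])."""
    data = gzip.decompress(data) if data.startswith(b"\x1f\x8b") else data  # gzip on the fly
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):  # the magic number doubles as a byte-order marker
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            break
    else:
        raise ValueError("not a libpcap file (bad magic)")
    ts_div = 1e9 if magic == PCAP_MAGIC_NS else 1e6
    _vmaj, _vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        # A corrupt or hostile file can claim a length past snaplen or EOF: check before slicing.
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("record at offset %d claims %d bytes" % (off - 16, incl_len))
        records.append((ts_sec + ts_frac / ts_div, data[off:off + incl_len]))
        off += incl_len
    return linktype, records

def build_sample_pcap() -> bytes:
    """Constructed two-frame Ethernet (link type 1) capture used as sample input."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, 1)
    frame1 = bytes.fromhex("ffffffffffff00112233445508060001")  # constructed; EtherType 0x0806 (ARP)
    frame2 = bytes.fromhex("001122334455aabbccddeeff0800")      # constructed; EtherType 0x0800 (IPv4)
    rec1 = struct.pack("<IIII", 1700000000, 250000, len(frame1), len(frame1)) + frame1
    rec2 = struct.pack("<IIII", 1700000001, 0, len(frame2), len(frame2)) + frame2
    return header + rec1 + rec2

def rejects_bad_length() -> bool:  # is a record claiming more bytes than the file holds refused?
    data = build_sample_pcap()
    bad = data[:32] + struct.pack("<I", 10 ** 6) + data[36:]  # overwrite rec1's incl_len
    try:
        read_pcap(bad)
        return False
    except ValueError:
        return True
```

Feeding the same bytes through gzip.compress() first exercises the on-the-fly decompression path and yields identical records.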
Wireshark has been around for a long time, is well known in the industry, and runs on almost any system. Microsoft Message Analyzer seems to be an overall good tool to have and add to the mix. Maybe not the only one, but a good one to use in addition to the others.