Network Tracking with Protocols
Jinghui Zhang

Message Analyzer
Fiddler Inspectors

Overview

What is Message Analyzer?

Notable features

It’s much more than just network:
• Local and remote (NDIS) capturing
• Using any ETW Providers
• Can filter while capturing
• Filters out “capturing” packets on the wire automatically
• Supports Promiscuous mode

Any ETW Providers (USB, DNS, Bluetooth, NDIS, kernel, WMI, etc)

Types of Data that can be Loaded into Message Analyzer
(Diagnostic Data Type; Requires Parser to be written; Supports Live Capture)

Any combination of the following, correlated by Timestamp or any other field…
• Fiddler
• Perfmon
• ETL (wire protocols)
• Text logs
• Event Logs
• Dumps
• Comma/Tab Separated
• Powershell execution
• XML
• JSON
• SQL Tables
• Azure Tables
• Process monitor
• OMS post-indexed data
• Providers

• The Pre-Encryption HTTPS scenario requires the Fiddler provider, which can be downloaded at http://www.telerik.com/fiddler/fiddlercore

• If you try to run it without installing it, the message below is displayed.

Message Analyzer Parsers Overview

Parsers for public protocols (e.g. HTTP, SOAP) and Windows protocols

Office Message Analyzer Parsers Features

• Message Recognition
• Binary XML decoding
• Validation*

* Not available for all parsers yet

Where to get Parsers

Office Parsers Packages

4 EAS: MS-ASCMD, MS-ASHTTP, MS-ASPROV, MS-ASWBXML
35 EWS: MS-OXWSCORE, MS-OXWSFOLD, …
15 Exchange MAPI: MS-OXCDATA, MS-OXCROPS, …
12 Skype for Business: MS-CON*, MS-SIP*, …
92 Office & SP: MS-LISTSWS, MS-WEBSS, …
5 WOPI/FSS: MS-FSS*, MS-WOPI, …

Demo

Fiddler Office Inspectors


Fiddler Office Inspectors Features

Demo

Comparison and how to choose

Message Analyzer
• Capture: numerous transport protocols supported
• Protocol families supported: Office & SP, EWS, EAS, MAPI, WOPI/FSSHTTP, Skype for Business
• Community Participation: parser source code; share through asset

Fiddler Inspectors
• Capture: HTTP/S only
• Protocol families supported: Office & SP (let us know if you want this), EWS (let us know if you want this), EAS, MAPI (HTTP), WOPI/FSSHTTP, Skype for Business
• Community Participation: Open Source in Github

Message Analyzer Resources

• Download: http://www.microsoft.com/en-us/download/details.aspx?id=44226
• Operating Guide: ://technet.microsoft.com/en-us/library/jj649776.aspx
• Office Interoperability Blog: http://blogs.msdn.com/b/officeinteroperability/
• MA Blog: http://blogs.technet.com/b/messageanalyzer/
• Forum: https://social.technet.microsoft.com/Forums/en-US/home?forum=messageanalyzer

Fiddler Office Inspectors Resources

• Github Repos:
  • MAPIHTTP: https://github.com/OfficeDev/Office-Inspectors-for-Fiddler/tree/master/MAPIInspector

  • WOPI/FSSHTTP: https://github.com/OfficeDev/Office-Inspectors-for-Fiddler/tree/master/FSSHTTPWOPIInspector

• Office Interoperability Blog: http://blogs.msdn.com/b/officeinteroperability/

Thank you! Questions? ([email protected])

Remote Capture Traces

• Microsoft-Windows-NDIS-PacketCapture provider to capture traffic on a remote computer running Windows 8.1, Windows Server 2012 R2, or Windows 10 at the Data Link Layer, so you can:
  • Target specific remote hosts on which to capture traffic.
  • Specify the host adapters and/or VM adapters on which to capture data.
  • Create special packet and address filtering configurations.

• Other requirements:
  • WinRM configuration — this service requires configuration on the source computer where you are running the Message Analyzer remote trace and on the target computers from which you are capturing data. To configure (Run as Administrator):

    winrm quickconfig
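The WinRM configuration step above and the Trusted Hosts step that follows it, worked through as one PowerShell script. This is an added example and not part of the deck or of Message Analyzer; it uses the standard `winrm` tool and the WSMan provider cmdlets, and `$RemoteHost` is an assumed placeholder for the capture target's name.

```powershell
# Added example (not from the slide deck): prepare the source computer for a
# Message Analyzer remote NDIS capture. Run from an elevated PowerShell prompt.
# $RemoteHost is an assumed placeholder; pass the name of the capture target.
param(
    [Parameter(Mandatory)][string]$RemoteHost
)

# Step 1: the "winrm quickconfig" step from the deck: starts the WinRM service,
# sets it to auto-start, creates the HTTP listener and the firewall exception.
winrm quickconfig -quiet

# Step 2: only needed when source and target are NOT in the same domain
# (domain-joined hosts authenticate each other via Kerberos and need no entry).
$current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
$entries = @()
if ($current) { $entries = $current -split ',' | ForEach-Object { $_.Trim() } }

if ($entries -contains $RemoteHost) {
    Write-Host "$RemoteHost is already in TrustedHosts"
} elseif ($entries -contains '*') {
    # A wildcard trusts every host name; narrow it instead of adding to it.
    Write-Warning "TrustedHosts is '*'; replace the wildcard with explicit names"
} else {
    # -Concatenate appends to the existing list instead of overwriting it.
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $RemoteHost -Concatenate -Force
}

# Step 3: confirm the target's WinRM endpoint answers before starting the
# Live Trace Session; a failure here means the remote capture would fail too.
try {
    Test-WSMan -ComputerName $RemoteHost -ErrorAction Stop | Out-Null
    Write-Host "WinRM reachable on $RemoteHost"
} catch {
    Write-Warning "WinRM not reachable on ${RemoteHost}: $($_.Exception.Message)"
}

# Show the resulting list; every name here is connected to without server
# authentication, so it should contain only the hosts you actually capture from.
(Get-Item WSMan:\localhost\Client\TrustedHosts).Value
```

Save it as a script and run it as `.\Prepare-RemoteCapture.ps1 -RemoteHost RemoteHostName` (script name is an assumption). Adding explicit names rather than `*` matters because a TrustedHosts entry tells the client to skip server authentication for that name and fall back to NTLM, so credentials go to whatever answers at that address; keeping the list short limits that exposure to the capture targets you intend.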

  • Trusted Hosts configuration — when the source computer and the remote target host are not in the same domain, you must add the remote host name to the source computer’s Trusted Hosts list by running the following command string from an elevated command prompt:

    winrm set winrm/config/client @{TrustedHosts="RemoteHostName"}

  • If the issue is between the machine running Message Analyzer and the remote captured machine, the traffic is dropped, so it is important to run Message Analyzer from a machine that is not affected by the issue.

Remote x Local Capture Traces

• Remote trace scenarios with the Microsoft-Windows-NDIS-PacketCapture provider — you can specify the remote host adapters and/or virtual machine (VM) adapters from which to capture messages, the manner in which packets traverse the NDIS stack layers or Hyper-V-Switch extension layers on such remote adapters, respectively, and various unique filters such as Truncation, EtherTypes, and IP Protocol Numbers.

• Local trace scenarios with the Microsoft-PEF-NDIS-PacketCapture provider — in local scenarios that use this provider, you can specify local adapters from which to capture messages, the direction, and you can create up to two logically-chained Fast Filter Groups that you can assign to any selected adapter.

• In Message Analyzer v1.3, the Microsoft-PEF-WFP-MessageProvider has the capability to capture messages from remote computers that are running the Windows 10 operating system. You can capture this data in any Trace Scenario that uses this provider by starting your Live Trace Session with this scenario from any computer that is running the Windows 8.1, Windows Server 2012 R2, or Windows 10 operating system.