What is Snooper tool?
Snooper is a multipurpose debugging tool for Microsoft Lync Server communications software. Snooper
parses server and client trace log files and makes protocol (for example, SIP and HTTP) messages and traces easier to read. It can also read call details and stored procedure execution reports for errors. In addition,
Snooper can display reports about users, conferences, and conferencing servers (also known as multipoint
control units or MCUs).
This can be found in Lync Server 2013 Debugging tools which can be further downloaded from Microsoft.
1.1.1
Introduction
Snooper was developed to make the task of finding and analyzing debugging information for Lync Server
2013 easier. It can be used for the following tasks:








Viewing server and client trace files: Snooper currently parses all server trace files and client
UCCP log files. It provides all the sorting, searching, and filtering capabilities that are seen in
Event Viewer.
Viewing protocol messages extracted from server and client trace files: Snooper can parse the
log files for protocol messages such as SIP and HTTP, and then show them in a way that is easier to
analyze. The following log types are supported:
o Server Sip Stack
o Client UCCP
o S4
o McuInfra C3P (http)
o Focus C3P (http)
o PSOM/LDM
o Mediation Server
Viewing call detail recordings (CDRs) from Monitoring Server: This helps with the analysis of
call failures. Snooper has filtering and report generation options to make the task easier.
Viewing user reports: Snooper can display all the information that is stored in the database about
the user in an easy to analyze way. This is helpful when diagnosing problems specific to a user.
Viewing details about a conference: You can get all the conference information that is related to a
user in a user report, and then use the identifier to get all the information about a conference.
Resolving conference issues: If you have the meeting ID, you can find the conference ID, and then
get all the details about the conference.
Viewing health of MCUs
Viewing diagnostic information about the Lync Server 2010 pool: Data such as the number of resources and Front End servers, the file size of the databases, and things that might be wrong (for
example, improperly homed resources).
1.1.2
Description
The following sections give an overview of each feature.
1.1.2.1
Trace Viewer
Snooper can be used to view traces in server and client UCCP log files. Figure 1 shows the output after the
file is opened.
Figure 1. Trace viewer
Functions
Trace viewer can do the following:


Sort traces by column.
Search using the following columns:
o Function
o Source
o CorrelationID
o Log Text
1.1.2.2
Protocol Message Viewer
As mentioned earlier, Snooper can parse the protocol messages from the server and client log files and then
display them in a fashion that is easy to follow.
Message Viewer is integrated with Trace Viewer. Trace Viewer (Traces tab) shows all the traces, while
message viewer (Messages tab) shows only protocol messages.
By default, the protocol viewer is organized horizontally, with the message preview list on the left and the
message display pane on the right as shown in Figure 2. You can use the Toggle View option to switch to a
vertical layout with the list on top.
The following sections describe the features in the Message Viewer part of the tool.
Figure 2. Protocol Message viewer
Message Preview
The message preview list (left pane) shows a status icon and the timestamp, direction (in/out), to
and from users, and the start line of the message. Usually, each message is a protocol message
sent. For some log types, internal diagnostic information is also shown as a message but it does not
represent a protocol message.
You can sort messages by clicking the column headers in the message preview list. Clicking a row
displays the message in the display pane. Right-click a row to display a context menu, where you
can select the following tasks:





Mark the message by setting a flag so it stands out.
Find related messages. This applies a filter for that message's Call ID.
Copy the full contents of the message to the clipboard.
Go to the nearest entry in the trace viewer, so you can view the event in the vicinity of the
current message can be analyzed.
Clear search and keep the selection on the currently selected message. (This is the same as
the zoom in functionality described for the Trace Viewer.)
The color of a message's row in the message preview list can be used to quickly get information
about the message. The following color scheme is used:







Green indicates a message that has been marked.
Dark red indicates an error message.
Bright red indicates an error with the same Call ID as the selected message.
White indicates an incoming message.
Bright yellow indicates an incoming message with the same Call ID as the selected message.
Gray indicates an outgoing message.
Dark yellow indicates an outgoing message with the same Call ID as the selected message.
The following symbols are used to indicate information:



1.1.3
"#" indicates a marked message.
"!" indicates an error message.
Arrow labels indicate the direction of the message. Left arrow indicates an incoming message. Right arrow indicates an outgoing message.
Output
Snooper can be used to view traces in server and client UCCP log files.
1.1.4
Purpose
The purpose of this tool is to enable easy analysis of trace files and provide an easy interface for showing
error reports, and conferencing and presence reports.
1.1.5
Requirements
This tool requires .NET framework (version 3.5 SP1) to be installed.
1.1.6
Summary
In this document, we went over the various features of Snooper, and saw how it can assist in debugging
Lync Server-related issues. The most important functionality of Snooper is its trace and protocol message
viewing capability, but its database report feature can also come in very handy.