
Capturing and Inspecting Traffic in Azure Networks

In this post, I will show you how to capture packets from the NICs of Azure virtual machines using Network Watcher, and how to inspect Azure network traffic at the packet level using Wireshark.


Essential Skill

Time and time again, I hear how important being able to capture and inspect network traffic is. Engineers at Microsoft consider this an important skill. Speakers at technical conferences recommend learning how to do this. I have had to do this sort of work myself to troubleshoot issues or supply data to Microsoft support engineers.

Network Watcher — Packet Capture

The tools in Network Watcher provide several methods for diagnosing communications issues in Azure virtual networks. One of these tools is called Packet Capture, which allows us to capture packets as they pass through the NIC of a virtual machine.

Note: the Network Watcher extension must be installed in the virtual machine that you want to capture traffic from.

To do a packet capture, open Network Watcher and go into Packet Capture. Click Add to create a new packet capture and then enter the following information:

  • Subscription: Specify the subscription in your tenant that contains the virtual machine from which you will capture network packets.
  • Resource group: Select the resource group that contains the virtual machine.
  • Target Virtual Machine: Choose the virtual machine.
  • Packet Capture Name: Enter a name for the packet capture.

You then must configure the capture configuration:

  • Storage Account and/or File: A storage account must be specified. You can also opt to download the capture immediately.
  • Maximum Bytes Per Packet and Maximum Bytes Per Session: You can limit the size of the capture. By default, the entire packet is captured, but you can truncate it. By default, a maximum of 1 GiB (the computer science version of a GB, not the 1000-based marketing version) is captured in a session.
  • Time Limit (Seconds): The maximum duration is 18000 seconds or 5 hours.

If you click OK at this point, every packet passing in or out of the virtual machine will be captured. Often when troubleshooting, we already know a bit more, such as:

  • Source/destination IP addresses
  • Protocol information

We can optionally add one or more filters to limit what packets are captured.

In my example, I am going to capture 60 seconds of RDP (Port 3389) traffic that is coming into a virtual machine called vm-petri-01.

Capturing RDP packets coming into an Azure virtual machine [Image Credit: Aidan Finn]

It takes a few moments for the packet capture to save and then complete the Loading phase. It will automatically enter a Running phase, capture packets, and save them as you specified.
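The same 60-second RDP capture on vm-petri-01, created from Az PowerShell rather than the portal, as an added example that is not part of the original post; the resource group and storage account names are placeholders, and an installed Az.Network module plus a signed-in Connect-AzAccount session are assumed:

```powershell
# Added example (not from the original post). Assumes Az.Network is installed,
# Connect-AzAccount has been run, and the Network Watcher extension is on the VM.
$rgName = 'rg-petri'         # placeholder resource group
$vmName = 'vm-petri-01'      # the VM used in the post
$saName = 'stpetricaptures'  # placeholder storage account for the .cap file

$vm = Get-AzVM -ResourceGroupName $rgName -Name $vmName
$sa = Get-AzStorageAccount -ResourceGroupName $rgName -Name $saName
# Network Watcher is a per-region resource; use the one for the VM's region
$nw = Get-AzNetworkWatcher -Location $vm.Location

# Filter: only TCP traffic whose local (VM-side) port is 3389, i.e. inbound RDP
$rdpFilter = New-AzPacketCaptureFilterConfig -Protocol TCP -LocalPort '3389'

$params = @{
    NetworkWatcher          = $nw
    PacketCaptureName       = 'rdp-in-vm-petri-01'
    TargetVirtualMachineId  = $vm.Id
    StorageAccountId        = $sa.Id
    TimeLimitInSeconds      = 60            # 60-second window, as in the post
    BytesToCapturePerPacket = 0             # 0 = keep whole packets, no truncation
    TotalBytesPerSession    = 1073741824    # 1 GiB session cap (the default)
    Filter                  = $rdpFilter
}
$capture = New-AzNetworkWatcherPacketCapture @params

# Poll until the capture leaves the Running state (time limit or byte cap reached)
do {
    Start-Sleep -Seconds 15
    $status = Get-AzNetworkWatcherPacketCapture -NetworkWatcher $nw `
        -PacketCaptureName $params.PacketCaptureName
    Write-Host "Capture state: $($status.PacketCaptureStatus)"
} while ($status.PacketCaptureStatus -in 'NotStarted', 'Running')

# StoragePath is the blob URL of the .cap file; download it and open in Wireshark
"Capture saved to: $($status.StorageLocation.StoragePath)"
```

Omit the Filter entry from the hashtable to capture all traffic on the NIC, which is what clicking OK without filters does in the portal.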

Inspecting a Packet Capture

The resulting packet capture is saved in a storage account with a folder structure that documents the virtual machine and date/time of the capture.

A packet capture file in a storage account [Image Credit: Aidan Finn]

You can download the capture file (right-click and select Download) and open it. You can also return to the packet capture in Network Watcher and a download link is shared under Status.

The packet capture file is in a .CAP format, which can be opened using Wireshark.

Network packets captured from Azure and viewed in Wireshark [Image Credit: Aidan Finn]

Now you have your packet capture and it is time to learn how to use Wireshark to analyze the results.

Aidan Finn, Microsoft Most Valuable Professional (MVP), has been working in IT since 1996. He has worked as a consultant and administrator for the likes of Innofactor Norway, Amdahl DMR, Fujitsu, Barclays and Hypo Real Estate Bank International where he dealt with large and complex IT infrastructures and MicroWarehouse Ltd. where he worked with Microsoft partners in the small/medium business space.