
Capturing and Inspecting Traffic in Azure Networks

In this post, I will show how to capture packets from the NICs of Azure virtual machines using Network Watcher, and how to inspect that Azure network traffic at the packet level using Wireshark.


Essential Skill

Time and time again, I hear how important being able to capture and inspect network traffic is. Engineers at Microsoft consider this an important skill. Speakers at technical conferences recommend learning how to do this. I have had to do this sort of work myself to troubleshoot issues or supply data to Microsoft support engineers.

Network Watcher — Packet Capture

The tools in Network Watcher give us several methods for diagnosing communications issues in Azure virtual networks. One of these tools is called Packet Capture, which allows us to capture packets as they pass through the NIC of a virtual machine.

Note: the Network Watcher extension must be installed in the virtual machine from which you want to capture traffic.

To do a packet capture, open Network Watcher and go into Packet Capture. Click Add to create a new packet capture and then enter the following information:

  • Subscription: Specify the subscription in your tenant that contains the virtual machine from which you will capture network packets.
  • Resource group: Select the resource group that contains the virtual machine.
  • Target Virtual Machine: Choose the virtual machine.
  • Packet Capture Name: Enter a name for the packet capture.

You then must configure the capture configuration:

  • Storage Account and/or File: A storage account must be specified to save the capture to. You can also choose to download the capture immediately.
  • Maximum Bytes Per Packet and Maximum Bytes Per Session: You can limit the size of the capture. By default, the entire packet is captured, but you can truncate each packet. By default, a maximum of 1 GiB (the computer science version of a GB, not the 1000-based marketing version) is captured in a session.
  • Time Limit (Seconds): The maximum duration is 18000 seconds, or 5 hours.

If you clicked OK at this point, every packet passing in or out of the virtual machine's NIC would be captured. Often when troubleshooting, we already know a bit more, such as:

  • Source/destination IP addresses
  • Protocol information

We can optionally add one or more filters to limit which packets are captured. Filters also keep the capture file small and keep unrelated traffic, which may contain sensitive data, out of the file stored in your storage account.

In my example, I am going to capture 60 seconds of RDP (Port 3389) traffic that is coming into a virtual machine called vm-petri-01.

Capturing RDP packets coming into an Azure virtual machine [Image Credit: Aidan Finn]

It takes a few moments for the packet capture to save and then complete the Loading phase. It then automatically enters the Running phase, captures packets, and saves them as you specified.

Inspecting a Packet Capture

The resulting packet capture is saved in a storage account with a folder structure that documents the virtual machine and date/time of the capture.

A packet capture file in a storage account [Image Credit: Aidan Finn]

You can download the capture file (right-click and select Download) and open it. You can also return to the packet capture in Network Watcher, where a download link is shown under Status.

The packet capture file is saved in .cap format, which can be opened using Wireshark.

Network packets captured from Azure and viewed in Wireshark [Image Credit: Aidan Finn]

Now you have your packet capture and it is time to learn how to use Wireshark to analyze the results.
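As an added example that is not part of the original post, here is a small Python script that reads a downloaded capture and counts the port-3389 packets per direction and remote peer, a quick sanity check that the capture filter did what you intended before you start digging in Wireshark. It assumes the .cap file is in libpcap format with Ethernet framing (the format Wireshark opens); the VM address, client IPs and the sample capture built at the bottom are constructed, not taken from a real capture.

```python
# Added example (not from the post): summarise RDP (TCP/3389) packets in a downloaded
# Network Watcher .cap file, assumed to be libpcap/Ethernet; sample data is constructed.
import socket
import struct
from collections import Counter

def pcap_frames(data):
    # libpcap global header: magic gives byte order; link type must be Ethernet (1)
    bo = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}[struct.unpack("<I", data[:4])[0]]
    if struct.unpack(bo + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):            # 16-byte record header, then the frame
        incl = struct.unpack(bo + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl

def tcp_tuple(frame):
    # Ethernet(14) -> IPv4 -> TCP; returns (src_ip, sport, dst_ip, dport) or None
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ip = frame[14:]
    sport, dport = struct.unpack("!HH", ip[(ip[0] & 0x0F) * 4:][:4])
    return socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport

def rdp_summary(data, vm_ip, port=3389):
    # Count packets per (direction relative to the VM, remote peer): what 'tcp.port == 3389' shows
    stats = Counter()
    for t in filter(None, map(tcp_tuple, pcap_frames(data))):
        src, sport, dst, dport = t
        if dst == vm_ip and dport == port:
            stats[("inbound", src)] += 1
        elif src == vm_ip and sport == port:
            stats[("outbound", dst)] += 1
    return stats

def _frame(src, sport, dst, dport):
    # constructed Ethernet/IPv4/TCP SYN frame: zero MACs, no IP options, no payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

# Constructed little-endian pcap: two RDP clients of the VM at 10.0.0.4 plus one HTTPS packet
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    for i, f in enumerate([_frame("203.0.113.7", 51000, "10.0.0.4", 3389),
                           _frame("10.0.0.4", 3389, "203.0.113.7", 51000),
                           _frame("198.51.100.9", 40022, "10.0.0.4", 3389),
                           _frame("10.0.0.4", 443, "10.0.0.5", 50500)]))
```

Replace `SAMPLE` with the bytes of your downloaded file (`open("capture.cap", "rb").read()`) and pass the VM's private IP; a non-empty "outbound" count alongside "inbound" confirms the filter caught both directions of the RDP conversation.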

Aidan Finn, Microsoft Most Valuable Professional (MVP), has been working in IT since 1996. He has worked as a consultant and administrator for the likes of Innofactor Norway, Amdahl DMR, Fujitsu, Barclays and Hypo Real Estate Bank International, where he dealt with large and complex IT infrastructures, and MicroWarehouse Ltd., where he worked with Microsoft partners in the small/medium business space.