In this post, I will show how to capture packets from the NICs of Azure virtual machines using Network Watcher, and then how to inspect that traffic at the packet level with Wireshark.
Time and time again, I hear how important being able to capture and inspect network traffic is. Engineers at Microsoft consider this an important skill. Speakers at technical conferences recommend learning how to do this. I have had to do this sort of work myself to troubleshoot issues or supply data to Microsoft support engineers.
The tools in Network Watcher provide several methods for diagnosing communications issues in Azure virtual networks. One of these tools is called Packet Capture, which lets us capture packets as they pass through the NIC of a virtual machine.
Note: the Network Watcher agent extension must be installed on the virtual machine that you want to capture traffic from. The capture runs inside the guest through that agent, so it sees traffic as the guest OS sees it; packets that never reach the NIC (for example, traffic blocked by a network security group) will not appear in the capture.
To do a packet capture, open Network Watcher and go into Packet Capture. Click Add to create a new packet capture and then enter the following information:
You then configure the capture settings:
If you click OK at this point, every packet passing in or out of the virtual machine will be captured, up to the size and time limits you set. Often when troubleshooting we already know more about the traffic we are interested in, such as:
We can optionally add one or more filters (protocol, local and remote IP address, local and remote port) to limit what packets are captured.
In my example, I am going to capture 60 seconds of RDP (TCP port 3389) traffic coming into a virtual machine called vm-petri-01, so the filter is on the local port.
It takes a few moments for the packet capture to save and then complete the Loading phase. It will automatically enter a Running phase, capture packets, and save them as you specified.
The resulting packet capture is saved in a storage account with a folder structure that documents the virtual machine and date/time of the capture.
You can download the capture file (right-click and select Download) and open it. You can also return to the packet capture in Network Watcher and a download link is shared under Status.
The packet capture file is a .cap file in the pcap format, which can be opened using Wireshark (or command-line tools such as tshark).
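The same procedure can be driven from the Azure CLI instead of the portal, which is handy when you need to repeat a capture or hand a colleague a reproducible command. The script below is an added example written for this post, not code from the original article or from Microsoft: it installs the agent, starts a 60-second capture filtered to inbound TCP 3389, waits for it to finish, downloads the .cap file from the storage account and runs a first pass over it with tshark. The resource group, VM name, storage account, region and capture name are assumptions; the container and blob name are taken from the storagePath that the CLI returns rather than from a hard-coded folder structure. Setting AZ=echo turns it into a dry run that only prints the commands.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): filtered Network Watcher packet
# capture via the Azure CLI. All resource names below are assumptions; set
# AZ=echo to dry-run without touching Azure.
set -eu

RG="${RG:-rg-petri}"                 # assumed resource group of the VM
VM="${VM:-vm-petri-01}"
STORAGE="${STORAGE:-stpetri01}"      # assumed storage account for the .cap file
LOCATION="${LOCATION:-westeurope}"   # region of the VM (and of its Network Watcher)
CAPTURE="${CAPTURE:-rdp-60s}"        # assumed capture name
AZ="${AZ:-az}"

# Filter JSON as expected by --filters: only traffic to the VM's own TCP port
# (inbound RDP when the port is 3389). localPort is the port on the VM's NIC.
rdp_filter() {
  printf '[{"protocol":"TCP","localPort":"%s"}]' "${1:-3389}"
}

# 1. Ensure the Network Watcher agent is on the VM (Windows guest shown; use
#    NetworkWatcherAgentLinux for Linux).
install_agent() {
  $AZ vm extension set --resource-group "$RG" --vm-name "$VM" \
    --name NetworkWatcherAgentWindows --publisher Microsoft.Azure.NetworkWatcher
}

# 2. Start a 60-second capture of inbound RDP, saved to the storage account.
start_capture() {
  $AZ network watcher packet-capture create --resource-group "$RG" --vm "$VM" \
    --name "$CAPTURE" --storage-account "$STORAGE" --time-limit 60 \
    --filters "$(rdp_filter 3389)"
}

# 3. Poll until the capture leaves the Running phase; prints the final status.
wait_for_capture() {
  local status
  while :; do
    status=$($AZ network watcher packet-capture show-status --name "$CAPTURE" \
      --location "$LOCATION" --query packetCaptureStatus -o tsv)
    if [ "$status" != "Running" ]; then
      echo "$status"
      return
    fi
    sleep 10
  done
}

# Split a blob URL (https://<account>.blob.core.windows.net/<container>/<blob>)
# into its container and blob name for az storage blob download.
blob_container() {
  local path="${1#https://*/}"
  echo "${path%%/*}"
}
blob_name() {
  local path="${1#https://*/}"
  echo "${path#*/}"
}

# 4. Download the .cap file from the path Network Watcher recorded for the
#    capture. --auth-mode login assumes you hold a blob data RBAC role.
download_capture() {
  local url
  url=$($AZ network watcher packet-capture show --name "$CAPTURE" \
    --location "$LOCATION" --query storageLocation.storagePath -o tsv)
  $AZ storage blob download --account-name "$STORAGE" --auth-mode login \
    --container-name "$(blob_container "$url")" --name "$(blob_name "$url")" \
    --file "$CAPTURE.cap"
}

# 5. Quick look before opening Wireshark: one line per RDP packet with the
#    TCP flags, which makes a failed handshake (SYN with no SYN/ACK) obvious.
inspect_capture() {
  tshark -r "$CAPTURE.cap" -Y "tcp.port == 3389" \
    -T fields -e frame.time_relative -e ip.src -e ip.dst -e tcp.flags.str
}

# Run end to end with: RUN_CAPTURE=1 ./capture-rdp.sh
if [ "${RUN_CAPTURE:-0}" = 1 ]; then
  install_agent
  start_capture
  echo "capture finished with status: $(wait_for_capture)"
  download_capture
  inspect_capture
fi
```

The filter matches on localPort because the capture runs on the VM itself, so "inbound RDP" means packets whose destination port on the VM's NIC is 3389; to capture what the VM sends to an RDP server elsewhere you would use remotePort instead. Filter values may also be a range or a semicolon-separated list of ports.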
Now you have your packet capture and it is time to learn how to use Wireshark to analyze the results.