Capturing and Inspecting Traffic in Azure Networks

traffic lights hero
In this post, I will teach how to capture packets from the NICs of Azure virtual machines using Network Watcher and inspect Azure network traffic at the packet level using Wireshark.


Essential Skill

Time and time again, I hear how important being able to capture and inspect network traffic is. Engineers at Microsoft consider this an important skill. Speakers at technical conferences recommend learning how to do this. I have had to do this sort of work myself to troubleshoot issues or supply data to Microsoft support engineers.

Network Watcher — Packet Capture

The tools in Network Watcher provide us several methods for diagnosing communications issues in Azure virtual networks. One of these tools is called Packet Capture, which allows us to capture packets as they are passing through the NIC of a virtual machine.
Note: the Network Watcher extension must be installed in the virtual machine that you want to capture traffic from.
To do a packet capture, open Network Watcher and go into Packet Capture. Click Add to create a new packet capture and then enter the following information:

  • Subscription: Specify the subscription in your tenant that contains the virtual machine that you will capture network packets with.
  • Resource group: Select the resource group that contains the virtual machine.
  • Target Virtual Machine: Choose the virtual machine.
  • Packet Capture Name: Enter a name for the packet capture.

You then must configure the capture configuration:

  • Storage Account and/or File: A storage account must be specified. You can select to download it immediately.
  • Maximum Bytes Per Packet and Maximum Bytes Per Session: You can limit the size of the capture. By default, the entire packet is captured but you can truncate it. By default, a maximum of 1GiB (the computer science version of a GB, not the 1000-based marketing version) is captured in a session.
  • Time Limit (Seconds): The maximum duration is 18000 seconds or 5 hours.

If you clicked OK, then every packet that would pass in/out of the virtual machine would be captured. Often when troubleshooting, we have a bit more intelligence such as:

  • Source/destination IP addresses
  • Protocol information

We can optionally add one or more filters to limit what packets are captured.

In my example, I am going to capture 60 seconds of RDP (Port 3389) traffic that is coming into a virtual machine called vm-petri-01.

Capturing RDP packets coming into an Azure virtual machine [Image Credit: Aidan Finn]
Capturing RDP Packets Coming Into an Azure Virtual Machine [Image Credit: Aidan Finn]
It takes a few moments for the packet capture to save and then complete the Loading phase. It will automatically enter a Running phase, capture packets, and save them as you specified.

Inspecting a Packet Capture

The resulting packet capture is saved in a storage account with a folder structure that documents the virtual machine and date/time of the capture.

A packet capture file in a storage account [Image Credit: Aidan Finn]
A Packet Capture File in a Storage Account [Image Credit: Aidan Finn]
You can download the capture file (right-click and select Download) and open it. You can also return to the packet capture in Network Watcher and a download link is shared under Status.
The packet capture file is in a .CAP format, which can be opened using Wireshark.
Network packets captured from Azure and viewed in Wireshark [Image Credit: Aidan Finn]
Network Packets Captured From Azure and Viewed in Wireshark [Image Credit: Aidan Finn]

Now you have your packet capture and it is time to learn how to use Wireshark to analyze the results.