In this post, I will teach how to capture packets from the NICs of Azure virtual machines using Network Watcher and inspect Azure network traffic at the packet level using Wireshark.

Essential Skill

Time and time again, I hear how important being able to capture and inspect network traffic is. Engineers at Microsoft consider this an important skill. Speakers at technical conferences recommend learning how to do this. I have had to do this sort of work myself to troubleshoot issues or supply data to Microsoft support engineers.

Network Watcher — Packet Capture

The tools in Network Watcher provide several methods for diagnosing communications issues in Azure virtual networks. One of these tools is called Packet Capture, which allows us to capture packets as they pass through the NIC of a virtual machine.

Note: the Network Watcher extension must be installed in the virtual machine that you want to capture traffic from.

To do a packet capture, open Network Watcher and go into Packet Capture. Click Add to create a new packet capture and then enter the following information:

Subscription: Specify the subscription in your tenant that contains the virtual machine that you will capture network packets from.

Resource group: Select the resource group that contains the virtual machine.

Target Virtual Machine: Choose the virtual machine.

Packet Capture Name: Enter a name for the packet capture.

You then must configure the capture configuration:

Storage Account and/or File : A storage account must be specified. You can select to download it immediately.

: A storage account must be specified. You can select to download it immediately. Maximum Bytes Per Packet and Maximum Bytes Per Session : You can limit the size of the capture. By default, the entire packet is captured but you can truncate it. By default, a maximum of 1GiB (the computer science version of a GB, not the 1000-based marketing version) is captured in a session.

: You can limit the size of the capture. By default, the entire packet is captured but you can truncate it. By default, a maximum of 1GiB (the computer science version of a GB, not the 1000-based marketing version) is captured in a session. Time Limit (Seconds): The maximum duration is 18000 seconds or 5 hours.

If you clicked OK at this point, every packet passing in or out of the virtual machine would be captured. Often when troubleshooting, we already know more about the traffic we care about, such as:

Source/destination IP addresses

Protocol information

We can optionally add one or more filters to limit what packets are captured.

In my example, I am going to capture 60 seconds of RDP (Port 3389) traffic that is coming into a virtual machine called vm-petri-01.

It takes a few moments for the packet capture to save and then complete the Loading phase. It will automatically enter a Running phase, capture packets, and save them as you specified.
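The portal steps above, scripted with Az PowerShell as an added example that is not from the article: it installs the Network Watcher extension if it is missing, creates the same 60-second RDP (port 3389) capture on vm-petri-01 with a filter, and polls the capture until it leaves the Running phase. Assumed (not in the post): resource group rg-petri, storage account stpetricaps, a Windows VM, and an authenticated Az session; the cmdlet and parameter names are those of the Az.Compute and Az.Network modules.

```powershell
# Added example, not the article's own code. Assumed names are marked below.
$rg      = 'rg-petri'        # assumption: resource group of the VM
$vmName  = 'vm-petri-01'     # VM name used in the post
$saName  = 'stpetricaps'     # assumption: storage account for the .cap file
$capName = "rdp-$vmName-$(Get-Date -Format yyyyMMdd-HHmmss)"

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $saName

# The Network Watcher extension must be present on the VM (see the note above).
$extName = 'AzureNetworkWatcherExtension'
if (-not (Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Name $extName -ErrorAction SilentlyContinue)) {
    Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Location $vm.Location `
        -Name $extName -Publisher 'Microsoft.Azure.NetworkWatcher' `
        -ExtensionType 'NetworkWatcherAgentWindows' -TypeHandlerVersion '1.4'
}

# Network Watcher instance for the VM's region
$nw = Get-AzNetworkWatcher -Location $vm.Location

# Filter: only TCP traffic where the VM-side port is 3389, i.e. RDP sessions to this VM
$filter = New-AzPacketCaptureFilterConfig -Protocol TCP -LocalPort '3389'

# 60-second capture; per-packet limit 0 = whole packet, per-session limit = 1 GiB (the defaults)
New-AzNetworkWatcherPacketCapture -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
    -PacketCaptureName $capName -StorageAccountId $sa.Id `
    -TimeLimitInSeconds 60 -BytesToCapturePerPacket 0 -TotalBytesPerSession 1073741824 `
    -Filter $filter

# Poll until the capture leaves the Running phase; Stopped means the .cap has been written to storage
do {
    Start-Sleep -Seconds 10
    $status = Get-AzNetworkWatcherPacketCapture -NetworkWatcher $nw -PacketCaptureName $capName
    Write-Host "$capName : $($status.PacketCaptureStatus)"
} while ($status.PacketCaptureStatus -in 'NotStarted', 'Running')

# Blob path of the saved capture (Network Watcher names the folder after the VM and capture time)
$status.StorageLocation.StoragePath
```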

Inspecting a Packet Capture

The resulting packet capture is saved in a storage account with a folder structure that documents the virtual machine and date/time of the capture.


You can download the capture file (right-click and select Download) and open it. You can also return to the packet capture in Network Watcher, where a download link is shown under Status.

The packet capture file is in a .CAP format, which can be opened using Wireshark.

Now you have your packet capture and it is time to learn how to use Wireshark to analyze the results.