https://github.com/kimleeheng/azure-network-protocols

Instructions/tutorial on how to inspect network protocols using Wireshark and Windows PowerShell within Azure virtual machines

# Network Protocol Inspection in Azure Virtual Environments

This tutorial outlines the steps for observing network traffic and protocols using Wireshark and Windows PowerShell within Azure virtual machines.

## Prerequisites Needed
- Microsoft Azure Subscription (Free/Pay as you go)

## Environments Used
- Microsoft Azure (Cloud Environment)
- Windows 11 Pro (Virtual Machine OS)
- Ubuntu Server 24.04 (Virtual Machine OS)

## Technologies Used
- Azure Virtual Machines
- Windows PowerShell (Command-line Shell)
- Wireshark (Packet Capture & Analysis)
- TCP/IP, ICMP, SSH, DHCP, DNS (Network Protocols)

## Content Sections
- [Create our Resources and Virtual Machines](#Create-our-Resources-and-Virtual-Machines)
- [Login using RDP and Installing Wireshark](#Login-using-RDP-and-Installing-Wireshark)
- [Observing ICMP Traffic](#Observing-ICMP-Traffic)
- [Observing SSH Traffic](#Observing-SSH-Traffic)
- [Observing DHCP Traffic](#Observing-DHCP-Traffic)
- [Observing DNS Traffic](#Observing-DNS-Traffic)

## Create our Resources and Virtual Machines

*NOTE: Ensure that you are logged into your Microsoft Azure account, and have a subscription active.*

### Step 1: Create a new resource group within Microsoft Azure

1.1 After logging into your Azure account, navigate to/search for "Resource Groups":

![attachments/1.png](attachments/1.png)

1.2 On the Resource Groups page, click Create to start a new resource group:

![attachments/2.png](attachments/2.png)

1.3 Fill out the following information:
- Select your subscription
- Name your resource group. For this lab it will be titled **Testing-RG**
- Choose the region you are residing in. For this lab, we will select **(US) East US**

Then click **Review + create** to proceed.

![attachments/3.png](attachments/3.png)

Following this, you will be prompted to review your new resource group information on the next page. Ensure the information entered is correct, and then click **Create** to proceed.

**A resource group has now successfully been created.**

### Step 2: Create a Windows 11 Virtual Machine

2.1 Search for "Virtual Machine" in the search bar, or navigate to the Virtual Machine section back on the home page.

![attachments/4-VM.png](attachments/4-VM.png)

2.2 On the Virtual Machine page, click **Create**, and then select **Virtual machine**.

![attachments/5-VM_Create.png](attachments/5-VM_Create.png)

2.3 Fill out the following information:
- Subscription - Select your current and active subscription
- Resource Group - Select the resource group previously made in Step 1: **"Testing-RG"**
- Virtual machine name - For this lab, we will name our VM: **"Windows-VM"**
- Region - Select your current region. For this lab, we will select **"(US) East US"**
- Availability Zone - Select **"Zone 3"**
- Image - Select **"Windows 11 Pro, version 24H2 - x64 Gen2"**
- Size - Select **"Standard_D2s_v3 - 2vcpus, 8GiB memory ($70.08/month)"**

![attachments/6-vm_settings.png](attachments/6-vm_settings.png)

Create your **Administrator account**.

- For this lab, we will use **labuser** as the username and **Cyberlab123!** as the password.

Tick the Licensing check box.

Click **Next: Disks>**, and then **Next: Networking >**

![attachments/7-admin-settings.png](attachments/7-admin-settings.png)

2.4 Click **Create new** under Virtual Network. A window to create a virtual network should pop up.

![attachments/8-vnet.png](attachments/8-vnet.png)

Create your **Virtual Network**

- For this lab, we will use **Lab-VNet** as the name of our virtual network

Click **OK** to proceed

![attachments/9-vnet-pt2.png](attachments/9-vnet-pt2.png)

Back on the Virtual Machine page, click **Review + Create** to proceed.

![attachments/10-review-create.png](attachments/10-review-create.png)

2.5 Confirm that **Validation passed** for your virtual machine.

Review the information you entered, ensuring everything is correct.

Click **Create** once more to initialize deployment of your virtual machine.

![attachments/create-vm.png](attachments/create-vm.png)

**A Windows 11 Virtual Machine has now successfully been created.**

### Step 3: Create a Linux (Ubuntu Server) Virtual Machine

3.1 Search for "Virtual Machine" in the search bar, or navigate to the Virtual Machine section back on the home page.

![attachments/4-VM.png](attachments/4-VM.png)

3.2 On the Virtual Machine page, click **Create**, and then select **Virtual machine**.

![attachments/5-VM_Create.png](attachments/5-VM_Create.png)

3.3 Fill out the following information:
- Subscription - Select your current and active subscription
- Resource Group - Select the resource group previously made in Step 1: **"Testing-RG"**
- Virtual machine name - For this lab, we will name our VM: **"Linux-VM"**
- Region - Select your current region. For this lab, we will select **"(US) East US"**
- Availability Zone - Select **"Zone 3"**
- Image - Select **"Ubuntu Server 24.04 LTS - x64 Gen2"**
- Size - Select **"Standard_D2s_v3 - 2vcpus, 8GiB memory ($70.08/month)"**

![attachments/linux-vm-settings.png](attachments/linux-vm-settings.png)

Create your **Administrator account**.

- Select **Password** option for **Authentication Type**
- For this lab, we will use **labuser** as the username and **Cyberlab123!** as the password.

Click **Next: Disks>**, and then **Next: Networking >**

![attachments/linux-acc-settings.png](attachments/linux-acc-settings.png)

3.4 For our Virtual Network, we will be selecting the virtual network that we created when creating our Windows 11 virtual machine: **Lab-VNet**

![attachments/linux-vnet.png](attachments/linux-vnet.png)

Click **Review + Create** to proceed

![attachments/10-review-create.png](attachments/10-review-create.png)

3.5 Confirm that **Validation passed** for your virtual machine.

Review the information you entered, ensuring everything is correct.

Click **Create** once more to initialize deployment of your virtual machine.

![attachments/create-vm2.png](attachments/create-vm2.png)

**A Linux Ubuntu Virtual Machine has now successfully been created** 👍

## Login using RDP and Installing Wireshark

### Step 1: Use Remote Desktop to connect to your Windows 11 Virtual Machine

1.1 On your Virtual Machine page within Azure, you will be able to see the designated Public IP Address for each virtual machine created.

Use the Windows 11 Virtual Machine's IP address to log in through Remote Desktop

![attachments/windows-ip-address.png](attachments/windows-ip-address.png)

![attachments/rdp.png](attachments/rdp.png)

1.2 A small Windows Security prompt will ask you to enter your credentials to log into the virtual machine.

- We will use the username and password that we made when creating the virtual machines **(labuser/Cyberlab123!)**

![attachments/windows-credentials.PNG](attachments/windows-credentials.PNG)

Another Windows prompt will appear; click **Yes** to proceed.

![attachments/rdp2.png](attachments/rdp2.png)

Power on the Windows 11 virtual machine and proceed with the setup steps until you reach the Windows Desktop.

![attachments/window-desktop.PNG](attachments/window-desktop.PNG)

### Step 2: Installing Wireshark

2.1 Open Microsoft Edge and navigate to https://www.wireshark.org/. Download the installer labeled Windows x64 Installer.

![attachments/wireshark.png](attachments/wireshark.png)

![attachments/wireshark2.png](attachments/wireshark2.png)

2.2 Run the Wireshark installer and proceed through the installation by clicking 'Next' at each step to complete the setup

![attachments/wireshark3.png](attachments/wireshark3.png)

Once installation is complete, click **Finish**

![attachments/wireshark16.png](attachments/wireshark16.png)

2.3 Open Wireshark. Once the application is running, perform the following steps:
- Highlight **Ethernet**
- Click the blue shark-fin icon in the top left corner to start **capturing packets**

![attachments/wireshark-open1.png](attachments/wireshark-open1.png)

Once you have started capturing packets, you will notice a stream of entries in Wireshark. This is ongoing network traffic that is happening on the backend of your virtual machine. Your network protocol analyzer (Wireshark) is capturing all incoming and outgoing packets, and from here we are able to observe various types of network traffic and protocols in real time.

![attachments/wireshark-open2.png](attachments/wireshark-open2.png)

## Observing ICMP Traffic

ICMP (Internet Control Message Protocol) is a network protocol used for sending error messages and operational information. ICMP is the underlying protocol that makes the **ping** command functional. In this section, we will observe ICMP traffic through the following examples:
- [Between our Windows 11 and Linux Ubuntu virtual machines](#example-1-observing-icmp-traffic-between-virtual-machines)
- [Initiating a continuous ping and configuring firewall rules (e.g., Network Security Groups)](#example-2-initiating-a-continuous-ping-and-configuring-firewall-rules-eg-network-security-groups)

### Example 1: Observing ICMP traffic between virtual machines

To start, we will obtain the private IP address of our Linux Ubuntu virtual machine.

Head back to the virtual machine page on Azure, and click on **Linux-VM**. On the right side of the page, under **Networking**, the private IP address of the virtual machine should be displayed. This is the IP address that we will **ping** from our Windows 11 virtual machine.

![attachments/linux-ip.png](attachments/linux-ip.png)

On our Windows 11 virtual machine, filter for ICMP traffic in Wireshark by typing **icmp** into the display filter bar. This will result in only ICMP traffic being displayed.

![attachments/icmp.png](attachments/icmp.png)

In the Windows search bar, search for and open **Windows PowerShell**.

From here, we will attempt to ping the Linux virtual machine using its private IP address to make contact.

Type the following: **ping 10.0.0.5**, then press Enter.

![attachments/ping.png](attachments/ping.png)

A successful ping has been made, as the Linux virtual machine is responding to the requests from our Windows virtual machine.

![attachments/ping2.png](attachments/ping2.png)

Navigate back to Wireshark, and you will be able to see the ICMP traffic that occurred between both virtual machines.

![attachments/icmp-ping.png](attachments/icmp-ping.png)

You'll notice that **Wireshark displays 8 packet entries**, whereas **Windows PowerShell shows only 4**.

This is because:

- **Wireshark** captures **both the request and reply packets** of the ping command.
- **PowerShell** only displays the **replies** received from the Linux virtual machine.

As a result, each ping generates **two packets** (one request, one reply), and Wireshark provides a more detailed view of the full network exchange.

By analyzing these packets in Wireshark, we can clearly see the exchange of ICMP traffic between the two virtual machines.
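To make the "8 rows in Wireshark, 4 replies in PowerShell" observation concrete, the following added example (not part of the original tutorial) builds ICMP Echo packets with a valid RFC 1071 checksum, decodes them the way Wireshark's ICMP dissector labels them, and pairs each reply with its request on the identifier/sequence fields. The identifier value 1 and the captured packets are constructed in memory; nothing is read from the network. The `blocked_from_seq` parameter also models what Example 2 below produces once the NSG Deny rule takes effect: requests that never receive a reply.

```python
"""Added example (not from the original tutorial): build ICMP Echo packets with a
valid checksum, decode them the way Wireshark labels them, and pair requests with
replies to reproduce the "8 rows in Wireshark, 4 replies in PowerShell" count.
All packets here are constructed in memory."""
import struct
from typing import Dict, List, Optional

ECHO_REQUEST, ECHO_REPLY = 8, 0
# 32-byte payload pattern that Windows ping sends by default
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (header + payload)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int,
               payload: bytes = WINDOWS_PING_PAYLOAD) -> bytes:
    """ICMP header: type(1) code(1) checksum(2) identifier(2) sequence(2), then payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> Dict[str, object]:
    """Decode the header and verify the checksum: summing a valid packet including
    its own checksum field folds to 0, so a recompute of 0 means 'correct'."""
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    names = {ECHO_REQUEST: "Echo (ping) request", ECHO_REPLY: "Echo (ping) reply"}
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "info": names.get(icmp_type, "other ICMP type %d" % icmp_type),
            "checksum_ok": icmp_checksum(packet) == 0}


def pair_echoes(capture: List[bytes]) -> Dict[str, object]:
    """Match replies to requests on (identifier, sequence), as Wireshark's
    'request in frame / reply in frame' links do. Requests with no reply are the
    ones PowerShell reports as 'Request timed out.'"""
    requests, replies = {}, {}
    for pkt in capture:
        info = parse_echo(pkt)
        key = (info["id"], info["seq"])
        (requests if info["type"] == ECHO_REQUEST else replies)[key] = info
    unanswered = sorted(seq for (_ident, seq) in requests
                        if (_ident, seq) not in replies)
    return {"wireshark_rows": len(capture),     # every packet is a row
            "ping_replies": len(replies),       # only replies are printed by ping
            "timed_out": unanswered}


def simulate_ping(blocked_from_seq: Optional[int] = None) -> Dict[str, object]:
    """Constructed capture of `ping 10.0.0.5`: four requests and the replies the
    Linux VM returns. With blocked_from_seq set, requests from that sequence number
    onward get no reply, which is what an NSG Deny rule for ICMPv4 produces."""
    ident = 1  # constructed identifier; Wireshark shows it as 'Identifier (BE)'
    capture = []
    for seq in range(1, 5):
        capture.append(build_echo(ECHO_REQUEST, ident, seq))
        if blocked_from_seq is None or seq < blocked_from_seq:
            capture.append(build_echo(ECHO_REPLY, ident, seq))
    return pair_echoes(capture)


if __name__ == "__main__":
    print(simulate_ping())                    # 8 rows, 4 replies, nothing timed out
    print(simulate_ping(blocked_from_seq=3))  # 6 rows, 2 replies, seq 3 and 4 timed out
```

The checksum verification is the same check Wireshark performs when it flags a packet as `[Checksum incorrect]`; a tampered or truncated echo packet fails it, which is worth knowing when a capture shows requests that nothing answers.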

### Example 2: Initiating a continuous ping and configuring firewall rules (e.g., Network Security Groups)

We will initiate a perpetual ping from the Windows 11 virtual machine to the Linux Ubuntu virtual machine.

To perform this, type the following into Windows PowerShell, then run the command:

- **ping 10.0.0.5 -t**

_NOTE_: This is a continuation of the previous example, with the -t flag added to the ping command to create a continuous stream of ICMP requests between the Windows 11 and Linux Ubuntu virtual machines

![attachments/ping-t2.png](attachments/ping-t2.png)

Back on Wireshark, the same activity is reflected. You will see multiple request and reply packets being captured between both virtual machines.

![attachments/ping-t3.png](attachments/ping-t3.png)

**Now we are going to open up the Network Security Group for the Linux Ubuntu virtual machine and disable incoming ICMP traffic. After that, we will observe the network traffic in Wireshark to see the resulting behavior.**

Head over to our Azure portal, and open up Linux-VM

Navigate to **Network settings** and under **Network Security Group**, click **Linux-VM-nsg**

![attachments/linux-nsg.png](attachments/linux-nsg.png)

_NOTE_: A Network Security Group (NSG) is a virtual firewall used in Microsoft Azure to control inbound and outbound network traffic to and from Azure resources, such as virtual machines (VMs), subnets, or network interfaces.

On the left hand side, click **Settings > Inbound security rules**, then click **Add**

![attachments/linux-nsg2.png](attachments/linux-nsg2.png)

Here we will create an inbound security rule preventing ICMP traffic from reaching our Linux virtual machine. We will observe the activity that occurs afterwards.

Fill in the following information:

- Destination port ranges - * (just an asterisk)
- Protocol - **ICMPv4** (ICMP protocol)
- Action - **Deny** (Will prevent incoming ICMP traffic)
- Priority - **290** (Will be highest priority within our security rules)

Then click **Add** to create the rule.

![attachments/linux-nsg3.png](attachments/linux-nsg3.png)

Back on our Windows virtual machine, our perpetual ping within Windows PowerShell will start to time out. This is because the inbound security rule that we created has taken effect and is blocking the ICMP request packets coming from the Windows virtual machine to the Linux virtual machine.

This results in the Windows virtual machine not receiving a reply packet, so PowerShell reports a timeout.

![attachments/linux-nsg4.png](attachments/linux-nsg4.png)

This is also reflected in Wireshark. No replies will be found, as the request packets from the Windows virtual machine aren't getting through.

![attachments/linux-nsg5.png](attachments/linux-nsg5.png)

With Network Security Groups, we are able to create rules to allow/deny certain network protocols for both inbound and outbound traffic.

Let's go ahead and remove the inbound security rule we made. Go back into the Linux virtual machine's network security group in Azure and delete the inbound security rule by performing the following:

- Check security rule
- Click trash icon
- Click Yes to delete security rule

![attachments/linux-nsg6.png](attachments/linux-nsg6.png)

Back on our Windows virtual machine, our perpetual ping within Windows PowerShell will continue again, as the security rule has been removed. ICMP request and reply packets can once again flow between the virtual machines.

![attachments/linux-nsg7.png](attachments/linux-nsg7.png)

The ICMP traffic on Wireshark is now up and running as well.

![attachments/linux-nsg8.png](attachments/linux-nsg8.png)

Go ahead and stop the perpetual ping by pressing **CTRL + C**.

![attachments/control-c.png](attachments/control-c.png)

By performing these examples, we've demonstrated how ICMP traffic operates within a network and how tools like Wireshark can be used to monitor it. We also explored how firewall rules, such as those configured in Network Security Groups, directly impact the flow of network traffic. This provides valuable insight into both connectivity diagnostics and network security control.
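The reason a rule at priority 290 stops the ping while the default rules still allow everything else is Azure's evaluation order: rules are processed from the lowest priority number upward and the first match wins. The following added example (illustrative code, not Azure's implementation and not part of the tutorial) models that evaluation for the rule set in Example 2: the three default inbound rules every NSG carries, the ICMPv4 Deny at 290, and an assumed SSH allow rule at 300 of the kind Azure creates when port 22 is opened at VM creation. The VNet prefix 10.0.0.0/16, the Windows VM address 10.0.0.4 and the rule name are constructed assumptions; the protocol the portal labels ICMPv4 is written `Icmp` here.

```python
"""Added example (not part of the tutorial): a small model of how an Azure Network
Security Group evaluates inbound rules. Azure processes rules from the lowest
priority number upward and applies the first match, so a Deny at 290 overrides
the default AllowVnetInBound at 65000. Addresses, rule names and the VNet prefix
below are constructed assumptions; this is not Azure's implementation."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Assumption: the lab VNet uses the portal default 10.0.0.0/16. The
# AzureLoadBalancer tag is the platform address 168.63.129.16 that also appears
# as the DHCP server in the capture later in this tutorial.
VNET_PREFIX = "10.0.0.0/16"
SERVICE_TAGS = {"VirtualNetwork": VNET_PREFIX, "AzureLoadBalancer": "168.63.129.16/32"}

# Default inbound rules Azure attaches to every NSG (priority 65000 and above).
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "source": "VirtualNetwork",
     "destination": "VirtualNetwork", "protocol": "*", "dest_ports": "*", "access": "Allow"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "source": "AzureLoadBalancer",
     "destination": "*", "protocol": "*", "dest_ports": "*", "access": "Allow"},
    {"name": "DenyAllInBound", "priority": 65500, "source": "*",
     "destination": "*", "protocol": "*", "dest_ports": "*", "access": "Deny"},
]
# Assumption: the SSH rule Azure adds at 300 when port 22 is opened at VM creation;
# the tutorial calls 290 "the highest priority within our security rules".
SSH_RULE = {"name": "SSH", "priority": 300, "source": "*", "destination": "*",
            "protocol": "Tcp", "dest_ports": "22", "access": "Allow"}
# The rule created in Example 2 (the name is a constructed placeholder).
DENY_ICMP_RULE = {"name": "DenyICMPv4-lab", "priority": 290, "source": "*", "destination": "*",
                  "protocol": "Icmp", "dest_ports": "*", "access": "Deny"}


def address_matches(rule_value: str, addr: str) -> bool:
    """'*'/'Any' match everything; 'Internet' is anything outside the VNet;
    other service tags and CIDR strings are checked as prefixes."""
    if rule_value in ("*", "Any"):
        return True
    ip = ipaddress.ip_address(addr)
    if rule_value == "Internet":
        return ip not in ipaddress.ip_network(VNET_PREFIX)
    return ip in ipaddress.ip_network(SERVICE_TAGS.get(rule_value, rule_value), strict=False)


def port_matches(rule_ports: str, port: Optional[int]) -> bool:
    """Port ranges like '22', '80-443' or '22,3389'. ICMP has no port (None), which
    only a '*' range matches, exactly as the lab rule uses."""
    if rule_ports == "*":
        return True
    if port is None:
        return False
    for part in rule_ports.split(","):
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def evaluate_inbound(rules: List[Dict], src: str, dst: str, protocol: str,
                     dst_port: Optional[int] = None) -> Tuple[str, str]:
    """Return (rule name, Allow|Deny) of the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["protocol"] != "*" and rule["protocol"].lower() != protocol.lower():
            continue
        if not (address_matches(rule["source"], src) and address_matches(rule["destination"], dst)):
            continue
        if not port_matches(rule["dest_ports"], dst_port):
            continue
        return rule["name"], rule["access"]
    return "none", "Deny"  # unreachable while DenyAllInBound is present


def lab_scenarios() -> Dict[str, Tuple[str, str]]:
    """The situations in Example 2. 10.0.0.4 is an assumed Windows-VM address;
    10.0.0.5 is the Linux VM's private IP from the tutorial."""
    before = DEFAULT_INBOUND + [SSH_RULE]
    during = before + [DENY_ICMP_RULE]
    return {
        "ping before rule": evaluate_inbound(before, "10.0.0.4", "10.0.0.5", "Icmp"),
        "ping with rule": evaluate_inbound(during, "10.0.0.4", "10.0.0.5", "Icmp"),
        "ssh with rule": evaluate_inbound(during, "10.0.0.4", "10.0.0.5", "Tcp", 22),
        "ping after delete": evaluate_inbound(before, "10.0.0.4", "10.0.0.5", "Icmp"),
    }


if __name__ == "__main__":
    for scenario, (rule, access) in lab_scenarios().items():
        print("%-18s -> %-5s (matched %s)" % (scenario, access, rule))
```

Two things fall out of running it: the Deny rule is protocol-scoped, so SSH from the same source is still allowed while the ping is blocked, and the ping is allowed again the moment the 290 rule is gone because the default `AllowVnetInBound` rule at 65000 matches VNet-internal traffic of any protocol.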

## Observing SSH Traffic

SSH (Secure Shell) is a network protocol used to securely connect one computer to another over an unsecured network. It is used for secure remote access and system administration over a network.

SSH also allows users to remotely log in, run commands, and manage systems, all while encrypting the connection to protect data from interception. In this section, we will observe SSH traffic through the following example:

- [Observing SSH traffic between virtual machines](#observing-ssh-traffic-between-virtual-machines)

### Observing SSH traffic between virtual machines

To start, make sure the following has been performed:

- Both virtual machines are turned on (Windows and Linux)
- Log in to your Windows virtual machine
- Start up Wireshark

In Wireshark, start a packet capture up and filter for **SSH** traffic only.

![attachments/ssh.png](attachments/ssh.png)

From your Windows 11 virtual machine, open Windows PowerShell. We will now **"SSH into"** our Linux Ubuntu virtual machine via its private IP address.

Type in the following: _ssh labuser@10.0.0.5_, then press Enter.

![attachments/ssh1.png](attachments/ssh1.png)

You will be prompted to continue connecting to the Linux virtual machine.

Perform the following:

- Type **yes**, then press Enter
- After that, type the Linux virtual machine's password: **Cyberlab123!**, then press Enter

![attachments/ssh2.png](attachments/ssh2.png)

_NOTE_: When you type your password here, nothing will appear. This is for security purposes. Rest assured, the text is still being entered.

As you can see in Windows PowerShell, the prompt changed to **labuser@Linux-VM**, which means we are now securely connected to our Linux virtual machine through SSH.

![attachments/ssh4.png](attachments/ssh4.png)

Back in Wireshark, the SSH traffic generated by our activity in Windows PowerShell is visible.

Any activity performed in Windows PowerShell while connected via SSH will generate corresponding traffic that can be observed in Wireshark. This includes everything from executing commands to simply typing in the command-line interface.

![attachments/ssh3.png](attachments/ssh3.png)

To show that we are connected to the Linux Ubuntu virtual machine, we can type some commands to test it out.

Type **hostname**, then press Enter.

The output will be **linux-vm**. Even though we are on our Windows virtual machine, we are remotely connected to our Linux virtual machine via SSH. This allows us to execute commands on it from our Windows command-line tool.

![attachments/hostname.PNG](attachments/hostname.PNG)

Type **pwd**, then press Enter.

The output will be **/home/labuser**. This shows that our working directory is **/home/labuser**, which is on our Linux virtual machine.

![attachments/pwd1.PNG](attachments/pwd1.PNG)

Exit the SSH connection by typing **exit** and pressing Enter.

![attachments/exit1.PNG](attachments/exit1.PNG)

This example showed how SSH traffic works on a network and how Wireshark can be used to observe it. We also learned how SSH securely connects to remote systems, giving us a better understanding of encrypted communication.
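What Wireshark can and cannot decode in that capture follows directly from the SSH-2 framing in RFC 4253: the identification line and the key-exchange packets up to `SSH_MSG_NEWKEYS` travel in the clear, and everything after them, including the password typed above and the output of `hostname` and `pwd`, is ciphertext that the dissector can report only as an encrypted packet with a length. The following added example (not part of the tutorial) walks one direction of such a conversation the way the dissector does. The banners are examples of the form OpenSSH uses, and the packet contents are constructed, not captured.

```python
"""Added example (not from the tutorial): walk an SSH-2 byte stream the way a
protocol dissector does. Only the identification line and the key-exchange
packets up to SSH_MSG_NEWKEYS are cleartext (RFC 4253); everything after them is
ciphertext that a capture can report only as 'Encrypted packet'. The banners and
packet contents below are constructed, not captured."""
import struct
from typing import Dict, List

# Message numbers from RFC 4253 that appear before encryption is switched on.
MSG_NAMES = {20: "Key Exchange Init", 21: "New Keys",
             30: "Key Exchange (DH/ECDH) Init", 31: "Key Exchange (DH/ECDH) Reply"}
SSH_MSG_NEWKEYS = 21


def parse_identification(line: bytes) -> Dict[str, str]:
    """'SSH-protoversion-softwareversion SP comments CR LF' (RFC 4253 section 4.2)."""
    text = line.rstrip(b"\r\n").decode("ascii")
    if not text.startswith("SSH-"):
        raise ValueError("not an SSH identification string: %r" % text)
    version_part, _, comments = text.partition(" ")
    _, proto, software = version_part.split("-", 2)
    return {"protocol": proto, "software": software, "comments": comments}


def build_packet(payload: bytes, block_size: int = 8) -> bytes:
    """Frame a payload as an unencrypted binary packet (RFC 4253 section 6):
    uint32 packet_length, byte padding_length, payload, padding. Padding is at
    least 4 bytes and brings the total to a multiple of the cipher block size.
    Zero padding keeps this example deterministic; real stacks use random bytes."""
    padding_len = block_size - ((len(payload) + 5) % block_size)
    if padding_len < 4:
        padding_len += block_size
    packet_length = 1 + len(payload) + padding_len
    return struct.pack("!IB", packet_length, padding_len) + payload + b"\x00" * padding_len


def dissect_stream(data: bytes) -> List[str]:
    """One 'Info' string per frame for one direction of the conversation. Decoding
    stops at SSH_MSG_NEWKEYS: the remaining bytes are ciphertext, reported by length."""
    rows = []
    end_of_line = data.index(b"\r\n")
    ident = parse_identification(data[:end_of_line])
    rows.append("Protocol: SSH-%s-%s" % (ident["protocol"], ident["software"]))
    offset = end_of_line + 2
    while offset < len(data):
        packet_length, padding_len = struct.unpack("!IB", data[offset:offset + 5])
        payload = data[offset + 5: offset + 4 + packet_length - padding_len]
        msg_type = payload[0]
        rows.append(MSG_NAMES.get(msg_type, "Message type %d" % msg_type))
        offset += 4 + packet_length
        if msg_type == SSH_MSG_NEWKEYS:
            if offset < len(data):
                rows.append("Encrypted packet (len=%d)" % (len(data) - offset))
            break
    return rows


def sample_client_stream() -> bytes:
    """Constructed client-to-server bytes for `ssh labuser@10.0.0.5` from Windows.
    The software string is an example of OpenSSH's format, not a real capture."""
    banner = b"SSH-2.0-OpenSSH_for_Windows_9.5\r\n"
    kexinit = build_packet(b"\x14" + b"\x00" * 16 + b"constructed-kex-algorithm-lists")
    ecdh_init = build_packet(b"\x1e" + b"\x00\x00\x00\x20" + b"\x11" * 32)  # 32-byte ephemeral key
    newkeys = build_packet(b"\x15")
    ciphertext = bytes(range(0x10, 0x40))  # stand-in for the encrypted auth and session packets
    return banner + kexinit + ecdh_init + newkeys + ciphertext


if __name__ == "__main__":
    for row in dissect_stream(sample_client_stream()):
        print(row)
```

The only cleartext facts an observer learns are the two software versions and the offered algorithm lists, which is exactly why the capture in this example shows SSH frames but no readable commands or credentials.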

## Observing DHCP traffic

DHCP (Dynamic Host Configuration Protocol) is a network protocol used to automatically assign an IP address and other network settings to a device on the network. In this section, we will observe DHCP traffic through the following example:

- [Requesting a new IP Address via DHCP](#requesting-a-new-ip-address-via-dhcp)

### Requesting a new IP Address via DHCP

To start, make sure the following has been performed:

- Log in to your Windows virtual machine
- Start up Wireshark

In Wireshark, start a packet capture and filter for **DHCP** traffic only.

![attachments/dhcp.png](attachments/dhcp.png)

Open an instance of Notepad and type in the following:

```
ipconfig /release
ipconfig /renew
```

Save the Notepad document with the following settings:

- Location: **c:\programdata**
- File name: **dhcp.bat**
- Save as type: **All Files**

![attachments/notepad-save.png](attachments/notepad-save.png)

Run Windows PowerShell as Administrator by right-clicking the application and clicking "Run as Administrator".

![attachments/run-as-admin.png](attachments/run-as-admin.png)

Run the following command:

```
cd c:\programdata
```

![attachments/programdata.png](attachments/programdata.png)

and then:

```
.\dhcp.bat
```

![attachments/dhcp-bat.png](attachments/dhcp-bat.png)

Once the previous command is run, the Windows virtual machine releases its current IP address and requests a new one from the DHCP server through the DHCP handshake process.

In Wireshark, the following DHCP packets will appear, each representing a step in the DHCP handshake process.

![attachments/dora.png](attachments/dora.png)

This is the standard four-step process, known as DORA, that DHCP uses to assign an IP address to a client. The steps of the DHCP handshake are shown in the table below:

| Step | Protocol Message | Description |
| ---- | ----------------- | ---------------------------------------------------------------------------------------------- |
| 1️⃣ | **DHCP Discover** | The client (source: `0.0.0.0`) broadcasts a request to find a DHCP server. |
| 2️⃣ | **DHCP Offer** | A DHCP server (source: `168.63.129.16`) responds with an IP address offer and network details. |
| 3️⃣ | **DHCP Request** | The client requests to use the offered IP address by sending a DHCP Request message. |
| 4️⃣ | **DHCP ACK** | The server acknowledges the request and officially assigns the IP to the client. |

Here is another representation of how the DHCP handshake works. Again, this is the standard four-step DORA process that DHCP uses to assign an IP address to a client.

![attachments/handshake.PNG](attachments/handshake.PNG)

This example showed how DHCP works on a network and how Wireshark helps us see the traffic involved. We also learned about the DORA process and how it’s used during the DHCP handshake to assign an IP address to a device.
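The following added example (not part of the tutorial) builds and decodes DHCP messages in the RFC 2131 layout and reconstructs the exchange that `ipconfig /release` followed by `ipconfig /renew` produces: a unicast Release from the old address, then the four DORA broadcasts, all sharing one transaction ID, which is how Wireshark (and the client) tie an Offer or ACK back to the Discover that caused it. The server address 168.63.129.16 and the 0.0.0.0 client source come from the table above; the client MAC, the address 10.0.0.4, the subnet mask, gateway and lease time are constructed values.

```python
"""Added example (not from the tutorial): build and decode DHCP messages (RFC 2131)
and reconstruct the release + DORA exchange from a constructed capture. The client
MAC, the address 10.0.0.4 and the lease options are constructed; the server
168.63.129.16 and the 0.0.0.0 client source come from the tutorial's table."""
import socket
import struct
from typing import Dict, List, Tuple

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 4: "Decline",
                 5: "ACK", 6: "NAK", 7: "Release"}
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS, OPT_REQUESTED_IP = 1, 3, 6, 50
OPT_LEASE_TIME, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 51, 53, 54, 255
AZURE_DHCP_SERVER = "168.63.129.16"   # from the capture table on this page
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file


def _option(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value


def build_dhcp(op: int, xid: int, mac: bytes, msg_type: int, ciaddr: str = "0.0.0.0",
               yiaddr: str = "0.0.0.0", options: bytes = b"") -> bytes:
    """Fixed 236-byte BOOTP header, magic cookie, then TLV options ending in 255.
    The broadcast flag is set when the client has no address to be unicast to."""
    header = struct.pack(HEADER_FMT, op, 1, 6, 0, xid, 0, 0x8000 if ciaddr == "0.0.0.0" else 0,
                         socket.inet_aton(ciaddr), socket.inet_aton(yiaddr),
                         socket.inet_aton("0.0.0.0"), socket.inet_aton("0.0.0.0"), mac, b"", b"")
    return header + MAGIC_COOKIE + _option(OPT_MESSAGE_TYPE, bytes([msg_type])) + options + bytes([OPT_END])


def parse_dhcp(payload: bytes) -> Dict[str, object]:
    """Decode the header and options into the fields Wireshark's BOOTP/DHCP tree shows."""
    fields = struct.unpack(HEADER_FMT, payload[:236])
    op, _htype, hlen, _hops, xid, _secs, flags, ciaddr, yiaddr, _siaddr, _giaddr, chaddr = fields[:12]
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0:          # pad byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2: i + 2 + length]
        i += 2 + length
    return {
        "op": op, "xid": xid, "broadcast": bool(flags & 0x8000),
        "client_mac": ":".join("%02x" % b for b in chaddr[:hlen]),
        "ciaddr": socket.inet_ntoa(ciaddr), "yiaddr": socket.inet_ntoa(yiaddr),
        "message_type": MESSAGE_TYPES.get(options.get(OPT_MESSAGE_TYPE, b"\x00")[0], "unknown"),
        "server_id": socket.inet_ntoa(options[OPT_SERVER_ID]) if OPT_SERVER_ID in options else None,
        "subnet_mask": socket.inet_ntoa(options[OPT_SUBNET_MASK]) if OPT_SUBNET_MASK in options else None,
        "lease_seconds": struct.unpack("!I", options[OPT_LEASE_TIME])[0] if OPT_LEASE_TIME in options else None,
    }


def sample_capture() -> List[Tuple[str, str, bytes]]:
    """(src IP, dst IP, payload) triples for release + DORA. Constructed values:
    MAC 00:0d:3a:aa:bb:cc, old/new address 10.0.0.4, xid 0x3903f326, 1-day lease."""
    mac, xid = bytes.fromhex("000d3aaabbcc"), 0x3903F326
    server = _option(OPT_SERVER_ID, socket.inet_aton(AZURE_DHCP_SERVER))
    lease = (_option(OPT_SUBNET_MASK, socket.inet_aton("255.255.0.0")) +
             _option(OPT_ROUTER, socket.inet_aton("10.0.0.1")) +
             _option(OPT_DNS, socket.inet_aton(AZURE_DHCP_SERVER)) +
             _option(OPT_LEASE_TIME, struct.pack("!I", 86400)) + server)
    return [
        # ipconfig /release: unicast DHCPRELEASE from the address being given up
        ("10.0.0.4", AZURE_DHCP_SERVER, build_dhcp(BOOTREQUEST, xid - 1, mac, 7, ciaddr="10.0.0.4", options=server)),
        # ipconfig /renew with no address: the DORA broadcast exchange
        ("0.0.0.0", "255.255.255.255", build_dhcp(BOOTREQUEST, xid, mac, 1)),
        (AZURE_DHCP_SERVER, "255.255.255.255", build_dhcp(BOOTREPLY, xid, mac, 2, yiaddr="10.0.0.4", options=lease)),
        ("0.0.0.0", "255.255.255.255", build_dhcp(BOOTREQUEST, xid, mac, 3,
                                                  options=_option(OPT_REQUESTED_IP, socket.inet_aton("10.0.0.4")) + server)),
        (AZURE_DHCP_SERVER, "255.255.255.255", build_dhcp(BOOTREPLY, xid, mac, 5, yiaddr="10.0.0.4", options=lease)),
    ]


def dora_sequence(capture: List[Tuple[str, str, bytes]]) -> List[Dict[str, object]]:
    """One summary row per frame in the style of Wireshark's Info column, and a check
    that the four DORA messages share a single transaction ID."""
    rows = []
    for src, dst, payload in capture:
        msg = parse_dhcp(payload)
        rows.append({"src": src, "dst": dst, "type": msg["message_type"], "xid": msg["xid"],
                     "yiaddr": msg["yiaddr"],
                     "info": "DHCP %s - Transaction ID 0x%08x" % (msg["message_type"], msg["xid"])})
    dora = [r for r in rows if r["type"] in ("Discover", "Offer", "Request", "ACK")]
    if len({r["xid"] for r in dora}) != 1:
        raise ValueError("DORA messages do not share a transaction ID")
    return rows


if __name__ == "__main__":
    for row in dora_sequence(sample_capture()):
        print("%-15s -> %-15s  %s" % (row["src"], row["dst"], row["info"]))
```

Filtering a real capture on the transaction ID (`dhcp.id == 0x3903f326` in Wireshark's display filter syntax) isolates one client's DORA from everything else on a busy segment, which is the check to reach for when several clients renew at once.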

## Observing DNS Traffic

DNS (Domain Name System) is a network protocol that translates human-readable domain names into IP addresses that computers use to communicate with each other over the internet or a network. In this section, we will observe DNS traffic through the following example:

- [nslookup within Windows PowerShell](#nslookup-within-windows-powershell)

### nslookup within Windows PowerShell

To start, make sure the following has been performed:

- Log in to your Windows virtual machine
- Start up Wireshark
- Start up Windows PowerShell

In Wireshark, start a packet capture up and filter for **DNS** traffic only.

![attachments/dns2.png](attachments/dns2.png)

We will be using the command **nslookup** for this DNS activity. **nslookup** is a command line tool used to query DNS to obtain the domain name or IP address mapping information.

In Windows PowerShell, type in the following command, then press Enter.

_NOTE_: Any public website or domain can be inserted here.

```
nslookup disney.com
```

The output is the public IP address of the domain we entered at the command line. In this case, the IP address for **disney.com** is **130.211.198.204**.

![attachments/dns.png](attachments/dns.png)

Back in Wireshark, the DNS traffic generated by our activity in Windows PowerShell is visible.

![attachments/dns3.png](attachments/dns3.png)

In this lab, we used DNS to resolve domain names to IP addresses, demonstrating how devices rely on DNS to locate and connect to remote servers. Tools like nslookup and Wireshark helped us observe and analyze the DNS query and response process in real time.
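The two DNS frames Wireshark shows for that lookup, a standard query and its response, have the RFC 1035 layout built and decoded by the following added example (not part of the tutorial). It constructs the A query that `nslookup disney.com` sends, a response carrying the address the tutorial observed, 130.211.198.204, and matches the two on the 16-bit transaction ID exactly as Wireshark pairs them. The transaction ID, TTL and resolver behaviour are constructed; the real answer for the name may change over time.

```python
"""Added example (not from the tutorial): build the DNS query that `nslookup
disney.com` sends and decode a constructed response carrying the address the
tutorial observed, 130.211.198.204. The transaction ID, TTL and resolver
behaviour are constructed; real answers for the name may differ over time."""
import socket
import struct
from typing import Dict, List, Tuple

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """'disney.com' becomes length-prefixed labels: 06 'disney' 03 'com' 00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Read a name at offset, following RFC 1035 compression pointers (0xC0xx).
    Returns (name, offset just past the name at its original position)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                    # pointer to an earlier name
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            if end is None:
                end = offset + 1
            return ".".join(labels), end
        labels.append(msg[offset + 1: offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(name: str, txid: int, qtype: int = QTYPE_A) -> bytes:
    """Header: ID, flags 0x0100 (standard query, recursion desired), one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_response(query: bytes, addresses: List[str], ttl: int = 300) -> bytes:
    """Answer a single-question A query: echo the ID and question, set QR|RD|RA
    (0x8180) and add one A record per address, naming each with a pointer to the
    question name at offset 12 (0xC00C)."""
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(a)
                       for a in addresses)
    return header + question + answers


def parse_message(msg: bytes) -> Dict[str, object]:
    """Decode header, questions and answers into the fields Wireshark's DNS tree shows."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        qname, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype))
    for _ in range(ancount):
        aname, offset = decode_name(msg, offset)
        atype, _aclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        answers.append({"name": aname, "type": atype, "ttl": ttl,
                        "address": socket.inet_ntoa(rdata) if atype == QTYPE_A and rdlength == 4 else rdata.hex()})
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "questions": questions, "answers": answers}


def resolve_like_nslookup(name: str, txid: int = 0x1A2B) -> Dict[str, object]:
    """Constructed exchange for `nslookup disney.com`: the query the VM sends and the
    response the resolver returns, matched on transaction ID as Wireshark does."""
    query = build_query(name, txid)
    response = build_response(query, ["130.211.198.204"])   # the address seen on this page
    parsed_q, parsed_r = parse_message(query), parse_message(response)
    if parsed_q["id"] != parsed_r["id"] or not parsed_r["is_response"]:
        raise ValueError("response does not match the query")
    return {"name": parsed_r["questions"][0][0], "rcode": parsed_r["rcode"],
            "addresses": [a["address"] for a in parsed_r["answers"]]}


if __name__ == "__main__":
    print(resolve_like_nslookup("disney.com"))
```

The ID match is the only thing tying a response to its query over UDP, which is why Wireshark's `dns.id` field is the first thing to filter on when a capture shows responses that no visible query explains.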