Skip to content

In this tutorial, we observe various network traffic to and from Azure Virtual Machines with Wireshark as well as experiment with Network Security Groups.

Notifications You must be signed in to change notification settings

ShaKiraMcDonald/azure-network-protocols

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
 
 

Repository files navigation

Traffic Examination

Network Security Groups (NSGs) and Inspecting Traffic Between Azure Virtual Machines

In this tutorial, we observe various network traffic to and from Azure Virtual Machines with Wireshark as well as experiment with Network Security Groups.

Environments and Technologies Used

  • Microsoft Azure (Virtual Machines/Compute)
  • Remote Desktop
  • Various Command-Line Tools
  • Various Network Protocols (SSH, RDH, DNS, HTTP/S, ICMP)
  • Wireshark (Protocol Analyzer)

Operating Systems Used

  • Windows 10 (21H2)
  • Linux Ubuntu Server 20.04

High-Level Steps

Create Resources Observe ICMP Traffic Observe SSH Traffic) Observe DHCP Traffic Observe RDP Traffic

Actions and Observations

Resource Groups (similar to a file system) logical collections of virtual machines, storage accounts, virtual networks, web apps, databases, and/or database servers. Virtual Machines (VM) allow you to more easily scale your applications by adding more physical or virtual servers to distribute the workload across multiple VMs. We created two Virtual Machines (pictured below) of differing Operating Systems (Windows 10 21H2 & Linux Ubuntu Server 20.04) that will be used for Remote Deskop and to observe network traffic between the two devices.

Disk Sanitization Steps


Remote desktop allows the user to connect to a computer in another location, see that computer's desktop and interact with it as if it were local. A quick search for "remote desktop connection" will allow the user to access the VM. Here we will be entering the details of the public IP address for VM1 (Windows 10 21H2) to install Wireshark (packet analysis software) instead of using our local machine. (below pictured search of remote desktop and the result to enter IP address)

Disk Sanitization Steps

On the virtual machine with Windows 10, download Wireshark (Windows Installer 64-bit) and continue with all the default options.

Npcap will pop up to install, go ahead and install that with defaults and wireshark will continue to install after.

Open Wirehsark in the VM, click Ethernet and then click the blue fin at the top left under 'File' to begin capturing packets. Notice all the traffic already happening that happens in the background.


After retrieving the private IP address from VM2 (Linux Ubutu Server 20.04) we can now ping that private IP address from VM1 (Windows 10 21H2) that we've used to remote into. We can use the ping command to test the connection between machines for connectivity. So we can now view the traffic travel from VM1 to VM2 by filtering the ICMP packets in Wireshark. We can also ping other IP address or a domain names (www.google.com). The filtered traffic that is requested and its corresponding reply is shown below in Wireshark is pictured (left) and Powershell (right):

Disk Sanitization Steps


If we want to deny the ping request we can add this rule to our Network Security Group inside the Virtual Machine and once we've added this rule to VM2, we can see that the traffic times out in PowerShell along with Wireshark longer displaying a reply to this request.

ping traffic


Wireshark and PowerShell timed out after denying icmp (ping) traffic

icmp traffic deny


We can filter in Wireshark, with a the filter functionality we can filter SSH only traffic. From the Windows 10 VM, we enter SSH into Linux Virtual Machine (VM2) (using "ssh username@ip address" its private IP address). When we use commands such as touch, pwd (print working directory) or ls (list), into the linux SSH was used to connect. SSH traffic is observed spamming in WireShark. The SSH connection can be exited, by typing ‘exit’ and pressing [Enter].

ssh traffic

We can filter in Wireshark for "DHCP traffic only". From VM1 (Windows 10 21H2), a new IP address was issued from the command line (ipconfig /renew). Now DHCP traffic can be observed in WireShark.

dhcp traffic


In Wireshark, we can filter for RDP traffic only (tcp.port == 3389) because the RDP (protocol) is constantly showing you a live stream from one computer to another, therefore traffic is consistently being transmitted

tcp 3389

"We need to accept that we won’t always make the right decisions, that we’ll screw up royally sometimes―understanding that failure is not the opposite of success, it’s part of success.” ―Arianna Huffington

About

In this tutorial, we observe various network traffic to and from Azure Virtual Machines with Wireshark as well as experiment with Network Security Groups.

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published