Wireshark walkthrough: observing an Azure SQL Database TDS connection on the wire

Microsoft

Jan 26, 2026

One of the most effective ways to truly understand how Azure SQL Database connectivity works is to observe the connection at the packet level. A short Wireshark capture clearly shows the interaction between TCP, TLS, TDS, and the Azure SQL gateway / redirect flow.

This section walks through what you should expect to see in a healthy Azure SQL Database connection.

1. Capture setup (high level)

Capture traffic on the client side, while reproducing the connection attempt (for example, using sqlcmd, SSMS, or your application).

Typical display filters to start with:

tcp.port == 1433

If Redirect mode is involved, you may later see additional TCP ports (for example, 11xxx–11999 or a specific dynamic port like 6188).

2. TCP three‑way handshake (transport layer)

The first packets are standard TCP:

SYN → client initiates connection
SYN‑ACK → Azure SQL gateway responds
ACK → connection established

At this point:

The destination IP is the Azure SQL Database gateway
The destination port is 1433

This confirms basic network reachability to the gateway.

3. TDS PRELOGIN message (application layer)

Immediately after the TCP handshake, Wireshark shows the TDS Pre‑Login packet.

Key observations:

Protocol: TDS
Message type: PRELOGIN
This packet contains no credentials
It negotiates:
- TDS version
- Encryption capability
- MARS (Multiple Active Result Sets)
- Federated authentication flags (if applicable)

In Wireshark, this often appears as:

Tabular Data Stream
  Packet Type: Pre-Login

This is the first SQL‑aware packet on the wire.

4. TLS handshake (security layer)

What happens next depends on the TDS version and encryption mode:

TDS 7.x (older behavior)

PRELOGIN is visible in clear text
TLS handshake occurs after PRELOGIN

TDS 8.0 / Encrypt=Strict (modern Azure SQL behavior)

TLS handshake occurs immediately after TCP
PRELOGIN itself is encrypted
Wireshark shows:
- Client Hello
- Server Hello
- Certificate exchange

In this case:

You will not see readable TDS fields unless TLS decryption is configured
This is expected and by design

5. LOGIN and authentication phase

After TLS is established:

Client sends LOGIN7 message
Authentication occurs (SQL auth, Azure AD token, managed identity, etc.)
All sensitive data is encrypted

In Wireshark:

Packets are marked as TLS Application Data
TDS payload is no longer human‑readable

A successful login is followed by:

ENVCHANGE tokens
Session setup responses

6. Redirect behavior (very important in Azure SQL)

If the server is using Redirect connection policy, Wireshark shows a distinctive pattern:

Initial connection:
- TCP → 1433 (gateway)
Server responds with routing information
Client opens a second TCP connection:
- New destination IP
- New dynamic port (for example: 6188)

In Wireshark you will see: