Network trace or Packet capture without VM


Hi, I am trying to debug TCP timeout problems. An on-premises server calls an Azure App Service via a Private Endpoint.

The site-to-site connection is ExpressRoute; calls from on-prem occasionally end up in a timeout. These failed calls are seen in the App Service logs, however, and are answered correctly according to our software developer team.

So I would like to capture packets in Azure between the ER GW and the App Service Private Endpoint (app, Linux, container), but I don't know how. For example, NSG Flow Logs don't capture anything. How can I accomplish this?


BR, Mika

If NSG Flow Logs are not capturing the packets, you can try capturing packets using Network Watcher's packet capture feature. This feature allows you to capture packets flowing through a specific network interface on a VM, which should allow you to capture packets flowing between the ER GW and App Service Private Endpoint.

Here are the steps to capture packets using Network Watcher:

Enable Network Watcher on your Azure subscription if it is not already enabled.

Create a packet capture session in Network Watcher for the network interface of the VM that is handling the traffic between the ER GW and App Service Private Endpoint.

Start the packet capture session and wait for the issue to occur.

Stop the packet capture session and download the captured packets.

Analyze the captured packets using a packet capture analysis tool, such as Wireshark, to determine the cause of the timeouts.

Note that capturing packets can generate a large amount of data, so it's important to be selective in what you capture and to filter the captured packets to only include the traffic you are interested in. Also, be aware that capturing packets may have an impact on network performance, so it's important to limit the duration and frequency of the capture sessions to minimize the impact on your environment.

To capture packets in Azure between your ExpressRoute gateway and your Azure App Service Private Endpoint, you can use Azure Network Watcher's packet capture feature. This allows you to capture network traffic to and from a virtual machine, network interface, or subnet. Here's how you can use this feature to capture packets:

In the Azure portal, navigate to the Network Watcher resource for your subscription.

Select Packet Capture from the menu on the left-hand side.

Click on Create a packet capture.

Provide a name for your packet capture and select the appropriate resource for the capture. In your case, you would select the network interface for your App Service Private Endpoint.

Select the filters for the capture. You can specify a source IP address, a destination IP address, a protocol, and a port range.

Set the maximum duration and size for the capture.

Select the storage account where you want to store the captured packets.

Click on Create to start the packet capture.

Once the packet capture is complete, you can download the captured packets from the storage account you specified and use Wireshark to analyze the packets and diagnose and troubleshoot the TCP timeouts.
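The portal steps described in both replies above as an Azure CLI script, added here as an example and not code from the thread or from Microsoft's documentation. It assumes a probe VM in the VNet that reproduces the HTTPS calls to the Private Endpoint, because Network Watcher packet capture attaches to a VM's NIC rather than to the Private Endpoint itself; the resource names and the Private Endpoint address 10.20.1.5 are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: the Azure CLI equivalent of the portal
# steps above, kept narrow so the capture only holds the flows under study.
# Assumes a VM in the VNet that reproduces the on-prem HTTPS calls to the
# Private Endpoint (Network Watcher captures on VM/VMSS NICs only). All
# resource names and addresses are placeholders.

RG="${RG:-rg-netdebug}"              # resource group of the probe VM
VM="${VM:-vm-capture-probe}"         # VM whose NIC is captured
STORAGE="${STORAGE:-stnetcapture}"   # storage account receiving the .cap file
PE_IP="${PE_IP:-10.20.1.5}"          # placeholder Private Endpoint IP
TIME_LIMIT=900                       # seconds; stop early rather than fill disk
CAPTURE_LIMIT=104857600              # 100 MiB cap on the capture file

# Filter JSON for --filters: TCP to the endpoint/port only, so unrelated
# traffic (SSH to the probe, DNS, package updates) never lands in the capture.
build_filters() {  # $1 = remote IP or "a.b.c.d-w.x.y.z" range, $2 = remote port
  printf '[{"protocol":"TCP","remoteIPAddress":"%s","remotePort":"%s"}]' "$1" "$2"
}

# Dry run: print the exact command so it can be reviewed before running.
capture_cmd() {  # $1 = capture name, $2 = filter JSON
  printf "az network watcher packet-capture create -g %s -n %s --vm %s --storage-account %s --time-limit %s --capture-limit %s --filters '%s'\n" \
    "$RG" "$1" "$VM" "$STORAGE" "$TIME_LIMIT" "$CAPTURE_LIMIT" "$2"
}

# Actually start the capture (needs az login and Network Watcher enabled in the
# VM's region). Reproduce the timing-out call from the VM while it runs, then
# stop it with:  az network watcher packet-capture stop -l <region> -n <name>
start_capture() {  # $1 = capture name
  az network watcher packet-capture create -g "$RG" -n "$1" --vm "$VM" \
    --storage-account "$STORAGE" --time-limit "$TIME_LIMIT" \
    --capture-limit "$CAPTURE_LIMIT" --filters "$(build_filters "$PE_IP" 443)"
}

# Default action is the dry run; set RUN=1 to start the capture for real.
if [ "${RUN:-0}" = 1 ]; then
  start_capture cap-pe-timeout
else
  capture_cmd cap-pe-timeout "$(build_filters "$PE_IP" 443)"
fi
```

Once the capture has stopped, the .cap file in the storage account opens directly in Wireshark, where the retransmissions or unanswered SYNs behind the timeouts are visible per flow.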

@shankerhari Hi, at least in my Azure tenant, Packet Capture is possible only with virtual machines; it is not possible to capture from the subnet level, as you stated. Or am I missing something here?