# Traffic Examination

## 🔎 Analyzing Network Traffic in Azure with Wireshark


Learn how to monitor and understand real-time network traffic in a cloud environment using Azure virtual machines and Wireshark.


## 🧠 Overview (with Demo to follow)


In this lab, you’ll create two Azure virtual machines—one Windows 10 and one Ubuntu Linux—within the same virtual network. You’ll use Wireshark on the Windows VM to analyze protocols such as ICMP, SSH, DNS, DHCP, and RDP. Along the way, you’ll also adjust Network Security Group (NSG) rules to observe how traffic is filtered in Azure.

This guide is beginner-friendly and great for students exploring network engineering, cloud computing, or cybersecurity fundamentals.

### What You’ll Learn

- Basics of cloud computing with Azure
- How to capture network traffic using Wireshark
- Understand protocols like ICMP, DNS, SSH, DHCP, RDP
- How to interpret real-time network behavior and apply security rules

### Environments and Technologies to Use

- Microsoft Azure (Virtual Machines)
- Microsoft RD Client (Remote Desktop)
- Windows PowerShell
- Various Network Protocols (ICMP, SSH, DHCP, DNS, TCP Port ===)
- Wireshark (Protocol Analyzer)

### Operating Systems to Use

- macOS Sonoma ***(if you own a MacBook Air M1 or M2; any macOS version works with the Remote Desktop app)***
- Windows 10 or Windows 11 Home or Pro ***(if you own either of these OS)***
- Ubuntu Server 22.04 (Virtual Machine)

-----

## ☁️ Part 1: Set Up Azure Resources

### 📦 Step 1: Create a Resource Group & Virtual Network

1. Log into the Azure Portal
2. Create a Resource Group
   - Example: `NetworkLabRG`
3. Create a Virtual Network (VNet)
   - Name: `NetworkLabVNet`
   - Address space: `10.0.0.0/16` (default)

### 🖥️ Step 2: Create Virtual Machines

- Windows 10 VM
  - Use the resource group and VNet created above
  - Allow `RDP (port 3389)` during setup
  - Choose a small size (e.g. B2s)
  - Note the private IP address

- Ubuntu Linux VM
  - Same Resource Group and VNet as the Windows VM
  - Allow `SSH (port 22)`
  - Choose a username + password
  - Note the private IP address

***📖 Note: A Resource Group organizes related Azure services, and a VNet allows your VMs to communicate like they’re on the same local network. You’ll use one VM (Windows) to generate and monitor traffic, and the other (Linux) to respond to it.***

-----

## 🔍 Part 2: Monitor Network Traffic with Wireshark

***Wireshark is a free and powerful tool used to analyze packets and protocols on a network. It helps you see what’s happening behind the scenes.***

### 💻 Install Wireshark

- On the Windows 10 VM, connect via Remote Desktop.
- Download Wireshark: `https://www.wireshark.org`
- Launch Wireshark and start capturing on the Ethernet adapter.

-----

### ICMP Traffic (Ping)

***📖 Note: ICMP is the protocol used when you “ping” another device.***

- Filter ICMP in Wireshark
  - Open Wireshark and set the filter bar to show only `icmp` traffic.

- Ping the Ubuntu VM
  - Find the private IP address of your Ubuntu VM in the Azure portal (e.g. `10.0.0.5`).
  - Open PowerShell or the command line on the Windows 10 VM.
  - Ping the private IP address from the Windows 10 VM and watch the traffic in Wireshark (e.g. `ping 10.0.0.5`).

- Ping a Public Website
  - In the Windows 10 VM, use the command line or PowerShell to ping a public website (e.g. `www.google.com`).
  - Observe the traffic in Wireshark.

- Continuous Ping
  - Start a continuous ping from the Windows 10 VM to the Ubuntu VM (e.g. `ping 10.0.0.5 -t`).
  - 🛑 Stop the ping with `Ctrl + C`.

-----

## 🔐 Manage ICMP with NSG

- Go to the Ubuntu VM > Networking > NSG.
- Add a new Inbound Rule:
  - Protocol: `ICMPv4`
  - Action: `Deny`
  - Priority: `290`
- Return to the Windows VM and try pinging again. It should fail.
- Change the NSG rule to Allow ICMP and try again. It should succeed.
- 🛑 Stop the ping with `Ctrl + C`.

***📖 Note: Observe in Wireshark how traffic stops and resumes depending on NSG rules.***

-----

### 🧰 SSH Traffic

- Filter for SSH in Wireshark
  - In Wireshark, set the filter bar to show only SSH traffic (e.g. `tcp.port == 22`).

- SSH into the Ubuntu VM
  - From the Windows 10 VM, use Windows Terminal or PowerShell to connect to the Ubuntu VM via SSH using its private IP (e.g. `ssh username@<Private IP Address>`).
  - Type commands in the SSH session and observe the traffic in Wireshark; once the key exchange completes, the session contents appear only as encrypted SSH packets. For a Linux commands cheat sheet (for study purposes), see https://www.linuxtrainingacademy.com/linux-commands-cheat-sheet/

- Exit the SSH Session
  - Type `exit` and press `Enter` to close the SSH connection.

-----

### 📶 DHCP Traffic

- Filter for DHCP Traffic
  - In Wireshark, set the filter bar to show only DHCP traffic.

- Renew IP Address
  - On the Windows 10 VM, run `ipconfig /renew` to request a new IP address.
  - Observe the DHCP traffic in Wireshark.
  - For a cheat sheet of `ipconfig` commands (with explanations), see https://www.ninjaone.com/blog/ipconfig-commands/

***📖 Note: DHCP assigns IP addresses automatically; `ipconfig /renew` forces the client to request its lease again. In the capture you’ll see the DHCP Discover, Offer, Request, and Acknowledge messages (if the VM simply renews an existing lease, you may see only the Request and Acknowledge). For more information about the ipconfig commands, see the blog post linked above.***

-----

### 🌍 DNS Traffic

- Filter for DNS Traffic
  - In Wireshark, set the filter bar to show only DNS traffic (`dns`).

- Use nslookup
  - From the Windows 10 VM command line or PowerShell, use `nslookup` to find IP addresses for `google.com` and `disney.com`.
  - Observe the DNS traffic in Wireshark.
  - To learn more about the command, see https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725991(v=ws.11)

***📖 Note: DNS translates domain names (like google.com) into IP addresses.***

-----

### 🖥️ RDP Traffic

***📖 Note: Since you are already connected via Windows Remote Desktop, you’ll observe continuous traffic on `port 3389`.***

- Filter for RDP Traffic
  - In Wireshark, set the filter bar to show RDP traffic (`tcp.port == 3389`).

- Observe RDP Traffic
  - Note the constant stream of traffic. This happens because RDP continuously streams screen updates and input between the two computers.

-----
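The Deny/Allow toggle from the Manage ICMP with NSG section, scripted with the Az PowerShell module as an added example (this is not part of the original lab). It assumes you have already run `Connect-AzAccount`, and the `<ubuntu-vm-nsg-name>` placeholder must be replaced with the NSG Azure attached to the Ubuntu VM's network interface. NSG rules are evaluated lowest priority number first, so the rule at 290 is applied before the default `AllowVnetInBound` rule (priority 65000) that lets the ping succeed before you add it.

```powershell
# Added example (not the lab's own code): manage the inbound ICMP rule on the
# Ubuntu VM's NSG from PowerShell instead of the portal.
$rg      = 'NetworkLabRG'            # resource group created in Part 1
$nsgName = '<ubuntu-vm-nsg-name>'    # placeholder: NSG attached to the Ubuntu NIC

function Set-LabIcmpRule {
    param(
        [ValidateSet('Allow', 'Deny')] [string]$Access,
        [int]$Priority = 290   # lower number = evaluated first; wins over the
                               # default AllowVnetInBound rule at priority 65000
    )
    $nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName

    $rule = @{
        NetworkSecurityGroup     = $nsg
        Name                     = 'Lab-ICMP-Inbound'
        Description              = "Lab rule: $Access ICMPv4 from the VNet"
        Access                   = $Access
        Protocol                 = 'Icmp'
        Direction                = 'Inbound'
        Priority                 = $Priority
        SourceAddressPrefix      = 'VirtualNetwork'   # scope to the lab VNet only
        SourcePortRange          = '*'
        DestinationAddressPrefix = '*'
        DestinationPortRange     = '*'
    }

    # Create the rule on the first call, update it on later calls
    if ($nsg.SecurityRules | Where-Object Name -eq $rule.Name) {
        $nsg = Set-AzNetworkSecurityRuleConfig @rule
    } else {
        $nsg = Add-AzNetworkSecurityRuleConfig @rule
    }
    # Nothing takes effect until the modified NSG is written back to Azure
    $nsg | Set-AzNetworkSecurityGroup | Out-Null
}

# Block ping, watch the echo replies stop in Wireshark, then restore it
Set-LabIcmpRule -Access Deny
Test-Connection -ComputerName 10.0.0.5 -Count 2 -Quiet
Set-LabIcmpRule -Access Allow
Test-Connection -ComputerName 10.0.0.5 -Count 2 -Quiet
```

NSG updates take a short time to propagate, so wait a few seconds between changing the rule and re-testing the ping.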

## 📘 What Is Cloud Computing?


Cloud computing allows users to access computing resources (like servers, storage, and apps) over the internet rather than managing physical infrastructure.


Azure is a leading cloud platform that supports:

- IaaS (Infrastructure as a Service) → VMs, Networks, NSGs
- Scalability & Flexibility → Use what you need, when you need it
- Security & Monitoring → Protect and observe your data flows

-----

## 🧠 Summary of Wireshark Filters

| Protocol | Use | Wireshark Filter |
|---|---|---|
| ICMP | Ping test / connectivity | `icmp` |
| SSH | Secure shell login | `tcp.port == 22` |
| DHCP | IP address leasing | `bootp` (named `dhcp` in Wireshark 3.0 and later; `bootp` is kept as an alias) |
| DNS | Domain name resolution | `dns` |
| RDP | Remote Desktop traffic | `tcp.port == 3389` |

### ✅ Wrap Up

- ✅ You set up a cloud lab using Azure
- ✅ Monitored real traffic with Wireshark
- ✅ Learned how protocols behave in real time
- ✅ Explored firewall rules using Network Security Groups (NSGs)

### 🧹 When You’re Finished

To avoid charges:

- Return to the Azure Portal
- Stop or delete both VMs and the Resource Group

-----

### 🧠 Want to Learn More?

- [Azure Networking Documentation](https://learn.microsoft.com/en-us/azure/networking/)
- [Wireshark Documentation](https://www.wireshark.org/docs/wsug_html_chunked/)
- [Microsoft Learn - DNS Basics](https://learn.microsoft.com/en-us/windows-server/networking/dns/dns-overview)