How to capture Microsoft 365 connection traffic using Wireshark
Overview
Microsoft 365 connectivity troubleshooting may require an in-depth look at the packets exchanged between the client PowerShell modules or API components and the Microsoft 365 cloud services. This article describes the steps required to collect that traffic with Wireshark, an open-source network protocol analyzer that Microsoft recommends as a replacement for the retired Microsoft Message Analyzer. Learn more in: Microsoft Message Analyzer Blog. Follow the steps below to collect the network traffic information needed to troubleshoot connectivity issues.
Preparation steps
Download and install Wireshark from: https://www.wireshark.org/#download on the machine running the Cayosoft Administrator server.
While on the same server, open a command prompt and execute this command:
ping login.microsoftonline.com
NOTE: The host name may differ depending on the original connectivity issue. login.microsoftonline.com is only the sign-in endpoint; Connect-ExchangeOnline, for example, authenticates there and then talks to outlook.office365.com, so a filter on the sign-in address alone will not show the Exchange traffic. Consult Cayosoft Support for the host to capture.
Copy the resolved IP address. The address in the screenshot used for this article is 20.190.151.69; yours will differ, because the name is load-balanced across many addresses and the answer changes over time.
Add the resolved IP to the hosts file. This pins the name to the single address you just resolved, so that every connection made during the test goes to the IP your Wireshark filter matches:
Run Notepad as administrator.
Open the %windir%\System32\drivers\etc\hosts file.
Add an entry for the resolved IP in the form <IP address> <host name>, separated by a space, for example:
20.190.151.69 login.microsoftonline.com
Save the hosts file.
Using Wireshark
Run Wireshark as administrator.
In the capture filter field, enter host <ip address> (for example, host 20.190.151.69) so that only traffic to and from the IP resolved in the previous section is recorded, then select the network interface used to connect to the Internet:
Start capturing packets by clicking Capture > Start or pressing Ctrl+E.
Open a PowerShell prompt and run the test commands:
For example, to capture the network operations performed when connecting with the Exchange Online PowerShell module (ExchangeOnlineManagement), execute this command:
Connect-ExchangeOnline
When prompted, sign in with the same Microsoft 365 account that the Cayosoft Administrator Service uses.
Execute:
Get-Mailbox
Return to Wireshark and stop the packet capture.
Go to File > Save, specify a location and file name, for example, MSOLtraffic.pcap.
Send this file to Cayosoft Support. The capture contains the TCP and TLS handshakes and encrypted application data; sign-in credentials are not readable from it, but it does reveal your server's IP address and the host names in the TLS SNI field, so review it before sharing.
Remove the login.microsoftonline.com entry from the hosts file. Leaving it in place keeps the server pinned to one address, which will break connectivity later when Microsoft changes or retires that IP:
Run Notepad as administrator.
Open the %windir%\System32\drivers\etc\hosts file.
Remove the entry added in the preparation section.
Save the hosts file.
Run ipconfig /flushdns so the pinned answer is dropped from the DNS cache.
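The following PowerShell script is an added example and is not part of the original article or Cayosoft's own tooling. It automates the procedure above end to end on the Cayosoft Administrator server: resolve the host once, pin it in the hosts file, capture with Wireshark's command-line engine dumpcap using the same "host <ip>" filter, run the test commands, and then undo the hosts change even if the test or the script is interrupted. Assumptions (change them if yours differ): Wireshark is installed in its default folder, the ExchangeOnlineManagement module is installed, the capture interface is number 1 in the output of dumpcap -D, and the output file name MSOLtraffic.pcap follows the article. Run it from an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added example, not Cayosoft code. Automates the hosts-pin + Wireshark capture procedure.
param(
    [string]$HostName  = 'login.microsoftonline.com',      # host named by Cayosoft Support
    [string]$Interface = '1',                              # number or name from: & $Dumpcap -D
    [string]$OutFile   = "$env:USERPROFILE\Desktop\MSOLtraffic.pcap",
    [string]$Dumpcap   = 'C:\Program Files\Wireshark\dumpcap.exe'   # assumed default install path
)

$hostsPath = "$env:windir\System32\drivers\etc\hosts"
$marker    = '# cayosoft-capture'   # tag our line so only it is removed afterwards

# 1. Resolve the name once and pin it. The name normally returns several A records
#    (and different ones over time), so without pinning the PowerShell session could
#    connect to an address the capture filter does not match.
$ip = (Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop |
       Where-Object { $_.QueryType -eq 'A' } | Select-Object -First 1).IPAddress
if (-not $ip) { throw "Could not resolve an IPv4 address for $HostName" }
Write-Host "Pinning $HostName to $ip in $hostsPath"
Add-Content -Path $hostsPath -Value "$ip $HostName $marker"
ipconfig /flushdns | Out-Null

$capture = $null
try {
    # 2. Start the capture with the same BPF filter the article types into Wireshark.
    #    -P writes classic pcap (tolerates an abrupt stop better than pcapng).
    $capture = Start-Process -FilePath $Dumpcap -PassThru -NoNewWindow -ArgumentList @(
        '-i', $Interface, '-f', ('"host {0}"' -f $ip), '-P', '-w', ('"{0}"' -f $OutFile)
    )
    Start-Sleep -Seconds 3   # let dumpcap open the interface before generating traffic

    # 3. Reproduce the operation with the account the Cayosoft Administrator Service uses.
    #    A failure here is reported but does not abort the script: a failing connection
    #    is exactly what we want in the capture.
    try {
        Import-Module ExchangeOnlineManagement -ErrorAction Stop
        Connect-ExchangeOnline -ShowBanner:$false
        Get-Mailbox -ResultSize 5 | Out-Null
        Disconnect-ExchangeOnline -Confirm:$false
    } catch {
        Write-Warning "Test command failed (this is captured): $_"
    }
}
finally {
    # 4. Always stop the capture and remove the hosts pin, even on Ctrl+C or error.
    if ($capture -and -not $capture.HasExited) {
        Stop-Process -Id $capture.Id
        $capture.WaitForExit()
    }
    $kept = Get-Content -Path $hostsPath | Where-Object { $_ -notlike "*$marker*" }
    Set-Content -Path $hostsPath -Value $kept
    ipconfig /flushdns | Out-Null
}

# 5. Sanity checks before sending the file to Support.
if (Select-String -Path $hostsPath -Pattern ([regex]::Escape($marker)) -Quiet) {
    Write-Warning "A pinned entry is still present in $hostsPath; remove it by hand."
}
$pcap = Get-Item -Path $OutFile -ErrorAction Stop
if ($pcap.Length -eq 0) { Write-Warning 'Capture file is empty; check the interface number and filter.' }
'Capture written: {0} ({1:N0} bytes). Send this file to Cayosoft Support.' -f $pcap.FullName, $pcap.Length
```

If Support names a different host (for example the outlook.office365.com endpoint that Connect-ExchangeOnline uses after sign-in), pass it with -HostName; the pin, the capture filter and the cleanup all follow from that one parameter. The try/finally is the important design choice: a hosts entry that outlives the test is the most common way this procedure causes a new outage, so the removal must not depend on the test succeeding.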