Perform packet capture on a packet core instance

Packet capture for control or data plane packets is performed using the MEC-Dataplane Trace tool. MEC-Dataplane (MEC-DP) Trace is similar to tcpdump, a data-network packet analyzer computer program that runs on a command line interface (CLI). You can use MEC-DP Trace to monitor and record packets on any user plane interface on the access network (N3 interface) or data network (N6 interface) on your device, as well as the control plane (N2 interface). You can access MEC-DP Trace using the Azure portal or the Azure CLI.

Packet capture works by mirroring packets to a Linux kernel interface, which can then be monitored using tcpdump. In this how-to guide, you'll learn how to perform packet capture on a packet core instance.


Performing packet capture will reduce the performance of your system and the throughput of your data plane. It is therefore only recommended to use this tool at low scale during initial testing.


You must have an AP5GC site deployed to perform packet capture.

To perform packet capture using the command line, you must:

  • Identify the Kubernetes - Azure Arc resource representing the Azure Arc-enabled Kubernetes cluster on which your packet core instance is running.
  • Ensure your local machine has core kubectl access to the Azure Arc-enabled Kubernetes cluster. This requires a core kubeconfig file, which you can obtain by following Core namespace access.

Performing packet capture using the Azure portal

Set up a storage account

You need to set up a storage account to store the diagnostics package.

  1. Create a storage account for diagnostics with the following additional configuration:
    1. In the Data protection tab, under Access control, select Enable version-level immutability support. This will allow you to specify a time-based retention policy for the account in the next step.
    2. If you would like the content of your storage account to be automatically deleted after a period of time, configure a default time-based retention policy for your storage account.
    3. Create a container for your diagnostics.
    4. Make a note of the Container blob URL. For example:
      1. Navigate to your Storage account.
      2. Select the ... symbol on the right side of the container blob that you want to use for diagnostics collection.
      3. Select Container properties in the context menu.
      4. Copy the contents of the URL field in the Container properties view.
  2. Create a User-assigned identity and assign it to the storage account created above with the Storage Blob Data Contributor role.


    You may have already created and associated a user-assigned identity when creating the site.

  3. Navigate to the Packet core control plane resource for the site.
  4. Select Identity under Settings in the left side menu.
  5. Select Add.
  6. Select the user-signed managed identity you created and select Add.


Once you have created the user-assigned managed identity, you must refresh the packet core configuration by making a dummy configuration change. This could be a change that will have no impact on your deployment and can be left in place, or a change that you immediately revert. See Modify a packet core instance. If you do not refresh the packet core configuration, packet capture will fail.

Start a packet capture

  1. Sign in to the Azure portal.
  2. Navigate to the Packet Core Control Pane overview page of the site you want to run a packet capture in.
  3. Select Packet Capture under the Help section on the left side. This will open a Packet Capture view.
  4. If this is the first time you've taken a packet capture using the portal, you will see an error message prompting you to configure a storage account. If so:
    1. Follow the link in the error message.
    2. Enter the Storage account container URL that was configured for diagnostics storage and select Modify.


      If you don't have the URL for your storage account container:

      1. Navigate to your Storage account.
      2. Select the ... symbol on the right side of the container that you want to use for packet capture.
      3. Select Container properties in the context menu.
      4. Copy the contents of the URL field.
    3. Return to the Packet Capture view.
  5. Select Start packet capture.
  6. Fill in the details on the Start packet capture pane and select Create.
  7. The page will refresh every few seconds until the packet capture has completed. You can also use the Refresh button to refresh the page. If you want to stop the packet capture early, select Stop packet capture.
  8. Once the packet capture has completed, the AP5GC online service will save the output at the provided storage account URL.
  9. To download the packet capture output, you can use the Copy to clipboard button in the Storage or File name columns to copy those details and then paste them into the Search box in the portal. To download the output, right-click the file and select Download.

Performing packet capture using the Azure CLI

  1. In a command line with kubectl access to the Azure Arc-enabled Kubernetes cluster, enter the MEC-DP troubleshooter pod:

    kubectl exec -it -n core core-mec-dp-0 -c troubleshooter -- bash
  2. View the list of configured user plane interfaces:

    mect list

    This should report a single interface on the control plane network (N2), a single interface on the access network (N3) and an interface for each attached data network (N6). For example:

    n6trace0 (Data Network: internet)
    n6trace1 (Data Network: enterprise)
    n6trace2 (Data Network: test)
  3. Run mectdump with any parameters that you would usually pass to tcpdump. In particular, -i to specify the interface, and -w to specify where to write to. Close the tool when finished by pressing Ctrl + C. The following examples are common use cases:

    • To run capture packets on all interfaces, run mectdump -i any -w any.pcap
    • To run capture packets for the N3 interface and the N6 interface for a single data network, enter the MEC-DP troubleshooter pod in two separate windows. In one window run mectdump -i n3trace -w n3.pcap and in the other window run mectdump -i <N6 interface> -w n6.pcap (use the N6 interface for the data network as identified in step 2).


    Packet capture files might be large, particularly when running packet capture on all interfaces. Specify filters when running packet capture to reduce the file size - see the tcpdump documentation for the available filters.

  4. Leave the container:

  5. Copy the output files:

    kubectl cp -n core core-mec-dp-0:<path to output file> <location to copy to> -c troubleshooter

    The tcpdump might have been stopped in the middle of writing a packet, which can cause this step to produce an error stating unexpected EOF. However, your file should have copied successfully, but you can check your target output file to confirm.

  6. Remove the output files:

        kubectl exec -it -n core core-mec-dp-0 -c troubleshooter -- rm <path to output file>

Next steps

For more options to monitor your deployment and view analytics: