
Microsoft Copilot Network Analysis with Wireshark

21 November 2025

AI, Article, Networking

Introduction & Concept

This article is the second in a series where I explore how AI tools can work hand in hand with Wireshark to help network engineers capture, inspect, and analyse network traffic. We engineers all know how time-consuming it can be to manually sift through endless network packets trying to spot anomalies or patterns. With the help of AI, that tedious process can be dramatically simplified, allowing us to parse and interpret network data far faster (and often more accurately) than we could with just our eyes and a mouse cursor.

So can we simply enter targeted prompts or queries directly into MS Copilot to help with network data, and was I able to obtain instant, context-aware analytical insights from the Wireshark information? Let’s see.

Note that Wireshark’s native PCAP format is not supported by Copilot, so I had to export the capture in CSV format; see the link below for the supported file formats.

https://support.microsoft.com/en-us/topic/file-formats-supported-by-microsoft-365-copilot-1afb9a70-2232-4753-85c2-602c422af3a8

As you can imagine, I’ve kept the traffic capture as minimal as possible to avoid revealing too much about my live network, so I focused only on Google searches and on generating Microsoft 365/Azure traffic. Let’s get started!

This article is the second instalment in a series examining how AI tools can complement Wireshark to enhance the way network engineers capture, inspect, and analyse network traffic.

Part One – ChatGPT Network Analysis with Wireshark

Part Three – Google Gemini Network Analysis with Wireshark

Step One

From the Wireshark interface, select the NIC you want to capture traffic from.

Step Two

Start capturing traffic by selecting Capture/Start. Keep the capture to about 500 packets for best results (if traffic populates too quickly, reduce the number of applications running in your taskbar).

Step Three

Stop the traffic capture by selecting Capture/Stop, then use File/Export to save the captured packets as a .CSV file.

Step Four

Log in to Copilot and upload the .CSV file, or simply copy and paste the .CSV contents into the prompt. Note that you have to give Copilot context for what it’s about to analyse, so enter “Can you analyse my Wireshark Capture?”

Step Five

Now that the .CSV file is uploaded, we are going to use the following tried and tested prompts to query the Wireshark capture. Again, be creative and use prompts that are applicable to your network context.

Example Prompts

1) Generate a table of all destination IPs by count
2) Extract HTTP/HTTPS URLs and hostnames from this capture
3) Produce a table mapping each hostname to the IP addresses
4) List the Azure services
5) Create a simplified diagram showing application traffic flows

Each of these prompts can be used individually to generate a range of responses from the AI interface.

Sample outputs for each of these are shown below.

1) Generate a table of all destination IPs by count

Copilot Output

Here is a table showing all destination IPs and their respective packet counts from your Wireshark capture:

Destination IP        Packet Count
192.168.1.103         251
170.72.245.107        22
Broadcast             19
192.168.1.254         13
142.250.140.95        13
54.72.168.67          11
142.250.140.94        11
170.72.245.205        10
52.97.241.162         9
170.72.245.159        9
142.251.168.84        8
142.250.151.139       8
44.215.118.141        6
84.17.50.23           6
51.116.246.106        6
20.42.72.131          6
40.99.218.98          5
3.254.239.146         5
40.79.141.153         5
3.254.239.211         4
79.127.216.203        4
13.107.246.64         4
52.108.50.37          4
224.0.0.22            3
13.107.213.64         3
216.239.38.120        3
18.244.124.40         1
Intel_49:ee:a9        1
99.86.114.110         1
81.130.101.42         1
Arcadyan_3e:7f:cb     1

ChatGPT Observations:

Top 5 Destination IPs:

  • 192.168.1.103 (your device)
  • 170.72.245.107
  • Broadcast
  • 192.168.1.254
  • 142.250.140.95

2) Extract HTTP/HTTPS URLs and hostnames from this capture

Copilot Output

Here are the DNS query domains extracted from your Wireshark capture:

Queried Domain
android.clients.google.com
eu-mobile.events.data.microsoft.com
browser.events.data.microsoft.com
mobile.events.data.microsoft.com
beacons.gcp.gvt2.com
locus-a.wbx2.com
p2p-ams1.discovery.steamserver.net
usersub-a.wbx2.com

Notes:

These domains suggest activity related to:

  • Google services (Android clients, telemetry)
  • Microsoft telemetry and event tracking
  • Webex conferencing

3) Produce a table mapping each hostname to the IP addresses

Copilot Output

Time        Source IP        Destination IP   Queried Domain
7.556889    192.168.1.103    192.168.1.254    android.clients.google.com
7.557313    192.168.1.103    192.168.1.254    android.clients.google.com
7.567039    192.168.1.254    192.168.1.103    android.clients.google.com
14.567532   192.168.1.103    192.168.1.254    eu-mobile.events.data.microsoft.com
14.571251   192.168.1.103    192.168.1.254    browser.events.data.microsoft.com
14.577466   192.168.1.254    192.168.1.103    eu-mobile.events.data.microsoft.com
14.584712   192.168.1.254    192.168.1.103    browser.events.data.microsoft.com
41.566887   192.168.1.103    192.168.1.254    mobile.events.data.microsoft.com
41.577699   192.168.1.254    192.168.1.103    mobile.events.data.microsoft.com
41.665562   192.168.1.103    192.168.1.254    beacons.gcp.gvt2.com
41.674859   192.168.1.254    192.168.1.103    beacons.gcp.gvt2.com
41.858747   192.168.1.103    192.168.1.254    locus-a.wbx2.com
41.874672   192.168.1.254    192.168.1.103    locus-a.wbx2.com
52.186135   192.168.1.103    192.168.1.254    usersub-a.wbx2.com
52.198327   192.168.1.254    192.168.1.103    usersub-a.wbx2.com

Notes:

As we can see, the timestamp logic is an arbitrary number that only Copilot can understand, which is clearly no help to us.

4) List the Azure services

Copilot Output

The DNS queries in the Wireshark capture include several Azure-related services, identified by domain names containing keywords like azure or microsoft. Here’s the list:

☁️ Azure Services Queried

  • eu-mobile.events.data.microsoft.com
  • browser.events.data.microsoft.com
  • mobile.events.data.microsoft.com
  • onedscolprdweu04.westeurope.cloudapp.azure.com
  • onedscolprdgwc00.germanywestcentral.cloudapp.azure.com
  • onedscolprdwus05.westus.cloudapp.azure.com
  • onedscolprdcus19.centralus.cloudapp.azure.com
  • onedscolprdeus01.eastus.cloudapp.azure.com
  • onedscolprdcus21.centralus.cloudapp.azure.com
  • onedscolprdweu04.westeurope.cloudapp.azure.com
  • onedscolprdcus19.centralus.cloudapp.azure.com
  • onedscolprdcus21.centralus.cloudapp.azure.com

Notes / Observations:

These domains are typically associated with Microsoft telemetry, event tracking, and cloud services hosted on Azure.
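Before (or instead of) uploading an export to a cloud assistant, the answers to prompts 1, 3 and 4 above can be produced deterministically from the same CSV, which gives you ground truth to check the assistant's tables against without the capture leaving your machine. This is an added Python example, not part of the original article or of Copilot's output; it assumes Wireshark's default packet-list CSV columns (No., Time, Source, Destination, Protocol, Length, Info), the DNS Info wording shown in the constructed sample, and IPv4 A-record answers only.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in the column layout of Wireshark's default packet-list CSV
# export; addresses are made up. "Time" is seconds since the first captured packet.
SAMPLE_CSV = """\
"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","192.168.1.103","192.168.1.254","DNS","86","Standard query 0x1a2b A android.clients.google.com"
"2","0.010311","192.168.1.254","192.168.1.103","DNS","118","Standard query response 0x1a2b A android.clients.google.com A 142.250.140.94"
"3","0.011004","192.168.1.103","142.250.140.94","TCP","66","51234  >  443 [SYN] Seq=0 Win=64240 Len=0"
"4","0.025117","192.168.1.103","192.168.1.254","DNS","97","Standard query 0x9c3d A onedscolprdweu04.westeurope.cloudapp.azure.com"
"5","0.036420","192.168.1.254","192.168.1.103","DNS","129","Standard query response 0x9c3d A onedscolprdweu04.westeurope.cloudapp.azure.com A 51.116.246.106"
"6","0.040002","192.168.1.103","51.116.246.106","TLSv1.2","583","Client Hello"
"7","0.041950","192.168.1.103","192.168.1.254","DNS","92","Standard query 0x4e5f A eu-mobile.events.data.microsoft.com"
"""

# Wireshark's DNS "Info" text: the queried name follows the record type, and each
# answer in a response is rendered as "<type> <value>" after the question.
QUERY_RE = re.compile(r"^Standard query(?: response)? 0x[0-9a-fA-F]+ (?:A|AAAA) (\S+)")
ANSWER_RE = re.compile(r" A (\d{1,3}(?:\.\d{1,3}){3})")  # IPv4 answers only (assumption)

def parse_export(text):
    """Read the CSV export into a list of row dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))

def destinations_by_count(rows):
    """Prompt 1: every Destination value with its packet count, most frequent first."""
    counts = Counter(r["Destination"] for r in rows)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def hostname_to_ips(rows):
    """Prompt 3: map each queried hostname to the IPv4 addresses in its DNS answers."""
    mapping = {}
    for r in rows:
        m = QUERY_RE.match(r["Info"]) if r["Protocol"] == "DNS" else None
        if m:  # unanswered queries are kept with an empty address list
            mapping.setdefault(m.group(1), set()).update(ANSWER_RE.findall(r["Info"]))
    return {host: sorted(ips) for host, ips in mapping.items()}

def azure_hosts(rows, keywords=("azure", "microsoft")):
    """Prompt 4: queried names containing an Azure/Microsoft keyword, deduplicated."""
    return sorted(h for h in hostname_to_ips(rows) if any(k in h for k in keywords))

if __name__ == "__main__":
    rows = parse_export(SAMPLE_CSV)
    print(destinations_by_count(rows), hostname_to_ips(rows), azure_hosts(rows), sep="\n")
```

Point `parse_export` at the text of your own export and the three functions give the counts, the hostname-to-address mapping and the deduplicated Azure/Microsoft host list directly from the packet list, so a duplicated entry like the ones in Copilot's list above cannot appear.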

5) Create a simplified diagram showing application traffic flows

Diagram Highlights:

  • Left side: Source IPs (e.g., your device)
  • Right side: Destination IPs labeled with their service type (e.g., Webex, Microsoft, Google)
  • Flow width: Represents the number of packets exchanged

Conclusion

Simply put, using Copilot for network analysis was an agonizing experience. It’s nowhere near ready to assist network engineers in making sense of network data. From the very first prompt, where I had to explicitly tell it to “analyze network data”, to the incomprehensible “gobble-de-goo” diagram it eventually produced, the entire process felt more frustrating than functional.

Throughout my evaluation, I was unable to identify a single scenario in which Copilot delivered meaningful assistance or performed better than ChatGPT. The model consistently failed to interpret packet captures accurately, frequently misclassifying protocol fields and misinterpreting fundamental networking terminology. In several test cases, Copilot produced generic or contextually irrelevant summaries that added little analytical value. Moreover, it required constant manual intervention: I had to repeatedly provide explicit contextual prompts and reference details that were already present in the supplied CSV file.

That said, Copilot does shine in other areas. Its AI-powered assistance across Microsoft 365 applications, automating routine Office tasks and offering contextual suggestions in Word, Excel, and Outlook, is genuinely impressive. When it comes to productivity in the Office suite, Copilot is leaps and bounds ahead. But for analysing network traffic? It’s simply not there yet.

Final thoughts: ChatGPT dramatically outperforms Copilot when it comes to analysing network data. It saves massive amounts of time and effort by parsing complex information and presenting it in a clear, easy-to-read format that can be shared effortlessly with colleagues. I’m afraid there is no bonus content with this one, guys.

Feedback & Further Discussion

This article is part of a three-part series on Wireshark analysis with AI tools; Part One (ChatGPT) and Part Three (Gemini) are also available. This article was written by our Senior Collaboration Architect, Dylan James. If you’d like to reach out to Dylan to discuss the article or any similar concepts, he’d be happy to hear from you. Please reach out to us via our contact page and we’ll put you in touch with him.

Thanks for reading.
