| title | description | services | documentationcenter | author | manager | editor | ms.assetid | ms.service | ms.devlang | ms.topic | ms.tgt_pltfrm | ms.workload | ms.date | ms.author |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Manage packet captures with Azure Network Watcher - PowerShell | Microsoft Docs |
This page explains how to manage the packet capture feature of Network Watcher using PowerShell |
network-watcher |
na |
georgewallace |
timlt |
04d82085-c9ea-4ea1-b050-a3dd4960f3aa |
network-watcher |
na |
article |
na |
infrastructure-services |
02/22/2017 |
gwallace |
[!div class="op_single_selector"]
Network Watcher packet capture allows you to create capture sessions to track traffic to and from a virtual machine. Filters are provided for the capture session to ensure you capture only the traffic you want. Packet capture helps to diagnose network anomalies both reactively and proactively. Other uses include gathering network statistics, gaining information on network intrusions, to debug client-server communications and much more. By being able to remotely trigger packet captures, this capability eases the burden of running a packet capture manually and on the desired machine, which saves valuable time.
This article takes you through the different management tasks that are currently available for packet capture.
This article assumes you have the following resources:
- An instance of Network Watcher in the region you want to create a packet capture
- A virtual machine with the packet capture extension enabled.
Important
Packet capture requires a virtual machine extension AzureNetworkWatcherExtension. For installing the extension on a Windows VM visit Azure Network Watcher Agent virtual machine extension for Windows and for Linux VM visit Azure Network Watcher Agent virtual machine extension for Linux.
$VM = Get-AzurermVM -ResourceGroupName testrg -Name VM1 The following example retrieves the extension information needed to run the Set-AzureRmVMExtension cmdlet. This cmdlet installs the packet capture agent on the guest virtual machine.
Note
The Set-AzureRmVMExtension cmdlet may take several minutes to complete.
For Windows virtual machines:
$AzureNetworkWatcherExtension = Get-AzureRmVMExtensionImage -Location WestCentralUS -PublisherName Microsoft.Azure.NetworkWatcher -Type NetworkWatcherAgentWindows -Version 1.4.13.0
$ExtensionName = "AzureNetworkWatcherExtension"
Set-AzureRmVMExtension -ResourceGroupName $VM.ResourceGroupName -Location $VM.Location -VMName $VM.Name -Name $ExtensionName -Publisher $AzureNetworkWatcherExtension.PublisherName -ExtensionType $AzureNetworkWatcherExtension.Type -TypeHandlerVersion $AzureNetworkWatcherExtension.Version.Substring(0,3)For Linux virtual machines:
$AzureNetworkWatcherExtension = Get-AzureRmVMExtensionImage -Location WestCentralUS -PublisherName Microsoft.Azure.NetworkWatcher -Type NetworkWatcherAgentLinux -Version 1.4.13.0
$ExtensionName = "AzureNetworkWatcherExtension"
Set-AzureRmVMExtension -ResourceGroupName $VM.ResourceGroupName -Location $VM.Location -VMName $VM.Name -Name $ExtensionName -Publisher $AzureNetworkWatcherExtension.PublisherName -ExtensionType $AzureNetworkWatcherExtension.Type -TypeHandlerVersion $AzureNetworkWatcherExtension.Version.Substring(0,3)The following example is a successful response after running the Set-AzureRmVMExtension cmdlet.
RequestId IsSuccessStatusCode StatusCode ReasonPhrase
--------- ------------------- ---------- ------------
True OK OK
To ensure that the agent is installed, run the Get-AzureRmVMExtension cmdlet and pass it the virtual machine name and the extension name.
Get-AzureRmVMExtension -ResourceGroupName $VM.ResourceGroupName -VMName $VM.Name -Name $ExtensionName The following sample is an example of the response from running Get-AzureRmVMExtension
ResourceGroupName : testrg
VMName : testvm1
Name : AzureNetworkWatcherExtension
Location : westcentralus
Etag : null
Publisher : Microsoft.Azure.NetworkWatcher
ExtensionType : NetworkWatcherAgentWindows
TypeHandlerVersion : 1.4
Id : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testrg/providers/Microsoft.Compute/virtualMachines/testvm1/
extensions/AzureNetworkWatcherExtension
PublicSettings :
ProtectedSettings :
ProvisioningState : Succeeded
Statuses :
SubStatuses :
AutoUpgradeMinorVersion : True
ForceUpdateTag :
Once the preceding steps are complete, the packet capture agent is installed on the virtual machine.
The next step is to retrieve the Network Watcher instance. This variable is passed to the New-AzureRmNetworkWatcherPacketCapture cmdlet in step 4.
$nw = Get-AzurermResource | Where {$_.ResourceType -eq "Microsoft.Network/networkWatchers" -and $_.Location -eq "WestCentralUS" }
$networkWatcher = Get-AzureRmNetworkWatcher -Name $nw.Name -ResourceGroupName $nw.ResourceGroupName Retrieve a storage account. This storage account is used to store the packet capture file.
$storageAccount = Get-AzureRmStorageAccount -ResourceGroupName testrg -Name testrgsa123Filters can be used to limit the data that is stored by the packet capture. The following example sets up two filters. One filter collects outgoing TCP traffic only from local IP 10.0.0.3 to destination ports 20, 80 and 443. The second filter collects only UDP traffic.
$filter1 = New-AzureRmPacketCaptureFilterConfig -Protocol TCP -RemoteIPAddress "1.1.1.1-255.255.255" -LocalIPAddress "10.0.0.3" -LocalPort "1-65535" -RemotePort "20;80;443"
$filter2 = New-AzureRmPacketCaptureFilterConfig -Protocol UDPNote
Multiple filters can be defined for a packet capture.
Run the New-AzureRmNetworkWatcherPacketCapture cmdlet to start the packet capture process, passing the required values retrieved in the preceding steps.
New-AzureRmNetworkWatcherPacketCapture -NetworkWatcher $networkWatcher -TargetVirtualMachineId $vm.Id -PacketCaptureName "PacketCaptureTest" -StorageAccountId $storageAccount.id -TimeLimitInSeconds 60 -Filters $filter1, $filter2The following example is the expected output from running the New-AzureRmNetworkWatcherPacketCapture cmdlet.
Name : PacketCaptureTest
Id : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatcher
s/NetworkWatcher_westcentralus/packetCaptures/PacketCaptureTest
Etag : W/"3bf27278-8251-4651-9546-c7f369855e4e"
ProvisioningState : Succeeded
Target : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testrg/providers/Microsoft.Compute/virtualMachines/testvm1
BytesToCapturePerPacket : 0
TotalBytesPerSession : 1073741824
TimeLimitInSeconds : 60
StorageLocation : {
"StorageId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testrg/providers/Microsoft.Storage/storageA
ccounts/examplestorage",
"StoragePath": "https://examplestorage.blob.core.windows.net/network-watcher-logs/subscriptions/00000000-0000-0000-0000-00000
0000000/resourcegroups/testrg/providers/microsoft.compute/virtualmachines/testvm1/2017/02/01/packetcapture_22_42_48_238.cap"
}
Filters : [
{
"Protocol": "TCP",
"RemoteIPAddress": "1.1.1.1-255.255.255",
"LocalIPAddress": "10.0.0.3",
"LocalPort": "1-65535",
"RemotePort": "20;80;443"
},
{
"Protocol": "UDP",
"RemoteIPAddress": "",
"LocalIPAddress": "",
"LocalPort": "",
"RemotePort": ""
}
]
Running the Get-AzureRmNetworkWatcherPacketCapture cmdlet, retrieves the status of a currently running, or completed packet capture.
Get-AzureRmNetworkWatcherPacketCapture -NetworkWatcher $networkWatcher -PacketCaptureName "PacketCaptureTest"The following example is the output from the Get-AzureRmNetworkWatcherPacketCapture cmdlet. The following example is after the capture is complete. The PacketCaptureStatus value is Stopped, with a StopReason of TimeExceeded. This value shows that the packet capture was successful and ran its time.
Name : PacketCaptureTest
Id : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatcher
s/NetworkWatcher_westcentralus/packetCaptures/PacketCaptureTest
Etag : W/"4b9a81ed-dc63-472e-869e-96d7166ccb9b"
ProvisioningState : Succeeded
Target : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testrg/providers/Microsoft.Compute/virtualMachines/testvm1
BytesToCapturePerPacket : 0
TotalBytesPerSession : 1073741824
TimeLimitInSeconds : 60
StorageLocation : {
"StorageId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testrg/providers/Microsoft.Storage/storageA
ccounts/examplestorage",
"StoragePath": "https://examplestorage.blob.core.windows.net/network-watcher-logs/subscriptions/00000000-0000-0000-0000-00000
0000000/resourcegroups/testrg/providers/microsoft.compute/virtualmachines/testvm1/2017/02/01/packetcapture_22_42_48_238.cap"
}
Filters : [
{
"Protocol": "TCP",
"RemoteIPAddress": "1.1.1.1-255.255.255",
"LocalIPAddress": "10.0.0.3",
"LocalPort": "1-65535",
"RemotePort": "20;80;443"
},
{
"Protocol": "UDP",
"RemoteIPAddress": "",
"LocalIPAddress": "",
"LocalPort": "",
"RemotePort": ""
}
]
CaptureStartTime : 2/1/2017 10:43:01 PM
PacketCaptureStatus : Stopped
StopReason : TimeExceeded
PacketCaptureError : []
By running the Stop-AzureRmNetworkWatcherPacketCapture cmdlet, if a capture session is in progress it is stopped.
Stop-AzureRmNetworkWatcherPacketCapture -NetworkWatcher $networkWatcher -PacketCaptureName "PacketCaptureTest"Note
The cmdlet returns no response when ran on a currently running capture session or an existing session that has already stopped.
Remove-AzureRmNetworkWatcherPacketCapture -NetworkWatcher $networkWatcher -PacketCaptureName "PacketCaptureTest"Note
Deleting a packet capture does not delete the file in the storage account.
Once your packet capture session has completed, the capture file can be uploaded to blob storage or to a local file on the VM. The storage location of the packet capture is defined at creation of the session. A convenient tool to access these capture files saved to a storage account is Microsoft Azure Storage Explorer, which can be downloaded here: http://storageexplorer.com/
If a storage account is specified, packet capture files are saved to a storage account at the following location:
https://{storageAccountName}.blob.core.windows.net/network-watcher-logs/subscriptions/{subscriptionId}/resourcegroups/{storageAccountResourceGroup}/providers/microsoft.compute/virtualmachines/{VMName}/{year}/{month}/{day}/packetCapture_{creationTime}.cap
Learn how to automate packet captures with Virtual machine alerts by viewing Create an alert triggered packet capture
Find if certain traffic is allowed in orr out of your VM by visiting Check IP flow verify