---
title: Manage packet captures with Azure Network Watcher - REST API | Microsoft Docs
description: This page explains how to manage the packet capture feature of Network Watcher using Azure REST API
services: network-watcher
documentationcenter: na
author: georgewallace
manager: timlt
editor: ''
ms.assetid: 53fe0324-835f-4005-afc8-145eeb314aeb
ms.service: network-watcher
ms.devlang: na
ms.topic: article
ms.tgt_pltfrm: na
ms.workload: infrastructure-services
ms.date: 02/22/2017
ms.author: gwallace
---
Network Watcher packet capture allows you to create capture sessions to track traffic to and from a virtual machine. Filters are provided for the capture session to ensure you capture only the traffic you want. Packet capture helps to diagnose network anomalies both reactively and proactively. Other uses include gathering network statistics, gaining information on network intrusions, debugging client-server communications, and much more. Because packet captures can be triggered remotely, this capability eases the burden of running a packet capture manually on the desired machine, which saves valuable time.
Important: Packet capture requires the virtual machine extension AzureNetworkWatcherExtension. To install the extension on a Windows VM, see Azure Network Watcher Agent virtual machine extension for Windows; for a Linux VM, see Azure Network Watcher Agent virtual machine extension for Linux.
This article takes you through the different management tasks that are currently available for packet capture.
- Get a packet capture
- List all packet captures
- Query the status of a packet capture
- Start a packet capture
- Stop a packet capture
- Delete a packet capture
In this scenario, you call the Network Watcher REST API to manage packet captures. ARMClient is used to call the REST API from PowerShell; it is available from Chocolatey (ARMClient on Chocolatey).
This scenario assumes you have already followed the steps in Create a Network Watcher to create a Network Watcher.
Log in with ARMClient before running any of the following examples:
```powershell
armclient login
```
Run the following script to return a virtual machine. This information is needed for starting a packet capture.
The following code needs variables:
- subscriptionId - The subscription ID can also be retrieved with the Get-AzureRmSubscription cmdlet.
- resourceGroupName - The name of a resource group that contains virtual machines.
```powershell
$subscriptionId = "<subscription id>"
$resourceGroupName = "<resource group name>"
armclient get "https://management.azure.com/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Compute/virtualMachines?api-version=2015-05-01-preview"
```
From the following output, the id of the virtual machine is used in the next example.
```json
...
    {
      "type": "Microsoft.Compute/virtualMachines",
      "location": "westcentralus",
      "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoExampleRG/providers/Microsoft.Compute/virtualMachines/ContosoVM",
      "name": "ContosoVM"
    }
  ]
}
```
The following example gets the status of a single packet capture. The querystatus call is an action on the packet capture resource, so it is sent as a POST.
```powershell
$subscriptionId = "<subscription id>"
$resourceGroupName = "NetworkWatcherRG"
$networkWatcherName = "NetworkWatcher_westcentralus"
$packetCaptureName = "TestPacketCapture5"
armclient post "https://management.azure.com/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkWatchers/${networkWatcherName}/packetCaptures/${packetCaptureName}/querystatus?api-version=2016-12-01"
```
The following responses are examples of a typical response returned when querying the status of a packet capture. The first shows a session that is still running; the second shows a session that stopped because its time limit was reached.
```json
{
  "name": "TestPacketCapture5",
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westcentralus/packetCaptures/TestPacketCapture6",
  "captureStartTime": "2016-12-06T17:20:01.5671279Z",
  "packetCaptureStatus": "Running",
  "packetCaptureError": []
}
```
```json
{
  "name": "TestPacketCapture5",
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westcentralus/packetCaptures/TestPacketCapture6",
  "captureStartTime": "2016-12-06T17:20:01.5671279Z",
  "packetCaptureStatus": "Stopped",
  "stopReason": "TimeExceeded",
  "packetCaptureError": []
}
```
The following example gets all packet capture sessions in a region.
```powershell
$subscriptionId = "<subscription id>"
$resourceGroupName = "NetworkWatcherRG"
$networkWatcherName = "NetworkWatcher_westcentralus"
armclient get "https://management.azure.com/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkWatchers/${networkWatcherName}/packetCaptures?api-version=2016-12-01"
```
The following response is an example of a typical response returned when getting all packet captures.
```json
{
  "value": [
    {
      "name": "TestPacketCapture6",
      "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westcentralus/packetCaptures/TestPacketCapture6",
      "etag": "W/\"091762e1-c23f-448b-89d5-37cf56e4c045\"",
      "properties": {
        "provisioningState": "Succeeded",
        "target": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoExampleRG/providers/Microsoft.Compute/virtualMachines/ContosoVM",
        "bytesToCapturePerPacket": 0,
        "totalBytesPerSession": 1073741824,
        "timeLimitInSeconds": 60,
        "storageLocation": {
          "storageId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoExampleRG/providers/Microsoft.Storage/storageAccounts/contosoexamplergdiag374",
          "storagePath": "https://contosoexamplergdiag374.blob.core.windows.net/network-watcher-logs/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/contosoexamplerg/providers/microsoft.compute/virtualmachines/contosovm/2016/12/06/packetcapture_17_19_53_056.cap",
          "filePath": "c:\\temp\\packetcapture.cap"
        },
        "filters": [
          {
            "protocol": "Any",
            "localIPAddress": "",
            "localPort": "",
            "remoteIPAddress": "",
            "remotePort": ""
          }
        ]
      }
    },
    {
      "name": "TestPacketCapture7",
      "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westcentralus/packetCaptures/TestPacketCapture7",
      "etag": "W/\"091762e1-c23f-448b-89d5-37cf56e4c045\"",
      "properties": {
        "provisioningState": "Failed",
        "target": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoExampleRG/providers/Microsoft.Compute/virtualMachines/ContosoVM",
        "bytesToCapturePerPacket": 0,
        "totalBytesPerSession": 1073741824,
        "timeLimitInSeconds": 60,
        "storageLocation": {
          "storageId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoExampleRG/providers/Microsoft.Storage/storageAccounts/contosoexamplergdiag374",
          "storagePath": "https://contosoexamplergdiag374.blob.core.windows.net/network-watcher-logs/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/contosoexamplerg/providers/microsoft.compute/virtualmachines/contosovm/2016/12/06/packetcapture_17_23_15_364.cap",
          "filePath": "c:\\temp\\packetcapture.cap"
        },
        "filters": [
          {
            "protocol": "Any",
            "localIPAddress": "",
            "localPort": "",
            "remoteIPAddress": "",
            "remotePort": ""
          }
        ]
      }
    }
  ]
}
```
The following example queries the status of a packet capture. As in the earlier status example, querystatus is an action and is therefore sent as a POST rather than a GET.
```powershell
$subscriptionId = "<subscription id>"
$resourceGroupName = "NetworkWatcherRG"
$networkWatcherName = "NetworkWatcher_westcentralus"
$packetCaptureName = "TestPacketCapture5"
armclient post "https://management.azure.com/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkWatchers/${networkWatcherName}/packetCaptures/${packetCaptureName}/querystatus?api-version=2016-12-01"
```
The following response is an example of a typical response returned when querying the status of a packet capture.
```json
{
  "name": "vm1PacketCapture",
  "id": "/subscriptions/{guid}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkWatchers/{networkWatcherName}/packetCaptures/{packetCaptureName}",
  "captureStartTime": "9/7/2016 12:35:24PM",
  "packetCaptureStatus": "Stopped",
  "stopReason": "TimeExceeded",
  "packetCaptureError": []
}
```
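Both status examples above return the same shape: a `packetCaptureStatus`, a `stopReason` once the session has stopped, and a `packetCaptureError` list. The following Python script is an added example, not part of this article or of ARMClient; it builds the querystatus URL used above, wraps the call in a standard-library POST request, and polls a capture until it reaches a terminal state, treating any `packetCaptureError` entry as a failure rather than a success. The sample responses are constructed from the shapes shown on this page; the non-empty error value and the bearer token are placeholders, and `live_fetch` is the only part that touches the network.

```python
import json
import urllib.request
from typing import Any, Callable, Dict, Iterable, Tuple

ARM = "https://management.azure.com"
API_VERSION = "2016-12-01"


def querystatus_url(subscription_id: str, resource_group: str,
                    watcher_name: str, capture_name: str) -> str:
    """URL of the querystatus action, matching the armclient examples on this page."""
    return (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Network/networkWatchers/{watcher_name}"
            f"/packetCaptures/{capture_name}/querystatus?api-version={API_VERSION}")


def build_status_request(url: str, bearer_token: str) -> urllib.request.Request:
    """querystatus is an ARM action, so it is a POST with an empty body, not a GET."""
    return urllib.request.Request(
        url, data=b"", method="POST",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"})


def live_fetch(req: urllib.request.Request) -> Dict[str, Any]:
    """Send the request and decode the JSON body (network call, not exercised offline)."""
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode("utf-8"))


def classify(status_doc: Dict[str, Any]) -> Tuple[str, str]:
    """Map one querystatus response to ('running' | 'done' | 'error', detail).

    Errors are checked first: a session can carry packetCaptureError entries
    whatever the status string says, and those must never read as success.
    """
    errors = status_doc.get("packetCaptureError") or []
    if errors:
        return "error", "; ".join(str(e) for e in errors)
    state = status_doc.get("packetCaptureStatus", "")
    if state == "Stopped":
        return "done", status_doc.get("stopReason", "unspecified")
    if state == "Running":
        return "running", status_doc.get("captureStartTime", "")
    # Any other status value is unexpected for this shape; surface it as a failure.
    return "error", f"unexpected status {state!r}"


def wait_for_capture(fetch: Callable[[], Dict[str, Any]],
                     max_polls: int = 10) -> Tuple[str, str, int]:
    """Poll fetch() until the capture is no longer running; returns (outcome, detail, polls).

    In real use add a delay between polls (for example time.sleep) so that a
    60-second capture is not hammered with status requests.
    """
    for polls in range(1, max_polls + 1):
        outcome, detail = classify(fetch())
        if outcome != "running":
            return outcome, detail, polls
    return "timeout", f"still running after {max_polls} polls", max_polls


def scripted_fetch(responses: Iterable[Dict[str, Any]]) -> Callable[[], Dict[str, Any]]:
    """Offline stand-in for live_fetch that replays canned responses in order."""
    it = iter(responses)
    return lambda: next(it)


# Constructed sample responses, shaped like the ones shown on this page.
RUNNING = {"name": "TestPacketCapture5",
           "captureStartTime": "2016-12-06T17:20:01.5671279Z",
           "packetCaptureStatus": "Running", "packetCaptureError": []}
STOPPED = dict(RUNNING, packetCaptureStatus="Stopped", stopReason="TimeExceeded")
# Assumed failure response: the page only ever shows an empty packetCaptureError list.
FAILED = dict(RUNNING, packetCaptureStatus="Stopped",
              packetCaptureError=["AgentStopped (constructed value)"])

if __name__ == "__main__":
    url = querystatus_url("00000000-0000-0000-0000-000000000000", "NetworkWatcherRG",
                          "NetworkWatcher_westcentralus", "TestPacketCapture5")
    print(build_status_request(url, "<bearer token placeholder>").get_method(), url)
    print(wait_for_capture(scripted_fetch([RUNNING, RUNNING, STOPPED])))
    print(wait_for_capture(scripted_fetch([RUNNING, FAILED])))
```

To run it against a real session, obtain a bearer token for the management endpoint and pass `lambda: live_fetch(build_status_request(url, token))` as the `fetch` argument; the polling logic and the error handling are unchanged.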
The following example creates a packet capture on a virtual machine. The example is parameterized so the same script can be reused for different targets, limits, and filters. The target and storage values are resource IDs of the form returned by the virtual machine query earlier in this article; the local file path is written into JSON, so its backslashes are doubled.
```powershell
$subscriptionId = "<subscription id>"
$resourceGroupName = "NetworkWatcherRG"
$networkWatcherName = "NetworkWatcher_westcentralus"
$packetCaptureName = "TestPacketCapture5"
$vmResourceGroupName = "ContosoExampleRG"   # Resource group of the target VM and its storage account
$vmName = "ContosoVM"
$storageAccountName = "contosoexamplergdiag374"
$bytesToCapturePerPacket = 0                 # 0 captures the whole packet
$bytesPerSession = 1073741824                # 1 GB cap on the capture file
$captureTimeInSeconds = 60
$localIP = ""
$localPort = ""                              # Examples are: 80, or 80-120
$remoteIP = ""
$remotePort = ""                             # Examples are: 80, or 80-120
$protocol = "Any"                            # Valid values are TCP, UDP and Any.
# Resource ID of the VM to capture on (the "id" value from the virtual machine query above)
$targetUri = "/subscriptions/${subscriptionId}/resourceGroups/${vmResourceGroupName}/providers/Microsoft.Compute/virtualMachines/${vmName}"
# Resource ID of the storage account that receives the .cap file
$storageId = "/subscriptions/${subscriptionId}/resourceGroups/${vmResourceGroupName}/providers/Microsoft.Storage/storageAccounts/${storageAccountName}"
$storagePath = ""                            # Optional blob URL, for example: https://${storageAccountName}.blob.core.windows.net/capture/vm1Capture.cap
$localFilePath = "c:\\temp\\packetcapture.cap"   # Path on the VM, for example: d:\\capture\\vm1Capture.cap
$requestBody = @"
{
  "properties": {
    "target": "${targetUri}",
    "bytesToCapturePerPacket": ${bytesToCapturePerPacket},
    "totalBytesPerSession": ${bytesPerSession},
    "timeLimitInSeconds": ${captureTimeInSeconds},
    "storageLocation": {
      "storageId": "${storageId}",
      "storagePath": "${storagePath}",
      "filePath": "${localFilePath}"
    },
    "filters": [
      {
        "protocol": "${protocol}",
        "localIPAddress": "${localIP}",
        "localPort": "${localPort}",
        "remoteIPAddress": "${remoteIP}",
        "remotePort": "${remotePort}"
      }
    ]
  }
}
"@
armclient put "https://management.azure.com/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkWatchers/${networkWatcherName}/packetCaptures/${packetCaptureName}?api-version=2016-12-01" $requestBody
```
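The request body above is the part that most often goes wrong in practice: a malformed port range, an unknown protocol name, a target that is not a VM resource ID, or a session with nowhere to write its file. The following Python helper is an added example (not this article's code and not an Azure SDK) that builds the same body with the same property names and checks it before it is sent; the resource-ID helpers reproduce the ID formats shown in this article's responses, the `check_body` rules are this example's own assumptions about what a sane request looks like, and `capture_url` is the PUT/DELETE URL from the examples on this page.

```python
import json
import re
from typing import Any, Dict, List

ARM = "https://management.azure.com"
API_VERSION = "2016-12-01"
PROTOCOLS = {"TCP", "UDP", "Any"}                 # the values listed in the page's comment
_PORT_SPEC = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def is_valid_port(spec: str) -> bool:
    """'' (no filter), a single port '80', or a range '80-120' with 0 <= low <= high <= 65535."""
    if spec == "":
        return True
    m = _PORT_SPEC.match(spec)
    if not m:
        return False
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    return 0 <= low <= high <= 65535


def vm_resource_id(subscription_id: str, resource_group: str, vm_name: str) -> str:
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Compute/virtualMachines/{vm_name}")


def storage_account_id(subscription_id: str, resource_group: str, account_name: str) -> str:
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Storage/storageAccounts/{account_name}")


def capture_url(subscription_id: str, resource_group: str, watcher_name: str, capture_name: str) -> str:
    """PUT here starts the capture; DELETE here removes the session (the .cap file stays in storage)."""
    return (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Network/networkWatchers/{watcher_name}"
            f"/packetCaptures/{capture_name}?api-version={API_VERSION}")


def build_capture_body(target_id: str, *, storage_id: str = "", storage_path: str = "",
                       file_path: str = "", bytes_per_packet: int = 0,
                       total_bytes: int = 1073741824, time_limit: int = 60,
                       protocol: str = "Any", local_ip: str = "", local_port: str = "",
                       remote_ip: str = "", remote_port: str = "") -> Dict[str, Any]:
    """Assemble the packet capture PUT body with the property names used on this page."""
    body = {"properties": {
        "target": target_id,
        "bytesToCapturePerPacket": bytes_per_packet,      # 0 = whole packet
        "totalBytesPerSession": total_bytes,
        "timeLimitInSeconds": time_limit,
        "storageLocation": {"storageId": storage_id, "storagePath": storage_path,
                            "filePath": file_path},
        "filters": [{"protocol": protocol, "localIPAddress": local_ip,
                     "localPort": local_port, "remoteIPAddress": remote_ip,
                     "remotePort": remote_port}],
    }}
    problems = check_body(body)
    if problems:
        raise ValueError("; ".join(problems))
    return body


def check_body(body: Dict[str, Any]) -> List[str]:
    """Return a list of problems (empty when the body is acceptable). Rules are this example's own."""
    p = body.get("properties", {})
    problems: List[str] = []
    if not str(p.get("target", "")).startswith("/subscriptions/") or \
            "/providers/Microsoft.Compute/virtualMachines/" not in str(p.get("target", "")):
        problems.append("target must be the resource ID of a virtual machine")
    loc = p.get("storageLocation", {})
    if not (loc.get("storageId") or loc.get("filePath")):
        problems.append("storageLocation needs a storageId and/or a filePath for the .cap file")
    if p.get("bytesToCapturePerPacket", 0) < 0 or p.get("totalBytesPerSession", 0) <= 0 \
            or p.get("timeLimitInSeconds", 0) <= 0:
        problems.append("totalBytesPerSession and timeLimitInSeconds must be positive")
    for f in p.get("filters", []):
        if f.get("protocol") not in PROTOCOLS:
            problems.append(f"protocol must be one of {sorted(PROTOCOLS)}, got {f.get('protocol')!r}")
        for key in ("localPort", "remotePort"):
            if not is_valid_port(str(f.get(key, ""))):
                problems.append(f"{key}: expected '', '80' or '80-120', got {f.get(key)!r}")
    return problems


def to_json(body: Dict[str, Any]) -> str:
    """Serialize for the PUT; json.dumps escapes the Windows path backslashes correctly."""
    return json.dumps(body, indent=2)


if __name__ == "__main__":
    sub = "00000000-0000-0000-0000-000000000000"   # placeholder subscription
    body = build_capture_body(vm_resource_id(sub, "ContosoExampleRG", "ContosoVM"),
                              storage_id=storage_account_id(sub, "ContosoExampleRG", "contosoexamplergdiag374"),
                              file_path="c:\\temp\\packetcapture.cap",
                              protocol="TCP", remote_port="80-120")
    print(capture_url(sub, "NetworkWatcherRG", "NetworkWatcher_westcentralus", "TestPacketCapture5"))
    print(to_json(body))
```

Narrowing the filter (a protocol and a port range rather than `Any` with empty ports) is also the simplest way to keep unrelated traffic, and whatever sensitive payloads it carries, out of the capture file that lands in the storage account.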
The following example stops a packet capture on a virtual machine. The example is parameterized so the same script can be reused for different captures.
```powershell
$subscriptionId = "<subscription id>"
$resourceGroupName = "NetworkWatcherRG"
$networkWatcherName = "NetworkWatcher_westcentralus"
$packetCaptureName = "TestPacketCapture5"
armclient post "https://management.azure.com/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkWatchers/${networkWatcherName}/packetCaptures/${packetCaptureName}/stop?api-version=2016-12-01"
```
The following example deletes a packet capture on a virtual machine. The example is parameterized so the same script can be reused for different captures.
```powershell
$subscriptionId = "<subscription id>"
$resourceGroupName = "NetworkWatcherRG"
$networkWatcherName = "NetworkWatcher_westcentralus"
$packetCaptureName = "TestPacketCapture5"
armclient delete "https://management.azure.com/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkWatchers/${networkWatcherName}/packetCaptures/${packetCaptureName}?api-version=2016-12-01"
```
Note: Deleting a packet capture does not delete the .cap file in the storage account; remove it separately if it is no longer needed.
For instructions on downloading files from Azure storage accounts, see Get started with Azure Blob storage using .NET. Another tool that can be used is Storage Explorer; more information is available at Storage Explorer.
Learn how to automate packet captures with virtual machine alerts by viewing Create an alert triggered packet capture.