Manage packet captures in virtual machines with Azure Network Watcher using the Azure portal
Network Watcher packet capture allows you to create capture sessions to track traffic to and from a virtual machine. Filters are provided for the capture session to ensure you capture only the traffic you want. Packet capture helps to diagnose network anomalies, both reactively, and proactively. Other uses include gathering network statistics, gaining information on network intrusions, to debug client-server communication, and much more. Being able to remotely trigger packet captures, eases the burden of running a packet capture manually on a desired virtual machine, which saves valuable time.
In this article, you learn to start, stop, download, and delete a packet capture.
Prerequisites
- An Azure account with an active subscription. Create one for free.
- A virtual machine with the following outbound TCP connectivity:
- to the chosen storage account over port 443
- to 169.254.169.254 over port 80
- to 168.63.129.16 over port 8037
Note
The ports mentioned in the latter two cases are common across all Network Watcher features that involve the Network Watcher extension and might occasionally change.
If a network security group is associated to the network interface, or subnet that the network interface is in, ensure that rules exist to allow outbound connectivity over the previous ports. Similarly, ensure outbound connectivity over the previous ports when adding user-defined routes to your network.
Start a packet capture
Sign in to the Azure portal.
In the search box at the top of the portal, enter Network Watcher.
In the search results, select Network Watcher.
Select Packet capture under Network diagnostic tools. Any existing packet captures are listed, regardless of their status.
Select + Add to create a packet capture. In Add packet capture, enter or select values for the following settings:
Setting Value Basic Details Subscription Select the Azure subscription of the virtual machine. Resource group Select the resource group of the virtual machine. Target type Select Virtual machine. Target instance Select the virtual machine. Packet capture name Enter a name or leave the default name. Packet capture configuration Capture location Select Storage account, File, or Both. Storage account Select your Standard storage account.
This option is available if you selected Storage account or Both.Local file path Enter a valid local file path where you want the capture to be saved in the target virtual machine. If you're using a Linux machine, the path must start with /var/captures.
This option is available if you selected File or Both.Maximum bytes per packet Enter the maximum number of bytes to be captured per each packet. All bytes are captured if left blank or 0 entered. Maximum bytes per session Enter the total number of bytes that are captured. Once the value is reached the packet capture stops. Up to 1 GB is captured if left blank. Time limit (seconds) Enter the time limit of the packet capture session in seconds. Once the value is reached the packet capture stops. Up to 5 hours (18,000 seconds) is captured if left blank. Filtering (optional) Add filter criteria Select Add filter criteria to add a new filter. Protocol Filters the packet capture based on the selected protocol. Available values are TCP, UDP, or Any. Local IP address Filters the packet capture for packets where the local IP address matches this value. Local port Filters the packet capture for packets where the local port matches this value. Remote IP address Filters the packet capture for packets where the remote IP address matches this value. Remote port Filters the packet capture for packets where the remote port matches this value. Note
Premium storage accounts are currently not supported for storing packet captures.
Note
Port and IP address values can be a single value, multiple values, or a range, such as 80-1024, for port. You can define as many filters as you need.
Select Start packet capture.
Once the time limit set on the packet capture is reached, the packet capture stops and can be reviewed. To manually stop a packet capture session before it reaches its time limit, select the ... on the right-side of the packet capture in Packet capture page, or right-click it, then select Stop.
Note
The Azure portal automatically:
Delete a packet capture
Sign in to the Azure portal.
In the search box at the top of the portal, enter Network Watcher, then select Network Watcher from the search results.
Select Packet capture under Network diagnostic tools.
In the Packet capture page, select ... on the right-side of the packet capture that you want to delete, or right-click it, then select Delete.
Select Yes.
Note
Deleting a packet capture does not delete the capture file in the storage account or on the virtual machine.
Download a packet capture
Once your packet capture session has completed, the capture file is saved to a blob storage or a local file on the target virtual machine. The storage location of the packet capture is defined during creation of the packet capture. A convenient tool to access capture files saved to a storage account is Azure Storage Explorer, which you can download after selecting the operating system.
If a storage account is specified, packet capture files are saved to a storage account at the following location:
https://{storageAccountName}.blob.core.windows.net/network-watcher-logs/subscriptions/{subscriptionId}/resourcegroups/{storageAccountResourceGroup}/providers/microsoft.compute/virtualmachines/{VMName}/{year}/{month}/{day}/packetCapture_{creationTime}.cap
If a file path is specified, the capture file can be viewed on the virtual machine or downloaded.
Next steps
- To learn how to automate packet captures with virtual machine alerts, see Create an alert triggered packet capture.
- To determine whether specific traffic is allowed in or out of a virtual machine, see Diagnose a virtual machine network traffic filter problem.
Feedback
Submit and view feedback for