Hi everyone, continuing with the series of articles related to Azure Network Watcher, I want to show you how to use the packet capture tool from the command line. Packet captures are stored in an Azure storage account in a standard format and can be analyzed offline using tools such as Wireshark.

Prerequisites

  • Network Watcher must be enabled in your region. If you want to know how to enable it, check out this link.
  • The Azure Network Watcher extension must be installed on the target virtual machine to create packet captures. If you want to know how to enable it, check out this link.

Azure PowerShell Workaround 

If you want to know how to install the PowerShell Azure module on your machine, check out this link.

The simplest way to get started is to sign in interactively at the command line.

This cmdlet will bring up a dialog box prompting you for your email address and password associated with your Azure account.
If you have more than one subscription associated with your email account, you can choose the default subscription. To perform this task, we will use the following commands:

Once you set your default subscription, you’re ready to start.

Set the variables

Here, we define the characteristics of our environment and the resource’s properties.

Define a packet capture filter

A capture can include all packets or a filtered subset based on protocol and on local and remote IP addresses and ports. Use the New-AzPacketCaptureFilterConfig cmdlet to define the desired filter.

Start the packet capture

Once the filter is defined, you can start the capture using the New-AzNetworkWatcherPacketCapture cmdlet with the following syntax.

Check the packet capture status

If you want to check the status of the packet captures, you should use the Get-AzNetworkWatcherPacketCapture cmdlet with the following syntax.

Network Watcher packet capture

Stop the packet capture

Using the Stop-AzNetworkWatcherPacketCapture cmdlet, you can stop a running packet capture immediately.

Delete a packet capture

When a packet capture job is complete, you can remove this job with the Remove-AzNetworkWatcherPacketCapture cmdlet, but note that removing the job does not remove the resulting file stored in the storage account.
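The whole PowerShell procedure above (variables, filter, start, status check, stop, delete) as one added end-to-end example. This is not the post's own code; every resource name, the ports, and the time limit are assumed placeholders, and it assumes you are already signed in with a default subscription set.

```powershell
# Added example, not the original post's code. All names below are assumptions.
$resourceGroup  = "rg-demo"                    # assumption: resource group holding the VM and storage account
$vmName         = "vm-web01"                   # assumption: target VM (Network Watcher extension installed)
$storageAccount = "stdemocaptures"             # assumption: storage account that receives the .cap file
$watcherName    = "NetworkWatcher_westeurope"  # assumption: Network Watcher instance for the VM's region
$watcherRg      = "NetworkWatcherRG"           # assumption: its resource group
$captureName    = "capture-$(Get-Date -Format 'yyyyMMdd-HHmm')"

$nw      = Get-AzNetworkWatcher -Name $watcherName -ResourceGroupName $watcherRg
$vm      = Get-AzVM -ResourceGroupName $resourceGroup -Name $vmName
$storage = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount

# Filter: TCP only, restricted to the VM's web ports (assumed 80 and 443), any remote peer.
# A narrow filter, a short time limit and a per-packet byte cap keep the capture small
# and limit how much sensitive payload ends up in the storage account.
$filter = New-AzPacketCaptureFilterConfig -Protocol TCP -LocalPort "80;443"

New-AzNetworkWatcherPacketCapture -NetworkWatcher $nw `
    -TargetVirtualMachineId $vm.Id `
    -PacketCaptureName $captureName `
    -StorageAccountId $storage.Id `
    -TimeLimitInSeconds 120 `
    -BytesToCapturePerPacket 96 `
    -Filter $filter

# Poll the status until the session is no longer running, for at most ten polls.
$polls = 0
do {
    Start-Sleep -Seconds 15
    $status = Get-AzNetworkWatcherPacketCapture -NetworkWatcher $nw -PacketCaptureName $captureName
    $polls++
    Write-Host "Status: $($status.PacketCaptureStatus)"
} while ($status.PacketCaptureStatus -eq "Running" -and $polls -lt 10)

# Stop the capture ourselves only if it is still running after the polling window.
if ($status.PacketCaptureStatus -eq "Running") {
    Stop-AzNetworkWatcherPacketCapture -NetworkWatcher $nw -PacketCaptureName $captureName
}

# Remove the job. The .cap file in the storage account is NOT deleted by this call;
# clean it up (or let a lifecycle policy do so) once the offline analysis is finished.
Write-Host "Capture file: $($status.StorageLocation.StoragePath)"
Remove-AzNetworkWatcherPacketCapture -NetworkWatcher $nw -PacketCaptureName $captureName
```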

Azure CLI Workaround 

In this case, we will use Azure Cloud Shell, a browser-based shell built into Azure Portal. This allows us to use the Azure command-line tools (Azure CLI and Azure PowerShell) directly from a browser. If you want to know more about Azure Cloud Shell, check out this link.

First, we define the characteristics of our environment and store the values in variables.

Start the packet capture

To start a capture, you should use the following command. You can capture all packets or a filtered subset based on protocol, and local and remote IP addresses and ports.

Check the packet capture status

If you want to check the status of the packet captures, you should use the following command.

Network Watcher packet capture

Stop the packet capture

Using the following command, you can stop a running packet capture immediately.

Delete a packet capture

When a packet capture job completes, you can delete this job with the following command, but note that deleting the job does not delete the resulting file stored in the storage account.

Thanks for reading my post. I hope you find it helpful.

For more information about Network Watcher, see this link.