Jorge Bernhardt
How to use Packet captures with Azure Network Watcher


Hi everyone, continuing with the series of articles related to Azure Network Watcher, I want to show you how to use the packet capture tool from the command line. Packet captures are written in a standard format, stored in an Azure storage account, and can be analyzed offline with tools such as Wireshark.

Prerequisites

  • Network Watcher must be enabled in your region. If you want to know how to enable it, check out this link.
  • The Azure Network Watcher extension must be installed on the target virtual machine to create packet captures. If you want to know how to enable it, check out this link.

Azure PowerShell Workaround

If you want to know how to install the Azure PowerShell module on your machine, check out this link. The simplest way to get started is to sign in interactively at the command line.

Connect-AzAccount

This cmdlet brings up a dialog box prompting you for the email address and password associated with your Azure account. If more than one subscription is associated with your account, you can choose the default subscription with the following commands:

Get-AzSubscription
Select-AzSubscription -Subscription "My Subscription"

Once you set your default subscription, you’re ready to start.

Set the variables

Here, we define the characteristics of our environment and the resource’s properties.

$resourceGroupName = "RG-DEMO-WE"
$location = "westeurope"
$storageAccountName = "storageaccountdemowe"
$vmName = "VM-DEMO-WE"

### Get Storage Account to store the capture ###

$storageAccount = Get-AzStorageAccount `
    -Name $storageAccountName `
    -ResourceGroupName $resourceGroupName

### Get the VM whose traffic will be captured ###

$VM = Get-AzVM `
    -Name $vmName `
    -ResourceGroupName $resourceGroupName

### Get the network watcher resource ###

$nwResource = Get-AzResource `
    | Where-Object {$_.ResourceType -eq "Microsoft.Network/networkwatchers" -and $_.Location -eq $location}

$networkWatcher = Get-AzNetworkWatcher `
    -Name $nwResource.Name `
    -ResourceGroupName $nwResource.ResourceGroupName

Define a packet capture filter

A capture can include all packets or a filtered subset based on protocol and on local and remote IP addresses and ports. Use the New-AzPacketCaptureFilterConfig cmdlet to define the desired filter.

$filter = New-AzPacketCaptureFilterConfig `
    -Protocol TCP `
    -RemoteIPAddress "1.1.1.1-255.255.255.255" `
    -LocalIPAddress "10.0.1.5" `
    -LocalPort "1-65535" `
    -RemotePort "443;80"

Start the packet capture

Once the filter is defined, you can start the capture using the New-AzNetworkWatcherPacketCapture cmdlet with the following syntax.

New-AzNetworkWatcherPacketCapture `
    -PacketCaptureName "PacketCapturePS" `
    -NetworkWatcher $networkWatcher `
    -TargetVirtualMachineId $vm.Id `
    -StorageAccountId $storageAccount.Id `
    -TimeLimitInSeconds 120 `
    -Filter $filter
### The -TimeLimitInSeconds parameter sets the maximum duration of the capture session in seconds ###

Check the packet capture status

If you want to check the status of the packet captures, you should use the Get-AzNetworkWatcherPacketCapture cmdlet with the following syntax.

Get-AzNetworkWatcherPacketCapture `
    -PacketCaptureName "PacketCapturePS" `
    -NetworkWatcher $networkWatcher `
    |select-object Name,ProvisioningState,PacketCaptureStatus,StopReason `
    |format-table


Stop the packet capture

Using the Stop-AzNetworkWatcherPacketCapture cmdlet, you can stop the packet capture immediately, before its time limit is reached.

Stop-AzNetworkWatcherPacketCapture -PacketCaptureName "PacketCapturePS" `
                                   -NetworkWatcher $networkWatcher

Delete a packet capture

When a packet capture job is complete, you can remove this job with the Remove-AzNetworkWatcherPacketCapture cmdlet, but note that removing the job does not remove the resulting file stored in the storage account.

Get-AzNetworkWatcherPacketCapture `
    -NetworkWatcher $networkWatcher `
    |select-object Name,ProvisioningState,PacketCaptureStatus `
    |format-table

Remove-AzNetworkWatcherPacketCapture  `
    -PacketCaptureName "PacketCapturePS" `
    -NetworkWatcher $networkWatcher
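As an added example (not part of the original post), the following PowerShell function strings the steps above together: it starts the capture, polls Get-AzNetworkWatcherPacketCapture until the session has stopped, downloads the resulting .cap file from the storage account for analysis in Wireshark, and removes the job. It assumes $networkWatcher, $VM, $storageAccount and $filter are set as in the preceding sections and that StorageLocation.StoragePath on the capture result is the full blob URL; the function name Invoke-DemoPacketCapture is made up for this example. The same sequence applies to the Azure CLI commands in the next section.

```powershell
function Invoke-DemoPacketCapture {
    param(
        [string]$Name = "PacketCapturePS",
        [int]$TimeLimitInSeconds = 120,
        [string]$Destination = (Join-Path $HOME "$Name.cap")
    )

    New-AzNetworkWatcherPacketCapture `
        -PacketCaptureName $Name `
        -NetworkWatcher $networkWatcher `
        -TargetVirtualMachineId $VM.Id `
        -StorageAccountId $storageAccount.Id `
        -TimeLimitInSeconds $TimeLimitInSeconds `
        -Filter $filter | Out-Null

    # Poll until the session is no longer starting/running; allow a little slack
    # beyond the configured time limit so a slow agent does not leave us waiting forever.
    $deadline = (Get-Date).AddSeconds($TimeLimitInSeconds + 60)
    do {
        Start-Sleep -Seconds 15
        $capture = Get-AzNetworkWatcherPacketCapture `
            -PacketCaptureName $Name `
            -NetworkWatcher $networkWatcher
        Write-Host "$($capture.Name): $($capture.PacketCaptureStatus) ($($capture.StopReason))"
    } while ($capture.PacketCaptureStatus -in @("NotStarted", "Running") -and (Get-Date) -lt $deadline)
    if ($capture.PacketCaptureStatus -eq "Running") {
        # Past the deadline: stop the session explicitly instead of waiting further.
        Stop-AzNetworkWatcherPacketCapture -PacketCaptureName $Name -NetworkWatcher $networkWatcher
    }

    # Assumption: StorageLocation.StoragePath holds the full blob URL of the capture,
    # e.g. https://<account>.blob.core.windows.net/network-watcher-logs/<path>.cap
    $uri = [System.Uri]$capture.StorageLocation.StoragePath
    $container, $blob = $uri.AbsolutePath.TrimStart('/') -split '/', 2

    Get-AzStorageBlobContent `
        -Container $container `
        -Blob $blob `
        -Destination $Destination `
        -Context $storageAccount.Context `
        -Force | Out-Null
    # The job can be removed now; the .cap file itself stays in the storage account.
    Remove-AzNetworkWatcherPacketCapture -PacketCaptureName $Name -NetworkWatcher $networkWatcher
    return $Destination   # open this file in Wireshark
}

Invoke-DemoPacketCapture
```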

Azure CLI Workaround

In this case, we will use Azure Cloud Shell, a browser-based shell built into Azure Portal. This allows us to use the Azure command-line tools (Azure CLI and Azure PowerShell) directly from a browser. If you want to know more about Azure Cloud Shell, check out this link. First, we define the characteristics of our environment and store the values in variables.

resourceGroupName="RG-DEMO-WE"
location="westeurope"
storageAccountName="storageaccountdemowe"
vmName="VM-DEMO-WE"

Start the packet capture

To start a capture, you should use the following command. You can capture all packets or a filtered subset based on protocol, and local and remote IP addresses and ports.

az network watcher packet-capture create \
--name PacketCaputureCLI \
--resource-group $resourceGroupName \
--vm $vmName \
--storage-account $storageAccountName \
--time-limit 120 \
--filters '[{"protocol":"TCP","remoteIPAddress":"1.1.1.1-255.255.255.255","localIPAddress":"10.0.1.5","localPort":"1-65535","remotePort":"443;80;3389"}]'

### The --time-limit parameter sets the maximum duration of the capture session in seconds ###

Check the packet capture status

If you want to check the status of the packet captures, you should use the following command.

az network watcher packet-capture show-status \
--name PacketCaputureCLI \
--location $location


Stop the packet capture

Using the following command, you can stop the packet capture immediately, before its time limit is reached.

az network watcher packet-capture stop \
--name PacketCaputureCLI \
--location $location

Delete a packet capture

When a packet capture job completes, you can delete this job with the following command, but note that deleting the job does not delete the resulting file stored in the storage account.

az network watcher packet-capture list \
--location $location \
--query '[].{Name:name,ProvisioningState:provisioningState,TimeLimitInSeconds:timeLimitInSeconds,BytesToCapturePerPacket:bytesToCapturePerPacket}' \
-o table

az network watcher packet-capture delete \
--name PacketCaputureCLI \
--location $location

Thanks for reading my post. I hope you find it helpful.

For more information about Network Watcher, see this link.