HOW-TO: Wireshark-friendly network packet capture with Azure Network Watcher

Earlier this year, Microsoft released a preview of Azure Network Watcher. It includes a number of network analysis and troubleshooting features, but packet capture is the one I get the most questions about. The capture is written to a .cap file in the standard format read by popular network capture tools, such as Wireshark.

In addition to installing the Network Watcher VM extension on each VM we want to capture from, we need to enable Network Watcher in each Azure region that holds resources we want to monitor. If we highlight the subscription, we can enable it in all Azure regions in one click.


Then, we select Network Watcher and click the +Add button.


When we configure the packet capture, we can set several options, including the target VM, where the capture is stored, and the time limit for the capture.

Note: I like the option to store the capture file in a storage account for central storage, but we can also select the File option to store the capture on the target VM. Either way, the .cap file holds raw packet payloads, so treat the storage account (or the VM disk) as sensitive: keep the container private and limit who can read it.


By clicking the +Add filter option, we can configure many of the same kinds of filters we would use in popular capture tools, including ports, addresses and protocols, and then start the capture. Narrow filters keep the file small and keep unrelated traffic out of it.


Once the capture is complete, we click the .cap file, which takes us to a page where we then click a Download link.


Then we can open the file in the tool of our choice, such as Wireshark.


While we can start captures manually from the portal, we can also start them programmatically, for example from PowerShell or from an Azure Function, which is handy when a capture should be triggered by an alert rather than by a person.
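As an added worked example (not code from the original post), here are the steps above scripted end to end with the Az PowerShell module: enable Network Watcher in a region, install the agent extension on the VM, start a filtered capture into a storage account, wait for it to finish, and pull the .cap down for Wireshark. The resource names, the storage-path parsing and the size and time limits are assumptions chosen for illustration; substitute your own.

```powershell
# Added example, not from the original post. Run after Connect-AzAccount; inside an
# Azure Function or Automation runbook use Connect-AzAccount -Identity instead.
# AzureRM-era installs use the same cmdlets with the AzureRm prefix.
$rg       = 'my-app-rg'          # assumed: resource group of the target VM
$vmName   = 'web-vm-01'          # assumed: VM to capture on
$location = 'westus2'            # assumed: region of the VM
$saName   = 'mycapturestorage'   # assumed: storage account that receives .cap files
$capName  = "cap-$vmName-$(Get-Date -Format yyyyMMdd-HHmmss)"

# 1. Enable Network Watcher for the region (reuse it if it already exists).
$nwRg = 'NetworkWatcherRG'
$nw = Get-AzNetworkWatcher -ResourceGroupName $nwRg -Name "NetworkWatcher_$location" -ErrorAction SilentlyContinue
if (-not $nw) {
    New-AzResourceGroup -Name $nwRg -Location $location -Force | Out-Null
    $nw = New-AzNetworkWatcher -Name "NetworkWatcher_$location" -ResourceGroupName $nwRg -Location $location
}

# 2. Install the Network Watcher agent extension on the target VM
#    (use -ExtensionType 'NetworkWatcherAgentLinux' for Linux VMs).
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Location $location `
    -Name 'NetworkWatcherAgent' -Publisher 'Microsoft.Azure.NetworkWatcher' `
    -ExtensionType 'NetworkWatcherAgentWindows' -TypeHandlerVersion '1.4' | Out-Null

# 3. Filters: TCP on the VM's 80/443, plus UDP to remote port 53 (DNS).
#    Narrow filters keep the capture small and keep unrelated traffic out of the file.
$filters = @(
    New-AzPacketCaptureFilterConfig -Protocol TCP -LocalPort '80;443'
    New-AzPacketCaptureFilterConfig -Protocol UDP -RemotePort '53'
)

# 4. Start the capture into the storage account: 5 minute limit, 256 bytes per packet
#    (headers rather than full payloads) and 100 MB per session. Values are assumptions.
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $saName
New-AzNetworkWatcherPacketCapture -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
    -PacketCaptureName $capName -StorageAccountId $sa.Id `
    -TimeLimitInSeconds 300 -BytesToCapturePerPacket 256 -TotalBytesPerSession 100MB `
    -Filter $filters | Out-Null

# 5. Poll until the capture stops (time limit, size cap, or a manual
#    Stop-AzNetworkWatcherPacketCapture from elsewhere).
do {
    Start-Sleep -Seconds 15
    $status = Get-AzNetworkWatcherPacketCapture -NetworkWatcher $nw -PacketCaptureName $capName
    Write-Host "$capName : $($status.PacketCaptureStatus)"
} while ($status.PacketCaptureStatus -eq 'Running')

# 6. Download the .cap from blob storage. Assumed path layout:
#    https://<account>.blob.core.windows.net/<container>/<path>/packetcapture_<ts>.cap
$uri       = [uri]$status.StorageLocation.StoragePath
$container = $uri.Segments[1].TrimEnd('/')
$blob      = ($uri.Segments[2..($uri.Segments.Length - 1)] -join '')
Get-AzStorageBlobContent -Context $sa.Context -Container $container -Blob $blob `
    -Destination "$capName.cap" -Force | Out-Null
Write-Host "Saved $capName.cap; open it in Wireshark."
```

Two design points worth noting. Capping BytesToCapturePerPacket keeps TLS and application payloads out of the file while still giving Wireshark the headers it needs for flow analysis; raise it only when you actually need payloads. And because the script only needs Network Watcher, VM extension and blob-read rights, the identity that runs it (a person, or a function's managed identity) can be scoped to those rather than to a broad contributor role.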
