Manage packet captures with Azure Network Watcher using the portal

Network Watcher packet capture allows you to create capture sessions to track traffic to and from a virtual machine. Filters are provided for the capture session to ensure you capture only the traffic you want. Packet capture helps to diagnose network anomalies, both reactively and proactively. Other uses include gathering network statistics, gaining information on network intrusions, debugging client-server communication, and much more. Being able to remotely trigger packet captures eases the burden of running a packet capture manually on a desired virtual machine, which saves valuable time.

In this article, you learn to start, stop, download, and delete a packet capture.

Before you begin

Packet capture requires the following outbound TCP connectivity:

  • to the chosen storage account over port 443
  • to 169.254.169.254 over port 80
  • to 168.63.129.16 over port 8037

Note

The ports mentioned in the latter two cases above are common across all Network Watcher features that involve the Network Watcher extension and might occasionally change.

If a network security group is associated with the network interface, or with the subnet that the network interface is in, ensure that rules exist that allow the previous ports. Similarly, adding user-defined traffic routes to your network may prevent connectivity to the above-mentioned IPs and ports. Please ensure they are reachable.
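The following added example (not part of the original article and not Azure code) checks a set of outbound rules against the three prerequisites above, using first-match-by-priority evaluation. The `Rule` model, the sample rules and `STORAGE_IP` are assumptions constructed for illustration; service tags and Azure's default rules are not modeled.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder: substitute the address your storage account's blob endpoint resolves to.
STORAGE_IP = "203.0.113.10"
# Outbound TCP prerequisites listed on this page: (label, destination IP, port).
REQUIRED = [("storage account", STORAGE_IP, 443),
            ("169.254.169.254", "169.254.169.254", 80),
            ("168.63.129.16", "168.63.129.16", 8037)]

@dataclass
class Rule:
    """Simplified outbound rule (hypothetical model, not an Azure SDK type)."""
    name: str
    priority: int
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp" or "*"
    dest_prefix: str  # single IP, CIDR or "*"
    dest_ports: str   # "443", "80-1024" or "*"

def _port_ok(spec, port):
    lo, _, hi = spec.partition("-")
    return spec == "*" or int(lo) <= port <= int(hi or lo)

def _dest_ok(prefix, ip):
    return prefix == "*" or (
        ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False))

def decide(rules, ip, port):
    """First matching rule in ascending priority order decides; no match means deny."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.protocol in ("Tcp", "*") and _dest_ok(r.dest_prefix, ip)
                and _port_ok(r.dest_ports, port)):
            return r.access, r.name
    return "Deny", "(no matching rule)"

def blocked_prerequisites(rules):
    """Return (label, port, deciding rule) for each prerequisite that is not allowed."""
    verdicts = [(label, port, *decide(rules, ip, port)) for label, ip, port in REQUIRED]
    return [(label, port, name) for label, port, access, name in verdicts if access != "Allow"]

# Constructed sample: a locked-down subnet that permits only HTTPS outbound.
SAMPLE = [Rule("allow-https-out", 100, "Allow", "Tcp", "*", "443"),
          Rule("deny-all-out", 4000, "Deny", "*", "*", "*")]

if __name__ == "__main__":
    for label, port, name in blocked_prerequisites(SAMPLE):
        print(f"blocked: {label} tcp/{port} (decided by {name})")
```

Under this model the sample rule set lets the storage upload through but denies the two extension endpoints, which is the situation the paragraph above asks you to rule out before starting a capture.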

Start a packet capture

  1. In your browser, navigate to the Azure portal and select All services, and then select Network Watcher in the Networking section.

  2. Select Packet capture under Network diagnostic tools. Any existing packet captures are listed, regardless of their status.

  3. Select Add to create a packet capture. You can select values for the following properties:

    • Subscription: The subscription that contains the virtual machine you want to create the packet capture for.

    • Resource group: The resource group of the virtual machine.

    • Target virtual machine: The virtual machine that you want to create the packet capture for.

    • Packet capture name: A name for the packet capture.

    • Storage account or file: Select Storage account, File, or both. If you select File, the capture is written to a path within the virtual machine.

    • Local file path: The local path on the virtual machine where the packet capture will be saved (valid only when File is selected). The path must be a valid path. If you are using a Linux virtual machine, the path must start with /var/captures.

    • Storage accounts: Select an existing storage account, if you selected Storage account. This option is only available if you selected Storage.

      Note

      Premium storage accounts are currently not supported for storing packet captures.

    • Maximum bytes per packet: The number of bytes from each packet that are captured. If left blank, all bytes are captured.

    • Maximum bytes per session: The total number of bytes that are captured. Once the value is reached, the packet capture stops.

    • Time limit (seconds): The time limit before the packet capture is stopped. The default is 18,000 seconds.

    • Filtering (Optional). Select + Add filter

      • Protocol: The protocol to filter for the packet capture. The available values are TCP, UDP, and Any.
      • Local IP address: Filters the packet capture for packets where the local IP address matches this value.
      • Local port: Filters the packet capture for packets where the local port matches this value.
      • Remote IP address: Filters the packet capture for packets where the remote IP address matches this value.
      • Remote port: Filters the packet capture for packets where the remote port matches this value.

      Note

      Port and IP address values can be a single value or a range of values, such as 80-1024 for a port. You can define as many filters as you need.

  4. Select OK.

After the time limit set on the packet capture has expired, the packet capture is stopped and can be reviewed. You can also manually stop a packet capture session.

Note

The portal automatically:

  • Creates a network watcher in the same region as the virtual machine you selected, if the region doesn't already have a network watcher.
  • Adds the AzureNetworkWatcherExtension Linux or Windows virtual machine extension to the virtual machine, if it's not already installed.

Delete a packet capture

  1. In the packet capture view, select ... on the right side of the packet capture, or right-click an existing packet capture, and select Delete.
  2. You are asked to confirm you want to delete the packet capture. Select Yes.

Note

Deleting a packet capture does not delete the capture file in the storage account or on the virtual machine.

Stop a packet capture

In the packet capture view, select ... on the right side of the packet capture, or right-click an existing packet capture, and select Stop.

Download a packet capture

Once your packet capture session has completed, the capture file is uploaded to blob storage or to a local file on the virtual machine. The storage location of the packet capture is defined during creation of the packet capture. A convenient tool to access capture files saved to a storage account is Microsoft Azure Storage Explorer, which you can download.

If a storage account is specified, packet capture files are saved to a storage account at the following location:

https://{storageAccountName}.blob.core.windows.net/network-watcher-logs/subscriptions/{subscriptionId}/resourcegroups/{storageAccountResourceGroup}/providers/microsoft.compute/virtualmachines/{VMName}/{year}/{month}/{day}/packetCapture_{creationTime}.cap

If you selected File when you created the capture, you can view or download the file from the path you configured on the virtual machine.
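Because deleting a packet capture leaves its file in the storage account, it helps to inventory what is still stored there. The following added example (not part of the original article) parses blob URLs against the location template above and groups capture files per virtual machine; the account name, subscription ID, VM names and `{creationTime}` values in the sample are constructed, and `{creationTime}` is treated as an opaque string.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Path layout taken from the location template on this page.
_PATH = re.compile(
    r"^/network-watcher-logs/subscriptions/(?P<subscription>[^/]+)"
    r"/resourcegroups/(?P<resource_group>[^/]+)"
    r"/providers/microsoft\.compute/virtualmachines/(?P<vm>[^/]+)"
    r"/(?P<year>\d{4})/(?P<month>\d{1,2})/(?P<day>\d{1,2})"
    r"/packetCapture_(?P<creation_time>[^/]+)\.cap$"
)

def parse_capture_url(url):
    """Return the template fields of a capture blob URL, or None if it does not fit."""
    parts = urlsplit(url)          # the query string (e.g. a SAS token) is ignored
    host = parts.hostname or ""
    if parts.scheme != "https" or not host.endswith(".blob.core.windows.net"):
        return None
    m = _PATH.match(parts.path)
    if not m:
        return None
    fields = m.groupdict()
    fields["storage_account"] = host.split(".", 1)[0]
    return fields

def captures_by_vm(urls):
    """Group remaining capture files per VM so leftovers can be reviewed and purged."""
    grouped = defaultdict(list)
    for url in urls:
        f = parse_capture_url(url)
        if f:
            stamp = f"{f['year']}-{f['month']}-{f['day']} {f['creation_time']}"
            grouped[f["vm"].lower()].append(stamp)
    return dict(grouped)

# Constructed sample URLs; the last one is an unrelated blob and is skipped.
BASE = ("https://contosocaps.blob.core.windows.net/network-watcher-logs/subscriptions/"
        "00000000-0000-0000-0000-000000000000/resourcegroups/rg-storage"
        "/providers/microsoft.compute/virtualmachines/")
SAMPLE_URLS = [
    BASE + "vm-web-01/2024/03/07/packetCapture_12_00_00_000.cap",
    BASE + "vm-web-01/2024/03/09/packetCapture_08_30_00_000.cap?sv=constructed",
    BASE + "vm-db-02/2024/03/08/packetCapture_23_15_00_000.cap",
    "https://contosocaps.blob.core.windows.net/other-container/readme.txt",
]

if __name__ == "__main__":
    for vm, stamps in captures_by_vm(SAMPLE_URLS).items():
        print(vm, stamps)
```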

Next steps