Manage packet captures with Azure Network Watcher using the Azure CLI

Network Watcher packet capture allows you to create capture sessions to track traffic to and from a virtual machine. Filters are provided for the capture session to ensure you capture only the traffic you want. Packet capture helps to diagnose network anomalies both reactively and proactively. Other uses include gathering network statistics, gaining information on network intrusions, debugging client-server communications, and much more. Because packet captures can be triggered remotely, this capability eases the burden of running a packet capture manually on the desired machine, which saves valuable time.

To perform the steps in this article, you need to install the Azure Command-Line Interface for Mac, Linux, and Windows (Azure CLI).

This article takes you through the different management tasks that are currently available for packet capture.

Before you begin

This article assumes you have the following resources:

  • An instance of Network Watcher in the region where you want to create a packet capture
  • A virtual machine with the packet capture extension enabled.

Important

Packet capture requires an agent to be running on the virtual machine. The agent is installed as an extension. For instructions on VM extensions, see Virtual machine extensions and features.

Install VM extension

Step 1

Run the az vm extension set command to install the packet capture agent on the guest virtual machine.

For Windows virtual machines:

az vm extension set --resource-group resourceGroupName --vm-name virtualMachineName --publisher Microsoft.Azure.NetworkWatcher --name NetworkWatcherAgentWindows --version 1.4

For Linux virtual machines:

az vm extension set --resource-group resourceGroupName --vm-name virtualMachineName --publisher Microsoft.Azure.NetworkWatcher --name NetworkWatcherAgentLinux --version 1.4

Step 2

To ensure that the agent is installed, run the az vm extension show command and pass it the resource group and virtual machine name (use the extension name NetworkWatcherAgentLinux for a Linux VM). Check the resulting output to confirm the agent is installed and its provisioningState is Succeeded.

az vm extension show --resource-group resourceGroupName --vm-name virtualMachineName --name NetworkWatcherAgentWindows

The following sample is an example of the response from running az vm extension show:

{
  "autoUpgradeMinorVersion": true,
  "forceUpdateTag": null,
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName}/extensions/NetworkWatcherAgentWindows",
  "instanceView": null,
  "location": "chinaeast",
  "name": "NetworkWatcherAgentWindows",
  "protectedSettings": null,
  "provisioningState": "Succeeded",
  "publisher": "Microsoft.Azure.NetworkWatcher",
  "resourceGroup": "{resourceGroupName}",
  "settings": null,
  "tags": null,
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "typeHandlerVersion": "1.4",
  "virtualMachineExtensionType": "NetworkWatcherAgentWindows"
}
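The two steps above (install the agent, then read back its provisioning state) are easy to script. The following is an added example, not code from the Azure documentation: it picks the Windows or Linux agent name from the VM's OS type, installs the extension, and refuses to proceed unless provisioningState is Succeeded. The resource group and VM names are placeholders; the CLI is assumed to be logged in, and the `--query`/`--output tsv` options are the CLI's standard JMESPath filtering.

```shell
#!/bin/sh
# Added example (not from the Azure docs): install the Network Watcher agent
# extension on a VM, choosing the Windows or Linux handler from the VM's OS type,
# and confirm provisioning succeeded before any capture is started.
# Placeholders: resource group and VM names. Assumes the Azure CLI is logged in.

# Map the VM's OS disk type ("Windows" or "Linux") to the matching extension name.
agent_name_for_os() {
  case "$1" in
    Windows) echo NetworkWatcherAgentWindows ;;
    Linux)   echo NetworkWatcherAgentLinux ;;
    *)       echo "unsupported OS type: $1" >&2; return 1 ;;
  esac
}

# Read the VM's OS type with a JMESPath query; tsv output has no JSON quotes.
vm_os_type() {
  az vm show --resource-group "$1" --name "$2" \
    --query storageProfile.osDisk.osType --output tsv
}

# Install (or update) the agent extension and print the extension name used.
install_agent() {
  rg=$1; vm=$2
  agent=$(agent_name_for_os "$(vm_os_type "$rg" "$vm")") || return 1
  az vm extension set --resource-group "$rg" --vm-name "$vm" \
    --publisher Microsoft.Azure.NetworkWatcher --name "$agent" --version 1.4 >/dev/null
  echo "$agent"
}

# Return the extension's provisioningState as plain text.
agent_state() {
  az vm extension show --resource-group "$1" --vm-name "$2" --name "$3" \
    --query provisioningState --output tsv
}

# Succeed only when the agent reports Succeeded; a capture against a VM whose
# agent is still provisioning or has failed will not produce a file.
verify_agent() {
  state=$(agent_state "$1" "$2" "$3")
  [ "$state" = "Succeeded" ]
}

# Usage (placeholder names):
#   agent=$(install_agent myResourceGroup myVM) && verify_agent myResourceGroup myVM "$agent"
```

Running `install_agent` and then `verify_agent` in sequence gives a single exit status you can gate the rest of a capture script on.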

Start a packet capture

Once the preceding steps are complete, the packet capture agent is installed on the virtual machine.

Step 1

The next step is to retrieve the Network Watcher instance. The name of the Network Watcher is passed to the az network watcher show command in step 4.

az network watcher show --resource-group resourceGroup --name networkWatcherName

Step 2

Retrieve a storage account. This storage account is used to store the packet capture file.

az storage account list

Step 3

Filters can be used to limit the data that is stored by the packet capture. The following example sets up a packet capture with several filters. The first three filters collect only outgoing TCP traffic from local IP 10.0.0.3 to destination ports 20, 80, and 443. The last filter collects only UDP traffic.

az network watcher packet-capture create --resource-group {resourceGroupName} --vm {vmName} --name packetCaptureName --storage-account {storageAccountName} --filters "[{\"protocol\":\"TCP\", \"remoteIPAddress\":\"1.1.1.1-255.255.255\",\"localIPAddress\":\"10.0.0.3\", \"remotePort\":\"20\"},{\"protocol\":\"TCP\", \"remoteIPAddress\":\"1.1.1.1-255.255.255\",\"localIPAddress\":\"10.0.0.3\", \"remotePort\":\"80\"},{\"protocol\":\"TCP\", \"remoteIPAddress\":\"1.1.1.1-255.255.255\",\"localIPAddress\":\"10.0.0.3\", \"remotePort\":\"443\"},{\"protocol\":\"UDP\"}]"

The following example is the expected output from running the az network watcher packet-capture create command.

{
  "bytesToCapturePerPacket": 0,
  "etag": "W/\"b8cf3528-2e14-45cb-a7f3-5712ffb687ac\"",
  "filters": [
    {
      "localIpAddress": "10.0.0.3",
      "localPort": "",
      "protocol": "TCP",
      "remoteIpAddress": "1.1.1.1-255.255.255",
      "remotePort": "20"
    },
    {
      "localIpAddress": "10.0.0.3",
      "localPort": "",
      "protocol": "TCP",
      "remoteIpAddress": "1.1.1.1-255.255.255",
      "remotePort": "80"
    },
    {
      "localIpAddress": "10.0.0.3",
      "localPort": "",
      "protocol": "TCP",
      "remoteIpAddress": "1.1.1.1-255.255.255",
      "remotePort": "443"
    },
    {
      "localIpAddress": "",
      "localPort": "",
      "protocol": "UDP",
      "remoteIpAddress": "",
      "remotePort": ""
    }
  ],
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_chinaeast/packetCaptures/packetCaptureName",
  "name": "packetCaptureName",
  "provisioningState": "Succeeded",
  "resourceGroup": "NetworkWatcherRG",
  "storageLocation": {
    "filePath": null,
    "storageId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/gwteststorage123abc",
    "storagePath": "https://gwteststorage123abc.blob.core.chinacloudapi.cn/network-watcher-logs/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/{resourceGroupName}/providers/microsoft.compute/virtualmachines/{vmName}/2017/05/25/packetcapture_16_22_34_630.cap"
  },
  "target": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName}",
  "timeLimitInSeconds": 18000,
  "totalBytesPerSession": 1073741824
}
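The hand-escaped `--filters` string in step 3 is where most mistakes happen, so the following added example (not code from the Azure documentation) generates it instead: one TCP egress filter per destination port for a given local IP, plus the catch-all UDP filter, in the same shape as the command above but without the remote IP range. Port values are validated before they reach the CLI. Resource names are placeholders, and the `--time-limit` and `--total-bytes-per-session` options are the CLI's own knobs for the limits reported as timeLimitInSeconds and totalBytesPerSession in the output.

```shell
#!/bin/sh
# Added example (not from the Azure docs): build the --filters JSON for
# az network watcher packet-capture create from a list of destination ports,
# so the quoting is generated rather than typed by hand.
# Placeholders: resource group, VM, capture and storage account names.

# Emit one TCP filter object: traffic from LOCAL_IP to REMOTE_PORT.
# Reject anything that is not a plain port number before it reaches the CLI.
tcp_filter() {
  case "$2" in
    ''|*[!0-9]*) echo "invalid port: $2" >&2; return 1 ;;
  esac
  printf '{"protocol":"TCP","localIPAddress":"%s","remotePort":"%s"}' "$1" "$2"
}

# Emit the full JSON array: one TCP filter per port, then a catch-all UDP filter
# (the same layout as the doc's example, minus the remoteIPAddress range).
egress_filters() {
  local_ip=$1; shift
  out='['
  sep=''
  for port in "$@"; do
    out="$out$sep$(tcp_filter "$local_ip" "$port")" || return 1
    sep=','
  done
  out="$out$sep"'{"protocol":"UDP"}]'
  printf '%s' "$out"
}

# Start the capture. The limits are set explicitly (1 hour, 1 GiB) so a
# forgotten session cannot fill the storage account; the doc output shows the
# defaults of 18000 s and 1073741824 bytes. --filters receives the whole JSON
# array as a single argument.
start_capture() {
  rg=$1; vm=$2; name=$3; storage=$4; local_ip=$5; shift 5
  az network watcher packet-capture create \
    --resource-group "$rg" --vm "$vm" --name "$name" \
    --storage-account "$storage" \
    --time-limit 3600 --total-bytes-per-session 1073741824 \
    --filters "$(egress_filters "$local_ip" "$@")"
}

# Usage (placeholder names):
#   start_capture myResourceGroup myVM packetCaptureName mystorageacct 10.0.0.3 20 80 443
```

Because `egress_filters` prints the array to stdout, you can also run it on its own to inspect the JSON before handing it to the CLI.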

Get a packet capture

Running the az network watcher packet-capture show-status command retrieves the status of a currently running or completed packet capture.

az network watcher packet-capture show-status --name packetCaptureName --location {networkWatcherLocation}

The following example is the output from the az network watcher packet-capture show-status command. In this example the capture is Stopped, with a StopReason of TimeExceeded.

{
  "additionalProperties": {
    "status": "Succeeded"
  },
  "captureStartTime": "2016-12-06T17:20:01.5671279Z",
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_chinaeast/packetCaptures/packetCaptureName",
  "name": "packetCaptureName",
  "packetCaptureError": [],
  "packetCaptureStatus": "Stopped",
  "stopReason": "TimeExceeded"
}

Stop a packet capture

Running the az network watcher packet-capture stop command stops a capture session that is in progress.

az network watcher packet-capture stop --name packetCaptureName --location chinaeast

Note

The command returns no response, whether it is run against a currently running capture session or against an existing session that has already stopped.

Delete a packet capture

az network watcher packet-capture delete --name packetCaptureName --location chinaeast

Note

Deleting a packet capture does not delete the file in the storage account.

Download a packet capture

Once your packet capture session has completed, the capture file can be uploaded to blob storage or to a local file on the VM. The storage location of the packet capture is defined when the session is created. A convenient tool for accessing capture files saved to a storage account is Azure Storage Explorer, which can be downloaded here: http://storageexplorer.com/

If a storage account is specified, packet capture files are saved to the storage account at the following location:

https://{storageAccountName}.blob.core.chinacloudapi.cn/network-watcher-logs/subscriptions/{subscriptionId}/resourcegroups/{storageAccountResourceGroup}/providers/microsoft.compute/virtualmachines/{VMName}/{year}/{month}/{day}/packetCapture_{creationTime}.cap
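The "Get a packet capture" and "Download a packet capture" sections together describe one workflow: poll show-status until the session has stopped, then fetch the .cap from the blob path recorded at creation. The following added example (not code from the Azure documentation) does exactly that from the CLI. It parses the pretty-printed JSON with sed rather than requiring jq, reads the blob URL from storageLocation.storagePath via `az network watcher packet-capture show`, and downloads it with `az storage blob download`. Capture name, location, and file names are placeholders; the CLI is assumed to be logged in with read access to the storage account.

```shell
#!/bin/sh
# Added example (not from the Azure docs): wait for a capture session to stop,
# then download its .cap file from the storage location recorded at creation.
# JSON parsing uses sed on the CLI's pretty-printed output (one key per line).
# Placeholders: capture name, Network Watcher location, destination file.

# Extract a string-valued field from pretty-printed JSON on stdin (first match).
json_field() {
  sed -n "s/^ *\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Print "<packetCaptureStatus> <stopReason>"; stopReason is empty while running.
capture_state() {
  json=$(az network watcher packet-capture show-status --name "$1" --location "$2")
  status=$(printf '%s\n' "$json" | json_field packetCaptureStatus)
  reason=$(printf '%s\n' "$json" | json_field stopReason)
  printf '%s %s\n' "$status" "$reason"
}

# Poll every INTERVAL seconds, at most MAX_TRIES times. On Stopped, print the
# stop reason (TimeExceeded in the doc's sample) and succeed; on Error, fail.
wait_until_stopped() {
  name=$1; location=$2; interval=${3:-15}; max_tries=${4:-240}
  tries=0
  while [ "$tries" -lt "$max_tries" ]; do
    set -- $(capture_state "$name" "$location")
    case "$1" in
      Stopped) echo "${2:-unknown}"; return 0 ;;
      Error)   echo "capture failed: ${2:-unknown}" >&2; return 1 ;;
    esac
    tries=$((tries + 1))
    sleep "$interval"
  done
  echo "capture still running after $((max_tries * interval))s" >&2
  return 1
}

# Split https://{account}.blob.<suffix>/{container}/{blob path} into
# "account container blob" using only parameter expansion.
blob_parts() {
  url=${1#https://}
  account=${url%%.*}
  rest=${url#*/}
  container=${rest%%/*}
  blob=${rest#*/}
  printf '%s %s %s\n' "$account" "$container" "$blob"
}

# Download the capture file to DEST. The blob URL is the session's
# storageLocation.storagePath, so no path has to be reconstructed by hand.
download_capture() {
  name=$1; location=$2; dest=$3
  url=$(az network watcher packet-capture show --name "$name" --location "$location" \
          --query storageLocation.storagePath --output tsv)
  set -- $(blob_parts "$url")
  az storage blob download --auth-mode login --account-name "$1" \
    --container-name "$2" --name "$3" --file "$dest" >/dev/null
  echo "$dest"
}

# Usage (placeholder names):
#   wait_until_stopped packetCaptureName chinaeast && download_capture packetCaptureName chinaeast capture.cap
```

Waiting for Stopped before downloading matters because the blob is still being written while the session runs; a partial .cap opened in a packet analyzer is easy to mistake for a complete one.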

Next steps

Find out whether certain traffic is allowed in or out of your VM by visiting Check IP flow verify.