Manage packet captures with Azure Network Watcher using the portal

Network Watcher packet capture lets you create capture sessions that record traffic to and from a virtual machine. Filters on the capture session ensure that you capture only the traffic you want. Packet capture helps diagnose network anomalies, both reactively and proactively. Other uses include gathering network statistics, gaining information about network intrusions, debugging client-server communication, and more. Because a capture can be triggered remotely, you do not have to log on to the virtual machine and run a capture tool by hand, which saves valuable time.

In this article, you learn how to start, stop, download, and delete a packet capture.

Before you begin

Packet capture requires the following connectivity from the target virtual machine:

  • Outbound connectivity to the storage account over port 443 (the capture file is uploaded over HTTPS).
  • Inbound and outbound connectivity to 169.254.169.254 (the Azure Instance Metadata Service).
  • Inbound and outbound connectivity to 168.63.129.16 (the Azure platform address used by the VM agent and extensions).

If a network security group (NSG) is associated with the network interface, or with the subnet that the network interface is in, make sure that rules exist that allow the connectivity listed above. Outbound traffic on port 443 to the storage account is the one most often blocked by a custom deny rule; if it is blocked, the capture runs but the file never arrives in the storage account.
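One way to check those NSG prerequisites before starting a capture is Network Watcher's IP flow verify, which evaluates the NSGs in effect for the VM's network interface against a single flow. The following PowerShell is an added example, not code from the original page or from Microsoft; it assumes the Az module is installed, that you are signed in with `Connect-AzAccount -Environment AzureChinaCloud` (the page's storage endpoint is the Azure China one), and that the resource group, VM and storage account names are placeholders. The page does not name the ports used toward 169.254.169.254 and 168.63.129.16; the example uses port 80 for those checks as an illustrative assumption, and the ephemeral local ports are arbitrary.

```powershell
# Added example (not part of the original article). Verifies, with Network Watcher IP flow verify,
# that the effective NSG rules on the target VM allow the connectivity packet capture requires.
# Placeholders: resource group, VM and storage account names. Assumed: Az module, Azure China sign-in,
# port 80 for the 169.254.169.254 / 168.63.129.16 checks (the page lists no port for those addresses).
$resourceGroupName  = 'myResourceGroup'      # placeholder
$vmName             = 'myVm'                 # placeholder
$storageAccountName = 'mycapturestorage'     # placeholder; blob endpoint below is the Azure China one

$vm      = Get-AzVM -ResourceGroupName $resourceGroupName -Name $vmName
$nic     = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$localIp = $nic.IpConfigurations[0].PrivateIpAddress
$nw      = Get-AzNetworkWatcher -Location $vm.Location

# IP flow verify needs a concrete remote address, so resolve the storage account's blob endpoint.
$storageIp = ([System.Net.Dns]::GetHostAddresses("$storageAccountName.blob.core.chinacloudapi.cn") |
              Where-Object AddressFamily -eq 'InterNetwork' | Select-Object -First 1).IPAddressToString

# One row per flow the page requires. Local/remote ports other than 443 are illustrative assumptions.
$checks = @(
    @{ Direction = 'Outbound'; Remote = $storageIp;        RemotePort = 443;   LocalPort = 50000 }
    @{ Direction = 'Outbound'; Remote = '169.254.169.254'; RemotePort = 80;    LocalPort = 50001 }
    @{ Direction = 'Inbound';  Remote = '169.254.169.254'; RemotePort = 50001; LocalPort = 80 }
    @{ Direction = 'Outbound'; Remote = '168.63.129.16';   RemotePort = 80;    LocalPort = 50002 }
    @{ Direction = 'Inbound';  Remote = '168.63.129.16';   RemotePort = 50002; LocalPort = 80 }
)

$results = foreach ($c in $checks) {
    $r = Test-AzNetworkWatcherIPFlow -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
            -Direction $c.Direction -Protocol TCP `
            -LocalIPAddress $localIp -LocalPort $c.LocalPort `
            -RemoteIPAddress $c.Remote -RemotePort $c.RemotePort
    [pscustomobject]@{
        Direction = $c.Direction; Remote = $c.Remote; RemotePort = $c.RemotePort
        Access    = $r.Access;    Rule   = $r.RuleName   # the NSG rule (default or custom) that decided the flow
    }
}
$results | Format-Table -AutoSize

# Any row that is not 'Allow' names the rule you must fix before the capture can upload or the agent can talk to the platform.
$blocked = $results | Where-Object Access -ne 'Allow'
if ($blocked) { Write-Warning "Fix these NSG rules before starting the capture:`n$($blocked | Out-String)" }
```

IP flow verify evaluates both the NIC-level and subnet-level NSGs, so a single pass covers both places the article says an NSG may be attached; the `Rule` column tells you which one is responsible when a flow is denied.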

Start a packet capture

  1. In your browser, navigate to the Azure portal, select All services, and then select Network Watcher in the Networking section.

  2. Select Packet capture under Network diagnostic tools. Any existing packet captures are listed, regardless of their status.

  3. Select Add to create a packet capture. You can set values for the following properties:

    • Subscription: The subscription that contains the virtual machine you want to capture from.

    • Resource group: The resource group of the virtual machine.

    • Target virtual machine: The virtual machine you want to create the packet capture for.

    • Packet capture name: A name for the packet capture.

    • Storage account or file: Select Storage account, File, or both. If you select File, the capture is written to a path inside the virtual machine.

    • Local file path: The local path on the virtual machine where the packet capture is saved (valid only when File is selected). The path must be a valid path on the VM. On a Linux virtual machine, the path must start with /var/captures.

    • Storage accounts: If you selected Storage account, choose an existing storage account. This option is available only when Storage account is selected.

      Note

      Premium storage accounts are currently not supported for storing packet captures.

    • Maximum bytes per packet: The number of bytes captured from each packet (the snapshot length). If left blank, every byte of each packet is captured, payload included.

    • Maximum bytes per session: The total number of bytes to capture. Once this value is reached, the packet capture stops.

    • Time limit (seconds): The time after which the packet capture is stopped. The default is 18,000 seconds (5 hours).

    • Filtering (optional). Select + Add filter.

      • Protocol: The protocol to filter on. The available values are TCP, UDP, and Any.
      • Local IP address: Keeps only packets whose local IP address matches this value.
      • Local port: Keeps only packets whose local port matches this value.
      • Remote IP address: Keeps only packets whose remote IP address matches this value.
      • Remote port: Keeps only packets whose remote port matches this value.

      Note

      Port and IP address values can be a single value or a range, for example 80-1024 for a port. You can define as many filters as you need.

  4. Select OK.

When the time limit set on the packet capture expires, the packet capture stops and can be reviewed. You can also stop a packet capture session manually.
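The same capture can be started without the portal. The following PowerShell is an added example, not code from the original page or from Microsoft; it creates a capture with the properties and filters described in the steps above. It assumes the Az module is installed, that you are signed in with `Connect-AzAccount -Environment AzureChinaCloud`, that the Network Watcher VM extension is installed on the target VM (the portal does this for you; the example installs the Linux agent if it is missing, which is an assumption about the VM's OS), and that all names, limits and filter values are placeholders.

```powershell
# Added example (not part of the original article). Starts a Network Watcher packet capture
# with a storage-account target and two filters, the same properties the portal steps expose.
# Placeholders: all names and limits below. Assumed: Az module, Azure China sign-in, Linux target VM.
$resourceGroupName  = 'myResourceGroup'       # placeholder
$vmName             = 'myVm'                  # placeholder
$storageAccountName = 'mycapturestorage'      # placeholder; must be a standard (not Premium) account
$captureName        = 'web-traffic-capture'   # placeholder

$vm             = Get-AzVM -ResourceGroupName $resourceGroupName -Name $vmName
$storageAccount = Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName
$nw             = Get-AzNetworkWatcher -Location $vm.Location
$localIp        = (Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id).IpConfigurations[0].PrivateIpAddress

# The capture runs inside the Network Watcher agent extension; install it if it is not there yet.
# Linux shown (assumption); a Windows VM uses the NetworkWatcherAgentWindows extension type instead.
$agent = Get-AzVMExtension -ResourceGroupName $resourceGroupName -VMName $vmName -ErrorAction SilentlyContinue |
         Where-Object Publisher -eq 'Microsoft.Azure.NetworkWatcher'
if (-not $agent) {
    Set-AzVMExtension -ResourceGroupName $resourceGroupName -VMName $vmName -Location $vm.Location `
        -Name 'AzureNetworkWatcherExtension' -Publisher 'Microsoft.Azure.NetworkWatcher' `
        -ExtensionType 'NetworkWatcherAgentLinux' -TypeHandlerVersion '1.4'
}

# Filters map to the portal's Protocol / Local IP / Local port / Remote IP / Remote port fields.
# Each filter is matched independently; values may be single values or ranges such as 80-1024.
$filterWeb = New-AzPacketCaptureFilterConfig -Protocol TCP -LocalIPAddress $localIp -LocalPort '80-1024'
$filterDns = New-AzPacketCaptureFilterConfig -Protocol UDP -RemotePort '53'

# BytesToCapturePerPacket is omitted so whole packets are captured, as when the portal field is left blank.
# TotalBytesPerSession caps the file at 1 GiB; TimeLimitInSeconds replaces the 18,000-second default.
New-AzNetworkWatcherPacketCapture -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
    -PacketCaptureName $captureName -StorageAccountId $storageAccount.Id `
    -TotalBytesPerSession 1073741824 -TimeLimitInSeconds 600 `
    -Filter $filterWeb, $filterDns

# The capture runs until a limit is hit or it is stopped; poll its status rather than assuming it is done.
$capture = Get-AzNetworkWatcherPacketCapture -NetworkWatcher $nw -PacketCaptureName $captureName
"{0}: status {1}" -f $capture.Name, $capture.PacketCaptureStatus
```

Keeping the filters narrow matters for more than file size: a capture with no filters and no per-packet byte limit records full payloads of every connection the VM handles, including any credentials or tokens sent in clear text, so it should be scoped to the traffic you are actually diagnosing.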

Note

The portal automatically:

  • Creates a network watcher in the region of the virtual machine you selected, if that region doesn't already have one.

Delete a packet capture

  1. In the packet capture view, select ... on the right side of the packet capture, or right-click an existing packet capture, and then select Delete.
  2. You are asked to confirm that you want to delete the packet capture. Select Yes.

Note

Deleting a packet capture removes only the capture session definition. It does not delete the capture file in the storage account or on the virtual machine; delete those separately if they are no longer needed.

Stop a packet capture

In the packet capture view, select ... on the right side of the packet capture, or right-click an existing packet capture, and then select Stop.

Download a packet capture

Once the packet capture session has completed, the capture file is uploaded to blob storage or written to a local file on the virtual machine. The storage location is the one you chose when you created the packet capture. A convenient tool for accessing capture files saved to a storage account is Azure Storage Explorer, which you can download. Capture files contain whatever traffic transited the VM, so restrict who can read the storage account and the local path as you would any other sensitive data.

If a storage account is specified, packet capture files are saved in the storage account at the following location:

https://{storageAccountName}.blob.core.chinacloudapi.cn/network-watcher-logs/subscriptions/{subscriptionId}/resourcegroups/{storageAccountResourceGroup}/providers/microsoft.compute/virtualmachines/{VMName}/{year}/{month}/{day}/packetCapture_{creationTime}.cap

If you selected File when you created the capture, you can view or download the file from the path you configured on the virtual machine.
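The stop, download and delete steps above can be scripted against the same capture. The following PowerShell is an added example, not code from the original page or from Microsoft; it stops a running capture, waits for it to leave the Running state, downloads the .cap file from the network-watcher-logs container using the blob URL the capture reports, and then deletes the capture session (which, as the note above says, leaves the blob in place). It assumes the Az module, an Azure China sign-in, a capture that was created with a storage-account target, and placeholder names.

```powershell
# Added example (not part of the original article). Stops, downloads and deletes a packet capture
# that was created with a storage-account target. Placeholders: all names below. Assumed: Az module,
# Connect-AzAccount -Environment AzureChinaCloud already done.
$resourceGroupName  = 'myResourceGroup'       # placeholder
$vmName             = 'myVm'                  # placeholder
$storageAccountName = 'mycapturestorage'      # placeholder
$captureName        = 'web-traffic-capture'   # placeholder
$downloadDir        = Join-Path $env:TEMP 'captures'

$vm = Get-AzVM -ResourceGroupName $resourceGroupName -Name $vmName
$nw = Get-AzNetworkWatcher -Location $vm.Location

# Stop the capture if it is still running (a capture also stops on its own at the time or byte limit).
$capture = Get-AzNetworkWatcherPacketCapture -NetworkWatcher $nw -PacketCaptureName $captureName
if ($capture.PacketCaptureStatus -eq 'Running') {
    Stop-AzNetworkWatcherPacketCapture -NetworkWatcher $nw -PacketCaptureName $captureName
}

# The agent uploads the file after stopping; poll until the status is no longer Running before downloading.
$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 10
    $capture = Get-AzNetworkWatcherPacketCapture -NetworkWatcher $nw -PacketCaptureName $captureName
} while ($capture.PacketCaptureStatus -eq 'Running' -and (Get-Date) -lt $deadline)
if ($capture.PacketCaptureStatus -eq 'Running') { throw "Capture $captureName did not stop within 5 minutes" }

# StoragePath is the full blob URL, i.e. https://{account}.blob.core.chinacloudapi.cn/network-watcher-logs/...packetCapture_{time}.cap
$blobUri = [System.Uri]$capture.StorageLocation.StoragePath
$container, $blobName = $blobUri.AbsolutePath.TrimStart('/') -split '/', 2

$ctx = (Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName).Context
New-Item -ItemType Directory -Path $downloadDir -Force | Out-Null
$dest = Join-Path $downloadDir ([System.IO.Path]::GetFileName($blobName))
Get-AzStorageBlobContent -Container $container -Blob $blobName -Context $ctx -Destination $dest -Force | Out-Null
"Downloaded $dest ($((Get-Item $dest).Length) bytes)"

# Deleting the capture removes only the session definition; the blob and any local file on the VM remain.
Remove-AzNetworkWatcherPacketCapture -NetworkWatcher $nw -PacketCaptureName $captureName
```

The downloaded .cap file is a standard pcap that Wireshark or tcpdump can open directly. Remember that the blob is still in the storage account afterwards; remove it with Remove-AzStorageBlob once it is no longer needed, since it holds the raw traffic you captured.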

Next steps