Configure packet capture for VPN gateways

Connectivity and performance-related problems are often complex. It can take significant time and effort just to narrow down the cause of the problem. Packet capture can help you narrow down the scope of a problem to certain parts of the network. It can help you determine whether the problem is on the customer side of the network, the Azure side of the network, or somewhere in between. After you narrow down the problem, it's more efficient to debug and take remedial action.

There are some commonly available packet capture tools. Getting relevant packet captures with these tools can be cumbersome, especially in high-volume traffic scenarios. The filtering capabilities provided by Azure VPN Gateway packet capture are a major differentiator. You can use VPN Gateway packet capture together with commonly available packet capture tools.

VPN Gateway packet capture filtering capabilities

You can run VPN Gateway packet capture on the gateway or on a specific connection, depending on your needs. You can also run packet capture on multiple tunnels at the same time. You can capture one-way or bi-directional traffic, IKE and ESP traffic, and inner packets, along with filtering on a VPN gateway.

It's helpful to use a five-tuple filter (source subnet, destination subnet, source port, destination port, protocol) and TCP flags (SYN, ACK, FIN, URG, PSH, RST) when you're isolating problems in high-volume traffic.

The following examples of JSON and a JSON schema provide explanations of each property. Here are some limitations to keep in mind when you run packet captures:

  • In the schema shown here, the filter is an array, but currently only one filter can be used at a time.
  • You can't run multiple gateway-wide packet captures at the same time.
  • You can't run multiple packet captures on a single connection at the same time. You can run multiple packet captures on different connections at the same time.
  • A maximum of five packet captures can be run in parallel per gateway. These packet captures can be a combination of gateway-wide packet captures and per-connection packet captures.

Example JSON

{
  "TracingFlags": 11,
  "MaxPacketBufferSize": 120,
  "MaxFileSize": 200,
  "Filters": [
    {
      "SourceSubnets": [
        "20.1.1.0/24"
      ],
      "DestinationSubnets": [
        "10.1.1.0/24"
      ],
      "SourcePort": [
        500
      ],
      "DestinationPort": [
        4500
      ],
      "Protocol": [
        6
      ],
      "TcpFlags": 16,
      "CaptureSingleDirectionTrafficOnly": true
    }
  ]
}

JSON schema

{
    "type": "object",
    "title": "The Root Schema",
    "description": "The root schema input JSON filter for packet capture",
    "default": {},
    "additionalProperties": true,
    "required": [
        "TracingFlags",
        "MaxPacketBufferSize",
        "MaxFileSize",
        "Filters"
    ],
    "properties": {
        "TracingFlags": {
            "$id": "#/properties/TracingFlags",
            "type": "integer",
            "title": "The Tracingflags Schema",
            "description": "Tracing flags that customer can pass to define which packets are to be captured. Supported values are CaptureESP = 1, CaptureIKE = 2, CaptureOVPN = 8. The final value is OR of the bits.",
            "default": 11,
            "examples": [
                11
            ]
        },
        "MaxPacketBufferSize": {
            "$id": "#/properties/MaxPacketBufferSize",
            "type": "integer",
            "title": "The Maxpacketbuffersize Schema",
            "description": "Maximum buffer size of each packet. The capture will only contain contents of each packet truncated to this size.",
            "default": 120,
            "examples": [
                120
            ]
        },
        "MaxFileSize": {
            "$id": "#/properties/MaxFileSize",
            "type": "integer",
            "title": "The Maxfilesize Schema",
            "description": "Maximum file size of the packet capture file. It is a circular buffer.",
            "default": 100,
            "examples": [
                100
            ]
        },
        "Filters": {
            "$id": "#/properties/Filters",
            "type": "array",
            "title": "The Filters Schema",
            "description": "An array of filters that can be passed to filter inner ESP traffic.",
            "default": [],
            "examples": [
                [
                    {
                        "Protocol": [
                            6
                        ],
                        "CaptureSingleDirectionTrafficOnly": true,
                        "SourcePort": [
                            500
                        ],
                        "DestinationPort": [
                            4500
                        ],
                        "TcpFlags": 16,
                        "SourceSubnets": [
                            "20.1.1.0/24"
                        ],
                        "DestinationSubnets": [
                            "10.1.1.0/24"
                        ]
                    }
                ]
            ],
            "additionalItems": true,
            "items": {
                "$id": "#/properties/Filters/items",
                "type": "object",
                "title": "The Items Schema",
                "description": "An explanation about the purpose of this instance.",
                "default": {},
                "examples": [
                    {
                        "SourcePort": [
                            500
                        ],
                        "DestinationPort": [
                            4500
                        ],
                        "TcpFlags": 16,
                        "SourceSubnets": [
                            "20.1.1.0/24"
                        ],
                        "DestinationSubnets": [
                            "10.1.1.0/24"
                        ],
                        "Protocol": [
                            6
                        ],
                        "CaptureSingleDirectionTrafficOnly": true
                    }
                ],
                "additionalProperties": true,
                "required": [
                    "SourceSubnets",
                    "DestinationSubnets",
                    "SourcePort",
                    "DestinationPort",
                    "Protocol",
                    "TcpFlags",
                    "CaptureSingleDirectionTrafficOnly"
                ],
                "properties": {
                    "SourceSubnets": {
                        "$id": "#/properties/Filters/items/properties/SourceSubnets",
                        "type": "array",
                        "title": "The Sourcesubnets Schema",
                        "description": "An array of source subnets that need to match the Source IP address of a packet. Packet can match any one value in the array of inputs.",
                        "default": [],
                        "examples": [
                            [
                                "20.1.1.0/24"
                            ]
                        ],
                        "additionalItems": true,
                        "items": {
                            "$id": "#/properties/Filters/items/properties/SourceSubnets/items",
                            "type": "string",
                            "title": "The Items Schema",
                            "description": "An explanation about the purpose of this instance.",
                            "default": "",
                            "examples": [
                                "20.1.1.0/24"
                            ]
                        }
                    },
                    "DestinationSubnets": {
                        "$id": "#/properties/Filters/items/properties/DestinationSubnets",
                        "type": "array",
                        "title": "The Destinationsubnets Schema",
                        "description": "An array of destination subnets that need to match the Destination IP address of a packet. Packet can match any one value in the array of inputs.",
                        "default": [],
                        "examples": [
                            [
                                "10.1.1.0/24"
                            ]
                        ],
                        "additionalItems": true,
                        "items": {
                            "$id": "#/properties/Filters/items/properties/DestinationSubnets/items",
                            "type": "string",
                            "title": "The Items Schema",
                            "description": "An explanation about the purpose of this instance.",
                            "default": "",
                            "examples": [
                                "10.1.1.0/24"
                            ]
                        }
                    },
                    "SourcePort": {
                        "$id": "#/properties/Filters/items/properties/SourcePort",
                        "type": "array",
                        "title": "The Sourceport Schema",
                        "description": "An array of source ports that need to match the Source port of a packet. Packet can match any one value in the array of inputs.",
                        "default": [],
                        "examples": [
                            [
                                500
                            ]
                        ],
                        "additionalItems": true,
                        "items": {
                            "$id": "#/properties/Filters/items/properties/SourcePort/items",
                            "type": "integer",
                            "title": "The Items Schema",
                            "description": "An explanation about the purpose of this instance.",
                            "default": 0,
                            "examples": [
                                500
                            ]
                        }
                    },
                    "DestinationPort": {
                        "$id": "#/properties/Filters/items/properties/DestinationPort",
                        "type": "array",
                        "title": "The Destinationport Schema",
                        "description": "An array of destination ports that need to match the Destination port of a packet. Packet can match any one value in the array of inputs.",
                        "default": [],
                        "examples": [
                            [
                                4500
                            ]
                        ],
                        "additionalItems": true,
                        "items": {
                            "$id": "#/properties/Filters/items/properties/DestinationPort/items",
                            "type": "integer",
                            "title": "The Items Schema",
                            "description": "An explanation about the purpose of this instance.",
                            "default": 0,
                            "examples": [
                                4500
                            ]
                        }
                    },
                    "Protocol": {
                        "$id": "#/properties/Filters/items/properties/Protocol",
                        "type": "array",
                        "title": "The Protocol Schema",
                        "description": "An array of protocols that need to match the Protocol of a packet. Packet can match any one value in the array of inputs.",
                        "default": [],
                        "examples": [
                            [
                                6
                            ]
                        ],
                        "additionalItems": true,
                        "items": {
                            "$id": "#/properties/Filters/items/properties/Protocol/items",
                            "type": "integer",
                            "title": "The Items Schema",
                            "description": "An explanation about the purpose of this instance.",
                            "default": 0,
                            "examples": [
                                6
                            ]
                        }
                    },
                    "TcpFlags": {
                        "$id": "#/properties/Filters/items/properties/TcpFlags",
                        "type": "integer",
                        "title": "The Tcpflags Schema",
                        "description": "A list of TCP flags. The TCP flags set on the packet must match any flag in the list of flags provided. FIN = 0x01,SYN = 0x02,RST = 0x04,PSH = 0x08,ACK = 0x10,URG = 0x20,ECE = 0x40,CWR = 0x80. An OR of flags can be provided.",
                        "default": 0,
                        "examples": [
                            16
                        ]
                    },
                    "CaptureSingleDirectionTrafficOnly": {
                        "$id": "#/properties/Filters/items/properties/CaptureSingleDirectionTrafficOnly",
                        "type": "boolean",
                        "title": "The Capturesingledirectiontrafficonly Schema",
                        "description": "A flags which when set captures reverse traffic also.",
                        "default": false,
                        "examples": [
                            true
                        ]
                    }
                }
            }
        }
    }
}

Set up packet capture by using PowerShell

The following examples show PowerShell commands that start and stop packet captures. For more information on parameter options, see this PowerShell document.

Start packet capture for a VPN gateway

Start-AzVirtualNetworkGatewayPacketCapture -ResourceGroupName "YourResourceGroupName" -Name "YourVPNGatewayName"

You can use the optional parameter -FilterData to apply a filter.

Stop packet capture for a VPN gateway

Stop-AzVirtualNetworkGatewayPacketCapture -ResourceGroupName "YourResourceGroupName" -Name "YourVPNGatewayName" -SasUrl "YourSASURL"

Start packet capture for a VPN gateway connection

Start-AzVirtualNetworkGatewayConnectionPacketCapture -ResourceGroupName "YourResourceGroupName" -Name "YourVPNGatewayConnectionName"

You can use the optional parameter -FilterData to apply a filter.

Stop packet capture on a VPN gateway connection

Stop-AzVirtualNetworkGatewayConnectionPacketCapture -ResourceGroupName "YourResourceGroupName" -Name "YourVPNGatewayConnectionName" -SasUrl "YourSASURL"
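
The following script is an added example, not part of the original page: it builds the -FilterData JSON from named flags, using the bit values given in the schema descriptions above, then runs a connection capture for the suggested 600 seconds and always stops it. The helper functions Join-Bits and New-CaptureFilterJson, the variable names, and the chosen filter values are assumptions made for illustration; resource names and the SAS URL are the page's placeholders.

```powershell
# Bit values copied from the schema descriptions on this page.
$TracingBits = @{ CaptureESP = 1; CaptureIKE = 2; CaptureOVPN = 8 }
$TcpBits = @{ FIN = 0x01; SYN = 0x02; RST = 0x04; PSH = 0x08
              ACK = 0x10; URG = 0x20; ECE = 0x40; CWR = 0x80 }

function Join-Bits([hashtable]$Table, [string[]]$Names) {   # hypothetical helper
    $value = 0
    foreach ($n in $Names) {
        if (-not $Table.ContainsKey($n)) { throw "Unknown flag name: $n" }
        $value = $value -bor $Table[$n]
    }
    return $value
}

function New-CaptureFilterJson {   # hypothetical helper, not an Az cmdlet
    param(
        [string[]]$Tracing = @('CaptureESP', 'CaptureIKE', 'CaptureOVPN'),
        [string[]]$TcpFlags = @(),
        [string[]]$SourceSubnets = @(), [string[]]$DestinationSubnets = @(),
        [int[]]$SourcePort = @(), [int[]]$DestinationPort = @(),
        [int[]]$Protocol = @(), [switch]$SingleDirection
    )
    # Every property the schema marks as required is emitted, even when empty.
    $filter = [ordered]@{
        SourceSubnets      = $SourceSubnets
        DestinationSubnets = $DestinationSubnets
        SourcePort         = $SourcePort
        DestinationPort    = $DestinationPort
        Protocol           = $Protocol
        TcpFlags           = (Join-Bits $TcpBits $TcpFlags)
        CaptureSingleDirectionTrafficOnly = [bool]$SingleDirection
    }
    [ordered]@{
        TracingFlags        = (Join-Bits $TracingBits $Tracing)
        MaxPacketBufferSize = 120   # each packet is truncated to this size
        MaxFileSize         = 200
        Filters             = @($filter)   # only one filter can be used at a time
    } | ConvertTo-Json -Depth 5     # default depth would flatten the nested arrays
}

$rg = 'YourResourceGroupName'; $conn = 'YourVPNGatewayConnectionName'
$sasUrl = 'YourSASURL'
# TCP (protocol 6) packets carrying SYN or RST between the two sample subnets
$json = New-CaptureFilterJson -Protocol 6 -TcpFlags SYN, RST `
    -SourceSubnets '20.1.1.0/24' -DestinationSubnets '10.1.1.0/24'

Start-AzVirtualNetworkGatewayConnectionPacketCapture -ResourceGroupName $rg -Name $conn -FilterData $json
try { Start-Sleep -Seconds 600 }   # suggested minimum capture duration
finally {                          # stop even if interrupted: captures affect performance
    Stop-AzVirtualNetworkGatewayConnectionPacketCapture -ResourceGroupName $rg -Name $conn -SasUrl $sasUrl
}
```

The SAS URL grants access to the storage container that receives the capture, so supply it at run time rather than committing it to a script.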

Key considerations

  • Running packet capture can affect performance. Remember to stop the packet capture when you don't need it.
  • Suggested minimum packet capture duration is 600 seconds. Because of sync issues among multiple components on the path, shorter packet captures might not provide complete data.
  • Packet capture data files are generated in PCAP format. Use Wireshark or other commonly available applications to open PCAP files.
  • Packet captures aren't supported on policy-based gateways.

Next steps

For more information about VPN Gateway, see What is VPN Gateway?