Earlier this year, Microsoft released a preview of the Azure Network Watcher. It includes a number of network analysis and troubleshooting features, but the packet capture is the one I get the most questions about. The capture is written to a .cap file in the standard format used by popular network capture tools such as Wireshark.
In addition to enabling the Network Watcher VM extension, we need to enable Network Watcher in each Azure region where we have resources we need to monitor. If we highlight the subscription, we can enable it in all Azure regions in one click.
Then, we select Network Watcher and click the +Add button.
When we configure the packet capture settings, we can configure several options, including source and target machine, as well as the length of time of the capture.
Note: I like the option to store the capture file in a storage account for central storage, but we can also select the File option to store the capture on the target VM.
By clicking the +Add filter option, we can configure many of the same types of filters we could with popular capture tools, including ports, addresses and protocols, and take a capture.
Once the capture is complete, we can click on the .cap file to proceed with the download, which then requires clicking a Download link.
Then, we can open the file in the tool of our choice, such as Wireshark.
While we can start captures manually, we can also start captures programmatically, such as through Azure Functions.
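As an added example that is not part of the original post, the same capture can be driven from the Azure CLI instead of the portal: enable the region, install the agent extension, then start a filtered, time-limited capture into a storage account. The resource group, VM, region, storage account and filter values are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: drive the same Network Watcher
# packet capture from the Azure CLI instead of the portal. All resource names,
# the region and the filter values are placeholders constructed for illustration.
# Prints the commands by default (DRY_RUN=1); set DRY_RUN=0 to execute them.
set -eu

RG="${RG:-MyResourceGroup}"            # resource group of the target VM (assumed)
VM="${VM:-web01}"                      # target VM (assumed); receives the agent extension
LOCATION="${LOCATION:-eastus}"         # region to enable Network Watcher in (assumed)
STORAGE="${STORAGE:-mycapturestore}"   # storage account that receives the .cap file (assumed)
CAPTURE_NAME="${CAPTURE_NAME:-cap-$(date +%Y%m%d%H%M%S)}"
DRY_RUN="${DRY_RUN:-1}"

# Run an az command, or print it when DRY_RUN=1 so it can be reviewed first.
run_az() {
  if [ "$DRY_RUN" = "1" ]; then printf 'az %s\n' "$*"; else az "$@"; fi
}

# Build one filter object from key=value pairs, e.g. protocol=TCP remotePort=443.
# Keys mirror the portal's "+Add filter" fields: protocol, localIPAddress,
# localPort, remoteIPAddress, remotePort. A key that is omitted matches anything.
capture_filter() {
  out=""
  for kv in "$@"; do
    out="${out:+$out,}\"${kv%%=*}\":\"${kv#*=}\""
  done
  printf '{%s}' "$out"
}

# Same steps as the portal walkthrough: enable the region, install the VM
# extension, then start a capture that stops after 5 minutes or 100 MB.
start_capture() {
  filters="[$(capture_filter protocol=TCP remotePort=443),$(capture_filter protocol=TCP localPort=22)]"
  run_az network watcher configure --resource-group NetworkWatcherRG \
    --locations "$LOCATION" --enabled true
  run_az vm extension set --resource-group "$RG" --vm-name "$VM" \
    --name NetworkWatcherAgentLinux --publisher Microsoft.Azure.NetworkWatcher
  run_az network watcher packet-capture create --resource-group "$RG" --vm "$VM" \
    --name "$CAPTURE_NAME" --storage-account "$STORAGE" \
    --time-limit 300 --capture-limit 104857600 --filters "$filters"
}

# Check whether the capture is still running, stopped, or hit an error.
capture_status() {
  run_az network watcher packet-capture show-status --location "$LOCATION" \
    --name "$CAPTURE_NAME" -o table
}

start_capture
```

Windows targets use the NetworkWatcherAgentWindows extension instead; the capture itself is configured the same way.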