Merge pull request #222948 from halkazwini/nw-vm-pc2

Network Watcher: Freshness: Manage packet captures with Azure Network Watcher using the portal

Author: JamesJBarnett

articles/network-watcher/media/network-watcher-packet-capture-manage-portal/add-packet-capture.png

@@ -1,98 +1,117 @@
 ---
-title: Manage packet captures - Azure portal
+title: Manage packet captures in VMs with Network Watcher - Azure portal
 titleSuffix: Azure Network Watcher
-description: Learn how to manage the packet capture feature of Network Watcher using the Azure portal.
+description: Learn how to manage packet captures in virtual machines with the packet capture feature of Network Watcher using the Azure portal.
 services: network-watcher
-documentationcenter: na
 author: shijaiswal
 ms.service: network-watcher
 ms.topic: how-to
-ms.tgt_pltfrm: na
 ms.workload:  infrastructure-services
-ms.date: 01/07/2021
+ms.date: 01/04/2023
 ms.author: shijaiswal
+ms.custom: template-how-to, engagement-fy23
 ---
 
-# Manage packet captures with Azure Network Watcher using the portal
+# Manage packet captures in virtual machines with Azure Network Watcher using the Azure portal
+
+> [!div class="op_single_selector"]
+> - [Azure portal](network-watcher-packet-capture-manage-portal.md)
+> - [PowerShell](network-watcher-packet-capture-manage-powershell.md)
+> - [Azure CLI](network-watcher-packet-capture-manage-cli.md)
+> - [Azure REST API](network-watcher-packet-capture-manage-rest.md)
 
 Network Watcher packet capture allows you to create capture sessions to track traffic to and from a virtual machine. Filters are provided for the capture session to ensure you capture only the traffic you want. Packet capture helps to diagnose network anomalies, both reactively, and proactively. Other uses include gathering network statistics, gaining information on network intrusions, to debug client-server communication, and much more. Being able to remotely trigger packet captures, eases the burden of running a packet capture manually on a desired virtual machine, which saves valuable time.
 
 In this article, you learn to start, stop, download, and delete a packet capture. 
 
-## Before you begin
+## Prerequisites
 
-Packet capture requires the following outbound TCP connectivity:
-- to the chosen storage account over port 443
-- to 169.254.169.254 over port 80
-- to 168.63.129.16 over port 8037
+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+- A virtual machine with the following outbound TCP connectivity:
+    - to the chosen storage account over port 443
+    - to 169.254.169.254 over port 80
+    - to 168.63.129.16 over port 8037
 
 > [!NOTE]
-> The ports mentioned in the latter two cases above are common across all Network Watcher features that involve the Network Watcher extension and might occasionally change.
-
+> The ports mentioned in the latter two cases are common across all Network Watcher features that involve the Network Watcher extension and might occasionally change.
 
-If a network security group is associated to the network interface, or subnet that the network interface is in, ensure that rules exist that allow the previous ports. Similarly, adding user-defined traffic routes to your network may prevent connectivity to the above mentioned IPs and ports. Please ensure they are reachable. 
+If a network security group is associated to the network interface, or subnet that the network interface is in, ensure that rules exist to allow outbound connectivity over the previous ports. Similarly, ensure outbound connectivity over the previous ports when adding user-defined routes to your network.
 
 ## Start a packet capture
 
-1. In your browser, navigate to the [Azure portal](https://portal.azure.com) and select **All services**, and then select **Network Watcher** in the **Networking section**.
-2. Select **Packet capture** under **Network diagnostic tools**. Any existing packet captures are listed, regardless of their status.
-3. Select **Add** to create a packet capture. You can select values for the following properties:
-   - **Subscription**: The subscription that the virtual machine you want to create the packet capture for is in.
-   - **Resource group**: The resource group of the virtual machine.
-   - **Target virtual machine**: The virtual machine that you want to create the packet capture for.
-   - **Packet capture name**: A name for the packet capture.
-   - **Storage account or file**: Select **Storage account**, **File**, or both. If you select **File**, the capture is written to a path within the virtual machine.
-   - **Local file path**: The local path on the virtual machine where the packet capture will be saved (valid only when *File* is selected). The path must be a valid path. If you are using a Linux virtual machine, the path must start with */var/captures*.
-   - **Storage accounts**: Select an existing storage account, if you selected *Storage account*. This option is only available if you selected **Storage**.
-   
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. In the search box at the top of the portal, enter *Network Watcher*.
+1. In the search results, select **Network Watcher**.
+1. Select **Packet capture** under **Network diagnostic tools**. Any existing packet captures are listed, regardless of their status.
+1. Select **+ Add** to create a packet capture. In **Add packet capture**, enter or select values for the following settings:
+
+   | Setting | Value |
+   | --- | --- |
+   | **Basic Details** |  |
+   | Subscription | Select the Azure subscription of the virtual machine. |
+   | Resource group | Select the resource group of the virtual machine. |
+   | Target type | Select **Virtual machine**. |
+   | Target instance | Select the virtual machine. |
+   | Packet capture name | Enter a name or leave the default name. |
+   | **Packet capture configuration** |  |
+   | Capture location | Select **Storage account**, **File**, or **Both**. |
+   | Storage account | Select your **Standard** storage account. <br> This option is available if you selected **Storage account** or **Both**. |
+   | Local file path | Enter a valid local file path where you want the capture to be saved in the target virtual machine. If you're using a Linux machine, the path must start with */var/captures*. <br> This option is available if you selected **File** or **Both**. |
+   | Maximum bytes per packet | Enter the maximum number of bytes to be captured per each packet. All bytes are captured if left blank or 0 entered. |
+   | Maximum bytes per session | Enter the total number of bytes that are captured. Once the value is reached the packet capture stops. Up to 1 GB is captured if left blank. |
+   | Time limit (seconds) | Enter the time limit of the packet capture session in seconds. Once the value is reached the packet capture stops. Up to 5 hours (18,000 seconds) is captured if left blank. |
+   | **Filtering (optional)** |  |   
+   | Add filter criteria | Select **Add filter criteria** to add a new filter. |
+   | Protocol | Filters the packet capture based on the selected protocol. Available values are **TCP**, **UDP**, or **Any**. |   
+   | Local IP address | Filters the packet capture for packets where the local IP address matches this value. |
+   | Local port | Filters the packet capture for packets where the local port matches this value. |
+   | Remote IP address | Filters the packet capture for packets where the remote IP address matches this value. |
+   | Remote port | Filters the packet capture for packets where the remote port matches this value. |
+
      > [!NOTE]
      > Premium storage accounts are currently not supported for storing packet captures.
 
-   - **Maximum bytes per packet**: The number of bytes from each packet that are captured. If left blank, all bytes are captured.
-   - **Maximum bytes per session**: The total number of bytes that are captured. Once the value is reached the packet capture stops.
-   - **Time limit (seconds)**: The time limit before the packet capture is stopped. The default is 18,000 seconds.
-   - Filtering (Optional). Select **+ Add filter**
-     - **Protocol**: The protocol to filter for the packet capture. The available values are TCP, UDP, and Any.
-     - **Local IP address**: Filters the packet capture for packets where the local IP address matches this value.
-     - **Local port**: Filters the packet capture for packets where the local port matches this value.
-     - **Remote IP address**: Filters the packet capture for packets where the remote IP address matches this value.
-     - **Remote port**: Filters the packet capture for packets where the remote port matches this value.
-    
      > [!NOTE]
-     > Port and IP address values can be a single value, range of values, or a range, such as 80-1024, for port. You can define as many filters as you need.
+     > Port and IP address values can be a single value, multiple values, or a range, such as 80-1024, for port. You can define as many filters as you need.
+
+1. Select **Start packet capture**.
 
-4. Select **OK**.
+    :::image type="content" source="./media/network-watcher-packet-capture-manage-portal/add-packet-capture.png" alt-text="Screenshot of Add packet capture in Azure portal showing available options.":::
 
-After the time limit set on the packet capture has expired, the packet capture is stopped, and can be reviewed. You can also manually stop a packet capture session.
+1. Once the time limit set on the packet capture is reached, the packet capture stops and can be reviewed. To manually stop a packet capture session before it reaches its time limit, select the **...** on the right-side of the packet capture in **Packet capture** page, or right-click it, then select **Stop**.
+ 
+    :::image type="content" source="./media/network-watcher-packet-capture-manage-portal/stop-packet-capture.png" alt-text="Screenshot showing how to stop a packet capture in Azure portal.":::
 
 > [!NOTE]
-> The portal automatically:
->  * Creates a  network watcher in the same region as the region the virtual machine you selected exists in, if the region doesn't already have a network watcher.
->  * Adds the *AzureNetworkWatcherExtension* [Linux](../virtual-machines/extensions/network-watcher-linux.md) or [Windows](../virtual-machines/extensions/network-watcher-windows.md) virtual machine extension to the virtual machine, if it's not already installed.
+> The Azure portal automatically:
+>  * Creates a network watcher in the same region as the region of the target virtual machine, if the region doesn't already have a network watcher.
+>  * Adds `AzureNetworkWatcherExtension` to [Linux](../virtual-machines/extensions/network-watcher-linux.md) or [Windows](../virtual-machines/extensions/network-watcher-windows.md) virtual machines, if the extension isn't already installed.
 
 ## Delete a packet capture
 
-1. In the packet capture view, select **...** on the right-side of the packet capture, or right-click an existing packet capture, and select **Delete**.
-2. You are asked to confirm you want to delete the packet capture. Select **Yes**.
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. In the search box at the top of the portal, enter *Network Watcher*, then select **Network Watcher** from the search results.
+1. Select **Packet capture** under **Network diagnostic tools**.
+1. In the **Packet capture** page, select **...** on the right-side of the packet capture that you want to delete, or right-click it, then select **Delete**.
 
-> [!NOTE]
-> Deleting a packet capture does not delete the capture file in the storage account or on the virtual machine.
+    :::image type="content" source="./media/network-watcher-packet-capture-manage-portal/delete-packet-capture.png" alt-text="Screenshot showing how to delete a packet capture from Network Watcher in Azure portal.":::
 
-## Stop a packet capture
+1. Select **Yes**.
 
-In the packet capture view, select **...** on the right-side of the packet capture, or right-click an existing packet capture, and select **Stop**.
+> [!NOTE]
+> Deleting a packet capture does not delete the capture file in the storage account or on the virtual machine.
 
 ## Download a packet capture
 
-Once your packet capture session has completed, the capture file is uploaded to blob storage or to a local file on the virtual machine. The storage location of the packet capture is defined during creation of the packet capture. A convenient tool to access capture files saved to a storage account is Microsoft Azure Storage Explorer, which you can [download](https://storageexplorer.com/).
+Once your packet capture session has completed, the capture file is saved to a blob storage or a local file on the target virtual machine. The storage location of the packet capture is defined during creation of the packet capture. A convenient tool to access capture files saved to a storage account is Azure Storage Explorer, which you can [download](https://storageexplorer.com/) after selecting the operating system.
 
-If a storage account is specified, packet capture files are saved to a storage account at the following location:
+- If a storage account is specified, packet capture files are saved to a storage account at the following location:
 
-```
-https://{storageAccountName}.blob.core.windows.net/network-watcher-logs/subscriptions/{subscriptionId}/resourcegroups/{storageAccountResourceGroup}/providers/microsoft.compute/virtualmachines/{VMName}/{year}/{month}/{day}/packetCapture_{creationTime}.cap
-```
+    ```
+    https://{storageAccountName}.blob.core.windows.net/network-watcher-logs/subscriptions/{subscriptionId}/resourcegroups/{storageAccountResourceGroup}/providers/microsoft.compute/virtualmachines/{VMName}/{year}/{month}/{day}/packetCapture_{creationTime}.cap
+    ```
 
-If you selected **File** when you created the capture, you can view or download the file from the path you configured on the virtual machine.
+- If a file path is specified, the capture file can be viewed on the virtual machine or downloaded.
 
 ## Next steps
 

articles/network-watcher/media/network-watcher-packet-capture-manage-portal/delete-packet-capture.png

@@ -139,19 +139,19 @@
       items:
       - name: Manage a packet capture
         items:
-        - name: Azure portal VM
+        - name: Virtual machine - portal
           href: network-watcher-packet-capture-manage-portal.md
-        - name: Azure portal virtual machine scale set
+        - name: Virtual machine scale set - portal
           href: network-watcher-packet-capture-manage-portal-vmss.md
-        - name: Azure PowerShell VM
+        - name: Virtual machine - PowerShell
           href: network-watcher-packet-capture-manage-powershell.md
-        - name: Azure PowerShell virtual machine scale set
+        - name: Virtual machine scale set - PowerShell
           href: network-watcher-packet-capture-manage-powershell-vmss.md
-        - name: The Azure CLI
+        - name: Virtual machine - Azure CLI
           href: network-watcher-packet-capture-manage-cli.md
-        - name: REST VM
+        - name: Virtual machine - REST
           href: network-watcher-packet-capture-manage-rest.md
-        - name: REST virtual machine scale set
+        - name: Virtual machine scale set - REST
           href: network-watcher-packet-capture-manage-rest-vmss.md
       - name: Analyze a packet capture
         items: