Document Details
Packet Capture Manage
This page contains Windows bias
About This Page
This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
Bias Analysis
Detected Bias Types
windows_first
powershell_heavy
windows_tools
missing_linux_example
Summary
The documentation demonstrates a moderate Windows bias. PowerShell is featured as a primary automation method, and file path examples (e.g., C:\Capture\myVM_1.cap) are consistently shown before Linux equivalents. Download examples and tool recommendations (e.g., Azure Storage Explorer) are Windows-centric, and Linux-specific instructions or examples are minimal or only mentioned as afterthoughts. There are no explicit Linux shell (bash) examples for downloading files or handling packet captures locally, and guidance for Linux users is limited to brief notes about file paths.
Recommendations
- Provide Linux-first or at least parallel Linux examples (e.g., show /var/captures/myVM_1.cap alongside C:\Capture\myVM_1.cap in all relevant code and tables).
- Include bash or Linux shell command examples for downloading packet captures from Azure Storage (e.g., using azcopy, wget, or curl).
- Mention and link to cross-platform tools (such as azcopy or rclone) for managing Azure Storage, not just Azure Storage Explorer.
- When referencing local file paths, always show both Windows and Linux formats together, not just as a note.
- In PowerShell and CLI sections, explicitly call out any OS-specific differences or requirements.
- Consider adding a dedicated section or callout for Linux/macOS users, summarizing key differences and recommended tools.
Create Pull Request
Scan History
| Date | Scan | Status | Result |
|---|---|---|---|
| 2026-01-14 00:00 | #250 | in_progress |
Biased
|
| 2026-01-13 00:00 | #246 | completed |
Biased
|
| 2026-01-11 00:00 | #240 | completed |
Biased
|
| 2026-01-10 00:00 | #237 | completed |
Biased
|
| 2026-01-09 00:34 | #234 | completed |
Biased
|
| 2026-01-08 00:53 | #231 | completed |
Biased
|
| 2026-01-06 18:15 | #225 | cancelled |
 Clean
|
| 2025-08-17 00:01 | #83 | cancelled |
Clean
|
| 2025-07-13 21:37 | #48 | completed |
Clean
|
| 2025-07-12 23:44 | #41 | cancelled |
Clean
|
| 2025-07-09 13:09 | #3 | cancelled |
Clean
|
| 2025-07-08 04:23 | #2 | cancelled |
Biased
|
Flagged Code Snippets
The following output is an example of the output from the `Get-AzNetworkWatcherPacketCapture` cmdlet. The following example is after the capture is complete. The PacketCaptureStatus value is Stopped, with a StopReason of TimeExceeded. This value shows that the packet capture was successful and ran its time.
# [**PowerShell**](#tab/powershell) If a storage account is specified, capture files are saved to the storage account at the following path:
The following table describes the optional parameters that you can use with the [New-AzNetworkWatcherPacketCapture](/powershell/module/az.network/new-aznetworkwatcherpacketcapture) cmdlet: | Parameter | description | | --- | --- | | `-Filter` | Add filter(s) to capture only the traffic you want. For example, you can capture only TCP traffic from a specific IP address to a specific port. | | `-TimeLimitInSeconds` | Set the maximum duration of the capture session. The default value is 18000 seconds (5 hours). | | `-BytesToCapturePerPacket` | Set the maximum number of bytes to be captured per each packet. All bytes are captured if not used or 0 entered. | | `-TotalBytesPerSession` | Set the total number of bytes that are captured. Once the value is reached the packet capture stops. Up to 1 GB (1,073,741,824 bytes) is captured if not used. | | `-LocalFilePath` | Enter a valid local file path if you want the capture to be saved in the target virtual machine (For example, C:\Capture\myVM_1.cap). If you're using a Linux machine, the path must start with /var/captures. | The packet capture stops once the time limit or the file size (maximum bytes per session) is reached. # [**Azure CLI**](#tab/cli) To start a capture session, use [az network watcher packet-capture create](/cli/azure/network/watcher/packet-capture#az-network-watcher-packet-capture-create) command:
The following table describes the optional parameters that you can use with the [az network watcher packet-capture create](/cli/azure/network/watcher/packet-capture#az-network-watcher-packet-capture-create) command: | Parameter | description | | --- | --- | | `--filters` | Add filter(s) to capture only the traffic you want. For example, you can capture only TCP traffic from a specific IP address to a specific port. | | `--time-limit` | Set the maximum duration of the capture session. The default value is 18000 seconds (5 hours). | | `--capture-size` | Set the maximum number of bytes to be captured per each packet. All bytes are captured if not used or 0 entered. | | `--capture-limit` | Set the total number of bytes that are captured. Once the value is reached the packet capture stops. Up to 1 GB (1,073,741,824 bytes) is captured if not used. | | `--file-path` | Enter a valid local file path if you want the capture to be saved in the target virtual machine (For example, C:\Capture\myVM_1.cap). If you're using a Linux machine, the path must start with /var/captures. | The packet capture stops once the time limit or the file size (maximum bytes per session) is reached. --- ## Stop a packet capture # [**Portal**](#tab/portal) To manually stop a packet capture session before it reaches its time or file size limits, select the ellipsis **...** on the right-side of the packet capture, or right-click it, then select **Stop**. :::image type="content" source="./media/packet-capture-manage/stop-packet-capture.png" alt-text="Screenshot that shows how to stop a packet capture in the Azure portal." lightbox="./media/packet-capture-manage/stop-packet-capture.png"::: # [**PowerShell**](#tab/powershell) To manually stop a packet capture session before it reaches its time or file size limits, use the [Stop-AzNetworkWatcherPacketCapture](/powershell/module/az.network/stop-aznetworkwatcherpacketcapture) cmdlet.
> [!NOTE] > The command doesn't return a response whether ran on a currently running capture session or a session that has already stopped. --- ## View packet capture status # [**Portal**](#tab/portal) Go to the **Packet capture** page of Network Watcher to list existing packet captures regardless of their status. :::image type="content" source="./media/packet-capture-manage/view-packet-capture.png" alt-text="Screenshot that shows how to list and see packet captures in the Azure portal." lightbox="./media/packet-capture-manage/view-packet-capture.png"::: # [**PowerShell**](#tab/powershell) Use [Get-AzNetworkWatcherPacketCapture](/powershell/module/az.network/get-aznetworkwatcherpacketcapture) cmdlet to retrieve the status of a packet capture (running or completed).
> [!NOTE] > To get more details in the output, add `| Format-List` to the end of the command. # [**Azure CLI**](#tab/cli) Use [az network watcher packet-capture show-status](/cli/azure/network/watcher/packet-capture#az-network-watcher-packet-capture-show-status) command to retrieve the status of a packet capture (running or completed).
To download a packet capture from Azure storage to the local disk, use [Get-AzStorageBlobContent](/powershell/module/az.storage/get-azstorageblobcontent) cmdlet:
---
> [!NOTE]
> You can use Azure Storage Explorer to download capture files from the storage account container. Storage Explorer is a standalone app that you can conveniently use to access and work with Azure Storage data. For more information, see [Get started with Storage Explorer](../vs-azure-tools-storage-manage-with-storage-explorer.md).
> [!IMPORTANT]
> During the packet capture session, the capture file might not immediately appear in the storage account container because it's initially saved to a temporary location. The file is transferred to its final location after the capture session is completed.
To download a packet capture file saved to the virtual machine (VM), connect to the VM and download the file from the local path specified during the packet capture creation.
## Delete a packet capture
# [**Portal**](#tab/portal)
1. In the **Packet capture** page, select **...** on the right-side of the packet capture that you want to delete, or right-click it, then select **Delete**.
:::image type="content" source="./media/packet-capture-manage/delete-packet-capture.png" alt-text="Screenshot that shows how to delete a packet capture from Network Watcher in Azure portal." lightbox="./media/packet-capture-manage/delete-packet-capture.png":::
1. Select **Yes**.
# [**PowerShell**](#tab/powershell)
Use [Remove-AzNetworkWatcherPacketCapture](/powershell/module/az.network/remove-aznetworkwatcherpacketcapture) to delete a packet capture resource.