I needed to capture some traffic on a remote machine and analyze it in Real Time ™. I found two solutions. The first just sends the output of tcpdump across the ssh session and saves it locally:
ssh host.example.org "tcpdump -i eth0 -U -w - not port 22" > capture.pcap
tcpdump normally needs root on the remote side, so prefix it with sudo if you are not logging in as root. The "not port 22" filter matters: without it the capture includes the ssh session that carries the capture, so every captured packet produces more ssh traffic to capture. Without -U tcpdump block-buffers when writing to a pipe, so packets arrive in chunks rather than as they are seen, which is not much use for real-time analysis.
The other method, picked up from the Wireshark wiki, lets the captured traffic be viewed in Wireshark as it is being captured. This is done with a combination of ssh and a fifo. The exact command can vary slightly, and I suggest reading the relevant man pages, but something similar to the following (taken from their wiki) should do the trick.
mkfifo /tmp/pipe
ssh user@remote-host "tshark -w - not port 22" > /tmp/pipe
wireshark -k -i /tmp/pipe
Note that the redirect into the fifo blocks until something opens it for reading, so either run the ssh line in a second terminal or background it with & before starting Wireshark; -k tells Wireshark to start capturing immediately. The remote user needs permission to capture (root, or dumpcap/tshark set up with capture privileges). Newer Wireshark versions also ship an sshdump extcap interface that does the same thing from the GUI.
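The following script wraps the fifo method above into something reusable. It is an added example, not code from the original post or from the Wireshark wiki: it assumes the remote user can run tcpdump via sudo (the wiki example uses tshark instead), that Wireshark is installed locally, and that the ssh session runs on the port given as the third argument (default 22). The fifo is created inside a private mktemp directory so nobody else can pre-create the path, the capture filter excludes the ssh session carrying the capture, and tcpdump runs with -U so packets are flushed to Wireshark as they arrive.

```shell
#!/bin/sh
# Live remote capture over ssh into a local fifo read by Wireshark.
# Added example; assumes passwordless sudo for tcpdump on the remote host.

# Build the remote tcpdump command line.
#   $1 = remote interface (e.g. eth0)
#   $2 = port of the ssh session carrying the capture (excluded from capture)
#   $3 = optional extra capture filter, e.g. "and host 10.0.0.5"
# -U flushes every packet to stdout instead of block-buffering, -s 0 keeps
# whole packets, and the filter stops the capture from feeding on itself.
remote_capture_cmd() {
    iface="$1"
    ssh_port="$2"
    extra="$3"
    filter="not tcp port $ssh_port"
    if [ -n "$extra" ]; then
        filter="$filter $extra"
    fi
    printf "sudo tcpdump -i %s -U -s 0 -w - '%s'" "$iface" "$filter"
}

# Start the capture: ssh streams pcap data into a fifo, Wireshark reads it.
#   $1 = user@host, $2 = remote interface, $3 = ssh port (default 22),
#   $4 = optional extra capture filter
run_remote_capture() {
    host="$1"
    iface="$2"
    ssh_port="${3:-22}"
    extra="$4"
    # Private directory so the fifo path cannot be planted by another user.
    dir=$(mktemp -d) || return 1
    fifo="$dir/capture"
    mkfifo -m 600 "$fifo" || { rm -rf "$dir"; return 1; }
    # The redirect into the fifo blocks until a reader opens it, so ssh has
    # to run in the background before Wireshark is started.
    ssh -p "$ssh_port" "$host" \
        "$(remote_capture_cmd "$iface" "$ssh_port" "$extra")" > "$fifo" &
    sshpid=$!
    wireshark -k -i "$fifo"
    # Wireshark has closed the fifo; tear down the ssh session and clean up.
    kill "$sshpid" 2>/dev/null
    rm -rf "$dir"
}

# Usage: ./remotecap.sh user@remote-host eth0 [ssh_port] ["and host 10.0.0.5"]
if [ "$#" -ge 2 ]; then
    run_remote_capture "$@"
fi
```

When Wireshark exits it closes its end of the fifo, ssh gets SIGPIPE on its next write and the session drops, which is what ends tcpdump on the remote side; if the remote tcpdump lingers after an abrupt disconnect, kill it by hand.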
