Performing remote Wireshark and tcpdump over SSH

tcpdump can be told to write its capture to standard output, and Wireshark can read a capture from standard input. SSH lets you execute a command on a remote host and stream its output back to the local machine.

Chaining the three gives a quick remote Wireshark capture. One handy use is capturing on a Ubiquiti router. For example:

ssh 192.168.0.1 'sudo tcpdump -f -i eth1 -w - port 53' | /Applications/Local/Wireshark.app/Contents/MacOS/Wireshark -k -i -

This SSHes to my home router and starts tcpdump listening on interface eth1. It writes the capture to STDOUT ('-w -') and captures only port 53 traffic. The stream is piped into Wireshark on my local machine: -k means "start capturing immediately" and -i selects the interface, in this case STDIN ('-').
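As an added example (not from the original post), the one-liner above wrapped in a small POSIX shell script. It builds the remote tcpdump command, adds two flags the post does not use, and ANDs the capture filter with "not port 22" so the SSH session carrying the capture stream does not capture its own packets (on an interface that also carries the SSH session, that feedback loop can flood the capture). The hostname, interface, filter and Wireshark path are assumptions for your environment.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumed values: router address,
# interface name, BPF filter and the Wireshark binary location.

# build_remote_capture_cmd IFACE FILTER
# Prints the command to run on the remote host. Compared with the post's one-liner:
#   -U   packet-buffered output, so each packet reaches Wireshark as it is captured
#        rather than when tcpdump's write buffer fills
#   -n   no name resolution on the router (quieter and faster)
# The user's filter is ANDed with "not port 22" so the SSH transport of the
# capture stream is excluded from the capture itself.
build_remote_capture_cmd() {
    iface=$1
    filter=$2
    # Refuse interface names that could break out of the remote command line.
    case "$iface" in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface name: $iface" >&2; return 1 ;;
    esac
    # The filter is embedded in single quotes, so it must not contain one.
    case "$filter" in
        *\'*) echo "filter must not contain single quotes" >&2; return 1 ;;
    esac
    if [ -n "$filter" ]; then
        bpf="($filter) and not port 22"
    else
        bpf="not port 22"
    fi
    printf "sudo tcpdump -U -n -i %s -w - '%s'" "$iface" "$bpf"
}

# Assumed Wireshark location (stock macOS install path).
WIRESHARK=${WIRESHARK:-/Applications/Wireshark.app/Contents/MacOS/Wireshark}

# remote_capture HOST IFACE FILTER
# Runs tcpdump on HOST and streams the pcap into a local Wireshark window.
remote_capture() {
    host=$1
    iface=$2
    filter=$3
    cmd=$(build_remote_capture_cmd "$iface" "$filter") || return 1
    # ssh -n: do not read local stdin, so nothing else is mixed into the pcap stream.
    ssh -n "$host" "$cmd" | "$WIRESHARK" -k -i -
}

# Usage (uncomment to run against a real router):
# remote_capture 192.168.0.1 eth1 'port 53'
```

If the router's SSH daemon listens on a non-standard port, change "not port 22" accordingly; if you capture on an interface the SSH session does not traverse, the exclusion is harmless.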