remote packet capture with wireshark and tshark on linux

I’ve thought about this a lot. There’s an old rpcapd project that’s not particularly Linux friendly to start with, and it’s old. But I saw these notes about pipes and it gave me the idea.

1) I have PKI set up so I can authenticate to other machines using keys. I’ve already entered my passphrase.
2) I’ve installed tshark on the remote machine, and wireshark on my machine.
3) The sudoers file on the remote machine is configured with “%admins ALL = NOPASSWD: /usr/bin/tshark”.
4) The remote machine is Debian, and my machine is Ubuntu.

mkfifo /tmp/shark
ssh remotehost sudo tshark -i eth1 -f 'port 1433' -w - > /tmp/shark &
wireshark -k -i /tmp/shark

Whatever filter you use, you’ll want at least ‘not port ssh’ or ‘not host yourhost’; otherwise you’ll just be seeing the constant ssh traffic of your own session. In this particular case I was looking for only MSSQL traffic on port 1433.
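The same procedure wrapped in a small script, as an added example that is not part of the original post: it creates a private fifo, runs tshark on the remote side over ssh with the ssh port always excluded from the capture filter (the point made above), hands the fifo to wireshark, and cleans up when wireshark exits. The host name, interface and the “remotehost”/“eth1” values in the comments are placeholders supplied by the caller; the sudo invocation assumes the NOPASSWD rule for /usr/bin/tshark from the prerequisites.

```shell
#!/bin/sh
# Added example (not from the original post): the mkfifo/ssh/tshark/wireshark
# procedure as a script. Host, interface and filter come from the caller;
# "remotehost" and "eth1" in the comments are placeholders.
set -eu

# Compose the capture filter for the remote tshark. The ssh session that
# carries the capture back to us is always excluded (second argument is the
# ssh port, default 22); otherwise the capture is full of its own transport.
build_filter() {
    user_filter="$1"
    ssh_port="${2:-22}"
    if [ -n "$user_filter" ]; then
        printf '(%s) and not port %s' "$user_filter" "$ssh_port"
    else
        printf 'not port %s' "$ssh_port"
    fi
}

# Command executed on the remote side: tshark under sudo (matching the
# NOPASSWD rule for /usr/bin/tshark), capture filter via -f, pcap to stdout.
build_remote_cmd() {
    iface="$1"
    filter="$2"
    printf "sudo tshark -i '%s' -f '%s' -w -" "$iface" "$filter"
}

# Full procedure: private fifo, ssh-backed writer in the background,
# wireshark as the reader, then tear down the ssh session and the fifo.
remote_capture() {
    host="$1"
    iface="$2"
    user_filter="${3:-}"

    # mode 0600 so other local users cannot read the capture stream
    fifo=$(mktemp -u /tmp/shark.XXXXXX)
    mkfifo -m 600 "$fifo"
    trap 'rm -f "$fifo"' EXIT INT TERM

    filter=$(build_filter "$user_filter")
    # -n: ssh takes no stdin, so it can safely sit in the background
    ssh -n "$host" "$(build_remote_cmd "$iface" "$filter")" > "$fifo" &
    ssh_pid=$!

    # wireshark blocks here until its window is closed
    wireshark -k -i "$fifo"

    # ending the ssh client ends the remote tshark, whose stdout goes away
    kill "$ssh_pid" 2>/dev/null || true
}

# Only start a capture when run with arguments, e.g.
#   ./remote_capture.sh remotehost eth1 'port 1433'
if [ "$#" -ge 2 ]; then
    remote_capture "$@"
fi
```

The fifo is created with mode 0600 because anyone on the local box who can open /tmp/shark for reading gets the plaintext of the remote capture. Also worth knowing: the sudoers rule quoted above allows any tshark argument, -w to an arbitrary path as root included, so it effectively grants the admins group root. Debian’s wireshark-common package offers the alternative of letting members of the wireshark group capture through dumpcap with file capabilities (dpkg-reconfigure wireshark-common), which needs no sudo rule at all.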

Granted, you could just install wireshark on the remote machine and use X over ssh to run it, but I like this, because I’m a giant dork.
