Getting a live capture over an ssh connection is a solved problem on all platforms. ssh works for this purpose on Linux, macOS, and WSL on Windows, while Plink works for Windows PuTTY users. Briefly, I'll go over what that looks like for ssh.
You can check that your ssh key is loaded with ssh-add -L.
First, let's set up a few variables to keep the commands readable. Replace each placeholder in <> with a value that works for you.
ssh_opts="<user>@<server> -p <port>"
# "not port <port>" excludes the ssh session itself, so the capture does not contain its own transport
remote_cmd="sudo /usr/sbin/tcpdump -s0 -n -w - not port <port>"
read_cmd="wireshark -k -i"   # or, for a terminal-only reader: read_cmd="tshark -i"
We then have the option of piping directly:
ssh $ssh_opts $remote_cmd | $read_cmd -
Or using a named pipe:
mkfifo /tmp/capfifo
ssh $ssh_opts $remote_cmd > /tmp/capfifo &
$read_cmd /tmp/capfifo
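The whole procedure above, wrapped in a small POSIX sh script as an added example (not code from the original post): it checks the agent for a loaded key, builds the tcpdump command with the ssh port excluded, picks wireshark or tshark, and uses a fifo in a private mktemp directory that is cleaned up on exit. The function names and the positional-argument interface are my own assumptions; server, port and filter are supplied by the caller.

```shell
#!/bin/sh
# Added example: remote live capture over ssh into wireshark/tshark.
# Usage: sh remote_capture.sh <user>@<server> <ssh_port> [extra capture filter]
set -eu

# Build the remote tcpdump command. $1 is the ssh port, excluded so the capture
# does not include the ssh session carrying it (a feedback loop that never ends).
# $2 is an optional extra capture-filter expression, e.g. 'host 10.0.0.5'.
build_remote_cmd() {
    port=$1
    extra=${2:-}
    cmd="sudo /usr/sbin/tcpdump -s0 -n -w - not port $port"
    [ -n "$extra" ] && cmd="$cmd and ($extra)"
    printf '%s' "$cmd"
}

# Succeeds only if ssh-agent is reachable and has at least one identity loaded.
agent_has_key() {
    ssh-add -L >/dev/null 2>&1
}

# Use wireshark when a display and the binary are available, else tshark.
choose_reader() {
    if [ -n "${DISPLAY:-}" ] && command -v wireshark >/dev/null 2>&1; then
        printf '%s' "wireshark -k -i"
    else
        printf '%s' "tshark -i"
    fi
}

remote_capture() {
    target=$1; ssh_port=$2; shift 2
    agent_has_key || { echo "no identity loaded in ssh-agent; run ssh-add" >&2; return 1; }
    reader=$(choose_reader)
    remote=$(build_remote_cmd "$ssh_port" "$*")
    tmpdir=$(mktemp -d)           # private directory instead of a predictable /tmp name
    fifo="$tmpdir/capfifo"
    mkfifo -m 600 "$fifo"
    # Word splitting of $remote is intended: it is the remote command line.
    ssh -p "$ssh_port" "$target" $remote > "$fifo" &
    sshpid=$!
    trap 'kill "$sshpid" 2>/dev/null; rm -rf "$tmpdir"' EXIT INT TERM
    $reader "$fifo"              # blocks until the reader is closed
}

if [ $# -ge 2 ]; then
    remote_capture "$@"
fi
```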