Using plink for remote wireshark captures

plink.exe -ssh -pw abc123 root@ "tcpdump -ni eth0 -s 0 -w - not port 22" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

This command uses plink to pipe the standard out of tcpdump on the remote linux device to wireshark on windows over an ssh session.

The “not port 22” is a filter that is important to prevent an endless loop of reporting ssh packets going back the remote device. If the ssh session is on a different interface this filter is not required.

Leave a Reply