Analyze traffic remotely over ssh w/ wireshark

$ ssh root@server.com 'tshark -f "port !22" -w -' | wireshark -k -i -

This captures traffic on a remote machine with tshark, sends the raw pcap data over the ssh link, and displays it in wireshark. Hitting ctrl+C will stop the capture and unfortunately close your wireshark window. This can be worked around by passing -c # to tshark to only capture a certain # of packets, or by redirecting the data through a named pipe rather than piping directly from ssh to wireshark. I recommend filtering as much as you can in the tshark command to conserve bandwidth. tshark can be replaced with tcpdump thusly:

$ ssh root@example.com tcpdump -w - 'port !22' | wireshark -k -i -
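
The two workarounds mentioned above (a packet limit with -c and a named pipe) combined in one script, as an added example that is not part of the original entry. The function names, the script name and the 500-packet limit are assumptions; count and filter are validated because ssh hands the command string to the remote shell.

```shell
#!/bin/sh
# Added example, not from the original entry. Host, packet count and the
# script name in the usage line are placeholders.

# Build the command line for the remote host. Count and filter are checked
# before being embedded, because ssh passes the string to the remote shell.
remote_capture_cmd() {
    count=$1
    filter=$2
    case $count in
        ''|*[!0-9]*) return 1 ;;   # -c needs a plain integer
    esac
    # An empty filter would also capture the ssh session carrying the pcap.
    [ -n "$filter" ] || return 1
    # Whitelist: no quotes, dollar signs, backticks, semicolons or backslashes.
    leftover=$(printf '%s' "$filter" | LC_ALL=C tr -d 'A-Za-z0-9 !.:/()_-')
    [ -z "$leftover" ] || return 1
    printf 'tshark -c %s -f "%s" -w -' "$count" "$filter"
}

# Create the FIFO inside a fresh mktemp directory with mode 600, since the
# stream contains raw traffic. Prints the FIFO path.
make_capture_fifo() {
    dir=$(mktemp -d) || return 1
    mkfifo -m 600 "$dir/capture.fifo" || return 1
    printf '%s\n' "$dir/capture.fifo"
}

# Wireshark reads the FIFO in the background; ssh writes into it and exits
# by itself once tshark has captured $count packets.
start_remote_capture() {
    host=$1
    cmd=$(remote_capture_cmd "$2" "$3") || {
        echo "refusing count/filter: $2 / $3" >&2
        return 1
    }
    fifo=$(make_capture_fifo) || return 1
    wireshark -k -i "$fifo" &
    ssh "$host" "$cmd" > "$fifo"
    rm -rf "${fifo%/*}"
}

# Usage: sh remote-capture.sh root@server.com 500 'port !22'
if [ "$#" -eq 3 ]; then
    start_remote_capture "$1" "$2" "$3"
fi
```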