A long time ago I started these investigations by creating a dump file on the remote host and copying it to my local machine.
But that is really not the best way to do it, so I want to share this little shell command:
ssh <username>@<remote_host> sudo tcpdump -s0 -w - | wireshark -k -i -

If you use Windows and Cygwin, the Wireshark call would look like

/cygdrive/c/Program\ Files/Wireshark/Wireshark.exe -k -i -

This runs tcpdump on the remote host, with the capture written to stdout (-w -) and carried over the ssh session, and the analysis happens in Wireshark on your local machine, which reads the pcap stream from stdin (-i -) and starts capturing immediately (-k).
Normally I use some options, as I want to reduce the traffic going over the wire. Of course you could filter within Wireshark, but why use so much bandwidth? (Adding -U to tcpdump is also worth it here: it flushes every packet to the pipe as it is captured, otherwise Wireshark only sees packets once tcpdump's output buffer fills.)

sudo tcpdump -s0 -w - 'not port 22 and host <host> and not port 53'
- not port 22: As my capture itself is travelling over the ssh session on port 22, it is a good idea not to look at that traffic; otherwise every captured packet produces ssh traffic that gets captured again. If sshd listens on another port, exclude that port instead.
- host <host>: I do not want to see all traffic in the network, only the traffic related to my own server.
- not port 53: DNS is just an example; many tools (like Apache, MySQL, ClamAV) perform DNS lookups and I do not want to see them. tcpdump's filter language has no "DNS" keyword, so the lookups are excluded by port ("port 53" or equivalently "port domain").
For this to work non-interactively, two things have to be in place on the remote host:
- create an ssh key so you can log in without a password
- add the user to the sudoers file, best with the NOPASSWD option, because sudo cannot prompt for a password on a session without a tty. Limit the rule to the tcpdump binary rather than ALL, e.g. `<username> ALL=(root) NOPASSWD: /usr/sbin/tcpdump` (path may differ per distribution), so the ssh key does not turn into a passwordless root shell. Keep in mind that tcpdump running as root can still write files anywhere (-w) and run a post-rotate command (-z); on a shared host, giving the binary the cap_net_raw and cap_net_admin capabilities with setcap and running it without sudo is the tighter option.
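As an added example (not the original post's command, and not a tool the post describes), the whole procedure wrapped in a small bash script. It assumes key-based ssh login and passwordless sudo for tcpdump on the remote host as set up above; the interface name, the Cygwin path check and the addresses used are assumptions and placeholders, and the filter builder generalises the post's filter slightly by taking the ssh port and the target host as parameters.

```bash
#!/usr/bin/env bash
# remote-capture.sh: run tcpdump on a remote host over ssh and stream the pcap into a local
# Wireshark. Added example, not the original post's code. Assumes: key-based ssh login and
# passwordless sudo for tcpdump on the remote host; interface/host names below are placeholders.
set -eu

# Build the BPF capture filter.
#   $1 target host to restrict to ("" = everything the interface sees)
#   $2 "yes" to drop DNS (port 53), anything else keeps it
#   $3 port of the ssh session carrying this capture (default 22)
# The ssh port is always excluded: the capture travels over that session, so capturing it
# would feed every captured packet back into the capture.
build_filter() {
  local target="${1:-}" drop_dns="${2:-yes}" ssh_port="${3:-22}" f
  f="not port ${ssh_port}"
  if [ -n "$target" ]; then
    f="${f} and host ${target}"
  fi
  if [ "$drop_dns" = "yes" ]; then
    f="${f} and not port 53"
  fi
  printf '%s' "$f"
}

# Build the command executed on the remote host.
#   -s0  capture whole packets    -U  flush each packet to the pipe (live view in Wireshark)
#   -w - write pcap to stdout, which ssh carries to our stdin
# sudo must be NOPASSWD for this user: there is no tty on which it could ask for a password.
remote_cmd() {
  local iface="$1" filter="$2"
  printf "sudo tcpdump -i %s -s0 -U -w - '%s'" "$iface" "$filter"
}

# Pick the local Wireshark binary: the Cygwin path from the post if present, else PATH lookup.
wireshark_bin() {
  local cyg="/cygdrive/c/Program Files/Wireshark/Wireshark.exe"
  if [ -x "$cyg" ]; then printf '%s' "$cyg"; else printf '%s' "wireshark"; fi
}

# Usage: CAPTURE_REMOTE=user@remote_host ./remote-capture.sh [target_host] [iface]
main() {
  local remote="$1" target="${2:-}" iface="${3:-eth0}" filter cmd
  filter="$(build_filter "$target" yes 22)"
  cmd="$(remote_cmd "$iface" "$filter")"
  echo "remote command: $cmd" >&2
  # No -t on ssh: a pty would mangle the binary pcap stream, and sudo cannot prompt anyway.
  ssh "$remote" "$cmd" | "$(wireshark_bin)" -k -i -
}

# Run only when the remote is given explicitly, so sourcing the file captures nothing.
if [ -n "${CAPTURE_REMOTE:-}" ]; then
  main "$CAPTURE_REMOTE" "$@"
fi
```

Invoke it as `CAPTURE_REMOTE=<username>@<remote_host> ./remote-capture.sh <host> eth0`; the command that will run on the remote side is echoed to stderr first, so you can see the exact filter before the capture starts. If sshd on the remote host listens on a non-standard port, pass that port as the third argument of build_filter in main, otherwise the capture feeds back on itself.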