HOWTO: Use Wireshark over SSH (Linux and Windows)

You want to use tcpdump together with Wireshark, but the server has no X environment and no Wireshark installed?
No problem. Run Wireshark on your desktop (Linux or Windows) and let tcpdump do the capturing on the remote server, streaming the packets back to you over SSH.


ssh remote-host "tcpdump -s0 -w - 'port 8080'" | wireshark -k -i -

This runs tcpdump on host “remote-host”, capturing full packets (-s0) that match the filter 'port 8080' and writing them in pcap format to its stdout (-w -). SSH carries that stream to the local host, where Wireshark reads it from stdin (-i -); -k tells Wireshark to start the capture immediately. Adding -U to tcpdump makes it flush every packet into the pipe as soon as it is captured, instead of waiting for its output buffer to fill, so Wireshark shows packets without delay.

There are a few things that may make the line above not work in your case. tcpdump must be on the PATH of the remote shell, and the non-interactive shell that ssh starts often lacks /usr/sbin. If that is the case, give the full path:

ssh remote-host "/usr/sbin/tcpdump -s0 -w - 'port 8080'" | wireshark -k -i -

You may also need to run tcpdump with sudo, which means you need to change the command to:

ssh remote-host "sudo /usr/sbin/tcpdump -s0 -w - 'port 8080'" | wireshark -k -i -

Two caveats about the sudo variant: ssh runs the command without a terminal, so sudo cannot prompt for a password here; it must be allowed without one (a NOPASSWD rule for tcpdump in sudoers), otherwise the capture fails before it starts. Do not work around that with ssh -t: a pseudo-terminal applies output processing to the binary pcap stream and corrupts it.

Please note! Such a remote capture session can be pretty heavy on the network, depending on the application, so filter as much as possible on the remote side using tcpdump’s filters. In particular, exclude the SSH session that carries the capture (for example 'port 8080 and not port 22'). Otherwise every packet of the capture stream is itself captured and sent back, and the two feed each other.
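The whole Linux procedure above, collected into one script, as an added example that is not part of the original post. It builds the remote tcpdump command with the caveats applied (full path, -U, sudo -n so a missing NOPASSWD rule fails instead of hanging, the SSH port excluded from the filter), pipes it into Wireshark, and offers a check that what arrives through the pipe really is a pcap stream and not, say, a sudo error message. The function names, the interface argument, and the default SSH port of 22 are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Helper names (capture_filter,
# remote_capture_cmd, pcap_magic_ok, remote_capture) are chosen here.
set -eu

# Build the BPF filter actually sent to tcpdump. The SSH session carrying the
# capture back is itself traffic on the remote host, so it must be excluded or
# every captured SSH packet produces more SSH packets, which are captured in turn.
# The default SSH port 22 is an assumption; pass another port as $2 if needed.
capture_filter() {
    user_filter="$1"
    ssh_port="${2:-22}"
    if [ -n "$user_filter" ]; then
        printf '(%s) and not tcp port %s' "$user_filter" "$ssh_port"
    else
        printf 'not tcp port %s' "$ssh_port"
    fi
}

# Compose the command the remote shell will run.
#   full path   - the non-interactive shell may not have /usr/sbin on PATH
#   -s0         - full packets
#   -U          - flush each packet into the pipe immediately
#   -c N        - stop after N packets, so a forgotten session cannot run forever
#   sudo -n     - never prompt: there is no tty, so a prompt could only hang
# The filter is single-quoted for the remote shell; BPF expressions never need
# a literal single quote themselves.
remote_capture_cmd() {
    iface="$1"
    filter="$2"
    count="${3:-0}"
    use_sudo="${4:-0}"
    cmd="/usr/sbin/tcpdump -i $iface -s0 -U -w -"
    if [ "$count" -gt 0 ]; then
        cmd="$cmd -c $count"
    fi
    if [ "$use_sudo" = 1 ]; then
        cmd="sudo -n $cmd"
    fi
    printf '%s %s' "$cmd" "'$filter'"
}

# Check that a file starts with a pcap or pcapng magic number. Useful when
# Wireshark reports a broken stream: save the first bytes of the pipe to a
# file and run this on it. If the remote side wrote an error message or a
# banner to stdout instead of packets, the check fails.
pcap_magic_ok() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) return 0 ;;  # pcap, either byte order, us/ns
        0a0d0d0a) return 0 ;;                              # pcapng section header block
        *) return 1 ;;
    esac
}

# Run the capture: ssh's own stderr (banner, host-key warnings, the password
# prompt) stays on the terminal; only tcpdump's stdout reaches Wireshark.
remote_capture() {
    host="$1"
    iface="$2"
    user_filter="${3:-}"
    count="${4:-0}"
    use_sudo="${5:-0}"
    remote=$(remote_capture_cmd "$iface" "$(capture_filter "$user_filter")" "$count" "$use_sudo")
    ssh "$host" "$remote" | wireshark -k -i -
}

# Usage: ./remote-wireshark.sh run remote-host eth0 'port 8080' [count] [1 for sudo]
if [ "${1:-}" = "run" ]; then
    shift
    remote_capture "$@"
fi
```

To troubleshoot a stream that Wireshark rejects, replace the pipe into wireshark with `| head -c 64 > probe.bin` and run `pcap_magic_ok probe.bin`; a file that starts with text rather than the magic number means something on the remote side wrote to stdout before or instead of tcpdump.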


On Windows plink.exe works best for me. Get it from the PuTTY website.

plink -ssh username@remote-host "tcpdump -s 0 -w - 'port 8080'" | wireshark -i -

On Windows I have to omit the Wireshark option -k (start the capture immediately) and start the capture manually from the Wireshark UI once the SSH keyboard authentication is done. Alternatively, one can provide the password to plink with the -pw option.

Again, you may have to provide the full path to tcpdump and/or Wireshark, and you may have to run tcpdump with sudo.

11 Responses to HOWTO: Use Wireshark over SSH (Linux and Windows)

  1. Chinmoy says:

    Hi Vijay,
    Could you please give some more details on the Windows operation? I mean, where do I type the command, and do we need to run both PuTTY and plink together?

    • Grex says:

      "C:\tools\plink.exe" -ssh user@ "tcpdump -s 0 -w - 'port 8080'" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

  2. Robert Ross says:

    What interface do you start manually on Windows Wireshark to see the piped traffic?

  3. Anonymous says:

    In the case of Linux, with ssh being used, we cannot control the size or rotation logic. So could you please let us know whether there is any way to stop the remotely executed tcpdump based on a size limit specified by the user?


  4. Justin says:

    I believe tcpdump should be passed “-l” to prevent stdout buffering.

  5. Vishal Anantharaman says:

    I am getting the following error: "Error: Unrecognized flag ('-ssh')". Can you tell me the reason for this and how to solve it?


  6. Pingback: BGA SİBER GÜVENLİK KIŞ KAMPI’18 SORULARI VE ÇÖZÜMLERİ (BGA Cyber Security Winter Camp ’18 Questions and Solutions) – Bahar Uzun | Security | BigData

