chmodshubham/remote-if-packet-capture


Remote Interface Packet Capture

Stream packets from a Remote VM directly into Wireshark on your Local Machine.

1. Prerequisites (Local Machine)

First, make sure Wireshark is installed on your local computer. The VM itself only needs tcpdump and an SSH server.

sudo apt update
sudo apt install wireshark

Capturing from a pipe needs no special privileges, so for this workflow you do not need to add your user to the wireshark group when the installer asks about non-superuser capture.

2. Prepare the Pipe (Local Machine)

Create a FIFO (a named pipe) on your local machine. SSH will write the raw pcap stream into it and Wireshark will read from the other end, so nothing is written to disk.

Note

Do not give this file an extension like .pcap; a plain name avoids confusing the pipe with a saved capture file. mkfifo fails if the name already exists (for example, left over from an earlier session), so remove the old pipe first.

mkfifo /tmp/remote_capture

3. Start Wireshark (Local Machine)

Open a terminal on your local machine and start Wireshark. It opens the pipe and blocks until a writer connects, so the capture window stays empty until the SSH stream in the next step starts.

wireshark -k -i /tmp/remote_capture
  • -k: Start capturing immediately.
  • -i: Specify the input interface (our pipe file).

4. Start the Data Stream (Local Machine)

Open a new terminal window on your local machine. Run one of the following commands to connect to the VM and start piping traffic. In every variant the only thing crossing the wire is the pcap stream on tcpdump's stdout, carried back over SSH and redirected into the pipe.

Option A: Standard Capture (Best for most cases) Use this if you have SSH key access (passwordless) or can type the SSH password interactively, and sudo on the VM does not prompt for a password when running tcpdump. Note that ssh allocates no terminal when it is given a command, so a sudo password prompt cannot be answered here; do not add -t to work around that, because a pseudo-terminal would mangle the binary stream.

ssh <user>@<remote_ip> "sudo tcpdump -s 0 -U -n -w - -i <interface_name> not port 22" > /tmp/remote_capture

Option B: If you need to filter multiple ports Use this to exclude additional noise (for example, a web port 80 alongside the SSH port 22). Any BPF expression works here; whatever you add, keep the SSH port excluded.

ssh <user>@<remote_ip> "sudo tcpdump -s 0 -U -n -w - -i <interface_name> not port 22 and not port 80" > /tmp/remote_capture

Option C: If the remote user requires a SUDO password non-interactively Use this only if you must supply the sudo password non-interactively. It is the least secure option: the password lands in your local shell history, and because sshd runs the command through your login shell it is visible in the VM's process list (ps) for as long as the capture runs. For unattended captures, a sudoers rule scoped to the tcpdump binary avoids embedding the password at all; bear in mind that tcpdump run as root is effectively a root grant for that account, so scope the rule to this user and host.

ssh <user>@<remote_ip> "echo '<password>' | sudo -S tcpdump -s 0 -U -n -w - -i <interface_name> not port 22" > /tmp/remote_capture

tcpdump & SSH Command Reference

| Flag / Component | Description |
|---|---|
| -s 0 | Capture the full packet (no truncation) |
| -U | Packet-buffered output: each packet is flushed to stdout as soon as it is captured instead of waiting for the output buffer to fill, so Wireshark updates live |
| -n | Do not resolve addresses to names (no DNS lookups from the VM) |
| -w - | Write raw pcap output to stdout instead of a file, so SSH carries it back to your machine |
| -i <interface_name> | The network interface on the VM you want to sniff (e.g., eth0; list them on the VM with ip link) |
| not port 22 | Crucial. Excludes the SSH session carrying the capture itself. Without it every captured packet generates more SSH traffic, which is captured in turn, a feedback loop that never settles. Adjust the port if sshd listens elsewhere, and note that it also hides any other SSH traffic on the VM |
| > /tmp/remote_capture | Redirects the pcap stream from the SSH session into your local pipe file, where Wireshark reads it |

Cleanup (When Finished)

When you are done, press Ctrl-C in the terminal running SSH (tcpdump on the VM ends with the connection; check with ps on the VM if in doubt) and close Wireshark. Then remove the pipe file on your local machine:

rm /tmp/remote_capture
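As an added example, not code from this repository: a small POSIX sh wrapper that ties steps 2 to 4 and the cleanup together. It creates the FIFO in a private temporary directory rather than a fixed name in /tmp, starts Wireshark, streams the capture over SSH, and removes the pipe on exit via a trap. It also builds a tighter filter than "not port 22": it excludes only the SSH connection carrying the capture (your address as the VM sees it, plus the sshd port), so other SSH traffic on the VM stays visible. The function names, the address and interface values and the 2222 port are assumptions for illustration, and it assumes Option A (sudo on the VM does not prompt for tcpdump).

```shell
#!/bin/sh
# remote_capture.sh: added example wrapper for the procedure above (not part of
# the original repository). Function names, the temp-dir pipe location and the
# sample addresses are assumptions. Assumes Option A on the VM: key-based or
# interactive SSH login and a sudo rule that does not prompt for tcpdump.
set -eu

# Build the BPF filter. Instead of dropping every port-22 packet it excludes
# only the connection carrying this capture: LOCAL_IP is the address the VM sees
# you connect from (on the VM it is the first field of $SSH_CLIENT) and SSH_PORT
# is the port sshd listens on. An optional third argument adds further terms.
build_filter() {
    local_ip="$1"
    ssh_port="${2:-22}"
    extra="${3:-}"
    filter="not (host $local_ip and tcp port $ssh_port)"
    if [ -n "$extra" ]; then
        filter="$filter and ($extra)"
    fi
    printf '%s' "$filter"
}

# Build the command string that ssh runs on the VM. The filter is passed as one
# single-quoted argument so the remote shell does not interpret the parentheses.
build_remote_cmd() {
    printf "sudo tcpdump -s 0 -U -n -w - -i %s '%s'" "$1" "$2"
}

# Create the FIFO in a private (mode 0700) temp directory instead of a fixed
# name in /tmp, so a stale or attacker-created file of the same name cannot
# interfere. Prints the pipe path.
make_pipe() {
    dir=$(mktemp -d)
    mkfifo -m 600 "$dir/remote_capture"
    printf '%s' "$dir/remote_capture"
}

# usage: run_capture <user>@<remote_ip> <interface> <local_ip> [ssh_port] [extra_filter]
# e.g.   run_capture admin@203.0.113.10 eth0 203.0.113.5 22 'not port 80'
run_capture() {
    user_host="$1"; iface="$2"; local_ip="$3"
    ssh_port="${4:-22}"; extra="${5:-}"
    pipe=$(make_pipe)
    # Remove the pipe and its directory however the script exits.
    trap 'rm -rf "$(dirname "$pipe")"' EXIT INT TERM
    # Wireshark opens the pipe for reading and waits for the first packet.
    wireshark -k -i "$pipe" &
    filter=$(build_filter "$local_ip" "$ssh_port" "$extra")
    # The redirection opens the pipe for writing; ssh blocks here until you
    # press Ctrl-C, and tcpdump on the VM ends with the connection.
    ssh -p "$ssh_port" "$user_host" "$(build_remote_cmd "$iface" "$filter")" > "$pipe"
    wait
}

# Run directly when given arguments; otherwise the functions can be sourced.
if [ "$#" -ge 3 ]; then
    run_capture "$@"
fi
```

Run it as `sh remote_capture.sh <user>@<remote_ip> <interface_name> <your_ip>`; if you are unsure which address the VM sees, log in once and print $SSH_CLIENT. Because the pipe lives in a directory only your user can enter, the Cleanup step above is handled by the trap.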
