tcpdump -i br0 -n not port 22 -w - | ssh [email protected] "cat > /home/user/tcpdump.pcap"
- Tells it to listen on the bridge interface (br0)
- Not to resolve hostnames (which would slow capture and may result in dropped packets)
- To exclude SSH traffic on port 22 (so I don't see my own ssh session, which would otherwise feed back into the capture)
- To write the capture in binary pcap format to stdout (-w -) instead of text output
- Then pipes that output through ssh to a remote server, which saves it to /home/user/tcpdump.pcap
- The .pcap extension will allow the file to be easily recognized by Wireshark.
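Added example (not part of the original page): a small POSIX shell wrapper around the same remote-capture idea. It builds the "not port 22" filter so the ssh session is always excluded, adds tcpdump's -U (packet-buffered) flag so the pipe is flushed per packet rather than lagging behind, and checks the received file's magic number so a truncated or empty capture is caught before anyone opens it in Wireshark. The interface, remote user@host and remote path are placeholders to be supplied by the caller; the remote_capture function needs tcpdump and ssh and is not exercised offline.

```shell
#!/bin/sh
# Added example, not from the original page. Assumed placeholders:
#   iface   - capture interface (e.g. br0)
#   remote  - ssh target in user@host form
#   path    - destination file on the remote host (should end in .pcap)

# Build a BPF filter that always excludes our own ssh session (default port 22).
# Any extra filter terms are AND-ed in, e.g. build_filter 22 host 10.0.0.1
build_filter() {
    ssh_port=${1:-22}
    [ $# -gt 0 ] && shift
    if [ $# -gt 0 ]; then
        printf 'not port %s and (%s)' "$ssh_port" "$*"
    else
        printf 'not port %s' "$ssh_port"
    fi
}

# Return 0 if the file starts with a known pcap or pcapng magic number.
# tcpdump writes pcap in host byte order, so both orderings are accepted:
#   a1b2c3d4 / d4c3b2a1  classic pcap (microsecond timestamps)
#   a1b23c4d / 4d3cb2a1  classic pcap (nanosecond timestamps)
#   0a0d0d0a             pcapng section header block
pcap_magic_ok() {
    magic=$(od -An -N4 -tx1 "$1" | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1|0a0d0d0a) return 0 ;;
        *) return 1 ;;
    esac
}

# Stream a capture to the remote host. -n avoids DNS lookups during capture,
# -U flushes each packet into the pipe, -w - writes raw pcap to stdout.
# Not run offline: requires tcpdump, ssh and root/capture privileges.
remote_capture() {
    iface=$1; remote=$2; path=$3; filter=$4
    tcpdump -i "$iface" -n -U "$filter" -w - | ssh "$remote" "cat > '$path'"
}

# Verify the remote file after the capture ends (also requires ssh).
remote_capture_ok() {
    remote=$1; path=$2
    ssh "$remote" "od -An -N4 -tx1 '$path' | tr -d ' \n'" | grep -Eq \
        '^(a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1|0a0d0d0a)$'
}

# Usage (placeholders):
#   remote_capture br0 user@remotehost /home/user/tcpdump.pcap "$(build_filter 22)"
#   remote_capture_ok user@remotehost /home/user/tcpdump.pcap && echo "capture looks valid"
```

If the remote file fails the magic check it is usually because tcpdump exited before writing its header (no capture privilege, wrong interface name) or because ssh printed a banner or error into the stream instead of packets; checking the first four bytes locally, as pcap_magic_ok does, catches both.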