Connecting Wireshark to a remote tcpdump session using a FIFO pipe

A neat trick I picked up somewhere on the Internet (sorry for not referencing, I simply don't remember which site I stole it from :)).

In embedded work, one often has headless access to a target device off which one wants to sniff network packets. As Wireshark is so nice to use - and everything else is not - I've been using tcpdump on the target to dump traffic into a pcap file and then transferring it and dissecting it offline. Turns out this is just plain dumb and that one can simply have tcpdump pipe the captured packets live to a remote Wireshark session.

All we have to do is create a FIFO file, run tcpdump remotely and have it output raw pcap data to stdout, write that stdout to the FIFO and have Wireshark pull from the FIFO:

#!/bin/bash
# usage: ./sniff_remote.sh <target ip> <ssh passwd>
# Create the FIFO once; rerunning the script must not fail on an existing pipe.
[ -p /tmp/pipe ] || mkfifo /tmp/pipe
# tcpdump writes pcap to stdout (-w -), flushing per packet (-U) with full snaplen (-s 0);
# "not port 22" keeps the SSH session carrying the capture out of the capture itself.
sshpass -p "$2" ssh "root@$1" "tcpdump -nn -U -s 0 -w - not port 22" > /tmp/pipe &
wireshark -k -i /tmp/pipe
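The same trick, as an added example that is not the original script, hardened a little: the FIFO lives in a private temp dir rather than at the predictable /tmp/pipe, the capture filter excludes only the SSH session carrying the capture back instead of every port-22 packet, the FIFO and the ssh process are cleaned up on exit, and ssh key auth replaces the password on the command line. It assumes key-based ssh to root@<target ip> already works and tcpdump is installed there; the helper function names are my own.

```shell
#!/bin/sh
# Added example: a hardened take on the FIFO trick above (not the original
# script). Assumes key-based ssh to root@<target> works and tcpdump is on
# the target. Usage: ./sniff_remote.sh <target ip> [<ip you ssh from>]
set -eu

# Use a private temp dir instead of a fixed /tmp/pipe: a pre-existing file or
# symlink at a predictable path would make mkfifo fail or divert the stream.
make_capture_fifo() {
    dir=$(mktemp -d) || return 1
    mkfifo -m 600 "$dir/pipe" || return 1
    printf '%s\n' "$dir/pipe"
}

# Exclude only the SSH session carrying the capture back to us, so other
# port-22 traffic on the target stays visible. Without a controller IP,
# fall back to the blanket "not port 22" of the original script.
capture_filter() {
    controller=${1:-}
    if [ -n "$controller" ]; then
        printf 'not (host %s and tcp port 22)\n' "$controller"
    else
        printf 'not port 22\n'
    fi
}

cleanup_fifo() {
    rm -rf "$(dirname "$1")"
}

main() {
    target=$1
    fifo=$(make_capture_fifo)
    filter=$(capture_filter "${2:-}")
    # -U flushes every packet for a live view, -s 0 keeps full packets,
    # -w - sends pcap to stdout; no password on the command line (ps shows it).
    ssh "root@$target" "tcpdump -nn -U -s 0 -w - $filter" > "$fifo" &
    ssh_pid=$!
    trap 'kill "$ssh_pid" 2>/dev/null; cleanup_fifo "$fifo"' EXIT
    wireshark -k -i "$fifo"
}

# Only start capturing when a target is given on the command line.
if [ "$#" -ge 1 ]; then
    main "$@"
fi
```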