 | 1 | initial version |
dumpcap -w - -f "not port 22"
That will dump on the default device that libpcap supplies, although I'm surprised it's nflog rather than bridge0. In any case, it won't necessarily pick the device you want - you should use the -i flag to specify the device you want.
wireshark -k -i em1
As Jaap notes, that tells Wireshark on the local machine, not dumpcap on the remote machine, to capture on em1; your Mac doesn't have a device named em1, so it fails.
What you want is
ssh root@remote-server-name 'dumpcap -w - -i em1 -f "not port 22"' | wireshark -k -i -
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.