
Revision history

initial version

The idea is to setup a listening port on the capture side and then connect to that from Wireshark remotely. Therefore the correct syntax is:

tcpdump -i any -w - not tcp port 57012 | nc -l 192.168.1.2 57012

Note that it uses -l to make netcat listen for an incoming connection on the local interface 192.168.1.2, port 57012. And tcpdump filters out the netcat traffic itself; otherwise it would recursively capture the netcat traffic.

Now that netcat is waiting for an incoming connection you can use the pipe in Wireshark as TCP@192.168.1.2:57012 to connect to the remote netcat and receive the pcap traffic over the network.

As an alternative, if you can SSH into the remote host where you want to capture, you may want to try using the SSH remote capture extcap interface.
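What actually travels over that netcat connection is the raw pcap byte stream that `tcpdump -w -` writes to stdout: a 24-byte global header followed by one 16-byte record header per packet. The following is an added, self-contained example (not code from the answer above, from tcpdump or from Wireshark) that plays both roles on localhost: a listener thread standing in for `nc -l` that serves a constructed pcap stream, and a client standing in for Wireshark's `TCP@host:port` pipe that connects, validates the magic number and snaplen, and parses the records. The sample packets, timestamps and the ephemeral port are constructed for the demonstration; nothing is captured from a real interface. It shows why the stream must start cleanly with the global header (a stray byte from the capture side, or the capture recursively picking up the netcat session, leaves the reader with an unparseable stream) and how a reader can reject records that exceed the advertised snaplen.

```python
import socket
import struct
import threading

# pcap global header constants (libpcap file format, little-endian magic).
PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1   # same magic read with the wrong byte order
LINKTYPE_ETHERNET = 1
GLOBAL_HEADER_FMT = "IHHiIII"     # magic, ver major/minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_FMT = "IIII"        # ts_sec, ts_usec, incl_len, orig_len


def build_pcap_stream(payloads, snaplen=65535):
    """Build the byte stream 'tcpdump -w -' would emit for the given frames.

    The frames and timestamps are constructed test data, not real traffic.
    """
    header = struct.pack("<" + GLOBAL_HEADER_FMT, PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    records = b""
    for i, frame in enumerate(payloads):
        records += struct.pack("<" + RECORD_HEADER_FMT, 1700000000 + i, 0, len(frame), len(frame)) + frame
    return header + records


def serve_pcap(stream, host="127.0.0.1"):
    """Listener role of 'nc -l <ip> <port>': accept one client, write the stream, close.

    Returns the ephemeral port the listener was bound to.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))   # port 0 asks the OS for a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(stream)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def recv_exact(sock, n):
    """Read exactly n bytes; return b"" on a clean EOF at a record boundary."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            if not buf:
                return b""          # clean end of stream
            raise EOFError("stream closed mid-structure after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf


def read_pcap_over_tcp(host, port):
    """Client role of Wireshark's TCP@host:port pipe: connect and parse the pcap stream."""
    with socket.create_connection((host, port), timeout=5) as s:
        gh = recv_exact(s, 24)
        if len(gh) != 24:
            raise ValueError("no pcap global header on the stream")
        magic = struct.unpack("<I", gh[:4])[0]
        if magic == PCAP_MAGIC_LE:
            endian = "<"
        elif magic == PCAP_MAGIC_SWAPPED:
            endian = ">"
        else:
            raise ValueError("not a pcap stream (bad magic 0x%08x)" % magic)
        _, _, _, _, _, snaplen, linktype = struct.unpack(endian + GLOBAL_HEADER_FMT, gh)

        packets = []
        while True:
            rh = recv_exact(s, 16)
            if not rh:
                break               # listener closed after the last record
            ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + RECORD_HEADER_FMT, rh)
            if incl_len > snaplen or incl_len > orig_len:
                raise ValueError("record length %d is inconsistent with snaplen %d" % (incl_len, snaplen))
            packets.append((ts_sec, ts_usec, recv_exact(s, incl_len)))
    return {"linktype": linktype, "snaplen": snaplen, "packets": packets}


def demo():
    """End-to-end run on localhost: serve a constructed stream, then read it back."""
    stream = build_pcap_stream([b"\x00" * 60, b"\xff" * 14])
    port = serve_pcap(stream)
    return read_pcap_over_tcp("127.0.0.1", port)


if __name__ == "__main__":
    result = demo()
    print("linktype", result["linktype"], "packets", len(result["packets"]))
```

The listener writes nothing but the pcap stream on the connection, which is the property the `not tcp port 57012` filter protects in the real setup: if the capture side included its own netcat session, every packet it sent would generate another packet to capture, and the reader would be parsing its own transport as payload.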