Wireshark is a really useful tool to record and analyse network traffic across any network interface. I use it when faulting embedded applications in order to conduct a sanity check that data is leaving or arriving correctly. I recently wanted to use Wireshark on a remote computer — a task that would normally be quite easy to do — but in this instance there was no remote desktop as such; access was purely CLI-based.

Fortunately, Wireshark has a CLI alternative, tshark, which can do pretty much everything Wireshark can, minus the GUI. tshark is available for most Linux distros (e.g. via apt install tshark for Debian-based installs), so it is quite convenient. Unfortunately, there’s a “bug” when running tshark under sudo that causes tshark to think it doesn’t have the correct privileges (despite running under root) to write its output file. For example:

sudo tshark -i enp0s25 -w filename.pcap

will tend to fail. The fix? Have tshark write the capture to stdout and redirect that to the file instead, such as:

sudo tshark -i enp0s25 -w - > filename.pcap
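As an added example (not code from the original post), here is a small POSIX shell wrapper around that workaround which also checks that the redirected file really starts with pcap/pcapng magic bytes, since anything else written to stdout would corrupt the capture. The interface, duration and file name are placeholders, and it assumes tshark is installed and runnable via sudo.

```shell
#!/bin/sh
# Added example, not part of the original post: wrap "tshark -w -" in a
# script and sanity-check the redirected output file. Assumes tshark is
# installed and the invoking user can run it via sudo.

# Build the capture command as a string so it can be logged or inspected.
# "-w -" writes packets to stdout; the shell (running as the unprivileged
# user, not root) performs the redirection, so the file is owned by the
# invoking user rather than by root.
build_capture_cmd() {
    iface="$1"; seconds="$2"
    printf 'sudo tshark -i %s -a duration:%s -w -' "$iface" "$seconds"
}

# Check a file's first four bytes for the pcapng section-header magic
# (0a 0d 0d 0a) or the classic pcap magic (a1 b2 c3 d4 / d4 c3 b2 a1).
# Returns 0 if the file looks like a capture, 1 otherwise (empty files
# and stray text both fail this check).
is_capture_file() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        0a0d0d0a|a1b2c3d4|d4c3b2a1) return 0 ;;
        *) return 1 ;;
    esac
}

# Capture for N seconds on an interface, then verify the output file.
capture_to_file() {
    iface="$1"; seconds="$2"; out="$3"
    # Redirect only stdout: tshark's packet counter goes to stderr and
    # must not end up inside the capture file.
    sudo tshark -i "$iface" -a duration:"$seconds" -w - > "$out"
    if is_capture_file "$out"; then
        echo "ok: $out is a capture file ($(wc -c < "$out") bytes)"
    else
        echo "error: $out does not look like a pcap/pcapng file" >&2
        return 1
    fi
}

# Usage: ./capture.sh <iface> <seconds> <output.pcap>
if [ $# -eq 3 ]; then
    capture_to_file "$1" "$2" "$3"
fi
```

The resulting file can then be copied off the remote machine and opened in the Wireshark GUI as usual.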
