Today I was visualizing a remote tcpdump output with my local wireshark/ethereal.

# ssh myserver “tcpdump -w – ” | wireshark -k -i –

Strangely I found wireshark truncating or skipping some pkt.
Using -s0 remove limits on pkts’ size
# tcpdump -s 0 -w – ;
did partially solve the pkt truncation, but even more pkt were skipped!
Even fine tuning pkt size -s1000 wasn’t enough…

The solution was to dump to a shared fs… less elegant but more robust.