Today I was visualizing a remote tcpdump output with my local wireshark/ethereal.
# ssh myserver "tcpdump -w - " | wireshark -k -i -
Strangely I found wireshark truncating or skipping some pkts.
Using -s0 to remove limits on pkts’ size
# tcpdump -s 0 -w - ;
did partially solve the pkt truncation, but even more pkts were skipped!
Even fine-tuning pkt size with -s1000 wasn’t enough…
The solution was to dump to a shared fs… less elegant but more robust.