ssh firstname.lastname@example.org 'tcpdump -i eth0 -c 1000 -w -' > host.pcap
This command logs into the remote system, captures 1000 packets with tcpdump, and saves them to the local file host.pcap in pcap format for analysis by Wireshark.
This is a simple and quick command. If performance were a concern, e.g., if you needed to capture 10 billion packets per second, you might need to take a different approach.
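Because host.pcap is whatever arrived on the SSH session's standard output, it is worth checking before analysis: a dropped connection leaves a cut-off final record, and any other output on the remote stdout breaks the pcap header. The following sanity check is an added example, not part of the original page; the function names check_pcap and build_sample are hypothetical and the sample bytes are constructed.

```python
import struct
import sys

# First four bytes of a classic pcap file -> struct byte-order prefix.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",  # little-endian (usec, nsec)
    b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">",  # big-endian (usec, nsec)
}

def check_pcap(data):
    """Validate a classic pcap byte stream; count complete packet records."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    order = MAGICS.get(data[:4])
    if order is None:
        # Typical cause: something other than tcpdump wrote to the remote stdout.
        raise ValueError("not pcap, stream starts with %r" % data[:16])
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:24])
    offset, packets, truncated = 24, 0, False
    while offset < len(data):
        if offset + 16 > len(data):             # record header cut off
            truncated = True
            break
        incl_len = struct.unpack(order + "IIII", data[offset:offset + 16])[2]
        if offset + 16 + incl_len > len(data):  # packet bytes cut off
            truncated = True
            break
        offset += 16 + incl_len
        packets += 1
    return {"version": (major, minor), "snaplen": snaplen,
            "linktype": linktype, "packets": packets, "truncated": truncated}

def build_sample():
    """Constructed sample: a two-packet little-endian pcap with dummy payloads."""
    out = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 262144, 1)
    for ts, payload in ((1, b"\x00" * 60), (2, b"\x00" * 42)):
        out += struct.pack("<IIII", ts, 0, len(payload), len(payload)) + payload
    return out

if __name__ == "__main__":
    # With no argument the constructed sample is checked; otherwise pass host.pcap.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(check_pcap(raw))
```

For the command above, a clean capture should report 1000 packets with truncated set to False.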