ssh root@host.example.com 'tcpdump -i eth0 -c 1000 -w -' > host.pcap
This command logs into the remote system, captures 1000 packets with tcpdump, and saves them to the local file host.pcap in pcap format for analysis by Wireshark.
This is a simple and quick command. If performance were a concern, e.g., if you needed to capture 10 billion packets per second, you might need to take a different approach.
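As an added example (not part of the original post), a small Python checker for the file that lands on the local side: it validates the pcap global header that tcpdump -w writes, counts the packet records and flags a truncated trailing record, so you can tell whether host.pcap really holds the full capture before opening it in Wireshark. The sample bytes are constructed inline; the function and constant names are my own.

```python
import struct

# pcap magic numbers -> (struct byte-order prefix, timestamp unit divisor)
PCAP_MAGIC = {
    b"\xd4\xc3\xb2\xa1": ("<", 1),       # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": (">", 1),       # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": ("<", 1000),    # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": (">", 1000),    # big-endian, nanosecond timestamps
}

def looks_like_pcap(data):
    """True if the stream starts with a pcap magic number. If a remote
    login shell printed anything to stdout before tcpdump ran, the file
    starts with that text instead and Wireshark will refuse it."""
    return data[:4] in PCAP_MAGIC

def parse_pcap(data):
    """Walk a pcap file: return version, linktype, snaplen, the number of
    complete packet records and whether the last record ended cleanly."""
    if len(data) < 24 or not looks_like_pcap(data):
        raise ValueError("not a pcap stream: bad or missing global header")
    endian, _ = PCAP_MAGIC[data[:4]]
    # global header after the magic: major, minor, thiszone, sigfigs, snaplen, linktype
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    offset, count, complete = 24, 0, True
    while offset < len(data):
        if len(data) - offset < 16:          # partial record header
            complete = False
            break
        _sec, _frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("record %d has inconsistent lengths" % count)
        offset += 16
        if len(data) - offset < incl_len:    # packet bytes cut short (capture interrupted)
            complete = False
            break
        offset += incl_len
        count += 1
    return {"version": (major, minor), "linktype": linktype,
            "snaplen": snaplen, "packets": count, "complete": complete}

def build_sample():
    """Constructed sample: little-endian pcap, Ethernet linktype, two records."""
    hdr = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 262144, 1)
    pkt1, pkt2 = b"\x00" * 60, b"\xff" * 42
    rec1 = struct.pack("<IIII", 1700000000, 0, len(pkt1), len(pkt1)) + pkt1
    rec2 = struct.pack("<IIII", 1700000000, 500, len(pkt2), len(pkt2)) + pkt2
    return hdr + rec1 + rec2

SAMPLE_PCAP = build_sample()

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:   # e.g. python check_pcap.py host.pcap
        print(parse_pcap(f.read()))
```

A result with "packets" below the count you asked tcpdump for, or "complete" set to False, means the session ended before tcpdump flushed its last record.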