It’s very easy to capture packets from a remote server if everything is in place: Wireshark is installed on the local machine, SSH keys are set up, and tcpdump is installed on the remote host.
I always forget the exact command because I don’t use it often; when I need it I usually end up Googling for a few minutes. This post exists so I can open my blog and find the command faster.
Commands
Capturing everything:
$ ssh root@$REMOTE_SRV tcpdump -n -i $INTERFACE -U -s0 -w - | wireshark -k -i -
Capturing with a pre-filter (reduce transferred traffic):
$ ssh root@$REMOTE_SRV tcpdump -n -i $INTERFACE -U -s0 -w - 'not port 22' | wireshark -k -i -
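The two one-liners above are all you need, but when the filter or the interface comes from a variable it is worth having a small wrapper around them. The script below is an added example, not part of the original post: it composes the same ssh + tcpdump + wireshark pipeline, always excludes the SSH port the capture is streamed over (otherwise tcpdump captures its own output going back over the session, which inflates the capture), rejects filter strings containing shell metacharacters before they reach the remote shell, and optionally stops after a packet count. The function and variable names (build_filter, build_remote_cmd, remote_capture, SSH_PORT, TCPDUMP) are this example's own, and the hosts and interfaces used in the comments are made up.

```shell
#!/bin/sh
# Added example (not from the original post): wraps the
#   ssh HOST tcpdump ... -w - | wireshark -k -i -
# pipeline with a few checks a practitioner would want.

# Port of the SSH session that carries the capture; traffic on it is
# always excluded so the capture stream does not capture itself.
SSH_PORT="${SSH_PORT:-22}"

# Remote capture program. Set TCPDUMP="sudo tcpdump" to log in as an
# unprivileged user instead of root (assumption: sudo allows tcpdump).
TCPDUMP="${TCPDUMP:-tcpdump}"

# build_filter USER_FILTER
# Prints a BPF filter that combines the caller's filter (may be empty)
# with the SSH-port exclusion.
build_filter() {
    if [ -z "$1" ]; then
        printf 'not port %s\n' "$SSH_PORT"
    else
        printf '(%s) and not port %s\n' "$1" "$SSH_PORT"
    fi
}

# validate_filter USER_FILTER
# The filter is passed to the remote login shell as part of one command
# string, so quotes and shell metacharacters in it would be interpreted
# there. Returns 1 (reject) if any are present, 0 otherwise.
validate_filter() {
    ! printf '%s' "$1" | grep -q "['\`\$;|&]"
}

# build_remote_cmd IFACE FILTER [COUNT]
# Prints the exact tcpdump command line the remote host will run:
#   -n  no name resolution (no extra DNS traffic from the capture box)
#   -U  packet-buffered output, so Wireshark shows packets as they arrive
#   -s0 full snap length
#   -w - write pcap to stdout, which ssh relays to our stdin
build_remote_cmd() {
    iface=$1
    filter=$2
    count=${3:-0}
    cmd="$TCPDUMP -n -i $iface -U -s0 -w -"
    if [ "$count" -gt 0 ]; then
        cmd="$cmd -c $count"
    fi
    printf "%s '%s'\n" "$cmd" "$filter"
}

# remote_capture HOST IFACE [USER_FILTER] [COUNT]
# e.g. remote_capture root@192.0.2.10 eth0 'tcp port 443' 500
remote_capture() {
    host=$1
    iface=$2
    user_filter=${3:-}
    count=${4:-0}

    # Interface names are also spliced into the remote command string.
    case $iface in
        ""|*[!A-Za-z0-9._:-]*)
            echo "refusing interface name: '$iface'" >&2
            return 2 ;;
    esac
    validate_filter "$user_filter" || {
        echo "refusing filter with shell metacharacters: $user_filter" >&2
        return 2
    }
    command -v wireshark >/dev/null 2>&1 || {
        echo "wireshark not found on the local machine" >&2
        return 3
    }

    full_filter=$(build_filter "$user_filter")
    ssh "$host" "$(build_remote_cmd "$iface" "$full_filter" "$count")" \
        | wireshark -k -i -
}

# Run only when invoked with arguments, e.g.
#   sh remote_capture.sh root@192.0.2.10 eth0 'udp port 53' 200
if [ "$#" -ge 2 ]; then
    remote_capture "$@"
fi
```

Because the remote side only ever runs the one tcpdump command, the login user needs nothing beyond permission to capture on that interface; pointing TCPDUMP at `sudo tcpdump` and logging in as a non-root account keeps the SSH key off the root account entirely.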