In my day-to-day operations, I frequently need to execute tcpdump on remote servers, and it's a pain to save the output to a file and then have to move the file to my laptop to analyze it in Wireshark.
I was exploring the command below, and it works fine in Linux
ssh <remote_host> sudo tcpdump -vv -i eth0 -U -w - | wireshark -k -i -
But, unfortunately, my work laptop that is provided by my company has Windows on it, and they don't allow me to change to another OS. Given this restriction, I was trying to achieve the same result, but in Windows...
If I execute the following command in Windows in a PowerShell
ssh <remote_host> sudo tcpdump -vv -i eth0 -U -w - | 'C:\Program Files\Wireshark\Wireshark.exe' -k -i -
I get this error
At line:1 char:87
+ ... -i eth0 -U -w - | 'C:\Program Files\Wireshark\Wireshark.exe' -k -i -
+ ~~
Unexpected token '-k' in expression or statement.
At line:1 char:44
+ ... -i eth0 -U -w - | 'C:\Program Files\Wireshark\Wireshark.exe' -k -i -
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Expressions are only allowed as the first element of a pipeline.
At line:1 char:90
+ ... -i eth0 -U -w - | 'C:\Program Files\Wireshark\Wireshark.exe' -k -i -
+ ~~
Unexpected token '-i' in expression or statement.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnexpectedToken
If I execute the Wireshark command without the ssh part I get the same error, but if I execute it like this
& 'C:\Program Files\Wireshark\Wireshark.exe' -k -i -
It opens Wireshark and waits for data input. With this in mind I tried to change the command to
ssh <remote_host> sudo tcpdump -vv -i eth0 -U -w - | & 'C:\Program Files\Wireshark\Wireshark.exe' -k -i -
This way the ssh command gets executed and tcpdump starts in the remote host, but Wireshark never starts. What am I doing wrong? Why does the piped command that is most similar to the one in Linux not work in Windows? Is piping different?
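One way to get the raw bytes from ssh into Wireshark on Windows, as an added example that is not from the original post: instead of the PowerShell pipeline (which hands a native command's output on as decoded text, so a binary pcap stream does not survive the trip), it starts both programs as .NET Process objects and copies the byte stream between them directly. The host name and the Wireshark install path are assumptions.

```powershell
# Added example, not from the original post: copy the raw pcap byte stream from
# ssh/tcpdump into Wireshark's stdin without going through the PowerShell object
# pipeline, which decodes native output as text and corrupts binary data.
$RemoteHost = 'remote_host'                         # assumption: your server
$Wireshark  = 'C:\Program Files\Wireshark\Wireshark.exe'   # assumption: install path

# Producer: ssh runs tcpdump on the remote host and writes pcap to its stdout.
$sshInfo = New-Object System.Diagnostics.ProcessStartInfo
$sshInfo.FileName  = 'ssh.exe'
$sshInfo.Arguments = "$RemoteHost sudo tcpdump -vv -i eth0 -U -w -"
$sshInfo.UseShellExecute = $false
$sshInfo.RedirectStandardOutput = $true   # we read the bytes ourselves

# Consumer: Wireshark reads a pcap stream from stdin (-i -) and starts at once (-k).
$wsInfo = New-Object System.Diagnostics.ProcessStartInfo
$wsInfo.FileName  = $Wireshark
$wsInfo.Arguments = '-k -i -'
$wsInfo.UseShellExecute = $false
$wsInfo.RedirectStandardInput = $true     # we write the bytes ourselves

$ssh = [System.Diagnostics.Process]::Start($sshInfo)
$ws  = [System.Diagnostics.Process]::Start($wsInfo)

try {
    # Stream.CopyTo moves raw bytes; no string decoding or re-encoding happens.
    # It blocks until ssh closes its stdout or Wireshark closes its stdin.
    $ssh.StandardOutput.BaseStream.CopyTo($ws.StandardInput.BaseStream)
}
finally {
    # Closing Wireshark's stdin ends the capture; ignore errors if it already quit.
    try { $ws.StandardInput.Close() } catch { }
    if (-not $ssh.HasExited) { $ssh.Kill() }
    $ssh.WaitForExit()
}
```

Closing the Wireshark window breaks the pipe, which ends the copy and tears down the ssh session through the finally block.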