Recently I've been trying to debug some SSL connection problems on remote machines. While tcpdump in an console-only ssh sesion usually does the trick for me, this time I really needed the user-friendliness of filters and SSL decryption features in Wireshark. I really didn't want to install Wireshark on a head-less server and do X11 forwarding, so I used tcpdump to do the actual capture on the server and forwarded the stream through a pipe and an ssh connection to Wireshark on my laptop.
Here's the recipe, mostly for my record and in case someone else might find it useful. I had problems with other recipes I found, since they either use dumpcap, which I don't have on the remote, or make it hard to start the packet capture command through sudo.
On remote machine:
$ mkfifo foo $ sudo tcpdump not port 22 -U -w - >foo
(just pointing -w to a pipe won't work)
On the local machine:
$ wireshark -k -i <(ssh example.com cat foo)