• you can see the packet dump in your terminal,
• you can also create a pcap file (to see the capture in wireshark),
• you can create filter to capture only required packets like ftp or ssh etc.
• you can directly see the capture of a remote system in any other Linux system using wireshark, for more detail click “Remote packet capture using WireShark and tcpdump”.
• so many other options available, see tcpdump man page.

tcpdump man page

When you create a pcap file using tcpdump it will truncate your capture file to shorten it and you may not able to understand that. I am writing this post, so that you can create a pcap file effectively. You can use following command to capture the dump in a file:

tcpdump -s 0 port ftp or ssh -i eth0 -w mycap.pcap

In above command

-s 0 will set the capture byte to its maximum i.e. 65535, after this capture file will not truncate.

-i eth0 is using to give Ethernet interface, which you to capture. Default is eth0, if you not use this option.

port ftp or ssh is the filter, which will capture only ftp and ssh packets. You can remove this to capture all packets.

-w mypcap.pcap will create that pcap file, which will be opened using wireshark.

wireshark.org

Now I think, you can play with the command as per your need.

mkfifo /tmp/packet_capture

2. Second give the following ssh command on your terminal, to start the tcpdump on remote PC.

ssh hostname_or_ip_of_remote_pc "tcpdump -s 0 -U -n -w - -i eth0 not port 22" 
 > /tmp/packet_capture

3. Third & last step, give the following command to start the WireShark on your PC, which will read packets from the special FIFO file ‘/tmp/packet_capture’ at runtime.

wireshark -k -i /tmp/packet_capture

After giving the above command all the packets of remote pc’s eth0 will be visible on WireShark.