Capture packets via remote tcpdump using SSH and display in local Wireshark client (Windows batch file)

pcap_remote.cmd

@echo off

rem Figure out path to plink.exe
set putty_dir_key="HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PuTTY_is1"
for /f "tokens=3*" %%x in ('reg query %putty_dir_key% /v "InstallLocation"') do set putty_dir=%%x %%y
if not defined putty_dir (
    echo Please install PuTTY using Windows installer from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
    exit /b 1
)
set plink="%putty_dir%\plink.exe"

rem Figure out path to wireshark.exe
set wireshark_dir_key="HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark"
for /f "tokens=3*" %%x in ('reg query %wireshark_dir_key% /v "InstallLocation"') do set wireshark_dir=%%x %%y
if not defined wireshark_dir (
    echo Please install Wireshark using Windows installer from https://www.wireshark.org/download.html
    exit /b 1
)
set wireshark="%wireshark_dir%\Wireshark.exe"

rem Ask for hostname if not specified as first parameter
set host=%1
if not defined host set /p host= What SSH host do you want to capture from? 

rem Ask for interface if not specified as second parameter
set iface=%2
if not defined iface (
    %plink% root@%host% tcpdump -D
    set /p iface= What interface do you want to capture from? 
)

rem Default to a sensible pattern if not specified as the third parameter
set pattern=%3
if not defined pattern (
    if "%iface%" == "eth0" set pattern="not host %host% and not port 22"
    if "%iface%" == "any" set pattern="not host %host% and not port 22"
)

rem Run tcpdump with output to pipe and read pipe from wireshark
%plink% root@%host% tcpdump -U -i %iface% -s0 -w - %pattern% | %wireshark% -k -i -

thanks!