Tcpdump (remote) and Wireshark (local) can be combined to analyse your router’s traffic
While debugging my DD-WRT router, I wanted to analyse some traffic between my DD-WRT router and my iPhone. Usually I do a MITM attack, but I recently found that tcpdump can be installed on DD-WRT. Wireshark can thus be used locally to analyse the traffic captured by tcpdump running remotely on the router.
Some other examples can be found on the following page: "analyze traffic remotely over ssh w/ wireshark". Unfortunately, under macOS, Wireshark does not support FIFO files combined with pipes. To work around this limitation, all traffic must be stored in a file using the following command line:
ssh root@ROUTER_IP tcpdump -i wl0.1 -U -s0 -w - 'not port 22' > /tmp/wireshark_analyse_01 &
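The traffic dumped by tcpdump is stored locally in the file /tmp/wireshark_analyse_01, which Wireshark can open. In the command, -w - writes the raw capture to standard output, -U flushes it after each packet, -s0 captures whole packets, and the filter 'not port 22' keeps the SSH session that carries the capture out of the capture itself. The only disadvantage is that you must reload the file to see the newly dumped traffic (there is a button in Wireshark to do it).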
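Because the file keeps growing while it is read, its last record is often incomplete; the Python script below is an added example (not part of the original post) that parses only the complete packets and resumes from where it stopped. It assumes the router's tcpdump writes the classic libpcap format; the function names and the sample bytes are constructed for illustration.

```python
import struct, sys, time

GLOBAL_HDR_LEN, RECORD_HDR_LEN = 24, 16
# First four bytes identify a pcap stream and the byte order the router wrote it in.
MAGICS = {b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<",   # microsecond timestamps
          b"\xa1\xb2\x3c\x4d": ">", b"\x4d\x3c\xb2\xa1": "<"}   # nanosecond timestamps

def scan_capture(data, offset=0):
    """Return (packets, next_offset) for the complete records in data from offset on."""
    if len(data) < GLOBAL_HDR_LEN:
        return [], 0                       # global header not fully written yet
    endian = MAGICS.get(data[:4])
    if endian is None:
        raise ValueError("not a pcap stream: unexpected magic %r" % data[:4])
    pos, packets = max(offset, GLOBAL_HDR_LEN), []
    while pos + RECORD_HDR_LEN <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, pos)
        end = pos + RECORD_HDR_LEN + incl_len
        if end > len(data):
            break                          # last record is still being written
        packets.append((ts_sec, ts_frac, orig_len, data[pos + RECORD_HDR_LEN:end]))
        pos = end
    return packets, pos

def sample_capture(endian=">"):
    """Constructed capture: Ethernet link type, two dummy frames of 60 and 42 bytes."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, frame in ((1, b"\x00" * 60), (2, b"\x11" * 42)):
        out += struct.pack(endian + "IIII", sec, 0, len(frame), len(frame)) + frame
    return out

def follow(path, interval=1.0):
    """Poll a growing capture file and print one line per newly completed packet."""
    offset = 0
    while True:
        with open(path, "rb") as f:
            packets, offset = scan_capture(f.read(), offset)
        for ts_sec, _, orig_len, frame in packets:
            print("%d  %d bytes on the wire, %d captured" % (ts_sec, orig_len, len(frame)))
        time.sleep(interval)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        follow(sys.argv[1])                # e.g. /tmp/wireshark_analyse_01
    else:
        print(len(scan_capture(sample_capture()[:-10])[0]), "complete packet(s)")
```

A ValueError from scan_capture means something other than capture data reached the file, for example text printed by the remote shell before tcpdump started.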
If you really want the FIFO functionality, you should use another OS or Wireshark version to be able to use the pipe/FIFO file tricks. You can also install a decent version of Wireshark using MacPorts if you are running Mac OS X.