Hi,
I need to debug a TCP feed from a load balancer, on a server where I don't have root or sudo. Is there a props config that I can make to put it into debug and see exactly what it's processing? I'm using a heavy forwarder.
Splunk for Stream FTW! lol
Tcpdump would also require sudo or root privileges, since it puts the network interface into promiscuous mode.
You could try strace on the incoming Splunk process, since you can run that as the splunk user, but I am not sure it would give you enough information.
Another option would be to have the heavy forwarder write out the raw events it is receiving to a syslog port. To send just a subset of data, in props.conf, apply the send_to_syslog transform to the load balancer's hostname:

[host::LBhostname]
TRANSFORMS-problemLB = syslog_debug

In transforms.conf, configure the syslog_debug transform to specify _SYSLOG_ROUTING as the DEST_KEY and the my_syslog_group target group as the FORMAT:

[syslog_debug]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group

In outputs.conf, define the my_syslog_group target group for the non-Splunk server:

[syslog:my_syslog_group]
server = sysloghost.example.com:514

The syslog host here could be localhost, for example. You would also need to configure your syslog server process to accept incoming connections and write the log out to a file. Since Splunk already has access to the data stream you could run a syslog process on a non-privileged port as the Splunk user so the sysadmins don't have to be involved.
Reference: Route & Filter Data. Specifically, look at "Replicate a subset of data to a third-party system".
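As an added example (not part of the post above, and not Splunk's own code), here is the "syslog process on a non-privileged port as the Splunk user" side of that answer: a stand-alone UDP syslog receiver in Python that appends every event it gets to a file. The listen port 5514, the output path /tmp/lb_feed_debug.log and the sample datagram are assumptions made for this example. It assumes the default RFC 3164-style header that Splunk's syslog output prepends (<PRI>Mon DD HH:MM:SS host message), and anything that does not match that header is still written out, marked MALFORMED, so nothing is lost while debugging. Point the [syslog:my_syslog_group] stanza at it with server = 127.0.0.1:5514 (the syslog output uses UDP unless type = tcp is set in outputs.conf).

```python
#!/usr/bin/env python3
"""Minimal UDP syslog receiver for debugging what a heavy forwarder emits.

Run as the splunk user; no root needed because the port is above 1024.
Example code, not part of the original post or of Splunk.
"""
import re
import socket
from datetime import datetime

# Assumed values for this example: an unprivileged port on loopback and a
# file the Splunk user can write to. Match LISTEN_ADDR to the outputs.conf
# line  server = 127.0.0.1:5514
LISTEN_ADDR = ("127.0.0.1", 5514)
OUT_FILE = "/tmp/lb_feed_debug.log"

# Constructed sample of a datagram the forwarder would send: PRI 13 is
# facility 1 (user), severity 5 (notice), then timestamp, host and event text.
SAMPLE_DATAGRAM = b"<13>Nov  5 10:23:01 LBhostname GET /health HTTP/1.1 200"

# RFC 3164-style header: <PRI>Mon DD HH:MM:SS host message...
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)


def parse_syslog(datagram: bytes) -> dict:
    """Split one syslog datagram into facility, severity, timestamp, host, message.

    If the datagram does not carry the expected header, the whole payload is
    returned as the message with well_formed=False rather than being dropped;
    an unexpected shape is usually the interesting case when debugging a feed.
    """
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    m = SYSLOG_RE.match(text)
    if not m:
        return {"facility": None, "severity": None, "timestamp": None,
                "host": None, "message": text, "well_formed": False}
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "message": m.group("msg"),
        "well_formed": True,
    }


def format_record(parsed: dict, received_at: datetime) -> str:
    """One tab-separated line per event: receive time, status, header fields, raw message."""
    tag = "ok" if parsed["well_formed"] else "MALFORMED"
    return (
        f"{received_at.isoformat(timespec='seconds')}\t{tag}\t"
        f"fac={parsed['facility']}\tsev={parsed['severity']}\t"
        f"host={parsed['host']}\t{parsed['message']}"
    )


def serve(addr=LISTEN_ADDR, out_path=OUT_FILE, max_datagrams=None) -> int:
    """Receive UDP syslog on an unprivileged port and append each event to out_path.

    max_datagrams lets a caller stop after N events; the default runs until
    interrupted. Returns the number of datagrams written.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(addr)
    count = 0
    try:
        with open(out_path, "a", encoding="utf-8") as out:
            while max_datagrams is None or count < max_datagrams:
                data, _peer = sock.recvfrom(65535)
                out.write(format_record(parse_syslog(data), datetime.now()) + "\n")
                out.flush()  # so `tail -f` shows events as they arrive
                count += 1
    finally:
        sock.close()
    return count


if __name__ == "__main__":
    serve()
```

Start it with `python3 lb_syslog_debug.py` as the splunk user and watch the file with `tail -f /tmp/lb_feed_debug.log`. One caveat worth knowing before reading the output: routing through _SYSLOG_ROUTING happens after Splunk has already line-broken the TCP stream into events, so what lands in the file is the forwarder's view of each event with a syslog header prepended, not a byte-for-byte copy of the raw TCP feed.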
Oohhh, this is interesting. Thanks.
How is the debugging going?
You could ask the sysadmins to install tcpdump for you. It's not a definitive answer, but I don't know of any debug mode as such.
I would, however, like to be corrected and shown wrong.
Yeah, well, that adds a whole new set of processing.... If necessary, I will, but I'm hoping there's a config entry that provides this info.