tcpdump uses pcap-filter syntax to apply Berkeley Packet Filters (BPF) to the traffic. More details about the syntax are shown in the manpage.
man 7 pcap-filter
As of version 4.99.5 (2024-04-07) be careful with IPv6 filters. For example, the 'tcp' filter doesn't support IPv6.
See the BUG section of “man 7 pcap-filters”.
Arithmetic expression against transport layer headers, like tcp[0],
does not work against IPv6 packets. It only looks at IPv4 packets.
tcpdump -n -tttt -i rl0 dst port 221027
tcpdump -n -tttt -i rl0 host 192.168.10.2
tcpdump -n -i rl0 'not port 22'
tcpdump -n 'net 2001:470:26:6bd::/64 and port 443'
tcpdump -i igb0 -n -p 'udp port 500 or udp port 4500 or ip proto 50'
tcpdump -i eth0 -nn "tcp[tcpflags] == tcp-syn"
tcpdump -i eth0 -nn "ip6 and (ip6[6] == 0x06) and (ip6[53] == 0x02)"
tcpdump -i eth0 -nn "(tcp[tcpflags] == tcp-syn) or (ip6 and (ip6[6] == 0x06) and (ip6[53] == 0x02))"
If the snaplen (-s) is not specified or set to zero, it will use the default lenght of 262144 bytes.
You may find some examples on the internet where it is set to 65535. The reason is, that in the early days, the default was 68 Bytes (IPv4) and 96 Bytes (IPv6). It was changed to 65535 Bytes with commit GitHub: tcpdump: Commit: Make the default snapshot length the maximum; add a #define for the on 2009-03-05T09:01:29.000Z (tcpdump 4.1.0). Later the commit GitHub: tcpdump: Commit: Don't treat 65535 as the maximum snapshot length. on 2014-06-25T20:18:18.000Z (tcpdump 4.6.0-bp) extended the max to 131072 after libpcap extended the max from 65535 Bytes to 131072 Bytes with commit Github: libpcap: Commit: Don't treat 65535 as the maximum snapshot length. on 2014-06-25T20:15:51.000Z (libpcap 1.6.0-bp).
tcpdump -s 65535 -w /tmp/test.pcap
tcpdump -i lo -G $((10*60)) -w /tmp/test.%Y-%m-%dT%H:%M.pcap -Z root