tcpdump uses packet filter syntax for filtering. For help see

man 7 pcap-filter

tcpdump -n -tttt -i rl0 dst port 221027

tcpdump -n -tttt -i rl0 host 192.168.10.2

tcpdump -n -i rl0 'not port 22'

tcpdump -s 65535 -w /tmp/test.pcap

tcpdump -n 'net 2001:470:26:6bd::/64 and port 443'

tcpdump -i igb0 -n -p 'udp port 500 or udp port 4500 or ip proto 50'

tcpdump -i lo -G $((10*60)) -s 65535 -w /tmp/test.%Y-%m-%dT%H:%M.pcap -Z root

• -i lo
  • Listen on loopback interface.

• -G $((10*60))
  • Rotate logs every 10 minutes.

• -s 65535
  • Capture full package.

• -w /tmp/test.%Y-%m-%dT%H:%M.pcap
  • Save dump to file. Ex. test.2015-08-11T12:16.pcap

• -Z root
  • Run as root user. I had some permission problems with the default user (tcpdump)