tcpdump

General Information

Filter Syntax

tcpdump uses pcap-filter syntax to apply Berkeley Packet Filters (BPF) to the traffic. More details about the syntax are shown in the manpage.

man 7 pcap-filter

IPv6

As of version 4.99.5 (2024-04-07), be careful with IPv6 filters. For example, the 'tcp' filter doesn't support IPv6.

See the BUGS section of “man 7 pcap-filter”.

       Arithmetic  expression  against  transport  layer headers, like tcp[0],
       does not work against IPv6 packets.  It only looks at IPv4 packets.
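As an added example that is not part of the original wiki page, the following shell function builds a pcap-filter expression for TCP flags that matches both address families: the tcp[13] test only inspects IPv4, so the IPv6 half addresses the flags byte by its fixed offset in the IPv6 packet instead. It assumes the IPv6 packet carries no extension headers, so the TCP header starts at byte 40 and the flags byte is ip6[53].

```shell
#!/bin/sh
# tcp_flags_filter NAME [NAME...]
# Print a pcap-filter expression matching packets that have any of the
# given TCP flags set, on IPv4 and on IPv6.
# Assumption (see lead-in): no IPv6 extension headers, so
#   ip6[6]  = Next Header (6 = TCP)
#   ip6[53] = byte 40 (start of TCP header) + 13 (TCP flags byte)
tcp_flags_filter() {
    mask=0
    for name in "$@"; do
        case "$name" in
            fin) bit=1 ;;
            syn) bit=2 ;;
            rst) bit=4 ;;
            psh) bit=8 ;;
            ack) bit=16 ;;
            urg) bit=32 ;;
            *) printf 'unknown TCP flag: %s\n' "$name" >&2; return 1 ;;
        esac
        mask=$((mask | bit))
    done
    # tcp[13] is the same byte that the tcp[tcpflags] keyword refers to;
    # libpcap evaluates it against IPv4 packets only.
    printf '(tcp[13] & %d != 0) or (ip6[6] = 6 and ip6[53] & %d != 0)\n' \
        "$mask" "$mask"
}

# Example: capture SYN packets to port 443 on either address family.
#   tcpdump -n -i rl0 "dst port 443 and ($(tcp_flags_filter syn))"
```

Pass the result to tcpdump as a single quoted argument so the shell does not split the expression.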

Filter Examples

Port include

tcpdump -n -tttt -i rl0 dst port 22

Host include

tcpdump -n -tttt -i rl0 host 192.168.10.2

SSH exclude

tcpdump -n -i rl0 'not port 22'

Filter IPv6 Network

tcpdump -n 'net 2001:470:26:6bd::/64 and port 443'

Show IPsec packets

tcpdump -i igb0 -n -p 'udp port 500 or udp port 4500 or ip proto 50'

General Usage Examples

Dump full Packets for Wireshark

tcpdump -s 65535 -w /tmp/test.pcap

Dump for Wireshark with rotation

tcpdump -i lo -G $((10*60)) -s 65535 -w /tmp/test.%Y-%m-%dT%H:%M.pcap -Z root
  • -i lo
    • Listen on the loopback interface.
  • -G $((10*60))
    • Rotate the dump file every 10 minutes (600 seconds).
  • -s 65535
    • Capture the full packet.
  • -w /tmp/test.%Y-%m-%dT%H:%M.pcap
    • Save the dump to a file; with -G the name is expanded by strftime. Ex. test.2015-08-11T12:16.pcap
  • -Z root
    • Run as the root user. (The default is 'tcpdump'. After attaching to the input device, tcpdump drops its root privileges and switches to the user tcpdump, or to the user specified by -Z. This means that to write dump files with -w, that user must be able to create and write the files.)
apps/tcpdump.1726851110.txt.gz · Last modified: 2024-09-20 18:51 by Manuel Frei