tcpdump usage
Synopsis
tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ][ -c count ] [ -C file_size ]
[ -E spi@ipaddr algo:secret,... ]
[ -F file ] [ -G rotate_seconds ] [ -i interface ]
[ --immediate-mode ] [ -j tstamp_type ] [ -m module ]
[ -M secret ] [ --number ] [ --print ] [ -Q in|out|inout ]
[ -r file ] [ -s snaplen ] [ -T type ] [ --version ]
[ -V file ] [ -w file ] [ -W filecount ] [ -y datalinktype ]
[ -z postrotate-command ] [ -Z user ]
[ --time-stamp-precision=tstamp_precision ]
[ expression ]
Example
# packets on eth0 interface
tcpdump -i eth0
# packets on any interface
tcpdump -i any
# tcp port 1935 packets on eth0 interface
tcpdump -i eth0 tcp port 1935
# tcp port 1935 packets including bodies on eth0 interface and write a file
tcpdump -s 0 -l -w - -i eth0 "(tcp port 1935)" > /tmp/output.pcap
# ((Destination IP == 192.168.0.2 && tcp port 1935) || tcp port 5521) on any interface
tcpdump -i any "(dst 192.168.0.2 && tcp port 1935) or (tcp port 5521)"
# (((Destination IP == 192.168.0.2 && tcp port 1935) || tcp port 5521) && TCP SYN packet) on any interface
tcpdump -i any "((dst 192.168.0.2 and tcp port 1935) or (tcp port 5521)) and (tcp[tcpflags] & tcp-syn != 0)"
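To show what the last filter actually tests on the wire, here is an added example (not part of the original post) that evaluates the same expression in Python over constructed IPv4/TCP packets, with no link-layer header. It also shows two things the filter itself does not make obvious: `tcp port N` matches either direction, and `tcp[tcpflags] & tcp-syn != 0` also matches SYN-ACK replies; the stricter `tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn` keeps only the initial SYN. All addresses, ports and packets below are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

TCP_SYN, TCP_ACK = 0x02, 0x10   # same bit values tcpdump uses for tcp-syn / tcp-ack
TCP_FLAGS_OFFSET = 13           # what tcp[tcpflags] denotes: byte 13 of the TCP header

def build_packet(src, dst, sport, dport, flags):
    """Construct a minimal IPv4 + TCP packet (checksums left zero; never sent)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp

def parse(pkt):
    """Return (dst_ip, sport, dport, flags), honouring the IHL field like BPF does."""
    ihl = (pkt[0] & 0x0F) * 4
    dst = str(IPv4Address(pkt[16:20]))
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return dst, sport, dport, tcp[TCP_FLAGS_OFFSET]

def tcp_port(sport, dport, n):
    """'tcp port N' is true for either direction (source OR destination port)."""
    return sport == n or dport == n

def matches(pkt):
    """((dst 192.168.0.2 and tcp port 1935) or tcp port 5521) and tcp[tcpflags] & tcp-syn != 0"""
    dst, sport, dport, flags = parse(pkt)
    selected = (dst == "192.168.0.2" and tcp_port(sport, dport, 1935)) or tcp_port(sport, dport, 5521)
    return selected and (flags & TCP_SYN) != 0

def is_initial_syn(pkt):
    """Stricter form: tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn, i.e. SYN without ACK."""
    return parse(pkt)[3] & (TCP_SYN | TCP_ACK) == TCP_SYN

SAMPLES = {  # constructed packets for illustration
    "client SYN to 192.168.0.2:1935":   build_packet("10.0.0.5", "192.168.0.2", 50000, 1935, TCP_SYN),
    "ACK-only data to 192.168.0.2:1935": build_packet("10.0.0.5", "192.168.0.2", 50000, 1935, TCP_ACK),
    "SYN to other host, port 1935":     build_packet("10.0.0.5", "10.0.0.9", 50002, 1935, TCP_SYN),
    "SYN to other host, port 5521":     build_packet("10.0.0.5", "10.0.0.9", 50001, 5521, TCP_SYN),
    "SYN-ACK reply from port 5521":     build_packet("10.0.0.9", "10.0.0.5", 5521, 50001, TCP_SYN | TCP_ACK),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:36} filter={matches(pkt)!s:5} initial_syn={is_initial_syn(pkt)}")
```

The SYN-ACK sample matches the page's filter but not `is_initial_syn`, which is the difference to keep in mind when counting connection attempts from a capture.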
Reference
https://www.tcpdump.org/manpages/tcpdump.1.html