Synopsis
tcpdump [ -AdDeflLnNOpqRStuUvxX ] [ -c count ]
        [ -C file_size ] [ -F file ]
        [ -i interface ] [ -m module ] [ -M secret ]
        [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
        [ -W filecount ]
        [ -E spi@ipaddr algo:secret,... ]
        [ -y datalinktype ] [ -Z user ] [ expression ]
Description
Tcpdump prints out the headers of packets on a network interface that match the boolean expression. It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than to read packets from a network interface. In all cases, only packets that match expression will be processed by tcpdump.
Tcpdump will, if not run with the -c flag, continue capturing packets until it is interrupted by a SIGINT signal (generated, for example, by typing your interrupt character, typically control-C) or a SIGTERM signal (typically generated with the kill(1) command); if run with the -c flag, it will capture packets until it is interrupted by a SIGINT or SIGTERM signal or the specified number of packets have been processed.
Example
tcpdump -i eth8 -A port 24422 | grep "dest_string"
tcpdump -i eth1 -s 1500 port not 22 and port not 53
tcpdump -i eth1 port not 22 and host 1.2.3.4
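As an added example (not part of the man page), the Python below applies the same host/port logic as the last two expressions above to constructed `tcpdump -n` output lines, which is useful when only saved text output is available. The helper names (`host`, `port`, `not_`, `and_`, `apply_filter`) are assumptions for this illustration; tcpdump itself evaluates the expression in the kernel before printing, and the parser assumes the default IPv4 TCP/UDP summary line layout.

```python
import re
from dataclasses import dataclass

# A tcpdump -n summary line for IPv4 TCP/UDP looks like (constructed samples below):
#   HH:MM:SS.usec IP src_ip.src_port > dst_ip.dst_port: ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
)

@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int

def parse_line(line):
    """Parse one summary line; None for payload dump lines (-A/-x) or non-IPv4 lines."""
    m = LINE_RE.match(line)
    return Packet(m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])) if m else None

# pcap filter semantics: "host X" / "port N" match either endpoint unless qualified
# with src/dst, and "port not 22" means the same as "not port 22".
def host(ip):
    return lambda p: ip in (p.src, p.dst)
def port(n):
    return lambda p: n in (p.sport, p.dport)
def not_(pred):
    return lambda p: not pred(p)
def and_(*preds):
    return lambda p: all(f(p) for f in preds)

def apply_filter(lines, pred):
    """Return the parsed packets that the predicate keeps, in input order."""
    return [p for p in map(parse_line, lines) if p is not None and pred(p)]

SAMPLE = [  # constructed tcpdump -n output lines, not a real capture
    "10:00:01.000001 IP 10.0.0.5.51234 > 1.2.3.4.22: Flags [S], seq 1, win 64240, length 0",
    "10:00:01.000002 IP 1.2.3.4.22 > 10.0.0.5.51234: Flags [S.], seq 1, ack 2, win 65160, length 0",
    "10:00:01.000003 IP 10.0.0.5.40000 > 10.0.0.53.53: 1234+ A? example.com. (29)",
    "10:00:01.000004 IP 10.0.0.5.52000 > 1.2.3.4.24422: Flags [P.], seq 1:5, ack 1, win 64240, length 4",
    "10:00:01.000005 IP 10.0.0.9.33000 > 10.0.0.1.443: Flags [S], seq 7, win 64240, length 0",
    "\t0x0000:  4500 0034 0000 4000 4006 0000 0a00 0005",  # -x payload line, no summary
]

# The two expressions from the Example section as predicates:
NOT_22_NOT_53 = and_(not_(port(22)), not_(port(53)))  # port not 22 and port not 53
NOT_22_HOST = and_(not_(port(22)), host("1.2.3.4"))   # port not 22 and host 1.2.3.4
```

Running `apply_filter(SAMPLE, NOT_22_HOST)` keeps only the 24422 line, since the SSH packets fail the port test and the DNS and 443 packets do not involve 1.2.3.4.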
Ref
http://linux.die.net/man/8/tcpdump