
tcpdump - dump traffic on a network

2010-04-27 22:26, 381 views

Synopsis

tcpdump [ -AdDeflLnNOpqRStuUvxX ] [ -c count ]
        [ -C file_size ] [ -F file ]
        [ -i interface ] [ -m module ] [ -M secret ]
        [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
        [ -W filecount ]
        [ -E spi@ipaddr algo:secret,... ]
        [ -y datalinktype ] [ -Z user ]
        [ expression ]

Description

Tcpdump prints out the headers of packets on a network interface that match the boolean expression. It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than to read packets from a network interface. In all cases, only packets that match expression will be processed by tcpdump.

Tcpdump will, if not run with the -c flag, continue capturing packets until it is interrupted by a SIGINT signal (generated, for example, by typing your interrupt character, typically control-C) or a SIGTERM signal (typically generated with the kill(1) command); if run with the -c flag, it will capture packets until it is interrupted by a SIGINT or SIGTERM signal or the specified number of packets have been processed.

Example

tcpdump -i eth8 -A port 24422 | grep "dest_string"

tcpdump -i eth1 -s 1500 port not 22 and port not 53

tcpdump -i eth1 port not 22 and host 1.2.3.4
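To make concrete what the description says about -w, -r and filter expressions, here is an added Python example (not from the page and not tcpdump's own code) that writes a small constructed capture in the classic pcap format that tcpdump -w produces, reads it back the way -r does, and applies the page's own expressions "port not 22 and port not 53" and "port not 22 and host 1.2.3.4" to the records. The frame builder, the pcap routines and the sample addresses are all constructed for illustration, and only IPv4 TCP/UDP over Ethernet is modelled.

```python
import struct

def ipv4_tcp_frame(src_ip, dst_ip, sport, dport):
    """Build a constructed Ethernet/IPv4/TCP SYN frame (dummy MACs, no options, no payload)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # EtherType 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp

def write_pcap(frames):
    """Serialise frames in the classic pcap format tcpdump -w writes (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):                    # record header: ts_sec, ts_usec, incl, orig
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield (ts_sec, frame) records, the way tcpdump -r reads a saved file back."""
    if struct.unpack_from("<I", data)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap file")
    off = 24                                               # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len

def decode(frame):
    """Return (src_ip, dst_ip, sport, dport); only IPv4 TCP/UDP over Ethernet is modelled."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] not in (6, 17):
        return None
    ihl = (frame[14] & 0x0F) * 4
    src, dst = (".".join(map(str, frame[o:o + 4])) for o in (26, 30))
    return (src, dst) + struct.unpack_from("!HH", frame, 14 + ihl)

def matches(frame, not_ports=(), host=None):
    """Emulate 'port not A and ... and host H': like BPF, port and host match either direction."""
    d = decode(frame)
    if d is None:
        return False
    src, dst, sport, dport = d
    if any(p in (sport, dport) for p in not_ports):         # 'port not 22' drops both SSH directions
        return False
    return host is None or host in (src, dst)

# Constructed capture: SSH to 1.2.3.4 (ts 0), HTTPS back from it (ts 1), DNS over TCP elsewhere (ts 2).
SAMPLE = write_pcap([ipv4_tcp_frame("10.0.0.5", "1.2.3.4", 40000, 22),
                     ipv4_tcp_frame("1.2.3.4", "10.0.0.5", 443, 40001),
                     ipv4_tcp_frame("10.0.0.5", "8.8.8.8", 40002, 53)])
```

Running `[ts for ts, f in read_pcap(SAMPLE) if matches(f, not_ports=(22, 53))]` keeps only the HTTPS record, the same selection tcpdump -r would make for the second example above.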

Ref

http://linux.die.net/man/8/tcpdump
