-n : don't convert addresses (disable DNS resolution)
-X : in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII.
-S : print absolute, rather than relative, TCP sequence numbers.
-i : listen on interface, -i any can be used to capture packets from all interfaces
-XX : same as -X including its link level header
-v, -vv or -vvv : increase verbosity of the output
-c count : exit after receiving count packets
-e : print the link level header on each dump line
-q : print less protocol information so output lines are shorter
-E : Use spi@ipaddr algo:secret for decrypting IPsec ESP packets.
-w : write the raw packets to file
-r : read packets from file
-s : snarf snaplen bytes of data from each packet rather than the default of 65535 bytes. You should limit snaplen to the smallest number that will capture the protocol information you're interested in. Setting snaplen to 0 sets it to the default of 65535, for backwards compatibility with recent older versions of tcpdump.
and / && :
root@host:~# tcpdump -nnvvS and src 10.5.2.3 and dst port 3389
or / || :
root@host:~# tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16
not / ! :
root@host:~# tcpdump -vv src mars and not dst port 22
root@host:~# tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'
Only listen to a specific host (22.214.171.124)
root@host:~# tcpdump host 126.96.36.199
src 188.8.131.52 : source address filter
dst 184.108.40.206 : destination address filter
root@host:~# tcpdump src 220.127.116.11
root@host:~# tcpdump icmp
root@host:~# tcpdump port 443
port range filter
root@host:~# tcpdump portrange 443-445
source port filter
root@host:~# tcpdump src port 443
source port filter combined with a protocol filter
root@host:~# tcpdump src port 443 and tcp
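The examples above rely on three rules of the filter language that are easy to get wrong: `not` binds tightest, `and` binds tighter than `or` (so parentheses are needed to group alternatives, and the shell needs them single-quoted), and a bare value inherits the most recent qualifier, which is why `dst port 3389 or 22` means `dst port 3389 or dst port 22` and `dst net 10.0.0.0/8 or 172.16.0.0/16` means two `dst net` tests. The following Python is an added example, not part of the original cheat sheet: a toy evaluator for the subset of the syntax used on this page (host/net/port/portrange with src/dst, and the tcp/udp/icmp keywords) run over constructed sample packets. Real tcpdump compiles the expression to BPF with libpcap; the packets, addresses and ports here are made up for illustration.

```python
"""Toy evaluator for a subset of tcpdump's filter language (added example).

Models precedence (not > and > or), parentheses and qualifier inheritance:
a bare value such as the `22` in `dst port 3389 or 22` reuses the last
qualifier.  Only host/net/port/portrange with src/dst and tcp/udp/icmp
are supported; real tcpdump compiles the expression to BPF via libpcap.
"""
import ipaddress
import re

# Constructed sample packets (not real captures): proto, src, dst and,
# for TCP/UDP, srcport/dstport.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "10.0.2.4", "srcport": 51234, "dst": "10.5.2.3", "dstport": 3389},
    {"proto": "tcp", "src": "10.0.2.4", "srcport": 51235, "dst": "10.5.2.3", "dstport": 22},
    {"proto": "tcp", "src": "10.0.2.4", "srcport": 51236, "dst": "10.5.2.3", "dstport": 443},
    {"proto": "tcp", "src": "192.168.1.10", "srcport": 40000, "dst": "172.16.5.5", "dstport": 80},
    {"proto": "icmp", "src": "10.0.2.4", "dst": "10.5.2.3"},
    {"proto": "tcp", "src": "192.168.1.10", "srcport": 40001, "dst": "10.5.2.3", "dstport": 22},
]

# Tokens: parentheses, the C-style operators, or any run of other characters.
TOKEN_RE = re.compile(r"\(|\)|&&|\|\||!|[^\s()&|!]+")


def _primitive(kind, direction, value):
    """Build a predicate for one primitive such as `dst port 22`."""
    sides = [direction] if direction else ["src", "dst"]  # no direction: either side
    if kind in ("host", "net"):
        net = ipaddress.ip_network(value, strict=False)    # a host is just a /32
        return lambda p: any(ipaddress.ip_address(p[s]) in net for s in sides)
    if kind == "port":
        port = int(value)
        return lambda p: any(p.get(s + "port") == port for s in sides)
    if kind == "portrange":
        lo, hi = (int(x) for x in value.split("-"))
        return lambda p: any(lo <= x <= hi for x in (p.get(s + "port") for s in sides)
                             if x is not None)
    raise ValueError(f"unsupported qualifier: {kind}")


class FilterParser:
    """Recursive descent: or_expr > and_expr > not_expr > primary."""

    def __init__(self, expr):
        self.toks = TOKEN_RE.findall(expr)
        self.pos = 0
        self.last_qual = ("host", None)  # tcpdump assumes `host` when no type is given

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of expression")
        self.pos += 1
        return tok

    def parse_or(self):
        left = self.parse_and()
        while self.peek() in ("or", "||"):
            self.take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.peek() in ("and", "&&"):
            self.take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self.parse_not())
        return left

    def parse_not(self):
        if self.peek() in ("not", "!"):
            self.take()
            inner = self.parse_not()
            return lambda p: not inner(p)
        return self.parse_primary()

    def parse_primary(self):
        tok = self.peek()
        if tok == "(":
            self.take()
            inner = self.parse_or()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return inner
        if tok in ("tcp", "udp", "icmp"):
            self.take()
            return lambda p, proto=tok: p["proto"] == proto
        direction = self.take() if tok in ("src", "dst") else None
        kind = self.take() if self.peek() in ("host", "net", "port", "portrange") else None
        if kind is None:
            if direction is None:
                kind, direction = self.last_qual  # bare value: inherit the last qualifier
            else:
                kind = "host"                     # `src 10.0.2.4` means `src host 10.0.2.4`
        self.last_qual = (kind, direction)
        return _primitive(kind, direction, self.take())


def compile_filter(expr):
    """Turn a filter expression into a predicate over packet dicts."""
    parser = FilterParser(expr)
    predicate = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"trailing token: {parser.peek()!r}")
    return predicate


def select(expr, packets=SAMPLE_PACKETS):
    """Indexes of the packets a filter expression would keep."""
    keep = compile_filter(expr)
    return [i for i, p in enumerate(packets) if keep(p)]


if __name__ == "__main__":
    for expr in ("src 10.0.2.4 and (dst port 3389 or 22)",
                 "src 10.0.2.4 and dst port 3389 or 22"):
        print(f"{expr:45} -> {select(expr)}")
```

Running it shows the effect of the parentheses: with them, only packets from 10.0.2.4 to port 3389 or 22 are kept; without them the `or 22` clause stands alone and also keeps the port-22 packet from 192.168.1.10, which is usually not what was meant.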
Create a capture file and rotate it automatically every 3600 seconds
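As an added example (not from the original cheat sheet), the following Python script wraps the rotating capture: tcpdump's `-G 3600` opens a new savefile every hour, the `-w` name uses strftime(3) escapes so each file gets its own timestamp, and `-z` makes tcpdump run the given executable as `command file` when a file is closed. The script passes itself to `-z`; the post-rotate step gzips the finished file and appends the SHA-256 of its uncompressed content to a manifest, so a capture kept as evidence can be checked later with `gunzip -c file.gz | sha256sum`. The capture directory, the `CAPTURE_DIR` environment variable and the file-name prefix are assumptions; the script must be executable and reachable at the path handed to `-z`, and if tcpdump drops privileges with `-Z user`, the post-rotate command runs as that user and the directory must be writable by it.

```python
#!/usr/bin/env python3
"""Rotating tcpdump capture with a post-rotate integrity step (added example).

Run as `capture.py [iface] [filter words...]` to start tcpdump; tcpdump then
re-runs this same file as `capture.py <closed-file.pcap>` after each rotation.
Assumes Linux, a tcpdump that supports -G/-z, and a writable capture directory.
"""
import gzip
import hashlib
import os
import subprocess
import sys

ROTATE_SECONDS = 3600                                               # one file per hour
CAPTURE_DIR = os.environ.get("CAPTURE_DIR", "/var/tmp/captures")    # assumption
MANIFEST = os.path.join(CAPTURE_DIR, "manifest.sha256")


def build_tcpdump_argv(iface="any", capture_dir=CAPTURE_DIR, bpf="",
                       rotate_seconds=ROTATE_SECONDS):
    """argv for the rotating capture: -nn skips DNS and service-name lookups,
    -s 0 keeps whole packets, -G rotates, -w names files with strftime escapes,
    -z names the executable tcpdump runs on every closed file."""
    argv = [
        "tcpdump", "-nn", "-s", "0", "-i", iface,
        "-G", str(rotate_seconds),
        "-w", os.path.join(capture_dir, "cap-%Y%m%d-%H%M%S.pcap"),
        "-z", os.path.abspath(__file__),
    ]
    if bpf:
        argv.append(bpf)   # the filter may be passed as one trailing argument
    return argv


def sha256_hex(data):
    """SHA-256 of a byte string, used to cross-check postrotate()."""
    return hashlib.sha256(data).hexdigest()


def postrotate(path, manifest=MANIFEST):
    """Compress a closed capture file, hash its uncompressed content, append the
    digest to the manifest and remove the original.  Returns the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as src, gzip.open(path + ".gz", "wb") as dst:
        for chunk in iter(lambda: src.read(1 << 20), b""):
            digest.update(chunk)
            dst.write(chunk)
    os.remove(path)
    os.makedirs(os.path.dirname(manifest) or ".", exist_ok=True)
    with open(manifest, "a") as mf:
        mf.write(f"{digest.hexdigest()}  {os.path.basename(path)}\n")
    return digest.hexdigest()


def main(argv):
    # Invoked by tcpdump via -z with the closed savefile as the only argument.
    if len(argv) == 2 and argv[1].endswith(".pcap"):
        postrotate(argv[1])
        return 0
    os.makedirs(CAPTURE_DIR, exist_ok=True)
    iface = argv[1] if len(argv) > 1 else "any"
    bpf = " ".join(argv[2:])
    return subprocess.call(build_tcpdump_argv(iface, bpf=bpf))


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The manifest records the digest of the uncompressed pcap, not of the `.gz` file, because gzip embeds a timestamp and the same capture would otherwise hash differently each time it is recompressed.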
If you run tcpdump on the machine that established the IPsec tunnel, you won't be able to see the decapsulated traffic; you will only see ESP packets. To capture the decapsulated traffic we have to use netfilter/iptables with NFLOG.