1.基础范例：

 

See the list of interfaces on which tcpdump can listen:

tcpdump -D

Listen on interface eth0:

tcpdump -i eth0

Listen on any available interface (cannot be done in promiscuous mode. Requires Linux kernel 2.2 or greater):

tcpdump -i any

Be verbose while capturing packets:

tcpdump -v

Be more verbose while capturing packets:

tcpdump -vv

Be very verbose while capturing packets:

tcpdump -vvv

Be less verbose (than the default) while capturing packets:

tcpdump -q

Limit the capture to 100 packets:

tcpdump -c 100

Record the packet capture to a file called capture.cap:

tcpdump -w capture.cap

Record the packet capture to a file called capture.cap but display on-screen how many packets have been captured in real-time:

tcpdump -v -w capture.cap

Display the packets of a file called capture.cap:

tcpdump -r capture.cap

Display the packets using maximum detail of a file called capture.cap:

tcpdump -vvv -r capture.cap

Display IP addresses and port numbers instead of domain and service names when capturing packets:

tcpdump -n

Capture any packets where the destination host is 192.168.1.1. Display IP addresses and port numbers:

tcpdump -n dst host 192.168.1.1

Capture any packets where the source host is 192.168.1.1. Display IP addresses and port numbers:

tcpdump -n src host 192.168.1.1

Capture any packets where the source or destination host is 192.168.1.1. Display IP addresses and port numbers:

tcpdump -n host 192.168.1.1

Capture any packets where the destination network is 192.168.1.0/24. Display IP addresses and port numbers:

tcpdump -n dst net 192.168.1.0/24

Capture any packets where the source network is 192.168.1.0/24. Display IP addresses and port numbers:

tcpdump -n src net 192.168.1.0/24

Capture any packets where the source or destination network is 192.168.1.0/24. Display IP addresses and port numbers:

tcpdump -n net 192.168.1.0/24

Capture any packets where the destination port is 23. Display IP addresses and port numbers:

tcpdump -n dst port 23

Capture any packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n dst portrange 1-1023

Capture only TCP packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n tcp dst portrange 1-1023

Capture only UDP packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n udp dst portrange 1-1023

Capture any packets with destination IP 192.168.1.1 and destination port 23. Display IP addresses and port numbers:

tcpdump -n "dst host 192.168.1.1 and dst port 23"

Capture any packets with destination IP 192.168.1.1 and destination port 80 or 443. Display IP addresses and port numbers:

tcpdump -n "dst host 192.168.1.1 and (dst port 80 or dst port 443)"

Capture any ICMP packets:

tcpdump -v icmp

Capture any ARP packets:

tcpdump -v arp

Capture either ICMP or ARP packets:

tcpdump -v "icmp or arp"

Capture any packets that are broadcast or multicast:

tcpdump -n "broadcast or multicast"

Capture 500 bytes of data for each packet rather than the default of 68 bytes:

tcpdump -s 500

Capture all bytes of data within the packet:

tcpdump -s 0

2.进阶范例：

1) analyze traffic remotely over ssh w/ wireshark
ssh tcpdump -w - 'port !22' | wireshark -k -i -
This captures traffic on a remote machine with tcpdump, sends the raw pcap data over the ssh link, and displays it in wireshark. Hitting ctrl+C will stop the capture and unfortunately close your wireshark window.
2) Get Cisco network information
tcpdump -nn -v -i eth0 -s 1500 -c 1 ‘ether[20:2] == 0×2000′
This gives you lots of nifty Cisco network information like VLAN tag, port and switch information.
3) Remotely sniff traffic and pass to snort
ssh \ “tcpdump -nn -i eth1 -w -” | snort -c /etc/snort/snort.conf  - r -

I have a small embedded linux device that I wanted to use for sniffing my external network, but I didn’t want to recompile/cross-compile snort for the embedded platform. So I used tcpdump over ssh to pass all the traffic as pcap data to a “normal” Linux system that then takes the pcap data and passes it to snort for processing.
4) Sniffing network (gui)
tcpdump -v -i -s 0 -w /tmp/sniff.pcap port # On the remote side
Then hit ^C to stop, get the file by scp, and you can now use wireshark like this :
wireshark /tmp/sniff.pcap
If you have tshark on remote host, you could use that :
wireshark -k -i <(ssh -l root tshark -w - not tcp port 22)
The last snippet comes from
5) Getting started with tcpdump
tcpdump -nli eth0; tcpdump -nli eth0 src or dst w.x.y.z;
tcpdump -nli eth0 port 80; tcpdump -nli eth0 proto udp
At some point you want to know what packets are flowing on your network. Use tcpdump for this. The man page is obtuse, to say the least, so here are some simple commands to get you started.
-n means show IP numbers and don’t try to translate them to names.
-l means write a line as soon as it is ready.
-i eth0 means trace the packets flowing through the first ethernet interface.
src or dst w.x.y.z traces only packets going to or from IP address w.x.y.z.
port 80 traces only packets for HTTP.
proto udp traces only packets for UDP protocol.
Once you are happy with each option combine them with ‘and’ ‘or’ ‘not’ to get the effects you want.
6) Capture data in ASCII. 1500 bytes
tcpdump -i eth0 -n tcp port 80 -A -s1500
Sniffing traffic on port 80 only the first 1500 bytes
7) See entire packet payload using tcpdump.
tcpdump -nnvvXSs 1514 -i
This command will show you the entire payload of a packet.
The final “s” increases the snaplength, grabbing the whole packet.
8) view http traffic
tcpdump -i eth0 port 80 -w - | hd
9) ignore all ssh traffic
tcpdump -i eth0 -n 'port ! 22'