tcpdump
-c  count - Exit after receiving X packets
-i  interface
-q  quiet - print less protocol information
-v, -vv, -vvv  verbose
-w  file - write raw packets to file instead of displaying them
Listen on interface ens192 for traffic to/from host 192.168.3.2, excluding anything on port 22.
tcpdump -i ens192 not port 22 and host 192.168.3.2
Listen on interface ens192, double verbose, to traffic on port 80.
tcpdump -i ens192 -vv port 80
Listen on interface ens192, triple verbose, to traffic on port 636, write the output to a file called capture1.pcap.
tcpdump -i ens192 -vvv port 636 -w capture1.pcap
Listen on interface en0 for MAC address 00:00:00:00:00:00 using port 67 or 68 (notice the quotation marks, which keep the shell from interpreting the parentheses).
tcpdump -i en0 'ether host 00:00:00:00:00:00 and (port 67 or port 68)'
Listen for IPv6 DHCP on the server side
tcpdump -i ens224 port 547
To run tcpdump as a non-root user, add a capture group and add yourself to it:
groupadd pcap
usermod -a -G pcap ross
Next, change the group of tcpdump and set permissions:
chgrp pcap /usr/sbin/tcpdump
chmod 750 /usr/sbin/tcpdump
Finally, use setcap to give tcpdump the necessary capabilities:
setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
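To check that the three steps above took effect and still hold later, the following added example (not part of the original notes) audits the binary's mode, group and file capabilities. The function names parse_caps and audit_tcpdump are hypothetical, the expected values (group pcap, mode 750, the two capabilities) come from the steps above, and the getcap lines shown are constructed samples.

```sh
#!/bin/sh
# Added example (not from the original page): audit the non-root tcpdump setup.
# Expected values (group pcap, mode 750, two capabilities) come from the steps above.

# Normalise one line of getcap output to "sorted,cap,names flags".
# Handles both libcap output styles (sample lines are constructed):
#   older: /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
#   newer: /usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
parse_caps() {
    spec=$(printf '%s\n' "$1" | sed -e 's/^[^ ]* *//' -e 's/^= *//')
    if [ -z "$spec" ]; then echo "none"; return 0; fi
    names=${spec%[+=]*}     # capability list before the last + or =
    flags=${spec##*[+=]}    # flag letters after it (e, i, p)
    sorted=$(printf '%s\n' "$names" | tr ',' '\n' | LC_ALL=C sort | paste -sd, -)
    echo "$sorted $flags"
}

# audit_tcpdump MODE GROUP GETCAP_LINE
# Prints one line per finding; returns 0 when the setup matches, 1 otherwise.
audit_tcpdump() {
    rc=0
    if [ "$1" != "750" ]; then
        echo "mode is $1, expected 750 (no access for others, no setuid bit)"; rc=1
    fi
    if [ "$2" != "pcap" ]; then
        echo "group is $2, expected pcap"; rc=1
    fi
    caps=$(parse_caps "$3")
    case $caps in
        "cap_net_admin,cap_net_raw eip") ;;
        none) echo "no file capabilities set (lost when the binary is replaced, e.g. by a package update)"; rc=1 ;;
        *) echo "unexpected capabilities: $caps"; rc=1 ;;
    esac
    return $rc
}

# On a live system (GNU stat and libcap's getcap assumed):
#   audit_tcpdump "$(stat -c %a /usr/sbin/tcpdump)" "$(stat -c %G /usr/sbin/tcpdump)" \
#                 "$(getcap /usr/sbin/tcpdump)"

# Constructed sample: a correctly configured binary, newer getcap format.
if audit_tcpdump 750 pcap "/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip"; then
    echo "tcpdump setup OK"
fi
```

A non-zero return with "no file capabilities set" means the setcap step has to be repeated.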