Disce aut Discede
List all interfaces
tcpdump -D
Capture only SYN packets
tcpdump -n tcp and port 80 and 'tcp[tcpflags] & tcp-syn == tcp-syn'
Display capture and save to file at the same time
tcpdump -s 0 -i tun0 -c 10 -w - -U | tee foo.pcap | tcpdump -n -r -
Display packets with low TTL (troubleshooting routing issues or detecting traceroutes)
tcpdump -i eth1 'ip[8] < 5'
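What the two byte-offset filters above test, shown on constructed IPv4/TCP packets. This is an added example, not part of the original post; the function names and sample addresses are made up here, and the `matches_initial_syn` variant (SYN set, ACK clear) is an addition showing how to exclude SYN-ACK replies, which the SYN filter above also matches.

```python
import struct

TCP_SYN, TCP_ACK = 0x02, 0x10  # flag bits in TCP header byte 13 (tcp[tcpflags])
IPPROTO_TCP = 6

def build_ipv4_tcp(ttl, flags, sport=40000, dport=80):
    """Constructed sample: 20-byte IPv4 header + 20-byte TCP header, checksums left 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, ttl, IPPROTO_TCP, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp

def tcp_flags(pkt):
    """Return TCP flags byte, or None if the IPv4 payload is not TCP."""
    if pkt[9] != IPPROTO_TCP:          # ip[9] is the protocol field
        return None
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    return pkt[ihl + 13]               # tcp[13], which tcpdump names tcp[tcpflags]

def matches_syn(pkt):
    """tcp[tcpflags] & tcp-syn == tcp-syn  (also true for SYN-ACK)."""
    flags = tcp_flags(pkt)
    return flags is not None and (flags & TCP_SYN) == TCP_SYN

def matches_initial_syn(pkt):
    """tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn  (SYN set, ACK clear)."""
    flags = tcp_flags(pkt)
    return flags is not None and (flags & (TCP_SYN | TCP_ACK)) == TCP_SYN

def matches_low_ttl(pkt, limit=5):
    """ip[8] < 5: byte 8 of the IPv4 header is the TTL."""
    return pkt[8] < limit

if __name__ == "__main__":
    samples = {  # constructed packets, not captured traffic
        "client SYN":        build_ipv4_tcp(64, TCP_SYN),
        "server SYN-ACK":    build_ipv4_tcp(64, TCP_SYN | TCP_ACK),
        "plain ACK":         build_ipv4_tcp(64, TCP_ACK),
        "TTL=1 probe (SYN)": build_ipv4_tcp(1, TCP_SYN),
    }
    for name, pkt in samples.items():
        print(f"{name:18} syn={matches_syn(pkt)!s:5} "
              f"initial_syn={matches_initial_syn(pkt)!s:5} "
              f"low_ttl={matches_low_ttl(pkt)}")
```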
Capture and rotate capture files (200 files of 20 MB each)
tcpdump -w testcapture.pcap -W 200 -C 20 -SvnAi eth2 tcp and port 80
Capture on a remote host and send it to Snort on the local computer
ssh root@remotehost "tcpdump -nn -i eth1 -w -" | snort -c /etc/snort/snort.conf -r -