tcpdump(1)
CLI
tcpdump [opts] -i <if> [<filter>]
-n Don't convert host/port names.
-w <file|-> Write pcap trace to file or stdout (-).
-r <file> Read & parse pcap file.
Some useful filters, for the full syntax see pcap-filter(7).
src <ip> Filter for source IP.
dst <ip> Filter for destination IP.
host <ip> Filter for IP (src + dst).
net <ip>/<range> Filter traffic on subnet.
[src/dst] port <port> Filter for port (optionally src/dst).
tcp/udp/icmp Filter for protocol.
Combine primitives with and / or / not, and group them with ( ), to build filter expressions.
Examples
Capture packets from a remote host
# -k: Start capturing immediately.
ssh <host> tcpdump -i any -w - | sudo wireshark -k -i -
The any interface is a special keyword to capture traffic on all interfaces.
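As an added example (not from the original page), a POSIX shell script that composes a pcap-filter(7) expression from the primitives above and builds the remote-capture pipeline above with the ssh port excluded, so the capture does not contain the ssh session that carries the pcap stream back. The host name gw, the interface names and the ssh port are placeholders.

```shell
#!/bin/sh
# Added example: compose pcap-filter(7) expressions and the remote-capture
# pipeline. Host names, interfaces and ports below are placeholders.

# any_of <primitive> <value>...  ->  "(primitive v1 or primitive v2 ...)"
# In pcap-filter(7) 'and' and 'or' have equal precedence and associate
# left to right, so "port 80 and host A or host B" means
# "(port 80 and host A) or host B"; parentheses make the grouping explicit.
any_of() {
    prim=$1; shift
    out=""
    for v in "$@"; do
        out="${out:+$out or }$prim $v"
    done
    printf '(%s)' "$out"
}

# all_of <expr>...  ->  "expr1 and expr2 ..."
all_of() {
    out=""
    for e in "$@"; do
        out="${out:+$out and }$e"
    done
    printf '%s' "$out"
}

# remote_capture_cmd <host> <iface> <ssh_port> [<filter>]
# Prints the pipeline from the example above with two additions:
#  - "not port <ssh_port>": without it, every packet streamed back over ssh
#    is itself captured, which produces more ssh traffic, and so on.
#  - -U: flush each packet to stdout as it is saved instead of waiting for
#    the output buffer to fill, so Wireshark shows packets as they arrive.
remote_capture_cmd() {
    host=$1; iface=$2; sshport=$3; filter=${4:-}
    expr="not port $sshport"
    [ -n "$filter" ] && expr="$expr and ($filter)"
    printf "ssh %s tcpdump -i %s -U -w - '%s' | sudo wireshark -k -i -\n" \
        "$host" "$iface" "$expr"
}

# Usage (only prints the command; nothing is executed):
remote_capture_cmd gw any 22 "$(all_of "$(any_of host 10.0.0.5 10.0.0.6)" 'port 80' tcp)"
```

The filter is single-quoted on the remote side so the parentheses reach tcpdump rather than the remote shell.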