An assortment of capture filters because my brain has other things to remember and “port not 22” never sticks.

This guy has a longer list: https://danielmiessler.com/study/tcpdump/

Note: The “not” goes after the command, e.g. port not 22.

# no lookups (DNS or port, OMFG I hate the port names) and specify the interface
tcpdump -nni eth0

# src or dst
tcpdump -nn host 1.1.1.1


tcpdump -nn src 1.1.1.1 and dst 1.0.0.1

# not port 22
tcpdump port not 22
# you can also use src/dst with ports
tcpdump -nn src port 22

# packet size
tcpdump -nn less 32
tcpdump -nn greater 64

-X : Show the packet’s contents in both hex and ASCII.
-XX : Same as -X, but also shows the ethernet header.
-D : Show the list of available interfaces
-l : Line-readable output (for viewing as you save, or sending to other commands)
-q : Be less verbose (more quiet) with your output.
-t : Give human-readable timestamp output.
-tttt : Give maximally human-readable timestamp output.
-i eth0 : Listen on the eth0 interface.
-vv : Verbose output (more v’s gives more output).
-c : Only get x number of packets and then stop.
-s : Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
-S : Print absolute sequence numbers.
-e : Get the ethernet header as well.
-q : Show less protocol information.