Packet Capture – TCPdump

TCPdump is an indispensable tool system administrators, network engineers, and cybersecurity professionals use for network troubleshooting and analysis. The tool captures packets traveling through the network and can be used for live traffic analysis or saved into a PCAP file for offline analysis. With its powerful filtering capabilities, TCPdump can capture a specific subset of traffic, helping you delve into the depth of network behavior.

Let’s dive into 20 essential TCPdump command examples that you can use for your network analysis tasks.

1. Capturing All Traffic:

$ sudo tcpdump -i eth0

This command captures all traffic on interface eth0 and displays packet details in real-time. It is an excellent starting point for monitoring general network activities.

2. Saving Captured Traffic to a File:

$ sudo tcpdump -i eth0 -w capture.pcap

This command captures all traffic on the interface eth0 and saves it to a file named “capture.pcap” for further analysis.

3. Displaying Captured Traffic from a File:

$ tcpdump -r capture.pcap

This command allows you to read and display packet details from a previously captured file, “capture.pcap”.

4. Filtering Traffic by Source IP:

$ tcpdump src

This command captures packets originating from a specific source IP address, such as

5. Filtering Traffic by Destination IP:

$ tcpdump dst

This command captures packets destined for a specific IP address, in this case,

6. Filtering Traffic by Port:

$ tcpdump port 80

This command captures packets on a specific port number, like port 80, which is typically used for HTTP traffic.

7. Filtering Traffic by Protocol:

$ tcpdump icmp

This command captures packets using a specific network protocol, such as ICMP, commonly used for ping commands.

8. Displaying Traffic in ASCII:

$ tcpdump -A

This command displays the packet contents in ASCII format, providing a more human-readable format.

9. Displaying Traffic in Hexadecimal:

$ tcpdump -X

This command shows packet contents in hexadecimal and ASCII format, which can be useful for deep packet inspection.

10. Capturing Specific Number of Packets:

$ tcpdump -c 100

This command captures only the first 100 packets and then exits, allowing you to limit the amount of data you collect.

11. Capturing and Displaying IPv6 Traffic:

$ tcpdump -6

This command captures and displays IPv6 packets, helping you analyze the newer Internet Protocol version.

12. Displaying Captured Traffic in Timestamp Format:

$ tcpdump -tttt

This command displays captured packets with a timestamp in a human-readable format.

13. Capturing Traffic on a Specific Interface:

$ tcpdump -i wlan0

This command captures network traffic on a specific interface, such as wlan0, which is typically a wireless interface.

14. Capturing Specific Protocol and Port:

$ tcpdump tcp port 443

This command captures only TCP packets on port 443 (HTTPS), useful for focusing on encrypted web traffic.

15. Filtering Traffic by Source and Destination IP:

$ tcpdump src and dst

This command captures packets between a specific source IP ( and destination IP (, allowing you to focus on traffic between two specific hosts.

16. Capturing HTTP Request and Response Headers:

$ tcpdump -i eth0 -s 0 -A -n 'tcp dst port 80'

This command captures and displays HTTP traffic on port 80, including both request and response headers, making it useful for web application troubleshooting.

17. Filtering Traffic by IP Range and Protocol:

$ tcpdump -i eth0 'net and (tcp port 22 or icmp)'

This command captures packets within the IP range, filtering for SSH (port 22) and ICMP traffic.

18. Capturing DNS Traffic and Resolve Hostnames:

$ tcpdump -i eth0 'udp port 53' -nnvvv

This command captures DNS packets on port 53 and displays verbose output without hostname resolution, useful for DNS troubleshooting.

19. Capturing FTP Control Channel Traffic:

$ tcpdump -i eth0 -s 0 'tcp port 21'

This command captures FTP control channel traffic on port 21, including commands and responses exchanged between the FTP client and server, assisting you in diagnosing FTP connection problems.

20. Monitoring SSH Connections:

$ tcpdump -i eth0 'tcp port 22' -l -e

This command monitors SSH connections by capturing packets on port 22, displaying them in real-time, and including Ethernet headers, aiding you in diagnosing SSH connection issues.

21. Display All Available Interfaces with -D:

$ tcpdump -D

This command lists all available network interfaces that TCPdump can listen to. This can be particularly helpful if you’re not sure what interfaces are available on your machine.

22. Limit the Amount of Packets Captured with -c:

$ tcpdump -c 5 -i eth0

This command captures only the first 5 packets on interface eth0 and then exits. It is useful when you need a quick snapshot of the traffic for instant analysis.

23. Print the Capture to Screen in ASCII & HEX Format with -XX:

$ tcpdump -XX -i eth0

This command prints both the header and the data of each packet in hexadecimal and ASCII to the terminal. This is a more detailed view than -X, which only includes the data of the packet.

24. Capture only TCP Packets:

$ tcpdump -i eth0 tcp

This command captures only TCP packets. This can be useful when analyzing traffic for protocols that use TCP, such as HTTP, HTTPS, FTP, SSH, and SMTP.

25. Traffic from a Specific Host to Another Specific Host:

$ tcpdump -i eth0 -s 1500 -w dump host and host

This command captures all traffic from the host to the host The “-s 1500” sets the size of the packet to capture, and “-w dump” saves the captured data to a file named “dump”.

26. Traffic FROM a Specific IP AND to Specific Ports (RDP/SSH):

$ tcpdump 'src and (dst port 3389 or 22)'

This command captures all traffic originating from and destined to either port 3389 (RDP) or port 22 (SSH).

27. Find all Traffic from a Specific IP to Any Host on a Specific Port:

$ tcpdump -nnvvS src and dst port 3389

This command captures all traffic originating from IP and destined to any host on port 3389.

28. Find All Traffic from One Network to Another:

$ tcpdump -nvX src net and dst net or

This command captures all traffic originating from the network and destined to the networks or It is a great way to monitor traffic flows between different subnets in your network.

TCPdump MAN Page

tcpdump – dump traffic on a network
tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ]
[ -c count ] [ –count ] [ -C file_size ]
[ -E spi@ipaddr algo:secret,… ]
[ -F file ] [ -G rotate_seconds ] [ -i interface ]
[ –immediate-mode ] [ -j tstamp_type ] [ -m module ]
[ -M secret ] [ –number ] [ –print ]
[ –print-sampling nth ] [ -Q in|out|inout ] [ -r file ]
[ -s snaplen ] [ -T type ] [ –version ] [ -V file ]
[ -w file ] [ -W filecount ] [ -y datalinktype ]
[ -z postrotate-command ] [ -Z user ]
[ –time-stamp-precision=tstamp_precision ]
[ –micro ] [ –nano ]
[ expression ]
Tcpdump prints out a description of the contents of packets on a network interface that match the Boolean expression (see pcap-filter(7) for the expression syntax); the description is preceded by a time stamp, printed, by default, as hours, minutes, seconds, and fractions of a second since midnight. It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than to read packets from a network interface. It can also be run with the -V flag, which causes it to read a list of saved packet files. In all cases, only packets that match expression will be processed by tcpdump.

Tcpdump will, if not run with the -c flag, continue capturing packets until it is interrupted by a SIGINT signal (generated, for example, by typing your interrupt character, typically control-C) or a SIGTERM signal (typically generated with the kill(1) command); if run with the -c flag, it will capture packets until it is interrupted by a SIGINT or SIGTERM signal or the specified number of packets have been processed.

When tcpdump finishes capturing packets, it will report counts of:

packets “captured” (this is the number of packets that tcpdump has received and processed);
packets “received by filter” (the meaning of this depends on the OS on which you’re running tcpdump, and possibly on the way the OS was configured – if a filter was specified on the command line, on some OSes it counts packets regardless of whether they were matched by the filter expression and, even if they were matched by the filter expression, regardless of whether tcpdump has read and processed them yet, on other OSes it counts only packets that were matched by the filter expression regardless of whether tcpdump has read and processed them yet, and on other OSes it counts only packets that were matched by the filter expression and were processed by tcpdump);
packets “dropped by kernel” (this is the number of packets that were dropped, due to a lack of buffer space, by the packet capture mechanism in the OS on which tcpdump is running, if the OS reports that information to applications; if not, it will be reported as 0).
On platforms that support the SIGINFO signal, such as most BSDs (including macOS) and Digital/Tru64 UNIX, it will report those counts when it receives a SIGINFO signal (generated, for example, by typing your “status” character, typically control-T, although on some platforms, such as macOS, the “status” character is not set by default, so you must set it with stty(1) in order to use it) and will continue capturing packets. On platforms that do not support the SIGINFO signal, the same can be achieved by using the SIGUSR1 signal.

Using the SIGUSR2 signal along with the -w flag will forcibly flush the packet buffer into the output file.

Reading packets from a network interface may require that you have special privileges; see the pcap(3PCAP) man page for details. Reading a saved packet file doesn’t require special privileges.

Print each packet (minus its link level header) in ASCII. Handy for capturing web pages.
Print the AS number in BGP packets in ASDOT notation rather than ASPLAIN notation.
-B buffer_size
Set the operating system capture buffer size to buffer_size, in units of KiB (1024 bytes).
-c count
Exit after receiving count packets.
Print only on stdout the packet count when reading capture file(s) instead of parsing/printing the packets. If a filter is specified on the command line, tcpdump counts only packets that were matched by the filter expression.
-C file_size
Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward. The default unit of file_size is millions of bytes (1,000,000 bytes, not 1,048,576 bytes).
By adding a suffix of k/K, m/M or g/G to the value, the unit can be changed to 1,024 (KiB), 1,048,576 (MiB), or 1,073,741,824 (GiB) respectively.
Dump the compiled packet-matching code in a human readable form to standard output and stop.
Please mind that although code compilation is always DLT-specific, typically it is impossible (and unnecessary) to specify which DLT to use for the dump because tcpdump uses either the DLT of the input pcap file specified with -r, or the default DLT of the network interface specified with -i, or the particular DLT of the network interface specified with -y and -i respectively. In these cases the dump shows the same exact code that would filter the input file or the network interface without -d.
However, when neither -r nor -i is specified, specifying -d prevents tcpdump from guessing a suitable network interface (see -i). In this case the DLT defaults to EN10MB and can be set to another valid value manually with -y.
Dump packet-matching code as a C program fragment.
Dump packet-matching code as decimal numbers (preceded with a count).
Print the list of the network interfaces available on the system and on which tcpdump can capture packets. For each network interface, a number and an interface name, possibly followed by a text description of the interface, are printed. The interface name or the number can be supplied to the -i flag to specify an interface on which to capture.
This can be useful on systems that don’t have a command to list them (e.g., Windows systems, or UNIX systems lacking ifconfig -a); the number can be useful on Windows 2000 and later systems, where the interface name is a somewhat complex string.
The -D flag will not be supported if tcpdump was built with an older version of libpcap that lacks the pcap_findalldevs(3PCAP) function.
Print the link-level header on each dump line. This can be used, for example, to print MAC layer addresses for protocols such as Ethernet and IEEE 802.11.
Use spi@ipaddr algo:secret for decrypting IPsec ESP packets that are addressed to addr and contain Security Parameter Index value spi. This combination may be repeated with comma or newline separation.
Note that setting the secret for IPv4 ESP packets is supported at this time.
Algorithms may be des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc, or none. The default is des-cbc. The ability to decrypt packets is only present if tcpdump was compiled with cryptography enabled.
secret is the ASCII text for ESP secret key. If preceded by 0x, then a hex value will be read.
The option assumes RFC 2406 ESP, not RFC 1827 ESP. The option is only for debugging purposes, and the use of this option with a true `secret’ key is discouraged. By presenting IPsec secret key onto command line you make it visible to others, via ps(1) and other occasions.
In addition to the above syntax, the syntax file name may be used to have tcpdump read the provided file in. The file is opened upon receiving the first ESP packet, so any special permissions that tcpdump may have been given should already have been given up.
Print `foreign’ IPv4 addresses numerically rather than symbolically (this option is intended to get around serious brain damage in Sun’s NIS server — usually it hangs forever translating non-local internet numbers).
The test for `foreign’ IPv4 addresses is done using the IPv4 address and netmask of the interface on that capture is being done. If that address or netmask are not available, either because the interface on that capture is being done has no address or netmask or because it is the “any” pseudo-interface, which is available in Linux and in recent versions of macOS and Solaris, and which can capture on more than one interface, this option will not work correctly.
-F file
Use file as input for the filter expression. An additional expression given on the command line is ignored.
-G rotate_seconds
If specified, rotates the dump file specified with the -w option every rotate_seconds seconds. Savefiles will have the name specified by -w which should include a time format as defined by strftime(3). If no time format is specified, each new file will overwrite the previous. Whenever a generated filename is not unique, tcpdump will overwrite the pre-existing data; providing a time specification that is coarser than the capture period is therefore not advised.
If used in conjunction with the -C option, filenames will take the form of `file’.
Print the tcpdump and libpcap version strings, print a usage message, and exit.
Print the tcpdump and libpcap version strings and exit.
Attempt to detect 802.11s draft mesh headers.
-i interface
Listen, report the list of link-layer types, report the list of time stamp types, or report the results of compiling a filter expression on interface. If unspecified and if the -d flag is not given, tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback), which may turn out to be, for example, “eth0”.
On Linux systems with 2.2 or later kernels and on recent versions of macOS and Solaris, an interface argument of “any” can be used to capture packets from all interfaces. Note that captures on the “any” pseudo-interface will not be done in promiscuous mode.
If the -D flag is supported, an interface number as printed by that flag can be used as the interface argument, if no interface on the system has that number as a name.
Put the interface in “monitor mode”; this is supported only on IEEE 802.11 Wi-Fi interfaces, and supported only on some operating systems.
Note that in monitor mode the adapter might disassociate from the network with which it’s associated, so that you will not be able to use any wireless networks with that adapter. This could prevent accessing files on a network server, or resolving host names or network addresses, if you are capturing in monitor mode and are not connected to another network with another adapter.
This flag will affect the output of the -L flag. If -I isn’t specified, only those link-layer types available when not in monitor mode will be shown; if -I is specified, only those link-layer types available when in monitor mode will be shown.
Capture in “immediate mode”. In this mode, packets are delivered to tcpdump as soon as they arrive, rather than being buffered for efficiency. This is the default when printing packets rather than saving packets to a “savefile” if the packets are being printed to a terminal rather than to a file or pipe.
-j tstamp_type
Set the time stamp type for the capture to tstamp_type. The names to use for the time stamp types are given in pcap-tstamp(7); not all the types listed there will necessarily be valid for any given interface.
List the supported time stamp types for the interface and exit. If the time stamp type cannot be set for the interface, no time stamp types are listed.
When capturing, set the time stamp precision for the capture to tstamp_precision. Note that availability of high precision time stamps (nanoseconds) and their actual accuracy is platform and hardware dependent. Also note that when writing captures made with nanosecond accuracy to a savefile, the time stamps are written with nanosecond resolution, and the file is written with a different magic number, to indicate that the time stamps are in seconds and nanoseconds; not all programs that read pcap savefiles will be able to read those captures.
When reading a savefile, convert time stamps to the precision specified by timestamp_precision, and display them with that resolution. If the precision specified is less than the precision of time stamps in the file, the conversion will lose precision.
The supported values for timestamp_precision are micro for microsecond resolution and nano for nanosecond resolution. The default is microsecond resolution.
Shorthands for –time-stamp-precision=micro or –time-stamp-precision=nano, adjusting the time stamp precision accordingly. When reading packets from a savefile, using –micro truncates time stamps if the savefile was created with nanosecond precision. In contrast, a savefile created with microsecond precision will have trailing zeroes added to the time stamp when –nano is used.
Don’t attempt to verify IP, TCP, or UDP checksums. This is useful for interfaces that perform some or all of those checksum calculation in hardware; otherwise, all outgoing TCP checksums will be flagged as bad.
Make stdout line buffered. Useful if you want to see the data while capturing it. E.g.,
tcpdump -l | tee dat
tcpdump -l > dat & tail -f dat
Note that on Windows,“line buffered” means “unbuffered”, so that WinDump will write each character individually if -l is specified.
-U is similar to -l in its behavior, but it will cause output to be “packet-buffered”, so that the output is written to stdout at the end of each packet rather than at the end of each line; this is buffered on all platforms, including Windows.
List the known data link types for the interface, in the specified mode, and exit. The list of known data link types may be dependent on the specified mode; for example, on some platforms, a Wi-Fi interface might support one set of data link types when not in monitor mode (for example, it might support only fake Ethernet headers, or might support 802.11 headers but not support 802.11 headers with radio information) and another set of data link types when in monitor mode (for example, it might support 802.11 headers, or 802.11 headers with radio information, only in monitor mode).
-m module
Load SMI MIB module definitions from file module. This option can be used several times to load several MIB modules into tcpdump.
-M secret
Use secret as a shared secret for validating the digests found in TCP segments with the TCP-MD5 option (RFC 2385), if present.
Don’t convert addresses (i.e., host addresses, port numbers, etc.) to names.
Don’t print domain name qualification of host names. E.g., if you give this flag then tcpdump will print “nic” instead of “”.
Print an optional packet number at the beginning of the line.
Do not run the packet-matching code optimizer. This is useful only if you suspect a bug in the optimizer.
Don’t put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason; hence, `-p’ cannot be used as an abbreviation for `ether host {local-hw-addr} or ether broadcast’.
Print parsed packet output, even if the raw packets are being saved to a file with the -w flag.
Print every nth packet. This option enables the –print flag.
Unprinted packets are not parsed, which decreases processing time. Setting nth to 100 for example, will (counting from 1) parse and print the 100th packet, 200th packet, 300th packet, and so on.
This option also enables the -S flag, as relative TCP sequence numbers are not tracked for unprinted packets.
-Q direction
Choose send/receive direction direction for which packets should be captured. Possible values are `in’, `out’ and `inout’. Not available on all platforms.
Quick (quiet?) output. Print less protocol information so output lines are shorter.
-r file
Read packets from file (which was created with the -w option or by other tools that write pcap or pcapng files). Standard input is used if file is “-”.
Print absolute, rather than relative, TCP sequence numbers.
-s snaplen
Snarf snaplen bytes of data from each packet rather than the default of 262144 bytes. Packets truncated because of a limited snapshot are indicated in the output with “[|proto]”, where proto is the name of the protocol level at which the truncation has occurred.
Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost. Note also that taking smaller snapshots will discard data from protocols above the transport layer, which loses information that may be important. NFS and AFS requests and replies, for example, are very large, and much of the detail won’t be available if a too-short snapshot length is selected.
If you need to reduce the snapshot size below the default, you should limit snaplen to the smallest number that will capture the protocol information you’re interested in. Setting snaplen to 0 sets it to the default of 262144, for backwards compatibility with recent older versions of tcpdump.
-T type
Force packets selected by “expression” to be interpreted the specified type. Currently known types are aodv (Ad-hoc On-demand Distance Vector protocol), carp (Common Address Redundancy Protocol), cnfp (Cisco NetFlow protocol), domain (Domain Name System), lmp (Link Management Protocol), pgm (Pragmatic General Multicast), pgm_zmtp1 (ZMTP/1.0 inside PGM/EPGM), ptp (Precision Time Protocol), quic (QUIC), radius (RADIUS), resp (REdis Serialization Protocol), rpc (Remote Procedure Call), rtcp (Real-Time Applications control protocol), rtp (Real-Time Applications protocol), snmp (Simple Network Management Protocol), someip (SOME/IP), tftp (Trivial File Transfer Protocol), vat (Visual Audio Tool), vxlan (Virtual eXtensible Local Area Network), wb (distributed White Board) and zmtp1 (ZeroMQ Message Transport Protocol 1.0).
Note that the pgm type above affects UDP interpretation only, the native PGM is always recognised as IP protocol 113 regardless. UDP-encapsulated PGM is often called “EPGM” or “PGM/UDP”.
Note that the pgm_zmtp1 type above affects interpretation of both native PGM and UDP at once. During the native PGM decoding the application data of an ODATA/RDATA packet would be decoded as a ZeroMQ datagram with ZMTP/1.0 frames. During the UDP decoding in addition to that any UDP packet would be treated as an encapsulated PGM packet.
Don’t print a timestamp on each dump line.
Print the timestamp, as seconds since January 1, 1970, 00:00:00, UTC, and fractions of a second since that time, on each dump line.
Print a delta (microsecond or nanosecond resolution depending on the –time-stamp-precision option) between current and previous line on each dump line. The default is microsecond resolution.
Print a timestamp, as hours, minutes, seconds, and fractions of a second since midnight, preceded by the date, on each dump line.
Print a delta (microsecond or nanosecond resolution depending on the –time-stamp-precision option) between current and first line on each dump line. The default is microsecond resolution.
Print undecoded NFS handles.
If the -w option is not specified, or if it is specified but the –print flag is also specified, make the printed packet output “packet-buffered”; i.e., as the description of the contents of each packet is printed, it will be written to the standard output, rather than, when not writing to a terminal, being written only when the output buffer fills.
If the -w option is specified, make the saved raw packet output “packet-buffered”; i.e., as each packet is saved, it will be written to the output file, rather than being written only when the output buffer fills.
The -U flag will not be supported if tcpdump was built with an older version of libpcap that lacks the pcap_dump_flush(3PCAP) function.
When parsing and printing, produce (slightly more) verbose output. For example, the time to live, identification, total length and options in an IP packet are printed. Also enables additional packet integrity checks such as verifying the IP and ICMP header checksum.
When writing to a file with the -w option and at the same time not reading from a file with the -r option, report to stderr, once per second, the number of packets captured. In Solaris, FreeBSD and possibly other operating systems this periodic update currently can cause loss of captured packets on their way from the kernel to tcpdump.
Even more verbose output. For example, additional fields are printed from NFS reply packets, and SMB packets are fully decoded.
Even more verbose output. For example, telnet SB … SE options are printed in full. With -X Telnet options are printed in hex as well.
-V file
Read a list of filenames from file. Standard input is used if file is “-”.
-w file
Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is “-”.
This output will be buffered if written to a file or pipe, so a program reading from the file or pipe may not see packets for an arbitrary amount of time after they are received. Use the -U flag to cause packets to be written as soon as they are received.
The MIME type application/vnd.tcpdump.pcap has been registered with IANA for pcap files. The filename extension .pcap appears to be the most commonly used along with .cap and .dmp. Tcpdump itself doesn’t check the extension when reading capture files and doesn’t add an extension when writing them (it uses magic numbers in the file header instead). However, many operating systems and applications will use the extension if it is present and adding one (e.g. .pcap) is recommended.
See pcap-savefile(5) for a description of the file format.
-W filecount
Used in conjunction with the -C option, this will limit the number of files created to the specified number, and begin overwriting files from the beginning, thus creating a ‘rotating’ buffer. In addition, it will name the files with enough leading 0s to support the maximum number of files, allowing them to sort correctly.
Used in conjunction with the -G option, this will limit the number of rotated dump files that get created, exiting with status 0 when reaching the limit.
If used in conjunction with both -C and -G, the -W option will currently be ignored, and will only affect the file name.
When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex. The smaller of the entire packet or snaplen bytes will be printed. Note that this is the entire link-layer packet, so for link layers that pad (e.g. Ethernet), the padding bytes will also be printed when the higher layer packet is shorter than the required padding. In the current implementation this flag may have the same effect as -xx if the packet is truncated.
When parsing and printing, in addition to printing the headers of each packet, print the data of each packet, including its link level header, in hex.
When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII. This is very handy for analysing new protocols. In the current implementation this flag may have the same effect as -XX if the packet is truncated.
When parsing and printing, in addition to printing the headers of each packet, print the data of each packet, including its link level header, in hex and ASCII.
-y datalinktype
Set the data link type to use while capturing packets (see -L) or just compiling and dumping packet-matching code (see -d) to datalinktype.
-z postrotate-command
Used in conjunction with the -C or -G options, this will make tcpdump run ” postrotate-command file ” where file is the savefile being closed after each rotation. For example, specifying -z gzip or -z bzip2 will compress each savefile using gzip or bzip2.
Note that tcpdump will run the command in parallel to the capture, using the lowest priority so that this doesn’t disturb the capture process.
And in case you would like to use a command that itself takes flags or different arguments, you can always write a shell script that will take the savefile name as the only argument, make the flags & arguments arrangements and execute the command that you want.
-Z user
If tcpdump is running as root, after opening the capture device or input savefile, but before opening any savefiles for output, change the user ID to user and the group ID to the primary group of user.
This behavior can also be enabled by default at compile time.
selects which packets will be dumped. If no expression is given, all packets on the net will be dumped. Otherwise, only packets for which expression is `true’ will be dumped.
For the expression syntax, see pcap-filter(7).

The expression argument can be passed to tcpdump as either a single Shell argument, or as multiple Shell arguments, whichever is more convenient. Generally, if the expression contains Shell metacharacters, such as backslashes used to escape protocol names, it is easier to pass it as a single, quoted argument rather than to escape the Shell metacharacters. Multiple arguments are concatenated with spaces before being parsed.