Hi,

here are some command line examples for often requested packet filter strings

Filter for a MAC address

tcpdump ether host 12:34:56:78:90:ab

Layer 2 broadcasts

tcpdump ether dst ff:ff:ff:ff:ff:ff

Filter icmp packets. For example on interface eth0

tcpdump -i eth0 icmp

All packets to or from a TCP port

tcpdump -i eth0 port 22

All packets to or from an IP Address

tcpdump -i eth0 host 10.10.254.10

And combined

tcpdump -i eth0 host 10.10.254.10 and port 22

Filter for the TCP Flags SYN or FIN

tcpdump tcp[tcpflags] & (tcp-syn|tcp-fin) != 0

Filter for Packets where SYN and ACK is set

tcpdump tcp[tcpflags] & tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)

CDP/LLDP Pakets

ether dst 01:00:0c:cc:cc:cc and (ether[24:2] = 0x2000 or ether[20:2] = 0x2000)

All hosts in a subnet

net 10.10.254.0/24

Michael

Futher details could be found in the pcap man page.