- Specify source and destination IP
tcpdump 'src host 1.1.1.1 and dst host 2.2.2.2'
wireshark: ip.src == 1.1.1.1 and ip.dst == 2.2.2.2
- Specify a single host (either direction)
tcpdump 'host 1.1.1.1'
wireshark: ip.src == 1.1.1.1 or ip.dst == 1.1.1.1 (ip.addr == 1.1.1.1 is the equivalent shorthand); note that in Wireshark "host" (ip.host) refers to a resolved hostname, not an address
- VXLAN (filter on a given VNI)
tcpdump -l -n -i <if> 'udp port 4789 and udp[8:2] & 0x0800 = 0x0800 and udp[11:4] & 0x00ffffff = <vni>'
Offsets are from the start of the UDP header: the VXLAN header begins at byte 8, so udp[8:2] covers the flags byte (I bit = 0x08) plus one reserved byte, and udp[11:4] covers the last reserved byte plus the 24-bit VNI, which is why the mask 0x00ffffff is applied before comparing with <vni>.
- By protocol
tcpdump tcp / udp / icmp
wireshark: tcp / udp / icmp
- After logging in over SSH, exclude the SSH traffic itself
tcpdump 'not port 22 and <the other filters>'
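The VXLAN entry above is the only filter whose construction is not obvious, so here is an added example (not part of the original note) that applies the same byte-offset logic to a constructed UDP datagram in memory. The builder, the `udp_bytes` helper and the sample VNI values are assumptions made for the example; the offsets and mask are the ones the tcpdump expression uses, with `udp[off:n]` counted from the start of the UDP header.

```python
"""Mirror of the tcpdump filter
    udp port 4789 and udp[8:2] & 0x0800 = 0x0800 and udp[11:4] & 0x00ffffff = <vni>
applied to a UDP datagram (header + payload) held as bytes, so the offsets can be
checked offline against a constructed packet instead of a live capture."""
import struct

VXLAN_PORT = 4789
FLAG_I = 0x0800        # udp[8:2] view: flags byte 0x08 followed by one reserved byte
VNI_MASK = 0x00FFFFFF  # udp[11:4] view: one reserved byte followed by the 24-bit VNI


def build_vxlan_datagram(vni, src_port=40000, payload=b"", reserved_byte=0):
    """Constructed sample: 8-byte UDP header + 8-byte VXLAN header + payload.
    reserved_byte sets udp[11] (normally zero) to show why the mask matters."""
    # VXLAN header: flags(1) reserved(3) vni(3) reserved(1)
    vxlan = bytes([0x08, 0x00, 0x00, reserved_byte]) + struct.pack("!I", (vni & VNI_MASK) << 8)
    length = 8 + len(vxlan) + len(payload)
    udp = struct.pack("!HHHH", src_port, VXLAN_PORT, length, 0)  # checksum left 0 for the sample
    return udp + vxlan + payload


def udp_bytes(datagram, offset, width):
    """Equivalent of BPF udp[offset:width]: big-endian integer at an offset from the UDP header."""
    return int.from_bytes(datagram[offset:offset + width], "big")


def matches_vxlan_filter(datagram, vni, masked=True):
    """Return True when the datagram would pass the tcpdump VXLAN filter for `vni`.
    masked=False reproduces the unmasked comparison udp[11:4] = <vni>, which only
    works while the reserved byte at udp[11] happens to be zero."""
    src, dst = struct.unpack("!HH", datagram[:4])
    if VXLAN_PORT not in (src, dst):          # 'udp port 4789' matches either direction
        return False
    if udp_bytes(datagram, 8, 2) & FLAG_I != FLAG_I:  # I bit must be set
        return False
    word = udp_bytes(datagram, 11, 4)
    if masked:
        return (word & VNI_MASK) == vni
    return word == vni


def vxlan_vni(datagram):
    """Extract the VNI directly: the three bytes at udp[12:3]."""
    return udp_bytes(datagram, 12, 3)


if __name__ == "__main__":
    sample = build_vxlan_datagram(1234, payload=b"inner ethernet frame (constructed)")
    print("vni:", vxlan_vni(sample), "matches 1234:", matches_vxlan_filter(sample, 1234))
```

Running the block prints the VNI recovered from the sample and whether the filter would accept it; changing `reserved_byte` shows that only the masked form keeps matching when udp[11] is nonzero.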