tcpdump主要分为两个部分，一是tcpdump本身，二是过滤器（pcap-filter）,本文主要讲过滤器用法：

https://www.tcpdump.org/manpages/pcap-filter.7.html

The filter expression consists of one or more primitives. Primitives usually consist of an id (a name, a number or something slightly more complex, such as a CIDR prefix) preceded by one or more qualifiers. There are three different kinds of qualifier:

proto

proto qualifiers restrict the match to a particular protocol. (This should not be confused with the proto type qualifier below.) Possible protocols are: ether, link, wlan, ip, ip6, arp, tcp, udp, sctp, iso, isis, rarp, decnet, fddi, tr, ppp and slip. E.g., `ether src foo’, `arp net 128.3′, `tcp port 21′, `ip proto ospf’, `ether proto 0x88CC’, `udp portrange 7000-7009′, `wlan addr2 0:2:3:4:5:6′. If there is no proto qualifier, all protocols consistent with the type are assumed. E.g., `src foo’ means `(ip6 or ip or arp or rarp) src foo’, `proto tcp’ means `(ip6 or ip) proto tcp’ `net bar’ means `(ip6 or ip or arp or rarp) net bar’ and `port 53′ means `(tcp or udp or sctp) port 53′ (note that these examples use invalid syntax to illustrate the principle).

dir

dir qualifiers specify a particular transfer direction to and/or from id. Possible directions are src, dst, src or dst, src and dst, ra, ta, addr1, addr2, addr3, and addr4. E.g., `src foo’, `dst net 128.3′, `src or dst port ftp-data’. If there is no dir qualifier, `src or dst‘ is assumed. The ra, ta, addr1, addr2, addr3, and addr4 qualifiers are only valid for IEEE 802.11 Wireless LAN link layers.

type

type qualifiers say what kind of thing the id name or number refers to. Possible types are host, net, proto, port, portrange, protochain and gateway. E.g., `host foo’, `net 128.3′, `port 20′, `portrange 6000-6008′, `proto 17′. If there is no type qualifier, host is assumed.

主要是说过滤器表达式由一个或多个基元组成。基元通常是由一个或多个修饰符前导的id(可以是名字、数字或是一些更复杂的内容，如：CIDR前缀)组成。