linux tcpdump

I generally use tcpdump in two ways. The first is to save the capture to disk and look at it in Wireshark, for which I write:

```sh
tcpdump -s 0 -i any -p udp and src 10.170.7.40 -w `date +%s`.pcap
```

Here `-s 0` captures whole packets, `-i any` listens on every interface, `-p` keeps the interface out of promiscuous mode, `udp and src 10.170.7.40` is the BPF filter, and `-w` writes the raw packets to a file named with the current Unix time.

The second is to print packets to the screen in real time; for that I follow http://www.askbjoernhansen.com/2007/07/12/how_to_dump_packets_with_tcpdump.html, which says:

I always forget the parameters for this and have to look them up in the man page, so enough of that:

```sh
tcpdump -nnXSs 0 'port 80'
```

- "-nn" makes it not look up hostnames in DNS and service names (in /etc/services), for respectively faster and cleaner output.
- "-X" makes it print each packet in hex and ASCII; that's really the useful bit for tracking headers and such.
- "-S" prints absolute rather than relative TCP sequence numbers; if I remember right this is so you can compare tcpdump outputs from multiple users doing this at once.
- "-s 0": by default tcpdump will only capture the beginning of each packet; using 0 here will make it capture the full packets. We are debugging, right?

Instead of "port 80" you can make more complicated rules like "port 80 and host 10.50.33.10".
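The two usages above (save to disk for Wireshark, print to the screen) wrapped as small shell functions, as an added example that is not code from this post or from the linked article. The function names, the `DRY_RUN` switch, the `-G`/`-W` rotation settings, and the sample interface and filter values are assumptions made for illustration. With `DRY_RUN` set, each function prints the tcpdump command line it would run, so the flags can be checked without root or a live interface.

```shell
#!/bin/sh
# Added example, not code from the original post or the linked article.
# Function names, the DRY_RUN switch and the sample values are assumptions.

# Run tcpdump, or with DRY_RUN set just print the command line.
run_tcpdump() {
  if [ -n "$DRY_RUN" ]; then
    printf 'tcpdump %s\n' "$*"
  else
    tcpdump "$@"
  fi
}

# Usage 1: save to disk for Wireshark.
#   capture IFACE PREFIX ROTATE_SECS FILTER...
# -nn   no DNS or /etc/services lookups (and no resolver traffic of its own)
# -s 0  whole packets; already the default in tcpdump 4.0 and later, kept
#       so the intent is explicit
# -p    stay out of promiscuous mode (the "any" pseudo-interface never is)
# -G N  start a new file every N seconds, so a long capture does not grow
#       one unbounded pcap; -W 24 ends the capture after 24 files
# -w    with -G, strftime(3) escapes in the name timestamp every file,
#       unlike `date +%s`, which the shell expands only once at start-up
capture() {
  iface=$1 prefix=$2 rotate=$3
  shift 3
  run_tcpdump -nn -s 0 -p -i "$iface" -G "$rotate" -W 24 \
    -w "${prefix}-%Y%m%d-%H%M%S.pcap" "$@"
}

# Usage 2: print to the screen while debugging.
#   live IFACE FILTER...
# -X hex and ASCII dump, -S absolute TCP sequence numbers, -l line-buffered
# output so it can be piped into grep or tee without waiting for a full buffer
live() {
  iface=$1
  shift
  run_tcpdump -nnXSs 0 -l -i "$iface" "$@"
}

# Read a saved file back with the same filter syntax; no root needed.
#   replay FILE FILTER...
replay() {
  file=$1
  shift
  run_tcpdump -nn -r "$file" "$@"
}

# Caveat for the post's "-i any": on Linux that pseudo-interface captures in
# "cooked" mode (Linux SLL link type), so the pcap carries no Ethernet
# headers. Name a real interface when Wireshark needs layer-2 data.

# Sample invocations (constructed values; drop DRY_RUN to really capture):
DRY_RUN=1 capture eth0 dns-dbg 3600 udp and src 10.170.7.40
DRY_RUN=1 live eth0 port 80 and host 10.50.33.10
DRY_RUN=1 replay dns-dbg-20240101-000000.pcap 'port 53'
```

The filter is passed as ordinary arguments and forwarded with `"$@"`, so it never goes through `eval`; quote it only when it contains shell metacharacters such as parentheses.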
