The most often used flags for tcpdump and snoop are listed below. snoop is the SunOS (Solaris) tool, while tcpdump is available on almost all Unix/Linux variants. Filters will be discussed in another post. To read back and process the captured files, I use Wireshark, which provides lots of options to deep dive into the packet stream.
| Task | snoop | tcpdump | Notes |
|---|---|---|---|
| Select interface | `-d <iface>` | `-i <iface>` | Not needed if the system has only one interface (ignoring localhost). |
| Capture full packets | `-s 0` | `-s 0` | The snap length controls how many bytes of each packet are captured. Zero means capture the whole packet. |
| Write capture to a file | `-o <filename>` | `-w <filename>` | |
| Avoid DNS lookups for IPs in the capture | `-r` | `-n` | No DNS lookups are performed when displaying a real-time capture, which is good for efficiency. |
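The table's four flags are usually combined into a single capture command. The following POSIX shell helper, added here as an example and not part of the original post, assembles that command for either tool so the snoop/tcpdump flag differences are handled in one place. The interface names (`hme0`, `eth0`) and output paths are constructed placeholders; the actual capture still has to be run with root privileges.

```shell
#!/bin/sh
# Added example: build a full-packet, DNS-free capture command for snoop or
# tcpdump using the flags from the table above. Interface and file names
# passed by the caller are placeholders chosen for illustration.

capture_cmd() {
    tool="$1"; iface="$2"; outfile="$3"
    case "$tool" in
        # snoop: -d device, -s 0 full snaplen, -r no name resolution, -o output file
        snoop)   printf 'snoop -d %s -s 0 -r -o %s\n' "$iface" "$outfile" ;;
        # tcpdump: -i interface, -s 0 full snaplen, -n no name resolution, -w output file
        tcpdump) printf 'tcpdump -i %s -s 0 -n -w %s\n' "$iface" "$outfile" ;;
        *) printf 'unsupported tool: %s\n' "$tool" >&2; return 1 ;;
    esac
}

# Print the commands for both tools; to actually capture, run the printed
# command as root, e.g.:  eval "$(capture_cmd tcpdump eth0 /tmp/capture.pcap)"
capture_cmd snoop hme0 /tmp/capture.snoop
capture_cmd tcpdump eth0 /tmp/capture.pcap
```

Writing to a file with `-w`/`-o` rather than printing to the terminal keeps the capture lossless under load, and the resulting file is what Wireshark reads back for analysis.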