TcpDump
From Vague Hope Wiki
tcpdump -i eth0 tcp port 80 -w foo.$(date +'%Y%m%d-%H%M%S').pcap
tcpdump -i eth0 "(host 10.0.1.1 or 10.0.1.2) and tcp port 8000" -w foo.$(date +'%Y%m%d-%H%M%S').pcap
http.time || tcp.analysis.retransmission || _ws.expert.severity >= 0x00600000