For instance, I use the following tcpdump command to capture the traffic to and from www.google.com using http protocol:
sudo tcpdump -i wlan0 -w td.dat -nnvvXSs 1514 host www.google.com
Note:
sudo: It may require root privilege to capture packets.
-i wlan0: By default tcpdump captures packets on the eth0 interface. Since I am using wireless, I need to specify the wireless interface wlan0. When using VPN, the interface should be ppp0 instead usually.
-w td.dat: write all captured packets to the file td.dat.
-nn: no hostname and port resolving.
-vv: very verbose.
-X: print in both hex and ascii.
-S: absolute sequence.
-s 1514:
tcpdump takes the first 68 bytes of data from a packet by default. Here the first 1514 bytes are taken.host www.google.com: this is the expression which says capturing packets whose dst host or src host is www.google.com.
See this tcpdump tutorial for more info about tcpdump usage.
Now Wireshark can be used to analyse the captured packets by tcpdump. Here Wireshark's GUI is exploited.
Use Wireshark to open td.dat, and apply the preset http filter. The http traffic can be easily browsed.