查看HTTP GET请求

sudo tcpdump -s 0 -A 'tcp dst port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'

查看HTTP POST请求

sudo tcpdump -s 0 -A 'tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)'

查看HTTP请求响应头以及数据

sudo tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
sudo tcpdump -X -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

抓取mysql执行的sql语句

tcpdump -i eth1 -s 0 -l -w - dst  port 3306 | strings

抓取mysql通讯的网络包(cap用wireshark打开)

tcpdump -n -nn -tttt -i eth0 -s 65535 'port 3306' -w 20160505mysql.cap

各种远程抓包方法

tcpdump -v -i <INTERFACE> -s 0 -w /tmp/sniff.pcap port <PORT> # On the remote side
mkfifo /tmp/fifo; ssh-keygen; ssh-copyid root@remotehostaddress; sudo ssh root@remotehost "tshark -i eth1 -f 'not tcp port 22' -w -" > /tmp/fifo &; sudo wireshark -k -i /tmp/fifo;
ssh user@server.com sudo tcpdump -i eth0  -w - 'port 80'| /Applications/Wireshark.app/Contents/Resources/bin/wireshark -k -i -
ssh root@HOST tcpdump -iany -U -s0 -w - 'not port 22' | wireshark -k -i -

参考资料
analyze traffic remotely over ssh w/ wireshark