How to capture ACK or SYN packets with tcpdump.

Only pure TCP SYN packets (SYN flag set and nothing else, so SYN-ACK is excluded) from some nets

-> tcpdump -i eth0 -nn  '( src net 117  or src net 178 ) and ( dst port 5252 or dst port 80 or dst port 443 or dst port 3080 ) and ( tcp[tcpflags] == tcp-syn )' -w capture.cap -v -U -S

-nn - do not resolve host names or port names; print numbers only
-w - write the raw packets to a file instead of printing them
-U - packet-buffered output: flush each packet to the file as soon as it is captured
-S - print absolute, rather than relative, TCP sequence numbers.

Pure TCP SYN or pure TCP ACK packets from some nets (each == test compares the whole flags byte, so a SYN-ACK or PSH-ACK matches neither)

-> tcpdump -i eth0 -nn  '( src net 117  or src net 178 ) and ( dst port 5252 or dst port 80 or dst port 443 or dst port 3080 ) and ( tcp[tcpflags] == tcp-syn or tcp[tcpflags] == tcp-ack  )' -w capture.cap -v -U -S
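The two filters above differ only in how the TCP flags byte is compared. The following Python model is an added example (not from this page or from the serverfault answer it references): it builds a few constructed IPv4/TCP packets, reads the flags byte at TCP offset 13 exactly as tcpdump's tcp[tcpflags] does, and applies the page's two filters plus a third, bit-mask form (tcp[tcpflags] & tcp-syn != 0) that goes beyond the page and also matches SYN-ACK. The names WATCH_NETS, WATCH_PORTS, build_packet, parse and the filter_* helpers are my own.

```python
"""Model of the page's tcpdump filters applied to constructed packets.

tcpdump's tcp[tcpflags] is the byte at offset 13 of the TCP header, and
`==` compares the whole byte, so `tcp[tcpflags] == tcp-syn` matches a pure
SYN (first packet of a handshake) but not a SYN-ACK.
"""
import struct

# Flag bits as tcpdump names them (tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

WATCH_NETS = {117, 178}               # "src net 117 or src net 178": a bare number is a /8
WATCH_PORTS = {5252, 80, 443, 3080}   # "dst port 5252 or dst port 80 or ..."


def build_packet(src_ip, dst_ip, sport, dport, flags):
    """Constructed sample data: minimal IPv4 header + TCP header, no options,
    no payload, checksums left at zero (this is not a live capture)."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 40, 0, 0, 64, 6, 0,                      # IHL=5, len=40, TTL=64, proto=TCP
        bytes(int(o) for o in src_ip.split(".")),
        bytes(int(o) for o in dst_ip.split(".")),
    )
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def parse(pkt):
    """Return (ip_proto, src_first_octet, dst_port, tcp_flags) from raw bytes."""
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = pkt[9]
    src_first_octet = pkt[12]
    tcp = pkt[ihl:]
    dport = struct.unpack("!H", tcp[2:4])[0]
    flags = tcp[13]                    # this byte is what tcp[tcpflags] reads
    return proto, src_first_octet, dport, flags


def _base_match(proto, src_first_octet, dport):
    """The src-net and dst-port clauses shared by both filters on the page."""
    return proto == 6 and src_first_octet in WATCH_NETS and dport in WATCH_PORTS


def filter_syn_only(pkt):
    """tcp[tcpflags] == tcp-syn : pure SYN only."""
    proto, o, dport, flags = parse(pkt)
    return _base_match(proto, o, dport) and flags == TCP_SYN


def filter_syn_or_ack(pkt):
    """tcp[tcpflags] == tcp-syn or tcp[tcpflags] == tcp-ack : pure SYN or pure ACK."""
    proto, o, dport, flags = parse(pkt)
    return _base_match(proto, o, dport) and (flags == TCP_SYN or flags == TCP_ACK)


def filter_syn_bit(pkt):
    """tcp[tcpflags] & tcp-syn != 0 : any packet with SYN set, including SYN-ACK."""
    proto, o, dport, flags = parse(pkt)
    return _base_match(proto, o, dport) and (flags & TCP_SYN) != 0


# Constructed sample packets covering the cases the filters distinguish.
SAMPLE = {
    "syn":        build_packet("117.1.2.3", "10.0.0.5", 40000, 443, TCP_SYN),
    "synack":     build_packet("178.9.8.7", "10.0.0.5", 40001, 80, TCP_SYN | TCP_ACK),
    "ack":        build_packet("117.1.2.3", "10.0.0.5", 40000, 443, TCP_ACK),
    "pshack":     build_packet("117.1.2.3", "10.0.0.5", 40000, 443, TCP_PSH | TCP_ACK),
    "syn_othnet": build_packet("10.1.2.3", "10.0.0.5", 40002, 443, TCP_SYN),   # src net not watched
    "syn_othprt": build_packet("117.1.2.3", "10.0.0.5", 40003, 22, TCP_SYN),   # dst port not watched
}


def classify(name):
    """Which of the three filters would keep the named sample packet."""
    pkt = SAMPLE[name]
    return {
        "== tcp-syn": filter_syn_only(pkt),
        "== tcp-syn or == tcp-ack": filter_syn_or_ack(pkt),
        "& tcp-syn != 0": filter_syn_bit(pkt),
    }


if __name__ == "__main__":
    for name in SAMPLE:
        print(f"{name:11s} {classify(name)}")
```

The practical point for anyone reusing the page's commands: if the goal is to see both halves of a handshake from the watched nets, the exact-equality form drops the SYN-ACK, and the mask form (or `tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn` for SYN without ACK) is the one to use.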

reference: serverfault.com/questions/217605/how-to-capture-ack-or-syn-packets-by-tcpdump
