TShark is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file. TShark‘s native capture file format is libpcap format, which is also the format used by tcpdump and various other tools.
Let’s capture http traffic and save it to a file to examine it later.
tshark -f "tcp port 80" -i eth0 -w /path/to/file/capture.cap