
Kyle Pericak

"It works in my environment"

Created: 2020-06-04. Updated: 2020-06-04.

Packet Tracing Reference

Category: systems administration. Tags: ubuntu, http, api, tshark, tcpdump.
Quick reference for capturing and filtering network traffic on Ubuntu using tcpdump and tshark. Covers port filters, host filters, combined expressions, and tshark HTTP capture.

Regular TCPDUMP

Since tcpdump is installed by default, it's the first thing to reach for.

# Only listen on one interface
tcpdump -i <interface/any>

# Filter to a host
tcpdump 'host <ip address/fqdn>'

# filter to a port
tcpdump 'tcp port 5000'

# combine filters
tcpdump '(tcp port 5000 or tcp port 35357) and host 192.168.0.100'

# print each packet's contents in ASCII (basically always want this)
tcpdump -A

Using tshark

Another option is wireshark's command line, tshark:

apt-get install tshark

Note that tshark is much slower to start than tcpdump; wait a good while until it prints something like "Capturing on 'eno1'" before expecting any output.

# show interfaces
tshark -D

# Capture everything from a given source and interface
tshark -i eno1 -Y "ip.src == 10.1.0.76"

# Capture HTTP to and from a given host (ip.addr matches either direction)
tshark -i eno1 -Y "ip.addr == 10.1.0.76 and http"
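The filters above are easy to get subtly wrong: tcpdump's `host X` and `tcp port N` match either direction, tshark's `ip.src == X` matches only the source, and `ip.addr == X` matches both. The following added Python example (not from the original post; it is a stand-in written for this page) reproduces those semantics in pure Python over a handful of constructed Ethernet/IPv4/TCP frames, so the behaviour of each filter on the page can be checked offline without root or a live interface. The frame contents, addresses and the `looks_like_http` heuristic are assumptions made for the example; real tshark `http` dissection is far more thorough.

```python
import socket
import struct

# --- constructed sample frames: Ethernet II + IPv4 (no options) + TCP (no options) ---
# These are hand-built for the example, not real captures.

def build_frame(src_ip, dst_ip, sport, dport, payload=b""):
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType 0x0800 (IPv4)
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    # ver/ihl, tos, total length, id, flags/frag, ttl, proto 6 (TCP), csum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip_hdr + tcp_hdr + payload

SAMPLE_FRAMES = [
    build_frame("192.168.0.100", "10.1.0.76", 49152, 5000, b"GET /api/v1 HTTP/1.1\r\n"),
    build_frame("10.1.0.76", "192.168.0.100", 5000, 49152, b"HTTP/1.1 200 OK\r\n\r\n\x00\x01"),
    build_frame("192.168.0.100", "10.1.0.76", 49153, 443, b"\x16\x03\x01"),
    build_frame("10.1.0.5", "10.1.0.76", 40000, 35357, b"POST /v3/auth/tokens HTTP/1.1\r\n"),
]

def parse_frame(frame):
    """Extract the fields the page's filters use; None if the frame is not IPv4."""
    if frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    pkt = {"ip.src": socket.inet_ntoa(ip[12:16]),
           "ip.dst": socket.inet_ntoa(ip[16:20]),
           "proto": ip[9]}
    if pkt["proto"] == 6:  # TCP
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        pkt.update({"tcp.srcport": sport, "tcp.dstport": dport, "payload": tcp[doff:]})
    return pkt

# --- filter primitives mirroring the page's tcpdump / tshark expressions ---

def host(addr):        # tcpdump 'host X': source OR destination
    return lambda p: addr in (p["ip.src"], p["ip.dst"])

def tcp_port(port):    # tcpdump 'tcp port N': TCP and source OR destination port
    return lambda p: p["proto"] == 6 and port in (p["tcp.srcport"], p["tcp.dstport"])

def ip_src(addr):      # tshark 'ip.src == X': source only
    return lambda p: p["ip.src"] == addr

def looks_like_http(p):  # crude stand-in for tshark's 'http' dissector (assumption)
    data = p.get("payload", b"")
    return data.startswith(b"HTTP/") or data.split(b" ", 1)[0] in (b"GET", b"POST", b"PUT", b"DELETE")

def all_of(*fs):
    return lambda p: all(f(p) for f in fs)

def any_of(*fs):
    return lambda p: any(f(p) for f in fs)

# tcpdump '(tcp port 5000 or tcp port 35357) and host 192.168.0.100'
PAGE_COMBINED = all_of(any_of(tcp_port(5000), tcp_port(35357)), host("192.168.0.100"))

def apply_filter(filt, frames=SAMPLE_FRAMES):
    """Return the parsed packets that pass the filter (like tcpdump/tshark printing only matches)."""
    return [p for p in map(parse_frame, frames) if p is not None and filt(p)]

def ascii_dump(payload):
    """Roughly what 'tcpdump -A' shows: printable bytes as-is, everything else as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in payload)

if __name__ == "__main__":
    for name, filt in [("combined", PAGE_COMBINED),
                       ("ip.src == 10.1.0.76", ip_src("10.1.0.76")),
                       ("ip.addr == 10.1.0.76 and http", all_of(host("10.1.0.76"), looks_like_http))]:
        for p in apply_filter(filt):
            print(f"[{name}] {p['ip.src']}:{p['tcp.srcport']} -> {p['ip.dst']}:{p['tcp.dstport']} "
                  f"{ascii_dump(p['payload'])}")
```

Running it shows the combined tcpdump filter catching both directions of the port 5000 exchange but dropping the port 35357 frame, because its `host` clause fails; `ip.src` picks only the one reply from 10.1.0.76, while `ip.addr` plus the HTTP check matches every HTTP-looking frame touching that address. Keep in mind that the tcpdump expressions on this page are BPF capture filters, whereas tshark's `-Y` takes Wireshark display-filter syntax (tshark's `-f` is the option that accepts BPF).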