To print IP broadcast or multicast packets that were not
sent via ethernet broadcast or multicast: tcpdump ‘ether[0] & 1 = 0 and ip[16] >= 224’
To print all ICMP packets that are not echo
requests/replies (i.e., not ping packets): tcpdump ‘icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply’
For example, `ether[0] & 1 != 0′ catches all multicast traffic. The expression `ip[0] &0xf != 5′ catches all IP packets with options. The expression `ip[6:2] & 0x1fff =0′ catches only unfragmented datagrams and frag zero of fragmented datagrams.