Hi Stephan,
Thanks for the explanation. I missed that external is used for -i. I am a novice but have already learned a bit about noise and the p parameter :-) I am curious whether -i external:nnnp will indeed catch the full flow - both client and server side, or just the client side part? I had the impression that to catch the full flow 0.0 has to be used?
As far as I understand, when using the p parameter, monitor traffic is automatically excluded, even if the server IP is used for the host parameter (let's say I do not know the client IP or would like to catch all SNAT<->server traffic).
Considering your example, to get just the server side traffic from the dump I still need to use tcpdump -r /dump.cap not host ? I assume that when reading a dump file, using -i is not necessary, or is it?
Piotr