Note that "-e" can be used to get MAC addresses printed.

Also give more details on shell metacharacters in filter expressions -
in particular, note that a common use of a shell metacharacter is a
backslash used to escape protocol names, e.g. "ether proto \ip", and
that the alternative to quoting the entire expression is to escapet he
shell metacharacters, e.g.

	tcpdump ether proto \\ip

diff --git a/tcpdump.1.in b/tcpdump.1.in
index 2fcc8445bc8a614b62ebff745383f814bae190b9..57447fb3a7dfef2dd0a2c6354380885e19284962 100644 (file)
--- a/tcpdump.1.in
+++ b/tcpdump.1.in
@@ -256,7 +256,9 @@ that lacks the
 function.
 .TP
 .B \-e
-Print the link-level header on each dump line.
+Print the link-level header on each dump line.  This can be used, for
+example, to print MAC layer addresses for protocols such as Ethernet and
+IEEE 802.11.
 .TP
 .B \-E
 Use \fIspi@ipaddr algo:secret\fP for decrypting IPsec ESP packets that
@@ -716,8 +718,10 @@ For the \fIexpression\fP syntax, see
 .LP
 Expression arguments can be passed to \fItcpdump\fP as either a single
 argument or as multiple arguments, whichever is more convenient.
-Generally, if the expression contains Shell metacharacters, it is
-easier to pass it as a single, quoted argument.
+Generally, if the expression contains Shell metacharacters, such as
+backslashes used to escape protocol names, it is easier to pass it as
+a single, quoted argument rather than to escape the Shell
+metacharacters.
 Multiple arguments are concatenated with spaces before being parsed.
 .SH EXAMPLES
 .LP