# tcpdump -n -i $iface -s 0 -w /path/to/dump.pcap -c 25000 host a.b.c.d/mask
Once the dump is finished, ship the dump over to my desktop and analyze the full contents with Wireshark. The protocol dissectors, along with the ability to follow TCP streams, make life SO much easier.
If I already know exactly what I'm going to look for I'll add the "and [tcp|udp] and port $port" bit at the end. Gives a nice kickstart to any traffic analysis.
This becomes especially necessary when the packets matching a filter slowly trickle in - i.e. precisely the use case where the direct output to the terminal makes sense.
Edit: while troubleshooting IPv6, I frequently need to see only IPv6 Route Advertisements, which in the noise of ND traffic can be tricky with just ND, so I tend to use a below command:
tcpdump -ln -i en0 'icmp6 and ip6[40:1]=134'