diff --git a/PPPOE_misc_tricks.md b/PPPOE_misc_tricks.md index 65b8e46..855af5e 100644 --- a/PPPOE_misc_tricks.md +++ b/PPPOE_misc_tricks.md @@ -48,6 +48,17 @@ Which means: * -vvv - verbose output * -c 100 - capture 100 packets and exit +## pcap filters +You can use various pcap filters in trafw, iptop and tcpdump. +For example if you want to see only traffic from subnet 8.8.8.0/24 and source port 53 you can use: +``` +# to show total traffic for this filter +trafw ppp0 "src net 8.8.8.0/24 and src port 53" ppp0 "src net 8.8.8.0/24 and src port 53" 1 +# to show top consumers of such traffic +iptop eth0 "src net 8.8.8.0/24 and src port 53" 10000 dst +# to capture such traffic and see each packet, only 100 packets +tcpdump -ni ppp185 -vvv -c 100 "src net 8.8.8.0/24 and src port 53" - +More info, in articles: +https://iphelix.medium.com/packet-filtering-techniques-84fc3fc2ea3b
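Review bot: The code fence opened just before "# to show total traffic for this filter" is never closed in the added lines, so "More info, in articles:" and the link will render as part of the code block; add a closing fence line right after the tcpdump command. The three examples also use three different interfaces (ppp0, eth0, ppp185) for what the text presents as one filter, so either use a single interface throughout or say why they differ. The positional arguments are undocumented: the trafw line passes the interface and filter twice followed by "1", and the iptop line ends in "10000 dst". The section above explains the tcpdump flags in a "Which means:" list, and the same treatment here would make the examples usable without reading the scripts. A blank line after the "## pcap filters" heading would match common Markdown style.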