When you're doing a packet capture for the purpose of examining the frame payload, you'll want to extend the snaplen (snapshot length) to 1515. That's long enough to accommodate the 1500 MTU and should give you a pretty good look at what you're after.
For example:
# tcpdump -s1515 -X -ieth0 -w sample.cap
Note: This also applies to 'ethereal' and 'wireshark', but by default they capture max(INT).
If you have a really large capture file and you need to grab the first 5 minutes, you can do something like the following:
[root@system]# tcpslice -R ./capture.cap
./capture.cap 1168365532.235679 1168370500.728519
[root@system]# expr 1168365532 "+" 300
1168365832
[root@system]# tcpslice -w 5m.cap 1168365532.235679 1168365832.235679 ./capture.cap
That leaves you with a smaller capture consisting of 300 seconds (5 minutes) worth of traffic.
Note: Newer versions of tcpslice than the one I used (v1.1a3) support relative notation like +30m.
If you want to use tcpdump to watch initiating connections (that is, only the SYN flag is set, indicating we're looking at the first third of the three-way handshake) on ports 80 and 443, you could do something like this:
# tcpdump '(tcp[13] & 0x3f = 2) and (dst port 80 or dst port 443)'
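What the filter above tests, as an added Python example (not from the original post): byte 13 of the TCP header carries the flags, and the 0x3f mask drops the two ECN bits (ECE, CWR), so a SYN that negotiates ECN still matches while a SYN-ACK does not. The headers and port numbers are constructed sample data, and build_tcp_header, matches_filter and flag_names are hypothetical helper names.

```python
import struct

# TCP flag bits in byte 13 of the TCP header (what tcpdump calls tcp[13]).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

def build_tcp_header(sport, dport, flags):
    """Constructed 20-byte TCP header (no options) for the demonstration."""
    offset_reserved = 5 << 4          # byte 12: data offset = 5 words
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                       offset_reserved, flags, 65535, 0, 0)

def matches_filter(tcp_header):
    """Mirror of: (tcp[13] & 0x3f = 2) and (dst port 80 or dst port 443)."""
    dport = struct.unpack("!H", tcp_header[2:4])[0]
    # Mask keeps URG..FIN and ignores ECE/CWR; result must be SYN alone.
    syn_only = (tcp_header[13] & 0x3f) == 2
    return syn_only and dport in (80, 443)

def flag_names(tcp_header):
    """Names of the flag bits set in byte 13, lowest bit first."""
    return [name for name, bit in FLAGS.items() if tcp_header[13] & bit]

# Constructed sample segments: (description, header)
SAMPLES = [
    ("client SYN to 443", build_tcp_header(40000, 443, 0x02)),
    ("client SYN with ECN (ECE+CWR) to 80", build_tcp_header(40001, 80, 0xC2)),
    ("server SYN-ACK from 443", build_tcp_header(443, 40000, 0x12)),
    ("established ACK to 80", build_tcp_header(40002, 80, 0x10)),
    ("client SYN to 22", build_tcp_header(40003, 22, 0x02)),
]

if __name__ == "__main__":
    for desc, hdr in SAMPLES:
        print(f"{desc:38s} flags={'|'.join(flag_names(hdr)):12s} "
              f"match={matches_filter(hdr)}")
```

Without the mask (tcp[13] = 2), the ECN-negotiating SYN in the second sample would be missed.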