If you're capturing traffic on an Ethernet interface, and some or all of that traffic is PPPoE (rather than, for example, capturing on a PPP device that happens to use PPPoE), to filter on the PPPoE content you have to do
pppoes and {filter}
so that, for example, if you want all UDP PPPoE traffic, you need to say
pppoes and udp
The pcap-filter man page in libpcap 1.0.0 and later (and the tcpdump man page for the pre-4.0 versions of tcpdump released at the same time as pre-1.0 versions of libpcap) says:
pppoes True if the packet is a PPP-over-Ethernet Session packet (Ether-
net type 0x8864). Note that the first pppoes keyword encoun-
tered in expression changes the decoding offsets for the remain-
der of expression on the assumption that the packet is a PPPoE
session packet.
For example:
pppoes && ip
filters IPv4 protocols encapsulated in PPPoE.
