When you're doing a packet capture for the purpose of examining the frame payload, you'll want to extend the snaplen (snapshot length) to 1515. That's long enough to accommodate the 1500 MTU and should give you a pretty good look at what you're after.
For example:
# tcpdump -s1515 -X -ieth0 -w sample.cap
Note: This also applies to 'ethereal' and 'wireshark', but they capture max(INT) bytes by default.
If you have a really large capture file and you need to grab the first 5 minutes, you can do something like the following:
[root@system]# tcpslice -R ./capture.cap
./capture.cap 1168365532.235679 1168370500.728519
[root@system]# expr 1168365532 "+" 300
1168365832
[root@system]# tcpslice -w 5m.cap 1168365532.235679 1168365832.235679 ./capture.cap
That leaves you with a smaller capture consisting of 300 seconds (5 minutes) worth of traffic.
Note: Newer versions of tcpslice than the one I used (v1.1a3) support relative notation like +30m.
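As an added example (not code from the original post), this Python code reads a classic pcap file directly to show both points above: frames saved with fewer bytes than were on the wire have been cut by the snaplen, and the first N seconds can be selected by timestamp, as tcpslice does. The sample capture is constructed and the function names are made up for illustration.

```python
import struct

GLOBAL_HDR = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
REC_HDR = 16      # ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on wire)

def parse_pcap(data):
    """Parse a classic (microsecond) pcap; return (byte order, snaplen, records)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        bo = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        bo = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    snaplen = struct.unpack(bo + "I", data[16:20])[0]
    records, off = [], GLOBAL_HDR
    while off + REC_HDR <= len(data):
        sec, usec, incl, orig = struct.unpack(bo + "IIII", data[off:off + REC_HDR])
        end = off + REC_HDR + incl
        if end > len(data):      # capture file cut off mid-record
            break
        records.append((sec * 1_000_000 + usec, incl, orig, data[off:end]))
        off = end
    return bo, snaplen, records

def truncated(records):
    """Frames cut by the snaplen: fewer bytes saved than were on the wire."""
    return [r for r in records if r[1] < r[2]]

def first_window(data, seconds):
    """Return a new pcap holding only frames from the first `seconds` of the capture."""
    _, _, records = parse_pcap(data)
    if not records:
        return data[:GLOBAL_HDR]
    limit = records[0][0] + seconds * 1_000_000
    return data[:GLOBAL_HDR] + b"".join(r[3] for r in records if r[0] <= limit)

def build_sample(snaplen=68):
    """Constructed sample: three zero-filled frames captured with the given snaplen."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    t0 = 1168365532  # first timestamp from the tcpslice -R output above
    for sec, wire_len in ((t0, 1514), (t0 + 100, 60), (t0 + 400, 1514)):
        saved = min(wire_len, snaplen)
        out += struct.pack("<IIII", sec, 235679, saved, wire_len) + bytes(saved)
    return out

if __name__ == "__main__":
    sample = build_sample()
    _, snaplen, recs = parse_pcap(sample)
    print("snaplen:", snaplen, "frames:", len(recs), "truncated:", len(truncated(recs)))
    print("frames in first 300 s:", len(parse_pcap(first_window(sample, 300))[2]))
```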
Due to the checksum offloading logic that's built into most current NICs, you'll sometimes get several TCP checksum errors in your Wireshark packet captures, because outgoing packets are captured before the NIC has filled in the checksum. To prevent this, go to Edit > Preferences and choose TCP in the left frame. In the right frame, uncheck 'Validate the checksum if possible'.