(type:execve a0:tcpdump a1:\-c a3:\-i*) OR (type:execve a0:tshark a1:\-c a3:\-i)