I am able to filter for Client Hello messages for TLS on TCP with the following:
(tcp[((tcp[12] & 0xf0) >> 2)] = 0x16) && (tcp[((tcp[12] & 0xf0) >> 2) + 5] = 0x01)
https://www.baeldung.com/linux/tcpdump-capture-ssl-handshake
What filter can I use to achieve the same for Quic packets?
Discovered this isn't possible with Quic as the the payload which contains the TLS handshake data is protected.
See: https://datatracker.ietf.org/doc/html/rfc9001#section-5. Specifically section 5.2 related to initial packets.
The initial packets can be 'unencrypted' easily as long as you know the version specific hard coded salt value. But as far as I can tell this is something that can only be done after the packets have been captured (not as they are being captured).