The correct command to capture packets that are part of established TCP sessions is tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn) == 0'. This command uses a bitwise AND operator to inspect the TCP flags and checks if the SYN flag is not set. This captures packets that are not part of the initial TCP handshake, as required. The other options incorrectly filter the traffic, either capturing all TCP packets, only SYN packets, or only packets without ACK flag set, instead of filtering out SYN packets to focus on established connections. Understanding the TCP flag filtering is crucial when performing in-depth packet analysis.