1 | initial version |
Your approach looks correct, so the 688 packets should be the ones with the IPs you filtered for, otherwise something is not working correctly.
You should keep in mind that your approach will not give you the results you expect though - Wireshark determines the "duplicate ACK" and "retranmission" markers by comparing TCP packets. If you only save those that are marked (and not the ones they were compared against) the markers will disappear when reloading the smaller set.