On https://www.wireshark.org/docs/dfref/t/tcp.html it shows that the field tcp.analysis.initial_rtt has been included in wireshark and tshark since version 1.12.0 which came out in 2014. Is your tshark running on the same host as wireshark? If not, what is its version and can you upgrade to version 1.12 or newer?

As the field tcp.analysis.initial_rtt is calculated by looking at the delta between the SYN and the final ACK of the 3-way-handshake, it is not known yet on the SYN/ACK in the first pass over the packets. Wireshark always does 2-pass processing, while tshark by default does 1-pass processing, so your filter will indeed not work as expected and will show all SYN/ACK packets (whether or not there was a final ACK).

You can make tshark do 2-pass processing by specifying the -2 argument when running tshark. Your filter should work as expected then. You also need 2-pass processing for the tcp.completeness & 6 == 2 filter to work as expected.