tshark does not recognize tcp.analysis.initial_rtt

The Wireshark Display Filter "(tcp.flags==0x12) and not tcp.analysis.initial_rtt" works in Wireshark, but not tshark.

Problem:

My router is dropping SYN-ACK packets and NO-FLAG packets. I have about 12 hours' worth of pcap files to sort through, so I created a script to loop through all pcap files in the directory and delete any pcap file that does not contain SYN-ACK or NO-FLAG packets. I am now left with 284 files in which to locate a total of 4 packets that were dropped.

Since the router should only drop SYN-ACK packets on half-open connections, the Wireshark display filter needs to include a check for the value of tcp.analysis.initial_rtt, and the above display filter works. But it seems that Wireshark calculates tcp.analysis.initial_rtt while tshark does not, and I get the following error.

[bob@Linux dev]$ tshark -t ad -r "$fname" -Y "(tcp.flags==0x12) and not tcp.analysis.initial_rtt"
tshark: "tcp.analysis.initial_rtt" is neither a field nor a protocol name.

Is there another way around this in tshark to find a half-open connection with tcp.flags==0x12?
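One way to get the same "SYN-ACK with no handshake start" check without the tcp.analysis.initial_rtt field is to have tshark emit plain fields and do the stream bookkeeping yourself. The script below is an added example, not part of the question or of Wireshark; it assumes the tshark command quoted in its docstring and a constructed sample of that command's tab-separated output.

```python
"""Flag SYN-ACK segments whose TCP stream shows no earlier SYN, i.e. the
half-open replies for which Wireshark would have no tcp.analysis.initial_rtt.

Input lines are assumed to come from (one run per pcap file):
  tshark -r FILE -T fields -E separator=/t \
         -e frame.number -e tcp.stream -e tcp.flags
"""
from typing import Iterable, List

SYN, RST, ACK = 0x02, 0x04, 0x10


def find_orphan_synacks(lines: Iterable[str]) -> List[int]:
    """Return frame numbers of SYN-ACKs in streams with no prior plain SYN."""
    seen_syn = set()          # tcp.stream ids where a client SYN was observed
    orphans = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) < 3 or not parts[2]:
            continue          # non-TCP frames have empty tcp.* fields
        frame, stream, flags = int(parts[0]), parts[1], int(parts[2], 16)
        if flags & SYN and not flags & ACK:
            seen_syn.add(stream)                  # handshake started normally
        elif flags & SYN and flags & ACK and not flags & RST:
            if stream not in seen_syn:
                orphans.append(frame)             # SYN-ACK with no SYN first
    return orphans


# Constructed sample of tshark field output: stream 0 is a normal handshake,
# frame 4 is a non-TCP frame, stream 1 is a SYN-ACK with no SYN in the capture.
SAMPLE = """\
1\t0\t0x0002
2\t0\t0x0012
3\t0\t0x0010
4\t\t
5\t1\t0x0012
6\t1\t0x0004
"""

if __name__ == "__main__":
    print(find_orphan_synacks(SAMPLE.splitlines(True)))   # [5]
```

Because the check is per tcp.stream, it only works when each pcap file holds the whole conversation; a SYN that landed in the previous file of the ring buffer would make its reply look orphaned.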