Using tshark filters to extract only interesting traffic from 12GB trace

I have a big trace: 12 GBytes, and I would like to use tshark to filter the traffic I'm interested in. It has the following characteristics:

- session ends up in RST
- session duration is lower than 30 seconds
- session's traffic is between 200 KB and 1 MB
- amount of packets in session is fewer than 200

Can I use any of the tshark two-pass filters to only extract packets belonging to these sessions I'm interested in (using any of the criteria above) and drop everything else? I have to make the trace smaller by throwing away the data which is not interesting for the analysis. FYI: the capture is between F5 and a server, the IP pair is fixed, and ports are random, therefore no standard filtering can be applied …
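One way to do this, as an added example that is not part of the original question: a two-step tshark workflow driven from Python. Pass 1 dumps one tab-separated line per TCP packet (`tcp.stream`, `frame.time_epoch`, `frame.len`, `tcp.flags.reset`, all real tshark field names), an aggregator keeps only the streams that meet all four criteria, and pass 2 rewrites just those streams to a new, smaller pcap. It assumes `tshark` is on PATH, takes "200 KB" and "1 MB" as decimal byte counts of frame bytes on the wire (an assumption), and treats "ends in RST" as "the last packet of the stream carries the RST flag".

```python
"""Added example: shrink a large pcap to the TCP sessions of interest.

Pass 1 (extract_cmd): tshark prints per-packet fields for TCP traffic.
select_streams(): aggregate those lines per tcp.stream, keep matches.
Pass 2 (filter_cmd): tshark writes only the kept streams with -w.
Assumes tshark on PATH; thresholds below are decimal (assumption)."""
import subprocess
import sys

MAX_DURATION_S = 30.0     # session duration lower than 30 seconds
MIN_BYTES = 200_000       # session traffic between 200 KB ...
MAX_BYTES = 1_000_000     # ... and 1 MB (summed frame.len)
MAX_PACKETS = 200         # fewer than 200 packets in the session

FIELDS = ["tcp.stream", "frame.time_epoch", "frame.len", "tcp.flags.reset"]


def extract_cmd(pcap):
    """tshark argv for pass 1: tab-separated fields for every TCP packet."""
    cmd = ["tshark", "-r", pcap, "-Y", "tcp", "-T", "fields"]
    for field in FIELDS:
        cmd += ["-e", field]
    return cmd


def select_streams(lines):
    """Aggregate pass-1 output lines per tcp.stream and return the sorted
    list of stream ids (ints) whose sessions satisfy all four criteria."""
    # stream id -> [first_ts, last_ts, total_bytes, packet_count, last_is_rst]
    stats = {}
    for line in lines:
        parts = line.rstrip("\r\n").split("\t")
        if len(parts) < 4 or not parts[0]:
            continue  # non-TCP frame (empty tcp.stream) or malformed line
        stream = int(parts[0])
        ts = float(parts[1])
        length = int(parts[2])
        # tshark prints booleans as 0/1 in older versions, True/False in newer
        is_rst = parts[3].strip().lower() in ("1", "true")
        s = stats.get(stream)
        if s is None:
            stats[stream] = [ts, ts, length, 1, is_rst]
            continue
        s[0] = min(s[0], ts)
        if ts >= s[1]:            # the latest packet decides "ends in RST"
            s[1] = ts
            s[4] = is_rst
        s[2] += length
        s[3] += 1

    keep = []
    for stream, (first, last, nbytes, npkts, ends_rst) in stats.items():
        if (ends_rst
                and (last - first) < MAX_DURATION_S
                and MIN_BYTES <= nbytes <= MAX_BYTES
                and npkts < MAX_PACKETS):
            keep.append(stream)
    return sorted(keep)


def filter_cmd(pcap, out_pcap, streams):
    """tshark argv for pass 2: write only the selected streams to out_pcap,
    using the display-filter set syntax 'tcp.stream in {a b c}'."""
    members = " ".join(str(s) for s in streams)
    return ["tshark", "-r", pcap, "-Y", f"tcp.stream in {{{members}}}",
            "-w", out_pcap]


if __name__ == "__main__":
    src, dst = sys.argv[1], sys.argv[2]   # e.g. big.pcap small.pcap
    first = subprocess.run(extract_cmd(src), capture_output=True,
                           text=True, check=True)
    streams = select_streams(first.stdout.splitlines())
    print(f"{len(streams)} streams match", file=sys.stderr)
    if streams:
        subprocess.run(filter_cmd(src, dst, streams), check=True)
```

Both passes read the whole 12 GB file once each, but pass 1 only has to hold a few numbers per stream in memory, so it stays cheap even for a trace with many sessions. The four criteria are combined with AND here; drop or loosen a condition in `select_streams()` if you want "any of" them instead. If a very large number of streams match, the `tcp.stream in {...}` filter string gets long; in that case write the kept ids in batches to separate files and join them with `mergecap`.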