Here's another way of doing it using `tshark`. The idea is the same as the answer from @artistoex - the difference is that it doesn't look at each half-connection for itself, and the output is the TCP stream number (from Wireshark/tshark), which might be easier to work with when you want to open that stream in Wireshark and continue to post-process it there.
```
# -Y applies the display filter in a single pass (older tshark releases used -R here)
tshark -r pcap_file.pcap -Y "tcp.flags & 0x03" -Tfields -etcp.stream |
sort -n | uniq -c | awk -F ' ' '{ if ($1<4) print $1," ", $2 }'
```
The display filter does the same as the capture filter from the other answer; it uses the fact that the SYN and FIN bits are two of the least significant bits in the TCP flags field, so if both are set, that would be `0b11` or `0x3`. AND-ing the `tcp.flags` field with `0x3` would give non-zero values if either flag is set.
`tshark` outputs the TCP stream number for each packet here. We sort them and count the unique numbers. The last step only prints the lines where the number of packets for this stream is less than 4 (1 SYN and 1 FIN for each half-direction).
Then you can open Wireshark with
```
wireshark -r pcap-file -R "tcp.stream eq 1234"
```
where 1234 is from the previous command.
Pretty? I guess not.
Fast? No...
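An added example, not part of the original answer: the same per-stream check, but counting distinct (endpoint, flag) events instead of raw packets, so a stream whose SYN is retransmitted four times is not mistaken for a complete one. The extra fields (`ip.src`, `tcp.srcport`, `tcp.flags`), the IPv4-only input and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict

FIN, SYN = 0x01, 0x02  # the two least significant bits of the TCP flags field

# Constructed sample rows (stream, source IP, source port, flags), tab-separated,
# in the shape printed by:
#   tshark -r pcap_file.pcap -Y "tcp.flags & 0x03" -T fields \
#          -e tcp.stream -e ip.src -e tcp.srcport -e tcp.flags
SAMPLE = "\n".join([
    "0\t10.0.0.5\t40000\t0x0002",   # stream 0: SYN
    "0\t10.0.0.9\t443\t0x0012",     #           SYN+ACK
    "0\t10.0.0.5\t40000\t0x0011",   #           FIN+ACK
    "0\t10.0.0.9\t443\t0x0011",     #           FIN+ACK
    "1\t10.0.0.5\t40001\t0x0002",   # stream 1: SYN, never answered ...
    "1\t10.0.0.5\t40001\t0x0002",   #           ... and retransmitted 3 times
    "1\t10.0.0.5\t40001\t0x0002",
    "1\t10.0.0.5\t40001\t0x0002",
    "2\t10.0.0.5\t40002\t0x0002",   # stream 2: SYN
    "2\t10.0.0.9\t443\t0x0012",     #           SYN+ACK
    "2\t10.0.0.5\t40002\t0x0011",   #           FIN+ACK from one side only
])

def incomplete_streams(rows):
    """Return {stream: (flagged_packets, distinct_events)} for streams that
    lack a SYN and a FIN from both endpoints."""
    packets = defaultdict(int)
    events = defaultdict(set)        # stream -> {(endpoint, "SYN" or "FIN")}
    for row in rows.splitlines():
        if not row.strip():
            continue
        stream, ip, port, flags = row.split("\t")
        bits = int(flags, 16)        # tshark prints tcp.flags as hex
        stream = int(stream)
        packets[stream] += 1
        for mask, name in ((SYN, "SYN"), (FIN, "FIN")):
            if bits & mask:
                events[stream].add((f"{ip}:{port}", name))
    # Complete means four distinct events: SYN and FIN seen from each side.
    return {s: (packets[s], len(events[s]))
            for s in sorted(packets) if len(events[s]) < 4}

if __name__ == "__main__":
    for stream, (count, distinct) in incomplete_streams(SAMPLE).items():
        print(f"stream {stream}: {count} SYN/FIN packets, {distinct}/4 distinct")
```

In the sample, stream 1 has four flagged packets and would pass a plain "fewer than 4" count, yet only one distinct event was seen.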