It can be a little hard (confusing) trying to snoop for TCP header flags, but this example will pick up reset and fin packets on a given port
Snoop for rst or fin packets on port 1234
snoop port 1234 and 'tcp[13] & 4 !=0' or port 1234 and 'tcp[13] & 1 !=0'
I am sure there is a grouping mechanism to clean that up ( i.e. port and (rst or fin) ), but it does not jump out at me.
pete
Thanks for the post!