tshark(1) -d udp.port==8472,vxlan -r 1.cap "tcp.analysis.duplicate_ack_num==1"
Dump and analyze network traffic
-d  <layer type>==<selector>,<decode-as protocol>
    Like Wireshark's Decode As... feature, this lets you specify how a layer type should be dissected. If
    the layer type in question (for example, tcp.port or udp.port for a TCP or UDP port number) has the
    specified selector value, packets should be dissected as the specified protocol.

    Example: -d tcp.port==8888,http will decode any traffic running over TCP port 8888 as HTTP.

    Using an invalid selector or protocol will print out a list of valid selectors and protocol names,

    Example: -d . is a quick way to get a list of valid selectors.

    Example: -d ethertype==0x0800. is a quick way to get a list of protocols that can be selected with an
-r  <infile>
    Read packet data from infile, can be any supported capture file format (including gzipped files).
    It's not possible to use named pipes or stdin here!
source manpages: tshark