How to Use Wireshark HTTP Filter

wireshark

Are the filters http.host != "" and http.host the same? The first one makes the filter text edit turn yellow (suggesting I may get undesirable results) whereas the second passes the syntax check fine. They seem to produce the same output.

Best Answer

The use of the NOT (!=) operator in Wireshark comes with a caveat, as mentioned in the documentation:

6.4.4. A common mistake

Warning! Using the != operator on combined expressions like: eth.addr, ip.addr, tcp.port, udp.port and alike will probably not work as expected!

Often people use a filter string to display something like ip.addr == 1.2.3.4 which will display all packets containing the IP address 1.2.3.4.

Then they use ip.addr != 1.2.3.4 to see all packets not containing the IP address 1.2.3.4 in it. Unfortunately, this does not do the expected.

Instead, that expression will even be true for packets where either source or destination IP address equals 1.2.3.4. The reason for this is that the expression ip.addr != 1.2.3.4 must be read as "the packet contains a field named ip.addr with a value different from 1.2.3.4". As an IP datagram contains both a source and a destination address, the expression will evaluate to true whenever at least one of the two addresses differs from 1.2.3.4.

If you want to filter out all packets containing IP datagrams to or from IP address 1.2.3.4, then the correct filter is !(ip.addr == 1.2.3.4) as it reads "show me all the packets for which it is not true that a field named ip.addr exists with a value of 1.2.3.4", or in other words, "filter out all packets for which there are no occurrences of a field named ip.addr with the value 1.2.3.4".

It might be that for your specific filter at hand, the current capture is displaying the same results, but it might give you a different result with a different capture.

"http.host" means any packet which has an HTTP host; "http.host != """ means any packet whose http.host isn't empty.

How will the second one react if you do not have http.host at all (i.e., non-HTTP traffic)? You might want to check that.
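To make the "any occurrence" semantics from the quoted manual concrete, here is a small Python model of how such filters evaluate over packets whose fields can occur more than once (ip.addr carries both source and destination). This is an added example, not code from the question, the answer or the Wireshark project; the four packets are constructed by hand rather than taken from a capture, and the functions model only the presence, == and != forms discussed above (per the quoted manual's description of != as "some occurrence differs"; newer Wireshark releases changed the meaning of !=, so check the manual for the version you run).

```python
"""Toy model of Wireshark display-filter semantics for multi-occurrence fields.

Each packet is a dict mapping a field name to the list of values that field
takes in that packet. ip.addr occurs twice (source and destination), which
is exactly the case the manual warns about. Assumption: a field that is not
present in a packet simply has no occurrences.
"""

# Constructed sample packets (not a real capture). Packet 2 is an HTTP
# request whose Host header is empty; packets 3 and 4 carry no HTTP at all.
PACKETS = {
    1: {"ip.addr": ["10.0.0.5", "1.2.3.4"], "tcp.port": [51000, 80],
        "http.host": ["example.com"]},
    2: {"ip.addr": ["1.2.3.4", "10.0.0.6"], "tcp.port": [80, 51001],
        "http.host": [""]},
    3: {"ip.addr": ["10.0.0.7", "10.0.0.8"], "tcp.port": [51002, 22]},
    4: {"ip.addr": ["1.2.3.4", "8.8.8.8"], "udp.port": [53, 53],
        "dns.qry.name": ["example.com"]},
}


def field_exists(pkt, name):
    """Filter `name` on its own: true if the field occurs at least once."""
    return len(pkt.get(name, [])) > 0


def any_eq(pkt, name, value):
    """Filter `name == value`: true if some occurrence equals value."""
    return any(v == value for v in pkt.get(name, []))


def any_ne(pkt, name, value):
    """Filter `name != value` as the quoted manual reads it:
    true if some occurrence of the field has a different value."""
    return any(v != value for v in pkt.get(name, []))


def matching(predicate):
    """Return the sorted ids of the packets the predicate accepts."""
    return sorted(n for n, pkt in PACKETS.items() if predicate(pkt))


def compare_filters():
    """Evaluate the four filters from the thread against the sample packets."""
    return {
        "http.host": matching(lambda p: field_exists(p, "http.host")),
        'http.host != ""': matching(lambda p: any_ne(p, "http.host", "")),
        # The pitfall: "some ip.addr differs from 1.2.3.4" is true for
        # every packet whose other address is something else.
        "ip.addr != 1.2.3.4": matching(lambda p: any_ne(p, "ip.addr", "1.2.3.4")),
        # The correct exclusion: no occurrence of ip.addr equals 1.2.3.4.
        "!(ip.addr == 1.2.3.4)": matching(
            lambda p: not any_eq(p, "ip.addr", "1.2.3.4")),
    }


if __name__ == "__main__":
    for flt, hits in compare_filters().items():
        print(f"{flt:24} -> packets {hits}")
```

Running it shows the two behaviours side by side: http.host and http.host != "" agree on non-HTTP packets (neither matches, since the field has no occurrences) and differ only on packet 2, whose Host header is empty; ip.addr != 1.2.3.4 matches all four packets, including the three that involve 1.2.3.4, while !(ip.addr == 1.2.3.4) keeps only packet 3.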