In the Wireshark wiki is an example for filtering HTTP GET
requests:
Capture HTTP GET requests. This looks for the bytes 'G', 'E', 'T', and ' ' (hex values 47, 45, 54, and 20) just after the TCP header. "(tcp[12:1] & 0xf0) >> 2" figures out the TCP header length. From Jefferson Ogata via the tcpdump-workers mailing list.
with this filter:
port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
Unfortunately this does not work. What is the correct filter for HTTP GET
requests?
Best Answer
It does work, make sure you are surrounding your filter in double quotes so the shell doesn't try and parse the filter arguments.
e.g. a curl of google.com for me:
This is a rather complicated way of doing it though. tshark does allow you to apply read filters. Now these may not be as useful if you've got a large volume of data (filtering happens after capturing), but they're certainly more intuitive and readable.
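To see why the filter works once the shell is kept out of it, here is an added example (not from the question, the answer, or the Wireshark wiki) that emulates the BPF expression in Python over constructed IPv4/TCP packets. Without quotes, sh reads the `>` in `>> 2` as an output redirection and the `&` in `& 0xf0` as a background operator, so tcpdump never sees the whole expression. The helper names, the packet builder and the sample payloads are all assumptions made for this illustration; the packets carry no link-layer header, so `tcp[...]` offsets are taken relative to the start of the TCP header as libpcap would compute them.

```python
import struct

# Constructed sample frames for illustration only (no real traffic): a bare
# IPv4 header followed by a TCP header, optional TCP options and a payload.
# Checksums are left at zero because the capture filter never examines them.

def build_ipv4_tcp(payload: bytes, tcp_options: bytes = b"", dport: int = 80) -> bytes:
    """Hypothetical helper: build a minimal IPv4 + TCP packet around `payload`."""
    assert len(tcp_options) % 4 == 0, "TCP options must pad to a 32-bit boundary"
    data_offset_words = 5 + len(tcp_options) // 4        # TCP header length in 32-bit words
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        40000, dport,                                    # source port, destination port
        1, 0,                                            # sequence, acknowledgement
        data_offset_words << 4,                          # tcp[12]: data offset in the high nibble
        0x18,                                            # flags PSH|ACK
        65535, 0, 0,                                     # window, checksum (zero), urgent pointer
    )
    tcp = tcp_hdr + tcp_options + payload
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(tcp),                          # version 4 / IHL 5, TOS, total length
        0, 0,                                            # identification, flags/fragment offset
        64, 6, 0,                                        # TTL, protocol 6 = TCP, checksum (zero)
        bytes([10, 0, 0, 1]), bytes([93, 184, 216, 34]), # constructed addresses
    )
    return ip_hdr + tcp


def matches_http_get_filter(ip_packet: bytes) -> bool:
    """Emulate:  port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420

    `ip_packet` is a raw IPv4 packet with no Ethernet header (libpcap adds the
    link-layer offset itself when it compiles the expression for a real capture)."""
    ihl = (ip_packet[0] & 0x0F) * 4                      # IPv4 header length in bytes
    if ip_packet[9] != 6:                                # protocol field: not TCP, so `tcp[...]` is false
        return False
    tcp = ip_packet[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    if 80 not in (sport, dport):                         # `port 80` matches either direction
        return False
    # tcp[12:1] is the data-offset/reserved byte. The high nibble is the header
    # length in 32-bit words, so ((byte & 0xf0) >> 4) * 4 == (byte & 0xf0) >> 2 bytes.
    hdr_len = (tcp[12] & 0xF0) >> 2
    # tcp[hdr_len:4] compared against 0x47455420, i.e. the ASCII bytes "GET ".
    # If the packet is too short for a 4-byte read BPF rejects it; a short slice
    # here compares unequal, which gives the same answer.
    return tcp[hdr_len:hdr_len + 4] == b"GET "


# Four constructed cases: a plain GET, a GET behind 12 bytes of TCP options
# (NOP, NOP, timestamp), a POST, and a GET to a port other than 80.
SAMPLES = {
    "get_no_opts":   build_ipv4_tcp(b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    "get_with_opts": build_ipv4_tcp(b"GET /x HTTP/1.1\r\n\r\n",
                                    tcp_options=b"\x01\x01\x08\x0a" + b"\x00" * 8),
    "post":          build_ipv4_tcp(b"POST / HTTP/1.1\r\n\r\n"),
    "get_port_8080": build_ipv4_tcp(b"GET / HTTP/1.1\r\n\r\n", dport=8080),
}

if __name__ == "__main__":
    assert int.from_bytes(b"GET ", "big") == 0x47455420
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} matches={matches_http_get_filter(pkt)}")
```

The "get_with_opts" case is the reason the filter bothers with `tcp[12]` at all: a fixed offset of 20 would point into the options of any segment that carries them, and the SYN/ACK-derived timestamps most modern stacks negotiate put options on every data segment. When the expression is passed to tcpdump or tshark, wrap it in single or double quotes exactly as the answer says, otherwise the shell will split it at `&` and `>>`.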