How to capture filter by tshark http.request Of traffic

edit

Well, you will need to construct a suitable capture filter that captures the traffic you're after. I provided a typical example using port 80 because that's the default port for HTTP traffic. If the HTTP traffic of interest uses a different port, then substitute 80 with whatever port is relevant. If you want SSDP traffic as well, then you may need to include something like "host 239.255.255.250" in your capture filter. Read more about capture filters on the pcap-filter man page.

The main reason is that tshark is a little slow in processing data, so I want to solve this problem by modifying the capture filter rules.There are many ports for HTTP traffic in my network, which is obviously impossible to implement with rules, because there are hundreds of hosts in my network. And I want to capture all the traffic and analyze HTTP data in real time, so I want to ask if there is any way to improve tshark's ability to process data. If the processing power is not improved, a large part of data will be lost.

It sounds more like you need to improve capture performance first. Perhaps the first suggestion I would make is to stop using tshark for capturing and simply use dumpcap (or tcpdump) and then post-analyze the traffic with tshark. If you want/need real-time (or semi-real-time) monitoring, then you'd have to come up with a method for having tsharkprocess one file at a time written by the capture tool once that tool is done writing to a file and moves to the next file. I'm sure something could be scripted. I'm sure there are other possible solutions as well, but this is just one idea. If your capture hardware can't keep up with the load, then you may need to invest in dedicated built-for-purpose hardware hardware, but that's typically not cheap, depending on your needs. Other tips may be found at https://wiki.wireshark.org/Performance