Modifying capture filters

To edit the capture filters, go to the Capture menu and then select Capture Filters, which will display a list of prebuilt filters, as shown in the following screenshot:

Capture Filters dialog box

At the bottom of the dialog box, there are three icons:

  • A plus icon to add a new capture filter
  • A minus icon to delete a capture filter
  • A copy icon to copy a capture filter

Similar to the plus icon used to add a display filter, you can do the same to add a capture filter. However, you'll need to be careful when crafting a capture filter as it uses different syntax than a display filter. 

For example, if you need a filter to capture File Transfer Protocol (FTP) traffic only, you might enter ftp in the capture filter, as you would in a display filter. However, the syntax checker turns red, as shown here. Although this filter would work as a display filter, a capture filter must be written in the correct capture filter syntax:

Invalid capture filter syntax
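Wireshark's syntax checker is red because libpcap, the library Wireshark captures with, cannot compile ftp as a capture filter. The following script is an added example, not code from the book, and assumes libpcap is installed and loadable through ctypes; it hands each expression to libpcap's pcap_compile() so you can see the reason a filter is rejected before you start a capture:

```python
import ctypes
import ctypes.util

DLT_EN10MB = 1                  # Ethernet link type; enough for a syntax check
PCAP_NETMASK_UNKNOWN = 0xFFFFFFFF


class BpfProgram(ctypes.Structure):
    # struct bpf_program { u_int bf_len; struct bpf_insn *bf_insns; }
    _fields_ = [("bf_len", ctypes.c_uint), ("bf_insns", ctypes.c_void_p)]


def _load_libpcap():
    """Load libpcap via ctypes, or return None when it is not installed."""
    name = ctypes.util.find_library("pcap")
    if name is None:
        return None
    lib = ctypes.CDLL(name)
    lib.pcap_open_dead.restype = ctypes.c_void_p
    lib.pcap_open_dead.argtypes = [ctypes.c_int, ctypes.c_int]
    lib.pcap_compile.restype = ctypes.c_int
    lib.pcap_compile.argtypes = [ctypes.c_void_p, ctypes.POINTER(BpfProgram),
                                 ctypes.c_char_p, ctypes.c_int, ctypes.c_uint]
    lib.pcap_geterr.restype = ctypes.c_char_p
    lib.pcap_geterr.argtypes = [ctypes.c_void_p]
    lib.pcap_freecode.argtypes = [ctypes.POINTER(BpfProgram)]
    lib.pcap_close.argtypes = [ctypes.c_void_p]
    return lib


def check_capture_filter(expr):
    """Return (True, "") if libpcap accepts expr, (False, reason) if not,
    or None when libpcap is unavailable on this machine."""
    lib = _load_libpcap()
    if lib is None:
        return None
    # A "dead" handle compiles filters without touching any interface.
    handle = lib.pcap_open_dead(DLT_EN10MB, 65535)
    prog = BpfProgram()
    try:
        rc = lib.pcap_compile(handle, ctypes.byref(prog), expr.encode(),
                              1, PCAP_NETMASK_UNKNOWN)
        if rc != 0:
            return False, lib.pcap_geterr(handle).decode(errors="replace")
        lib.pcap_freecode(ctypes.byref(prog))
        return True, ""
    finally:
        lib.pcap_close(handle)


if __name__ == "__main__":
    for expr in ("ftp", "tcp port ftp or tcp port 21"):
        print(repr(expr), "->", check_capture_filter(expr))
```

A bare word such as ftp is read by libpcap as a host name, which is why it fails, while tcp port 21 is the form a capture filter expects.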

If you do need to create a new capture filter, use one of the prebuilt filters as a guide to build your filter correctly. Find a capture filter similar to the one you need, select it, and click the copy icon. Wireshark will copy the filter and place it at the end of the list, where you can edit it.

Let's go through an example of creating a capture filter for FTP by copying an existing filter:

  1. Go to the Capture menu and select Capture Filters.
  2. Select the HTTP TCP port (80) capture filter and then click the copy icon. Wireshark will place the copied filter at the end of the list, as shown in the following screenshot:

Copy capture filter
  3. To edit the filter, change the name to FTP and change the filter to tcp port ftp or tcp port 21.
  4. Close the Capture Filters dialog box.

To use the newly created filter, follow these steps:

  1. Go to the Capture menu choice, and then select Options....
  2. Click the interface that will be used to capture traffic. For example, in the following screenshot, the Microsoft: Wi-Fi interface is selected.
  3. In the capture filter area, drop down the green bookmark and select the filter you just created. The bookmark will turn yellow, as shown here:

FTP capture filter

Once you click Start to begin your capture, you will only capture FTP traffic.

When you are done using a capture filter, make sure you clear it by going into the Capture menu and then Options.... Once the dialog box is open, delete the capture filter so that you can capture all traffic again.

For an extensive list of examples, go to the Wireshark Wiki at https://wiki.wireshark.org/CaptureFilters.

Capture filters can be useful. However, keep in mind that while a capture filter is in use, you might miss important traffic that could help during troubleshooting or malware analysis.

After building a few simple filters, you may need to create a more complex filter or expression. The following section outlines how to use the expression builder.
