How it works...

The general structure of an offset filter is:

proto [Offset in bytes from the start of the header : Number of bytes to check] 

Common examples for string matching filters are:

  • To filter destination TCP ports between 50 and 100, configure (tcp[2:2] > 50 and tcp[2:2] < 100). Here we count two bytes from the beginning of the TCP header and check that the next two bytes (the destination port field) are higher than 50 and lower than 100.
  • To check for a TCP window size smaller than 8192, configure tcp[14:2] < 8192. Here we go to offset 14 from the beginning of the TCP header (the window size field) and check that the next two bytes are less than 8192.
  • To filter only HTTP GET packets, configure port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):3] = 0x474554. Here, (tcp[12:1] & 0xf0) >> 2 gives the TCP header length in bytes: the upper four bits of byte 12 hold the header length in 32-bit words, and masking them with 0xf0 and shifting right by two multiplies that value by four. Right after the header, we check for the strings G, E, T (that is, the HTTP GET command), which have the hex values 47, 45, 54 in the packet bytes pane just after the TCP header.

There's a nice string-matching capture filter generator at: http://www.wireshark.org/tools/string-cf.html.
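
The following Python script is an added example, not part of the original text or of Wireshark itself. It builds two small TCP segments in memory (constructed sample data, not captured traffic), implements the proto[offset:length] lookup described above, and evaluates the three filters from the list against them. The simple "tcp[offset:len] OP value" form is handled by a small regex-based evaluator; the HTTP GET filter, whose offset is itself computed from tcp[12:1], is written out explicitly so the header-length arithmetic is visible. Function names such as tcp_field and build_tcp_segment are my own choices.

```python
import re
import struct

def tcp_field(tcp: bytes, offset: int, length: int) -> int:
    """Return tcp[offset:length] as a big-endian integer, the way a
    capture filter reads it (offset counted from the start of the TCP header)."""
    chunk = tcp[offset:offset + length]
    if len(chunk) != length:
        raise ValueError("segment too short for tcp[%d:%d]" % (offset, length))
    return int.from_bytes(chunk, "big")

def build_tcp_segment(sport: int, dport: int, window: int,
                      payload: bytes = b"", options: bytes = b"") -> bytes:
    """Construct a TCP header (plus optional options and payload) for testing.
    Options are padded to a multiple of four bytes; the data offset field
    (upper nibble of byte 12) is filled with the header length in 32-bit words."""
    options += b"\x00" * ((-len(options)) % 4)
    data_offset_words = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH",
                         sport, dport,
                         0, 0,                       # seq, ack (constructed values)
                         data_offset_words << 4,     # byte 12: data offset in words
                         0x18,                       # flags: PSH, ACK
                         window, 0, 0)               # window, checksum, urgent ptr
    return header + options + payload

# Simple filters of the form  tcp[offset:len] OP value  (decimal or 0x hex value).
_SIMPLE = re.compile(r"^\s*tcp\[(\d+):(\d+)\]\s*(<|>|==|=|!=)\s*(0x[0-9a-fA-F]+|\d+)\s*$")

def eval_simple_filter(tcp: bytes, expr: str) -> bool:
    """Evaluate one simple offset filter expression against a TCP segment."""
    m = _SIMPLE.match(expr)
    if not m:
        raise ValueError("unsupported filter syntax: %r" % expr)
    offset, length, op, value = int(m[1]), int(m[2]), m[3], int(m[4], 0)
    field = tcp_field(tcp, offset, length)
    return {"<": field < value, ">": field > value,
            "=": field == value, "==": field == value, "!=": field != value}[op]

def dst_port_in_range(tcp: bytes) -> bool:
    """(tcp[2:2] > 50 and tcp[2:2] < 100): destination port field at offset 2."""
    return eval_simple_filter(tcp, "tcp[2:2] > 50") and eval_simple_filter(tcp, "tcp[2:2] < 100")

def small_window(tcp: bytes) -> bool:
    """tcp[14:2] < 8192: window size field at offset 14."""
    return eval_simple_filter(tcp, "tcp[14:2] < 8192")

def tcp_header_length(tcp: bytes) -> int:
    """(tcp[12:1] & 0xf0) >> 2: data offset in words, converted to bytes."""
    return (tcp_field(tcp, 12, 1) & 0xf0) >> 2

def is_http_get(tcp: bytes) -> bool:
    """port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):3] = 0x474554 ('GET')."""
    on_port_80 = tcp_field(tcp, 0, 2) == 80 or tcp_field(tcp, 2, 2) == 80
    hlen = tcp_header_length(tcp)
    return on_port_80 and tcp_field(tcp, hlen, 3) == 0x474554

# Constructed sample segments: an HTTP request carrying an MSS option, and
# a TLS ClientHello-like record on a high port with a large window.
HTTP_GET = build_tcp_segment(51234, 80, 4096, b"GET / HTTP/1.1\r\n", options=b"\x02\x04\x05\xb4")
TLS_HELLO = build_tcp_segment(443, 50000, 65535, b"\x16\x03\x01\x02\x00")

if __name__ == "__main__":
    for name, seg in (("HTTP_GET", HTTP_GET), ("TLS_HELLO", TLS_HELLO)):
        print(name, "header length:", tcp_header_length(seg),
              "dport 50-100:", dst_port_in_range(seg),
              "window < 8192:", small_window(seg),
              "HTTP GET:", is_http_get(seg))
```

The MSS option in the first segment makes the TCP header 24 bytes long, so a filter hard-coded to look at tcp[20:3] would miss the GET; computing the offset from byte 12 is what keeps the filter correct for any option length.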
