When I use display filter for HTTP it shows only HTTP packets when HTTP message is on standard port i.e. on port 80. But, when message is not using standard port, then display filter not works for HTTP and I need to filter for TCP and then need to find out HTTP packets manually.
I want to know why this happen? Is it standard behavior or I am doing (or expecting) it wrongly.
Thanks.
The well-known port for HTTP is port 80. If you're looking at traffic on a different port Wireshark would normally expect traffic to be in the form for whatever service normally uses that port (if any). It has no way to know that traffic on, say, port 1080 is actually HTTP. This is not a bug, but a limitation of the way you are trying to use TCP