How to filter POST requests using pcap?
I am playing around with the pcap library in C. I can filter HTTP traffic using the filter expression "port 80" in the pcap_compile call, but now I'm wondering whether I can filter POST requests specifically.
Does anyone know of a filter expression for filtering HTTP POST requests?
The following should match only POSTs:
port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354
However, an HTTP request is likely to be split across various TCP packets, and thus you may not get the full request.
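What the filter expression in the answer above checks, written out as plain C over a raw TCP segment. This is an added example, not part of the original answer; the function names and the sample segments are constructed for illustration, and it does not need libpcap.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Mirrors tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354 on a raw TCP segment
 * (TCP header + payload, no IP or Ethernet header). Returns 1 on match. */
int tcp_payload_starts_with_post(const uint8_t *tcp, size_t len)
{
    if (len < 20)                      /* shorter than a minimal TCP header */
        return 0;
    /* Byte 12: high nibble = data offset in 32-bit words.
     * Words * 4 = bytes, so (x & 0xf0) >> 4 << 2 collapses to >> 2. */
    size_t hdr_len = (size_t)(tcp[12] & 0xf0) >> 2;
    /* BPF rejects a packet when a load runs past its end; the hdr_len < 20
     * test is extra strictness added here for malformed headers. */
    if (hdr_len < 20 || hdr_len > len || len - hdr_len < 4)
        return 0;
    /* 0x504f5354 is "POST" in ASCII, in network byte order. */
    return memcmp(tcp + hdr_len, "POST", 4) == 0;
}

/* Constructed sample data: a TCP segment with the given header length
 * (20 = no options, up to 60 with options) followed by the payload. */
size_t build_segment(uint8_t *out, size_t cap, size_t hdr_len,
                     const char *payload)
{
    size_t plen = strlen(payload);
    if (hdr_len < 20 || hdr_len > 60 || hdr_len % 4 || hdr_len + plen > cap)
        return 0;
    memset(out, 0, hdr_len);
    out[2] = 0x00; out[3] = 0x50;      /* destination port 80 */
    out[12] = (uint8_t)((hdr_len / 4) << 4);
    memcpy(out + hdr_len, payload, plen);
    return hdr_len + plen;
}

int main(void)
{
    uint8_t buf[256];
    /* 32-byte header: the usual case with TCP timestamp options present. */
    size_t n = build_segment(buf, sizeof buf, 32, "POST /login HTTP/1.1\r\n");
    return tcp_payload_starts_with_post(buf, n) ? 0 : 1;
}
```

Only the segment whose payload begins with the request line matches; a later segment carrying the rest of the same request body does not, which is the splitting caveat from the answer.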