How to filter only Http.cookie before starting

You can't create a capture filter that looks for a specific cookie, as that filter would need to loop through the http headers to find the line cookie header. Capture filters use BPF and are executed in the kernel, that's why a jump backwards (needed for the loop) is not allowed to prevent an infinite loop in the kernel.

What you can do is filter on port 80 during capturing and the filter for the cookie when analyzing the data.

but is there anyway to only capture http.cookie from all sites??

No, it is not possible to capture only HTTP cookies (see the answer of @SYN-bit).

However, if you just need the Cookie names and the values, you can use ngrep on several Unix systems (Linux, etc.) and even on Windows.

ngrep -d eth0 -W byline 'Cookie:' port 80 | egrep '(Cookie:|->)'

This will look for the string "Cookie:" (the HTTP header) on all HTTP connections (port 80). The output looks like this (several cookies in use at the sample page).

T 192.168.158.134:60806 -> 108.162.204.234:80 [AP]
Cookie: __utma=87653150.584013553.1368057495.1368057495.1368057495.1; __utmz=87653150.1368057495.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __cfduid=d5de20eee1f1e5a337360768a92d829051373446194; csrftoken=0d7650a7e762b88664d2b9cdd7c4197f; __utma=46672567.888537486.1372378054.1375087941.1376861294.3; __utmz=46672567.1372378054.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); sessionid=a19b0f1adf49cf486e45696a742b0c38; greeting_set=True; __utmb=46672567.6.10.1376861294; __utmc=46672567.

Then pipe that output into a script and extract whatever you need.

Optionally, you can write the matched packets to a file and then analyze that file with wireshark/tshark.

ngrep -d eth0 -O /var/tmp/cookies.pcap 'Cookie:' port 80

Regards
Kurt