Wireshark filter

Im currently working on a filter that captures source IP address, visited URL and a timestamp.

In Wireshark/TShark, the term "filter" refers to something that a packet does, or doesn't match - i.e., all it does is say "this packet passes" or "this packet doesn't pass". In that context, "capture source IP address" means "packets with this IP source address pass the filter and other packets don't", "capture visited URL" means "packets that are HTTP requests using this URL pass the filter and other packets don't", and "capture timestamp" means "packets with this timestamp pass the filter and other packets don't".

The Wireshark display filter you show looks for "GET / HTTP/1.1{CR}{LF}", so you appear to be trying to construct a filter that passes only HTTP requests with a visited URL of /.

The frame[] filter looks at raw byte values at very specific offsets in the packet. There is no guarantee that the payload of a TCP segment - which is what would contain the HTTP request line in your example - will be at a fixed offset in the packet; the link-layer header is variable-length in some networks such as 802.11, an IPv4 header can have options and thus be bigger than 20 bytes, a TCP header can have options and thus be bigger than 20 bytes, and the packet might have an IPv6 header plus a variable number of extension headers rather than an IPv4 header.

So a frame[] filter is, in general, a lot less useful than people might think.

A tcp[] filter looks at the TCP header and payload, so it's more useful in this case, but it still doesn't handle TCP options making the TCP header bigger than 20 bytes.

What you really want here is:

http.request.method == "GET" and http.request.uri == "/"

which is a LOT easier than trying to match raw bytes in a packet. That one will work no matter how big the link-layer, IP, and TCP headers are.