This is our old Q&A Site. Please post any new questions and answers at

Hi all,

I have a problem with HTTP filter in wireshark where the HTTP Response is displayed first then HTTP Request. This is observed in HTTP GET Request with following headers.

Authorization: xxxx. User-Agent: curl/7.30.0 Accept: / Content-Type: application/json \r\n\r\n

Please see the below HTTP.png file.alt text

If the Content-Type header is not present then wireshark is displaying the request and response in proper sequence.

I think the "Content-type" header should not be used in GET request? Is this the reason for wireshark to fail to decode it in proper sequence?

Regards, Swathi.

asked 19 Apr '16, 05:48

swathi%20jakkam's gravatar image

swathi jakkam
accept rate: 0%

Can you share the capture somewhere publicly, e.g. Google Drive, Dropbox etc?

(19 Apr '16, 06:01) grahamb ♦

where did you take that capture and how?

(19 Apr '16, 06:29) Kurt Knochner ♦

could you please see the http capture in below link.

Regards, Swathi.

(19 Apr '16, 22:08) swathi jakkam

Please apply the following display filter and take a look at the timestamps of the frames. eq 0

They are totally weird. So, there is either something wrong with your capturing system or something changed the timestamps in the pcap file (like anonymizer tools).

That's why you see the response before the request. So again my question:

where did you take that capture and how?


permanent link

answered 20 Apr '16, 00:56

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
accept rate: 15%

I am Sending HTTP get request with below url. "". For HTTP get request I added "Authorization: xxxx. User-Agent: curl/7.30.0 Accept: / Content-Type: application/json \r\n\r\n" headers. Then I captured this in wireshark.

I have one doubt. Content-type header is used in HTTP get method or not?

Could you please conform when we use content-type header field in HTTP.

Regrads, Swathi.

(20 Apr '16, 02:29) swathi jakkam

The HTTP RFC defines NO "Content-Type" for GET requests only for HEAD requests and for repsonses (where it makes sense), so "Content-Type" should not appear in GET requests, as there is no "Content" in GET requests. POST requests might have a "Content-Type" as well.
Section: 14.17 Content-Type

Later RFCs might define it differently. I did not check!

But this still does not explain the weird time stamps in the pcap! Something must be wrong on your capturing system.

(20 Apr '16, 03:41) Kurt Knochner ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 19 Apr '16, 05:48

question was seen: 1,125 times

last updated: 20 Apr '16, 03:45

p​o​w​e​r​e​d by O​S​Q​A