This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

wireshark with tcp segments.

0

Hi all,

I have a problem with the HTTP filter in Wireshark where the HTTP response is displayed first, then the HTTP request. This is observed in an HTTP GET request with the following headers.

Authorization: xxxx. User-Agent: curl/7.30.0 Accept: / Content-Type: application/json \r\n\r\n

Please see the below HTTP.png file.

If the Content-Type header is not present then Wireshark is displaying the request and response in proper sequence.

I think the "Content-Type" header should not be used in a GET request? Is this the reason for Wireshark to fail to decode it in proper sequence?

Regards, Swathi.

asked 19 Apr '16, 05:48

swathi jakkam
accept rate: 0%

Can you share the capture somewhere publicly, e.g. Google Drive, Dropbox etc?

(19 Apr '16, 06:01) grahamb ♦

Where did you take that capture and how?

(19 Apr '16, 06:29) Kurt Knochner ♦

Could you please see the HTTP capture in the link below.

https://drive.google.com/file/d/0B_VkVWWaLuj5NnJ3Uk81Sm84ckk/view?usp=sharing

Regards, Swathi.

(19 Apr '16, 22:08) swathi jakkam

One Answer:

0

Please apply the following display filter and take a look at the timestamps of the frames.

tcp.stream eq 0

They are totally weird. So, there is either something wrong with your capturing system or something changed the timestamps in the pcap file (like anonymizer tools).

That's why you see the response before the request. So again my question:

where did you take that capture and how?

Regards
Kurt

answered 20 Apr '16, 00:56

Kurt Knochner ♦
accept rate: 15%

I am sending an HTTP GET request with the below URL: "http://www.get-utc.appspot.com/getutc". For the HTTP GET request I added the "Authorization: xxxx. User-Agent: curl/7.30.0 Accept: / Content-Type: application/json \r\n\r\n" headers. Then I captured this in Wireshark.

I have one doubt. Is the Content-Type header used in the HTTP GET method or not?

Could you please confirm when we use the Content-Type header field in HTTP.

Regards, Swathi.

(20 Apr '16, 02:29) swathi jakkam

The HTTP RFC defines NO "Content-Type" for GET requests, only for HEAD requests and for responses (where it makes sense), so "Content-Type" should not appear in GET requests, as there is no "Content" in GET requests. POST requests might have a "Content-Type" as well.

https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
Section: 14.17 Content-Type

Later RFCs might define it differently. I did not check!

But this still does not explain the weird time stamps in the pcap! Something must be wrong on your capturing system.

(20 Apr '16, 03:41) Kurt Knochner ♦
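
The timestamp check suggested in the answer can also be run outside Wireshark. The following Python code is an added example, not part of the original thread: it reads a classic pcap file (not pcapng) and lists every frame stamped earlier than the frame before it. The function names and the sample capture are constructed for illustration, and it walks the whole file rather than a single tcp.stream.

```python
import struct

# Classic pcap magic bytes as they appear on disk -> (byte order, ticks per second)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanoseconds
}

def backward_jumps(data):
    """Return [(frame_no, seconds_back)] for frames older than the previous frame."""
    order, ticks = PCAP_MAGICS.get(bytes(data[:4]), (None, None))
    if order is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    jumps, prev, offset, number = [], None, 24, 0   # 24-byte global header
    while offset + 16 <= len(data):
        # Per-record header: ts_sec, ts_frac, captured length, original length
        sec, frac, incl_len, _orig = struct.unpack_from(order + "IIII", data, offset)
        offset += 16 + incl_len
        if offset > len(data):
            break                                   # truncated final record
        number += 1                                 # Wireshark numbers frames from 1
        now = sec * ticks + frac                    # integer ticks, no float rounding
        if prev is not None and now < prev:
            jumps.append((number, (prev - now) / ticks))
        prev = now
    return jumps

def build_sample():
    """Constructed capture: four dummy frames, the third stamped before the second."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec in [(100, 0), (100, 50000), (99, 900000), (100, 100000)]:
        payload = b"\x00" * 14                      # placeholder bytes, not a real packet
        out += struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    return out

if __name__ == "__main__":
    for frame_no, back in backward_jumps(build_sample()):
        print(f"frame {frame_no}: timestamp goes back {back:.6f} s")
```

To check a real capture, pass the file's bytes, for example `backward_jumps(open(path, "rb").read())`, where `path` is your own pcap file.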