1 | initial version |
Looking at the capture I see three packets (#2, #4 and #6) with HTTP posts containing multipart MIME contents. The multipart parts are shown as data. When selecting these data parts the highlighted bytes in the packet bytes pane show where this field starts. The first bytes are 0d 0a
, which I assume does mean there's no header in this multipart part. Only then the Content-Type: application/json
is seen, which I assume is considered part of the body of this multipart part. If my assumption is correct that the header is considered empty, I would assume also that there's no handoff to a MIME type dissector and that is why you don't see the json dissection.
I would have to dig into the RFC's and/or dissector code to confirm my suspicion, but if you are in control of the composition of that POST, you could try removing the leading CRLF and see what happens.