Ask Your Question

Why is Wireshark displaying "wtap_encap=1" in the Info column?

asked 2019-02-15 11:04:40 +0000

JJ2106 gravatar image

updated 2019-02-15 19:41:29 +0000

Guy Harris gravatar image

For the past few days, Wireshark can no longer display packets properly. All od them say "wtap_encap=1" in the info field. I have not done anything intentionally. Can anyone help removing this strange behaviour, please? By the way, Wireshark is not necessarily the culprit, because I think I've seen the same thing with Packetyzer. I have replaced Winpcap with Npap, to no avail. Thank you

edit retag flag offensive close merge delete


Sorry, no problem with Packetyser. My bad.

JJ2106 gravatar imageJJ2106 ( 2019-02-15 11:20:56 +0000 )edit

Thanks, Graham. It works. JJ

JJ2106 gravatar imageJJ2106 ( 2019-02-15 16:09:43 +0000 )edit

@JJ2106, I've converted your "answers" to comments as that's how this site works. Unfortunately I'm unable to make them appear as comments under their respective answers, you could repost your comments in the correct place.

You should also "accept" the correct answer by clicking the checkmark icon under it.

grahamb gravatar imagegrahamb ( 2019-02-15 16:38:22 +0000 )edit

2 Answers

Sort by ยป oldest newest most voted

answered 2019-02-15 14:45:13 +0000

cmaynard gravatar image

My guess is that the Ethernet dissector is disabled. You can verify if this is the case or not via "Analyze -> Enabled Protocols -> Ethernet", and enable it if it isn't. You can also check if there are other protocols disabled, either in that same dialog or by examining the contents of the disabled_protos file in your profile's directory. If you haven't created a profile, then the Wireshark Default profile is in use. You can locate the directory for all of your Wireshark preferences via "Help -> About Wireshark -> Folders -> Personal configuration", and if you don't want any dissectors to be disabled, you can even just delete the disabled_protos file.

If it was the case that a dissector or dissectors were disabled and you didn't disable them yourself, then it's possible someone was playing a practical joke on you.

edit flag offensive delete link more


Hi, Cmaynard, thanks for your contribution. I'm on my own, and nobody touches my PC. So, no practical joke... JJ

JJ2106 gravatar imageJJ2106 ( 2019-02-15 16:19:43 +0000 )edit

Hi, Cmaynard, thanks for your contribution. I'm on my own, and nobody touches my PC. So, no practical joke... JJ

...but you still need to make sure that the Ethernet dissector isn't disabled; if it is, the libwiretap internal encapsulation type of 1, which means "Ethernet", won't have a dissector that's used for it, so Wireshark will just report "this is a frame with libwiretap encapsulation 1, whatever that is", which is what it's doing.

Guy Harris gravatar imageGuy Harris ( 2019-02-15 19:43:17 +0000 )edit

answered 2019-02-15 11:09:38 +0000

grahamb gravatar image

In Wireshark, try creating a new profile. Right click the profile entry at the bottom right and select "New...", or from the menu Edit -> "Configuration Profiles..." and then click the "+" button".

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2019-02-15 11:04:40 +0000

Seen: 601 times

Last updated: Feb 15 '19