
Why is Wireshark displaying "wtap_encap=1" in the Info column?

For the past few days, Wireshark can no longer display packets properly. All of them say "wtap_encap=1" in the Info field. I have not done anything intentionally. Can anyone help remove this strange behaviour, please? By the way, Wireshark is not necessarily the culprit, because I think I've seen the same thing with Packetyzer. I have replaced WinPcap with Npcap, to no avail. Thank you.

JJ2106
asked 2019-02-15 11:04:40 +0000
Guy Harris
updated 2019-02-15 19:41:29 +0000

Comments

Sorry, no problem with Packetyzer. My bad.

JJ2106 (2019-02-15 11:20:56 +0000)

Thanks, Graham. It works. JJ

JJ2106 (2019-02-15 16:09:43 +0000)

@JJ2106, I've converted your "answers" to comments as that's how this site works. Unfortunately I'm unable to make them appear as comments under their respective answers; you could repost your comments in the correct place.

You should also "accept" the correct answer by clicking the checkmark icon under it.

grahamb (2019-02-15 16:38:22 +0000)

2 Answers

My guess is that the Ethernet dissector is disabled. You can verify if this is the case or not via "Analyze -> Enabled Protocols -> Ethernet", and enable it if it isn't. You can also check if there are other protocols disabled, either in that same dialog or by examining the contents of the disabled_protos file in your profile's directory. If you haven't created a profile, then the Wireshark Default profile is in use. You can locate the directory for all of your Wireshark preferences via "Help -> About Wireshark -> Folders -> Personal configuration", and if you don't want any dissectors to be disabled, you can even just delete the disabled_protos file.

If it was the case that a dissector or dissectors were disabled and you didn't disable them yourself, then it's possible someone was playing a practical joke on you.

cmaynard
answered 2019-02-15 14:45:13 +0000

Comments

Hi, Cmaynard, thanks for your contribution. I'm on my own, and nobody touches my PC. So, no practical joke... JJ

JJ2106 (2019-02-15 16:19:43 +0000)

Hi, Cmaynard, thanks for your contribution. I'm on my own, and nobody touches my PC. So, no practical joke... JJ

...but you still need to make sure that the Ethernet dissector isn't disabled; if it is, the libwiretap internal encapsulation type of 1, which means "Ethernet", won't have a dissector that's used for it, so Wireshark will just report "this is a frame with libwiretap encapsulation 1, whatever that is", which is what it's doing.

Guy Harris (2019-02-15 19:43:17 +0000)
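One way to run the disabled_protos check from cmaynard's answer across the Default profile and every named profile at once, as an added example that is not part of the original thread or Wireshark's own code. It assumes the file lists one protocol filter name per line with "#" comments, that the Ethernet dissector's name there is "eth", and that named profiles sit under profiles/ inside the personal configuration directory; the sample files are constructed.

```python
import tempfile
from pathlib import Path


def read_disabled_protos(path):
    """Return the set of protocol names listed in one disabled_protos file."""
    names = set()
    for line in Path(path).read_text(encoding="utf-8", errors="replace").splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            names.add(line.lower())
    return names


def audit_profiles(config_dir, watched=("eth",)):
    """Map profile name -> watched protocols that the profile disables."""
    config_dir = Path(config_dir)
    # Assumed layout: the Default profile's files sit in the configuration
    # directory itself, named profiles under profiles/<name>/.
    candidates = {"Default": config_dir / "disabled_protos"}
    profiles_dir = config_dir / "profiles"
    if profiles_dir.is_dir():
        for sub in sorted(profiles_dir.iterdir()):
            candidates[sub.name] = sub / "disabled_protos"
    findings = {}
    for profile, path in candidates.items():
        if path.is_file():  # no file means nothing is disabled in that profile
            hit = sorted(read_disabled_protos(path) & set(watched))
            if hit:
                findings[profile] = hit
    return findings


def demo():
    """Build a constructed configuration directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "disabled_protos").write_text("# constructed sample\neth\nlldp\n")
        clean = root / "profiles" / "Clean"
        clean.mkdir(parents=True)
        (clean / "disabled_protos").write_text("# constructed sample\nlldp\n")
        (root / "profiles" / "Fresh").mkdir()  # profile with no file at all
        return audit_profiles(root)


if __name__ == "__main__":
    print(demo())
```

To check a real installation, call audit_profiles() with the path shown under "Help -> About Wireshark -> Folders -> Personal configuration".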

In Wireshark, try creating a new profile. Right click the profile entry at the bottom right and select "New...", or from the menu Edit -> "Configuration Profiles..." and then click the "+" button.

grahamb
answered 2019-02-15 11:09:38 +0000
