pcap Network Type 276 Unknown or Unsupported

A network engineer received a pcap from a remote site that claimed to be "Ethernet", but the file command reported "pcap: DLT 276". The remote script had a bug: pcap_open_dead() was called with the wrong DLT because of an uninitialized variable. Solution: they fixed the capture script and re-ran the test.


Wireshark's editcap tool can change the DLT of a pcap file without altering the packet data. Caution: Only do this if you are certain of the true link-layer type.

For example, if you know the packets are actually raw Ethernet (Type 1):

editcap -T ether broken_type276.pcap fixed_ethernet.pcap

If the packets are raw IP (no header, Type 101):

editcap -T rawip broken_type276.pcap fixed_rawip.pcap

If the original data was Linux SLL (Type 113):

editcap -T linux-sll broken_type276.pcap fixed_linux.pcap

How to guess the right type? Run tcpdump -r broken_type276.pcap -v and ignore the header error. If you see familiar IP addresses after garbage, try DLT_RAW (101). If you see MAC addresses, try DLT_EN10MB (1).
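An added example (not from the original page) of the guessing step above, in Python: it reads the link type from a classic pcap header, guesses DLT 1, 101 or 113 from the first packet's bytes, and rewrites only the header field. The function names and sample packets are constructed for illustration, and the raw-IP check assumes the packet was not truncated by the snap length.

```python
import struct

# Byte order for each classic pcap magic (microsecond and nanosecond variants).
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}
ETHERTYPES = {0x0800, 0x0806, 0x86DD}  # IPv4, ARP, IPv6

def read_pcap(data):
    """Return (byte order, header link type, bytes of the first packet)."""
    order = MAGICS.get(data[:4])
    if order is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(order + "I", data[20:24])[0] & 0xFFFF
    if len(data) < 40:                      # header only, no packet records
        return order, linktype, b""
    caplen = struct.unpack(order + "I", data[32:36])[0]
    return order, linktype, data[40:40 + caplen]

def guess_linktype(pkt):
    """Heuristic guess from one packet: 101, 1, 113, or None if unsure."""
    if len(pkt) >= 20 and pkt[0] >> 4 == 4:          # IPv4 at offset 0
        if struct.unpack(">H", pkt[2:4])[0] == len(pkt):
            return 101                                # DLT_RAW
    if len(pkt) >= 40 and pkt[0] >> 4 == 6:          # IPv6 at offset 0
        if struct.unpack(">H", pkt[4:6])[0] == len(pkt) - 40:
            return 101
    if len(pkt) >= 14 and struct.unpack(">H", pkt[12:14])[0] in ETHERTYPES:
        return 1                                      # DLT_EN10MB
    if len(pkt) >= 16 and struct.unpack(">H", pkt[14:16])[0] in ETHERTYPES \
            and struct.unpack(">H", pkt[0:2])[0] <= 4:
        return 113                                    # DLT_LINUX_SLL
    return None

def set_linktype(data, new_type):
    """Rewrite only the header's link-type field; packet bytes are untouched."""
    order, _, _ = read_pcap(data)
    return data[:20] + struct.pack(order + "I", new_type) + data[24:]

def build_sample(linktype, pkt):
    """Constructed input: a one-packet little-endian pcap."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return hdr + struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt

# Constructed packets (documentation addresses 192.0.2.1 -> 192.0.2.2).
IPV4 = bytes.fromhex("450000140000000040010000c0000201c0000202")
ETH = bytes.fromhex("020000000001020000000002" "0800") + IPV4
SLL = bytes.fromhex("0000000100060200000000020000" "0800") + IPV4

if __name__ == "__main__":
    broken = build_sample(276, ETH)
    fixed = set_linktype(broken, guess_linktype(read_pcap(broken)[2]))
    print(read_pcap(broken)[1], "->", read_pcap(fixed)[1])
```

A None result means the first packet matched none of the three layouts; check several packets by hand before forcing a type.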

If you absolutely need to preserve DLT 276 because you are writing a custom dissector, you can modify pcap-common.c in the libpcap source. Add an entry to the dlt_to_linktype array:

{ 276, "CUSTOM_MY_PROTO", DLT_CUSTOM },

Recompile and install libpcap. This is overkill for most users.

The error "pcap network type 276 unknown or unsupported" is a frustrating but surmountable obstacle. It signals a mismatch between your capture tool’s expectations and your analyzer’s capabilities—not a corrupted file or a hopeless situation.

By understanding DLTs, using editcap to force a link type, updating your libpcap, or converting to pcapng, you can almost always recover the packets. In the world of network forensics, data is king. Do not let a three-digit number stand between you and your analysis.

Final Checklist when you see "276":

Your packets are there. You just need to teach your tool how to greet them.


Some proprietary analysis tools (e.g., from Cisco, Arista, or certain SD-WAN probes) assign custom DLT values (often in the range 200–300) for internal telemetry. DLT 276 might be repurposed in your specific environment—though officially it's Nordic BLE, not all vendors follow the registry.
