Fix packet parsing by removing restrictive display filter
- Remove -Y filter that was excluding frames without RA/TA - Process all frames and handle missing fields gracefully - Add warning when parsed count differs from raw packet count - This should fix the issue where pcap has 217 packets but script only shows 1 Co-authored-by: Cursor <cursoragent@cursor.com>
parent
bc282a348a
commit
0b946a6d53
@ -194,9 +194,9 @@ else
fi
# Now parse the pcap file to extract fields
# Use -Y filter to only process frames that have RA/TA to avoid field errors
# Don't use display filter - extract all frames and handle missing fields gracefully
# Use -E header=y to include field names, then parse
CAPTURE_OUTPUT=$(tshark -q -r "$TEMP_PCAP" -n -T fields \
-Y "(wlan.ra) || (wlan.ta)" \
-e frame.number \
-e frame.time \
-e wlan.ra \
@ -205,7 +205,7 @@ CAPTURE_OUTPUT=$(tshark -q -r "$TEMP_PCAP" -n -T fields \
-e wlan.fc.subtype \
-e wlan.fc.type_subtype \
-e radiotap.present \
2>/dev/null || true)
2>&1 | grep -v "^tshark:" | grep -v "^Running as" | grep -v "^Capturing" || true)
# Clean up temp file (unless KEEP_PCAP is set)
if [ -z "$KEEP_PCAP" ]; then
@ -233,9 +233,16 @@ fi
# Count total packets captured (lines starting with a number followed by tab)
# Filter out tshark status messages like "100 packets captured" or "Capturing on..."
# Only count lines that look like actual packet data: number, tab, then more fields
PACKET_LINES=$(echo "$CAPTURE_OUTPUT" | grep -E '^[0-9]+\t' | grep -v -E '(packets captured|Capturing on|Running as)' || true)
# Also handle lines that start with just a number (frame.number field)
PACKET_LINES=$(echo "$CAPTURE_OUTPUT" | grep -E '^[0-9]+' | grep -v -E '(packets captured|Capturing on|Running as|tshark:)' || true)
FINAL_COUNT=$(echo "$PACKET_LINES" | wc -l || echo "0")
# If we got very few packets but raw count shows many, there might be a parsing issue
if [ "$FINAL_COUNT" -lt "$RAW_PACKET_COUNT" ] && [ "$RAW_PACKET_COUNT" -gt 10 ]; then
echo "Warning: Parsed $FINAL_COUNT packets but pcap file contains $RAW_PACKET_COUNT packets"
echo " This may indicate field extraction issues. Check tshark output above."
fi
# Count packets with PLCP headers (radiotap present)
# radiotap.present field is the 8th field (after frame.number, frame.time, wlan.ra, wlan.ta, wlan.fc.type, wlan.fc.subtype, wlan.fc.type_subtype)
PLCP_COUNT=$(echo "$PACKET_LINES" | awk -F'\t' 'NF >= 8 && $1 != "" && $8 != "" && $8 != "0" && $8 != "-" {count++} END {print count+0}' || echo "0")
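Review bot: The "only 1 packet" symptom is probably not the -Y filter but the `\t` in the old `grep -E '^[0-9]+\t'` (POSIX ERE has no tab escape, and GNU grep treats it as a literal `t`, so no frame line ever matched) combined with `FINAL_COUNT=$(echo "$PACKET_LINES" | wc -l || echo "0")`, which reports 1 for an empty `PACKET_LINES` because `echo ""` still emits one newline; the new `grep -E '^[0-9]+'` hides the first problem and leaves the second, so the new warning block will still see a count of 1 when nothing was parsed. Keeping the stricter line shape and fixing the empty case would be `PACKET_LINES=$(printf '%s\n' "$CAPTURE_OUTPUT" | grep -E $'^[0-9]+\t' || true)` and `FINAL_COUNT=$(printf '%s' "$PACKET_LINES" | grep -c .)`, assuming the script runs under bash for the `$'...'` quoting. The stricter shape matters because the `2>&1` added after `-e radiotap.present` now routes every tshark diagnostic into the data stream, so any stderr line beginning with a digit that the three blocklisted prefixes miss would be counted as a packet; redirecting stderr to a separate temp file and printing it when the warning fires would keep diagnostics out of the parse and, unless `CAPTURE_OUTPUT` is echoed elsewhere, make the "Check tshark output above" message accurate. The trailing `|| true` on that pipeline also masks a non-zero exit from tshark itself, so an unreadable pcap and an empty capture are indistinguishable at this point.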