rjmcmahon
/
fiwi_monitor
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix packet parsing by removing restrictive display filter 

- Remove -Y filter that was excluding frames without RA/TA
- Process all frames and handle missing fields gracefully
- Add warning when parsed count differs from raw packet count
- This should fix the issue where pcap has 217 packets but script only shows 1

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Robert McMahon 2026-02-13 14:24:14 -08:00
parent bc282a348a
commit 0b946a6d53
1 changed files with 11 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
test_monitor_tshark.sh
View File

@ -194,9 +194,9 @@ else
fi fi
# Now parse the pcap file to extract fields # Now parse the pcap file to extract fields
# Use -Y filter to only process frames that have RA/TA to avoid field errors # Don't use display filter - extract all frames and handle missing fields gracefully
# Use -E header=y to include field names, then parse
CAPTURE_OUTPUT=$(tshark -q -r "$TEMP_PCAP" -n -T fields \ CAPTURE_OUTPUT=$(tshark -q -r "$TEMP_PCAP" -n -T fields \
-Y "(wlan.ra) || (wlan.ta)" \
-e frame.number \ -e frame.number \
-e frame.time \ -e frame.time \
-e wlan.ra \ -e wlan.ra \
@ -205,7 +205,7 @@ CAPTURE_OUTPUT=$(tshark -q -r "$TEMP_PCAP" -n -T fields \
-e wlan.fc.subtype \ -e wlan.fc.subtype \
-e wlan.fc.type_subtype \ -e wlan.fc.type_subtype \
-e radiotap.present \ -e radiotap.present \
2>/dev/null || true) 2>&1 | grep -v "^tshark:" | grep -v "^Running as" | grep -v "^Capturing" || true)
# Clean up temp file (unless KEEP_PCAP is set) # Clean up temp file (unless KEEP_PCAP is set)
if [ -z "$KEEP_PCAP" ]; then if [ -z "$KEEP_PCAP" ]; then
@ -233,9 +233,16 @@ fi
# Count total packets captured (lines starting with a number followed by tab) # Count total packets captured (lines starting with a number followed by tab)
# Filter out tshark status messages like "100 packets captured" or "Capturing on..." # Filter out tshark status messages like "100 packets captured" or "Capturing on..."
# Only count lines that look like actual packet data: number, tab, then more fields # Only count lines that look like actual packet data: number, tab, then more fields
PACKET_LINES=$(echo "$CAPTURE_OUTPUT" | grep -E '^[0-9]+\t' | grep -v -E '(packets captured|Capturing on|Running as)' || true) # Also handle lines that start with just a number (frame.number field)
PACKET_LINES=$(echo "$CAPTURE_OUTPUT" | grep -E '^[0-9]+' | grep -v -E '(packets captured|Capturing on|Running as|tshark:)' || true)
FINAL_COUNT=$(echo "$PACKET_LINES" | wc -l || echo "0") FINAL_COUNT=$(echo "$PACKET_LINES" | wc -l || echo "0")
# If we got very few packets but raw count shows many, there might be a parsing issue
if [ "$FINAL_COUNT" -lt "$RAW_PACKET_COUNT" ] && [ "$RAW_PACKET_COUNT" -gt 10 ]; then
echo "Warning: Parsed $FINAL_COUNT packets but pcap file contains $RAW_PACKET_COUNT packets"
echo " This may indicate field extraction issues. Check tshark output above."
fi
# Count packets with PLCP headers (radiotap present) # Count packets with PLCP headers (radiotap present)
# radiotap.present field is the 8th field (after frame.number, frame.time, wlan.ra, wlan.ta, wlan.fc.type, wlan.fc.subtype, wlan.fc.type_subtype) # radiotap.present field is the 8th field (after frame.number, frame.time, wlan.ra, wlan.ta, wlan.fc.type, wlan.fc.subtype, wlan.fc.type_subtype)
PLCP_COUNT=$(echo "$PACKET_LINES" | awk -F'\t' 'NF >= 8 && $1 != "" && $8 != "" && $8 != "0" && $8 != "-" {count++} END {print count+0}' || echo "0") PLCP_COUNT=$(echo "$PACKET_LINES" | awk -F'\t' 'NF >= 8 && $1 != "" && $8 != "" && $8 != "0" && $8 != "-" {count++} END {print count+0}' || echo "0")