diff --git a/test_monitor_tshark.sh b/test_monitor_tshark.sh
index 61cc399..4b32a1d 100755
--- a/test_monitor_tshark.sh
+++ b/test_monitor_tshark.sh
@@ -194,8 +194,7 @@ else
 fi
 
 # Now parse the pcap file to extract fields
-# Don't use display filter - extract all frames and handle missing fields gracefully
-# Include IP addresses to identify iperf traffic
+# Only extract 802.11 header fields - data payloads are encrypted
 CAPTURE_OUTPUT=$(tshark -q -r "$TEMP_PCAP" -n -T fields \
 -e frame.number \
 -e frame.time \
@@ -204,14 +203,10 @@ CAPTURE_OUTPUT=$(tshark -q -r "$TEMP_PCAP" -n -T fields \
 -e wlan.fc.type \
 -e wlan.fc.subtype \
 -e wlan.fc.type_subtype \
+ -e wlan.fc.protected \
+ -e wlan.fc.retry \
+ -e wlan.duration \
 -e radiotap.present \
- -e ip.src \
- -e ip.dst \
- -e ip.proto \
- -e tcp.srcport \
- -e tcp.dstport \
- -e udp.srcport \
- -e udp.dstport \
 2>&1 | grep -v "^tshark:" | grep -v "^Running as" | grep -v "^Capturing" || true)
 
 # Clean up temp file (unless KEEP_PCAP is set)
@@ -251,8 +246,8 @@ if [ "$FINAL_COUNT" -lt "$RAW_PACKET_COUNT" ] && [ "$RAW_PACKET_COUNT" -gt 10 ];
 fi
 
 # Count packets with PLCP headers (radiotap present)
-# radiotap.present field is the 8th field (after frame.number, frame.time, wlan.ra, wlan.ta, wlan.fc.type, wlan.fc.subtype, wlan.fc.type_subtype)
-PLCP_COUNT=$(echo "$PACKET_LINES" | awk -F'\t' 'NF >= 8 && $1 != "" && $8 != "" && $8 != "0" && $8 != "-" {count++} END {print count+0}' || echo "0")
+# radiotap.present is field 11 (after frame.number, frame.time, wlan.ra, wlan.ta, wlan.fc.type, wlan.fc.subtype, wlan.fc.type_subtype, wlan.fc.protected, wlan.fc.retry, wlan.duration)
+PLCP_COUNT=$(echo "$PACKET_LINES" | awk -F'\t' 'NF >= 11 && $1 != "" && $11 != "" && $11 != "0" && $11 != "-" {count++} END {print count+0}' || echo "0")
 
 # Display stats immediately - always show these
 echo "Total packets captured: $FINAL_COUNT"
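Review bot: The column positions created by the new `-e` list are spelled out as literals (`NF >= 11`, `$11`) in the PLCP_COUNT line of the -251 hunk and again as `$8`…`$11` in every awk script of the -272, -327 and -385 hunks, so the next `-e` added to this command silently shifts all of them with no failing check. Holding the field list once in an array, passing it through to tshark and deriving the radiotap column from its length leaves a single place to change; the `wlan.ra`/`wlan.ta` lines named in the updated comment sit above this hunk and would move into the same array. This assumes the script runs under bash, which I cannot confirm from the visible lines.
```sh
# Single source of truth for the tshark column layout: the awk scripts below
# index fields by position, so append new fields here and update their column.
TSHARK_FIELDS=(frame.number frame.time wlan.ra wlan.ta wlan.fc.type wlan.fc.subtype
               wlan.fc.type_subtype wlan.fc.protected wlan.fc.retry wlan.duration radiotap.present)
TSHARK_FIELD_ARGS=()
for f in "${TSHARK_FIELDS[@]}"; do TSHARK_FIELD_ARGS+=(-e "$f"); done
RADIOTAP_COL=${#TSHARK_FIELDS[@]}   # radiotap.present is the last column
CAPTURE_OUTPUT=$(tshark -q -r "$TEMP_PCAP" -n -T fields "${TSHARK_FIELD_ARGS[@]}" \
    2>&1 | grep -v "^tshark:" | grep -v "^Running as" | grep -v "^Capturing" || true)
# … unchanged: temp file cleanup and the FINAL_COUNT/RAW_PACKET_COUNT check …
PLCP_COUNT=$(echo "$PACKET_LINES" | awk -F'\t' -v c="$RADIOTAP_COL" \
    'NF >= c && $1 != "" && $c != "" && $c != "0" && $c != "-" {count++} END {print count+0}' || echo "0")
```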
@@ -272,15 +267,13 @@ if [ -n "$PACKET_LINES" ] && [ "$FINAL_COUNT" -gt 0 ]; then
 ta = ($4 != "" && $4 != "-") ? $4 : "N/A"
 type = ($5 != "" && $5 != "-") ? $5 : "N/A"
 subtype = ($6 != "" && $6 != "-") ? $6 : "N/A"
- radiotap = ($8 == "1" || $8 == "1.0") ? "yes" : (($8 != "" && $8 != "-") ? "no" : "N/A")
- src_ip = ($9 != "" && $9 != "-") ? $9 : ""
- dst_ip = ($10 != "" && $10 != "-") ? $10 : ""
- ip_info = ""
- if (src_ip != "" && dst_ip != "") {
- ip_info = sprintf(" IP=%s->%s", src_ip, dst_ip)
- }
- printf " Frame %s: RA=%s, TA=%s, type=%s/%s, PLCP=%s%s\n",
- $1, ra, ta, type, subtype, radiotap, ip_info
+ protected = ($8 == "1" || $8 == "1.0") ? "encrypted" : "unencrypted"
+ retry = ($9 == "1" || $9 == "1.0") ? "retry" : ""
+ duration = ($10 != "" && $10 != "-") ? $10 : "N/A"
+ radiotap = ($11 == "1" || $11 == "1.0") ? "yes" : (($11 != "" && $11 != "-") ? "no" : "N/A")
+ retry_str = (retry != "") ? sprintf(" [%s]", retry) : ""
+ printf " Frame %s: RA=%s, TA=%s, type=%s/%s, %s, dur=%s, PLCP=%s%s\n",
+ $1, ra, ta, type, subtype, protected, duration, radiotap, retry_str
 }'
 
 echo ""
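Review bot: The new `protected` line maps an empty or `-` field 8 to "unencrypted", unlike the `radiotap` line three below it, which keeps "N/A" for a missing value; a frame tshark could not decode is therefore reported as cleartext, which is the wrong default for a label meant to separate encrypted from unencrypted traffic. Suggest `protected = ($8 == "1" || $8 == "1.0") ? "encrypted" : (($8 != "" && $8 != "-") ? "unencrypted" : "N/A")`; the identical line recurs in the -327 and -385 hunks. If the installed tshark prints boolean fields as `True`/`False` rather than `1`/`0` (this differs between versions and I cannot confirm it here), every `== "1"` test in this block would quietly classify all frames as unencrypted, so the format is worth asserting once against a frame known to be protected. The awk program and its enclosing `if` begin above this hunk.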
@@ -327,48 +320,36 @@ if [ -n "$PACKET_LINES" ] && [ "$FINAL_COUNT" -gt 0 ]; then
 }' | sort -rn
 echo ""
 
- # Look for IP traffic (iperf typically uses TCP port 5001)
- echo "IP traffic analysis (looking for iperf on TCP port 5001):"
- IPERF_FRAMES=$(echo "$PACKET_LINES" | awk -F'\t' '{
- src_port = ($12 != "" && $12 != "-") ? $12 : ""
- dst_port = ($13 != "" && $13 != "-") ? $13 : ""
- proto = ($11 != "" && $11 != "-") ? $11 : ""
- if ((src_port == "5001" || dst_port == "5001") && proto == "6") {
+ # Analyze data frames (iperf uses QoS Data frames, subtype 8)
+ echo "Data frame analysis (iperf typically uses QoS Data frames, subtype 8):"
+ DATA_FRAMES=$(echo "$PACKET_LINES" | awk -F'\t' '{
+ type = ($5 != "" && $5 != "-") ? $5 : ""
+ subtype = ($6 != "" && $6 != "-") ? $6 : ""
+ if (type == "2" && subtype == "8") { # QoS Data frames
 print $0
 }
 }')
- IPERF_COUNT=$(echo "$IPERF_FRAMES" | wc -l || echo "0")
- if [ "$IPERF_COUNT" -gt 0 ]; then
- echo " Found $IPERF_COUNT frames with TCP port 5001 (iperf)"
- echo " Sample iperf frames:"
- echo "$IPERF_FRAMES" | head -5 | awk -F'\t' '{
+ DATA_COUNT=$(echo "$DATA_FRAMES" | wc -l || echo "0")
+ echo " QoS Data frames (type 2, subtype 8): $DATA_COUNT"
+
+ # Count encrypted vs unencrypted data frames
+ ENCRYPTED_DATA=$(echo "$DATA_FRAMES" | awk -F'\t' '$8 == "1" || $8 == "1.0" {count++} END {print count+0}')
+ UNENCRYPTED_DATA=$(echo "$DATA_FRAMES" | awk -F'\t' '$8 != "1" && $8 != "1.0" && $8 != "" && $8 != "-" {count++} END {print count+0}')
+ echo " Encrypted: $ENCRYPTED_DATA"
+ echo " Unencrypted: $UNENCRYPTED_DATA"
+
+ if [ "$DATA_COUNT" -gt 0 ]; then
+ echo " Sample QoS Data frames (likely iperf traffic):"
+ echo "$DATA_FRAMES" | head -5 | awk -F'\t' '{
 ra = ($3 != "" && $3 != "-") ? $3 : "N/A"
 ta = ($4 != "" && $4 != "-") ? $4 : "N/A"
- src_ip = ($9 != "" && $9 != "-") ? $9 : "N/A"
- dst_ip = ($10 != "" && $10 != "-") ? $10 : "N/A"
- src_port = ($12 != "" && $12 != "-") ? $12 : "N/A"
- dst_port = ($13 != "" && $13 != "-") ? $13 : "N/A"
- printf " Frame %s: %s:%s -> %s:%s (RA=%s, TA=%s)\n",
- $1, src_ip, src_port, dst_ip, dst_port, ra, ta
+ protected = ($8 == "1" || $8 == "1.0") ? "encrypted" : "unencrypted"
+ retry = ($9 == "1" || $9 == "1.0") ? "retry" : ""
+ duration = ($10 != "" && $10 != "-") ? $10 : "N/A"
+ retry_str = (retry != "") ? sprintf(" [%s]", retry) : ""
+ printf " Frame %s: RA=%s, TA=%s, %s, dur=%s%s\n",
+ $1, ra, ta, protected, duration, retry_str
 }'
- else
- echo " No frames found with TCP port 5001"
- echo " Checking for any TCP traffic:"
- TCP_COUNT=$(echo "$PACKET_LINES" | awk -F'\t' '$11 == "6" {count++} END {print count+0}')
- echo " TCP frames: $TCP_COUNT"
- if [ "$TCP_COUNT" -gt 0 ]; then
- echo " Sample TCP frames:"
- echo "$PACKET_LINES" | awk -F'\t' '$11 == "6" {print}' | head -5 | awk -F'\t' '{
- ra = ($3 != "" && $3 != "-") ? $3 : "N/A"
- ta = ($4 != "" && $4 != "-") ? $4 : "N/A"
- src_ip = ($9 != "" && $9 != "-") ? $9 : "N/A"
- dst_ip = ($10 != "" && $10 != "-") ? $10 : "N/A"
- src_port = ($12 != "" && $12 != "-") ? $12 : "N/A"
- dst_port = ($13 != "" && $13 != "-") ? $13 : "N/A"
- printf " Frame %s: %s:%s -> %s:%s (RA=%s, TA=%s)\n",
- $1, src_ip, src_port, dst_ip, dst_port, ra, ta
- }'
- fi
 fi
 echo ""
 
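Review bot: `DATA_COUNT=$(echo "$DATA_FRAMES" | wc -l || echo "0")` reports 1 when DATA_FRAMES is empty, because `echo` still emits a newline; the summary line then claims one QoS Data frame and the `if [ "$DATA_COUNT" -gt 0 ]` sample branch runs on an empty string (the `|| echo "0"` is never reached, since `wc -l` does not fail on empty input). `DATA_COUNT=$(printf '%s\n' "$DATA_FRAMES" | grep -c . || true)` counts only non-empty lines and yields 0 in that case. Relatedly, ENCRYPTED_DATA plus UNENCRYPTED_DATA can fall short of DATA_COUNT because the UNENCRYPTED filter excludes empty and `-` values while the sample `protected` line labels those same frames "unencrypted"; printing "N/A" there, or adding an "unknown" bucket, would make the three numbers reconcile. The enclosing `if` begins before this hunk.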
@@ -385,16 +366,33 @@ if [ -n "$PACKET_LINES" ] && [ "$FINAL_COUNT" -gt 0 ]; then
 SERVER_COUNT=$(echo "$SERVER_FRAMES" | wc -l || echo "0")
 echo " Total frames with server MAC: $SERVER_COUNT"
 if [ "$SERVER_COUNT" -gt 0 ]; then
+ echo " Frame type breakdown:"
+ echo "$SERVER_FRAMES" | awk -F'\t' '{
+ type = ($5 != "" && $5 != "-") ? $5 : "unknown"
+ subtype = ($6 != "" && $6 != "-") ? $6 : "unknown"
+ type_name = "Unknown"
+ if (type == "0") type_name = "Management"
+ else if (type == "1") type_name = "Control"
+ else if (type == "2") type_name = "Data"
+ count[type_name]++
+ }
+ END {
+ for (t in count) {
+ printf " %s: %d frame(s)\n", t, count[t]
+ }
+ }' | sort -rn
 echo " Sample frames:"
 echo "$SERVER_FRAMES" | head -5 | awk -F'\t' '{
 ra = ($3 != "" && $3 != "-") ? $3 : "N/A"
 ta = ($4 != "" && $4 != "-") ? $4 : "N/A"
 type = ($5 != "" && $5 != "-") ? $5 : "N/A"
 subtype = ($6 != "" && $6 != "-") ? $6 : "N/A"
- src_ip = ($9 != "" && $9 != "-") ? $9 : "N/A"
- dst_ip = ($10 != "" && $10 != "-") ? $10 : "N/A"
- printf " Frame %s: RA=%s, TA=%s, type=%s/%s, IP=%s->%s\n",
- $1, ra, ta, type, subtype, src_ip, dst_ip
+ protected = ($8 == "1" || $8 == "1.0") ? "encrypted" : "unencrypted"
+ retry = ($9 == "1" || $9 == "1.0") ? "retry" : ""
+ duration = ($10 != "" && $10 != "-") ? $10 : "N/A"
+ retry_str = (retry != "") ? sprintf(" [%s]", retry) : ""
+ printf " Frame %s: RA=%s, TA=%s, type=%s/%s, %s, dur=%s%s\n",
+ $1, ra, ta, type, subtype, protected, duration, retry_str
 }'
 fi
 echo ""
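Review bot: The new frame-type breakdown pipes lines shaped like ` Management: 5 frame(s)` into `sort -rn`, but `-n` reads the leading word as 0, so the list comes out in reverse name order rather than by count; `}' | sort -t: -k2,2 -rn` keys on the number after the colon. `subtype` is assigned in that awk block but never read, so it can be dropped. The same `sort -rn` pattern is visible as context at the top of the -327 hunk and presumably has the same ordering issue, though that code is not part of this change. The enclosing `if` on `$PACKET_LINES` begins before this hunk.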