diff --git a/parse_tshark_pcap.py b/parse_tshark_pcap.py
index 28e4dc5..25cd1f2 100755
--- a/parse_tshark_pcap.py
+++ b/parse_tshark_pcap.py
@@ -68,10 +68,21 @@ def parse_tshark_output(pcap_file: str) -> List[List[str]]:
 check=False # Don't fail on errors
 )
 
+ # Debug: Check if we got any output
+ if result.stderr:
+ # Print stderr warnings but don't fail
+ pass # We'll filter these out
+
 # Filter out error messages and status lines
 lines = []
- for line in result.stdout.splitlines():
- line = line.strip()
+ raw_lines = result.stdout.splitlines()
+
+ # Debug: If no lines parsed, show what we got
+ if len(raw_lines) == 0:
+ return []
+
+ for line in raw_lines:
+ line = line.rstrip() # Only strip trailing whitespace, keep leading tabs
 # Skip empty lines and tshark status messages
 if not line:
 continue
@@ -79,11 +90,23 @@ def parse_tshark_output(pcap_file: str) -> List[List[str]]:
 continue
 if "tshark:" in line.lower() or "packets captured" in line.lower():
 continue
- # Only process lines that start with a number (frame number)
- if line and line[0].isdigit():
- fields = line.split("\t")
- if len(fields) > 0:
+
+ # Split by tab to get fields
+ fields = line.split("\t")
+ if len(fields) == 0:
+ continue
+
+ # Check if first field (frame.number) is a valid number
+ # This handles cases where frame.number might be empty or the line starts with tabs
+ first_field = fields[0].strip()
+ # Try to parse as integer - if it succeeds, it's a valid frame number
+ try:
+ frame_num = int(first_field)
+ if frame_num > 0: # Valid frame numbers are positive
 lines.append(fields)
+ except (ValueError, IndexError):
+ # Not a valid frame number, skip this line
+ continue
 
 return lines
 
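Review bot: The new `if result.stderr:` branch only executes `pass`, so tshark's stderr is still discarded even though its comment says the warnings are printed. With `check=False` visible just above, a failed read of the capture (for example a truncated or malformed pcap) returns the same `[]` as a genuinely empty one. That silent failure is worth surfacing in a tool whose output feeds packet analysis: replace the `pass` with `print(result.stderr.strip(), file=sys.stderr)` (assuming `sys` is imported in this file) and consider reporting a non-zero `result.returncode` as well. The "Debug:" comment over `if len(raw_lines) == 0:` should be reworded, since nothing is shown there. The subprocess call itself and the start of the function lie outside the hunk.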
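Review bot: In the new `try` block `IndexError` can never be raised, because `fields[0]` is read before the `try` and `str.split("\t")` always returns at least one element; the `if len(fields) == 0:` guard is dead for the same reason. `except ValueError:` states the real condition, and the trailing `continue` at the end of the loop body can go. `int()` also accepts forms such as `+5` or `1_000`, so if only plain decimal frame numbers should pass, `if first_field.isascii() and first_field.isdigit() and int(first_field) > 0:` is stricter. Separately, the context-line filter `"tshark:" in line.lower()` still runs before this check and matches anywhere in the row, including captured field text, so a real packet row can be dropped; now that the frame number is validated, that filter could be limited to rows that fail the validation.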
@@ -234,6 +257,22 @@ def main():
 # Parse packets
 packets = parse_tshark_output(pcap_file)
 final_count = count_packets(packets)
+
+ # Debug: If no packets parsed but raw count shows packets, try to see what tshark output
+ if final_count == 0 and raw_packet_count > 0:
+ # Try a simple test to see if tshark can read the file
+ import subprocess
+ test_result = subprocess.run(
+ ["tshark", "-q", "-r", pcap_file, "-n", "-T", "fields", "-e", "frame.number"],
+ capture_output=True,
+ text=True
+ )
+ if test_result.stdout:
+ sample_lines = test_result.stdout.splitlines()[:5]
+ print(f"Debug: tshark -T fields -e frame.number returned {len(test_result.stdout.splitlines())} lines")
+ print(f"Debug: First 5 lines: {sample_lines}")
+ else:
+ print("Debug: tshark returned no output")
 plcp_count = count_plcp_headers(packets)
 
 # Check for parsing issues
diff --git a/test_monitor_tshark.sh b/test_monitor_tshark.sh
index b8eed77..8d510ac 100755
--- a/test_monitor_tshark.sh
+++ b/test_monitor_tshark.sh
@@ -39,7 +39,7 @@ echo "Duration: $DURATION seconds"
 echo ""
 
 # Check if running as root
-if [ "$EUID" -ne 0 ]; then
+if [ "$EUID" -ne 0 ]; then
 echo "Please run as root (use sudo)"
 exit 1
 fi
@@ -174,7 +174,7 @@ fi
 if [ -f "$TEMP_PCAP" ]; then
 PCAP_SIZE=$(stat -c%s "$TEMP_PCAP" 2>/dev/null || stat -f%z "$TEMP_PCAP" 2>/dev/null || echo "0")
 echo "Pcap file size: $PCAP_SIZE bytes"
-
+
 # Count packets in raw pcap file using capinfos or tshark
 if command -v capinfos &> /dev/null; then
 RAW_PACKET_COUNT=$(capinfos -c "$TEMP_PCAP" 2>/dev/null | grep "^Number of packets:" | awk '{print $4}' || echo "0")
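Review bot: The `else` branch of the new diagnostic in `main()` prints "tshark returned no output" but drops `test_result.stderr` and `test_result.returncode`, so the case this block exists to explain (tshark failing to read the file) stays unexplained. Suggest `print(f"Debug: tshark returned no output (rc={test_result.returncode}): {test_result.stderr.strip()}")` there. The second tshark pass over the whole capture also has no `timeout=`, so a very large or damaged file can stall the script at this point. The function-level `import subprocess` looks redundant if the module already imports it for `parse_tshark_output` (the import block is outside this diff). `raw_packet_count` is defined outside the hunk, and `main()` continues past it.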