From ba4fb72a40df4dc832c563d9877efe8b0be8a7a9 Mon Sep 17 00:00:00 2001
From: Robert McMahon
Date: Fri, 13 Feb 2026 14:13:19 -0800
Subject: [PATCH] Add diagnostics for pcap file capture issues
- Check if pcap file exists and show its size
- Count raw packets in pcap file using capinfos or tshark
- Add sync after capture to ensure file is written
- This will help diagnose why main capture shows few/no packets
Co-authored-by: Cursor
---
 test_monitor_tshark.sh | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/test_monitor_tshark.sh b/test_monitor_tshark.sh
index b2a0dc8..11e33b3 100755
--- a/test_monitor_tshark.sh
+++ b/test_monitor_tshark.sh
@@ -138,15 +138,42 @@ echo "Capturing to temporary file: $TEMP_PCAP" set +e # Temporarily disable exit on error # Capture to pcap file - this won't error on missing fields +# Use -b filesize:100000 to rotate files if needed, but we'll only use the first timeout "$DURATION" tshark -q -i "$INTERFACE" -n -w "$TEMP_PCAP" 2>/dev/null CAPTURE_EXIT_CODE=$? set -e # Re-enable exit on error +# Force sync to ensure file is written +sync + # Exit code 124 means timeout occurred (expected), 0 means command completed normally if [ "$CAPTURE_EXIT_CODE" -ne 0 ] && [ "$CAPTURE_EXIT_CODE" -ne 124 ]; then echo "Warning: tshark capture exited with code $CAPTURE_EXIT_CODE" fi +# Check if pcap file exists and get its size +if [ -f "$TEMP_PCAP" ]; then + PCAP_SIZE=$(stat -c%s "$TEMP_PCAP" 2>/dev/null || stat -f%z "$TEMP_PCAP" 2>/dev/null || echo "0") + echo "Pcap file size: $PCAP_SIZE bytes" + + # Count packets in raw pcap file using capinfos or tshark + if command -v capinfos &> /dev/null; then + RAW_PACKET_COUNT=$(capinfos -c "$TEMP_PCAP" 2>/dev/null | grep "^Number of packets:" | awk '{print $4}' || echo "0") + echo "Raw packets in pcap file: $RAW_PACKET_COUNT" + else + # Fallback: use tshark to count packets + RAW_PACKET_COUNT=$(tshark -q -r "$TEMP_PCAP" -n -T fields -e frame.number 2>/dev/null | tail -1 || echo "0") + if [ "$RAW_PACKET_COUNT" != "0" ] && [ -n "$RAW_PACKET_COUNT" ]; then + echo "Raw packets in pcap file: $RAW_PACKET_COUNT" + else + echo "Raw packets in pcap file: (could not determine)" + fi + fi +else + echo "ERROR: Pcap file was not created: $TEMP_PCAP" + exit 1 +fi + # Now parse the pcap file to extract fields # Use -Y filter to only process frames that have RA/TA to avoid field errors CAPTURE_OUTPUT=$(tshark -q -r "$TEMP_PCAP" -n -T fields \
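Review bot: In the capinfos branch the `|| echo "0"` fallback is tied to the exit status of `awk`, which succeeds even when capinfos fails or prints nothing, so unless `pipefail` is set earlier in the script (not visible in this hunk) a truncated or unreadable capture yields an empty `Raw packets in pcap file:` line rather than a diagnostic; the tshark fallback guards against an empty value, this branch does not. Depending on the Wireshark version, capinfos may also print the count with an SI suffix (for example `12 k`) unless `-M` is passed, and `$4` then silently drops the unit. I would change the two lines to `RAW_PACKET_COUNT=$(capinfos -M -c "$TEMP_PCAP" 2>/dev/null | awk '/^Number of packets:/ {print $4}') || true` and `echo "Raw packets in pcap file: ${RAW_PACKET_COUNT:-(could not determine)}"`. Separately, the added comment about `-b filesize:100000` describes an option the unchanged tshark command line does not pass, and `sync` after tshark has already exited does not change what later readers of the file see; keeping tshark's stderr instead of sending it to `/dev/null` would do more to explain an empty capture.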