Add diagnostics for pcap file capture issues
- Check if pcap file exists and show its size - Count raw packets in pcap file using capinfos or tshark - Add sync after capture to ensure file is written - This will help diagnose why main capture shows few/no packets Co-authored-by: Cursor <cursoragent@cursor.com>
parent
73358f9223
commit
ba4fb72a40
@ -138,15 +138,42 @@ echo "Capturing to temporary file: $TEMP_PCAP"
set +e # Temporarily disable exit on error
# Capture to pcap file - this won't error on missing fields
# Use -b filesize:100000 to rotate files if needed, but we'll only use the first
timeout "$DURATION" tshark -q -i "$INTERFACE" -n -w "$TEMP_PCAP" 2>/dev/null
CAPTURE_EXIT_CODE=$?
set -e # Re-enable exit on error
# Force sync to ensure file is written
sync
# Exit code 124 means timeout occurred (expected), 0 means command completed normally
if [ "$CAPTURE_EXIT_CODE" -ne 0 ] && [ "$CAPTURE_EXIT_CODE" -ne 124 ]; then
echo "Warning: tshark capture exited with code $CAPTURE_EXIT_CODE"
fi
# Check if pcap file exists and get its size
if [ -f "$TEMP_PCAP" ]; then
PCAP_SIZE=$(stat -c%s "$TEMP_PCAP" 2>/dev/null || stat -f%z "$TEMP_PCAP" 2>/dev/null || echo "0")
echo "Pcap file size: $PCAP_SIZE bytes"
# Count packets in raw pcap file using capinfos or tshark
if command -v capinfos &> /dev/null; then
RAW_PACKET_COUNT=$(capinfos -c "$TEMP_PCAP" 2>/dev/null | grep "^Number of packets:" | awk '{print $4}' || echo "0")
echo "Raw packets in pcap file: $RAW_PACKET_COUNT"
else
# Fallback: use tshark to count packets
RAW_PACKET_COUNT=$(tshark -q -r "$TEMP_PCAP" -n -T fields -e frame.number 2>/dev/null | tail -1 || echo "0")
if [ "$RAW_PACKET_COUNT" != "0" ] && [ -n "$RAW_PACKET_COUNT" ]; then
echo "Raw packets in pcap file: $RAW_PACKET_COUNT"
else
echo "Raw packets in pcap file: (could not determine)"
fi
fi
else
echo "ERROR: Pcap file was not created: $TEMP_PCAP"
exit 1
fi
# Now parse the pcap file to extract fields
# Use -Y filter to only process frames that have RA/TA to avoid field errors
CAPTURE_OUTPUT=$(tshark -q -r "$TEMP_PCAP" -n -T fields \
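Review bot: The capinfos branch can report an empty or misleading packet count, which defeats the purpose of this diagnostic. The `|| echo "0"` fallback is tied to the end of the pipeline, so unless `pipefail` is set (the script's options are outside this hunk) it only sees awk's exit status and never fires when capinfos itself fails; unlike the tshark fallback, this branch also has no empty-value check. In addition, capinfos may print the count with an SI suffix unless `-M` is given, so `awk '{print $4}'` could return `12` for "12 k" — worth confirming against the installed version. I would use `RAW_PACKET_COUNT=$(capinfos -Mc "$TEMP_PCAP" 2>/dev/null | awk '/^Number of packets:/ {print $4}')` followed by `echo "Raw packets in pcap file: ${RAW_PACKET_COUNT:-(could not determine)}"`. The script continues past the end of this hunk, so how `CAPTURE_OUTPUT` is consumed is not visible here.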
|
||||
|
|
|
|||
Loading…
Reference in New Issue