From ee168ad839f90061451285d9b3de0477148834fd Mon Sep 17 00:00:00 2001
From: Robert McMahon
Date: Fri, 13 Feb 2026 14:29:38 -0800
Subject: [PATCH] Add IP traffic analysis to identify iperf packets
- Extract IP addresses, TCP/UDP ports from frames
- Look for TCP port 5001 (iperf default)
- Show frame type breakdown (Management/Control/Data)
- Analyze frames involving server MAC address
- This will help identify where iperf traffic is in the capture
Co-authored-by: Cursor
---
 test_monitor_tshark.sh | 109 +++++++++++++++++++++++++++++++++++++++--
 1 file changed, 106 insertions(+), 3 deletions(-)
diff --git a/test_monitor_tshark.sh b/test_monitor_tshark.sh
index 1dadb3a..61cc399 100755
--- a/test_monitor_tshark.sh
+++ b/test_monitor_tshark.sh
@@ -195,7 +195,7 @@ fi
 # Now parse the pcap file to extract fields
 # Don't use display filter - extract all frames and handle missing fields gracefully
-# Use -E header=y to include field names, then parse
+# Include IP addresses to identify iperf traffic
 CAPTURE_OUTPUT=$(tshark -q -r "$TEMP_PCAP" -n -T fields \
 -e frame.number \
 -e frame.time \
@@ -205,6 +205,13 @@ CAPTURE_OUTPUT=$(tshark -q -r "$TEMP_PCAP" -n -T fields \
 -e wlan.fc.subtype \
 -e wlan.fc.type_subtype \
 -e radiotap.present \
+ -e ip.src \
+ -e ip.dst \
+ -e ip.proto \
+ -e tcp.srcport \
+ -e tcp.dstport \
+ -e udp.srcport \
+ -e udp.dstport \
 2>&1 | grep -v "^tshark:" | grep -v "^Running as" | grep -v "^Capturing" || true)
 # Clean up temp file (unless KEEP_PCAP is set)
@@ -266,8 +273,14 @@ if [ -n "$PACKET_LINES" ] && [ "$FINAL_COUNT" -gt 0 ]; then
 type = ($5 != "" && $5 != "-") ? $5 : "N/A"
 subtype = ($6 != "" && $6 != "-") ? $6 : "N/A"
 radiotap = ($8 == "1" || $8 == "1.0") ? "yes" : (($8 != "" && $8 != "-") ? "no" : "N/A")
- printf " Frame %s: RA=%s, TA=%s, type=%s/%s, PLCP=%s\n",
- $1, ra, ta, type, subtype, radiotap
+ src_ip = ($9 != "" && $9 != "-") ? $9 : ""
+ dst_ip = ($10 != "" && $10 != "-") ? $10 : ""
+ ip_info = ""
+ if (src_ip != "" && dst_ip != "") {
+ ip_info = sprintf(" IP=%s->%s", src_ip, dst_ip)
+ }
+ printf " Frame %s: RA=%s, TA=%s, type=%s/%s, PLCP=%s%s\n",
+ $1, ra, ta, type, subtype, radiotap, ip_info
 }'
 echo ""
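Review bot: The new `$9`/`$10` references in this awk program are only correct because of the order of `-e` options in the tshark call, which lives in a different hunk and is not recorded anywhere near the consumer; a reordering of `-e` would silently mis-label the printed IP pair rather than fail. A short mapping comment above the awk invocation would make the coupling visible, e.g. `# tshark -T fields column order: $9=ip.src $10=ip.dst $11=ip.proto $12/$13=tcp.srcport/dstport $14/$15=udp.srcport/dstport`. The enclosing awk program and the surrounding `if` block both start before this hunk.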
@@ -295,6 +308,96 @@ if [ -n "$PACKET_LINES" ] && [ "$FINAL_COUNT" -gt 0 ]; then
 echo " (no valid RA/TA pairs found)"
 fi
 echo ""
+
+ # Frame type breakdown
+ echo "Frame type breakdown:"
+ echo "$PACKET_LINES" | awk -F'\t' '{
+ type = ($5 != "" && $5 != "-") ? $5 : "unknown"
+ subtype = ($6 != "" && $6 != "-") ? $6 : "unknown"
+ type_name = "Unknown"
+ if (type == "0") type_name = "Management"
+ else if (type == "1") type_name = "Control"
+ else if (type == "2") type_name = "Data"
+ count[type_name]++
+ }
+ END {
+ for (t in count) {
+ printf " %s: %d frame(s)\n", t, count[t]
+ }
+ }' | sort -rn
+ echo ""
+
+ # Look for IP traffic (iperf typically uses TCP port 5001)
+ echo "IP traffic analysis (looking for iperf on TCP port 5001):"
+ IPERF_FRAMES=$(echo "$PACKET_LINES" | awk -F'\t' '{
+ src_port = ($12 != "" && $12 != "-") ? $12 : ""
+ dst_port = ($13 != "" && $13 != "-") ? $13 : ""
+ proto = ($11 != "" && $11 != "-") ? $11 : ""
+ if ((src_port == "5001" || dst_port == "5001") && proto == "6") {
+ print $0
+ }
+ }')
+ IPERF_COUNT=$(echo "$IPERF_FRAMES" | wc -l || echo "0")
+ if [ "$IPERF_COUNT" -gt 0 ]; then
+ echo " Found $IPERF_COUNT frames with TCP port 5001 (iperf)"
+ echo " Sample iperf frames:"
+ echo "$IPERF_FRAMES" | head -5 | awk -F'\t' '{
+ ra = ($3 != "" && $3 != "-") ? $3 : "N/A"
+ ta = ($4 != "" && $4 != "-") ? $4 : "N/A"
+ src_ip = ($9 != "" && $9 != "-") ? $9 : "N/A"
+ dst_ip = ($10 != "" && $10 != "-") ? $10 : "N/A"
+ src_port = ($12 != "" && $12 != "-") ? $12 : "N/A"
+ dst_port = ($13 != "" && $13 != "-") ? $13 : "N/A"
+ printf " Frame %s: %s:%s -> %s:%s (RA=%s, TA=%s)\n",
+ $1, src_ip, src_port, dst_ip, dst_port, ra, ta
+ }'
+ else
+ echo " No frames found with TCP port 5001"
+ echo " Checking for any TCP traffic:"
+ TCP_COUNT=$(echo "$PACKET_LINES" | awk -F'\t' '$11 == "6" {count++} END {print count+0}')
+ echo " TCP frames: $TCP_COUNT"
+ if [ "$TCP_COUNT" -gt 0 ]; then
+ echo " Sample TCP frames:"
+ echo "$PACKET_LINES" | awk -F'\t' '$11 == "6" {print}' | head -5 | awk -F'\t' '{
+ ra = ($3 != "" && $3 != "-") ? $3 : "N/A"
+ ta = ($4 != "" && $4 != "-") ? $4 : "N/A"
+ src_ip = ($9 != "" && $9 != "-") ? $9 : "N/A"
+ dst_ip = ($10 != "" && $10 != "-") ? $10 : "N/A"
+ src_port = ($12 != "" && $12 != "-") ? $12 : "N/A"
+ dst_port = ($13 != "" && $13 != "-") ? $13 : "N/A"
+ printf " Frame %s: %s:%s -> %s:%s (RA=%s, TA=%s)\n",
+ $1, src_ip, src_port, dst_ip, dst_port, ra, ta
+ }'
+ fi
+ fi
+ echo ""
+
+ # Frames involving server MAC (80:84:89:93:c4:b6)
+ echo "Frames involving server MAC (80:84:89:93:c4:b6):"
+ SERVER_MAC="80:84:89:93:c4:b6"
+ SERVER_FRAMES=$(echo "$PACKET_LINES" | awk -F'\t' -v mac="$SERVER_MAC" '{
+ ra = ($3 != "" && $3 != "-") ? $3 : ""
+ ta = ($4 != "" && $4 != "-") ? $4 : ""
+ if (ra == mac || ta == mac) {
+ print $0
+ }
+ }')
+ SERVER_COUNT=$(echo "$SERVER_FRAMES" | wc -l || echo "0")
+ echo " Total frames with server MAC: $SERVER_COUNT"
+ if [ "$SERVER_COUNT" -gt 0 ]; then
+ echo " Sample frames:"
+ echo "$SERVER_FRAMES" | head -5 | awk -F'\t' '{
+ ra = ($3 != "" && $3 != "-") ? $3 : "N/A"
+ ta = ($4 != "" && $4 != "-") ? $4 : "N/A"
+ type = ($5 != "" && $5 != "-") ? $5 : "N/A"
+ subtype = ($6 != "" && $6 != "-") ? $6 : "N/A"
+ src_ip = ($9 != "" && $9 != "-") ? $9 : "N/A"
+ dst_ip = ($10 != "" && $10 != "-") ? $10 : "N/A"
+ printf " Frame %s: RA=%s, TA=%s, type=%s/%s, IP=%s->%s\n",
+ $1, ra, ta, type, subtype, src_ip, dst_ip
+ }'
+ fi
+ echo ""
 else
 echo "(No packets captured)"
 echo ""
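Review bot: `IPERF_COUNT=$(echo "$IPERF_FRAMES" | wc -l || echo "0")` reports 1 when nothing matched, because `echo ""` still emits a newline, so the "Found 1 frames with TCP port 5001 (iperf)" branch runs on an empty list and the sample awk prints a row of N/A values; `SERVER_COUNT` further down has the same flaw. Counting records avoids the off-by-one and matches how `TCP_COUNT` is already computed inside awk: `IPERF_COUNT=$(printf '%s' "$IPERF_FRAMES" | awk 'END { print NR }')`, and likewise for `SERVER_COUNT`. The frame-type breakdown is piped through `sort -rn`, but every line starts with indentation and a type name, so the numeric key is 0 for all of them and the output is not ordered by count; `sort -t: -k2,2rn` sorts on the number after the colon. The server MAC `80:84:89:93:c4:b6` is a testbed-specific constant written twice; assigning `SERVER_MAC="${SERVER_MAC:-80:84:89:93:c4:b6}"` before the heading and printing `$SERVER_MAC` in the echo lets it be overridden from the environment and keeps the two from drifting apart. Note too that `udp.srcport`/`udp.dstport` (`$14`/`$15`) are extracted but never consulted, and that on an encrypted BSS the `ip.*` fields will presumably be empty for data frames, so an empty iperf list does not by itself mean the traffic is absent — worth stating in the "No frames found" message.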