rjmcmahon
/
fiwi_monitor
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add IP traffic analysis to identify iperf packets 

- Extract IP addresses, TCP/UDP ports from frames
- Look for TCP port 5001 (iperf default)
- Show frame type breakdown (Management/Control/Data)
- Analyze frames involving server MAC address
- This will help identify where iperf traffic is in the capture

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Robert McMahon 2026-02-13 14:29:38 -08:00
parent 0b946a6d53
commit ee168ad839
1 changed files with 106 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

109
test_monitor_tshark.sh
View File

@ -195,7 +195,7 @@ fi
# Now parse the pcap file to extract fields # Now parse the pcap file to extract fields
# Don't use display filter - extract all frames and handle missing fields gracefully # Don't use display filter - extract all frames and handle missing fields gracefully
# Use -E header=y to include field names, then parse # Include IP addresses to identify iperf traffic
CAPTURE_OUTPUT=$(tshark -q -r "$TEMP_PCAP" -n -T fields \ CAPTURE_OUTPUT=$(tshark -q -r "$TEMP_PCAP" -n -T fields \
-e frame.number \ -e frame.number \
-e frame.time \ -e frame.time \
@ -205,6 +205,13 @@ CAPTURE_OUTPUT=$(tshark -q -r "$TEMP_PCAP" -n -T fields \
-e wlan.fc.subtype \ -e wlan.fc.subtype \
-e wlan.fc.type_subtype \ -e wlan.fc.type_subtype \
-e radiotap.present \ -e radiotap.present \
-e ip.src \
-e ip.dst \
-e ip.proto \
-e tcp.srcport \
-e tcp.dstport \
-e udp.srcport \
-e udp.dstport \
2>&1 | grep -v "^tshark:" | grep -v "^Running as" | grep -v "^Capturing" || true) 2>&1 | grep -v "^tshark:" | grep -v "^Running as" | grep -v "^Capturing" || true)
# Clean up temp file (unless KEEP_PCAP is set) # Clean up temp file (unless KEEP_PCAP is set)
@ -266,8 +273,14 @@ if [ -n "$PACKET_LINES" ] && [ "$FINAL_COUNT" -gt 0 ]; then
type = ($5 != "" && $5 != "-") ? $5 : "N/A" type = ($5 != "" && $5 != "-") ? $5 : "N/A"
subtype = ($6 != "" && $6 != "-") ? $6 : "N/A" subtype = ($6 != "" && $6 != "-") ? $6 : "N/A"
radiotap = ($8 == "1" || $8 == "1.0") ? "yes" : (($8 != "" && $8 != "-") ? "no" : "N/A") radiotap = ($8 == "1" || $8 == "1.0") ? "yes" : (($8 != "" && $8 != "-") ? "no" : "N/A")
printf " Frame %s: RA=%s, TA=%s, type=%s/%s, PLCP=%s\n", src_ip = ($9 != "" && $9 != "-") ? $9 : ""
$1, ra, ta, type, subtype, radiotap dst_ip = ($10 != "" && $10 != "-") ? $10 : ""
ip_info = ""
if (src_ip != "" && dst_ip != "") {
ip_info = sprintf(" IP=%s->%s", src_ip, dst_ip)
}
printf " Frame %s: RA=%s, TA=%s, type=%s/%s, PLCP=%s%s\n",
$1, ra, ta, type, subtype, radiotap, ip_info
}' }'
echo "" echo ""
@ -295,6 +308,96 @@ if [ -n "$PACKET_LINES" ] && [ "$FINAL_COUNT" -gt 0 ]; then
echo " (no valid RA/TA pairs found)" echo " (no valid RA/TA pairs found)"
fi fi
echo "" echo ""
# Frame type breakdown
echo "Frame type breakdown:"
echo "$PACKET_LINES" | awk -F'\t' '{
type = ($5 != "" && $5 != "-") ? $5 : "unknown"
subtype = ($6 != "" && $6 != "-") ? $6 : "unknown"
type_name = "Unknown"
if (type == "0") type_name = "Management"
else if (type == "1") type_name = "Control"
else if (type == "2") type_name = "Data"
count[type_name]++
}
END {
for (t in count) {
printf " %s: %d frame(s)\n", t, count[t]
}
}' | sort -rn
echo ""
# Look for IP traffic (iperf typically uses TCP port 5001)
echo "IP traffic analysis (looking for iperf on TCP port 5001):"
IPERF_FRAMES=$(echo "$PACKET_LINES" | awk -F'\t' '{
src_port = ($12 != "" && $12 != "-") ? $12 : ""
dst_port = ($13 != "" && $13 != "-") ? $13 : ""
proto = ($11 != "" && $11 != "-") ? $11 : ""
if ((src_port == "5001" || dst_port == "5001") && proto == "6") {
print $0
}
}')
IPERF_COUNT=$(echo "$IPERF_FRAMES" | wc -l || echo "0")
if [ "$IPERF_COUNT" -gt 0 ]; then
echo " Found $IPERF_COUNT frames with TCP port 5001 (iperf)"
echo " Sample iperf frames:"
echo "$IPERF_FRAMES" | head -5 | awk -F'\t' '{
ra = ($3 != "" && $3 != "-") ? $3 : "N/A"
ta = ($4 != "" && $4 != "-") ? $4 : "N/A"
src_ip = ($9 != "" && $9 != "-") ? $9 : "N/A"
dst_ip = ($10 != "" && $10 != "-") ? $10 : "N/A"
src_port = ($12 != "" && $12 != "-") ? $12 : "N/A"
dst_port = ($13 != "" && $13 != "-") ? $13 : "N/A"
printf " Frame %s: %s:%s -> %s:%s (RA=%s, TA=%s)\n",
$1, src_ip, src_port, dst_ip, dst_port, ra, ta
}'
else
echo " No frames found with TCP port 5001"
echo " Checking for any TCP traffic:"
TCP_COUNT=$(echo "$PACKET_LINES" | awk -F'\t' '$11 == "6" {count++} END {print count+0}')
echo " TCP frames: $TCP_COUNT"
if [ "$TCP_COUNT" -gt 0 ]; then
echo " Sample TCP frames:"
echo "$PACKET_LINES" | awk -F'\t' '$11 == "6" {print}' | head -5 | awk -F'\t' '{
ra = ($3 != "" && $3 != "-") ? $3 : "N/A"
ta = ($4 != "" && $4 != "-") ? $4 : "N/A"
src_ip = ($9 != "" && $9 != "-") ? $9 : "N/A"
dst_ip = ($10 != "" && $10 != "-") ? $10 : "N/A"
src_port = ($12 != "" && $12 != "-") ? $12 : "N/A"
dst_port = ($13 != "" && $13 != "-") ? $13 : "N/A"
printf " Frame %s: %s:%s -> %s:%s (RA=%s, TA=%s)\n",
$1, src_ip, src_port, dst_ip, dst_port, ra, ta
}'
fi
fi
echo ""
# Frames involving server MAC (80:84:89:93:c4:b6)
echo "Frames involving server MAC (80:84:89:93:c4:b6):"
SERVER_MAC="80:84:89:93:c4:b6"
SERVER_FRAMES=$(echo "$PACKET_LINES" | awk -F'\t' -v mac="$SERVER_MAC" '{
ra = ($3 != "" && $3 != "-") ? $3 : ""
ta = ($4 != "" && $4 != "-") ? $4 : ""
if (ra == mac || ta == mac) {
print $0
}
}')
SERVER_COUNT=$(echo "$SERVER_FRAMES" | wc -l || echo "0")
echo " Total frames with server MAC: $SERVER_COUNT"
if [ "$SERVER_COUNT" -gt 0 ]; then
echo " Sample frames:"
echo "$SERVER_FRAMES" | head -5 | awk -F'\t' '{
ra = ($3 != "" && $3 != "-") ? $3 : "N/A"
ta = ($4 != "" && $4 != "-") ? $4 : "N/A"
type = ($5 != "" && $5 != "-") ? $5 : "N/A"
subtype = ($6 != "" && $6 != "-") ? $6 : "N/A"
src_ip = ($9 != "" && $9 != "-") ? $9 : "N/A"
dst_ip = ($10 != "" && $10 != "-") ? $10 : "N/A"
printf " Frame %s: RA=%s, TA=%s, type=%s/%s, IP=%s->%s\n",
$1, ra, ta, type, subtype, src_ip, dst_ip
}'
fi
echo ""
else else
echo "(No packets captured)" echo "(No packets captured)"
echo "" echo ""