Use tshark display filter to only capture frames that have RA or TA fields.
This prevents tshark from erroring when encountering management frames
that don't have these fields, which was causing early termination of captures.
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add -q flag to suppress tshark summary output
- Handle exit code 1 (field availability issues) as non-fatal
- Better filter out tshark status messages from packet counting
- Improve packet line detection to exclude status messages
Co-authored-by: Cursor <cursoragent@cursor.com>
Replace invalid wlan.addr1/wlan.addr2 with wlan.ra/wlan.ta fields.
These fields are the correct tshark field names for Receiver Address
and Transmitter Address in monitor mode captures.
Co-authored-by: Cursor <cursoragent@cursor.com>
- Fix script exit on timeout: handle exit code 124 from timeout command
- Add RA (Receiver Address) and TA (Transmitter Address) display in initial test capture
- Update main capture to show RA/TA instead of SA/DA for better monitor mode visibility
- Use wlan.addr1 and wlan.addr2 fields for universal compatibility across frame types
Co-authored-by: Cursor <cursoragent@cursor.com>
- Replace raw tab-separated values with readable format
- Show 'Frame X: PLCP header (radiotap) = yes/no' instead of '1 1'
- Add field labels for main capture sample packets
- Show SA, DA, type, subtype, and PLCP status in readable format
Co-authored-by: Cursor <cursoragent@cursor.com>
- Filter out 'X packets captured' summary lines from packet count
- Only count lines with tab-separated fields (actual packet data)
- Add sync to force output flush
- Ensure stats always display immediately after capture
- Remove trap that was interfering with normal flow
Co-authored-by: Cursor <cursoragent@cursor.com>
- Display stats right after 'Capturing packets' line completes
- Show packet count, PLCP count, and packet rate immediately
- Move sample packets display after stats
- Reorganize output for better readability
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add message that capture may take time
- Always display packet and PLCP counts
- Better parsing of tshark output
- Separate warnings/errors from packet data
- Show note if packets captured but no PLCP headers
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add progress messages and debug output
- Show tshark warnings/errors
- Always display counters even if no packets captured
- Better handling of empty output
- Show sample packets when available
- Add DLT check before capture
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add radiotap.present field to capture output
- Count packets with PLCP headers (radiotap information)
- Display PLCP count in both test capture and final summary
- Show warning if no PLCP headers detected (may indicate wrong DLT)
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add duration parameter (3rd argument, default 10 seconds, minimum 1 second)
- Change initial check to capture for 1 second instead of just 1 packet
- Count packets from actual capture output instead of running twice
- Fix field names (use wlan.fc.type/subtype instead of wlan.type)
- Show packet count summary at the end
- Display more packets (50 instead of 20)
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add test_monitor_tshark.sh to verify monitor mode works with tshark
- Fix set_monitor_mode to wait for Netlink response
- Improve libpcap initialization with pcap_create/pcap_set_rfmon/pcap_activate
- Add interface up/down control before/after setting monitor mode
- Add verification step to confirm monitor mode was set correctly
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add fallback channel verification using 'iw' command
- Show data link type on startup
- Print first 10 non-data frames for debugging
- Add periodic status during capture loop
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add get_current_channel() function to query actual channel/frequency
- Add freq_to_channel() helper to convert frequency back to channel
- Display verified channel and frequency after setting monitor mode
- Warn if requested channel doesn't match actual channel
Co-authored-by: Cursor <cursoragent@cursor.com>
A C program using GNU Automake for capturing and parsing 802.11 WiFi
frame headers in monitor mode. Designed to verify ESP32 monitor code
by comparing Linux vs ESP32 frame parsing.
Features:
- Monitor mode setup using libnl3
- Packet capture using libpcap
- 802.11 frame parsing (RA, TA, duration, retry flag)
- MAC address filtering (matches ESP32 filter behavior)
- Output format matches ESP32 debug logs for easy comparison
Co-authored-by: Cursor <cursoragent@cursor.com>
Robert McMahon