- Check for tcpdump availability before printing startup message
- Show 'Note: tcpdump not found, skipping concurrent count' when unavailable
- Prevents confusing message when tcpdump is not installed
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add detailed error messages when tcpdump fails or produces no output
- Show tcpdump stderr output for debugging filter issues
- Return 0 instead of None when tcpdump finds 0 packets (so it's displayed)
- Handle SIGTERM return code properly (expected when terminating)
- Display tcpdump count even when 0 to help diagnose issues
- Add note when tcpdump counter is unavailable
Co-authored-by: Cursor <cursoragent@cursor.com>
- Run tcpdump concurrently with scapy to count data frames
- Use BPF filter (wlan[0] & 0x0C == 0x08) to filter data frames only
- Display comparison between scapy and tcpdump data frame counts
- Show capture ratio to identify if scapy is missing packets
- Add re import for regex parsing of tcpdump output
Co-authored-by: Cursor <cursoragent@cursor.com>
- Change CLI argument from -d/--duration to -t/--time
- Add timestamps with milliseconds to sample packets output
- Update all documentation examples to use --time/-t
- Format timestamps as HH:MM:SS.mmm for better readability
Co-authored-by: Cursor <cursoragent@cursor.com>
- Replace custom argument parsing with argparse for better CLI design
- Use key-value pairs: --interface/-i, --channel/-c, --duration/-d, --pcap
- Remove iperf-specific references (server MAC analysis, iperf mentions)
- Improve data frame subtype detection for encrypted frames
- Add _get_subtype_from_fc() to parse Frame Control field directly
- Show data frame subtype breakdown in analysis output
- Add better debugging when QoS Data frames aren't found
- Maintain backward compatibility for positional pcap file argument
Co-authored-by: Cursor <cursoragent@cursor.com>
- Fix async subprocess.communicate() usage: await before unpacking tuple
Changed from: stderr = await proc.communicate()[1]
To: _, stderr = await proc.communicate()
- Remove snaplen parameter from sniff() calls (not supported for live interface capture)
- Update messages to reflect that full packets are captured for live capture
- Remove redundant proc.wait() calls after communicate()
Co-authored-by: Cursor <cursoragent@cursor.com>
- Rename MonitorModeSetup class to WiFiMonitor (better naming)
- Add async start() method for setting up monitor mode
- Add async stop() method for restoring interface to managed mode
- Convert all subprocess calls to async (asyncio.create_subprocess_exec)
- Add is_started property to track monitor mode state
- Update capture methods to use async implementation
- Use try/finally to ensure proper cleanup
- Run blocking scapy sniff() calls in executor for async compatibility
- Improve error handling with proper stderr communication
Co-authored-by: Cursor <cursoragent@cursor.com>
- Created test_monitor.py: single Python script using scapy for packet capture
- Removed test_monitor_tshark.sh: replaced by Python solution
- Avoids tshark parsing issues by using scapy directly
- Provides same functionality: RA/TA extraction, histograms, statistics
- Supports --keep-pcap flag for saving pcap files
Co-authored-by: Cursor <cursoragent@cursor.com>
- Use int() parsing instead of isdigit() for more robust frame number validation
- Preserve leading tabs with rstrip() instead of strip()
- Add debug output when parsing fails to help diagnose issues
- Handle empty fields and whitespace more gracefully
Co-authored-by: Cursor <cursoragent@cursor.com>
- Change grep pattern from '^[0-9]+\t' (requires tab) to '^[0-9]+' (matches working test capture)
- Add -q flag back to suppress packet count output
- Filter out empty lines and whitespace-only lines
- Fix debug section to use temp file before deletion
This fixes the regression where only 1 packet was parsed despite the pcap
file containing 216 packets. The tab requirement in the grep pattern was
too strict and didn't match tshark's actual output format.
Co-authored-by: Cursor <cursoragent@cursor.com>
- Write tshark output to temp file first to avoid pipe issues
- Redirect stderr to /dev/null to suppress field errors
- Filter to only keep lines starting with frame numbers
- This should fix the issue where only 1 packet was parsed instead of 217
Co-authored-by: Cursor <cursoragent@cursor.com>
- Filter output to only keep lines starting with frame numbers
- Remove complex error filtering that was removing valid packet data
- Use head to limit output size
- This should fix the issue where only 1 packet was parsed instead of 217
Co-authored-by: Cursor <cursoragent@cursor.com>
- Extract radiotap.datarate, radiotap.mcs.index, wlan_radio.data_rate, wlan_radio.mcs.index
- Generate histograms showing PHY rate distribution per RA/TA pair
- Generate histograms showing MCS index distribution per RA/TA pair
- Only analyze data frames (type 2) for histograms
- Histograms are sorted numerically for easy reading
Co-authored-by: Cursor <cursoragent@cursor.com>
- Remove IP/TCP/UDP field extraction (payloads are encrypted)
- Extract 802.11 frame control fields: protected, retry, duration
- Analyze QoS Data frames (type 2, subtype 8) which iperf uses
- Show encryption status and frame characteristics
- Update field numbers for radiotap.present (now field 11)
Co-authored-by: Cursor <cursoragent@cursor.com>
- Extract IP addresses, TCP/UDP ports from frames
- Look for TCP port 5001 (iperf default)
- Show frame type breakdown (Management/Control/Data)
- Analyze frames involving server MAC address
- This will help identify where iperf traffic is in the capture
Co-authored-by: Cursor <cursoragent@cursor.com>
- Remove -Y filter that was excluding frames without RA/TA
- Process all frames and handle missing fields gracefully
- Add warning when parsed count differs from raw packet count
- This should fix the issue where pcap has 217 packets but script only shows 1
Co-authored-by: Cursor <cursoragent@cursor.com>
- Check if pcap file exists and show its size
- Count raw packets in pcap file using capinfos or tshark
- Add sync after capture to ensure file is written
- This will help diagnose why main capture shows few/no packets
Co-authored-by: Cursor <cursoragent@cursor.com>
Display unique RA/TA pairs with frame counts, sorted by count (descending).
This helps identify which devices are communicating with each other and
the volume of traffic between each pair.
Co-authored-by: Cursor <cursoragent@cursor.com>
Display the name of the temporary pcap file being used for capture.
This helps with debugging and allows users to inspect the file if needed.
Co-authored-by: Cursor <cursoragent@cursor.com>
Capture to a temporary pcap file first, then parse it. This prevents
tshark from exiting early when encountering frames without RA/TA fields
during live capture. The capture phase won't error on missing fields,
and the parsing phase uses a display filter to only extract RA/TA from
frames that have them.
Co-authored-by: Cursor <cursoragent@cursor.com>
Redirect stderr to /dev/null to suppress 'Some fields aren't valid' errors
when tshark encounters frames without RA/TA fields. This should allow
tshark to continue capturing instead of exiting early.
Co-authored-by: Cursor <cursoragent@cursor.com>
Use tshark display filter to only capture frames that have RA or TA fields.
This prevents tshark from erroring when encountering management frames
that don't have these fields, which was causing early termination of captures.
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add -q flag to suppress tshark summary output
- Handle exit code 1 (field availability issues) as non-fatal
- Better filter out tshark status messages from packet counting
- Improve packet line detection to exclude status messages
Co-authored-by: Cursor <cursoragent@cursor.com>
Replace invalid wlan.addr1/wlan.addr2 with wlan.ra/wlan.ta fields.
These fields are the correct tshark field names for Receiver Address
and Transmitter Address in monitor mode captures.
Co-authored-by: Cursor <cursoragent@cursor.com>
- Fix script exit on timeout: handle exit code 124 from timeout command
- Add RA (Receiver Address) and TA (Transmitter Address) display in initial test capture
- Update main capture to show RA/TA instead of SA/DA for better monitor mode visibility
- Use wlan.addr1 and wlan.addr2 fields for universal compatibility across frame types
Co-authored-by: Cursor <cursoragent@cursor.com>
- Replace raw tab-separated values with readable format
- Show 'Frame X: PLCP header (radiotap) = yes/no' instead of '1 1'
- Add field labels for main capture sample packets
- Show SA, DA, type, subtype, and PLCP status in readable format
Co-authored-by: Cursor <cursoragent@cursor.com>
- Filter out 'X packets captured' summary lines from packet count
- Only count lines with tab-separated fields (actual packet data)
- Add sync to force output flush
- Ensure stats always display immediately after capture
- Remove trap that was interfering with normal flow
Co-authored-by: Cursor <cursoragent@cursor.com>
- Display stats right after 'Capturing packets' line completes
- Show packet count, PLCP count, and packet rate immediately
- Move sample packets display after stats
- Reorganize output for better readability
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add message that capture may take time
- Always display packet and PLCP counts
- Better parsing of tshark output
- Separate warnings/errors from packet data
- Show note if packets captured but no PLCP headers
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add progress messages and debug output
- Show tshark warnings/errors
- Always display counters even if no packets captured
- Better handling of empty output
- Show sample packets when available
- Add DLT check before capture
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add radiotap.present field to capture output
- Count packets with PLCP headers (radiotap information)
- Display PLCP count in both test capture and final summary
- Show warning if no PLCP headers detected (may indicate wrong DLT)
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add duration parameter (3rd argument, default 10 seconds, minimum 1 second)
- Change initial check to capture for 1 second instead of just 1 packet
- Count packets from actual capture output instead of running twice
- Fix field names (use wlan.fc.type/subtype instead of wlan.type)
- Show packet count summary at the end
- Display more packets (50 instead of 20)
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add test_monitor_tshark.sh to verify monitor mode works with tshark
- Fix set_monitor_mode to wait for Netlink response
- Improve libpcap initialization with pcap_create/pcap_set_rfmon/pcap_activate
- Add interface up/down control before/after setting monitor mode
- Add verification step to confirm monitor mode was set correctly
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add fallback channel verification using 'iw' command
- Show data link type on startup
- Print first 10 non-data frames for debugging
- Add periodic status during capture loop
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add get_current_channel() function to query actual channel/frequency
- Add freq_to_channel() helper to convert frequency back to channel
- Display verified channel and frequency after setting monitor mode
- Warn if requested channel doesn't match actual channel
Co-authored-by: Cursor <cursoragent@cursor.com>
A C program using GNU Automake for capturing and parsing 802.11 WiFi
frame headers in monitor mode. Designed to verify ESP32 monitor code
by comparing Linux vs ESP32 frame parsing.
Features:
- Monitor mode setup using libnl3
- Packet capture using libpcap
- 802.11 frame parsing (RA, TA, duration, retry flag)
- MAC address filtering (matches ESP32 filter behavior)
- Output format matches ESP32 debug logs for easy comparison
Co-authored-by: Cursor <cursoragent@cursor.com>
Robert McMahon