- Write tshark output to temp file first to avoid pipe issues
- Redirect stderr to /dev/null to suppress field errors
- Filter to only keep lines starting with frame numbers
- This should fix the issue where only 1 packet was parsed instead of 217
Co-authored-by: Cursor <cursoragent@cursor.com>
- Filter output to only keep lines starting with frame numbers
- Remove complex error filtering that was removing valid packet data
- Use head to limit output size
- This should fix the issue where only 1 packet was parsed instead of 217
Co-authored-by: Cursor <cursoragent@cursor.com>
- Extract radiotap.datarate, radiotap.mcs.index, wlan_radio.data_rate, wlan_radio.mcs.index
- Generate histograms showing PHY rate distribution per RA/TA pair
- Generate histograms showing MCS index distribution per RA/TA pair
- Only analyze data frames (type 2) for histograms
- Histograms are sorted numerically for easy reading
Co-authored-by: Cursor <cursoragent@cursor.com>
- Remove IP/TCP/UDP field extraction (payloads are encrypted)
- Extract 802.11 frame control fields: protected, retry, duration
- Analyze QoS Data frames (type 2, subtype 8) which iperf uses
- Show encryption status and frame characteristics
- Update field numbers for radiotap.present (now field 11)
Co-authored-by: Cursor <cursoragent@cursor.com>
- Extract IP addresses, TCP/UDP ports from frames
- Look for TCP port 5001 (iperf default)
- Show frame type breakdown (Management/Control/Data)
- Analyze frames involving server MAC address
- This will help identify where iperf traffic is in the capture
Co-authored-by: Cursor <cursoragent@cursor.com>
- Remove -Y filter that was excluding frames without RA/TA
- Process all frames and handle missing fields gracefully
- Add warning when parsed count differs from raw packet count
- This should fix the issue where pcap has 217 packets but script only shows 1
Co-authored-by: Cursor <cursoragent@cursor.com>
- Check if pcap file exists and show its size
- Count raw packets in pcap file using capinfos or tshark
- Add sync after capture to ensure file is written
- This will help diagnose why main capture shows few/no packets
Co-authored-by: Cursor <cursoragent@cursor.com>
Display unique RA/TA pairs with frame counts, sorted by count (descending).
This helps identify which devices are communicating with each other and
the volume of traffic between each pair.
Co-authored-by: Cursor <cursoragent@cursor.com>
Display the name of the temporary pcap file being used for capture.
This helps with debugging and allows users to inspect the file if needed.
Co-authored-by: Cursor <cursoragent@cursor.com>
Capture to a temporary pcap file first, then parse it. This prevents
tshark from exiting early when encountering frames without RA/TA fields
during live capture. The capture phase won't error on missing fields,
and the parsing phase uses a display filter to only extract RA/TA from
frames that have them.
Co-authored-by: Cursor <cursoragent@cursor.com>
Redirect stderr to /dev/null to suppress 'Some fields aren't valid' errors
when tshark encounters frames without RA/TA fields. This should allow
tshark to continue capturing instead of exiting early.
Co-authored-by: Cursor <cursoragent@cursor.com>
Use tshark display filter to only capture frames that have RA or TA fields.
This prevents tshark from erroring when encountering management frames
that don't have these fields, which was causing early termination of captures.
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add -q flag to suppress tshark summary output
- Handle exit code 1 (field availability issues) as non-fatal
- Better filter out tshark status messages from packet counting
- Improve packet line detection to exclude status messages
Co-authored-by: Cursor <cursoragent@cursor.com>
Replace invalid wlan.addr1/wlan.addr2 with wlan.ra/wlan.ta fields.
These fields are the correct tshark field names for Receiver Address
and Transmitter Address in monitor mode captures.
Co-authored-by: Cursor <cursoragent@cursor.com>
- Fix script exit on timeout: handle exit code 124 from timeout command
- Add RA (Receiver Address) and TA (Transmitter Address) display in initial test capture
- Update main capture to show RA/TA instead of SA/DA for better monitor mode visibility
- Use wlan.addr1 and wlan.addr2 fields for universal compatibility across frame types
Co-authored-by: Cursor <cursoragent@cursor.com>
- Replace raw tab-separated values with readable format
- Show 'Frame X: PLCP header (radiotap) = yes/no' instead of '1 1'
- Add field labels for main capture sample packets
- Show SA, DA, type, subtype, and PLCP status in readable format
Co-authored-by: Cursor <cursoragent@cursor.com>
- Filter out 'X packets captured' summary lines from packet count
- Only count lines with tab-separated fields (actual packet data)
- Add sync to force output flush
- Ensure stats always display immediately after capture
- Remove trap that was interfering with normal flow
Co-authored-by: Cursor <cursoragent@cursor.com>
- Display stats right after 'Capturing packets' line completes
- Show packet count, PLCP count, and packet rate immediately
- Move sample packets display after stats
- Reorganize output for better readability
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add message that capture may take time
- Always display packet and PLCP counts
- Better parsing of tshark output
- Separate warnings/errors from packet data
- Show note if packets captured but no PLCP headers
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add progress messages and debug output
- Show tshark warnings/errors
- Always display counters even if no packets captured
- Better handling of empty output
- Show sample packets when available
- Add DLT check before capture
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add radiotap.present field to capture output
- Count packets with PLCP headers (radiotap information)
- Display PLCP count in both test capture and final summary
- Show warning if no PLCP headers detected (may indicate wrong DLT)
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add duration parameter (3rd argument, default 10 seconds, minimum 1 second)
- Change initial check to capture for 1 second instead of just 1 packet
- Count packets from actual capture output instead of running twice
- Fix field names (use wlan.fc.type/subtype instead of wlan.type)
- Show packet count summary at the end
- Display more packets (50 instead of 20)
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add test_monitor_tshark.sh to verify monitor mode works with tshark
- Fix set_monitor_mode to wait for Netlink response
- Improve libpcap initialization with pcap_create/pcap_set_rfmon/pcap_activate
- Add interface up/down control before/after setting monitor mode
- Add verification step to confirm monitor mode was set correctly
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add fallback channel verification using 'iw' command
- Show data link type on startup
- Print first 10 non-data frames for debugging
- Add periodic status during capture loop
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add get_current_channel() function to query actual channel/frequency
- Add freq_to_channel() helper to convert frequency back to channel
- Display verified channel and frequency after setting monitor mode
- Warn if requested channel doesn't match actual channel
Co-authored-by: Cursor <cursoragent@cursor.com>
A C program using GNU Automake for capturing and parsing 802.11 WiFi
frame headers in monitor mode. Designed to verify ESP32 monitor code
by comparing Linux vs ESP32 frame parsing.
Features:
- Monitor mode setup using libnl3
- Packet capture using libpcap
- 802.11 frame parsing (RA, TA, duration, retry flag)
- MAC address filtering (matches ESP32 filter behavior)
- Output format matches ESP32 debug logs for easy comparison
Co-authored-by: Cursor <cursoragent@cursor.com>
Robert McMahon