- Check if pcap file exists and show its size
- Count raw packets in pcap file using capinfos or tshark
- Add sync after capture to ensure file is written
- This will help diagnose why main capture shows few/no packets
Co-authored-by: Cursor <cursoragent@cursor.com>
Display unique RA/TA pairs with frame counts, sorted by count (descending).
This helps identify which devices are communicating with each other and
the volume of traffic between each pair.
Co-authored-by: Cursor <cursoragent@cursor.com>
Display the name of the temporary pcap file being used for capture.
This helps with debugging and allows users to inspect the file if needed.
Co-authored-by: Cursor <cursoragent@cursor.com>
Capture to a temporary pcap file first, then parse it. This prevents
tshark from exiting early when encountering frames without RA/TA fields
during live capture. The capture phase won't error on missing fields,
and the parsing phase uses a display filter to only extract RA/TA from
frames that have them.
Co-authored-by: Cursor <cursoragent@cursor.com>
Redirect stderr to /dev/null to suppress 'Some fields aren't valid' errors
when tshark encounters frames without RA/TA fields. This should allow
tshark to continue capturing instead of exiting early.
Co-authored-by: Cursor <cursoragent@cursor.com>
Use tshark display filter to only capture frames that have RA or TA fields.
This prevents tshark from erroring when encountering management frames
that don't have these fields, which was causing early termination of captures.
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add -q flag to suppress tshark summary output
- Handle exit code 1 (field availability issues) as non-fatal
- Better filter out tshark status messages from packet counting
- Improve packet line detection to exclude status messages
Co-authored-by: Cursor <cursoragent@cursor.com>
Replace invalid wlan.addr1/wlan.addr2 with wlan.ra/wlan.ta fields.
These fields are the correct tshark field names for Receiver Address
and Transmitter Address in monitor mode captures.
Co-authored-by: Cursor <cursoragent@cursor.com>
- Fix script exit on timeout: handle exit code 124 from timeout command
- Add RA (Receiver Address) and TA (Transmitter Address) display in initial test capture
- Update main capture to show RA/TA instead of SA/DA for better monitor mode visibility
- Use wlan.addr1 and wlan.addr2 fields for universal compatibility across frame types
Co-authored-by: Cursor <cursoragent@cursor.com>
- Replace raw tab-separated values with readable format
- Show 'Frame X: PLCP header (radiotap) = yes/no' instead of '1 1'
- Add field labels for main capture sample packets
- Show SA, DA, type, subtype, and PLCP status in readable format
Co-authored-by: Cursor <cursoragent@cursor.com>
- Filter out 'X packets captured' summary lines from packet count
- Only count lines with tab-separated fields (actual packet data)
- Add sync to force output flush
- Ensure stats always display immediately after capture
- Remove trap that was interfering with normal flow
Co-authored-by: Cursor <cursoragent@cursor.com>
- Display stats right after 'Capturing packets' line completes
- Show packet count, PLCP count, and packet rate immediately
- Move sample packets display after stats
- Reorganize output for better readability
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add message that capture may take time
- Always display packet and PLCP counts
- Better parsing of tshark output
- Separate warnings/errors from packet data
- Show note if packets captured but no PLCP headers
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add progress messages and debug output
- Show tshark warnings/errors
- Always display counters even if no packets captured
- Better handling of empty output
- Show sample packets when available
- Add DLT check before capture
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add radiotap.present field to capture output
- Count packets with PLCP headers (radiotap information)
- Display PLCP count in both test capture and final summary
- Show warning if no PLCP headers detected (may indicate wrong DLT)
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add duration parameter (3rd argument, default 10 seconds, minimum 1 second)
- Change initial check to capture for 1 second instead of just 1 packet
- Count packets from actual capture output instead of running twice
- Fix field names (use wlan.fc.type/subtype instead of wlan.type)
- Show packet count summary at the end
- Display more packets (50 instead of 20)
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add test_monitor_tshark.sh to verify monitor mode works with tshark
- Fix set_monitor_mode to wait for Netlink response
- Improve libpcap initialization with pcap_create/pcap_set_rfmon/pcap_activate
- Add interface up/down control before/after setting monitor mode
- Add verification step to confirm monitor mode was set correctly
Co-authored-by: Cursor <cursoragent@cursor.com>
Robert McMahon