Add unique RA/TA pair counting to test_monitor_tshark.sh

Display unique RA/TA pairs with frame counts, sorted by count (descending).
This helps identify which devices are communicating with each other and
the volume of traffic between each pair.

Co-authored-by: Cursor <cursoragent@cursor.com>

test_monitor_tshark.sh

@@ -131,15 +131,26 @@ echo ""
 # Capture for specified duration and count packets
 echo "Capturing packets for $DURATION seconds..."
 
-# Run capture with timeout
+# Use a temporary pcap file to avoid field extraction errors during capture
-# Note: timeout returns 124 when it times out (expected), so we need to handle that
+# Capture to file first, then parse it - this prevents tshark from exiting early
-# Also, wlan.ra/wlan.ta may not be available for all frame types, which can cause tshark to exit with code 1
+TEMP_PCAP=$(mktemp /tmp/tshark_capture_XXXXXX.pcap)
-# We'll capture both stdout and stderr, but continue even if tshark exits with an error
+echo "Capturing to temporary file: $TEMP_PCAP"
+
 set +e  # Temporarily disable exit on error
-# Use -q to suppress packet count output
+# Capture to pcap file - this won't error on missing fields
-# Redirect stderr to /dev/null to suppress "Some fields aren't valid" errors
+timeout "$DURATION" tshark -q -i "$INTERFACE" -n -w "$TEMP_PCAP" 2>/dev/null
-# This allows tshark to continue even when encountering frames without RA/TA
+CAPTURE_EXIT_CODE=$?
-CAPTURE_OUTPUT=$(timeout "$DURATION" tshark -q -i "$INTERFACE" -n -T fields \
+set -e  # Re-enable exit on error
+
+# Exit code 124 means timeout occurred (expected), 0 means command completed normally
+if [ "$CAPTURE_EXIT_CODE" -ne 0 ] && [ "$CAPTURE_EXIT_CODE" -ne 124 ]; then
+    echo "Warning: tshark capture exited with code $CAPTURE_EXIT_CODE"
+fi
+
+# Now parse the pcap file to extract fields
+# Use -Y filter to only process frames that have RA/TA to avoid field errors
+CAPTURE_OUTPUT=$(tshark -q -r "$TEMP_PCAP" -n -T fields \
+    -Y "(wlan.ra) || (wlan.ta)" \
     -e frame.number \
     -e frame.time \
     -e wlan.ra \
@@ -148,16 +159,10 @@ CAPTURE_OUTPUT=$(timeout "$DURATION" tshark -q -i "$INTERFACE" -n -T fields \
     -e wlan.fc.subtype \
     -e wlan.fc.type_subtype \
     -e radiotap.present \
-    2>/dev/null)
+    2>/dev/null || true)
-CAPTURE_EXIT_CODE=$?
-set -e  # Re-enable exit on error
 
-# Exit code 124 means timeout occurred (expected), 0 means command completed normally
+# Clean up temp file
-# Exit code 1 might mean some fields weren't available for some frames, but we still got data
+rm -f "$TEMP_PCAP"
-# Other exit codes indicate actual errors
-if [ "$CAPTURE_EXIT_CODE" -ne 0 ] && [ "$CAPTURE_EXIT_CODE" -ne 124 ] && [ "$CAPTURE_EXIT_CODE" -ne 1 ]; then
-    echo "Warning: tshark exited with code $CAPTURE_EXIT_CODE"
-fi
 
 # Force output flush
 sync
@@ -206,6 +211,31 @@ if [ -n "$PACKET_LINES" ] && [ "$FINAL_COUNT" -gt 0 ]; then
             $1, ra, ta, type, subtype, radiotap
     }'
     echo ""
+    
+    # Count unique RA/TA pairs
+    echo "Unique RA/TA pairs (with counts):"
+    UNIQUE_PAIRS=$(echo "$PACKET_LINES" | awk -F'\t' '{
+        ra = ($3 != "" && $3 != "-") ? $3 : "N/A"
+        ta = ($4 != "" && $4 != "-") ? $4 : "N/A"
+        if (ra != "N/A" || ta != "N/A") {
+            pair = ra " -> " ta
+            count[pair]++
+        }
+    }
+    END {
+        for (pair in count) {
+            printf "%d\t%s\n", count[pair], pair
+        }
+    }' | sort -rn)
+    
+    if [ -n "$UNIQUE_PAIRS" ]; then
+        echo "$UNIQUE_PAIRS" | awk -F'\t' '{
+            printf "  %s: %d frame(s)\n", $2, $1
+        }'
+    else
+        echo "  (no valid RA/TA pairs found)"
+    fi
+    echo ""
 else
     echo "(No packets captured)"
     echo ""