
I have several Raspberry Pis that are all the same model with the same build of Raspbian and running the same code, where I am simply using pyshark to sniff out probe requests and record them to a log file. I can have 5 identical Raspberry Pis running the same code sniffing for probe requests in the exact same area and there will be at least a 20% difference in the number of probe requests captured for, say, a 2-hour period. Sometimes higher than a 20% difference. Shouldn't they be much more similar?

I've looked at CPU usage and it's not overloading one or multiple cores. There is plenty of RAM available. The only thing I can think of is that, over time, Raspbian runs various OS-related "tuning" and some Raspberry Pis have "configured themselves" better than others? (Is that possible? Does Raspberry Pi have system events running that fine-tune itself?)

Here's a sample tshark command that captures my probe requests:

sudo nice -n -15 stdbuf -oL tshark -i wlan1 -I -f 'wlan type mgt subtype probe-req' -Y 'wlan.sa[0:3] ne b8:27:eb && radiotap.dbm_antsignal gt -73' -T fields -e frame.time_epoch -e wlan.sa -e radiotap.dbm_antsignal -E header=y -E separator=, -E quote=d -E occurrence=f >> ../data-test/tsharkoutput.txt

I would expect that if the CPU or RAM isn't tapped out, different Raspberry Pis running the same command should capture pretty close to the same number of packets, but they vary by 20% or more. Any thoughts on why that could be?

inspectorG4dget
KS_MVP

1 Answer


Don't use tshark (or libraries that depend on it)

When capturing from a physical interface, tshark is a wrapper for dumpcap. In this mode, tshark experiences higher loss than dumpcap.

You should use dumpcap or tcpdump instead. You will want to use a library other than PyShark if you want to avoid tshark usage.

802.11 traffic is noisy

On a separate note, 802.11 traffic is by definition noisy and prone to loss, so seeing different packets on different capturing devices is expected behavior.

Ross Jacobs
  • Thank you for the answer... that is helpful. I've run some other tests and I am still receiving some pretty large variation in the number of packets captured among identical Raspberry Pis even running dumpcap. Variations of at least 20%... sometimes 50%. (In other words, one Raspberry Pi might capture 5,000 probe requests in an hour and another identical Raspberry Pi might capture 7,500.) Is that all attributable to 802.11 traffic being noisy? Or might there be other things going on? – KS_MVP Sep 21 '19 at 12:09
  • Yes, 802.11 is expected to be noisy. – Ross Jacobs Sep 21 '19 at 16:24
  • OK. That makes sense. However, for some reason, 1 of my 5 Raspberry Pis seems to be capturing close to 50% more probes than the other ones. The other 4 seem to vary by maybe 10-20%. Way more common. And yet that one Raspberry Pi has the same hardware and software as the others. Could there be something else I'm missing? An OS tweak that happened automatically that I wasn't aware of? Anything different within the hardware that I'm not thinking of (aside from firmware)? – KS_MVP Sep 28 '19 at 09:39
  • Yeah you're barking down the wrong path. 802.11 captures between adjacent devices will have different traffic *by definition*. If you want to know more about 802.11, the CWNA study guide is a good resource (and you can find this on Amazon). If this answers your question, please mark it as such. – Ross Jacobs Sep 29 '19 at 05:27
  • So, I'm not an 802.11 expert, so that study guide will say a lot but it will be hard for me to pull out something relevant to this situation. Can you help provide a general idea for me on why two adjacent devices sniffing only probe requests wouldn't have pretty similar data? – KS_MVP Sep 30 '19 at 13:18
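A diagnostic for the log layout the question's tshark command produces, added here as an example (not code from the original post or the answer): it compares two Pis' field logs and splits the count gap into frames from senders only one Pi heard and frames sitting just above the -73 dBm cutoff, where a small difference in antenna gain or placement moves many frames across the filter. The sample logs are constructed, and MARGIN_DB is an assumed value.

```python
import csv
from collections import Counter
RSSI_CUTOFF = -73  # matches "radiotap.dbm_antsignal gt -73" in the question
MARGIN_DB = 3      # assumed: frames this close above the cutoff count as marginal
# Constructed sample logs in the layout the question's tshark command writes
# (-E header=y, separator=",", quote=d); ">>" appends a fresh header on restart.
PI_A = """frame.time_epoch,wlan.sa,radiotap.dbm_antsignal
"1569067200.10","aa:bb:cc:00:00:01","-55"
"1569067201.20","aa:bb:cc:00:00:02","-70"
frame.time_epoch,wlan.sa,radiotap.dbm_antsignal
"1569067202.30","aa:bb:cc:00:00:01","-72"
"1569067203.40","aa:bb:cc:00:00:03","-60"
"""
PI_B = """frame.time_epoch,wlan.sa,radiotap.dbm_antsignal
"1569067200.11","aa:bb:cc:00:00:01","-58"
"1569067201.25","aa:bb:cc:00:00:02","-71"
"1569067202.31","aa:bb:cc:00:00:01","-72"
"1569067203.45","aa:bb:cc:00:00:03","-63"
"1569067204.50","aa:bb:cc:00:00:04","-72"
"""

def load_log(text):
    """Parse tshark field output; skip repeated header lines and truncated rows."""
    rows = []
    for rec in csv.reader(text.splitlines()):
        if len(rec) != 3 or rec[0] == "frame.time_epoch":
            continue
        try:
            rows.append((float(rec[0]), rec[1].lower(), int(rec[2])))
        except ValueError:
            continue  # partial line left by an interrupted capture
    return rows

def summarize(rows):
    per_source = Counter(sa for _, sa, _ in rows)
    marginal = sum(1 for _, _, rssi in rows if rssi <= RSSI_CUTOFF + MARGIN_DB)
    return {"frames": len(rows), "sources": per_source, "marginal": marginal}

def compare(text_a, text_b):
    """Split a count gap into frames from senders only B heard, and each
    Pi's share of frames sitting within MARGIN_DB above the RSSI cutoff."""
    a, b = summarize(load_log(text_a)), summarize(load_log(text_b))
    only_b = set(b["sources"]) - set(a["sources"])
    return {
        "frames": (a["frames"], b["frames"]),
        "sources_only_in_b": sorted(only_b),
        "frames_from_unshared_sources": sum(b["sources"][s] for s in only_b),
        "marginal_share": (a["marginal"] / max(a["frames"], 1), b["marginal"] / max(b["frames"], 1)),
    }
```

If most of the busier Pi's surplus is marginal-RSSI frames, the gap is the threshold filter acting on slightly different radios rather than capture loss; if it comes from senders the quieter Pi never saw, compare placement and channel.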