tabbed frametype filtering

debug_frame_298_reference.py

@@ -0,0 +1,132 @@
+#!/usr/bin/env python3
+"""Debug any outlier with previous frame 298"""
+
+import sys
+sys.path.append('.')
+
+from analyzer.analysis import EthernetAnalyzer
+from analyzer.analysis.background_analyzer import BackgroundAnalyzer
+import time
+
+def debug_frame_298_reference(pcap_file="1 PTPGM.pcapng", src_ip="192.168.4.89"):
+    """Debug any outlier that has previous frame 298"""
+    
+    print("=== Debugging Outliers with Previous Frame 298 ===")
+    
+    # Test background analyzer (what TUI uses)
+    analyzer = EthernetAnalyzer(enable_realtime=False, outlier_threshold_sigma=3.0)
+    bg_analyzer = BackgroundAnalyzer(analyzer, num_threads=1)
+    
+    bg_analyzer.start_parsing(pcap_file)
+    while bg_analyzer.is_parsing:
+        time.sleep(0.1)
+    
+    # Find test flow
+    test_flow = None
+    for flow_key, flow in analyzer.flows.items():
+        if flow.src_ip == src_ip:
+            test_flow = flow
+            break
+    
+    if not test_flow:
+        print(f"❌ No flow found from {src_ip}")
+        bg_analyzer.cleanup()
+        return
+    
+    print(f"✅ Found flow: {test_flow.src_ip}:{test_flow.src_port} → {test_flow.dst_ip}:{test_flow.dst_port}")
+    
+    # Search for any outliers with previous frame around 298
+    target_prev_frame = 298
+    found_suspicious = False
+    
+    print(f"\n=== Searching for outliers with prev_frame_num around {target_prev_frame} ===")
+    
+    for frame_type, ft_stats in test_flow.frame_types.items():
+        if hasattr(ft_stats, 'enhanced_outlier_details') and ft_stats.enhanced_outlier_details:
+            for frame_num, prev_frame_num, delta_t in ft_stats.enhanced_outlier_details:
+                # Check for exact match or close matches
+                if abs(prev_frame_num - target_prev_frame) <= 5:
+                    print(f"🔍 FOUND: {frame_type} - Frame {frame_num} (from {prev_frame_num}): {delta_t * 1000:.3f} ms")
+                    
+                    # Verify this is wrong by checking the actual sequence
+                    if frame_num in ft_stats.frame_numbers:
+                        frame_index = ft_stats.frame_numbers.index(frame_num)
+                        if frame_index > 0:
+                            expected_prev = ft_stats.frame_numbers[frame_index - 1]
+                            if prev_frame_num != expected_prev:
+                                print(f"  ❌ WRONG REFERENCE: Expected {expected_prev}, got {prev_frame_num}")
+                                print(f"  Frame sequence: {ft_stats.frame_numbers[max(0, frame_index-2):frame_index+3]}")
+                            else:
+                                print(f"  ✅ Reference is actually correct")
+                    found_suspicious = True
+    
+    if not found_suspicious:
+        print(f"No outliers found with prev_frame_num around {target_prev_frame}")
+    
+    # Also search for frame 2002 specifically in any outlier
+    print(f"\n=== Searching for frame 2002 in any outlier ===")
+    target_frame = 2002
+    found_2002 = False
+    
+    for frame_type, ft_stats in test_flow.frame_types.items():
+        if hasattr(ft_stats, 'enhanced_outlier_details') and ft_stats.enhanced_outlier_details:
+            for frame_num, prev_frame_num, delta_t in ft_stats.enhanced_outlier_details:
+                if frame_num == target_frame:
+                    print(f"🔍 FOUND 2002: {frame_type} - Frame {frame_num} (from {prev_frame_num}): {delta_t * 1000:.3f} ms")
+                    
+                    # Check if this is the problematic reference
+                    if prev_frame_num == target_prev_frame:
+                        print(f"  ⚠️  This is the problematic outlier you mentioned!")
+                    
+                    found_2002 = True
+    
+    if not found_2002:
+        print(f"Frame 2002 not found in any outlier")
+    
+    # Show all outliers for this flow to get the complete picture
+    print(f"\n=== All Enhanced Outliers for this Flow ===")
+    total_outliers = 0
+    
+    for frame_type, ft_stats in test_flow.frame_types.items():
+        if hasattr(ft_stats, 'enhanced_outlier_details') and ft_stats.enhanced_outlier_details:
+            print(f"\n{frame_type} ({len(ft_stats.enhanced_outlier_details)} outliers):")
+            for frame_num, prev_frame_num, delta_t in ft_stats.enhanced_outlier_details:
+                deviation = (delta_t - ft_stats.avg_inter_arrival) / ft_stats.std_inter_arrival if ft_stats.std_inter_arrival > 0 else 0
+                print(f"  Frame {frame_num} (from {prev_frame_num}): {delta_t * 1000:.3f} ms ({deviation:.1f}σ)")
+                total_outliers += 1
+    
+    print(f"\nTotal enhanced outliers: {total_outliers}")
+    
+    # Check real-time mode as well
+    print(f"\n=== Testing Real-time Mode ===")
+    analyzer_rt = EthernetAnalyzer(enable_realtime=True, outlier_threshold_sigma=3.0)
+    
+    from analyzer.utils import PCAPLoader
+    loader = PCAPLoader(pcap_file)
+    packets = loader.load_all()
+    
+    for i, packet in enumerate(packets, 1):
+        analyzer_rt._process_single_packet(packet, i)
+    
+    # Find flow in real-time mode
+    test_flow_rt = None
+    for flow_key, flow in analyzer_rt.flows.items():
+        if flow.src_ip == src_ip:
+            test_flow_rt = flow
+            break
+    
+    if test_flow_rt:
+        print(f"Real-time mode outliers:")
+        for frame_type, ft_stats in test_flow_rt.frame_types.items():
+            if hasattr(ft_stats, 'enhanced_outlier_details') and ft_stats.enhanced_outlier_details:
+                for frame_num, prev_frame_num, delta_t in ft_stats.enhanced_outlier_details:
+                    if frame_num == 2002 or prev_frame_num == 298:
+                        print(f"  {frame_type}: Frame {frame_num} (from {prev_frame_num}): {delta_t * 1000:.3f} ms")
+    
+    bg_analyzer.cleanup()
+
+if __name__ == "__main__":
+    if len(sys.argv) > 1:
+        debug_frame_298_reference(sys.argv[1])
+    else:
+        debug_frame_298_reference()