StreamLens/debug_frame_298_reference.py

#!/usr/bin/env python3
"""Debug any outlier with previous frame 298"""

import sys
sys.path.append('.')

from analyzer.analysis import EthernetAnalyzer
from analyzer.analysis.background_analyzer import BackgroundAnalyzer
import time

def debug_frame_298_reference(pcap_file="1 PTPGM.pcapng", src_ip="192.168.4.89"):
    """Debug any outlier that has previous frame 298"""
    
    print("=== Debugging Outliers with Previous Frame 298 ===")
    
    # Test background analyzer (what TUI uses)
    analyzer = EthernetAnalyzer(enable_realtime=False, outlier_threshold_sigma=3.0)
    bg_analyzer = BackgroundAnalyzer(analyzer, num_threads=1)
    
    bg_analyzer.start_parsing(pcap_file)
    while bg_analyzer.is_parsing:
        time.sleep(0.1)
    
    # Find test flow
    test_flow = None
    for flow_key, flow in analyzer.flows.items():
        if flow.src_ip == src_ip:
            test_flow = flow
            break
    
    if not test_flow:
        print(f"❌ No flow found from {src_ip}")
        bg_analyzer.cleanup()
        return
    
    print(f"✅ Found flow: {test_flow.src_ip}:{test_flow.src_port} → {test_flow.dst_ip}:{test_flow.dst_port}")
    
    # Search for any outliers with previous frame around 298
    target_prev_frame = 298
    found_suspicious = False
    
    print(f"\n=== Searching for outliers with prev_frame_num around {target_prev_frame} ===")
    
    for frame_type, ft_stats in test_flow.frame_types.items():
        if hasattr(ft_stats, 'enhanced_outlier_details') and ft_stats.enhanced_outlier_details:
            for frame_num, prev_frame_num, delta_t in ft_stats.enhanced_outlier_details:
                # Check for exact match or close matches
                if abs(prev_frame_num - target_prev_frame) <= 5:
                    print(f"🔍 FOUND: {frame_type} - Frame {frame_num} (from {prev_frame_num}): {delta_t * 1000:.3f} ms")
                    
                    # Verify this is wrong by checking the actual sequence
                    if frame_num in ft_stats.frame_numbers:
                        frame_index = ft_stats.frame_numbers.index(frame_num)
                        if frame_index > 0:
                            expected_prev = ft_stats.frame_numbers[frame_index - 1]
                            if prev_frame_num != expected_prev:
                                print(f"  ❌ WRONG REFERENCE: Expected {expected_prev}, got {prev_frame_num}")
                                print(f"  Frame sequence: {ft_stats.frame_numbers[max(0, frame_index-2):frame_index+3]}")
                            else:
                                print(f"  ✅ Reference is actually correct")
                    found_suspicious = True
    
    if not found_suspicious:
        print(f"No outliers found with prev_frame_num around {target_prev_frame}")
    
    # Also search for frame 2002 specifically in any outlier
    print(f"\n=== Searching for frame 2002 in any outlier ===")
    target_frame = 2002
    found_2002 = False
    
    for frame_type, ft_stats in test_flow.frame_types.items():
        if hasattr(ft_stats, 'enhanced_outlier_details') and ft_stats.enhanced_outlier_details:
            for frame_num, prev_frame_num, delta_t in ft_stats.enhanced_outlier_details:
                if frame_num == target_frame:
                    print(f"🔍 FOUND 2002: {frame_type} - Frame {frame_num} (from {prev_frame_num}): {delta_t * 1000:.3f} ms")
                    
                    # Check if this is the problematic reference
                    if prev_frame_num == target_prev_frame:
                        print(f"  ⚠️  This is the problematic outlier you mentioned!")
                    
                    found_2002 = True
    
    if not found_2002:
        print(f"Frame 2002 not found in any outlier")
    
    # Show all outliers for this flow to get the complete picture
    print(f"\n=== All Enhanced Outliers for this Flow ===")
    total_outliers = 0
    
    for frame_type, ft_stats in test_flow.frame_types.items():
        if hasattr(ft_stats, 'enhanced_outlier_details') and ft_stats.enhanced_outlier_details:
            print(f"\n{frame_type} ({len(ft_stats.enhanced_outlier_details)} outliers):")
            for frame_num, prev_frame_num, delta_t in ft_stats.enhanced_outlier_details:
                deviation = (delta_t - ft_stats.avg_inter_arrival) / ft_stats.std_inter_arrival if ft_stats.std_inter_arrival > 0 else 0
                print(f"  Frame {frame_num} (from {prev_frame_num}): {delta_t * 1000:.3f} ms ({deviation:.1f}σ)")
                total_outliers += 1
    
    print(f"\nTotal enhanced outliers: {total_outliers}")
    
    # Check real-time mode as well
    print(f"\n=== Testing Real-time Mode ===")
    analyzer_rt = EthernetAnalyzer(enable_realtime=True, outlier_threshold_sigma=3.0)
    
    from analyzer.utils import PCAPLoader
    loader = PCAPLoader(pcap_file)
    packets = loader.load_all()
    
    for i, packet in enumerate(packets, 1):
        analyzer_rt._process_single_packet(packet, i)
    
    # Find flow in real-time mode
    test_flow_rt = None
    for flow_key, flow in analyzer_rt.flows.items():
        if flow.src_ip == src_ip:
            test_flow_rt = flow
            break
    
    if test_flow_rt:
        print(f"Real-time mode outliers:")
        for frame_type, ft_stats in test_flow_rt.frame_types.items():
            if hasattr(ft_stats, 'enhanced_outlier_details') and ft_stats.enhanced_outlier_details:
                for frame_num, prev_frame_num, delta_t in ft_stats.enhanced_outlier_details:
                    if frame_num == 2002 or prev_frame_num == 298:
                        print(f"  {frame_type}: Frame {frame_num} (from {prev_frame_num}): {delta_t * 1000:.3f} ms")
    
    bg_analyzer.cleanup()

if __name__ == "__main__":
    if len(sys.argv) > 1:
        debug_frame_298_reference(sys.argv[1])
    else:
        debug_frame_298_reference()