include real packet time

bpf/ptcpdump.c

@@ -73,6 +73,7 @@ struct flow_pid_value_t {
 };
 
 struct packet_event_meta_t {
+    u64 timestamp;
     u8 packet_type;
     u32 ifindex;
     u32 pid;
@@ -396,6 +397,7 @@ static __always_inline int handle_tc(struct __sk_buff *skb, bool egress) {
     } else {
         event->meta.packet_type = INGRESS_PACKET;
     }
+    event->meta.timestamp = bpf_ktime_get_ns();
     event->meta.ifindex = packet_meta.ifindex;
     event->meta.pid = value->pid;
     __builtin_memcpy(&event->meta.comm, &value->comm, sizeof(value->comm));

go.mod

@@ -7,8 +7,9 @@ require (
 	github.com/florianl/go-tc v0.4.3
 	github.com/gopacket/gopacket v1.2.0
 	github.com/shirou/gopsutil/v3 v3.24.3
+	github.com/vishvananda/netlink v1.1.0
 	github.com/x-way/pktdump v0.0.5
-	golang.org/x/sys v0.18.0
+	golang.org/x/sys v0.19.0
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028
 )
 
@@ -23,7 +24,6 @@ require (
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
 	github.com/tklauser/go-sysconf v0.3.12 // indirect
 	github.com/tklauser/numcpus v0.6.1 // indirect
-	github.com/vishvananda/netlink v1.1.0 // indirect
 	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 // indirect

go.sum

@@ -157,8 +157,9 @@ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
+golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

internal/event/net.go

@@ -3,9 +3,13 @@ package event
 import (
 	"bytes"
 	"encoding/binary"
+	"fmt"
 	"github.com/mozillazg/ptcpdump/bpf"
 	"github.com/mozillazg/ptcpdump/internal/dev"
+	"golang.org/x/sys/unix"
 	"golang.org/x/xerrors"
+	"log"
+	"time"
 	"unsafe"
 )
 
@@ -17,6 +21,7 @@ const (
 )
 
 type Packet struct {
+	Time      time.Time
 	Type      packetType
 	Device    dev.Device
 	Pid       int
@@ -35,16 +40,23 @@ func ParsePacketEvent(devices map[int]dev.Device, rawSample []byte) (*Packet, er
 	}
 	copy(event.Payload[:], rawSample[unsafe.Offsetof(event.Payload):])
 
+	if t, err := convertBpfKTimeNs(event.Meta.Timestamp); err != nil {
+		log.Printf("convert bpf time failed: %+v", err)
+		p.Time = time.Now().UTC()
+	} else {
+		p.Time = t.UTC()
+	}
 	p.Pid = int(event.Meta.Pid)
 	p.Comm = strComm(event.Meta.Comm)
+	p.Device = devices[int(event.Meta.Ifindex)]
+
 	if event.Meta.PacketType == 1 {
 		p.Type = packetTypeEgress
 	}
 	if event.Meta.PacketSize > event.Meta.PayloadLen {
 		p.Truncated = true
 	}
 	p.Len = int(event.Meta.PacketSize)
-	p.Device = devices[int(event.Meta.Ifindex)]
 	p.Data = make([]byte, event.Meta.PayloadLen)
 	copy(p.Data[:], event.Payload[:event.Meta.PayloadLen])
 
@@ -66,3 +78,22 @@ func strComm(comm [16]int8) string {
 	}
 	return string(b)
 }
+
+func convertBpfKTimeNs(t uint64) (time.Time, error) {
+	b, err := getBootTimeNs()
+	if err != nil {
+		return time.Time{}, err
+	}
+
+	return time.Now().Add(-time.Duration(b - int64(t))), nil
+}
+
+func getBootTimeNs() (int64, error) {
+	var ts unix.Timespec
+	err := unix.ClockGettime(unix.CLOCK_MONOTONIC, &ts)
+	if err != nil {
+		return 0, fmt.Errorf("could not get time: %s", err)
+	}
+
+	return unix.TimespecToNsec(ts), nil
+}

internal/writer/pcapng.go

@@ -8,7 +8,6 @@ import (
 	"github.com/mozillazg/ptcpdump/internal/metadata"
 	"golang.org/x/xerrors"
 	"log"
-	"time"
 )
 
 type PcapNGWriter struct {
@@ -23,7 +22,7 @@ func NewPcapNGWriter(pw *pcapgo.NgWriter, pcache *metadata.ProcessCache) *PcapNG
 func (w *PcapNGWriter) Write(e *event.Packet) error {
 	payloadLen := len(e.Data)
 	info := gopacket.CaptureInfo{
-		Timestamp:      time.Now(),
+		Timestamp:      e.Time.Local(),
 		CaptureLength:  payloadLen,
 		Length:         e.Len,
 		InterfaceIndex: e.Device.Ifindex,

internal/writer/stdout.go

@@ -8,7 +8,7 @@ import (
 	"github.com/mozillazg/ptcpdump/internal/metadata"
 	"github.com/x-way/pktdump"
 	"io"
-	"time"
+	"log"
 )
 
 type StdoutWriter struct {
@@ -37,11 +37,12 @@ func (w *StdoutWriter) Write(e *event.Packet) error {
 	formated := pktdump.Format(packet)
 
 	msg := fmt.Sprintf("%s %s %s, %s\n",
-		//packet.Metadata().CaptureInfo.Timestamp.Format("15:04:05.000000"),
-		time.Now().Local().Format("15:04:05.000000"),
+		e.Time.Local().Format("15:04:05.000000"),
 		packetType, formated, pidInfo)
 
-	w.w.Write([]byte(msg))
+	if _, err := w.w.Write([]byte(msg)); err != nil {
+		log.Printf("write packet failed: %+v", err)
+	}
 
 	return nil
 }