CODEWITHSUNDEEP
dockergodocker-composegopacket
Ashish
Ashish

Reputation: 39

Unbale to capturing packets with high-precision time stamp with go packet

I am trying to capture the live packets from available interface. My code is developed in go lang and for capturing purpose, I am using google's go packet library.

I am able to capture packets but I am unable to get precise timestamp.

If I run the below command and see the timestamp in wireshark, I am getting accurate difference between timestamps.

tcpdump -i device0 -j adapter_unsynced -w captureOnMachine.pcap

But, If I generate tcp dump using go packet library there is no precision.

I looked over the internet about adapter_unsynced command and saw

 PCAP_TSTAMP_ADAPTER_UNSYNCED - adapter_unsynced
                 Time  stamp provided by the network adapter on which the cap-
                 ture is being done.  This is a high-precision time stamp;  it
                 is not synchronized with the host operating system's clock.

Can we get same setting in docker or go packet library.

Upvotes: 1

Views: 296

Answers (1)

Zeke Lu
Zeke Lu

Reputation: 7485

There is a warning for pcap.OpenLive:

Warning: this function supports only microsecond timestamps. For nanosecond resolution use an InactiveHandle.

An InactiveHandle sets the timestamp precision to nanosecond by default (see the source code). But if the hardware or software cannot supply a higher-resolution timestamp, it will fallback to microsecond resolution. If you're sure that the timestamp source adapter_unsynced is supported by the device and supplies a higher-resolution timestamp, you can set the timestamp source like this:

package main

import (
    "log"

    "github.com/google/gopacket/pcap"
)

func main() {
    inactive, err := pcap.NewInactiveHandle("device0")
    if err != nil {
        log.Fatalf("could not create: %v", err)
    }
    defer inactive.CleanUp()

    // Configure the inactive handle:
    // inactive.SetSnapLen
    // inactive.SetPromisc
    // inactive.SetTimeout

    if t, err := pcap.TimestampSourceFromString("adapter_unsynced"); err != nil {
        log.Fatalf("Supported timestamp types: %v", inactive.SupportedTimestamps())
    } else if err := inactive.SetTimestampSource(t); err != nil {
        log.Fatalf("Supported timestamp types: %v", inactive.SupportedTimestamps())
    }
    handle, err := inactive.Activate()
    if err != nil {
        log.Fatal("PCAP Activate error:", err)
    }
    defer handle.Close()

    // use the handle ...
}

Upvotes: 0

Related Questions