Add PCAP file parsing support (offline mode)

Author: zonque

README.md

@@ -19,6 +19,7 @@ A powerful cross-platform terminal-based application for monitoring and analyzin
 ### 🌐 **Network Monitoring**
 - 🔍 Automatic PTP host discovery on port 319 and 320
 - 📡 **Cross-platform packet capture** - Uses libpcap/pcap for promiscuous mode on Linux, macOS, and Windows
+- 📄 **PCAP file support** - Read and analyze PTP packets from captured pcap files (offline analysis mode)
 - 🌐 **Multicast group membership** - Ensures network interfaces receive multicast PTP traffic
 - 🔍 **Full packet analysis** - Records both raw packet data and parsed PTP content
 - 🎯 **Smart interface selection** - Automatically filters virtual interfaces while supporting manual override
@@ -28,6 +29,7 @@ A powerful cross-platform terminal-based application for monitoring and analyzin
 - 📊 Primary Time Transmitter marked with "PTT" indicator
 - 📈 Network statistics and quality metrics
 - 🕐 Timing relationship tracking
+- ⏸️ **Time reference modes** - Live network uses current system time; pcap mode uses last packet timestamp as reference
 - 🌳 **Tree view mode** - Hierarchical display showing transmitter-receiver relationships with proper indentation and PTT (Primary Time Transmitter) indicators
 - 🌳 Visual hierarchy mapping of transmitter-receiver relationships
 - 🏷️ **VLAN support** - Detects and displays VLAN tags in PTP packets
@@ -45,6 +47,23 @@ A powerful cross-platform terminal-based application for monitoring and analyzin
 - 🎨 Color-coded message types (ANNOUNCE, SYNC, DELAY_REQ, PDELAY_REQ, etc.)
 - 🌐 **Interface-aware capture** - Tracks which interface each packet was received on
 
+## 📄 PCAP File Analysis
+
+PTP Trace supports offline analysis of PTP traffic from pcap files in offline mode.
+
+### Creating PCAP Files:
+```bash
+# Capture PTP traffic with tcpdump (Linux/macOS)
+sudo tcpdump -i eth0 -w ptp_capture.pcap 'udp port 319 or udp port 320'
+
+# Capture with Wireshark (all platforms)
+# Filter: udp.port == 319 or udp.port == 320
+# Save as: ptp_capture.pcap
+
+# Analyze the captured file
+./target/release/ptp-trace --pcap-file ptp_capture.pcap
+```
+
 ## Demo
 
 ![Demo](demo.gif)
@@ -53,7 +72,7 @@ A powerful cross-platform terminal-based application for monitoring and analyzin
 
 ### 📋 Prerequisites
 - 🦀 Rust 1.70.0 or later
-- 🔧 **Administrator privileges required** - Needed for promiscuous mode packet capture
+- 🔧 **Administrator privileges required** - Needed for promiscuous mode packet capture (in live capture mode)
 - 🌐 Network interfaces with PTP traffic (ports 319/320)
 - 📦 **Platform-specific requirements**:
   - **Linux**: libpcap-dev (`sudo apt install libpcap-dev`)
@@ -77,6 +96,9 @@ sudo ./target/release/ptp-trace
 ### ⚙️ Command Line Options
 
 ```bash
+# 📄 Analyze packets from pcap file (offline mode, no admin privileges needed)
+./target/release/ptp-trace --pcap-file capture.pcap
+
 # 🌐 Monitor specific interface (requires root)
 sudo ./target/release/ptp-trace --interface eth0
 
@@ -97,11 +119,16 @@ sudo ./target/release/ptp-trace --update-interval 500
 # 🎨 Use Matrix theme
 sudo ./target/release/ptp-trace --theme matrix
 
+# 📄 Analyze pcap file with custom theme and faster updates
+./target/release/ptp-trace --pcap-file capture.pcap --theme matrix --update-interval 250
+
 # 🐛 Enable debug mode
 sudo ./target/release/ptp-trace --debug
 
-# 🔧 Combine options
+# 🔧 Combine options for live monitoring
 sudo ./target/release/ptp-trace --interface eth0 --interface eth1 --theme matrix --update-interval 500
+
+# Note: --interface and --pcap-file options are mutually exclusive
 ```
 
 ## 🎮 Controls
@@ -146,10 +173,11 @@ Choose from multiple built-in themes. See the output of `ptp-trace --help` to ge
 
 ### 🗺️ **Future Roadmap**
 - 📤 **Data export** - JSON, PCAP output formats for raw packet data
-- 🔍 **Advanced filtering** - Search and filter capabilities
+- 🔍 **Advanced filtering** - Search and filter capabilities for both live and pcap modes
 - 📊 **Enhanced analytics** - Statistical analysis of timing data
 - 🔧 **Configuration management** - Save/load application settings
 - 📦 **Packet inspection tools** - Hex dump viewer for raw packet analysis
+- 🎬 **PCAP enhancements** - Playback controls, time range selection, and analysis reports
 
 ## 🛠️ Development
 

src/app.rs

@@ -134,7 +134,7 @@ impl App {
         update_interval: Duration,
         debug: bool,
         theme_name: crate::themes::ThemeName,
-        raw_socket_receiver: crate::socket::RawSocketReceiver,
+        raw_socket_receiver: crate::source::RawSocketReceiver,
     ) -> Result<Self> {
         let ptp_tracker = PtpTracker::new(raw_socket_receiver)?;
         let theme = crate::themes::Theme::new(theme_name);
@@ -1187,6 +1187,10 @@ impl App {
         self.modal_packet.as_ref()
     }
 
+    pub fn get_reference_timestamp(&self) -> Option<std::time::SystemTime> {
+        self.ptp_tracker.raw_socket_receiver.get_last_timestamp()
+    }
+
     fn scroll_modal_up(&mut self) {
         if self.modal_scroll_offset > 0 {
             self.modal_scroll_offset -= 1;

src/main.rs

@@ -6,7 +6,7 @@ mod app;
 mod bounded_vec;
 mod oui_map;
 mod ptp;
-mod socket;
+mod source;
 mod themes;
 mod types;
 mod ui;
@@ -52,9 +52,13 @@ pub struct Cli {
     command: Option<Commands>,
 
     /// Network interface(s) to monitor. Can be specified multiple times. If not specified, monitors all interfaces.
-    #[arg(short, long)]
+    #[arg(short, long, conflicts_with = "pcap_file")]
     interface: Vec<String>,
 
+    /// Read packets from a pcap file instead of network interfaces. In pcap mode, timestamps are shown relative to the last packet in the file
+    #[arg(short = 'f', long, value_name = "FILE", conflicts_with = "interface")]
+    pcap_file: Option<String>,
+
     /// Update interval in milliseconds
     #[arg(short, long, default_value = "1000")]
     update_interval: u64,
@@ -93,8 +97,12 @@ async fn main() -> Result<()> {
         ThemeName::Default
     });
 
-    // Create raw socket receiver early to fail fast if network setup is problematic
-    let raw_socket_receiver = socket::create(&cli.interface).await?;
+    // Create packet source (either from network interfaces or pcap file)
+    let raw_socket_receiver = if let Some(pcap_path) = &cli.pcap_file {
+        source::create_pcap(pcap_path).await?
+    } else {
+        source::create_socket(&cli.interface).await?
+    };
 
     // Initialize the application
     let update_interval = Duration::from_millis(cli.update_interval);

src/ptp.rs

@@ -2,7 +2,7 @@ use anyhow::Result;
 use std::{
     collections::HashMap,
     net::IpAddr,
-    time::{Duration, Instant},
+    time::{Duration, Instant, SystemTime},
 };
 
 use crate::{
@@ -378,7 +378,7 @@ pub struct PtpHost {
     pub ip_addresses: HashMap<IpAddr, Vec<String>>,
     pub domain_number: Option<u8>,
     pub last_version: Option<PtpVersion>,
-    pub last_seen: Instant,
+    pub last_seen: SystemTime,
 
     pub announce_count: u32,
     pub sync_count: u32,
@@ -404,7 +404,7 @@ impl PtpHost {
             clock_identity,
             ip_addresses: HashMap::new(),
             domain_number: None,
-            last_seen: Instant::now(),
+            last_seen: SystemTime::now(),
 
             announce_count: 0,
             sync_count: 0,
@@ -430,7 +430,7 @@ impl PtpHost {
         self.domain_number = Some(header.domain_number);
         self.last_version = Some(header.version);
         self.last_correction_field = Some(header.correction_field);
-        self.last_seen = Instant::now();
+        self.last_seen = SystemTime::now();
     }
 
     pub fn get_vendor_name(&self) -> Option<&'static str> {
@@ -445,8 +445,9 @@ impl PtpHost {
         matches!(self.state, PtpHostState::TimeReceiver(_))
     }
 
-    pub fn time_since_last_seen(&self) -> Duration {
-        Instant::now().duration_since(self.last_seen)
+    pub fn time_since_last_seen(&self, reference_time: Option<SystemTime>) -> Duration {
+        let reference = reference_time.unwrap_or_else(|| SystemTime::now());
+        reference.duration_since(self.last_seen).unwrap_or_default()
     }
 
     pub fn add_ip_address(&mut self, ip: IpAddr, interface: String) {
@@ -542,15 +543,15 @@ mod tests {
 pub struct PtpTracker {
     hosts: HashMap<ClockIdentity, PtpHost>,
     last_packet: Instant,
-    raw_socket_receiver: crate::socket::RawSocketReceiver,
+    pub raw_socket_receiver: crate::source::RawSocketReceiver,
     // Track recent sync/follow-up senders per domain for transmitter-receiver correlation
     recent_sync_senders: HashMap<u8, Vec<(ClockIdentity, Instant)>>,
     // Track interfaces for determining inbound interface of packets
     interfaces: Vec<(String, std::net::Ipv4Addr)>,
 }
 
 impl PtpTracker {
-    pub fn new(raw_socket_receiver: crate::socket::RawSocketReceiver) -> Result<Self> {
+    pub fn new(raw_socket_receiver: crate::source::RawSocketReceiver) -> Result<Self> {
         let interfaces = raw_socket_receiver.get_interfaces().to_vec();
         Ok(Self {
             hosts: HashMap::new(),
@@ -585,7 +586,7 @@ impl PtpTracker {
         }
     }
 
-    async fn handle_raw_packet(&mut self, raw_packet: std::sync::Arc<crate::socket::RawPacket>) {
+    async fn handle_raw_packet(&mut self, raw_packet: std::sync::Arc<crate::source::RawPacket>) {
         let msg = match PtpMessage::try_from(raw_packet.ptp_payload.as_slice()) {
             Ok(m) => m,
             Err(_) => return, // Invalid message
@@ -610,6 +611,8 @@ impl PtpTracker {
 
         sending_host.total_messages_sent_count += 1;
         sending_host.update_from_ptp_header(msg.header());
+        // Update last_seen with packet timestamp
+        sending_host.last_seen = raw_packet.timestamp;
 
         match msg {
             PtpMessage::Announce(msg) => {
@@ -807,7 +810,7 @@ impl PtpTracker {
         }
     }
 
-    pub fn get_local_ips(&self) -> Vec<std::net::IpAddr> {
+    pub fn get_local_ips(&self) -> Vec<IpAddr> {
         self.interfaces
             .iter()
             .map(|(_, ip)| std::net::IpAddr::V4(*ip))

src/socket.rs src/source.rssrc/socket.rs renamed to src/source.rs

@@ -30,19 +30,55 @@ pub struct RawPacket {
     pub ptp_payload: Vec<u8>,
 }
 
+pub enum PacketSource {
+    Socket {
+        receiver: mpsc::UnboundedReceiver<RawPacket>,
+        interfaces: Vec<(String, Ipv4Addr)>,
+        _multicast_sockets: Vec<Socket>,
+    },
+    Pcap {
+        packets: Vec<RawPacket>,
+        current_index: usize,
+        last_timestamp: Option<SystemTime>,
+    },
+}
+
 pub struct RawSocketReceiver {
-    pub receiver: mpsc::UnboundedReceiver<RawPacket>,
-    pub interfaces: Vec<(String, Ipv4Addr)>,
-    pub _multicast_sockets: Vec<Socket>,
+    source: PacketSource,
 }
 
 impl RawSocketReceiver {
     pub fn try_recv(&mut self) -> Option<RawPacket> {
-        self.receiver.try_recv().ok()
+        match &mut self.source {
+            PacketSource::Socket { receiver, .. } => receiver.try_recv().ok(),
+            PacketSource::Pcap {
+                packets,
+                current_index,
+                ..
+            } => {
+                if *current_index < packets.len() {
+                    let packet = packets[*current_index].clone();
+                    *current_index += 1;
+                    Some(packet)
+                } else {
+                    None
+                }
+            }
+        }
     }
 
     pub fn get_interfaces(&self) -> &[(String, Ipv4Addr)] {
-        &self.interfaces
+        match &self.source {
+            PacketSource::Socket { interfaces, .. } => interfaces,
+            PacketSource::Pcap { .. } => &[],
+        }
+    }
+
+    pub fn get_last_timestamp(&self) -> Option<SystemTime> {
+        match &self.source {
+            PacketSource::Socket { .. } => None,
+            PacketSource::Pcap { last_timestamp, .. } => *last_timestamp,
+        }
     }
 }
 
@@ -352,7 +388,7 @@ async fn capture_on_interface(
     Ok(())
 }
 
-pub async fn create(ifnames: &[String]) -> Result<RawSocketReceiver> {
+pub async fn create_socket(ifnames: &[String]) -> Result<RawSocketReceiver> {
     // Get interfaces to monitor
     let target_interfaces = if ifnames.is_empty() {
         // Default to all available interfaces
@@ -423,8 +459,49 @@ pub async fn create(ifnames: &[String]) -> Result<RawSocketReceiver> {
     );
 
     Ok(RawSocketReceiver {
-        receiver,
-        interfaces: target_interfaces,
-        _multicast_sockets: multicast_sockets,
+        source: PacketSource::Socket {
+            receiver,
+            interfaces: target_interfaces,
+            _multicast_sockets: multicast_sockets,
+        },
+    })
+}
+
+pub async fn create_pcap(pcap_path: &str) -> Result<RawSocketReceiver> {
+    use pcap::Capture;
+
+    // Open pcap file
+    let mut cap = Capture::from_file(pcap_path)?;
+
+    let mut packets = Vec::new();
+    let mut last_timestamp: Option<SystemTime> = None;
+
+    // Read all packets from pcap file
+    while let Ok(packet) = cap.next_packet() {
+        if let Some(raw_packet) = process_ethernet_packet(&packet, "pcap") {
+            // Track the latest timestamp for reference
+            if last_timestamp.is_none() || raw_packet.timestamp > last_timestamp.unwrap() {
+                last_timestamp = Some(raw_packet.timestamp);
+            }
+            packets.push(raw_packet);
+        }
+    }
+
+    println!(
+        "Loaded {} PTP packets from pcap file: {}",
+        packets.len(),
+        pcap_path
+    );
+
+    if let Some(last_ts) = last_timestamp {
+        println!("Last packet timestamp: {:?}", last_ts);
+    }
+
+    Ok(RawSocketReceiver {
+        source: PacketSource::Pcap {
+            packets,
+            current_index: 0,
+            last_timestamp,
+        },
     })
 }

src/types.rs

@@ -1070,7 +1070,7 @@ impl Display for PtpMessage {
 #[derive(Debug, Clone)]
 pub struct ParsedPacket {
     pub ptp: PtpMessage,
-    pub raw: std::sync::Arc<crate::socket::RawPacket>,
+    pub raw: std::sync::Arc<crate::source::RawPacket>,
 }
 
 #[test]