eBPF map type array for storing the timestamps of packets

Question

I have defined a map named timestamp_map of type 'BPF_MAP_TYPE_PERCPU_ARRAY' in my eBPF program

struct {
    __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
    __uint(max_entries, 1);
    __type(key, int);
    __type(value, uint64_t);
} timestamp_map SEC(".maps");

After processing some packets, I want to get the timestamps of packets that are processed. I used the command sudo bpftool map dump <map ID> to dump the details that are stored in the map timestamp_map. And I got

[{
        "key": 0,
        "values": [{
                "cpu": 0,
                "value": 287032432816
            },{
                "cpu": 1,
                "value": 0
            }
        ]
    }
]

I'am getting a single value of timestamp and came to know that it was the timestamp of last packet that processed.

How to get the timestamp values of all packets that are processed. Should I use different type of array?

Answer 1

We need more context to provide a better answer. I can think of two solutions:

1. Consider increasing the max_entries. Seems the max entries is set to 1. and values may be overwritten. Try increasing the value to 1024 and see whether it helps?

   struct {
   __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
   __uint(max_entries, 1024);
   __type(key, int);
   __type(value, uint64_t);
   

   } timestamp_map SEC(".maps");

Have a look at the sample code in the kernel documentation: https://docs.kernel.org/bpf/map_array.html#bpf-map-type-array

2. Check your keys and make sure they are unique, so you don't accidentally overwrite/update the values.