Fix build on OpenBSD (#259)

* Fix building on system which use `struct bpf_timeval`

Some system (for example OpenBSD) uses `struct bpf_timeval` instead of
`struct timeval` inside `struct pcap_pkthdr`.

* Fix building with pcap.h

* Build without `DLT_PRISM_HEADER`

* Backport dl_ppp_ether from OpenBSD

* Add /usr/X11R6 to path for libraries and headers

configure.ac

@@ -77,7 +77,7 @@ esac
 if test x"${mingw}" == "xno" ; then
   # Bring additional directories where things might be found into our
   # search path. I don't know why autoconf doesn't do this by default
-  for spfx in /usr/local /opt/local /sw /usr/local/ssl /usr/boost/include ; do
+  for spfx in /usr/local /opt/local /sw /usr/local/ssl /usr/boost/include /usr/X11R6 ; do
     AC_MSG_NOTICE([checking ${spfx}/include])
     if test -d ${spfx}/include; then
         CPPFLAGS="-I${spfx}/include $CPPFLAGS"

src/be13_api/bulk_extractor_i.h

@@ -296,6 +296,8 @@ namespace be13 {
  *
  */
 class packet_info {
+private:
+    struct timeval _ts;
 public:
     // IPv4 header offsets
     static const size_t ip4_proto_off = 9;
@@ -325,7 +327,10 @@ class packet_info {
                 const struct timeval &ts_,const uint8_t *d2,size_t dl2):
         pcap_dlt(dlt),pcap_hdr(h),pcap_data(d),ts(ts_),ip_data(d2),ip_datalen(dl2){}
     packet_info(const int dlt,const struct pcap_pkthdr *h,const u_char *d):
-        pcap_dlt(dlt),pcap_hdr(h),pcap_data(d),ts(h->ts),ip_data(d),ip_datalen(h->caplen){}
+        pcap_dlt(dlt),pcap_hdr(h),pcap_data(d),ts(_ts),ip_data(d),ip_datalen(h->caplen){
+        _ts.tv_sec  = h->ts.tv_sec;
+        _ts.tv_usec = h->ts.tv_usec;
+    }
 
     const int    pcap_dlt;              // data link type; needed by libpcap, not provided
     const struct pcap_pkthdr *pcap_hdr; // provided by libpcap

src/datalink.cpp

@@ -71,6 +71,32 @@ void dl_null(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
 #pragma GCC diagnostic warning "-Wcast-align"
 
 static uint64_t counter=0;
+
+#ifdef DLT_PPP_ETHER
+
+#define	PPP_ETHER_HDRLEN 8
+
+void dl_ppp_ether(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
+{
+  u_int caplen = h->caplen;
+  u_int length = h->len;
+
+  if (length != caplen) {
+    DEBUG(6) ("warning: only captured %d bytes of %d byte PPPoE frame",
+	  caplen, length);
+  }
+
+  if (caplen < PPP_ETHER_HDRLEN) {
+    DEBUG(6) ("warning: received incomplete PPP frame");
+    return;
+  }
+
+  struct timeval tv;
+  be13::packet_info pi(DLT_PPP_ETHER,h,p,tvshift(tv,h->ts),p+PPP_ETHER_HDRLEN,caplen - PPP_ETHER_HDRLEN);
+  be13::plugin::process_packet(pi);
+}
+#endif
+
 /* DLT_RAW: just a raw IP packet, no encapsulation or link-layer
  * headers.  Used for PPP connections under some OSs including Linux
  * and IRIX. */
@@ -276,13 +302,18 @@ dlt_handler_t handlers[] = {
     { dl_ethernet, DLT_EN10MB },
     { dl_ethernet, DLT_IEEE802 },
     { dl_ppp,           DLT_PPP },
+#ifdef DLT_PPP_ETHER
+    { dl_ppp_ether,     DLT_PPP_ETHER },
+#endif
 #ifdef DLT_LINUX_SLL
     { dl_linux_sll,        DLT_LINUX_SLL },
 #endif
 #if defined(USE_WIFI) && !defined(WIN32)
     { dl_ieee802_11_radio, DLT_IEEE802_11 },
     { dl_ieee802_11_radio, DLT_IEEE802_11_RADIO },
+#ifdef DLT_PRISM_HEADER
     { dl_prism,            DLT_PRISM_HEADER},
+#endif
 #endif
     { NULL, 0 }
 };

src/tcpflow.h

@@ -297,6 +297,14 @@ inline const timeval &tvshift(struct timeval &tv,const struct timeval &tv_)
     return tv;
 }
 
+#if __has_include("net/bpf.h")
+inline const timeval &tvshift(struct timeval &tv,const struct bpf_timeval &tv_)
+{
+    tv.tv_sec  = tv_.tv_sec + datalink_tdelta;
+    tv.tv_usec = tv_.tv_usec;
+    return tv;
+}
+#endif
 
 
 /* util.cpp - utility functions */

src/wifipcap/wifipcap.cpp

@@ -1668,7 +1668,11 @@ void Wifipcap::Init(const char *name, bool live) {
     }
 
     datalink = pcap_datalink(descr);
-    if (datalink != DLT_PRISM_HEADER && datalink != DLT_IEEE802_11_RADIO && datalink != DLT_IEEE802_11) {
+    if (
+#ifdef DLT_PRISM_HEADER
+        datalink != DLT_PRISM_HEADER &&
+#endif
+        datalink != DLT_IEEE802_11_RADIO && datalink != DLT_IEEE802_11) {
 	if (datalink == DLT_EN10MB) {
 	    printf("warning: ethernet datalink type: %s\n",
 		   pcap_datalink_val_to_name(datalink));
@@ -1692,8 +1696,10 @@ void Wifipcap::handle_packet(WifipcapCallbacks *cbs,int header_type,
 {
     /* Record start time if we don't have it */
     if (startTime == TIME_NONE) {
-	startTime = header->ts;
-	lastPrintTime = header->ts;
+	startTime.tv_sec = header->ts.tv_sec;
+	startTime.tv_usec = header->ts.tv_usec;
+	lastPrintTime.tv_sec = header->ts.tv_sec;
+	lastPrintTime.tv_usec = header->ts.tv_usec;
     }
     /* Print stats if necessary */
     if (header->ts.tv_sec > lastPrintTime.tv_sec + Wifipcap::PRINT_TIME_INTERVAL) {
@@ -1704,7 +1710,8 @@ void Wifipcap::handle_packet(WifipcapCallbacks *cbs,int header_type,
 	    fprintf(stderr, "wifipcap: %2d days %2d hours, %10" PRId64 " pkts\n", 
 		    days, left, packetsProcessed);
 	}
-	lastPrintTime = header->ts;
+	lastPrintTime.tv_sec = header->ts.tv_sec;
+	lastPrintTime.tv_usec = header->ts.tv_usec;
     }
     packetsProcessed++;
 
@@ -1715,9 +1722,11 @@ void Wifipcap::handle_packet(WifipcapCallbacks *cbs,int header_type,
     cbs->PacketBegin(pkt, packet, header->caplen, header->len);
     //int frameLen = header->caplen;
     switch(header_type) {
+#ifdef DLT_PRISM_HEADER
     case DLT_PRISM_HEADER:
         pkt.handle_prism(packet,header->caplen);
         break;
+#endif
     case DLT_IEEE802_11_RADIO:
         pkt.handle_radiotap(packet,header->caplen);
         break;

src/wifipcap/wifipcap.h

@@ -12,7 +12,11 @@
 #include <stdint.h>
 #include <inttypes.h>
 
-#include <pcap/pcap.h>
+#if defined(HAVE_PCAP_PCAP_H)
+#  include <pcap/pcap.h>
+#elif defined(HAVE_PCAP_H)
+#  include <pcap.h>
+#endif
 #include <netinet/in.h>
 
 #include "arp.h"