From: Todd Carson Subject: pcap: add missing 802.11 subtype keywords To: tech@openbsd.org Date: Sun, 25 Feb 2024 11:20:52 -1000 Many of the subtype keywords for matching various 802.11 frame types which are documented in the tcpdump(8) and pcap-filter(5) manpages aren't implemented in the grammar and result in an "unknown 802.11 subtype" when used. They are found in the grammar in upstream libpcap from tcpdump.org. The diff below adds the missing subtype keywords mentioned in the manpages. Tested with real traffic on a few subtypes; the rest by sanity-checking compiled BPF printed with 'tcpdump -d'. I don't know if this requires bumping the libpcap minor version so I left that alone.
diff /usr/src
commit - 6c24eb55e021991196003dc7f0a643e806b14295
path + /usr/src
blob - 0c7db1641efc8c73baae467b25ca33c0b1bccbed
file + lib/libpcap/grammar.y
--- lib/libpcap/grammar.y
+++ lib/libpcap/grammar.y
@@ -353,17 +353,23 @@ type: NUM
 ;

 subtype: NUM
- | ID { if (strcasecmp($1, "assocreq") == 0)
+ | ID { if (strcasecmp($1, "assocreq") == 0 ||
+ strcasecmp($1, "assoc-req") == 0)
 $$ = IEEE80211_FC0_SUBTYPE_ASSOC_REQ;
- else if (strcasecmp($1, "assocresp") == 0)
+ else if (strcasecmp($1, "assocresp") == 0 ||
+ strcasecmp($1, "assoc-resp") == 0)
 $$ = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
- else if (strcasecmp($1, "reassocreq") == 0)
+ else if (strcasecmp($1, "reassocreq") == 0 ||
+ strcasecmp($1, "reassoc-req") == 0)
 $$ = IEEE80211_FC0_SUBTYPE_REASSOC_REQ;
- else if (strcasecmp($1, "reassocresp") == 0)
+ else if (strcasecmp($1, "reassocresp") == 0 ||
+ strcasecmp($1, "reassoc-resp") == 0)
 $$ = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
- else if (strcasecmp($1, "probereq") == 0)
+ else if (strcasecmp($1, "probereq") == 0 ||
+ strcasecmp($1, "probe-req") == 0)
 $$ = IEEE80211_FC0_SUBTYPE_PROBE_REQ;
- else if (strcasecmp($1, "proberesp") == 0)
+ else if (strcasecmp($1, "proberesp") == 0 ||
+ strcasecmp($1, "probe-resp") == 0)
 $$ = IEEE80211_FC0_SUBTYPE_PROBE_RESP;
 else if (strcasecmp($1, "beacon") == 0)
 $$ = IEEE80211_FC0_SUBTYPE_BEACON;
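Review bot: The unhyphenated spellings (`assocreq`, `proberesp`, …) stay accepted next to the new hyphenated ones, but nothing in the action says why both forms exist. A one-line comment above the first branch, for example `/* unhyphenated forms kept for existing filters; hyphenated forms match the manpages and upstream libpcap */`, would keep a later cleanup from dropping either set. That wording is inferred from the commit message, so adjust it if the history differs. The `subtype` action continues past the end of this hunk.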
@@ -378,8 +384,55 @@ subtype: NUM
 else if (strcasecmp($1, "deauth") == 0 ||
 strcasecmp($1, "deauthentication") == 0)
 $$ = IEEE80211_FC0_SUBTYPE_DEAUTH;
+ else if (strcasecmp($1, "ps-poll") == 0)
+ $$ = IEEE80211_FC0_SUBTYPE_PS_POLL;
+ else if (strcasecmp($1, "rts") == 0)
+ $$ = IEEE80211_FC0_SUBTYPE_RTS;
+ else if (strcasecmp($1, "cts") == 0)
+ $$ = IEEE80211_FC0_SUBTYPE_CTS;
+ else if (strcasecmp($1, "ack") == 0)
+ $$ = IEEE80211_FC0_SUBTYPE_ACK;
+ else if (strcasecmp($1, "cf-end") == 0)
+ $$ = IEEE80211_FC0_SUBTYPE_CF_END;
+ else if (strcasecmp($1, "cf-end-ack") == 0)
+ $$ = IEEE80211_FC0_SUBTYPE_CF_END_ACK;
 else if (strcasecmp($1, "data") == 0)
 $$ = IEEE80211_FC0_SUBTYPE_DATA;
+ else if (strcasecmp($1, "data-cf-ack") == 0)
+ $$ = IEEE80211_FC0_SUBTYPE_DATA_CF_ACK;
+ else if (strcasecmp($1, "data-cf-poll") == 0)
+ $$ = IEEE80211_FC0_SUBTYPE_DATA_CF_POLL;
+ else if (strcasecmp($1, "data-cf-ack-poll") == 0)
+ $$ = IEEE80211_FC0_SUBTYPE_DATA_CF_ACKPOLL;
+ else if (strcasecmp($1, "null") == 0)
+ $$ = IEEE80211_FC0_SUBTYPE_NODATA;
+ else if (strcasecmp($1, "cf-ack") == 0)
+ $$ = IEEE80211_FC0_SUBTYPE_NODATA_CF_ACK;
+ else if (strcasecmp($1, "cf-poll") == 0)
+ $$ = IEEE80211_FC0_SUBTYPE_NODATA_CF_POLL;
+ else if (strcasecmp($1, "cf-ack-poll") == 0)
+ $$ = IEEE80211_FC0_SUBTYPE_NODATA_CF_ACKPOLL;
+ else if (strcasecmp($1, "qos-data") == 0)
+ $$ = IEEE80211_FC0_SUBTYPE_QOS|
+ IEEE80211_FC0_SUBTYPE_DATA;
+ else if (strcasecmp($1, "qos-data-cf-ack") == 0)
+ $$ = IEEE80211_FC0_SUBTYPE_QOS|
+ IEEE80211_FC0_SUBTYPE_DATA_CF_ACK;
+ else if (strcasecmp($1, "qos-data-cf-poll") == 0)
+ $$ = IEEE80211_FC0_SUBTYPE_QOS|
+ IEEE80211_FC0_SUBTYPE_DATA_CF_POLL;
+ else if (strcasecmp($1, "qos-data-cf-ack-poll") == 0)
+ $$ = IEEE80211_FC0_SUBTYPE_QOS|
+ IEEE80211_FC0_SUBTYPE_DATA_CF_ACKPOLL;
+ else if (strcasecmp($1, "qos") == 0)
+ $$ = IEEE80211_FC0_SUBTYPE_QOS|
+ IEEE80211_FC0_SUBTYPE_NODATA;
+ else if (strcasecmp($1, "qos-cf-poll") == 0)
+ $$ = IEEE80211_FC0_SUBTYPE_QOS|
+ IEEE80211_FC0_SUBTYPE_NODATA_CF_POLL;
+ else if (strcasecmp($1, "qos-cf-ack-poll") == 0)
+ $$ = IEEE80211_FC0_SUBTYPE_QOS|
+ IEEE80211_FC0_SUBTYPE_NODATA_CF_ACKPOLL;
 else
 bpf_error("unknown 802.11 subtype");
 }
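Review bot: Several of the new control and data keywords map to subtype codes that 802.11 also assigns to management frames, so `$$` alone does not identify the frame class. RTS shares its 4-bit code with authentication and CTS with deauthentication, just as the existing `data` shares 0 with `assocreq`. The code that consumes `$$` is outside this hunk; if it compares only the subtype bits of the frame-control byte, a `cts` subtype filter would also capture deauthentication frames, which skews any wireless monitoring built on it. Either fold the frame type into the comparison where the primitive is generated, or at least add `/* subtype codes are unique only within a frame type; combine with a "type" match */` above the control-frame branches. The action begins before this hunk.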