From: "Theo de Raadt"
Subject: Re: pcap: add missing 802.11 subtype keywords
To: Todd Carson
Cc: tech@openbsd.org
Date: Sun, 25 Feb 2024 15:07:37 -0700

This diff is killing me. Can someone put these into a sorted table and use bsearch?

Todd Carson wrote:
>
>
> Many of the subtype keywords for matching various 802.11 frame types
> which are documented in the tcpdump(8) and pcap-filter(5) manpages
> aren't implemented in the grammar and result in an
> "unknown 802.11 subtype" when used.
>
> They are found in the grammar in upstream libpcap from tcpdump.org.
>
> The diff below adds the missing subtype keywords mentioned in the
> manpages.
> Tested with real traffic on a few subtypes; the rest by sanity-checking
> compiled BPF printed with 'tcpdump -d'.
>
> I don't know if this requires bumping the libpcap minor version so I
> left that alone.
>
> diff /usr/src
> commit - 6c24eb55e021991196003dc7f0a643e806b14295
> path + /usr/src
> blob - 0c7db1641efc8c73baae467b25ca33c0b1bccbed
> file + lib/libpcap/grammar.y
> --- lib/libpcap/grammar.y
> +++ lib/libpcap/grammar.y
> @@ -353,17 +353,23 @@ type: NUM
> ;
>
> subtype: NUM
> - | ID { if (strcasecmp($1, "assocreq") == 0)
> + | ID { if (strcasecmp($1, "assocreq") == 0 ||
> + strcasecmp($1, "assoc-req") == 0)
> $$ = IEEE80211_FC0_SUBTYPE_ASSOC_REQ;
> - else if (strcasecmp($1, "assocresp") == 0)
> + else if (strcasecmp($1, "assocresp") == 0 ||
> + strcasecmp($1, "assoc-resp") == 0)
> $$ = IEEE80211_FC0_SUBTYPE_ASSOC_RESP;
> - else if (strcasecmp($1, "reassocreq") == 0)
> + else if (strcasecmp($1, "reassocreq") == 0 ||
> + strcasecmp($1, "reassoc-req") == 0)
> $$ = IEEE80211_FC0_SUBTYPE_REASSOC_REQ;
> - else if (strcasecmp($1, "reassocresp") == 0)
> + else if (strcasecmp($1, "reassocresp") == 0 ||
> + strcasecmp($1, "reassoc-resp") == 0)
> $$ = IEEE80211_FC0_SUBTYPE_REASSOC_RESP;
> - else if (strcasecmp($1, "probereq") == 0)
> + else if (strcasecmp($1, "probereq") == 0 ||
> + strcasecmp($1, "probe-req") == 0)
> $$ = IEEE80211_FC0_SUBTYPE_PROBE_REQ;
> - else if (strcasecmp($1, "proberesp") == 0)
> + else if (strcasecmp($1, "proberesp") == 0 ||
> + strcasecmp($1, "probe-resp") == 0)
> $$ = IEEE80211_FC0_SUBTYPE_PROBE_RESP;
> else if (strcasecmp($1, "beacon") == 0)
> $$ = IEEE80211_FC0_SUBTYPE_BEACON;
> @@ -378,8 +384,55 @@ subtype: NUM
> else if (strcasecmp($1, "deauth") == 0 ||
> strcasecmp($1, "deauthentication") == 0)
> $$ = IEEE80211_FC0_SUBTYPE_DEAUTH;
> + else if (strcasecmp($1, "ps-poll") == 0)
> + $$ = IEEE80211_FC0_SUBTYPE_PS_POLL;
> + else if (strcasecmp($1, "rts") == 0)
> + $$ = IEEE80211_FC0_SUBTYPE_RTS;
> + else if (strcasecmp($1, "cts") == 0)
> + $$ = IEEE80211_FC0_SUBTYPE_CTS;
> + else if (strcasecmp($1, "ack") == 0)
> + $$ = IEEE80211_FC0_SUBTYPE_ACK;
> + else if (strcasecmp($1, "cf-end") == 0)
> + $$ = IEEE80211_FC0_SUBTYPE_CF_END;
> + else if (strcasecmp($1, "cf-end-ack") == 0)
> + $$ = IEEE80211_FC0_SUBTYPE_CF_END_ACK;
> else if (strcasecmp($1, "data") == 0)
> $$ = IEEE80211_FC0_SUBTYPE_DATA;
> + else if (strcasecmp($1, "data-cf-ack") == 0)
> + $$ = IEEE80211_FC0_SUBTYPE_DATA_CF_ACK;
> + else if (strcasecmp($1, "data-cf-poll") == 0)
> + $$ = IEEE80211_FC0_SUBTYPE_DATA_CF_POLL;
> + else if (strcasecmp($1, "data-cf-ack-poll") == 0)
> + $$ = IEEE80211_FC0_SUBTYPE_DATA_CF_ACKPOLL;
> + else if (strcasecmp($1, "null") == 0)
> + $$ = IEEE80211_FC0_SUBTYPE_NODATA;
> + else if (strcasecmp($1, "cf-ack") == 0)
> + $$ = IEEE80211_FC0_SUBTYPE_NODATA_CF_ACK;
> + else if (strcasecmp($1, "cf-poll") == 0)
> + $$ = IEEE80211_FC0_SUBTYPE_NODATA_CF_POLL;
> + else if (strcasecmp($1, "cf-ack-poll") == 0)
> + $$ = IEEE80211_FC0_SUBTYPE_NODATA_CF_ACKPOLL;
> + else if (strcasecmp($1, "qos-data") == 0)
> + $$ = IEEE80211_FC0_SUBTYPE_QOS|
> + IEEE80211_FC0_SUBTYPE_DATA;
> + else if (strcasecmp($1, "qos-data-cf-ack") == 0)
> + $$ = IEEE80211_FC0_SUBTYPE_QOS|
> + IEEE80211_FC0_SUBTYPE_DATA_CF_ACK;
> + else if (strcasecmp($1, "qos-data-cf-poll") == 0)
> + $$ = IEEE80211_FC0_SUBTYPE_QOS|
> + IEEE80211_FC0_SUBTYPE_DATA_CF_POLL;
> + else if (strcasecmp($1, "qos-data-cf-ack-poll") == 0)
> + $$ = IEEE80211_FC0_SUBTYPE_QOS|
> + IEEE80211_FC0_SUBTYPE_DATA_CF_ACKPOLL;
> + else if (strcasecmp($1, "qos") == 0)
> + $$ = IEEE80211_FC0_SUBTYPE_QOS|
> + IEEE80211_FC0_SUBTYPE_NODATA;
> + else if (strcasecmp($1, "qos-cf-poll") == 0)
> + $$ = IEEE80211_FC0_SUBTYPE_QOS|
> + IEEE80211_FC0_SUBTYPE_NODATA_CF_POLL;
> + else if (strcasecmp($1, "qos-cf-ack-poll") == 0)
> + $$ = IEEE80211_FC0_SUBTYPE_QOS|
> + IEEE80211_FC0_SUBTYPE_NODATA_CF_ACKPOLL;
> else
> bpf_error("unknown 802.11 subtype");
> }
>
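Review bot: The control and data keywords added in this chain each resolve to a bare subtype value with no frame type attached, so whether `subtype rts` or `subtype ack` selects only control frames depends on how the enclosing rule builds the comparison, which is outside this hunk. In net80211 the subtype field is reused across frame types (IEEE80211_FC0_SUBTYPE_RTS has the same value as IEEE80211_FC0_SUBTYPE_AUTH, and IEEE80211_FC0_SUBTYPE_DATA the same as IEEE80211_FC0_SUBTYPE_ASSOC_REQ), so if only the subtype bits are tested, a capture filter written for one class of frame also admits the other, and anything counting or alerting on its output is skewed. If that is the case, note it above the chain, e.g. `/* subtype values repeat across mgt/ctl/data; combine with "type" for an exact match */`, and in pcap-filter(5). Separately, the final branch could name the rejected keyword, `bpf_error("unknown 802.11 subtype '%s'", $1);`, which makes a mistyped filter easier to diagnose.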