# Copyright 2020 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

# This file contains descriptions of fields, structs and frames that are necessary to generate and inject 802.11 frames.
# Descriptions specified here follow the IEEE 802.11-2016 standard. It can be accessed here: https://ieeexplore.ieee.org/document/7786995 (the document is freely available through the IEEE GET program™).

include <linux/ieee80211.h>

# Mac addresses of virtual wifi devices created during executor initialization.
# All of them share the 08:02:11:00:00 prefix and differ only in the last byte (LAST).
type ieee80211_fixed_mac_addr[LAST] {
	byte0	const[0x8, int8]
	byte1	const[0x2, int8]
	byte2	const[0x11, int8]
	byte3	const[0x0, int8]
	byte4	const[0x0, int8]
	byte5	LAST
} [packed]

# Any address a generated frame may carry: one of the two fixed virtual devices or the broadcast address.
ieee80211_mac_addr [
	device_a	ieee80211_fixed_mac_addr[const[0x0, int8]]
	device_b	ieee80211_fixed_mac_addr[const[0x1, int8]]
	broadcast	array[const[0xff, int8], 6]
]

# SSID: random bytes (up to IEEE80211_MAX_SSID_LEN) or one of the fixed 6-byte SSIDs
# used for the default IBSS and AP networks.
ieee80211_ssid [
	random	array[int8, 0:IEEE80211_MAX_SSID_LEN]
	default_ibss_ssid	array[const[0x1, int8], 6]
	default_ap_ssid	array[const[0x2, int8], 6]
] [varlen]

# Mesh ID: only the fixed 6-byte default is described.
ieee80211_mesh_id [
	default	array[const[0x3, int8], 6]
] [varlen]

# Top-level frame accepted by syz_80211_inject_frame: a data, management or control frame.
# Data and management frames are described below; ieee80211_ctrl_frame is defined elsewhere.
ieee80211_frame [
	data_frame	ieee80211_data_frame
	mgmt_frame	ieee80211_mgmt_frame
	ctrl_frame	ieee80211_ctrl_frame
] [varlen]

# BSSID: the fixed initial value (six 0x50 bytes), one of the device/broadcast addresses, or random bytes.
ieee80211_bssid [
	initial	array[const[0x50, int8], 6]
	from_mac	ieee80211_mac_addr
	random	array[int8, 6]
]

# Inject an 802.11 frame.
# mac_addr -- mac address of the device that will receive the message (actually it determines
# the network interface that will receive this message).
# buf -- raw 802.11 frame. It should neither include an FCS, nor leave space for it at the end of the frame.
# buf_len -- length of buf, derived automatically from the frame description.
syz_80211_inject_frame(mac_addr ptr[in, ieee80211_mac_addr], buf ptr[in, ieee80211_frame], buf_len len[buf])

# Pseudo system call that puts a specific interface into IBSS state and joins an IBSS network.
# Although it is done for all interfaces at executor initialization and the nl80211 commands that it executes
# are present in syzkaller descriptions of nl80211, experiments demonstrated that addition of this pseudo
# syscall provokes a much bigger number of issues.
# Also, this pseudo call makes it possible to put interfaces generated by sendmsg$NL80211_CMD_NEW_INTERFACE
# into an operable state at runtime.
# interface -- device name; ssid/ssid_len -- the SSID to join; join_mode -- one of join_ibss_modes below.
syz_80211_join_ibss(interface ptr[in, string[nl80211_devnames]], ssid ptr[in, ieee80211_ssid], ssid_len len[ssid], join_mode flags[join_ibss_modes])

# Modes of syz_80211_join_ibss operation:
# JOIN_IBSS_NO_SCAN -- channel scan is not performed and syz_80211_join_ibss waits until the interface reaches IF_OPER_UP
# JOIN_IBSS_BG_SCAN -- channel scan is performed (takes ~ 9 seconds), syz_80211_join_ibss does not await IF_OPER_UP
# JOIN_IBSS_BG_NO_SCAN -- channel scan is not performed, syz_80211_join_ibss does not await IF_OPER_UP

define JOIN_IBSS_NO_SCAN 0x0
define JOIN_IBSS_BG_SCAN 0x1
define JOIN_IBSS_BG_NO_SCAN 0x2

join_ibss_modes = JOIN_IBSS_NO_SCAN, JOIN_IBSS_BG_SCAN, JOIN_IBSS_BG_NO_SCAN

################################################################################
# Common fields and enums.
################################################################################

# As defined in drivers/net/wireless/mac80211_hwsim.c
ieee80211_channel_freq_mhz = 2412, 2417, 2422, 2427, 2432, 2437, 2442, 2447, 2452, 2457, 2462, 2467, 2472, 2484, 5180, 5200, 5220, 5240, 5260, 5280, 5300, 5320, 5500, 5520, 5540, 5560, 5580, 5600, 5620, 5640, 5660, 5680, 5700, 5745, 5765, 5785, 5805, 5825, 5845, 5855, 5860, 5865, 5870, 5875, 5880, 5885, 5890, 5895, 5900, 5905, 5910, 5915, 5920, 5925

# Raw bitrate values as listed by mac80211_hwsim (presumably in units of 100 kbit/s, i.e. 10 == 1 Mbit/s — confirm against the driver).
ieee80211_raw_rates = 10, 20, 55, 60, 90, 110, 120, 180, 240, 360, 480, 540

# Combined set of 802.11 rates for 5Mhz, 10Mhz and other channel widths.
# Only rates for drivers/net/wireless/mac80211_hwsim.c are defined.
ieee80211_rate_label = 1, 2, 3, 4, 5, 6, 9, 11, 12, 18, 22, 24, 27, 36, 48, 54, 72, 96, 108

# Rates as they are represented (see 9.4.2.3 of IEEE 802.11-2016):
# a 7-bit rate label plus the high bit that marks the rate as basic (mandatory).
ieee80211_rate {
	label	flags[ieee80211_rate_label, int8:7]
	mandatory	int8:1
} [packed]

# Beacon Interval: the default value of 100 or an arbitrary one.
type ieee80211_beacon_interval[BASE_TYPE] [
	default	const[100, BASE_TYPE]
	random	BASE_TYPE
]

# 8-byte Timestamp field carried by Beacon and Probe Response frames.
type ieee80211_timestamp int64

# Association ID: the default 0x1 or an arbitrary value.
ieee80211_assoc_id [
	default	const[0x1, int16]
	random	int16
]

# Pseudo syscalls and initially created devices use the default frequency below.
type ieee80211_frequency_mhz[BASE_TYPE] [
	default	const[2412, BASE_TYPE]
	random	flags[ieee80211_channel_freq_mhz, BASE_TYPE]
]

# These are the channels supported by mac80211_hwsim.
ieee80211_channels = 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 149, 153, 157, 161, 165, 169, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185
type ieee80211_channel[BASE_TYPE] flags[ieee80211_channels, BASE_TYPE]

# HT Capabilities (see 9.4.2.56 of IEEE 802.11-2016).
# Bits of the HT Capability Information field (IEEE80211_HT_CAP_* from linux/ieee80211.h).
ieee80211_ht_cap_info = IEEE80211_HT_CAP_LDPC_CODING, IEEE80211_HT_CAP_SUP_WIDTH_20_40, IEEE80211_HT_CAP_SM_PS, IEEE80211_HT_CAP_SM_PS_SHIFT, IEEE80211_HT_CAP_GRN_FLD, IEEE80211_HT_CAP_SGI_20, IEEE80211_HT_CAP_SGI_40, IEEE80211_HT_CAP_TX_STBC, IEEE80211_HT_CAP_RX_STBC, IEEE80211_HT_CAP_RX_STBC_SHIFT, IEEE80211_HT_CAP_DELAY_BA, IEEE80211_HT_CAP_MAX_AMSDU, IEEE80211_HT_CAP_DSSSCCK40, IEEE80211_HT_CAP_RESERVED, IEEE80211_HT_CAP_40MHZ_INTOLERANT, IEEE80211_HT_CAP_LSIG_TXOP_PROT

# Bits of the HT Extended Capabilities field (IEEE80211_HT_EXT_CAP_* from linux/ieee80211.h).
ieee80211_ht_ext_cap_info = IEEE80211_HT_EXT_CAP_PCO, IEEE80211_HT_EXT_CAP_PCO_TIME, IEEE80211_HT_EXT_CAP_PCO_TIME_SHIFT, IEEE80211_HT_EXT_CAP_MCS_FB, IEEE80211_HT_EXT_CAP_MCS_FB_SHIFT, IEEE80211_HT_EXT_CAP_HTC_SUP, IEEE80211_HT_EXT_CAP_RD_RESPONDER

# Supported MCS Set field (see 9.4.2.56.4 of IEEE 802.11-2016).
# The bit fields add up to 128 bits (16 bytes); all reserved bits are pinned to 0.
ieee80211_mcs_info {
	rx_bitmask_1	int64
	rx_bitmask_2	int64:13
	reserved	const[0, int64:3]
	rx_highest_dr	int64:10
	reserved_2	const[0, int64:6]
	tx_set_defined	int64:1
	tx_rx_not_eq	int64:1
	max_spac_streams	int64:2
	uneq_modulation	int64:1
	reserved_3	const[0, int64:27]
} [packed]

# HT Capabilities element body (see Fig. 9-332 of IEEE 802.11-2016).
ieee80211_ht_cap {
	cap_info	flags[ieee80211_ht_cap_info, int16]
	# A-MPDU Parameters: maximum length exponent, minimum MPDU start spacing, reserved bits.
	a_mpdu_exponent	int8:2
	a_mpdu_min_spacing	int8:3
	a_mpdu_reserved	const[0, int8:3]
	mcs	ieee80211_mcs_info
	extended_ht_cap_info	flags[ieee80211_ht_ext_cap_info, int16]
	tx_BF_cap_info	int32
	antenna_selection_info	int8
} [packed]

# VHT Capabilities (see 9.4.2.56 of IEEE 802.11-2016).
# Bits of the VHT Capabilities Information field (IEEE80211_VHT_CAP_* from linux/ieee80211.h).
ieee80211_vht_cap_info = IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_3895, IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_7991, IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_11454, IEEE80211_VHT_CAP_MAX_MPDU_MASK, IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ, IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ, IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_MASK, IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_SHIFT, IEEE80211_VHT_CAP_RXLDPC, IEEE80211_VHT_CAP_SHORT_GI_80, IEEE80211_VHT_CAP_SHORT_GI_160, IEEE80211_VHT_CAP_TXSTBC, IEEE80211_VHT_CAP_RXSTBC_1, IEEE80211_VHT_CAP_RXSTBC_2, IEEE80211_VHT_CAP_RXSTBC_3, IEEE80211_VHT_CAP_RXSTBC_4, IEEE80211_VHT_CAP_RXSTBC_MASK, IEEE80211_VHT_CAP_RXSTBC_SHIFT, IEEE80211_VHT_CAP_SU_BEAMFORMER_CAPABLE, IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE, IEEE80211_VHT_CAP_BEAMFORMEE_STS_SHIFT, IEEE80211_VHT_CAP_BEAMFORMEE_STS_MASK, IEEE80211_VHT_CAP_SOUNDING_DIMENSIONS_SHIFT, IEEE80211_VHT_CAP_SOUNDING_DIMENSIONS_MASK, IEEE80211_VHT_CAP_MU_BEAMFORMER_CAPABLE, IEEE80211_VHT_CAP_MU_BEAMFORMEE_CAPABLE, IEEE80211_VHT_CAP_VHT_TXOP_PS, IEEE80211_VHT_CAP_HTC_VHT, IEEE80211_VHT_CAP_MAX_A_MPDU_LENGTH_EXPONENT_SHIFT, IEEE80211_VHT_CAP_MAX_A_MPDU_LENGTH_EXPONENT_MASK, IEEE80211_VHT_CAP_VHT_LINK_ADAPTATION_VHT_UNSOL_MFB, IEEE80211_VHT_CAP_VHT_LINK_ADAPTATION_VHT_MRQ_MFB, IEEE80211_VHT_CAP_RX_ANTENNA_PATTERN, IEEE80211_VHT_CAP_TX_ANTENNA_PATTERN, IEEE80211_VHT_CAP_EXT_NSS_BW_SHIFT, IEEE80211_VHT_CAP_EXT_NSS_BW_MASK

# Supported VHT-MCS and NSS Set: RX/TX MCS maps and the highest supported rates.
ieee80211_vht_mcs_info {
	rx_mcs_map	int16
	rx_highest	int16
	tx_mcs_map	int16
	tx_highest	int16
} [packed]

# VHT Capabilities element body.
ieee80211_vht_cap {
	vht_cap_info	flags[ieee80211_vht_cap_info, int32]
	supp_mcs	ieee80211_vht_mcs_info
} [packed]

# Reason Code field, as defined by Table 9-45 of IEEE 802.11-2016.
type ieee80211_reason_code[BASE_TYPE] BASE_TYPE[0:66]

# Status Code field, as defined by Table 9-46 of IEEE 802.11-2016.
type ieee80211_status_code[BASE_TYPE] BASE_TYPE[0:107]

# Duration/ID field. Only NAV is supported at the moment. No CPE or PS-Poll frames.
ieee80211_duration {
	duration	int16:15
	# Bit 15 is pinned to 0, so the field always carries a plain duration value.
	nav_flag	const[0, int16:1]
} [packed]

# Sequence Control field, as defined in sect. 9.2.4.4.1 of IEEE 802.11-2016.
ieee80211_seq_control {
	frag_number	int16:4
	seq_number	int16:12
} [packed]

# Block Ack Starting Sequence Control: fragment number and starting sequence number (same layout as Sequence Control).
ieee80211_block_ack_ssc {
	fragment	int16:4
	ssn	int16:12
} [packed]

# TDLS action codes, as defined by Table 9-342 of IEEE 802.11-2016.
ieee80211_tdls_action_codes = WLAN_TDLS_SETUP_REQUEST, WLAN_TDLS_SETUP_RESPONSE, WLAN_TDLS_SETUP_CONFIRM, WLAN_TDLS_TEARDOWN, WLAN_TDLS_PEER_TRAFFIC_INDICATION, WLAN_TDLS_CHANNEL_SWITCH_REQUEST, WLAN_TDLS_CHANNEL_SWITCH_RESPONSE, WLAN_TDLS_PEER_PSM_REQUEST, WLAN_TDLS_PEER_PSM_RESPONSE, WLAN_TDLS_PEER_TRAFFIC_RESPONSE, WLAN_TDLS_DISCOVERY_REQUEST

# Cipher suite selectors, as defined by Table 9-131 of IEEE 802.11-2016.
ieee80211_cipher_suites = WLAN_CIPHER_SUITE_USE_GROUP, WLAN_CIPHER_SUITE_WEP40, WLAN_CIPHER_SUITE_TKIP, WLAN_CIPHER_SUITE_CCMP, WLAN_CIPHER_SUITE_WEP104, WLAN_CIPHER_SUITE_AES_CMAC, WLAN_CIPHER_SUITE_GCMP, WLAN_CIPHER_SUITE_GCMP_256, WLAN_CIPHER_SUITE_CCMP_256, WLAN_CIPHER_SUITE_BIP_GMAC_128, WLAN_CIPHER_SUITE_BIP_GMAC_256, WLAN_CIPHER_SUITE_BIP_CMAC_256

# AKM suite selectors, as defined by Table 9-133 of IEEE 802.11-2016.
ieee80211_akm_suites = WLAN_AKM_SUITE_8021X, WLAN_AKM_SUITE_PSK, WLAN_AKM_SUITE_FT_8021X, WLAN_AKM_SUITE_FT_PSK, WLAN_AKM_SUITE_8021X_SHA256, WLAN_AKM_SUITE_PSK_SHA256, WLAN_AKM_SUITE_TDLS, WLAN_AKM_SUITE_SAE, WLAN_AKM_SUITE_FT_OVER_SAE, WLAN_AKM_SUITE_AP_PEER_KEY, WLAN_AKM_SUITE_8021X_SUITE_B, WLAN_AKM_SUITE_8021X_SUITE_B_192, WLAN_AKM_SUITE_FT_8021X_SHA384, WLAN_AKM_SUITE_FILS_SHA256, WLAN_AKM_SUITE_FILS_SHA384, WLAN_AKM_SUITE_FT_FILS_SHA256, WLAN_AKM_SUITE_FT_FILS_SHA384, WLAN_AKM_SUITE_OWE, WLAN_AKM_SUITE_FT_PSK_SHA384, WLAN_AKM_SUITE_PSK_SHA384

# Capability Information field (see sect. 9.4.1.4 of IEEE 802.11-2016).
ieee80211_capabilities = WLAN_CAPABILITY_ESS, WLAN_CAPABILITY_IBSS, WLAN_CAPABILITY_CF_POLLABLE, WLAN_CAPABILITY_CF_POLL_REQUEST, WLAN_CAPABILITY_PRIVACY, WLAN_CAPABILITY_SHORT_PREAMBLE, WLAN_CAPABILITY_PBCC, WLAN_CAPABILITY_CHANNEL_AGILITY, WLAN_CAPABILITY_SPECTRUM_MGMT, WLAN_CAPABILITY_QOS, WLAN_CAPABILITY_SHORT_SLOT_TIME, WLAN_CAPABILITY_APSD, WLAN_CAPABILITY_RADIO_MEASURE, WLAN_CAPABILITY_DSSS_OFDM, WLAN_CAPABILITY_DEL_BACK, WLAN_CAPABILITY_IMM_BACK

# Capability Information field of the given integer width.
type ieee80211_capability[TYPE] flags[ieee80211_capabilities, TYPE]

# QoS Control field is quite complicated (see Table 9-6 of IEEE 802.11-2016), but
# for fuzzing purposes we don't really care about most of its bits.
# A_MSDU pins the A-MSDU Present bit (0 for the MSDU headers below, 1 for the A-MSDU ones).
type ieee80211_qos_control[A_MSDU] {
	tid	int8:4
	eosp	int8:1
	ack_policy	int8:2
	a_msdu	const[A_MSDU, int8:1]
	rest	int8
} [packed]

# Operating Mode field (see sect. 9.4.1.53 of IEEE 802.11-2016).
ieee80211_operating_mode {
	channel_width	int8:2
	supp_160_80_80	int8:1
	no_ldpc	int8:1
	rx_nss	int8:3
	rx_nss_type	int8:1
} [packed]

# SM Power Control field (see sect. 9.4.1.23 of IEEE 802.11-2016).
ieee80211_sm_power_control {
	smps_enabled	int8:1
	sm_mode	int8:1
	# NOTE(review): field name is a misspelling of "reserved"; left unchanged here.
	reserver	const[0, int8:6]
} [packed]

#############################################
# Basic 802.11 frame structures.
#############################################

# HT Control field in its 802.11n form (VHT bit pinned to 0).
ieee80211_ht_control_80211n {
	vht	const[0, int16:1]
	link_adaptation_ctrl	int16:15
	calibration_pos	int8:2
	calibration_seq	int8:2
	reserved_1	const[0, int8:2]
	csi_steering	int8:2
	ndp	int8:1
	reserved_2	const[0, int8:5]
	ac	int8:1
	rdg	int8:1
} [packed]

# 802.11ac introduced another version of this struct, but it is omitted because HT header is not supported by mac80211 anyway
ieee80211_ht_control [
	ver_80211n	ieee80211_ht_control_80211n
]

# Generic Frame Control field.
# TO_DS/FROM_DS, TYPE and SUBTYPE are supplied by the enclosing header. The protocol version
# and the Protected Frame bit are pinned to 0, so generated frames are never marked as encrypted.
type ieee80211_fc[TO_DS, FROM_DS, TYPE, SUBTYPE] {
	version	const[0, int8:2]
	type	TYPE
	subtype	SUBTYPE
	to_ds	const[TO_DS, int8:1]
	from_ds	const[FROM_DS, int8:1]
	more	int8:1
	retry	int8:1
	power_mgmt	int8:1
	more_data	int8:1
	protected	const[0, int8:1]
	order	int8:1
} [packed]

# Control packets use a simpler version of Frame Control:
# type is fixed to Control (0x1) and all flag bits are 0.
type ieee80211_control_fc[SUBTYPE_CONST] {
	version	const[0, int8:2]
	type	const[0x1, int8:2]
	subtype	const[SUBTYPE_CONST, int8:4]
	rest	const[0, int8:6]
} [packed]

# Frame type values as they appear in the 2-bit Type field (the kernel's IEEE80211_FTYPE_* are pre-shifted by 2).
define IEEE80211_MGMT_FRAME_TYPE (IEEE80211_FTYPE_MGMT >> 2)
define IEEE80211_DATA_FRAME_TYPE (IEEE80211_FTYPE_DATA >> 2)
define IEEE80211_CTL_FRAME_TYPE (IEEE80211_FTYPE_CTL >> 2)

############################################
# Information Elements.
############################################

# Information Element structure (see 9.4.2.1 of IEEE 802.11-2016): element ID, 1-byte length, body.
type ieee80211_generic_ie[ID_TYPE, DATA_TYPE] {
	id	ID_TYPE
	len	len[data, int8]
	data	DATA_TYPE
} [packed]

# Information Element with a fixed element ID.
type ieee80211_generic_ie_const[ID_VAL, DATA_TYPE] ieee80211_generic_ie[const[ID_VAL, int8], DATA_TYPE]

# Vendor Specific element with a random body of 6..255 bytes.
type ieee80211_random_vendor_ie ieee80211_generic_ie_const[WLAN_EID_VENDOR_SPECIFIC, array[int8, 6:255]]

# SSID Information Element (see 9.4.2.2 of IEEE 802.11-2016).
type ieee80211_ie_ssid ieee80211_generic_ie_const[WLAN_EID_SSID, ieee80211_ssid]

# Supported Rates Information Element (see 9.4.2.3 of IEEE 802.11-2016).
type ieee80211_ie_supported_rates ieee80211_generic_ie_const[WLAN_EID_SUPP_RATES, array[ieee80211_rate, 0:8]]

# DS Parameter Set / DSSS Information Element (see 9.4.2.4 of IEEE 802.11-2016).
type ieee80211_ie_dsss ieee80211_generic_ie_const[WLAN_EID_DS_PARAMS, ieee80211_channel[int8]]

# CF Parameter Set Information Element (see 9.4.2.5 of IEEE 802.11-2016).
ieee80211_ie_cf_payload {
	count	int8
	period	int8
	max_duration	int16
	dur_remaining	int16
} [packed]

type ieee80211_ie_cf ieee80211_generic_ie_const[WLAN_EID_CF_PARAMS, ieee80211_ie_cf_payload]

# Traffic Indication Map (TIM) Information Element (see 9.4.2.6 of IEEE 802.11-2016).
ieee80211_ie_tim_payload {
	dtim_count	int8
	# A DTIM period of 0 is never generated.
	dtim_period	int8[1:255]
	bitmap_control	int8
	partial_bitmap	array[int8, 0:251]
} [packed]

type ieee80211_ie_tim ieee80211_generic_ie_const[WLAN_EID_TIM, ieee80211_ie_tim_payload]

# IBSS Parameter Set Information Element (see 9.4.2.7 of IEEE 802.11-2016). The body is the 2-byte ATIM Window.
type ieee80211_ie_ibss ieee80211_generic_ie_const[WLAN_EID_IBSS_PARAMS, int16]

# Challenge Text Information Element (see 9.4.2.8 of IEEE 802.11-2016).
# NOTE(review): the standard's Challenge Text field is 1..253 octets, but int8[1:253] describes a single
# byte whose value lies in 1..253; array[int8, 1:253] was probably intended — confirm before changing.
type ieee80211_ie_challenge ieee80211_generic_ie_const[WLAN_EID_CHALLENGE, int8[1:253]]

# Extended Rate PHY (ERP) Information Element (see 9.4.2.12 of IEEE 802.11-2016).
ieee80211_ie_erp_payload {
	non_erp_present	int8:1
	use_protection	int8:1
	barker_preamble_mode	int8:1
	reserved	const[0, int8:5]
} [packed]

type ieee80211_ie_erp ieee80211_generic_ie_const[WLAN_EID_ERP_INFO, ieee80211_ie_erp_payload]

# Channel Switch Announcement Information Element (see 9.4.2.19 of IEEE 802.11-2016).
ieee80211_ie_channel_switch_annce_payload {
	switch_mode	int8[0:1]
	new_channel	ieee80211_channel[int8]
	switch_count	int8
} [packed]

type ieee80211_ie_channel_switch ieee80211_generic_ie_const[WLAN_EID_CHANNEL_SWITCH, ieee80211_ie_channel_switch_annce_payload]

# Secondary Channel Offset Information Element (see 9.4.2.20 of IEEE 802.11-2016).
type ieee80211_ie_sec_chan_ofs ieee80211_generic_ie_const[WLAN_EID_SECONDARY_CHANNEL_OFFSET, int8[0:3]]

# Measurement Request Information Element (see 9.4.2.21 of IEEE 802.11-2016).
ieee80211_ie_measure_req_payload {
	token	int8
	mode	int8
	type	int8
	# Measurement-type specific request body; left as opaque bytes.
	req_details	array[int8]
} [packed]

type ieee80211_ie_measure_req ieee80211_generic_ie_const[WLAN_EID_MEASURE_REQUEST, ieee80211_ie_measure_req_payload]

# Fast BSS Transition element (FTE) (see 9.4.2.48 of IEEE 802.11-2016).
ieee80211_ie_fast_bss_trans_payload {
	# MIC Control: a reserved byte and the element count, which is derived from params.
	mic_control_reserved	int8
	mic_element_count	len[params, int8]
	mic	array[int8, 16]
	a_nonce	array[int8, 32]
	s_nonce	array[int8, 32]
	# Optional sub-elements: IDs 1..4 with bodies of up to 40 bytes.
	params	array[ieee80211_generic_ie[int8[1:4], array[int8, 0:40]]]
} [packed]

type ieee80211_ie_fast_bss_trans ieee80211_generic_ie_const[WLAN_EID_FAST_BSS_TRANSITION, ieee80211_ie_fast_bss_trans_payload]

# Extended Channel Switch Announcement Information Element (see 9.4.2.53 of IEEE 802.11-2016).
ieee80211_ie_ext_channel_switch_annce_payload {
	switch_mode	int8[0:1]
	new_class	int8
	new_channel	ieee80211_channel[int8]
	switch_count	int8
} [packed]

type ieee80211_ie_ext_channel_switch ieee80211_generic_ie_const[WLAN_EID_EXT_CHANSWITCH_ANN, ieee80211_ie_ext_channel_switch_annce_payload]

# Management MIC Information Element (see 9.4.2.55 of IEEE 802.11-2016).
type ieee80211_ie_mic ieee80211_generic_ie_const[WLAN_EID_MIC, ieee80211_ie_mic_payload]

# MIC field: either 8 or 16 bytes long.
ieee80211_ie_mic_code [
	short	array[int8, 8]
	long	array[int8, 16]
] [varlen]

# Key ID, IGTK packet number (IPN) and the MIC itself.
ieee80211_ie_mic_payload {
	key_id	int16[0:4095]
	ipn	array[int8, 6]
	mic	ieee80211_ie_mic_code
} [packed]

# HT Capabilities Information Element (see 9.4.2.56 of IEEE 802.11-2016).
type ieee80211_ie_ht ieee80211_generic_ie_const[WLAN_EID_HT_CAPABILITY, ieee80211_ht_cap]

# Link Identifier Information Element (see 9.4.2.62 of IEEE 802.11-2016).
ieee80211_ie_link_id_payload {
	bssid	ieee80211_bssid
	initiator	ieee80211_mac_addr
	responder	ieee80211_mac_addr
} [packed]

type ieee80211_ie_link_id ieee80211_generic_ie_const[WLAN_EID_LINK_ID, ieee80211_ie_link_id_payload]

# Channel Switch Timing Information Element (see 9.4.2.64 of IEEE 802.11-2016).
ieee80211_ie_channel_switch_timing_payload {
	switch_time	int16
	switch_timeout	int16
} [packed]

type ieee80211_ie_channel_switch_timing ieee80211_generic_ie_const[WLAN_EID_CHAN_SWITCH_TIMING, ieee80211_ie_channel_switch_timing_payload]

# Mesh Configuration Information Element (see 9.4.2.98 of IEEE 802.11-2016).
type ieee80211_ie_mesh_config ieee80211_generic_ie_const[WLAN_EID_MESH_CONFIG, ieee80211_ie_mesh_config_payload]

# The protocol/metric/mode identifiers are limited to -1 (0xff, presumably the vendor-specific value — confirm)
# and the small standard-defined values.
ieee80211_ie_mesh_config_payload {
	psel_proto	int8[-1:1]
	psel_metric	int8[-1:1]
	cmode_id	int8[-1:1]
	syncm_id	int8[-1:1]
	auth_proto	int8[-1:2]
	mesh_info	int8
	mesh_cap	flags[mesh_config_capab_flags, int8]
} [packed]

# Bits of the Mesh Capability field (IEEE80211_MESHCONF_CAPAB_* from linux/ieee80211.h).
mesh_config_capab_flags = IEEE80211_MESHCONF_CAPAB_ACCEPT_PLINKS, IEEE80211_MESHCONF_CAPAB_FORWARDING, IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING, IEEE80211_MESHCONF_CAPAB_POWER_SAVE_LEVEL

# Mesh Channel Switch Information Element (see 9.4.2.103 of IEEE 802.11-2016).
ieee80211_ie_mesh_channel_switch_payload {
	mesh_ttl	int8
	mesh_flags	int8
	mesh_reason	ieee80211_reason_code[int16]
	# NOTE(review): field name is a misspelling of "mesh_pre_value" (precedence value); left unchanged here.
	meash_pre_value	int16
} [packed]

type ieee80211_ie_mesh_channel_switch ieee80211_generic_ie_const[WLAN_EID_CHAN_SWITCH_PARAM, ieee80211_ie_mesh_channel_switch_payload]

# GCR Group Address Information Element (see 9.4.2.126 of IEEE 802.11-2016).
type ieee80211_ie_gcr_ga ieee80211_generic_ie_const[WLAN_EID_GCR_GROUP_ADDR, ieee80211_mac_addr]

# PREQ Information Element (see 9.4.2.113 of IEEE 802.11-2016).
type ieee80211_ie_preq ieee80211_generic_ie_const[WLAN_EID_PREQ, ieee80211_ie_preq_payload]

# PREQ Flags (see Figure 9-478 of IEEE 802.11-2016).
ieee80211_preq_flags {
	gate_anncement	int8:1
	addr_mode	int8:1
	proactive_prep	int8:1
	reserved	const[0, int8:3]
	# AE (Address Extension): controls whether originator_ext is present in the payload.
	ae	int8:1
	reserved_2	const[0, int8:1]
} [packed]

# Per-target flags (see Figure 9-479 of IEEE 802.11-2016).
ieee80211_preq_target_flags {
	target_only	int8:1
	reserved	const[0, int8:1]
	usn	int8:1
	reserved2	const[0, int8:5]
} [packed]

# One entry of the PREQ target list.
ieee80211_preq_target {
	flags	ieee80211_preq_target_flags
	target_addr	ieee80211_mac_addr
	target_sn	int32
} [packed]

ieee80211_ie_preq_payload {
	flags	ieee80211_preq_flags
	hop_count	int8
	ttl	int8
	discovery_id	int32
	originator	ieee80211_mac_addr
	originator_sn	int32
	# Only present when the AE flag is set.
	originator_ext	ieee80211_mac_addr	(if[value[flags:ae] == 1])
	lifetime	int32
	metric	int32
	# Number of entries in targets, derived automatically.
	target_count	len[targets, int8]
	targets	array[ieee80211_preq_target]
} [packed]

# PREP Information Element (see 9.4.2.114 of IEEE 802.11-2016; PREQ and PERR are 9.4.2.113 and 9.4.2.115).
type ieee80211_ie_prep ieee80211_generic_ie_const[WLAN_EID_PREP, ieee80211_ie_prep_payload]

# Flags field shared by PREP and PERR destinations (see Figure 9-481 and Figure 9-483 of IEEE 802.11-2016).
# Only the AE (Address Extension) bit is free; it gates the *_ext address fields.
ieee80211_ae_flags {
	reserved	const[0, int8:6]
	ae	int8:1
	reserved2	const[0, int8:1]
} [packed]

ieee80211_ie_prep_payload {
	flags	ieee80211_ae_flags
	hop_count	int8
	ttl	int8
	target_addr	ieee80211_mac_addr
	target_sn	int32
	# Only present when the AE flag is set.
	target_ext	ieee80211_mac_addr	(if[value[flags:ae] == 1])
	lifetime	int32
	metric	int32
	originator	ieee80211_mac_addr
	originator_sn	int32
} [packed]

# PERR Information Element (see 9.4.2.115 of IEEE 802.11-2016).
type ieee80211_ie_perr ieee80211_generic_ie_const[WLAN_EID_PERR, ieee80211_ie_perr_payload]

ieee80211_ie_perr_payload {
	ttl	int8
	# Number of entries in dest_list (at most 19), derived automatically.
	dest_count	len[dest_list, int8]
	dest_list	array[ieee80211_ie_perr_dest, 0:19]
} [packed]

# One destination entry of a PERR element.
ieee80211_ie_perr_dest {
	flags	ieee80211_ae_flags
	dest_addr	ieee80211_mac_addr
	dest_sn	int32
	# Only present when the AE flag is set.
	dest_ext	ieee80211_mac_addr	(if[value[flags:ae] == 1])
	reason	ieee80211_reason_code[int16]
} [packed]

# RANN Information Element (see 9.4.2.112 of IEEE 802.11-2016).
type ieee80211_ie_rann ieee80211_generic_ie_const[WLAN_EID_RANN, ieee80211_ie_rann_payload]

# RANN Flags (see Figure 9-476 of IEEE 802.11-2016).
ieee80211_rann_flags {
	gate_annce	int8:1
	# Unlike the other reserved fields in this file, these bits are not pinned to 0.
	reserved	int8:7
} [packed]

ieee80211_ie_rann_payload {
	flags	ieee80211_rann_flags
	hop_count	int8
	ttl	int8
	root_sta	ieee80211_mac_addr
	hwmp_seqno	int32
	interval	int32
	metric	int32
} [packed]

# Mesh ID Information Element (see 9.4.2.99 of IEEE 802.11-2016).
type ieee80211_ie_mesh_id ieee80211_generic_ie_const[WLAN_EID_MESH_ID, ieee80211_mesh_id]

# Mesh Peering Management (see 9.4.2.102 of IEEE 802.11-2016).
type ieee80211_ie_peer_mgmt ieee80211_generic_ie_const[WLAN_EID_PEER_MGMT, ieee80211_ie_peering_mgmt_payload]

# Everything after local_link_id is optional, so the element may be generated in any of its truncated forms.
ieee80211_ie_peering_mgmt_payload {
	proto_id	int16[0:1]
	local_link_id	int16
	peer_link_id	optional[int16]
	reason_code	optional[ieee80211_reason_code[int16]]
	pmk	optional[array[int8, 16]]
} [packed]

# This union is not used in packet descriptions because IEs have a strictly specified order there.
# It is only needed to feed nl80211 commands that require IEs.
ieee80211_ie [
	ssid	ieee80211_ie_ssid
	supported_rates	ieee80211_ie_supported_rates
	dsss	ieee80211_ie_dsss
	cf	ieee80211_ie_cf
	tim	ieee80211_ie_tim
	ibss	ieee80211_ie_ibss
	challenge	ieee80211_ie_challenge
	erp	ieee80211_ie_erp
	channel_switch	ieee80211_ie_channel_switch
	sec_chan_ofs	ieee80211_ie_sec_chan_ofs
	measure_req	ieee80211_ie_measure_req
	fast_bss_trans	ieee80211_ie_fast_bss_trans
	ext_channel_switch	ieee80211_ie_ext_channel_switch
	ht	ieee80211_ie_ht
	link_id	ieee80211_ie_link_id
	chsw_timing	ieee80211_ie_channel_switch_timing
	mesh_chsw	ieee80211_ie_mesh_channel_switch
	gcr_ga	ieee80211_ie_gcr_ga
	preq	ieee80211_ie_preq
	prep	ieee80211_ie_prep
	perr	ieee80211_ie_perr
	rann	ieee80211_ie_rann
	mesh_id	ieee80211_ie_mesh_id
	mesh_config	ieee80211_ie_mesh_config
	peer_mgmt	ieee80211_ie_peer_mgmt
	mic	ieee80211_ie_mic
	random_vendor	ieee80211_random_vendor_ie
	# Catch-all: arbitrary element ID with an arbitrary body.
	random	ieee80211_generic_ie[int8, array[int8, 0:253]]
] [varlen]

##################################################
# 802.11 Data frames (9.3.2 of IEEE 802.11-2016)
##################################################

# Specific 802.11 data frame headers determined by to_ds and from_ds values.
# See Table 9-26 of IEEE 802.11-2016.

# ADDR_1..ADDR_4 select what each address field may hold (void omits addr_4 entirely);
# A_MSDU is the value of the A-MSDU Present bit in the QoS Control field.
type ieee80211_data_gen_hdr[TO, FROM, ADDR_1, ADDR_2, ADDR_3, ADDR_4, A_MSDU] {
	fc	ieee80211_fc[TO, FROM, const[IEEE80211_DATA_FRAME_TYPE, int8:2], int8:4]
	duration	ieee80211_duration
	addr_1	ADDR_1
	addr_2	ADDR_2
	addr_3	ADDR_3
	seqno	ieee80211_seq_control
	addr_4	ADDR_4
	# QoS Control is present for the QoS data subtypes (bit 3 of the subtype set).
	qos	ieee80211_qos_control[A_MSDU]	(if[value[fc:subtype] & 0x8])
	# It can be somewhat more nuanced, but for data frames it should work.
	ht	ieee80211_ht_control	(if[value[fc:order] == 1])
} [packed]

# MSDU (non-aggregated) data frame headers, one per to_ds/from_ds combination.
ieee80211_msdu_header [
	# 00: RA = DA, TA = SA, BSSID
	type00	ieee80211_data_gen_hdr[0, 0, ieee80211_mac_addr, ieee80211_mac_addr, ieee80211_bssid, void, 0]
	# 01: RA = DA, TA = BSSID, SA
	type01	ieee80211_data_gen_hdr[0, 1, ieee80211_mac_addr, ieee80211_bssid, ieee80211_mac_addr, void, 0]
	# 10: RA = BSSID, TA = SA, DA
	type10	ieee80211_data_gen_hdr[1, 0, ieee80211_bssid, ieee80211_mac_addr, ieee80211_mac_addr, void, 0]
	# 11: RA, TA, DA, SA
	type11	ieee80211_data_gen_hdr[1, 1, ieee80211_mac_addr, ieee80211_mac_addr, ieee80211_mac_addr, ieee80211_mac_addr, 0]
] [varlen]

# A-MSDU data frame headers: addr_3 carries the BSSID and the A-MSDU Present bit is set.
ieee80211_a_msdu_header [
	# 00: RA = DA, TA = SA, BSSID
	type00	ieee80211_data_gen_hdr[0, 0, ieee80211_mac_addr, ieee80211_mac_addr, ieee80211_bssid, void, 1]
	# 01: RA = DA, TA = BSSID, BSSID
	type01	ieee80211_data_gen_hdr[0, 1, ieee80211_mac_addr, ieee80211_bssid, ieee80211_bssid, void, 1]
	# 10: RA = BSSID, TA = SA, BSSID
	type10	ieee80211_data_gen_hdr[1, 0, ieee80211_bssid, ieee80211_mac_addr, ieee80211_bssid, void, 1]
	# 11: RA, TA, BSSID, SA
	type11	ieee80211_data_gen_hdr[1, 1, ieee80211_mac_addr, ieee80211_mac_addr, ieee80211_bssid, ieee80211_mac_addr, 1]
] [varlen]

ieee80211_data_frame_hdr [
	msdu	ieee80211_msdu_header
	a_msdu	ieee80211_a_msdu_header
] [varlen]

# One A-MSDU subframe: DA, SA, length and payload, padded to a 4-byte boundary.
ieee80211_a_msdu_subframe {
	da	ieee80211_mac_addr
	sa	ieee80211_mac_addr
	len	len[data, int16]
	data	array[int8]
} [packed, align[4]]

# Either an opaque MSDU body or a sequence of A-MSDU subframes; the header type is not tied to this choice.
ieee80211_data_frame_payload [
	random	array[int8, 0:IEEE80211_MAX_DATA_LEN]
	# TODO: here it could have helped to reference conditional fields in if[].
	a_msdu	array[ieee80211_a_msdu_subframe]
] [varlen]

ieee80211_data_frame {
	header	ieee80211_data_frame_hdr
	payload	ieee80211_data_frame_payload
} [packed]

###############################################
# 802.11 Management frames
###############################################

# Subtype values as they appear in the 4-bit Subtype field (the kernel's IEEE80211_STYPE_* are pre-shifted by 4).
define IEEE80211_MGMT_FRAME_ASSOC_REQ (IEEE80211_STYPE_ASSOC_REQ >> 4)
define IEEE80211_MGMT_FRAME_ASSOC_RESP (IEEE80211_STYPE_ASSOC_RESP >> 4)
define IEEE80211_MGMT_FRAME_REASSOC_REQ (IEEE80211_STYPE_REASSOC_REQ >> 4)
define IEEE80211_MGMT_FRAME_REASSOC_RESP (IEEE80211_STYPE_REASSOC_RESP >> 4)
define IEEE80211_MGMT_FRAME_PROBE_REQ (IEEE80211_STYPE_PROBE_REQ >> 4)
define IEEE80211_MGMT_FRAME_PROBE_RESP (IEEE80211_STYPE_PROBE_RESP >> 4)
define IEEE80211_MGMT_FRAME_BEACON (IEEE80211_STYPE_BEACON >> 4)
define IEEE80211_MGMT_FRAME_ATIM (IEEE80211_STYPE_ATIM >> 4)
define IEEE80211_MGMT_FRAME_DISASSOC (IEEE80211_STYPE_DISASSOC >> 4)
define IEEE80211_MGMT_FRAME_AUTH (IEEE80211_STYPE_AUTH >> 4)
define IEEE80211_MGMT_FRAME_DEAUTH (IEEE80211_STYPE_DEAUTH >> 4)
define IEEE80211_MGMT_FRAME_ACTION (IEEE80211_STYPE_ACTION >> 4)
# Action No Ack is the subtype following Action.
define IEEE80211_MGMT_FRAME_ACTION_NOACK ((IEEE80211_STYPE_ACTION >> 4) + 1)

# Common management frame header: to_ds/from_ds are 0, addr_3 is the BSSID, and the HT Control
# field is only present when the Order bit is set.
type ieee80211_mgmt_header[SUBTYPE_CONST] {
	fc	ieee80211_fc[0, 0, const[IEEE80211_MGMT_FRAME_TYPE, int8:2], const[SUBTYPE_CONST, int8:4]]
	duration	ieee80211_duration
	addr_1	ieee80211_mac_addr
	addr_2	ieee80211_mac_addr
	addr_3	ieee80211_bssid
	seqno	ieee80211_seq_control
	ht	ieee80211_ht_control	(if[value[fc:order] == 1])
} [packed]

# Beacon frame (see Table 9-27 of IEEE 802.11-2016).
# Fixed fields followed by the optional IEs in the order the standard lists them, then any vendor IEs.
ieee80211_mgmt_beacon {
	header	ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_BEACON]
	timestamp	ieee80211_timestamp
	beacon_interval	ieee80211_beacon_interval[int16]
	capability	ieee80211_capability[int16]
	ssid	optional[ieee80211_ie_ssid]
	supported_rates	optional[ieee80211_ie_supported_rates]
	dsss	optional[ieee80211_ie_dsss]
	cf	optional[ieee80211_ie_cf]
	ibss	optional[ieee80211_ie_ibss]
	tim	optional[ieee80211_ie_tim]
	chsw	optional[ieee80211_ie_channel_switch]
	erp	optional[ieee80211_ie_erp]
	expt_chsw	optional[ieee80211_ie_ext_channel_switch]
	ht	optional[ieee80211_ie_ht]
	mesh_id	optional[ieee80211_ie_mesh_id]
	mesh_config	optional[ieee80211_ie_mesh_config]
	mesh_chsw	optional[ieee80211_ie_mesh_channel_switch]
	vendor	array[ieee80211_random_vendor_ie]
} [packed]

# Disassociation frame (see Table 9-28 of IEEE 802.11-2016).
ieee80211_mgmt_disassoc_frame {
	header	ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_DISASSOC]
	reason_code	ieee80211_reason_code[int16]
	mic	optional[ieee80211_ie_mic]
} [packed]

# Association Request (see Table 9-29 of IEEE 802.11-2016). The SSID element is mandatory here.
ieee80211_mgmt_assoc_req_frame {
	header	ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_ASSOC_REQ]
	capabilities	ieee80211_capability[int16]
	listen_interval	int16
	ssid	ieee80211_ie_ssid
	supported_rates	optional[ieee80211_ie_supported_rates]
	ht	optional[ieee80211_ie_ht]
	vendor	array[ieee80211_random_vendor_ie]
} [packed]

# Association Response (see Table 9-30 of IEEE 802.11-2016).
ieee80211_mgmt_assoc_resp_frame {
	header	ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_ASSOC_RESP]
	capabilities	ieee80211_capability[int16]
	status_code	ieee80211_status_code[int16]
	assoc_id	ieee80211_assoc_id
	supported_rates	optional[ieee80211_ie_supported_rates]
	ht	optional[ieee80211_ie_ht]
	vendor	array[ieee80211_random_vendor_ie]
} [packed]

# Reassociation Request (see Table 9-31 of IEEE 802.11-2016).
# Same as Association Request plus the Current AP address.
ieee80211_mgmt_reassoc_req_frame {
	header	ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_REASSOC_REQ]
	capabilities	ieee80211_capability[int16]
	listen_interval	int16
	current_ap	ieee80211_mac_addr
	ssid	ieee80211_ie_ssid
	supported_rates	optional[ieee80211_ie_supported_rates]
	ht	optional[ieee80211_ie_ht]
	vendor	array[ieee80211_random_vendor_ie]
} [packed]

# Reassociation Response (see Table 9-32 of IEEE 802.11-2016).
ieee80211_mgmt_reassoc_resp_frame {
	header	ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_REASSOC_RESP]
	capabilities	ieee80211_capability[int16]
	status_code	ieee80211_status_code[int16]
	assoc_id	ieee80211_assoc_id
	supported_rates	optional[ieee80211_ie_supported_rates]
	ht	optional[ieee80211_ie_ht]
	vendor	array[ieee80211_random_vendor_ie]
} [packed]

# Probe Request (see Table 9-33 of IEEE 802.11-2016). Has no fixed fields, only IEs.
ieee80211_mgmt_probe_request {
	header	ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_PROBE_REQ]
	ssid	optional[ieee80211_ie_ssid]
	supported_rates	optional[ieee80211_ie_supported_rates]
	dsss	optional[ieee80211_ie_dsss]
	ht	optional[ieee80211_ie_ht]
	mesh_id	optional[ieee80211_ie_mesh_id]
	vendor	array[ieee80211_random_vendor_ie]
} [packed]

# Probe Response (see Table 9-34 of IEEE 802.11-2016).
# Mirrors the beacon body, minus the TIM, ERP and channel-switch elements.
ieee80211_mgmt_probe_response {
	header	ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_PROBE_RESP]
	timestamp	ieee80211_timestamp
	beacon_interval	ieee80211_beacon_interval[int16]
	capabilities	ieee80211_capability[int16]
	ssid	optional[ieee80211_ie_ssid]
	supported_rates	optional[ieee80211_ie_supported_rates]
	dsss	optional[ieee80211_ie_dsss]
	cf	optional[ieee80211_ie_cf]
	ibss	optional[ieee80211_ie_ibss]
	ht	optional[ieee80211_ie_ht]
	mesh_id	optional[ieee80211_ie_mesh_id]
	mesh_config	optional[ieee80211_ie_mesh_config]
	vendor	array[ieee80211_random_vendor_ie]
} [packed]

# Authentication (see Table 9-35 of IEEE 802.11-2016).
ieee80211_mgmt_auth_frame {
	header	ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_AUTH]
	# Authentication algorithm number, restricted to 0..1
	# (WLAN_AUTH_OPEN / WLAN_AUTH_SHARED_KEY in linux/ieee80211.h).
	algo	int16[0:1]
	# Authentication transaction sequence number, restricted to 0..4.
	trans_seq	int16[0:4]
	status	ieee80211_status_code[int16]
	# Challenge Text element. Nothing here ties it to a particular algo/trans_seq,
	# so it may be generated in any step of the exchange.
	challenge_tag	optional[ieee80211_ie_challenge]
	vendor	array[ieee80211_random_vendor_ie]
} [packed]

# Deauthentication (see Table 9-37 of IEEE 802.11-2016).
# Same layout as the Disassociation frame; only the management subtype differs.
ieee80211_mgmt_deauth_frame {
	header	ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_DEAUTH]
	reason_code	ieee80211_reason_code[int16]
	mic	optional[ieee80211_ie_mic]
} [packed]

# All management frame bodies that can be injected through ieee80211_frame.
ieee80211_mgmt_frame [
	probe_request	ieee80211_mgmt_probe_request
	probe_response	ieee80211_mgmt_probe_response
	beacon	ieee80211_mgmt_beacon
	action	ieee80211_mgmt_action
	action_no_ack	ieee80211_mgmt_action_no_ack
	assoc_req	ieee80211_mgmt_assoc_req_frame
	assoc_resp	ieee80211_mgmt_assoc_resp_frame
	disassoc	ieee80211_mgmt_disassoc_frame
	deauth	ieee80211_mgmt_deauth_frame
	reassoc_req	ieee80211_mgmt_reassoc_req_frame
	reassoc_resp	ieee80211_mgmt_reassoc_resp_frame
	auth	ieee80211_mgmt_auth_frame
] [varlen]

######################################################
# 802.11 Management Action frames
######################################################

# This is a large group of frames, so it is placed in a separate section.

# Generic Action frame body: one-byte category and action code followed by a
# category-specific payload. Instantiated once per entry of ieee80211_mgmt_action_payload.
type ieee80211_mgmt_action_raw[CATEGORY, ACTION, PAYLOAD_TYPE] {
	category	const[CATEGORY, int8]
	action	const[ACTION, int8]
	payload	PAYLOAD_TYPE
} [packed]

# Measurement Request (see sect. 9.6.2.2 of IEEE 802.11-2016).
ieee80211_mgmt_action_measure_req {
	dialog_token	int8
	# Any number of Measurement Request elements; the count is not bounded here.
	ie	array[ieee80211_ie_measure_req]
} [packed]

# Channel Switch Announcement (see sect. 9.6.2.6 of IEEE 802.11-2016).
ieee80211_mgmt_action_channel_switch {
	channel_switch	ieee80211_ie_channel_switch
	secondary	optional[ieee80211_ie_sec_chan_ofs]
	mesh	optional[ieee80211_ie_mesh_channel_switch]
} [packed]

# ADDBA Request (see sect. 9.6.5.2 of IEEE 802.11-2016).
ieee80211_mgmt_action_addba_req {
	dialog_token	int8
	block_ack_param	ieee80211_block_ack_param_set
	timeout_value	int16
	ssc	ieee80211_block_ack_ssc
} [packed]

# Block Ack Parameter Set field (16 bits), shared by ADDBA Request and Response.
ieee80211_block_ack_param_set {
	amsdu_supported	int16:1
	block_ack_policy	int16:1
	tid	int16:4
	# Not constrained by this description: any 10-bit value may be requested,
	# which exercises the receiver's bounds handling of the buffer size.
	buffer_size	int16:10
} [packed]

# ADDBA Response (see sect. 9.6.5.3 of IEEE 802.11-2016).
ieee80211_mgmt_action_addba_resp {
	dialog_token	int8
	status	ieee80211_status_code[int16]
	block_ack_param	ieee80211_block_ack_param_set
	timeout_value	int16
} [packed]

# DELBA (see sect. 9.6.5.4 of IEEE 802.11-2016).
ieee80211_mgmt_action_delba {
	delba_params	ieee80211_delba_param_set
	reason	ieee80211_reason_code[int16]
	# GCR Group Address element; not wrapped in optional[...], so it is always emitted.
	group_addr_ie	ieee80211_ie_gcr_ga
} [packed]

# DELBA Parameter Set field (16 bits): 11 reserved bits, initiator flag, TID.
ieee80211_delba_param_set {
	reserved	const[0, int16:11]
	initiator	int16:1
	tid	int16:4
} [packed]

# Extended Channel Switch Announcement (see sect. 9.6.8.7 of IEEE 802.11-2016).
ieee80211_mgmt_action_ext_chan_switch {
	annce_ie	ieee80211_ie_ext_channel_switch_annce_payload
	mesh_ie	optional[ieee80211_ie_mesh_channel_switch]
} [packed]

# See Table 9-343 and Table 9-344 of 802.11-2016.
# Shared layout of TDLS Setup Request/Response. STATUS is void for the request and
# a status code for the response (see ieee80211_mgmt_action_payload). Unlike
# ieee80211_mgmt_action_raw, the category is fixed to WLAN_CATEGORY_TDLS here.
type ieee80211_mgmt_action_generic_tdls_setup[ACTION, STATUS] {
	category	const[WLAN_CATEGORY_TDLS, int8]
	action	const[ACTION, int8]
	status	STATUS
	dialog_token	int8
	capability	optional[ieee80211_capability[int16]]
	supported_rates	optional[ieee80211_ie_supported_rates]
	ht	optional[ieee80211_ie_ht]
	link_id	optional[ieee80211_ie_link_id]
} [packed]

# TDLS Setup Confirm (see sect. 9.6.13.4 of IEEE 802.11-2016).
ieee80211_mgmt_action_tdls_cfm {
	status	ieee80211_status_code[int16]
	dialog_token	int8
} [packed]

# TDLS Channel Switch Request (see sect. 9.6.13.7 of IEEE 802.11-2016).
ieee80211_mgmt_action_tdls_chsw_req {
	target_channel	ieee80211_channel[int8]
	operating_class	int8
	secondary	optional[ieee80211_ie_sec_chan_ofs]
	link_id	ieee80211_ie_link_id
	timing	ieee80211_ie_channel_switch_timing
} [packed]

# TDLS Channel Switch Response (see sect. 9.6.13.8 of IEEE 802.11-2016).
ieee80211_mgmt_action_tdls_chsw_resp {
	status	ieee80211_status_code[int16]
	link_id	ieee80211_ie_link_id
	timing	ieee80211_ie_channel_switch_timing
} [packed]

# TDLS Discovery Request (see sect. 9.6.13.12 of IEEE 802.11-2016).
ieee80211_mgmt_action_tdls_disc_req {
	dialog_token	int8
	link_id	ieee80211_ie_link_id
} [packed]

# TDLS Teardown (see sect. 9.6.13.5 of IEEE 802.11-2016).
ieee80211_mgmt_action_tdls_teardown {
	reason	ieee80211_reason_code[int16]
	# Fast BSS Transition element; always present in this description.
	fte	ieee80211_ie_fast_bss_trans
	link_id	ieee80211_ie_link_id
} [packed]

# Notify Channel Width (see sect. 9.6.12.2 of IEEE 802.11-2016).
# The whole payload is a single byte restricted to 0..1.
type ieee80211_mgmt_action_notify_ch_sw int8[0:1]

# Group ID Management (see sect. 9.6.23.3 of IEEE 802.11-2016).
ieee80211_mgmt_action_group_id {
	# 64-bit Membership Status Array followed by the 16-byte User Position Array.
	membership_status	int64
	user_positions	array[int8, 16]
} [packed]

# Operating Mode Notification (see sect. 9.6.23.4 of IEEE 802.11-2016).
type ieee80211_mgmt_action_op_mode_ntf ieee80211_operating_mode

# HWMP Mesh Path Selection (see sect. 9.6.17.3 of IEEE 802.11-2016).
# Every element is optional, so the payload may carry any subset of them.
ieee80211_mgmt_action_hwmp_path_sel {
	preq	optional[ieee80211_ie_preq]
	prep	optional[ieee80211_ie_prep]
	perr	optional[ieee80211_ie_perr]
	rann	optional[ieee80211_ie_rann]
} [packed]

# Mesh Peering Open (see sect. 9.6.16.2 of IEEE 802.11-2016).
ieee80211_mgmt_action_mesh_peering_open {
	capability	ieee80211_capability[int16]
	# Supported Rates is mandatory in the Open and Confirm forms.
	supported_rates	ieee80211_ie_supported_rates
	mesh_id	optional[ieee80211_ie_mesh_id]
	ht	optional[ieee80211_ie_ht]
} [packed]

# Mesh Peering Confirm (see sect. 9.6.16.3 of IEEE 802.11-2016).
ieee80211_mgmt_action_mesh_peering_confirm {
	capability	ieee80211_capability[int16]
	aid	ieee80211_assoc_id
	supported_rates	ieee80211_ie_supported_rates
	mesh_id	optional[ieee80211_ie_mesh_id]
	ht	optional[ieee80211_ie_ht]
} [packed]

# Mesh Peering Close (see sect. 9.6.16.4 of IEEE 802.11-2016).
ieee80211_mgmt_action_mesh_peering_close {
	mesh_id	ieee80211_ie_mesh_id
	mgmt	ieee80211_ie_peer_mgmt
} [packed]

# All Action frame bodies. Each entry pairs a (category, action) code with the
# payload type defined above; the TDLS setup pair uses its own template.
ieee80211_mgmt_action_payload [
	measure_req	ieee80211_mgmt_action_raw[WLAN_CATEGORY_SPECTRUM_MGMT, WLAN_ACTION_SPCT_MSR_REQ, ieee80211_mgmt_action_measure_req]
	channel_switch	ieee80211_mgmt_action_raw[WLAN_CATEGORY_SPECTRUM_MGMT, WLAN_ACTION_SPCT_CHL_SWITCH, ieee80211_mgmt_action_channel_switch]
	addba_req	ieee80211_mgmt_action_raw[WLAN_CATEGORY_BACK, WLAN_ACTION_ADDBA_REQ, ieee80211_mgmt_action_addba_req]
	addba_resp	ieee80211_mgmt_action_raw[WLAN_CATEGORY_BACK, WLAN_ACTION_ADDBA_RESP, ieee80211_mgmt_action_addba_resp]
	delba	ieee80211_mgmt_action_raw[WLAN_CATEGORY_BACK, WLAN_ACTION_DELBA, ieee80211_mgmt_action_delba]
	ext_ch_sw	ieee80211_mgmt_action_raw[WLAN_CATEGORY_PUBLIC, WLAN_PUB_ACTION_EXT_CHANSW_ANN, ieee80211_mgmt_action_ext_chan_switch]
	ntf_ch_w	ieee80211_mgmt_action_raw[WLAN_CATEGORY_HT, WLAN_HT_ACTION_NOTIFY_CHANWIDTH, ieee80211_mgmt_action_notify_ch_sw]
	smps	ieee80211_mgmt_action_raw[WLAN_CATEGORY_HT, WLAN_HT_ACTION_SMPS, ieee80211_sm_power_control]
	# SA Query Request carries only the 16-bit Transaction Identifier.
	sa_query_req	ieee80211_mgmt_action_raw[WLAN_CATEGORY_SA_QUERY, WLAN_ACTION_SA_QUERY_REQUEST, int16]
	# The request has no status field (void); the response carries a status code.
	tdls_setup_req	ieee80211_mgmt_action_generic_tdls_setup[WLAN_TDLS_SETUP_REQUEST, void]
	tdls_setup_resp	ieee80211_mgmt_action_generic_tdls_setup[WLAN_TDLS_SETUP_RESPONSE, ieee80211_status_code[int16]]
	tdls_setup_cfm	ieee80211_mgmt_action_raw[WLAN_CATEGORY_TDLS, WLAN_TDLS_SETUP_CONFIRM, ieee80211_mgmt_action_tdls_cfm]
	tdls_teardown	ieee80211_mgmt_action_raw[WLAN_CATEGORY_TDLS, WLAN_TDLS_TEARDOWN, ieee80211_mgmt_action_tdls_teardown]
	tdls_chsw_req	ieee80211_mgmt_action_raw[WLAN_CATEGORY_TDLS, WLAN_TDLS_CHANNEL_SWITCH_REQUEST, ieee80211_mgmt_action_tdls_chsw_req]
	tdls_chsw_resp	ieee80211_mgmt_action_raw[WLAN_CATEGORY_TDLS, WLAN_TDLS_CHANNEL_SWITCH_RESPONSE, ieee80211_mgmt_action_tdls_chsw_resp]
	tdls_disc_req	ieee80211_mgmt_action_raw[WLAN_CATEGORY_TDLS, WLAN_TDLS_DISCOVERY_REQUEST, ieee80211_mgmt_action_tdls_disc_req]
	vht_op_mode_ntf	ieee80211_mgmt_action_raw[WLAN_CATEGORY_VHT, WLAN_VHT_ACTION_OPMODE_NOTIF, ieee80211_mgmt_action_op_mode_ntf]
	vht_group_id	ieee80211_mgmt_action_raw[WLAN_CATEGORY_VHT, WLAN_VHT_ACTION_GROUPID_MGMT, ieee80211_mgmt_action_group_id]
	mesh_hwmp_psel	ieee80211_mgmt_action_raw[WLAN_CATEGORY_MESH_ACTION, WLAN_MESH_ACTION_HWMP_PATH_SELECTION, ieee80211_mgmt_action_hwmp_path_sel]
	sp_mp_open	ieee80211_mgmt_action_raw[WLAN_CATEGORY_SELF_PROTECTED, WLAN_SP_MESH_PEERING_OPEN, ieee80211_mgmt_action_mesh_peering_open]
	sp_mp_confirm	ieee80211_mgmt_action_raw[WLAN_CATEGORY_SELF_PROTECTED, WLAN_SP_MESH_PEERING_CONFIRM, ieee80211_mgmt_action_mesh_peering_confirm]
	sp_mp_close	ieee80211_mgmt_action_raw[WLAN_CATEGORY_SELF_PROTECTED, WLAN_SP_MESH_PEERING_CLOSE, ieee80211_mgmt_action_mesh_peering_close]
] [varlen]

# Action frame: management header plus one of the payloads above.
ieee80211_mgmt_action {
	header	ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_ACTION]
	payload	ieee80211_mgmt_action_payload
} [packed]

# Action No Ack frame: same payload set, different management subtype.
ieee80211_mgmt_action_no_ack {
	header	ieee80211_mgmt_header[IEEE80211_MGMT_FRAME_ACTION_NOACK]
	payload	ieee80211_mgmt_action_payload
} [packed]

####################################
# Control frames.
####################################

# For details see sect. 9.3.1 of IEEE 802.11-2016.

# Control frame subtypes, taken from the kernel's IEEE80211_STYPE_* constants
# and shifted out of their frame-control bit position.
define IEEE80211_MGMT_CTL_CTL_EXT	(IEEE80211_STYPE_CTL_EXT >> 4)
define IEEE80211_MGMT_CTL_BACK_REQ	(IEEE80211_STYPE_BACK_REQ >> 4)
define IEEE80211_MGMT_CTL_BACK	(IEEE80211_STYPE_BACK >> 4)
define IEEE80211_MGMT_CTL_PSPOLL	(IEEE80211_STYPE_PSPOLL >> 4)
define IEEE80211_MGMT_CTL_RTS	(IEEE80211_STYPE_RTS >> 4)
define IEEE80211_MGMT_CTL_CTS	(IEEE80211_STYPE_CTS >> 4)
define IEEE80211_MGMT_CTL_ACK	(IEEE80211_STYPE_ACK >> 4)
define IEEE80211_MGMT_CTL_CFEND	(IEEE80211_STYPE_CFEND >> 4)
define IEEE80211_MGMT_CTL_CFENDACK	(IEEE80211_STYPE_CFENDACK >> 4)

# Request to Send (RTS) frame.
ieee80211_ctrl_rts {
	header	ieee80211_control_fc[IEEE80211_MGMT_CTL_RTS]
	duration	ieee80211_duration
	receiver	ieee80211_mac_addr
	transmitter	ieee80211_mac_addr
} [packed]

# Clear to Send (CTS) frame.
ieee80211_ctrl_cts {
	header	ieee80211_control_fc[IEEE80211_MGMT_CTL_CTS]
	duration	ieee80211_duration
	receiver	ieee80211_mac_addr
} [packed]

# Acknowledgement (ACK) frame.
# Same layout as CTS; only the subtype differs.
ieee80211_ctrl_ack {
	header	ieee80211_control_fc[IEEE80211_MGMT_CTL_ACK]
	duration	ieee80211_duration
	receiver	ieee80211_mac_addr
} [packed]

# Contention-Free End (CF-End) frame.
ieee80211_ctrl_cf_end {
	header	ieee80211_control_fc[IEEE80211_MGMT_CTL_CFEND]
	duration	ieee80211_duration
	receiver	ieee80211_mac_addr
	bssid	ieee80211_bssid
} [packed]

# CF-End & CF-Ack frame.
ieee80211_ctrl_cf_end_cf_ack {
	header	ieee80211_control_fc[IEEE80211_MGMT_CTL_CFENDACK]
	duration	ieee80211_duration
	receiver	ieee80211_mac_addr
	# NOTE(review): ieee80211_ctrl_cf_end types this second address as ieee80211_bssid
	# and the standard places a BSSID here as well, so the two frames were probably meant
	# to match. Both types are 6 bytes, so only the generated values differ.
	transmitter	ieee80211_mac_addr
} [packed]

# Power-Save Poll (PS-Poll) frame.
ieee80211_ctrl_pspoll {
	header	ieee80211_control_fc[IEEE80211_MGMT_CTL_PSPOLL]
	# The association ID takes the place of the Duration field.
	assoc_id	ieee80211_assoc_id
	bssid	ieee80211_bssid
	transmitter	ieee80211_mac_addr
} [packed]

# Block Ack Request (BAR) frame (802.11n).
# BAR Control field. MULTI_CONST and COMPRESSED_CONST fix the Multi-TID and Compressed
# Bitmap flags; TID_INFO is either a plain 4-bit TID or a len[...] of the TID list.
# NOTE(review): the flags are int8 bitfields while the reserved part is int16:9 -- confirm
# that the compiler packs these mixed unit sizes into one 16-bit word rather than separate units.
type ieee80211_ctrl_bar_control[MULTI_CONST, COMPRESSED_CONST, TID_INFO] {
	ack_policy	int8:1
	multi_tid	const[MULTI_CONST, int8:1]
	compressed_bitmap	const[COMPRESSED_CONST, int8:1]
	reserved	const[0, int16:9]
	tid_info	TID_INFO
} [packed]

# One Multi-TID entry: Per TID Info (12 reserved bits + 4-bit TID), the block ack
# starting sequence control, and a caller-chosen suffix.
type ieee80211_ctrl_bar_info[SUFFIX] {
	tid_reserved	const[0, int16:12]
	tid_value	int16:4
	ssc	ieee80211_block_ack_ssc
	suffix	SUFFIX
} [packed]

# Single-TID BAR: Basic (COMPRESSED = 0) or Compressed (COMPRESSED = 1).
type ieee80211_ctrl_bar_simple_req[COMPRESSED] {
	control_hdr	ieee80211_ctrl_bar_control[0, COMPRESSED, int8:4]
	ssc	ieee80211_block_ack_ssc
} [packed]

# Multi-TID BAR: TID_INFO is the number of bar_info entries (stored in 4 bits).
# NOTE(review): each entry gets an 8-byte suffix here, mirroring ieee80211_ctrl_ba_multi,
# and there is no "extra" entry as in that BA form. Check both points against the
# Multi-TID BlockAckReq layout in sect. 9.3.1.
ieee80211_ctrl_bar_multi {
	control	ieee80211_ctrl_bar_control[1, 1, len[ieee80211_ctrl_bar_multi:bar_info, int8:4]]
	bar_info	array[ieee80211_ctrl_bar_info[array[int8, 8]]]
} [packed]

ieee80211_ctrl_bar_any [
	basic	ieee80211_ctrl_bar_simple_req[0]
	compressed	ieee80211_ctrl_bar_simple_req[1]
	multi	ieee80211_ctrl_bar_multi
] [varlen]

ieee80211_ctrl_bar {
	header	ieee80211_control_fc[IEEE80211_MGMT_CTL_BACK_REQ]
	duration	ieee80211_duration
	receiver	ieee80211_mac_addr
	transmitter	ieee80211_mac_addr
	payload	ieee80211_ctrl_bar_any
} [packed]

# Block Ack (BA) frame (802.11n).
# Single-TID BA; LEN is the bitmap size in bytes (see ieee80211_ctrl_ba_any).
type ieee80211_ctrl_ba_single[COMPRESSED, LEN] {
	control	ieee80211_ctrl_bar_control[0, COMPRESSED, int8:4]
	ssc	ieee80211_block_ack_ssc
	ack_bitmap	array[int8, LEN]
} [packed]

# Multi-TID BA: TID_INFO is the number of tid_list entries.
# NOTE(review): the count is stored in a 4-bit field, so lists longer than
# 15 entries presumably end up with a truncated TID_INFO.
ieee80211_ctrl_ba_multi {
	control	ieee80211_ctrl_bar_control[1, 1, len[ieee80211_ctrl_ba_multi:tid_list, int8:4]]
	tid_list	array[ieee80211_ctrl_bar_info[array[int8, 8]]]
	# There must be TID_INFO + 1 entries, so we add an extra one.
	extra_tid	ieee80211_ctrl_bar_info[array[int8, 8]]
} [packed]

# Basic BA carries a 128-byte bitmap, Compressed BA an 8-byte one.
ieee80211_ctrl_ba_any [
	basic	ieee80211_ctrl_ba_single[0, 128]
	compressed	ieee80211_ctrl_ba_single[1, 8]
	multi	ieee80211_ctrl_ba_multi
] [varlen]

ieee80211_ctrl_ba {
	header	ieee80211_control_fc[IEEE80211_MGMT_CTL_BACK]
	duration	ieee80211_duration
	receiver	ieee80211_mac_addr
	transmitter	ieee80211_mac_addr
	payload	ieee80211_ctrl_ba_any
} [packed]

# All control frames that can be injected through ieee80211_frame.
# IEEE80211_MGMT_CTL_CTL_EXT is defined above but has no frame here.
ieee80211_ctrl_frame [
	rts	ieee80211_ctrl_rts
	cts	ieee80211_ctrl_cts
	ack	ieee80211_ctrl_ack
	pspoll	ieee80211_ctrl_pspoll
	bar	ieee80211_ctrl_bar
	ba	ieee80211_ctrl_ba
	cf_end	ieee80211_ctrl_cf_end
	cf_end_cf_ack	ieee80211_ctrl_cf_end_cf_ack
] [varlen]