WLAN Medium Contention – #CWAP6

Accounts for 10% of the CWAP knowledge domain areas, approx. 6/60 questions

Medium Contention :Protocols that allow large number of devices to effectively share the wireless channel. All AP & STAs will contend with each other on a common transmission medium.

CSMA / CA – The AP/STAs (802.11) use carrier sense multiple access with collision avoidance as opposed to collision detection used by the Ethernet (802.3) realm.

802.11 devices must avoid multiple devices transmitting simultaneously over a shared medium which can cause failed transmissions. Wireless mediums cannot detect collision but find ways to avoid them. Collision handling is not straight forward and may be time consuming at times. Hence one of the reasons that 802.11(WLANs) have much lower throughput-to-data rate ratio than 802.3(Wired LANs).

CSMA/CA uses DCF (Distributed Coordination Function)  for non-QoS WLANs & HCF (Hybrid Coordination Function) for QoS WLANs using EDCA (Enhanced Distributed Channel Access).

There are two carrier sense protocols used by the stations to indicate whether a channel is busy or idle.

  • Physical Carrier Sense, also known as CCA (Clear Channel Assessment)
  • Virtual Carrier Sense, also known as NAV (Network Allocation Vector)

Both QoS & non-QoS use either of the above protocols for transmitting data.

CCA (Layer 1) > Identify whether the channel is unused and available prior to the packet transmission.

  • Channel Occupied = State of Busy ~ Energy Detection Levels.
  • Channel Clear = State of Idle

Apply to 802.11 modulation, if the AP or STA is too far away to detect any transmission at requisite energy level, the CCA may go into the idle state even though the channel is still occupied.

NAV (Layer 2) > is a timer that counts down toward zero(0). When a device has a NAV value greater than zero, the device says quiet. Once the NAV = 0, the medium is considered clear.

As discussed earlier, CCA may fail to keep other devices on the channel quiet (Too far transmitting device, obstruction, interference), the design of the NAV keeps APs and stations quiet.

Duration value in the 802.11 header set the NAV values for AP and STAs.

It is vital for the AP and STA to stay with the RSSI data range in order to successfully demodulate a transmitted frame so that the Duration/ID field in the header can be accurately set.

Interframe Spaces

When 2 or more STAs begin frame transmission at the same time in the idle environment, collisions are bound to happen. Hence we have additional medium contention protocols beyond CCA & NAV. These protocols must keeps AP and STAs quiet like CCA/NAV & also allow differentiated medium access.

IFS is the quiet period that AP & STA must wait before any 802.11 frame transmission.

TIPS to Remember!

  • If the contention has been completed, then a reduced IFS (RIFS) or short IFS (SIFS) will be used. Most cases it is SIFS but RIFS is only used between consecutive frames transmitted by 802.11n device.
  • If the contention/arbitration is not determined, then arbitration IFS (AIFS) or DCF IFS (DIFS) will be used. The AIFS is used for WLANs that support 802.11e QoS, and the DIFS is used for WLANs that do not support 802.11e QoS.
  • If an AP or STA has received a corrupted frame as defined by having an incorrect FCS, then extended IFS will be used.
  • PCF IFS (PIFS) is part of PCF and therefore not used in real world. (May be ignored for CWAP prep!)
  • 802.11 FHSS network use 50ms slot time.
  • Steps involved for a STA to go through before starting the frame transmission in the wireless medium (Source : 802.11 Arbitration CWNP White Paper)
— Arbitration Flowchart 
is clear 
idle F 
"S inte rval 
it one is 
timer one slot. 
Is NAV O• 
Transmit Frame


  • Foundation of all IFSs.
  • 10ms for 802.11b/g/n (2.4GHz)
  • 16ms for 802.11a/n (5GHz).
  • It is used after contention/arbitration is completed. Exception being 802.11n device using MIMO to transmit frames then RIFS is used.


  • Simplest IFS to understand.
  • Length is always the same 2ms.
  • Only for devices which use 802.11n/MIMO.
  • It precedes for only “data” frame.


  • Designed to force AP and STA with ordinary data in the queue to stay quiet for enough time to allow QoS frames to have access to the channel.
  • It is used when arbitration process has not yet completed.
  • DIFS is equal to length of SIFS + 2 slot times. Slot times are quiet periods, similar to IFS.
  • They are equal to 9ms for 802.11a/n/ac operating in 5GHz and 802.11g/n with 2.4GHz.
  • The 20ms slot is used if the HT or ERP is used with long preamble and 802.11b/g/n 2.4 GHz DSSS.
  • The short preamble is default setting when HT or ERP is used.


  • Designed to give AP and STA a chance to retransmit after a failed frame.
  • This happens when AP/STA failed to receive ACK after transmission.
  •  EIFS = SIFS + DIFS plus the time taken acknowledge the frame to transmit.
  • 802.11b/g/n(2.4GHz) using DSSS= 364ms, 802.11a/n(5GHz) & 802.11g/n (2.4GHz) = 160ms. EIFS is the longest of the IFS.

Near/Far Problem : STA closer to AP may cause problem to STA at far. When data is transmitted between AP and nearby STAs they can use higher data rate than far stations. (This is why STA dynamically switch their data rates downward when moving away from the AP). The frame therefore will appear to be corrupt even though it was successfully transmitted. The far STA have to stay quiet for an EIFS at the beginning of the arbitration process, while the near STA will be allowed to use the shorter DIFS.

PIFS > Equal to one slot time + 1 SIFS and it is designed to give AP the chance to send the beacon in order to begin the CFP (Contention Free Period). In real-world the PIFS is only used with Channel Switch Announcement frame, which is one of the Action frames from 802.11h.


The mechanism which prevents collision by differentiating 802.11 channel access is the Random Backoff. Unlike the IFS, the random backoff is not static. It is the period of time that changes based on a random number chosen by AP or STA.

AP and STA stay quiet during the random backoff by randomly choosing a number of slot times and then counting down until the number of slot times equal to zero. Transmission resumes after slot time equals zero.

  • For the random backoff to work, there must be an upper and lower limit to the number of slot times that ca be chosen.
  • The lower limit is always 0. The upper limit for the random backoff is equal to the contention window (CW). 
  • The CW is derived from the equation 2x – 1, where x is a value that increments with each failed frame. For DSSS-based networks, x starts at 5, which results in a CW of 31. For OFDM-based networks, x starts at 4, which results in a CW value of 15. For both DSSS and OFDM-based networks, the x value stops incrementing at 10, which results in a CW value of 1023.
  • Failed frames cause the contention window to grow exponentially. More quiet time means a less efficient channel thus causing latency and throughput issues.
Immediate access when 
Medium is idle DIFS or AlFSti1 
Busy Medium 
Defer Access 
Contention Window 
Backoff Slots 
Slot time 
Next Frame 
Select Slot and Decrement Backoff as long 
as medium is idle 
Figure 2.4: The DCF Operation Overview



  • Used by QoS enabled STA to transmit all data, management, PS-Poll, RTS, CTS (when not transmitted as response to RTS), Block Ack Req and Block Ack (when not transmitted as a response to Block Ack Req).
  • Slot times in AIFS is called as AIFSN (slot number).
  • 802.11e specifies Voice (AV_VO), Video (AV_VI), Background (AV_BK) & Best Effort (AV_BE).
  • Video and Voice = 2 Slot times
  • Best Effort = 3 Slot times
  • Background = 7 Slot times
  • Calculate AIFS for a given Access Category = AIFSN[AC] x Slot Time x SIFSTime


  • Transmit Opportunity or TXOP is the amount of time a STA can send frames when it has won contention for the wireless medium. This is in relation to EDCA (Enhanced Distributed Channel Access).
  • When a STA sends QoS data, it must first contend for the access to the wireless medium.
  • STAs perform CCA and determine if the channel is idle. It must have its NAV set to 0. Then it must wait for the appropriate InterFrame Spacing.
  • Then it would wait for the contention window to complete. CW has 4 categories as discussed in the previous section. Each category has different TXOP.
IEEE Std 802.11-2016 
IEEE Standard for Information Technolog—ocal and Metropolitan Area Networks—Specific Requirements 
part 1 1: Wreless LAN MAC and PHY Specifications 
Table 9-137—Default EDCA parameter Set element parameter values if dot110CBActivated is false 
T.xop limit 
aCW min 
ac Wmin 
(aCWmin + I 
(a CWmin+ 
CW max 
a CWmax 
a CWmax 
ac Wmin 
(a C Wmin+ I 
in Clauw IS 
3.264 ms 
6.016 ms 
Clause 17, 
Clauw IS, 
4.096 ms 
2.080 ms 
For denned 
in 22 
22.56 ms 
(BCU. 60r7 
16.92 ms 
(BCU. S MHz) 
1128 ms 
(BCU 60r7 
S MHz) 

PHY Layer – CWAP#5

This chapter accounts for 10% of the Knowledge Domain in the CWAP exam. Approx. 6/60 questions!

Exam Moment from the Book : It is not important, for the CWAP exam, that you know all the details of the variations of the PHY preambles; however, you should know that the preamble adds extra overhead to the communications and that older devices may introduce a preamble that reduces performance overall and forces all devices in the BSS to communicate based on that long preamble.


Carrier Sense > State of STA where it is ready to transmit or receive packets/signals

Clear Channel Assessment > Identify whether the channel is unused and available prior to the packet transmission

Transmit (Tx) > Upon checking if the wireless medium is available the STA needs to transmit a frame which is enabled by CS/CCA process. Unlike ethernet the wireless frames cannot transmit and receive the frames at the same time.

Receive (Rx) > The transmitting STA will precede the data portion of the frame with a preamble.  It contains a binary strings that the receiving station can identify and synchronise with , essentially alerting the receiving station to the transmission. The preamble also includes a Start Frame Delimiter field, which the receiving station uses to identify the beginning of the frame. An ACK frame Is sent with the entire frame is received.

Upper : Physical Layer Convergence Procedure (PLCP) 
Lower : Physical Medium Dependant (PMD) 
MSDU (MAC service Data Unit) 
MAC header and trailer are added,'removed 
creates PLC? Protocol Data Unit (PPDIJ) from MAC sublayer. 
MPDU is handed down to the PHY referred as PLCP Service 
Data Unit (PLC?) 
PMD modulates and transmits the data as bits.

PMD > transmits the data as RF modulated 1s and 0s. When receiving , the PMD listens to the RF and passes the received data up to the PLCP sublayer.
PLCP Protocol Data Unit> When PLCP receives PSDU, it then prepares PPDU. PLCP adds a preamble + PHY header to the PSDU.

PLCP Preamble > String of 0/1 bits that are used to synchronise incoming transmissions. IEEE 802.11-2007 standard defines 3 different PPDUs.

Long PPDU > 144 bit PLCP Preamble, 128 bit Sync field + 16 bit Start of Frame Delimiter (SFD).

Short PPDU > 72 bit PLCP Preamble, 56 bit Sync field and 16 bit SFD

OFDM PLCP Preamble >10 short symbols + 2 long symbols

PLCP Header > Long & Short PLCP Headers are both 48 bits log and contain 4 fields (Signal(8) + Service(8) + Length(16) + CRC(16).

PLC? Preamble 
PLC? Header 
Short PPDIJ 
Long Header 
Short Header

802.11n PPDUs

802.11n PPDU formats 
L=Legacy (non-HT) 
STF=Short Training held 
LTF=Long Training Field 
HT=High Throughput 

Non-HT Legacy PPDU

  • Consists of Preamble(Short/Long symbols)
  • Mandatory for 802.11n radios and transmissions can occur in only 20MHz channels.
  • Effectively same format used by legacy 802.11a/g radios.


  • 802.11n amendment
  • Likely be most commonly used format as it supports HT + Legacy 802.11a/g.
  • Transmission can occur in both 20MHz and 40MHz channels

HT-Greenfield PPDU

  • 2nd of the two new PPDU formats defined by 802.11n.
  • Not compatible with legacy 802.11 radios, only the HT Radios can communicate with this format.
  • Can transmit using 20MHz and 40MHz fields.

Data Field

The data field portion of PPDU is the PSDU. In easy terms, the data field is the 802.11 MAC frame.

Key 802.11 Frames – CWAP#3

This post covers the important 802.11 Frames which can help in performing the analysis and troubleshoot any issues related to WLAN networks. I have referenced Wireshark filters for the ease of each frame.

Beacon (1000, Subtype : 8) (wlan.fc.type_subtype == 0x08)

  • Used to announce the Basic Service Set (BSS) for the Client (STAs).
  • Transmitted by AP every 100 time units.  1 TU = 1024 microseconds. Default is 102.4 m/s
  • To reduce any potential overhead, TU values might need adjustment in some cases where multiple SSIDs exist on AP radio.
IEEE 8ø2.11 wireless LAN 
Fixed parameters (12 bytes) 
Timestamp: 5304013374 
Beacon Interval: ø. 1024øø (Seconds) 
Capabilities Information: exø421 
Tag : 
Tag : 
Tag : 
Tag : 
Tag : 
Tag : 
Tag : 
Tag : 
parameters (144 bytes) 
SSID parameter set: Hob—guest 
supported Rates 12(B), 18, 24(B), 36, 48, 54, [Mbit/secl 
DS Parameter set: Current Channel: 1 
: Traffic Indication map (TIM): DTIM ø of ø bitmap 
Country Information: Country Code NZ, Environment Any 
ERP Information 
Vendor Specific: Microsoft Corp.: H%/WME: Parameter Element 
HT capabilities (8ø2.11n DI. 10) 
HT Information (8ø2.11n DI. lø) 
QBSS Load Element 802. lie CCA version 
Extended Capabilities (8 octets) 
Vendor Specific: Ruckus Wireless

Probe Request and Probe Response (0100, 0101 Subtype : 4 & 5) (wlan.fc.type_subtype == 0x4 or wlan.fc.type_subtype ==0x5)

  • Used for active scanning
  • STAs send the probe request, AP sends the probe response.
  • Amount of probing may be able to be reduced by adjusting the roaming aggressiveness on the client.
  • Probe request are sent to broadcast address (DA – ff:ff:ff:ff:ff:ff:ff)
  • Directed probe request are when STA sending probe request may specify the SSID they are looking, like in example below.
IEEE 8ø2.11 Probe Request, Flags: ..... ...C 
Type/Subtype: Probe Request (øxeeø4) 
Frame Control Field: ex4øoe 
. ..øø = Version: e 
ø . — Type: Management frame (e) 
= Subtype: 4 
Flags: øxee 
. øøø oøøø eøøø eeøø = Duration: e microseconds 
Receiver address: Broadcast ff) 
Destination address: Broadcast ff:ff) 
Transmitter address: (fc:fc:48:5e:2b:33) 
Source address: Apple_5e:2b:33 (fc: fc:48: 
BSS Id: Broadcast (ff:ff:ff:ff:ff:ff) 
= Fragment number: ø 
0101 eøøø løøl 
= Sequence number: 1289 
Frame check sequence: øxda049ff4 (unverified] 
(FCS Status: Unverified] 
IEEE 8ø2.11 wireless LAN 
v Tagged parameters (141 bytes) 
Tag: SSID parameter set: Hob—wireless 
Tag Number: SSID parameter set (e) 
Tag length: 12 
SSID: Hob—wi re less 
Tag: Supported Rates 1, 2, 5.5, 11, (Mbit/sec) 
Tag Number: Supported Rates (1) 
Tag length: 4 
Suppo rted Rates: 1 (exø2) 
Suppo rted Rates: 2 (exø4) 
Suppo rted Rates: 5.5 (øxøb) 
Suppo rted Rates: 11 (ex16) 
Tag: Extended Supported Rates 6, 9, 12, 18, 24, 
Tag Number: Extended Suppo rted Rates (5ø) 
Tag length: 8 
Rates : 
6 (øxec) 
g (øx12) 
12 (øx18) 
18 (øx24)
  • The SSID value can also be set to 0, SSID field is present, but empty. This is called Wildcard SSID or null probe request, e.g. below
IEEE 8ø2.11 Probe Request, Flags: ..... ...C 
Type/Subtype: Probe Request (øxeeø4) 
Frame Control Field: ex4øoe 
. ..øø = Version: e 
ø . — Type: Management frame (e) 
= Subtype: 4 
Flags: øxee 
. øøø oøøø eøøø eeøø = Duration: e microseconds 
Receiver address: Broadcast ff) 
Destination address: Broadcast ff:ff) 
Transmitter address: (fc:fc:48:5e:2b:33) 
Source address: Apple_5e:2b:33 (fc: fc:48: 
BSS Id: Broadcast (ff:ff:ff:ff:ff:ff) 
= Fragment number: ø 
0101 eøøø løøl 
= Sequence number: 1289 
Frame check sequence: øxda049ff4 (unverified] 
(FCS Status: Unverified] 
IEEE 8ø2.11 wireless LAN 
v Tagged parameters (141 bytes) 
Tag: SSID parameter set: Hob—wireless 
Tag Number: SSID parameter set (e) 
Tag length: 12 
SSID: Hob—wi re less 
Tag: Supported Rates 1, 2, 5.5, 11, (Mbit/sec) 
Tag Number: Supported Rates (1) 
Tag length: 4 
Suppo rted Rates: 1 (exø2) 
Suppo rted Rates: 2 (exø4) 
Suppo rted Rates: 5.5 (øxøb) 
Suppo rted Rates: 11 (ex16) 
Tag: Extended Supported Rates 6, 9, 12, 18, 24, 
Tag Number: Extended Suppo rted Rates (5ø) 
Tag length: 8 
Rates : 
6 (øxec) 
g (øx12) 
12 (øx18) 
18 (øx24)
  • Probe requests are always sent on the lowest supported data rates. In above examples they are sent at 1 Mb/s.
  • Probe response contain the requested information elements that may have been requested by the probing station. .e.g. below

Authentication & Deauthentication Frames (1011, subtype :11, 12) (wlan.fc.type_subtype == 0xb,  wlan.fc.type_subtype==0xc)

  • Used to authenticate to an AP to prepare association or roaming
  • Used to remove the AID (Authentication ID) and deauthenticate with an AP.
  • Frame body consists of
    • Authentication Algorithm Number – 0 for Open System and 1 for Shared Key
    • Authentication Transaction Sequence Number – Indicate current status of progress
    • Status Code – 0 for Success,1 for Unspecified failures
    • Challenge Text  Used in Shared Key Authentication frame 2 & 3
IEEE 802.11 Authentication, Flags: ..... ...C 
Type/ Subtype: Authentication (OxØØØb) 
v Frame Control Field: OxbØØØ 
= Version: 
00.. = Type: Management frame (0) 
= Subtype: 11 
Flags: ØXØØ 
.øøø 0001 0011 1010 
= Duration: 314 microseconds 
Receiver address: RuckusWi_4f:d3:c8 (2c:5d:93:4f:d3:c8) 
Destination address: RuckusWi_4f:d3:c8 c8) 
Transmitter address: SamsungE_2d:6Ø:91 (5c:51:81:2d:6Ø:91) 
Source address: 
BSS Id: 
. øøøø 
= Fragment number: 
1101 1001 0001 
= Sequence number: 3473 
Frame check sequence: Oxa186b162 [unverified] 
[FCS Status: Unverified] 
IEEE 802.11 wireless LAN 
v Fixed parameters (6 bytes) 
Authentication Algorithm: Open System (0) 
Authentication SEQ: Ox0ØØ1 
Status code: Successful (Ox0ØØ0)

•33: ab 
24. ø 
8ø2. 11 
—55 dBm 
• 33 : ab 
• a4:2e 
8ø2 . 11 
8ø2 . 11 
lø. 644498 
lø. 645173 
lø. 645190 
lø. 646791 
lø. 646843 
d Bm 
d Bm 
d Bm 
Association Request 
Acknowledgement, Flags=..... 
Authentication, SN=1032, FN=ø, Flags=. 
Acknowledgement, Flags=..... 
Association Request, SN=2097, FN=ø, Flags=. 
Acknowledgement, Flags=..... 

Association and Disassociation Frames (0000, subtype =0)(0001 subtype =1) wlan.fc.type_subtype==0 or wlan.fc.type_subtype==10

  • Simple 4-frame exchange (authentication request, ACK, authentication response & ACK) used to enter the authenticated and associated state with the AP.
  • After Association STA may either use the network (open system authentication) or begin the 802.1x/EAP authentication process if used.
  • The Disassociation frame is used to change from authenticated/associated state to “authenticated not associated state”. They contain a reason for disassociation. In case of below frame the reason code is unspecified reason.
802.11 radio information 
PHY type: 8ø2. lla (5) 
Turbo type: Non—turbo (ø) 
Data rate: 12.0 Mb/s 
channel: 108 
Frequency: 554%Hz 
Signal strength (dBm): —84dBm 
Noise level (dBm): —89dBm 
Signal/noise ratio (dB): 5dB 
TSE timestamp: 6964589ø3 
(Du ration: 44gsl 
IEEE 8ø2.11 Disassociate, Flags: ..... ...C 
Type/Subtype: Disassociate (øxøeea) 
Frame Control Field: exaøøø 
..øø = Version: e 
= Type: management frame (e) 
= Subtype: lø 
Flags: øxee 
.øøø oøøø eø11 eeøø = Duration: 48 microseconds 
Receiver address: SamsungE_2d:øe:4ø (4c:66:41:2d:øø:4ø) 
Destination address: SamsungE_2d:øø:4e (4c:66: 41:2d 
Transmitter address: (2c:5d: 72:5c) 
source address: 72:5c) 
BSS Id: 
Fragment number: ø 
. eeøø = 
eøøø eøøø eløl 
= Sequence number: 5 
Frame check sequence: øx8043a47a [unverified] 
(FCS Status: Unverified] 
IEEE 8ø2.11 wireless LAN 
v Fixed parameters (2 bytes) 
Reason code: Unspecified reason 
( øxøool)

Reassociation Request and Response Frames – (0010, subtype : 2) (0011, subtype : 3) (wlan.fc.type_subtype == 0x2 or wlan.fc.type_subtype ==0x3)

  • These frames are used to roam to another AP within the ESS (extended service set) or to reconnect after brief disconnection.
  • The reassociation response frame will also include an AID for the STA and the status code indicating the reassociation success or failure.
8ø2.11 radio information 
Data rate: 7.0 Mb/s 
channel: 108 
Signal strength (percentage): 78* 
IEEE 8ø2.11 Reassociation Request, Flags: op.PR.F. 
Type/Subtype: Reassociation Request (Oxøø02) 
Frame Control Field: ex2øda 
. .øø = Version: e 
= Type: management frame (e) 
= Subtype: 2 
Flags: øxda 
Duration/ID: 5391 (reserved) 
Receiver address: 
Destination address: 89: ba (c9:6a: 
Transmitter address: al:2a:51:84:9b:9e (al:2a:51:84:9b:9e) 
source address: 
BSS Id: 79) 
STA address: 
= Fragment number: ø 
— Sequence number: 1860 
0111 eløø eløø - 
HT control (+HTC): øx2473a9cd 
WEP parameters 
Initialization Vector: øx952d2a 
Key Index: ø 
WEP ICV: exac6532aø (not verified) 
Data (1514 bytes) 
Data: 73a428øa537ø8af4618Ø23beb54d94ba647d7ø892c5øc22cm 
(Length: 1514]

RTS / CTS – (1011, Subtype : 11), (1100, Subtype : 12) (wlan.fc.type_subtype == 0x2 or wlan.fc.type_subtype ==0x3)

  • RTS and CTS frames are used to clear the medium for transmission of larger frames.
  • The Duration Field in RTS/CTS is very important.
    • SIFS (Short Interframe Space) – Amount of time in m/s required for a wireless interface to process a received frame and to respond with resoonse frame.
    • RTS duration = SIFS(3) + CTS +  Data +  ACK(1)
    • CTS duration = SIFS(2) + Data + ACK(1)
info rmat 
PHY type: 8ø2. lig (6) 
Short preamble: True 
Proprietary mode: None (0) 
Data rate: 24.0 Mb/s 
Channel: 6 
Frequency: 2437MHz 
Signal strength (dBm) 
: -42dBm 
Noise level (dBm) 
: -96dBm 
Signal/noise ratio (dB): 54dB 
TSE timestamp: 94735155 
(Du ration: 28gs) 
IEEE 8ø2.11 Request-to-send, Flags: ..... ...C 
Type/Subtype: Request—to—send (exøølb) 
Frame Control Field: exb4øø 
. .øø = Version: e 
= Type: Control frame (1) 
= Subtype: 11 
Flags: øxee 
.øøø oøøø løll eelø = Duration: 178 microseconds 
Receiver address: RuckusWi_cf:cf:d8 (2c:5d:93:cf:cf :d8) 
Transmitter address: 
Frame check sequence: øxbde58b2c (unverified] 
(FCS Status: Unverified]
802.11 radio information 
PHY type: 8ø2. lig (6) 
Short preamble: True 
Proprietary mode: None (0) 
Data rate: 24.0 Mb/s 
Channel: 1 
Frequency: 2412MHz 
Signal strength (dBm) 
: -83dBm 
Noise level (dBm) 
: -90dBm 
Signal/noise ratio (dB): 7dB 
TSE timestamp: 92681566 
[Du ration: 64gs) 
IEEE 8ø2.11 Clear-to-send, Flags: .pm.R.FTC 
Type/Subtype: Clear—to—send (øx001c) 
Frame Control Field: exc66b 
. .10 = Version: 2 
= Type: Control frame (1) 
. — Subtype: 12 
lløø - 
Flags: øx6b 
Duration/ID: 11803 (reserved) 
Receiver address: 
Frame check sequence: øx1b21827a (unverified] 
(FCS Status: Unverified]
  • CTS-to-self > is another method of performing NAV (Network Allocation Vector) distribution that use only CTS frames. It is used strictly as a protection mechanism for mixed mode environment.

Acknowledgement Frames (ACK)(1011, Subtype : 13) (wlan.fc.type_subtype == 0x1d)

  • These frames are sent right after data/management frames to inform(ack) the transmitter.
  • With ACK frame, the transmitter assumes the frame was lost due to the corruption from interface or some other issue, and so retransmits the frame.
  • ACK frame includes Frame Control, Duration, RA and FCS subfields
802.11 radio information 
PHY type: 8ø2. lig (6) 
Short preamble: True 
Proprietary mode: None (0) 
Data rate: 12.0 Mb/s 
Channel: 11 
Frequency: 2462MHz 
Signal strength (dBm) 
: -85dBm 
Noise level (dBm) 
: -90dBm 
Signal/noise ratio (dB): 5dB 
TSE timestamp: 91694972 
[Du ration: 32gs) 
IEEE 8ø2.11 Acknowledgement, Flags: .C 
Type/Subtype: Acknowledgement (exøøld) 
Frame Control Field: exd4ee 
. .øø = Version: e 
= Type: Control frame (1) 
= Subtype: 13 
Flags: øxoe 
.øøø oøøø eøøø eeøø = Duration: e microseconds 
Receiver address: (fc: 
Frame check sequence: øx66678fb7 (unverified] 
[FCS Status: Unverified]
  • Duration Field value is set to : Duration Value of previous frame + ACK(1) + SIFS(1)

Null Data & PS-Poll Frames (0100 Subtype : 4) (wlan.fc.type_subtype == 0x24) or (wlan.fc.type_subtype == 0x1a)

  • Null Data Frames  are used to notify an AP that the STA is awake and able to receive the frames. 
  • It is simply a data frame with no date in the Frame Body field.
8ø2.11 radio 
info rmation 
PHY type: 8ø2. lig (6) 
Short preamble: True 
Proprietary mode: None (0) 
Data rate: 24.0 Mb/s 
Channel: 11 
Frequency: 2462MHz 
Signal strength (dBm) 
: -88dBm 
Noise level (dBm) 
: -96dBm 
Signal/noise ratio (dB): 8dB 
TSE timestamp: 54ø37578 
(Du ration: 92gsl 
IEEE 8ø2.11 Nutt function (No data), Flags: o.m. .MFTC 
Type/Subtype: Nutt function (No data) (øxee24) 
Frame Control Field: ex4ba7 
.. 11 = Version: 3 
Type: Data frame (2) 
lø.. = 
= Subtype: 4 
Flags: øxa7 
Duration/ID: 11355 (reserved) 
Receiver address: 1b: 
Transmitter address: ce:2f :9e 
Destination address: 89:ae:ø6:4e:6d:7e (89:ae:ø6:4e:6d:7ø) 
source address: by: 13: 
= Fragment number: 12 
1110 lløl eølø 
= Sequence number: 3794 
Frame check sequence: øxa0bff4b1 [unverified] 
(FCS Status: Unverified]
  • PS-Poll on the other hand are used to notify the AP that the client STA is awake and available for buffered frames.
  • STA indicate the power save mode using the Power Management bit the Frame Control field. When a STA is in PM mode = 1 it alternates between awake and sleep states.
v 8ø2.11 radio information 
PHY type: 8ø2. lig (6) 
Short preamble: True 
Proprietary mode: None (0) 
Data rate: 24.0 Mb/s 
Channel: 11 
Frequency: 2462MHz 
Signal strength (dBm): —88dBm 
Noise level (dBm) 
: -96dBm 
Signal/noise ratio (dB): 8dB 
TSE timestamp: 54143357 
(Du ration: 1ø4gsl 
IEEE 8ø2.11 Power-save poll, Flags: 
Type/Subtype: Power—Save pott (exøøla) 
Frame Control Field: exa415 
..øø = Version: e 
= Type: Control frame (1) 
= Subtype: lø 
Flags: øx15 
. løø eløø lløø eløl = Duration: 17605 microseconds 
Receiver address: fc. 
BSS Id: 
Transmitter address: 24. 
(unverif iedl 
Frame check sequence: øxb471eø46 
(FCS Status: Unverified]
  • AP may send buffered data frames to the client in two ways.
    • If the data belongs to legacy power-save queue, transmission follows the legacy power save.
    • If the data belongs to WMM Power Save queue, data frames are downloaded according to a trigger-and-delivery mechanism.

Useful Links for this Post :

How did I Decipher 802.11 Frames! #CWAP-2

Main Objective: To successfully transfer every bit of information(data) from one device to another.


Let us now go through the basics of the frame header and the components. I have captured a simple beacon (management) frame using Wireshark.

I will briefly explain each of the fields. Notice the number in the bracket refers to the bytes. For memory 1 Byte = 8 bits. 🙂

802.11 Beacon frame capture
Frame Control Field dissection

Frame Control > 16 bits | 2 Bytes – contains 11 subfields as displayed in the above examples. Considering the amount of valuable information contained in 802.11 Frame Control sub-fields is mind-boggling

Protocol Version (2 bits): For now, always set to 0 by default. Changes in the version are expected in the future.

Type: Management (0,0), Data(1,0), Control(0,1), Extension Frame(1,1)*only available with 802.11D

Sub Type (4 bits): There are different kinds of management, control and data frames. Therefore the 4-bit Subtype field is required to differentiate. The above examples have Beacon & ACK subtypes.

To DSif set to “1” – Frame going from STA > Distribution System (DS)
From DSif set to “1” – Frame going from DS > STA

To DS = 0, From DS = 0  > Management or Control frames where it does not go to DS, Can be STA to STA communication in an ADHOC/IBSS setup.
To DS =0, From DS = 1 > Downstream traffic from AP to the STA.
To DS =1, From DS = 0 > Upstream traffic from STA to AP
To DS =1, From DS = 1 > Data frame using 4 MAC header format, usually occurs in WDS or Mesh Network

More Fragments – If set to “1” it is usually preceded by another fragment of current MSDU or MMPDU to follow.

Retry – 0 or 1. 1 is for retransmissions. Lot of 1’s may indicate a network with a lot of retry rate due to some issue. The issues can impact the performance by increased application/network latency thereby degrading user experience.

Power Management – if set to “1”, STA is using power save mode.

More Data: if set to “1” it indicates that the AP or STA is holding more frames for the STA to which the current frame is targeted.

Protected Frame – if set to “1” it indicates payload is encrypted.

Order – If set to “1” in any non-QoS data frame when a higher layer has requested that the data be sent using strictly ordered CoS, which tells the receiving STA to process the frames in order.

Duration/ID > 2 Bytes | 16 bits – May be used for 2 purposes, it may contain the duration of the frame. Secondly, it may contain association identifier (AID) of the STA that transmitted the frame.

Address 1,2,3 and 4: Each address contains 6bytes/48 bits of data.

SA > Source Address
DA > Destination Address
TA > Transmitting Address
RA > Receiving Address

Sequence Control Field (2 Bytes/16 bits): Divided into 4-bit fragment number and a 12-bit sequence number. Used when MSDUs are fragmented. 802.11-2016 allows for fragmentation of frames.

QoS Control Field: (2 Bytes/16 bits): Only used in MAC header of QoS frames. Sometimes referred to as WMM (Wi-Fi Multimedia) which provides traffic prioritization.

HT Control Field (4 bytes/32 bits): Parameters related to HT & VHT operations. Only used in Management + QoS control frames.

Frame Body: Contains the actual MSDU payload to be transmitted.

FCS: (Frame check sequence field 4Bytes/32 Bits) – Final field on the frame header. Also known as Trailer as the word says. Used to detect errors in communication.

CWAP 403 – Start >

I will be summarising each chapter on the Certitrek Publishing – Official Study Guide for CWAP 403 Exam.

I’ve learned plenty of concepts from the first chapter – 802.11 – The Protocol. This is one of the chapters which you have to read and learn. One may not learn the contents of this chapter directly while working or experience this in his/her day today. Following the posts should give you a fair idea of what the chapter entails and get close to fulfilling the exam requirements. You still have to go through the book multiple times and revise the concepts discussed in the CWNA exam to fully grasp the knowledge required for this exam.

OSI Layers

(APSTNDP) – For the purpose of our CWAP exam we will be concentrating our efforts on layer 1-4 only. More so we have to aim at learning layers 1 and 2 as IEEE 802.11 is focussed around them.

IEEE 802.3(Ethernet) & 802.11 (WLAN) operate primarily at Layers 1 & 2 of the OSI model. The Internet Engineering Task Force (IETF) operates at Layer 3 & 4.

Layer 4 is typically TCP/UDP. TCP is a connection-oriented protocol that uses a 3-way handshake, whereas UDP is a connectionless protocol typically used in time-sensitive applications where occasionally dropping packets is better than waiting.

Layer 3 is typically IP with the exception of WAN related protocols like HDLC, ATM, Frame Relay, etc.

Layer 2 (Data Link layer) – This is subdivided into MAC(lower) + LLC (upper). Frames are organized and meaningful collection of bits that are prepended and appended to upper-layer data within the network communications. When Network layer 3 sends data to the Data-Link layer (2), the data is handed off to the LLC and becomes known as MSDU (MAC Service Data Unit). The MSDU consists of data payload that contains the IP packet + some LLC data. When LLC sends the MAC service data unit info to the MAC sublayer, the MAC header information gets added in a MAC Protocol Data Unit (MPDU).

Layer 1 (PHY) – Physical Medium can be RF, Light Waves, Fibre cables. Capabilities include encoding, modulation, demodulation, timing & signals. This layer is subdivided into PLCP (Physical Layer Convergence protocol – Upper) & PMD (Physical Medium Dependent). The PLCP sublayer prepares the frame for transmission by taking the frame from the MAC sublayer and creating the PLCP Protocol Data Unit (PPDU).

802.11 Physical Layers

Protocol Year (adopted) Frequency Channel Width (MHz) MIMO PHY
802.11az Late 2021 60 GHz      
802.11ay 2020 60 GHz 8000 MU-MIMO EDMG
802.11ax Late 2019 2.4 or 5GHz 20,40,80, 160 MU-MIMO HEW
802.11ac wave2 2015 5 GHz 20,40,80, 160 MU-MIMO VHT
802.11ac wave1 2014 5 GHz 20,40,80 SU-MIMOVHT
802.11n 2009 2.4 or 5 GHz 20,40 SU-MIMOHT
802.11g 2003 2.4 GHz 20 N/A ERP
802.11a 1999 5 GHz 22 N/A OFDM
802.11b 1999 2.4 GHz 20 N/A HR-DSSS
802.11 Prime 1997 2.4 GHz 22 N/A DSSS

Modulation is the process of imposing bits on a transmission medium. I have detailed the keying methods useful in understanding the basics of Modulation here. Also, refer to mcsindex.com for numbers related to Modulation and Coding. We will be exploring in detail about this in the forthcoming chapters which entail about PHY Layers and Technologies.

Troubleshooting Methods

The industry troubleshooting methods e.g. from Cisco, Microsoft or CompTIA are not tested on the CWAP exam. The CWAP exam objectives list the following troubleshooting actions.

  • Define the Problem
  • Identify the Scale of the Problem
  • Identity Probable Causes
  • Capture and Analyze the Data (Most of the CWAP concentrated here)
  • Observe the Problem
  • Choose appropriate Remedial Steps.
  • Document the Problem and Resolution.

Special Thanks to Rasika as I’ve learned a lot from his blogs.

Summary of the 802.11 Mac Header

Network Layer – IP header is added.
Data Link Layer – MAC header is added.
Physical Layer – PHY header is added.

Data is eventually transmitted as individual bits at the Physical layer.

BIT > 0/1, Octet > Byte of data.
Data Link Layer – LLC (802 based networks), MAC

MAC Service Data Unit > When network layer sends data to the Data Link layer, the data is handed off to the LLC and becomes MSDU

MSDU = IP Packet + Some LLC Data.

Only 802.11 Data Frames carry MSDU – Ratification 802.11n-2009, introduced A-MSDU

MSDU = 2304 Octets, A-MSDU = up to 7935 Octets.

MAC Protocol Data Unit > When the LLC sublayer sends MSDU to the MAC sublayer, the MAC header info is added to identify it.

MPDU = MAC Header + Frame Body(MSDU) + FCS (Trailer)
A-MPDU > transmissions are created by transmitting multiple MPDUs as one PHY frame as opposed to A-MSDU transmissions, which are created by passing MSDUs down the PHY layer as single MPDU.

Physical Layer comprises of PLCP & PMD – PLCP prepares the frame for transmission by taking the frame MAC sublayer and creating the PLCP Protocol Data Unit.

PPDU = PLCP + Frame from Mac Layer.

PLCP Service Data Unit > Pretty much like MPDU at PHY layer.

FortiFocus – Virtual IPs

This section emphasizes on the Virtual IPs section in the FortiGate. I’ve learnt something which is not obvious behaviour and one of those ‘remind me later’ moments that I’ve encountered.

VIPs are essentially Destination Network Address Translation (DNAT) objects. For sessions matching the VIP, the destination address is translated. Let us go through some examples

In the above diagram, all connections going out from will use and not address.

Now, this is where it gets a bit tricky and deviate from default firewall behaviour. In the below firewall policy we would assume that no connections will be allowed to the LAN(internal_network) but VIPs can live up to their name (very important IP) and get users to access the web server even though the deny policy is at the top of the list.

CWNA Certification Journey


I managed to get my CWNA certification today, this was my 2nd attempt. The first attempt was a failure a few months ago.

Failed Attempt: 53%

Passed Attempt: 82%

Below are a few tips which I would like to share so that you get most for this certification.

It would be quite beneficial if you already work for a Network/Wireless service provider or Manage wireless network for a company. Being in such a position certainly pays and gives room for joining the pieces of this puzzle.

This course will require some monetary investment. I managed to get some certification videos. Though the videos are for old CWNA course but majority of the conceptual stuff does not change for new revision. Here is the link > https://www.udemy.com/certified-wireless-network-administrator-cwna/

There are no video training courses available on CBT nuggets or INE as of today. I did check with CBT Nuggets via twitter but they do not have any official dates for the.

So back to the actual course curriculum. It would be highly beneficial to check the course outline and objectives – https://www.cwnp.com/uploads/cwna-107-objectives-2017.pdf You can check the differences from CWNA 106 so that you can prepare better https://www.cwnp.com/uploads/cwna-107-what-changed-2017.pdf

If would be good a good buy to get the new sybex CWNA official study guide > https://www.wiley.com/WileyCDA/WileyTitle/productCd-1119425786,miniSiteCd-SYBEX.html

This one is quite a thick book with over 1000 pages. I guess this book will be used throughout your career in wireless as a reference guide and a starting point for everything wireless. Some great work by the 2 David(s) Westcott & Coleman. When you buy the book you also get online flash cards + practice test questions valid for 1 year which you can use for further strengthen your knowledge.

Would be great and worth downloading the common terms used in the exam/book for the CWNA – https://www.cwnp.com/wp-content/uploads/pdf/cwnp_exam_terms.pdf

I read almost 1-2 chapters per week. The book might give you a feeling of information overload every once in a while. Another resource which I used during the preparation were some podcasts listed below.

  1. CleartoSend – https://www.cleartosend.net/
  2. WLAN Professional – https://www.wlanpros.com/
  3. Packet Pushers – https://packetpushers.net/
  4. WiFi for Beginners – https://wififorbeginners.com/category/podcast/

Twitterati (Twitterverse/Twitter users) – Would highly recommend you to join and follow the wireless enthusiasts. Thankful to the wireless online community! Many of them have a vast industry experience and certifications which go a long way in helping and coaching someone who is new to the wireless domain.

Slack Groups to recommended –

All the best with your CWNA Study and the Exam! Please buy the exam voucher directly form CWNP website  (https://www.cwnp.com/cwna107v/) rather than going directly via PearsonVue. I saved $50USD by doing so.

I am on to the next Adventure of CWAP and will try and blog more often about the learnings from the course study.

QoS Overview

Wireless has somehow made it to the human needs pyramid and has become mission-critical for most of the business around the world. Proper RF and QoS design is the only way to ensure real-time apps have acceptable QoE (Quality of Experience).

The wireless environments are half duplex shared medium they are quite susceptible to collisions. One of the biggest challenges for 802.11 networks is that there is no way to detect that the collision even occured.

802.11e was introduced to bring QoS to Wi-Fi

• EDCA was introduced by IEEE 802.11e in 2005, and has been adopted by the Wi-Fi Alliance as Wireless Multimedia (WMM)
• WMM is now a mandatory part of modern Wi-Fi
• 802.11a/b/g are based on DCF (no QoS) • 802.11n/ac are based on EDCA (QoS is supported)

NOTE: The post describes about QoS in general and can be applied to any networking realm.

Latency, Jitter, and Loss

The quality of a network transmission is a result of three things:

■ Latency
■ Jitter
■ Loss

Latency is how long it takes for a packet to be received by the endpoint after it is sent from the source. Latency is also referred to as delay. Asymmetrical tunneling after a Layer 3 roaming event between controllers can introduce delay. Again, symmetrical mobility tunneling is the recommended configuration.

Delay can be broken into two parts:

■ Fixed delay: The time it takes to encode and decode the packets and the time it takes for the packet to traverse the network.

■ Variable delay: Caused by network conditions. If the network is highly utilized at certain times of the day, the variable delay would be higher at those times than others.

Jitter is the value that results from the difference in end-to-end latency between packets. If a packet takes 50 ms to traverse the network and the next packet takes 100 ms, you have a jitter value of 50 ms.

Loss is simply the ratio of packets that are successfully received by the endpoint to those that were sent by the transmitter.

Correct Packet Marking

Depending on the traffic flow of a packet, traffic can be classified or tagged. This can be used to prioritise the packet thereby impacting the traffic flow. Efforts should be made to ensure that QoS policies are applied end to end which means from WLAN Controller > Core Switch Ports > Access Switch Ports > AP Ports.

Upstream and Downstream QoS

As discussed above, it is important to understand the terminology and direction of the traffic flow to and from the AP and the controller. You have both upstream and downstream QoS:

Radio downstream: Traffic leaving the AP and traveling to the WLAN clients.

Radio upstream: Traffic leaving the WLAN clients and travelling to the AP. Enhanced Distributed Channel Access (EDCA) rules provide upstream QoS settings for WLAN clients

Network downstream: Traffic leaving the controller travelling to the AP. QoS can be applied at this point to prioritize and rate-limit LWAPP/CAPWAP traffic to the AP.

Wi-Fi Multimedia

WMM is a certification that applies to both clients and APs. The features are taken from the 802.11e draft.

Each of the four WMM queues competes for the wireless bandwidth available on the channel. Four queues namely – Background, Best Effort, Video, Voice. WMM uses Enhanced Distributed Coordination Function (EDCF) for handling the queue traffic. If more than one frame from different access categories collides internally, the frame with the higher priority is sent. The lower-priority frame adjusts its backoff parameters as though it had collided with a frame external to the queuing mechanism.

Intermittent Fasting – Interim Results

This one will be short. The outcome of intermittent fasting has been positive. I have now successfully been able to adapt to the trends of intermittent fasting. I do a mix of 20/4 and 16/8 methods of fasting and follow them at least 4 days in the week, with 3 other days being normal or what is considered cheat days.

Bearing in mind that even though 3 days are referred to as cheat days do not actually end up cheating the whole time. I still aim for portion control and reduce the speed of food intake. Emphasize more on choosing a better quality of food rather than quantity. I am also limiting the intake of processed & sugary foods in particular. I can happily say that managed to reduce at least 4.5 kgs so far in the past 3 months. I have also lost 1.5 inches off my waist helping me to use some good old trousers. Next update will be close to completion of 6 months at the end of July 2019.