This post covers the important 802.11 Frames which can help in performing the analysis and troubleshoot any issues related to WLAN networks. I have referenced Wireshark filters for the ease of each frame.
Beacon (1000, Subtype : 8) (wlan.fc.type_subtype == 0x08)
- Used to announce the Basic Service Set (BSS) for the Client (STAs).
- Transmitted by AP every 100 time units. 1 TU = 1024 microseconds. Default is 102.4 m/s
- To reduce any potential overhead, TU values might need adjustment in some cases where multiple SSIDs exist on AP radio.
Probe Request and Probe Response (0100, 0101 Subtype : 4 & 5) (wlan.fc.type_subtype == 0x4 or wlan.fc.type_subtype ==0x5)
- Used for active scanning
- STAs send the probe request, AP sends the probe response.
- Amount of probing may be able to be reduced by adjusting the roaming aggressiveness on the client.
- Probe request are sent to broadcast address (DA – ff:ff:ff:ff:ff:ff:ff)
- Directed probe request are when STA sending probe request may specify the SSID they are looking, like in example below.
- The SSID value can also be set to 0, SSID field is present, but empty. This is called Wildcard SSID or null probe request, e.g. below
- Probe requests are always sent on the lowest supported data rates. In above examples they are sent at 1 Mb/s.
- Probe response contain the requested information elements that may have been requested by the probing station. .e.g. below
Authentication & Deauthentication Frames (1011, subtype :11, 12) (wlan.fc.type_subtype == 0xb, wlan.fc.type_subtype==0xc)
- Used to authenticate to an AP to prepare association or roaming
- Used to remove the AID (Authentication ID) and deauthenticate with an AP.
- Frame body consists of
- Authentication Algorithm Number – 0 for Open System and 1 for Shared Key
- Authentication Transaction Sequence Number – Indicate current status of progress
- Status Code – 0 for Success,1 for Unspecified failures
- Challenge Text Used in Shared Key Authentication frame 2 & 3
Association and Disassociation Frames (0000, subtype =0)(0001 subtype =1) wlan.fc.type_subtype==0 or wlan.fc.type_subtype==10
- Simple 4-frame exchange (authentication request, ACK, authentication response & ACK) used to enter the authenticated and associated state with the AP.
- After Association STA may either use the network (open system authentication) or begin the 802.1x/EAP authentication process if used.
- The Disassociation frame is used to change from authenticated/associated state to “authenticated not associated state”. They contain a reason for disassociation. In case of below frame the reason code is unspecified reason.
Reassociation Request and Response Frames – (0010, subtype : 2) (0011, subtype : 3) (wlan.fc.type_subtype == 0x2 or wlan.fc.type_subtype ==0x3)
- These frames are used to roam to another AP within the ESS (extended service set) or to reconnect after brief disconnection.
- The reassociation response frame will also include an AID for the STA and the status code indicating the reassociation success or failure.
RTS / CTS – (1011, Subtype : 11), (1100, Subtype : 12) (wlan.fc.type_subtype == 0x2 or wlan.fc.type_subtype ==0x3)
- RTS and CTS frames are used to clear the medium for transmission of larger frames.
- The Duration Field in RTS/CTS is very important.
- SIFS (Short Interframe Space) – Amount of time in m/s required for a wireless interface to process a received frame and to respond with resoonse frame.
- RTS duration = SIFS(3) + CTS + Data + ACK(1)
- CTS duration = SIFS(2) + Data + ACK(1)
- CTS-to-self > is another method of performing NAV (Network Allocation Vector) distribution that use only CTS frames. It is used strictly as a protection mechanism for mixed mode environment.
Acknowledgement Frames (ACK)(1011, Subtype : 13) (wlan.fc.type_subtype == 0x1d)
- These frames are sent right after data/management frames to inform(ack) the transmitter.
- With ACK frame, the transmitter assumes the frame was lost due to the corruption from interface or some other issue, and so retransmits the frame.
- ACK frame includes Frame Control, Duration, RA and FCS subfields
- Duration Field value is set to : Duration Value of previous frame + ACK(1) + SIFS(1)
Null Data & PS-Poll Frames (0100 Subtype : 4) (wlan.fc.type_subtype == 0x24) or (wlan.fc.type_subtype == 0x1a)
- Null Data Frames are used to notify an AP that the STA is awake and able to receive the frames.
- It is simply a data frame with no date in the Frame Body field.
- PS-Poll on the other hand are used to notify the AP that the client STA is awake and available for buffered frames.
- STA indicate the power save mode using the Power Management bit the Frame Control field. When a STA is in PM mode = 1 it alternates between awake and sleep states.
- AP may send buffered data frames to the client in two ways.
- If the data belongs to legacy power-save queue, transmission follows the legacy power save.
- If the data belongs to WMM Power Save queue, data frames are downloaded according to a trigger-and-delivery mechanism.
Useful Links for this Post :