Key 802.11 Frames - CWAP#3 - keep calm and ping

January 7, 2020

Key 802.11 Frames – CWAP#3

This post covers the important 802.11 Frames which can help in performing the analysis and troubleshoot any issues related to WLAN networks. I have referenced Wireshark filters for the ease of each frame.

Beacon (1000, Subtype : 8) (wlan.fc.type_subtype == 0x08)

Used to announce the Basic Service Set (BSS) for the Client (STAs).
Transmitted by AP every 100 time units. 1 TU = 1024 microseconds. Default is 102.4 m/s
To reduce any potential overhead, TU values might need adjustment in some cases where multiple SSIDs exist on AP radio.

IEEE 8ø2.11 wireless LAN
Fixed parameters (12 bytes)
Timestamp: 5304013374
Beacon Interval: ø. 1024øø (Seconds)
Capabilities Information: exø421
Tagged
Tag :
Tag :
Tag :
Tag
Tag:
Tag :
Tag :
Tag:
Tag:
Tag :
Tag :
Tag :
parameters (144 bytes)
SSID parameter set: Hob—guest
supported Rates 12(B), 18, 24(B), 36, 48, 54, [Mbit/secl
DS Parameter set: Current Channel: 1
: Traffic Indication map (TIM): DTIM ø of ø bitmap
Country Information: Country Code NZ, Environment Any
ERP Information
Vendor Specific: Microsoft Corp.: H%/WME: Parameter Element
HT capabilities (8ø2.11n DI. 10)
HT Information (8ø2.11n DI. lø)
QBSS Load Element 802. lie CCA version
Extended Capabilities (8 octets)
Vendor Specific: Ruckus Wireless

Probe Request and Probe Response (0100, 0101 Subtype : 4 & 5) (wlan.fc.type_subtype == 0x4 or wlan.fc.type_subtype ==0x5)

Used for active scanning
STAs send the probe request, AP sends the probe response.
Amount of probing may be able to be reduced by adjusting the roaming aggressiveness on the client.
Probe request are sent to broadcast address (DA – ff:ff:ff:ff:ff:ff:ff)
Directed probe request are when STA sending probe request may specify the SSID they are looking, like in example below.

IEEE 8ø2.11 Probe Request, Flags: ..... ...C
Type/Subtype: Probe Request (øxeeø4)
Frame Control Field: ex4øoe
. ..øø = Version: e
eløø
ø . — Type: Management frame (e)
= Subtype: 4
Flags: øxee
. øøø oøøø eøøø eeøø = Duration: e microseconds
Receiver address: Broadcast ff)
Destination address: Broadcast ff:ff)
Transmitter address: (fc:fc:48:5e:2b:33)
Source address: Apple_5e:2b:33 (fc: fc:48:
BSS Id: Broadcast (ff:ff:ff:ff:ff:ff)
= Fragment number: ø
eeøø
0101 eøøø løøl
= Sequence number: 1289
Frame check sequence: øxda049ff4 (unverified]
(FCS Status: Unverified]
IEEE 8ø2.11 wireless LAN
v Tagged parameters (141 bytes)
Tag: SSID parameter set: Hob—wireless
Tag Number: SSID parameter set (e)
Tag length: 12
SSID: Hob—wi re less
Tag: Supported Rates 1, 2, 5.5, 11, (Mbit/sec)
Tag Number: Supported Rates (1)
Tag length: 4
Suppo rted Rates: 1 (exø2)
Suppo rted Rates: 2 (exø4)
Suppo rted Rates: 5.5 (øxøb)
Suppo rted Rates: 11 (ex16)
Tag: Extended Supported Rates 6, 9, 12, 18, 24,
Tag Number: Extended Suppo rted Rates (5ø)
Tag length: 8
36,
48,
54,
(mbit/sec)
Extended
Extended
Extended
Extended
Supported
Supported
Supported
Supported
Rates:
Rates :
Rates:
Rates:
6 (øxec)
g (øx12)
12 (øx18)
18 (øx24)

The SSID value can also be set to 0, SSID field is present, but empty. This is called Wildcard SSID or null probe request, e.g. below

Probe requests are always sent on the lowest supported data rates. In above examples they are sent at 1 Mb/s.
Probe response contain the requested information elements that may have been requested by the probing station. .e.g. below

Authentication & Deauthentication Frames (1011, subtype :11, 12) (wlan.fc.type_subtype == 0xb, wlan.fc.type_subtype==0xc)

Used to authenticate to an AP to prepare association or roaming
Used to remove the AID (Authentication ID) and deauthenticate with an AP.
Frame body consists of
- Authentication Algorithm Number – 0 for Open System and 1 for Shared Key
- Authentication Transaction Sequence Number – Indicate current status of progress
- Status Code – 0 for Success,1 for Unspecified failures
- Challenge Text Used in Shared Key Authentication frame 2 & 3

IEEE 802.11 Authentication, Flags: ..... ...C
Type/ Subtype: Authentication (OxØØØb)
v Frame Control Field: OxbØØØ
00
1011
= Version:
00.. = Type: Management frame (0)
= Subtype: 11
Flags: ØXØØ
.øøø 0001 0011 1010
= Duration: 314 microseconds
Receiver address: RuckusWi_4f:d3:c8 (2c:5d:93:4f:d3:c8)
Destination address: RuckusWi_4f:d3:c8 c8)
Transmitter address: SamsungE_2d:6Ø:91 (5c:51:81:2d:6Ø:91)
Source address:
BSS Id:
. øøøø
= Fragment number:
1101 1001 0001
= Sequence number: 3473
Frame check sequence: Oxa186b162 [unverified]
[FCS Status: Unverified]
IEEE 802.11 wireless LAN
v Fixed parameters (6 bytes)
Authentication Algorithm: Open System (0)
Authentication SEQ: Ox0ØØ1
Status code: Successful (Ox0ØØ0)

137
•33: ab
24. ø
8ø2. 11
—55 dBm
• 33 : ab
138
• a4:2e
8ø2 . 11
24.
139
•a4:2e
8ø2.11
140
•a8:33
•a4:2e
8ø2 . 11
24.0
141
lø. 644498
lø. 645173
lø. 645190
lø. 646791
lø. 646843
Cisco
5e:a7
bf.
:ec.
5e:a7
:ec.
Cisco_bf.
Cisco
bf.
(øø-.
8ø2.1
58
112
58
277
58
—52
—41
2
d Bm
d Bm
d Bm
Ack
Authentication
Ack
Association Request
Ack
CWAP-TEST
24.
132
132
132
132
Acknowledgement, Flags=.....
Authentication, SN=1032, FN=ø, Flags=.
Acknowledgement, Flags=.....
Association Request, SN=2097, FN=ø, Flags=.
Acknowledgement, Flags=.....
SSID=CWAP-TEST

Association and Disassociation Frames (0000, subtype =0)(0001 subtype =1) wlan.fc.type_subtype==0 or wlan.fc.type_subtype==10

Simple 4-frame exchange (authentication request, ACK, authentication response & ACK) used to enter the authenticated and associated state with the AP.
After Association STA may either use the network (open system authentication) or begin the 802.1x/EAP authentication process if used.
The Disassociation frame is used to change from authenticated/associated state to “authenticated not associated state”. They contain a reason for disassociation. In case of below frame the reason code is unspecified reason.

802.11 radio information
PHY type: 8ø2. lla (5)
Turbo type: Non—turbo (ø)
Data rate: 12.0 Mb/s
channel: 108
Frequency: 554%Hz
Signal strength (dBm): —84dBm
Noise level (dBm): —89dBm
Signal/noise ratio (dB): 5dB
TSE timestamp: 6964589ø3
(Du ration: 44gsl
IEEE 8ø2.11 Disassociate, Flags: ..... ...C
Type/Subtype: Disassociate (øxøeea)
Frame Control Field: exaøøø
..øø = Version: e
lølø
= Type: management frame (e)
= Subtype: lø
Flags: øxee
.øøø oøøø eø11 eeøø = Duration: 48 microseconds
Receiver address: SamsungE_2d:øe:4ø (4c:66:41:2d:øø:4ø)
Destination address: SamsungE_2d:øø:4e (4c:66: 41:2d
Transmitter address: (2c:5d: 72:5c)
source address: 72:5c)
BSS Id:
Fragment number: ø
. eeøø =
eøøø eøøø eløl
= Sequence number: 5
Frame check sequence: øx8043a47a [unverified]
(FCS Status: Unverified]
IEEE 8ø2.11 wireless LAN
v Fixed parameters (2 bytes)
Reason code: Unspecified reason
( øxøool)

Reassociation Request and Response Frames – (0010, subtype : 2) (0011, subtype : 3) (wlan.fc.type_subtype == 0x2 or wlan.fc.type_subtype ==0x3)

These frames are used to roam to another AP within the ESS (extended service set) or to reconnect after brief disconnection.
The reassociation response frame will also include an AID for the STA and the status code indicating the reassociation success or failure.

8ø2.11 radio information
Data rate: 7.0 Mb/s
channel: 108
Signal strength (percentage): 78*
IEEE 8ø2.11 Reassociation Request, Flags: op.PR.F.
Type/Subtype: Reassociation Request (Oxøø02)
Frame Control Field: ex2øda
eølø
. .øø = Version: e
= Type: management frame (e)
= Subtype: 2
Flags: øxda
Duration/ID: 5391 (reserved)
Receiver address:
Destination address: 89: ba (c9:6a:
Transmitter address: al:2a:51:84:9b:9e (al:2a:51:84:9b:9e)
source address:
BSS Id: 79)
STA address:
= Fragment number: ø
ooøø
— Sequence number: 1860
0111 eløø eløø -
HT control (+HTC): øx2473a9cd
WEP parameters
Initialization Vector: øx952d2a
Key Index: ø
WEP ICV: exac6532aø (not verified)
Data (1514 bytes)
Data: 73a428øa537ø8af4618Ø23beb54d94ba647d7ø892c5øc22cm
(Length: 1514]

RTS / CTS – (1011, Subtype : 11), (1100, Subtype : 12) (wlan.fc.type_subtype == 0x2 or wlan.fc.type_subtype ==0x3)

RTS and CTS frames are used to clear the medium for transmission of larger frames.
The Duration Field in RTS/CTS is very important.
- SIFS (Short Interframe Space) – Amount of time in m/s required for a wireless interface to process a received frame and to respond with resoonse frame.
- RTS duration = SIFS(3) + CTS + Data + ACK(1)
- CTS duration = SIFS(2) + Data + ACK(1)

info rmat
PHY type: 8ø2. lig (6)
Short preamble: True
Proprietary mode: None (0)
Data rate: 24.0 Mb/s
Channel: 6
Frequency: 2437MHz
Signal strength (dBm)
: -42dBm
Noise level (dBm)
: -96dBm
Signal/noise ratio (dB): 54dB
TSE timestamp: 94735155
(Du ration: 28gs)
IEEE 8ø2.11 Request-to-send, Flags: ..... ...C
Type/Subtype: Request—to—send (exøølb)
Frame Control Field: exb4øø
. .øø = Version: e
løll
= Type: Control frame (1)
= Subtype: 11
Flags: øxee
.øøø oøøø løll eelø = Duration: 178 microseconds
Receiver address: RuckusWi_cf:cf:d8 (2c:5d:93:cf:cf :d8)
Transmitter address:
Frame check sequence: øxbde58b2c (unverified]
(FCS Status: Unverified]

802.11 radio information
PHY type: 8ø2. lig (6)
Short preamble: True
Proprietary mode: None (0)
Data rate: 24.0 Mb/s
Channel: 1
Frequency: 2412MHz
Signal strength (dBm)
: -83dBm
Noise level (dBm)
: -90dBm
Signal/noise ratio (dB): 7dB
TSE timestamp: 92681566
[Du ration: 64gs)
IEEE 8ø2.11 Clear-to-send, Flags: .pm.R.FTC
Type/Subtype: Clear—to—send (øx001c)
Frame Control Field: exc66b
. .10 = Version: 2
= Type: Control frame (1)
. — Subtype: 12
lløø -
Flags: øx6b
Duration/ID: 11803 (reserved)
Receiver address:
Frame check sequence: øx1b21827a (unverified]
(FCS Status: Unverified]

CTS-to-self > is another method of performing NAV (Network Allocation Vector) distribution that use only CTS frames. It is used strictly as a protection mechanism for mixed mode environment.

Acknowledgement Frames (ACK)(1011, Subtype : 13) (wlan.fc.type_subtype == 0x1d)

These frames are sent right after data/management frames to inform(ack) the transmitter.
With ACK frame, the transmitter assumes the frame was lost due to the corruption from interface or some other issue, and so retransmits the frame.
ACK frame includes Frame Control, Duration, RA and FCS subfields

802.11 radio information
PHY type: 8ø2. lig (6)
Short preamble: True
Proprietary mode: None (0)
Data rate: 12.0 Mb/s
Channel: 11
Frequency: 2462MHz
Signal strength (dBm)
: -85dBm
Noise level (dBm)
: -90dBm
Signal/noise ratio (dB): 5dB
TSE timestamp: 91694972
[Du ration: 32gs)
IEEE 8ø2.11 Acknowledgement, Flags: .C
Type/Subtype: Acknowledgement (exøøld)
Frame Control Field: exd4ee
. .øø = Version: e
1101
= Type: Control frame (1)
= Subtype: 13
Flags: øxoe
.øøø oøøø eøøø eeøø = Duration: e microseconds
Receiver address: (fc:
Frame check sequence: øx66678fb7 (unverified]
[FCS Status: Unverified]

Duration Field value is set to : Duration Value of previous frame + ACK(1) + SIFS(1)

Null Data & PS-Poll Frames (0100 Subtype : 4) (wlan.fc.type_subtype == 0x24) or (wlan.fc.type_subtype == 0x1a)

Null Data Frames are used to notify an AP that the STA is awake and able to receive the frames.
It is simply a data frame with no date in the Frame Body field.

8ø2.11 radio
info rmation
PHY type: 8ø2. lig (6)
Short preamble: True
Proprietary mode: None (0)
Data rate: 24.0 Mb/s
Channel: 11
Frequency: 2462MHz
Signal strength (dBm)
: -88dBm
Noise level (dBm)
: -96dBm
Signal/noise ratio (dB): 8dB
TSE timestamp: 54ø37578
(Du ration: 92gsl
IEEE 8ø2.11 Nutt function (No data), Flags: o.m. .MFTC
Type/Subtype: Nutt function (No data) (øxee24)
Frame Control Field: ex4ba7
.. 11 = Version: 3
Type: Data frame (2)
lø.. =
eløø
= Subtype: 4
Flags: øxa7
Duration/ID: 11355 (reserved)
Receiver address: 1b:
Transmitter address: ce:2f :9e
Destination address: 89:ae:ø6:4e:6d:7e (89:ae:ø6:4e:6d:7ø)
source address: by: 13:
= Fragment number: 12
lløø
1110 lløl eølø
= Sequence number: 3794
Frame check sequence: øxa0bff4b1 [unverified]
(FCS Status: Unverified]

PS-Poll on the other hand are used to notify the AP that the client STA is awake and available for buffered frames.
STA indicate the power save mode using the Power Management bit the Frame Control field. When a STA is in PM mode = 1 it alternates between awake and sleep states.

v 8ø2.11 radio information
PHY type: 8ø2. lig (6)
Short preamble: True
Proprietary mode: None (0)
Data rate: 24.0 Mb/s
Channel: 11
Frequency: 2462MHz
Signal strength (dBm): —88dBm
Noise level (dBm)
: -96dBm
Signal/noise ratio (dB): 8dB
TSE timestamp: 54143357
(Du ration: 1ø4gsl
IEEE 8ø2.11 Power-save poll, Flags:
...P.M.TC
Type/Subtype: Power—Save pott (exøøla)
Frame Control Field: exa415
..øø = Version: e
= Type: Control frame (1)
= Subtype: lø
lølø
Flags: øx15
. løø eløø lløø eløl = Duration: 17605 microseconds
Receiver address: fc.
•55
BSS Id:
Transmitter address: 24.
•f5:e8
(unverif iedl
Frame check sequence: øxb471eø46
(FCS Status: Unverified]

AP may send buffered data frames to the client in two ways.
- If the data belongs to legacy power-save queue, transmission follows the legacy power save.
- If the data belongs to WMM Power Save queue, data frames are downloaded according to a trigger-and-delivery mechanism.

Useful Links for this Post :

Wireshark 802.11 Display Filters

802.11 Mgmt : Association Req/Response