Blog posts related to general networking and IT infrastructure updates.
I am attempting to put together a mind map of WLAN issues. I look forward to expanding each of the classifications in revisions of this post.
This post covers the important 802.11 frames that help when analysing and troubleshooting WLAN networks. A Wireshark display filter is given for each frame type for convenience.
Beacon (1000, Subtype : 8) (wlan.fc.type_subtype == 0x08)
- Used to announce the Basic Service Set (BSS) to client stations (STAs).
- Transmitted by the AP every 100 time units (TU) by default. 1 TU = 1024 microseconds, so the default beacon interval is 102.4 ms.
- To reduce overhead, the beacon interval may need adjusting where several SSIDs are configured on one AP radio, since every SSID generates its own beacons.
Probe Request and Probe Response (0100, 0101 Subtype : 4 & 5) (wlan.fc.type_subtype == 0x4 or wlan.fc.type_subtype ==0x5)
- Used for active scanning
- STAs send the probe request, AP sends the probe response.
- The amount of probing may be reduced by adjusting the roaming aggressiveness setting on the client.
- Probe requests are sent to the broadcast address (DA = ff:ff:ff:ff:ff:ff).
- Directed probe requests are those in which the STA specifies the SSID it is looking for, as in the example below.
- The SSID field can also be present but empty (length 0). This is called a wildcard SSID or null probe request, as in the example below.
- Probe requests are generally sent at the lowest supported data rate; in the examples above they are sent at 1 Mb/s.
- Probe responses contain the information elements the probing station asked for, as in the example below.
Authentication & Deauthentication Frames (1011, subtype 11; 1100, subtype 12) (wlan.fc.type_subtype == 0xb or wlan.fc.type_subtype == 0xc)
- Authentication is used to authenticate to an AP in preparation for association or roaming.
- Deauthentication terminates the authentication with an AP, which also drops any association and the AID (Association ID) that came with it.
- The Authentication frame body consists of
- Authentication Algorithm Number - 0 for Open System, 1 for Shared Key (2 for Fast BSS Transition and 3 for SAE in later amendments)
- Authentication Transaction Sequence Number - Indicates the current step of the exchange
- Status Code - 0 for Success, 1 for Unspecified failure
- Challenge Text - Used only in Shared Key authentication frames 2 and 3
Association Request/Response and Disassociation Frames (0000, subtype 0; 0001, subtype 1; 1010, subtype 10) (wlan.fc.type_subtype == 0x0 or wlan.fc.type_subtype == 0x1 or wlan.fc.type_subtype == 0xa)
- Simple 4-frame exchange (association request, ACK, association response and ACK) used to enter the authenticated and associated state with the AP.
- After association the STA may either use the network straight away (open system authentication only) or begin the 802.1X/EAP authentication process if one is configured.
- The Disassociation frame moves the STA from the authenticated/associated state to the "authenticated, not associated" state. It carries a reason code; in the frame below the reason code is 1, unspecified reason.
Reassociation Request and Response Frames (0010, subtype 2; 0011, subtype 3) (wlan.fc.type_subtype == 0x2 or wlan.fc.type_subtype == 0x3)
- These frames are used to roam to another AP within the ESS (extended service set) or to reconnect after a brief disconnection.
- The reassociation response frame also carries the AID assigned to the STA and a status code indicating whether the reassociation succeeded or failed.
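The fixed fields described in the Authentication, Association/Disassociation and Reassociation sections above are easy to decode by hand, which is useful when a capture tool only shows the raw body. The following Python script is an added example, not code from the original post: it decodes the Authentication body (algorithm, sequence, status, optional challenge), the (Re)Association Response body (capability, status, AID) and the reason code of Deauthentication/Disassociation frames, and then runs a simple burst check over a list of capture records. The records, MAC addresses and timestamps are constructed for the example; the code tables only list the codes named on this page plus a few common ones.

```python
"""Decode Authentication / (Re)Association Response / Deauth / Disassoc bodies
and flag deauthentication bursts. Added example; sample records are constructed."""
import struct
from collections import defaultdict
from typing import List, Tuple

AUTH_ALGORITHMS = {0: "Open System", 1: "Shared Key", 2: "Fast BSS Transition", 3: "SAE"}
STATUS_CODES = {0: "Success", 1: "Unspecified failure",
                13: "Authentication algorithm not supported",
                14: "Authentication sequence out of order",
                15: "Challenge failure", 16: "Authentication timeout",
                17: "Association denied: AP cannot handle more STAs"}
REASON_CODES = {1: "Unspecified reason", 2: "Previous authentication no longer valid",
                3: "Deauthenticated because sending STA is leaving",
                4: "Disassociated due to inactivity",
                6: "Class 2 frame received from nonauthenticated STA",
                7: "Class 3 frame received from nonassociated STA",
                8: "Disassociated because sending STA is leaving the BSS"}


def decode_authentication(body: bytes) -> dict:
    """Algorithm number, transaction sequence number, status code, optional challenge."""
    algorithm, seq, status = struct.unpack_from("<HHH", body, 0)
    out = {"algorithm": AUTH_ALGORITHMS.get(algorithm, f"unknown ({algorithm})"),
           "sequence": seq, "status": STATUS_CODES.get(status, f"code {status}")}
    # Shared Key frames 2 and 3 carry the Challenge Text information element (element ID 16)
    if len(body) > 7 and body[6] == 16:
        out["challenge"] = body[8:8 + body[7]]
    return out


def decode_assoc_response(body: bytes) -> dict:
    """Capability info, status code and AID; the AID lives in the low 14 bits."""
    capability, status, aid = struct.unpack_from("<HHH", body, 0)
    return {"capability": capability, "status": STATUS_CODES.get(status, f"code {status}"),
            "aid": aid & 0x3FFF}


def decode_reason(body: bytes) -> str:
    """Deauthentication and Disassociation bodies start with a 2-byte reason code."""
    code, = struct.unpack_from("<H", body, 0)
    return REASON_CODES.get(code, f"code {code}")


def deauth_bursts(records: List[Tuple[float, str, int, bytes]],
                  window: float = 1.0, threshold: int = 10) -> List[Tuple[str, int]]:
    """(sender, count) for every transmitter that sent more than `threshold`
    Deauthentication/Disassociation frames inside any `window` seconds.
    Unprotected management frames carry no integrity check, so a burst like this
    from an AP address is worth investigating; 802.11w is the mitigation."""
    by_sender = defaultdict(list)
    for ts, sender, type_subtype, _body in records:
        if type_subtype in (0x0a, 0x0c):           # Disassociation, Deauthentication
            by_sender[sender].append(ts)
    flagged = []
    for sender, times in by_sender.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):            # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            flagged.append((sender, best))
    return flagged


# Constructed capture records: (timestamp, transmitter, wlan.fc.type_subtype, frame body)
AP, STA = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
RECORDS = [
    (0.00, STA, 0x0b, struct.pack("<HHH", 0, 1, 0)),              # open system auth, frame 1
    (0.01, AP, 0x0b, struct.pack("<HHH", 0, 2, 0)),               # open system auth, frame 2, success
    (0.02, AP, 0x01, struct.pack("<HHH", 0x0431, 0, 0xC001)),     # association response, AID 1
    (5.00, AP, 0x0a, struct.pack("<H", 8)),                       # one ordinary disassociation
] + [(10.0 + i * 0.02, AP, 0x0c, struct.pack("<H", 7)) for i in range(40)]   # 40 deauths in 0.8 s

if __name__ == "__main__":
    print(decode_authentication(RECORDS[0][3]))
    print(decode_assoc_response(RECORDS[2][3]))
    print(decode_reason(RECORDS[3][3]))
    print("bursts:", deauth_bursts(RECORDS))
```

Feed `deauth_bursts` the `frame.time_relative`, `wlan.ta`, `wlan.fc.type_subtype` and body columns exported from Wireshark and it will pick out the same thing the Retry and reason-code columns hint at by eye: one address tearing down many clients in under a second.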
RTS / CTS (Control frames: 1011, subtype 11 and 1100, subtype 12) (wlan.fc.type_subtype == 0x1b or wlan.fc.type_subtype == 0x1c)
- RTS and CTS frames are used to reserve the medium before transmitting larger frames.
- The Duration field in RTS/CTS is what performs the reservation: every STA that hears it sets its NAV accordingly.
- SIFS (Short Interframe Space) - The time, in microseconds, a wireless interface needs to process a received frame and respond with the reply frame.
- RTS duration = SIFS(3) + CTS + Data + ACK
- CTS duration = SIFS(2) + Data + ACK
- CTS-to-self is another method of NAV (Network Allocation Vector) distribution that uses only a CTS frame. It is used purely as a protection mechanism in mixed-mode (802.11b/g) environments.
ACK Frames (Control frame: 1101, subtype 13) (wlan.fc.type_subtype == 0x1d)
- These frames are sent one SIFS after a data/management frame to acknowledge receipt to the transmitter.
- Without an ACK, the transmitter assumes the frame was lost (corrupted by interference or some other issue) and retransmits it.
- The ACK frame consists of the Frame Control, Duration, RA and FCS fields only.
- Duration field value: Duration value of the acknowledged frame minus SIFS minus the ACK's own airtime. For the last (or only) fragment there is nothing left to reserve, so the value is 0.
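The RTS, CTS and ACK Duration rules above are easiest to trust once carried through with real numbers. The following Python script is an added example, not part of the original post: it computes 802.11a/g OFDM airtime for a frame of a given size and rate (the standard's preamble, SIGNAL, SIFS and bits-per-symbol figures), derives the Duration each frame of an RTS/CTS/Data/ACK exchange should carry, and adds a plausibility check for a Duration value seen in a capture. The 1540-byte data MPDU and the 24 Mb/s control rate are assumed sample values.

```python
"""Carry the RTS/CTS/ACK Duration rules through with 802.11a/g (OFDM) timing.
Added example; the timing constants are 802.11a/g's, the frame sizes are assumed."""
import math

SIFS_US = 16          # OFDM SIFS (802.11a and 802.11g); DSSS in 2.4 GHz uses 10 us
PREAMBLE_US = 16      # short + long training fields
SIGNAL_US = 4         # SIGNAL field, one symbol
SYMBOL_US = 4
N_DBPS = {6: 24, 9: 36, 12: 48, 18: 72, 24: 96, 36: 144, 48: 192, 54: 216}  # data bits per symbol
RTS_BYTES, CTS_BYTES, ACK_BYTES = 20, 14, 14    # MPDU sizes including the 4-byte FCS
NAV_MAX = 0x7FFF      # bit 15 of Duration/ID is 0 whenever the field carries a duration


def ofdm_airtime_us(mpdu_bytes: int, rate_mbps: int) -> int:
    """PPDU airtime = preamble + SIGNAL + ceil((SERVICE 16 + PSDU bits + tail 6) / N_DBPS) symbols."""
    symbols = math.ceil((16 + 8 * mpdu_bytes + 6) / N_DBPS[rate_mbps])
    return PREAMBLE_US + SIGNAL_US + symbols * SYMBOL_US


def ack_duration(previous_duration: int, ctrl_rate: int = 24) -> int:
    """ACK Duration = Duration of the frame being acknowledged - SIFS - ACK airtime, floored at 0."""
    return max(0, previous_duration - SIFS_US - ofdm_airtime_us(ACK_BYTES, ctrl_rate))


def exchange_durations(data_bytes: int, data_rate: int, ctrl_rate: int = 24) -> dict:
    """Duration field each frame of an RTS / CTS / Data / ACK exchange should carry.
    RTS  = SIFS(3) + CTS + Data + ACK   (everything that follows the RTS itself)
    CTS  = SIFS(2) + Data + ACK         (= RTS duration - SIFS - CTS airtime)
    Data = SIFS + ACK                   (no further fragment follows)
    ACK  = Data duration - SIFS - ACK   (0 here: nothing left to reserve)"""
    cts = ofdm_airtime_us(CTS_BYTES, ctrl_rate)
    ack = ofdm_airtime_us(ACK_BYTES, ctrl_rate)
    data = ofdm_airtime_us(data_bytes, data_rate)
    rts_dur = 3 * SIFS_US + cts + data + ack
    data_dur = SIFS_US + ack
    return {"rts": rts_dur, "cts": rts_dur - SIFS_US - cts,
            "data": data_dur, "ack": ack_duration(data_dur, ctrl_rate)}


def duration_plausible(observed: int, expected: int, slack_us: int = 20) -> bool:
    """Receivers set their NAV from the Duration field without verifying it, so a captured
    value far above what the exchange needs, or one with bit 15 set, deserves a closer look."""
    return 0 <= observed <= NAV_MAX and observed <= expected + slack_us


if __name__ == "__main__":
    d = exchange_durations(1540, 54)    # assumed sample: 1540-byte MPDU at 54 Mb/s, control at 24 Mb/s
    print(f"ACK airtime: {ofdm_airtime_us(ACK_BYTES, 6)} us at 6 Mb/s, "
          f"{ofdm_airtime_us(ACK_BYTES, 24)} us at 24 Mb/s")
    print("Duration fields for the exchange:", d)
    print("RTS claiming 30000 us plausible?", duration_plausible(30000, d["rts"]))
```

The 44 µs ACK at 6 Mb/s is the figure most capture tools show, which makes it a handy sanity check that the timing constants are right before trusting the RTS and CTS values.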
Null Data & PS-Poll Frames (Null Data: Data type, 0100, subtype 4; PS-Poll: Control type, 1010, subtype 10) (wlan.fc.type_subtype == 0x24 or wlan.fc.type_subtype == 0x1a)
- Null Data frames are used to tell an AP whether the STA is awake and able to receive frames, via the Power Management bit.
- It is simply a data frame with no data in the Frame Body field.
- PS-Poll frames, on the other hand, are used to tell the AP that the client STA is awake and requesting its buffered frames; the Duration/ID field of a PS-Poll carries the STA's AID.
- A STA indicates power save mode using the Power Management bit in the Frame Control field. When a STA has PM = 1 it alternates between awake and sleep states.
- The AP may deliver buffered data frames to the client in two ways.
- If the data belongs to the legacy power-save queue, delivery follows legacy power save (one PS-Poll per buffered frame).
- If the data belongs to the WMM Power Save queue, data frames are delivered according to a trigger-and-delivery mechanism (U-APSD).
Main Objective: To successfully transfer every bit of information(data) from one device to another.
802.11 MAC HEADER
Let us now go through the basics of the frame header and the components. I have captured a simple beacon (management) frame using Wireshark.
I will briefly explain each of the fields. The number in brackets is the field size in bytes; remember that 1 Byte = 8 bits. 🙂
Frame Control > 16 bits | 2 Bytes - contains 11 subfields, as displayed in the examples above. The amount of information packed into the 802.11 Frame Control subfields is remarkable.
Protocol Version (2 bits): For now, always set to 0 by default. Changes in the version are expected in the future.
Type (2 bits): Management (0,0), Control (0,1), Data (1,0), Extension (1,1). The Extension type was added by 802.11ad for DMG frames.
Sub Type (4 bits): There are different kinds of management, control and data frames. Therefore the 4-bit Subtype field is required to differentiate. The above examples have Beacon & ACK subtypes.
To DS - if set to "1" - Frame going from STA > Distribution System (DS)
From DS - if set to "1" - Frame going from DS > STA
To DS = 0, From DS = 0 > Management or Control frames where it does not go to DS, Can be STA to STA communication in an ADHOC/IBSS setup.
To DS =0, From DS = 1 > Downstream traffic from AP to the STA.
To DS =1, From DS = 0 > Upstream traffic from STA to AP
To DS =1, From DS = 1 > Data frame using 4 MAC header format, usually occurs in WDS or Mesh Network.
More Fragments - If set to "1", another fragment of the current MSDU or MMPDU follows this one.
Retry - 0 or 1; 1 marks a retransmission. A high proportion of 1s indicates a high retry rate caused by some underlying issue. Retries add application/network latency and degrade the user experience.
Power Management - if set to "1", STA is using power save mode.
More Data: if set to "1" it indicates that the AP or STA is holding more frames for the STA to which the current frame is targeted.
Protected Frame - if set to "1" it indicates payload is encrypted.
Order - If set to "1" in any non-QoS data frame when a higher layer has requested that the data be sent using strictly ordered CoS, which tells the receiving STA to process the frames in order.
Duration/ID > 2 Bytes | 16 bits - May be used for 2 purposes, it may contain the duration of the frame. Secondly, it may contain association identifier (AID) of the STA that transmitted the frame.
Address 1, 2, 3 and 4: Each address field is 6 bytes/48 bits. Which role a field plays depends on the frame type and the To DS/From DS bits:
SA > Source Address
DA > Destination Address
TA > Transmitting Address
RA > Receiving Address
BSSID > Basic Service Set Identifier (the MAC address of the AP radio)
Sequence Control Field (2 Bytes/16 bits): Divided into 4-bit fragment number and a 12-bit sequence number. Used when MSDUs are fragmented. 802.11-2016 allows for fragmentation of frames.
QoS Control Field (2 Bytes/16 bits): Only present in the MAC header of QoS data frames. Often discussed in terms of WMM (Wi-Fi Multimedia), the Wi-Fi Alliance certification that provides traffic prioritisation.
HT Control Field (4 Bytes/32 bits): Parameters related to HT and VHT operation. Only present in management frames and QoS data frames, and only when the Order bit in Frame Control is set.
Frame Body: Contains the actual MSDU payload to be transmitted.
FCS (Frame Check Sequence, 4 Bytes/32 bits) - Final field of the frame, appended after the frame body, hence also known as the trailer. A CRC-32 used to detect errors in transmission.
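The header layout above can be walked with a few lines of code, which is a good way to check one's reading of a capture. The following Python script is an added example, not code from the original post: it decodes the Frame Control subfields, produces the same value Wireshark shows as `wlan.fc.type_subtype`, names the address fields according to the frame type and the To DS/From DS bits, locates the start of the frame body (allowing for Address 4, QoS Control and HT Control), and pulls the AID out of a PS-Poll's Duration/ID field. The sample frames at the bottom are constructed by hand with made-up MAC addresses.

```python
"""Parse the 802.11 MAC header described above from raw frame bytes.
Added example; the sample frames are constructed with fake addresses."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data", 3: "Extension"}
SUBTYPE_NAMES = {                                   # (type, subtype) -> name, frames covered here
    (0, 0): "Association Request", (0, 1): "Association Response",
    (0, 2): "Reassociation Request", (0, 3): "Reassociation Response",
    (0, 4): "Probe Request", (0, 5): "Probe Response", (0, 8): "Beacon",
    (0, 10): "Disassociation", (0, 11): "Authentication", (0, 12): "Deauthentication",
    (1, 10): "PS-Poll", (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK",
    (2, 0): "Data", (2, 4): "Null Data", (2, 8): "QoS Data",
}
# Flag bits of the second Frame Control byte, least significant bit first
FLAG_BITS = ("to_ds", "from_ds", "more_frag", "retry", "pwr_mgt", "more_data", "protected", "order")
# Address roles of data frames by (To DS, From DS): addr1, addr2, addr3, addr4
DATA_ROLES = {
    (False, False): ("DA", "SA", "BSSID", None),   # IBSS / STA to STA
    (False, True):  ("DA", "BSSID", "SA", None),   # downstream, AP to STA
    (True, False):  ("BSSID", "SA", "DA", None),   # upstream, STA to AP
    (True, True):   ("RA", "TA", "DA", "SA"),      # WDS / mesh, four-address format
}


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass
class MacHeader:
    version: int
    ftype: int
    subtype: int
    flags: Dict[str, bool]
    duration_id: int
    addr1: str
    addr2: Optional[str] = None
    addr3: Optional[str] = None
    addr4: Optional[str] = None
    seq_num: Optional[int] = None
    frag_num: Optional[int] = None
    body_offset: int = 0                # where the frame body starts

    @property
    def type_subtype(self) -> int:
        """Same encoding as Wireshark's wlan.fc.type_subtype: (type << 4) | subtype."""
        return (self.ftype << 4) | self.subtype

    @property
    def name(self) -> str:
        return SUBTYPE_NAMES.get((self.ftype, self.subtype),
                                 f"{TYPE_NAMES[self.ftype]} subtype {self.subtype}")


def parse_mac_header(frame: bytes) -> MacHeader:
    fc0, fc1, duration_id = struct.unpack_from("<BBH", frame, 0)
    h = MacHeader(version=fc0 & 0x03, ftype=(fc0 >> 2) & 0x03, subtype=(fc0 >> 4) & 0x0F,
                  flags={n: bool(fc1 & (1 << i)) for i, n in enumerate(FLAG_BITS)},
                  duration_id=duration_id, addr1=mac(frame[4:10]))
    if h.ftype == 1:                    # control frames carry no Sequence Control field
        if h.subtype in (12, 13):       # CTS and ACK carry only RA
            h.body_offset = 10
        else:                           # RTS, PS-Poll and the others carry RA and TA
            h.addr2, h.body_offset = mac(frame[10:16]), 16
        return h
    h.addr2, h.addr3 = mac(frame[10:16]), mac(frame[16:22])
    seq_ctl, = struct.unpack_from("<H", frame, 22)
    h.frag_num, h.seq_num = seq_ctl & 0x0F, seq_ctl >> 4   # 4-bit fragment, 12-bit sequence number
    h.body_offset = 24
    is_qos_data = h.ftype == 2 and bool(h.subtype & 0x08)
    if h.ftype == 2 and h.flags["to_ds"] and h.flags["from_ds"]:
        h.addr4, h.body_offset = mac(frame[24:30]), 30    # four-address format
    if is_qos_data:
        h.body_offset += 2              # QoS Control field
    if h.flags["order"] and (h.ftype == 0 or is_qos_data):
        h.body_offset += 4              # HT Control field (802.11n +HTC frames)
    return h


def address_roles(h: MacHeader) -> Dict[str, str]:
    """Name each address field (DA/SA/BSSID/RA/TA) from the frame type and the DS bits."""
    if h.ftype == 0:
        return {"addr1": "DA", "addr2": "SA", "addr3": "BSSID"}
    if h.ftype == 1:
        return {"addr1": "RA", "addr2": "TA"} if h.addr2 else {"addr1": "RA"}
    roles = DATA_ROLES[(h.flags["to_ds"], h.flags["from_ds"])]
    return {f"addr{i}": r for i, r in enumerate(roles, 1) if r}


def ps_poll_aid(h: MacHeader) -> Optional[int]:
    """PS-Poll reuses Duration/ID for the AID: top two bits set, AID in the low 14 bits."""
    return h.duration_id & 0x3FFF if (h.ftype, h.subtype) == (1, 10) else None


# Constructed sample frames (fake addresses) laid out exactly as the header fields above
AP, STA, WIRED = (bytes.fromhex(x) for x in ("001122334455", "aabbccddeeff", "00aabbccdd01"))
BCAST = b"\xff" * 6
BEACON = bytes([0x80, 0x00]) + struct.pack("<H", 0) + BCAST + AP + AP + struct.pack("<H", 100 << 4)
NULL_DATA = bytes([0x48, 0x11]) + struct.pack("<H", 44) + AP + STA + AP + struct.pack("<H", 7 << 4)  # To DS, PM=1
ACK = bytes([0xD4, 0x00]) + struct.pack("<H", 0) + STA
PS_POLL = bytes([0xA4, 0x00]) + struct.pack("<H", 0xC000 | 5) + AP + STA
QOS_DATA = (bytes([0x88, 0x42]) + struct.pack("<H", 60) + STA + AP + WIRED        # From DS, Protected
            + struct.pack("<H", 9 << 4) + struct.pack("<H", 0))                   # Seq Ctl, QoS Control

if __name__ == "__main__":
    for raw in (BEACON, NULL_DATA, ACK, PS_POLL, QOS_DATA):
        h = parse_mac_header(raw)
        print(f"{h.name:10} wlan.fc.type_subtype == 0x{h.type_subtype:02x} "
              f"flags={[k for k, v in h.flags.items() if v]} roles={address_roles(h)}")
```

Because `type_subtype` is computed the same way Wireshark computes it, the printed values line up directly with the display filters quoted in the frame post above (0x08 for a beacon, 0x24 for null data, 0x1d for an ACK, 0x1a for a PS-Poll).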
I will be summarising each chapter on the Certitrek Publishing - Official Study Guide for CWAP 403 Exam.
I've learned plenty of concepts from the first chapter, 802.11 - The Protocol. This is one of the chapters you have to read and learn: one may not pick up its contents directly while working or experience them in day-to-day work. The following posts should give you a fair idea of what the chapter entails and get you close to fulfilling the exam requirements. You still have to go through the book multiple times and revise the concepts discussed in the CWNA exam to fully grasp the knowledge required for this exam.
(APSTNDP - Application, Presentation, Session, Transport, Network, Data Link, Physical) - For the purpose of the CWAP exam we concentrate on layers 1-4 only, and above all on layers 1 and 2, since IEEE 802.11 is focused on them.
Layer 4 is typically TCP/UDP. TCP is a connection-oriented protocol that uses a 3-way handshake, whereas UDP is a connectionless protocol typically used in time-sensitive applications where occasionally dropping packets is better than waiting.
Layer 3 is typically IP with the exception of WAN related protocols like HDLC, ATM, Frame Relay, etc.
Layer 2 (Data Link layer) - This is subdivided into MAC(lower) + LLC (upper). Frames are organized and meaningful collection of bits that are prepended and appended to upper-layer data within the network communications. When Network layer 3 sends data to the Data-Link layer (2), the data is handed off to the LLC and becomes known as MSDU (MAC Service Data Unit). The MSDU consists of data payload that contains the IP packet + some LLC data. When LLC sends the MAC service data unit info to the MAC sublayer, the MAC header information gets added in a MAC Protocol Data Unit (MPDU).
Layer 1 (PHY) - Physical Medium can be RF, Light Waves, Fibre cables. Capabilities include encoding, modulation, demodulation, timing & signals. This layer is subdivided into PLCP (Physical Layer Convergence protocol - Upper) & PMD (Physical Medium Dependent). The PLCP sublayer prepares the frame for transmission by taking the frame from the MAC sublayer and creating the PLCP Protocol Data Unit (PPDU).
802.11 Physical Layers
| Standard | Year | Frequency | Channel Width (MHz) | MIMO | PHY |
|---|---|---|---|---|---|
| 802.11az | Late 2021 | 60 GHz | | | |
| 802.11ax | Late 2019 | 2.4 or 5 GHz | 20, 40, 80, 160 | MU-MIMO | HEW |
| 802.11ac wave 2 | 2015 | 5 GHz | 20, 40, 80, 160 | MU-MIMO | VHT |
| 802.11ac wave 1 | 2014 | 5 GHz | 20, 40, 80 | SU-MIMO | VHT |
| 802.11n | 2009 | 2.4 or 5 GHz | 20, 40 | SU-MIMO | HT |
| 802.11 Prime | 1997 | 2.4 GHz | 22 | N/A | DSSS |
Modulation is the process of imposing bits on a transmission medium. I have detailed the keying methods useful in understanding the basics of Modulation here. Also, refer to mcsindex.com for numbers related to Modulation and Coding. We will be exploring in detail about this in the forthcoming chapters which entail about PHY Layers and Technologies.
The industry troubleshooting methods e.g. from Cisco, Microsoft or CompTIA are not tested on the CWAP exam. The CWAP exam objectives list the following troubleshooting actions.
- Define the Problem
- Identify the Scale of the Problem
- Identify Probable Causes
- Capture and Analyze the Data (Most of the CWAP concentrated here)
- Observe the Problem
- Choose appropriate Remedial Steps.
- Document the Problem and Resolution.
Special Thanks to Rasika as I've learned a lot from his blogs.
Summary of the 802.11 Mac Header
Network Layer - IP header is added.
Data Link Layer - MAC header is added.
Physical Layer - PHY header is added.
Data is eventually transmitted as individual bits at the Physical layer.
BIT > 0/1, Octet > Byte of data.
Data Link Layer - LLC (802 based networks), MAC
MAC Service Data Unit > When network layer sends data to the Data Link layer, the data is handed off to the LLC and becomes MSDU
MSDU = IP Packet + Some LLC Data.
Only 802.11 Data Frames carry MSDU - Ratification 802.11n-2009, introduced A-MSDU
MSDU = 2304 Octets, A-MSDU = up to 7935 Octets.
MAC Protocol Data Unit > When the LLC sublayer sends MSDU to the MAC sublayer, the MAC header info is added to identify it.
MPDU = MAC Header + Frame Body(MSDU) + FCS (Trailer)
A-MPDU > transmissions are created by aggregating multiple MPDUs into one PHY frame, as opposed to A-MSDU transmissions, which aggregate multiple MSDUs into a single MPDU before it is passed down to the PHY layer.
The Physical Layer comprises the PLCP and the PMD. The PLCP prepares the frame for transmission by taking the frame from the MAC sublayer and creating the PLCP Protocol Data Unit.
PPDU = PLCP preamble and header + the frame handed down from the MAC layer.
PLCP Service Data Unit (PSDU) > The MAC frame as seen by the PHY layer; for an unaggregated frame the PSDU is the MPDU.
PPDU = PLCP preamble + PLCP header + PSDU.
CWNA Chapter 2 - IEEE 802.11 Standards and Amendments.
“Defined” means the amendment either no longer exists or was rolled into the existing 802.11-2007 specification (or a prior revision). “Defines” means it is a ratified amendment that will be rolled into the next revision (published as 802.11-2012). “Will define” means it is still a work in progress and not yet ratified.
802.11-1997 (sometimes called 802.11 “prime”) — the original 802.11 specifications included the base functionality along with FHSS and DSSS PHYs.
802.11a — Defined OFDM usage in 5 GHz with data rates up to 54 Mbps.
802.11b —Defined 5.5 and 11 Mbps with HR/DSSS in 2.4 GHz.
802.11c — Defined MAC bridging for 802.11. Was incorporated into 802.1D.
802.11-1999 rolled up 802.11 prime with new enhancements.
802.11d — Defined 802.11 operation in new regulatory domains.
802.11e — Defined QoS
802.11F — Recommended Inter-Access Point Protocol (IAPP) for interoperability of different vendor products. Was not used by anyone and is now withdrawn.
Note: A capital letter designates a recommended practice standalone standard (similar to 802.1X). A lowercase letter designates an amendment to a parent standard. Hence, 802.11F was designed to be a standalone document (and also happened to be a recommended practice), not a part of the full 802.11 standards. This is often a confusing topic in standards naming.
802.11g — Defined ERP PHY, which introduces data rates up to 54 Mbps in 2.4 GHz.
802.11-R2003 rolled up 802.11-1999 and prior amendments, excluding 802.11e.
802.11h — Defined Dynamic Frequency Selection (DFS) for radar detection and avoidance in some 5 GHz bands. Also defined Transmit Power Control (TPC) for managing client transmit power.
802.11i — Defined security enhancements including TKIP, CCMP, and use of 802.1X with WLANs.
802.11j — Defined 4.9 - 5 GHz operation in Japan.
802.11-2007 rolled up 802.11-R2003 with prior amendments.
802.11k — Defines radio resource management processes for RF data collection and sharing.
802.11l — Due to potential confusion between an “l” (letter) and “1” (number), 802.11l was bypassed.
802.11m — Was used as a maintenance amendment that updated inaccuracies, omissions, and ambiguities.
802.11n — Defines High Throughput (HT) PHY with MCS rates up to 600 Mbps in 2.4 GHz and 5 GHz.
802.11o — For similar reasons as 802.11l, 802.11o was bypassed. ‘Is that an “o” (letter) or a “0” (number)? I don’t know, let’s just skip it.’
802.11p — Defines wireless access for the vehicular environment (WAVE).
802.11q — Due to potential confusion with 802.1Q, 802.11q was bypassed.
802.11r — Defines fast BSS transitions (fast secure roaming). Maybe one of these days we’ll use it.
802.11s — Will define 802.11 mesh internetworking.
802.11T — Specified a way to test wireless performance prediction. Remember, capital letters are recommended practices standalone standards. 802.11T was canceled.
802.11u — Will define internetworking with external networks, such as cellular.
802.11v — Will define enhancements for network management.
802.11w — Defines protected management frames to prevent some security vulnerabilities.
802.11x — 802.11 technologies as a whole are often referred to as 802.11x, so this amendment was bypassed.
802.11y — Defines use of OFDM in 3650-3700 MHz.
802.11z —Defines enhancements to Direct Link Setup, which no one uses.
802.11aa — Will define enhancements to video transport streams.
802.11ab —Was bypassed to avoid confusion with devices using 802.11a and 802.11b PHY technologies, which are often abbreviated as 802.11ab.
802.11ac — Will define Very High Throughput (VHT) with gigabit speeds, building on 802.11n MIMO technology.
802.11ad — Will define short range Very High Throughput (VHT) in the 60 GHz spectrum.
802.11ae — Will define enhancements for QoS management.
802.11af — Will define the usage of Wi-Fi in newly opened TV whitespace frequencies.
802.11ag — Similar to 802.11ab, 802.11ag was skipped to avoid confusion with devices using 802.11a and 802.11g PHY technologies, which are often abbreviated as 802.11ag.
802.11ah — Will define the usage of Wi-Fi in frequencies below 1 GHz. Also used as an expression of Wi-Fi pleasure. 802.11…ah!
802.11ai — Will define FILS (fast initial link setup). Designed to address challenges in high-density environments which a large number of mobile users face.
802.11aj - Will define modifications to the IEEE 802.11ad-2012 amendment's PHY and MAC layer to provide support to the Chinese Millimeter Wave (CMMW).
802.11ak - Will define amendment to General Link for use in bridged networks.
802.11aq - Will define delivery of network service information prior to the association of stations on 802.11 networks.
802.11ax - Will define HE(High Efficiency). Expected to be next big PHY enhancement to the 802.11 standards. Operate in both 2.4/5GHz.
802.11ay - Will define improvement of an 802.11ad amendment providing faster speeds.
802.11az - TBC