Networks and IoT

Blog posts related to general networking and IT infrastructure related updates.

Remote Frame Captures & Application Issues on Wi-Fi

After the deployment of new Extreme Aerohive Wireless solution at an Enterprise office, a number of user complaints were received for applications resetting and disconnecting while working on Wi-Fi. The users did not have this problem while working from other offices or their home.

Some of the applications like Teradata SQL Assistant & other applications which used SQL backend reset itself while executing queries. From the Wi-Fi standpoint, the client had no issues with the Signal/Noise/RSSI which was received.

Teradata SQL and other SQL application use TCP port 125. After engaging the TAC team requested for remote pcap aka frames for wireless for wired/wireless interfaces of the Extreme Access Points. Below are the steps required to run the remote captures.

  1. Enable remote capture on the Extreme Aerohive AP 650/510C with the cli command - exec capture remote-sniffer
  2. Logon to the machine with Wireshark installed and configure the remote interfaces. Enter the management IP of the Access Point (Host), leave the port field blank.

3. Install Wireshark on a remote machine and apply packet slicing as the pcap/frame capture will be huge. Make sure the system capturing has enough disk space for doing so.

4. Choose all the interfaces/required interfaces and start the capture.

After analysing the pcap it was found that there were some TCP retransmissions being caused on TCP port 1025 but the root cause/reason was not yet determined.

After a few days of captures and analysing the frames, it was discovered that the issues were primarily caused due to DoS prevention rule in place for the SSID as an optional setting. We had to disable this feature and the issue just vanished. The below option caused TCP to reset if the client IP session was idle.

Though it took a while to come to this it was interesting to learn on how to perform remote frame captures which is still helpful to understand and analyse on what is going on the wireless end.

As in most cases, this was not a radio/wireless issue all together but still resolved from the vendor side after disabling the feature.

Read more link text

Configuring an Aerohive AP on ExtremeCloud IQ

It has been a while I did a blog post, work has been relatively busier post Covid19 lockdown. Some time ago I did a site survey for my home and found insufficient 5GHz coverage. As we are all aiming to have 5 GHz wherever possible why not start with the home.

I had a couple of Cisco 2802 AP but they don't allow to run in standalone AP mode unless you guys know a method please let me know.

I tried to source a Cisco Meraki AP with a license but could not get one. My workplace is undergoing through wireless upgrade project so we now had a lot of spare Aerohive Extreme AP in stock. Those old AP 230 have a permanent license installed so I wanted to give it a try to set up AP at home. The AP setup for Extreme is pretty straightforward. Even though it is first time venturing in the world of Aerohive/Extreme, I found it pretty easy to navigate and follow the options. The Aerohive CLI commands closely match with Cisco.

IMPORTANT NOTE: Before beginning the procedure, you may need to remove the AP230 from its existing hive manager / extreme inventory. Get the license details from the hive manager so that you can transfer it to the new one.

Setup of Aerohive AP 230

Aerohive AP 230

  • Logon to https://www.extremenetworks.com/starthere/
  • Register your details for the CloudIQ setup - https://www.extremenetworks.com/cloud-networking/
  • Complete your account setup with password etc..
  • Login with your account details - https://aus.extremecloudiq.com/#/devices
  • If you have an AP230 or equivalent, reset it first by pressing on the reset button.
  • Use a console cable and connect it to a POE switch or Injector 802.3at POE to power up the AP.
  • Let the AP complete the bootup process and then wait for the username prompt.
  • The default username/password for Aerohive/Extreme AP is - admin/Aerohive
  • Find the details of CAPWAP client/server from hovering over the top right corner and clicking on the name and then "About Extreme IQ"

  • Go to "Global Settings" > VIQ Management to acquire the vhm-name (virtual hive manager) as this is needed for AP to point to the correct hive manager.

Logon to AP and configure below settings with the commands.

capwap client server name "<enter from abov>"
capwap client server backup name "<enter from above">
capwap client vhm-name e.g VNF-SJDJAA (Enter from above)I

Issue the below command on the AP to find the details "show capwap client"

  • Issue "show int mgt0" to confirm you have received IP via DHCP.

If there is no DHCP server on the network then configure a static IP with below commands. (example only)

no int mgt0 dhcp client
int mgt0 ip 172.17.17.5 255.255.255.0
ip route net 0.0.0.0 0.0.0.0 gateway 172.17.17.1
dns server-ip 8.8.8.8
dns server-ip 4.4.2.2 second
ntp server 172.17.17.1

Transfer the entitlement key from the old hive manager/extreme to the ExtremeCloudIQ . This can be done from the global settings.

  • After this step, check if you can ping from AP to the default gateway and then to Google (8.8.8.8)
  • If you cannot ping OK, check if the firewall is blocking UDP port 12222
  • You may also try: capwap client transport HTTP
  • If everything is OK, you can see the AP come online on the ExtremeCloudIQ as below

  • You are now expected to create network policies and deploy SSID, radios configuration etc.
  • Each time you make a change you are expected to update the configuration by doing a "configuration delta upgrade".

The AP password will now change syncing to the one from ExtremeCloudIQ. The new password can be found from the Global Settings. Administration > Device Management Settings > Show Password.

Useful Resources:

Extreme Support Portal
Aerohive CLI Support Guides
https://words.bombast.net/basic-cli-configuration-for-an-aerohive-ap230/

Read more link text

Troubleshooting WLAN Issues - #MindMap CWAP#4

I am attempting to put a mind map of WLAN issues. I will look forward at expanding each one of the classifications in the revisions of this blog.



Read more link text

Key 802.11 Frames - CWAP#3

This post covers the important 802.11 Frames which can help in performing the analysis and troubleshoot any issues related to WLAN networks. I have referenced Wireshark filters for the ease of each frame.

Beacon (1000, Subtype : 8) (wlan.fc.type_subtype == 0x08)

  • Used to announce the Basic Service Set (BSS) for the Client (STAs).
  • Transmitted by AP every 100 time units.  1 TU = 1024 microseconds. Default is 102.4 m/s
  • To reduce any potential overhead, TU values might need adjustment in some cases where multiple SSIDs exist on AP radio.

IEEE 8ø2.11 wireless LAN 
Fixed parameters (12 bytes) 
Timestamp: 5304013374 
Beacon Interval: ø. 1024øø (Seconds) 
Capabilities Information: exø421 
Tagged 
Tag : 
Tag : 
Tag : 
Tag 
Tag: 
Tag : 
Tag : 
Tag: 
Tag: 
Tag : 
Tag : 
Tag : 
parameters (144 bytes) 
SSID parameter set: Hob—guest 
supported Rates 12(B), 18, 24(B), 36, 48, 54, [Mbit/secl 
DS Parameter set: Current Channel: 1 
: Traffic Indication map (TIM): DTIM ø of ø bitmap 
Country Information: Country Code NZ, Environment Any 
ERP Information 
Vendor Specific: Microsoft Corp.: H%/WME: Parameter Element 
HT capabilities (8ø2.11n DI. 10) 
HT Information (8ø2.11n DI. lø) 
QBSS Load Element 802. lie CCA version 
Extended Capabilities (8 octets) 
Vendor Specific: Ruckus Wireless

Probe Request and Probe Response (0100, 0101 Subtype : 4 & 5) (wlan.fc.type_subtype == 0x4 or wlan.fc.type_subtype ==0x5)

  • Used for active scanning
  • STAs send the probe request, AP sends the probe response.
  • Amount of probing may be able to be reduced by adjusting the roaming aggressiveness on the client.
  • Probe request are sent to broadcast address (DA - ff:ff:ff:ff:ff:ff:ff)
  • Directed probe request are when STA sending probe request may specify the SSID they are looking, like in example below.

IEEE 8ø2.11 Probe Request, Flags: ..... ...C 
Type/Subtype: Probe Request (øxeeø4) 
Frame Control Field: ex4øoe 
. ..øø = Version: e 
eløø 
ø . — Type: Management frame (e) 
= Subtype: 4 
Flags: øxee 
. øøø oøøø eøøø eeøø = Duration: e microseconds 
Receiver address: Broadcast ff) 
Destination address: Broadcast ff:ff) 
Transmitter address: (fc:fc:48:5e:2b:33) 
Source address: Apple_5e:2b:33 (fc: fc:48: 
BSS Id: Broadcast (ff:ff:ff:ff:ff:ff) 
= Fragment number: ø 
eeøø 
0101 eøøø løøl 
= Sequence number: 1289 
Frame check sequence: øxda049ff4 (unverified] 
(FCS Status: Unverified] 
IEEE 8ø2.11 wireless LAN 
v Tagged parameters (141 bytes) 
Tag: SSID parameter set: Hob—wireless 
Tag Number: SSID parameter set (e) 
Tag length: 12 
SSID: Hob—wi re less 
Tag: Supported Rates 1, 2, 5.5, 11, (Mbit/sec) 
Tag Number: Supported Rates (1) 
Tag length: 4 
Suppo rted Rates: 1 (exø2) 
Suppo rted Rates: 2 (exø4) 
Suppo rted Rates: 5.5 (øxøb) 
Suppo rted Rates: 11 (ex16) 
Tag: Extended Supported Rates 6, 9, 12, 18, 24, 
Tag Number: Extended Suppo rted Rates (5ø) 
Tag length: 8 
36, 
48, 
54, 
(mbit/sec) 
Extended 
Extended 
Extended 
Extended 
Supported 
Supported 
Supported 
Supported 
Rates: 
Rates : 
Rates: 
Rates: 
6 (øxec) 
g (øx12) 
12 (øx18) 
18 (øx24)

  • The SSID value can also be set to 0, SSID field is present, but empty. This is called Wildcard SSID or null probe request, e.g. below

IEEE 8ø2.11 Probe Request, Flags: ..... ...C 
Type/Subtype: Probe Request (øxeeø4) 
Frame Control Field: ex4øoe 
. ..øø = Version: e 
eløø 
ø . — Type: Management frame (e) 
= Subtype: 4 
Flags: øxee 
. øøø oøøø eøøø eeøø = Duration: e microseconds 
Receiver address: Broadcast ff) 
Destination address: Broadcast ff:ff) 
Transmitter address: (fc:fc:48:5e:2b:33) 
Source address: Apple_5e:2b:33 (fc: fc:48: 
BSS Id: Broadcast (ff:ff:ff:ff:ff:ff) 
= Fragment number: ø 
eeøø 
0101 eøøø løøl 
= Sequence number: 1289 
Frame check sequence: øxda049ff4 (unverified] 
(FCS Status: Unverified] 
IEEE 8ø2.11 wireless LAN 
v Tagged parameters (141 bytes) 
Tag: SSID parameter set: Hob—wireless 
Tag Number: SSID parameter set (e) 
Tag length: 12 
SSID: Hob—wi re less 
Tag: Supported Rates 1, 2, 5.5, 11, (Mbit/sec) 
Tag Number: Supported Rates (1) 
Tag length: 4 
Suppo rted Rates: 1 (exø2) 
Suppo rted Rates: 2 (exø4) 
Suppo rted Rates: 5.5 (øxøb) 
Suppo rted Rates: 11 (ex16) 
Tag: Extended Supported Rates 6, 9, 12, 18, 24, 
Tag Number: Extended Suppo rted Rates (5ø) 
Tag length: 8 
36, 
48, 
54, 
(mbit/sec) 
Extended 
Extended 
Extended 
Extended 
Supported 
Supported 
Supported 
Supported 
Rates: 
Rates : 
Rates: 
Rates: 
6 (øxec) 
g (øx12) 
12 (øx18) 
18 (øx24)

  • Probe requests are always sent on the lowest supported data rates. In above examples they are sent at 1 Mb/s.
  • Probe response contain the requested information elements that may have been requested by the probing station. .e.g. below

Authentication & Deauthentication Frames (1011, subtype :11, 12) (wlan.fc.type_subtype == 0xb,  wlan.fc.type_subtype==0xc)

  • Used to authenticate to an AP to prepare association or roaming
  • Used to remove the AID (Authentication ID) and deauthenticate with an AP.
  • Frame body consists of
    • Authentication Algorithm Number - 0 for Open System and 1 for Shared Key
    • Authentication Transaction Sequence Number - Indicate current status of progress
    • Status Code - 0 for Success,1 for Unspecified failures
    • Challenge Text  Used in Shared Key Authentication frame 2 & 3

IEEE 802.11 Authentication, Flags: ..... ...C 
Type/ Subtype: Authentication (OxØØØb) 
v Frame Control Field: OxbØØØ 
00 
1011 
= Version: 
00.. = Type: Management frame (0) 
= Subtype: 11 
Flags: ØXØØ 
.øøø 0001 0011 1010 
= Duration: 314 microseconds 
Receiver address: RuckusWi_4f:d3:c8 (2c:5d:93:4f:d3:c8) 
Destination address: RuckusWi_4f:d3:c8 c8) 
Transmitter address: SamsungE_2d:6Ø:91 (5c:51:81:2d:6Ø:91) 
Source address: 
BSS Id: 
. øøøø 
= Fragment number: 
1101 1001 0001 
= Sequence number: 3473 
Frame check sequence: Oxa186b162 [unverified] 
[FCS Status: Unverified] 
IEEE 802.11 wireless LAN 
v Fixed parameters (6 bytes) 
Authentication Algorithm: Open System (0) 
Authentication SEQ: Ox0ØØ1 
Status code: Successful (Ox0ØØ0)

137 
•33: ab 
24. ø 
8ø2. 11 
—55 dBm 
• 33 : ab 
138 
• a4:2e 
8ø2 . 11 
24. 
139 
•a4:2e 
8ø2.11 
140 
•a8:33 
•a4:2e 
8ø2 . 11 
24.0 
141 
lø. 644498 
lø. 645173 
lø. 645190 
lø. 646791 
lø. 646843 
Cisco 
5e:a7 
bf. 
:ec. 
5e:a7 
:ec. 
Cisco_bf. 
Cisco 
bf. 
(øø-. 
8ø2.1 
58 
112 
58 
277 
58 
—52 
—41 
2 
d Bm 
d Bm 
d Bm 
Ack 
Authentication 
Ack 
Association Request 
Ack 
CWAP-TEST 
24. 
132 
132 
132 
132 
Acknowledgement, Flags=..... 
Authentication, SN=1032, FN=ø, Flags=. 
Acknowledgement, Flags=..... 
Association Request, SN=2097, FN=ø, Flags=. 
Acknowledgement, Flags=..... 
SSID=CWAP-TEST

Association
and Disassociation Frames (0000, subtype =0)(0001 subtype =1) wlan.fc.type_subtype==0 or wlan.fc.type_subtype==10

  • Simple 4-frame exchange (authentication request, ACK, authentication response & ACK) used to enter the authenticated and associated state with the AP.
  • After Association STA may either use the network (open system authentication) or begin the 802.1x/EAP authentication process if used.
  • The Disassociation frame is used to change from authenticated/associated state to "authenticated not associated state". They contain a reason for disassociation. In case of below frame the reason code is unspecified reason.

802.11 radio information 
PHY type: 8ø2. lla (5) 
Turbo type: Non—turbo (ø) 
Data rate: 12.0 Mb/s 
channel: 108 
Frequency: 554%Hz 
Signal strength (dBm): —84dBm 
Noise level (dBm): —89dBm 
Signal/noise ratio (dB): 5dB 
TSE timestamp: 6964589ø3 
(Du ration: 44gsl 
IEEE 8ø2.11 Disassociate, Flags: ..... ...C 
Type/Subtype: Disassociate (øxøeea) 
Frame Control Field: exaøøø 
..øø = Version: e 
lølø 
= Type: management frame (e) 
= Subtype: lø 
Flags: øxee 
.øøø oøøø eø11 eeøø = Duration: 48 microseconds 
Receiver address: SamsungE_2d:øe:4ø (4c:66:41:2d:øø:4ø) 
Destination address: SamsungE_2d:øø:4e (4c:66: 41:2d 
Transmitter address: (2c:5d: 72:5c) 
source address: 72:5c) 
BSS Id: 
Fragment number: ø 
. eeøø = 
eøøø eøøø eløl 
= Sequence number: 5 
Frame check sequence: øx8043a47a [unverified] 
(FCS Status: Unverified] 
IEEE 8ø2.11 wireless LAN 
v Fixed parameters (2 bytes) 
Reason code: Unspecified reason 
( øxøool)

Reassociation
Request and Response Frames - (0010, subtype : 2) (0011, subtype : 3) (wlan.fc.type_subtype == 0x2 or wlan.fc.type_subtype ==0x3)

  • These frames are used to roam to another AP within the ESS (extended service set) or to reconnect after brief disconnection.
  • The reassociation response frame will also include an AID for the STA and the status code indicating the reassociation success or failure.

8ø2.11 radio information 
Data rate: 7.0 Mb/s 
channel: 108 
Signal strength (percentage): 78* 
IEEE 8ø2.11 Reassociation Request, Flags: op.PR.F. 
Type/Subtype: Reassociation Request (Oxøø02) 
Frame Control Field: ex2øda 
eølø 
. .øø = Version: e 
= Type: management frame (e) 
= Subtype: 2 
Flags: øxda 
Duration/ID: 5391 (reserved) 
Receiver address: 
Destination address: 89: ba (c9:6a: 
Transmitter address: al:2a:51:84:9b:9e (al:2a:51:84:9b:9e) 
source address: 
BSS Id: 79) 
STA address: 
= Fragment number: ø 
ooøø 
— Sequence number: 1860 
0111 eløø eløø - 
HT control (+HTC): øx2473a9cd 
WEP parameters 
Initialization Vector: øx952d2a 
Key Index: ø 
WEP ICV: exac6532aø (not verified) 
Data (1514 bytes) 
Data: 73a428øa537ø8af4618Ø23beb54d94ba647d7ø892c5øc22cm 
(Length: 1514]

RTS / CTS - (1011, Subtype : 11), (1100, Subtype : 12) (wlan.fc.type_subtype == 0x2 or wlan.fc.type_subtype ==0x3)

  • RTS and CTS frames are used to clear the medium for transmission of larger frames.
  • The Duration Field in RTS/CTS is very important.
    • SIFS (Short Interframe Space) - Amount of time in m/s required for a wireless interface to process a received frame and to respond with resoonse frame.
    • RTS duration = SIFS(3) + CTS +  Data +  ACK(1)
    • CTS duration = SIFS(2) + Data + ACK(1)

info rmat 
PHY type: 8ø2. lig (6) 
Short preamble: True 
Proprietary mode: None (0) 
Data rate: 24.0 Mb/s 
Channel: 6 
Frequency: 2437MHz 
Signal strength (dBm) 
: -42dBm 
Noise level (dBm) 
: -96dBm 
Signal/noise ratio (dB): 54dB 
TSE timestamp: 94735155 
(Du ration: 28gs) 
IEEE 8ø2.11 Request-to-send, Flags: ..... ...C 
Type/Subtype: Request—to—send (exøølb) 
Frame Control Field: exb4øø 
. .øø = Version: e 
løll 
= Type: Control frame (1) 
= Subtype: 11 
Flags: øxee 
.øøø oøøø løll eelø = Duration: 178 microseconds 
Receiver address: RuckusWi_cf:cf:d8 (2c:5d:93:cf:cf :d8) 
Transmitter address: 
Frame check sequence: øxbde58b2c (unverified] 
(FCS Status: Unverified]

802.11 radio information 
PHY type: 8ø2. lig (6) 
Short preamble: True 
Proprietary mode: None (0) 
Data rate: 24.0 Mb/s 
Channel: 1 
Frequency: 2412MHz 
Signal strength (dBm) 
: -83dBm 
Noise level (dBm) 
: -90dBm 
Signal/noise ratio (dB): 7dB 
TSE timestamp: 92681566 
[Du ration: 64gs) 
IEEE 8ø2.11 Clear-to-send, Flags: .pm.R.FTC 
Type/Subtype: Clear—to—send (øx001c) 
Frame Control Field: exc66b 
. .10 = Version: 2 
= Type: Control frame (1) 
. — Subtype: 12 
lløø - 
Flags: øx6b 
Duration/ID: 11803 (reserved) 
Receiver address: 
Frame check sequence: øx1b21827a (unverified] 
(FCS Status: Unverified]

  • CTS-to-self > is another method of performing NAV (Network Allocation Vector) distribution that use only CTS frames. It is used strictly as a protection mechanism for mixed mode environment.

Acknowledgement
Frames (ACK)(1011, Subtype : 13) (wlan.fc.type_subtype == 0x1d)

  • These frames are sent right after data/management frames to inform(ack) the transmitter.
  • With ACK frame, the transmitter assumes the frame was lost due to the corruption from interface or some other issue, and so retransmits the frame.
  • ACK frame includes Frame Control, Duration, RA and FCS subfields

802.11 radio information 
PHY type: 8ø2. lig (6) 
Short preamble: True 
Proprietary mode: None (0) 
Data rate: 12.0 Mb/s 
Channel: 11 
Frequency: 2462MHz 
Signal strength (dBm) 
: -85dBm 
Noise level (dBm) 
: -90dBm 
Signal/noise ratio (dB): 5dB 
TSE timestamp: 91694972 
[Du ration: 32gs) 
IEEE 8ø2.11 Acknowledgement, Flags: .C 
Type/Subtype: Acknowledgement (exøøld) 
Frame Control Field: exd4ee 
. .øø = Version: e 
1101 
= Type: Control frame (1) 
= Subtype: 13 
Flags: øxoe 
.øøø oøøø eøøø eeøø = Duration: e microseconds 
Receiver address: (fc: 
Frame check sequence: øx66678fb7 (unverified] 
[FCS Status: Unverified]

  • Duration Field value is set to : Duration Value of previous frame + ACK(1) + SIFS(1)

Null
Data & PS-Poll Frames (0100 Subtype : 4) (wlan.fc.type_subtype
== 0x24) or (wlan.fc.type_subtype == 0x1a)

  • Null Data Frames  are used to notify an AP that the STA is awake and able to receive the frames. 
  • It is simply a data frame with no date in the Frame Body field.

8ø2.11 radio 
info rmation 
PHY type: 8ø2. lig (6) 
Short preamble: True 
Proprietary mode: None (0) 
Data rate: 24.0 Mb/s 
Channel: 11 
Frequency: 2462MHz 
Signal strength (dBm) 
: -88dBm 
Noise level (dBm) 
: -96dBm 
Signal/noise ratio (dB): 8dB 
TSE timestamp: 54ø37578 
(Du ration: 92gsl 
IEEE 8ø2.11 Nutt function (No data), Flags: o.m. .MFTC 
Type/Subtype: Nutt function (No data) (øxee24) 
Frame Control Field: ex4ba7 
.. 11 = Version: 3 
Type: Data frame (2) 
lø.. = 
eløø 
= Subtype: 4 
Flags: øxa7 
Duration/ID: 11355 (reserved) 
Receiver address: 1b: 
Transmitter address: ce:2f :9e 
Destination address: 89:ae:ø6:4e:6d:7e (89:ae:ø6:4e:6d:7ø) 
source address: by: 13: 
= Fragment number: 12 
lløø 
1110 lløl eølø 
= Sequence number: 3794 
Frame check sequence: øxa0bff4b1 [unverified] 
(FCS Status: Unverified]

  • PS-Poll on the other hand are used to notify the AP that the client STA is awake and available for buffered frames.
  • STA indicate the power save mode using the Power Management bit the Frame Control field. When a STA is in PM mode = 1 it alternates between awake and sleep states.

v 8ø2.11 radio information 
PHY type: 8ø2. lig (6) 
Short preamble: True 
Proprietary mode: None (0) 
Data rate: 24.0 Mb/s 
Channel: 11 
Frequency: 2462MHz 
Signal strength (dBm): —88dBm 
Noise level (dBm) 
: -96dBm 
Signal/noise ratio (dB): 8dB 
TSE timestamp: 54143357 
(Du ration: 1ø4gsl 
IEEE 8ø2.11 Power-save poll, Flags: 
...P.M.TC 
Type/Subtype: Power—Save pott (exøøla) 
Frame Control Field: exa415 
..øø = Version: e 
= Type: Control frame (1) 
= Subtype: lø 
lølø 
Flags: øx15 
. løø eløø lløø eløl = Duration: 17605 microseconds 
Receiver address: fc. 
•55 
BSS Id: 
Transmitter address: 24. 
•f5:e8 
(unverif iedl 
Frame check sequence: øxb471eø46 
(FCS Status: Unverified]

  • AP may send buffered data frames to the client in two ways.
    • If the data belongs to legacy power-save queue, transmission follows the legacy power save.
    • If the data belongs to WMM Power Save queue, data frames are downloaded according to a trigger-and-delivery mechanism.

Useful
Links for this Post :

Read more link text

How did I Decipher 802.11 Frames! #CWAP-2

Main Objective: To successfully transfer every bit of information(data) from one device to another.

802.11 MAC HEADER

Let us now go through the basics of the frame header and the components. I have captured a simple beacon (management) frame using Wireshark.

I will briefly explain each of the fields. Notice the number in the bracket refers to the bytes. For memory 1 Byte = 8 bits. 🙂

802.11 Beacon frame capture

Frame Control Field dissection

Frame Control > 16 bits | 2 Bytes - contains 11 subfields as displayed in the above examples. Considering the amount of valuable information contained in 802.11 Frame Control sub-fields is mind-boggling

Protocol Version (2 bits): For now, always set to 0 by default. Changes in the version are expected in the future.

Type: Management (0,0), Data(1,0), Control(0,1), Extension Frame(1,1)*only available with 802.11D

Sub Type (4 bits): There are different kinds of management, control and data frames. Therefore the 4-bit Subtype field is required to differentiate. The above examples have Beacon & ACK subtypes.

To DS - if set to "1" - Frame going from STA > Distribution System (DS)
From DS - if set to "1" - Frame going from DS > STA


To DS = 0, From DS = 0  > Management or Control frames where it does not go to DS, Can be STA to STA communication in an ADHOC/IBSS setup.
To DS =0, From DS = 1 > Downstream traffic from AP to the STA.
To DS =1, From DS = 0 > Upstream traffic from STA to AP
To DS =1, From DS = 1 > Data frame using 4 MAC header format, usually occurs in WDS or Mesh Network
.

More Fragments - If set to "1" it is usually preceded by another fragment of current MSDU or MMPDU to follow.

Retry - 0 or 1. 1 is for retransmissions. Lot of 1's may indicate a network with a lot of retry rate due to some issue. The issues can impact the performance by increased application/network latency thereby degrading user experience.

Power Management - if set to "1", STA is using power save mode.

More Data: if set to "1" it indicates that the AP or STA is holding more frames for the STA to which the current frame is targeted.

Protected Frame - if set to "1" it indicates payload is encrypted.

Order - If set to "1" in any non-QoS data frame when a higher layer has requested that the data be sent using strictly ordered CoS, which tells the receiving STA to process the frames in order.

Duration/ID > 2 Bytes | 16 bits - May be used for 2 purposes, it may contain the duration of the frame. Secondly, it may contain association identifier (AID) of the STA that transmitted the frame.

Address 1,2,3 and 4: Each address contains 6bytes/48 bits of data.

SA > Source Address
DA > Destination Address
TA > Transmitting Address
RA > Receiving Address
BSSID >

Sequence Control Field (2 Bytes/16 bits): Divided into 4-bit fragment number and a 12-bit sequence number. Used when MSDUs are fragmented. 802.11-2016 allows for fragmentation of frames.

QoS Control Field: (2 Bytes/16 bits): Only used in MAC header of QoS frames. Sometimes referred to as WMM (Wi-Fi Multimedia) which provides traffic prioritization.

HT Control Field (4 bytes/32 bits): Parameters related to HT & VHT operations. Only used in Management + QoS control frames.

Frame Body: Contains the actual MSDU payload to be transmitted.

FCS: (Frame check sequence field 4Bytes/32 Bits) - Final field on the frame header. Also known as Trailer as the word says. Used to detect errors in communication.

Read more link text