CWAP Reference Guide so far… #CWAP12

I’ve tried to condense my notes from the study for CWAP-403 exam. The exam consists of lot of details which need to be learnt if you have not done enough capturing and analyzing 802.11 wireless frames before.

  1. CWAP 403 – Start > Introductory blog
  2. 802.11 Mac Header explained
  3. Key 802.11 Frames
  4. Troubleshooting WLAN issues #mindmap
  5. PHY Layer
  6. WLAN medium contention
  7. 802.11 Frame Exchanges (Security)
  8. How to capture WLAN Frames?
  9. Troubleshooting WLAN issues with 802.11 Frames
  10. 802.11n | HT Operations
  11. 802.11ac | VHT Operations
  12. Spectrum Analysis (Still to come)

802.11ac and a bit of 802.11ax #CWAP11

June 1997: 
802.11-1997 
September 1 999: 
802.11m 802.11b 
March 2007: 
802.11-2007 
March 2012: 
802.11-2012 
February 2014? 
802.1 
June 2003: 
802.1 lg 
September 2005: 
802.11e 
June 2004: 
802.1 li 
September 2009: 
802.11 n 
September 2009: 
802.11w 
2006 
May 2008: 
802.11k, 802.1 Ir 
2007 2008 2009 
September 2011: 
802.11 v,802.11u 
2010 2011 2012 2013 2014 
802.11ax 
Ratified Late 2020 
1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 
Figure 1-1. 802.11 timeline

This blog post will be focusing on 802.11ac in particular. We visited the aspects of 802.11n in the last blog post.

802.11ac introduced the VHT (Very High Throughput) along with some core technological advancement like MU-MIMO, 256 QAM addition & support for 80MHz/160MHz channels. One of the key differences also lie in the support of only 5GHz band. So there is still a dependency on 802.11n for 2.4Ghz support, however the upcoming 802.11ax will support both 2.4GHz and 5GHz.

Table 1. 
PHY 
Calculating the speed of 802.1 lac and 802.1 lax 
802.1 lac 
802.1 lax 
Bandwidth 
(as number of 
data subcarriers) 
234 (80 MHz) 
2 234 (160 MHz) 
980 (80 MHz) 
2 x 980 (1 60 MHz) 
Data bits per 
subcarrier 
5/6 log2(256) 
= 6.67 
x 
5/6 x log2(1 024) 
= 8.33 
Time per 
OFDM symbol 
(800ns G') 
4 ps 
13.6 vs 
390 
Mbps 
780 
Mbps 
600 
Mbps 
1.2 
Gbps 
1.17 
Gbps 
1.8 
Gbps 
3.6 
Gbps 
1 .56 
G bps 
3.12 
G bps 
2.4 
G bps 
4.8 
G bps 
4.8 
Gbps
Table 1. 
PHY 
Calculating the speed of 802.1 lac and 802.1 lax 
802.1 lac 
802.1 lax 
Bandwidth 
(as number of 
data subcarriers) 
234 (80 MHz) 
2 234 (160 MHz) 
980 (80 MHz) 
2 x 980 (1 60 MHz) 
Data bits per 
subcarrier 
5/6 log2(256) 
= 6.67 
x 
5/6 x log2(1 024) 
= 8.33 
Time per 
OFDM symbol 
(800ns G') 
4 ps 
13.6 vs 
390 
Mbps 
780 
Mbps 
600 
Mbps 
1.2 
Gbps 
1.17 
Gbps 
1.8 
Gbps 
3.6 
Gbps 
1 .56 
G bps 
3.12 
G bps 
2.4 
G bps 
4.8 
G bps 
4.8 
Gbps

Multi-user MIMO

  • One of the greatest potential of 802.11ac
  • Prior to this all the 802.11 standards used single user.
  • If there are two receivers located in sufficiently different directions, a beamformed transmission may be sent to each of them at the same time.
  • Enables better spatial reuse. As per the below example, the MU-MIMO builds on small-cell approach by enabling even more tightly packed networks. As a result AP can send independent transmissions within its own coverage area. Just as 802.3(Ethernet) reduces collision domains, MU-MIMO intends to reduce spatial contention of transmissions.
Downlink Multi-User MIMO

802.11ac Wave 1 and 2 – The first wave of 802.11ac products will be driven by the enthusiasm for higher speeds. APs will typically have three stream capabilities, but with 802.11ac providing 80 MHz channels and 256-QAM modulation, the speed will go from 450 Mbps to 1.3 Gbps. The second wave of 802.11ac products will add even wider channels and possibly even multi-user MIMO support, as outlined in the figure below.

Attribute 
Maximum number of spatial streams 
Channel width 
Maximum modulation 
Typical maximum speed 
Beamforming support 
MU-MIMO support 
First wave 
3 
80 MHz 
256-QAM 
1.3 Gbps 
Varies (depending on vendor) 
Second wave 
3 or 4 
160 MHz 
256-QAM 
26 Gbps 
Yes 
Yes

The PHY

#Channels

  • OFDM based transmission, 802.11ac divides the channel into OFDM sub carriers each 312.5kHz
  • To increase throughput, 802.11ac introduces two new channel widths. Supports 80MHz and further added 160MHz channel option for even higher speeds.
  • 802.11ac channels have exactly the same shape as previous OFDM channels (802.11a,g,n)

MCS & GI

  • MCS Index tends to be much simpler than 802.11n. First 7 are mandatory and others are supported.
MCS index value 
2 
3 
4 
5 
6 
7 
8 
9 
Modulation 
BPSK 
QPSK 
QPSK 
16-QAM 
16-QAM 
64-QAM 
64-QAM 
64-QAM 
256-QAM 
256-QAM 
Code rate (R) 
1/2 
3/4 
1/2 
3/4 
3/4 
3/4
  • 802.11ac retains the ability to select a shortened OFDM guard interval if both Tx and Rx are capable of processing it. The GI shrinks from 800ns to 400ns, providing a 10% boost in the throughput.

VHT Signal Fields

The purpose of the Signal Field is to help the receiver decode the data payload, which is done by describing the parameters used for transmission. 802.11ac separates into Signal A and Signal B fields. For CWAP purposes this has not been dealt in depth. There are 2 parts in VHT Signal A field are referred as VHT-SIG-A1 & VHT-SIG-A2.

SIGNAL A

  • Bandwidth
    • 0 – 20MHz, 1 – 40MHz, 2- 80MHz & 3 – 160MHz
  • STBC
    • If the payload is encoded with STBC (Space-time block coding may be used when the number of radio chains exceed the number of spatial streams, it tx a single data stream across 2 spatial streams.) for extra robust-ness, this field is set to 1, otherwise will be 0.
  • Group ID
    • Frames to AP > group ID =0
    • Frames sent to STA Client > group ID = 63
  • Number of space-time streams
    • Starts from 0, e.g. if field is set to 3, then there are 4 space time streams.
  • Partial AID
    • Last 9 bits of the BSSID.
  • Transmit power save forbidden
    • Field will be 0, if AP in network allows client to power off radios when they have opportunity to transmit frames. Otherwise will be 1.
  • Short GI – Field set to 1 for 400ns, 0 for otherwise.
  • Short GI disambiguation – Extra symbol may be required denoting 1 or 0 for not required.
  • Coding – Field is 0 when convolutional coding is used to protect the data field, 1 when LDPC is used.
  • LDPC Extra Symbol – Field is set to 1 if extra symbol is required.
  • MCS – MCS Index value of the payload.
  • Beamformed – If matrix is applied to the transmission, the bit is set to 1 otherwise set to 0.
  • CRC – Error correction
  • Tail – 6 zeros are included to terminate the convolutional coder that protects the Signal A field.

SIGNAL B

  • Used to setup the data rate, as well as tune in the MIMO reception.
  • VHT Signal B Length (17, 19 or 21 Bits)
  • Reserved bits – Set to 1.
  • Tail bits
< IEEE 802.11ac Figure 22-19—VHT-SIG-A2 structure > 
32 
83 
84-87 
SU VHT-MCS/MU[1-3] coding 
SU VHT-MCS 
eam 
Formed 
Formed 
Rese rved 
Variable 
818-823 
BIO-B17 
u 
Composite Name 
SU Name 
MU Name 
Bits 
8 us 
L-STF 
BO-BI 
Composite Name 
SU Name 
MU Name 
Bits 
Coding 
OFDM PHY Modulation 
MU[2] 
Coding 
MUC3] 
Rese rved 
Coding 
VHT Modulation 
Bus 
L-LTF 
83 
4us 
VHT 
L-SIG 
84 ag 
8 us 
VHT-SIG-A 
NSTS 
MUCO] 
NSTS 
Bus 
BIO-B2 
NSTS/Partial AID 
Partial AID 
822 
823 
MU[I] 
NSTS 
MU[2] 
N STS 
MUC3] 
N STS 
< IEEE 802.1 lac Figure 22-18— 
VHT-SIG 
-Al structure >

Air Magnet Pro can help you scan through the PHY frames

The MAC

Frame aggregation was introduced in 802.11n, 802.11ac however adds an interesting new take on the aggregation. All frames transmitted use the aggregated MPDU (A-MPDU) format. Even the single frame transmitted in one shot is transmitted as aggregate frame.

Table 3-1. Size comparisons of transmissions for different 802.11 PHYs 
Attribute 
MSDU (MAC payload) size 
MPDU (MAC frame) size 
A-MSDU (aggregate MAC payload) 
sue 
PSDU (PLO payload) size 
PPDU frame) size 
802.11a 
2,304 
Implied by maximum MSDU 
Size 
Not used with 802.1 la 
4,095 bytes 
Implied by maximum PSDU 
size 
802.11n 
2,304 
Implied by A-MSDU size 
7,935 
65,535 bytes 
5.484 ms (mixed mode) or 10 
ms (greenfield mode) 
802.1 lac 
2,304 
11,454 
Implied by maximum 
MPDU size 
bytes 
5.484 ms

Management Frames

  • VHT Capabilities Information element.
v VHT Capabilities Info: 
ØxØ39179b1 
. . .01 
= Maximum MPDU Length: 7 991 
00.. = Supported Channel Width Set: Neither 160MHz nor 80+80 supported (OXO) 
. 1 = Rx LDPC: Supported 
1. = Short Gl for Supported 
.0.. 
= Short GI for 160MHz and 80+80MHz: Not supported 
1... = Tx STBC: Supported 
. = Rx ST BC: 1 Spatial Stream Supported (Oxl) 
. . .01 
. 1... = SU Beamformer Capable: Supported 
...1 
. = SU Beamformee Capable: Supported 
. = Beamformee STS Capability: 4 (Ox3) 
. 011. . 
= Number of Sounding Dimensions: 2 (Oxl) 
.01 
= MU Beamformer Capable: Not supported 
. = MU Beamformee Capable: Supported 
. ..Ø. = TXOP PS: Not supported 
.0.. 
. = +HTC—VHT Capable: Not supported 
.. 11 1... . .. 
. . = Max A-MPDU Length Exponent: 1 048 575 
. = VHT Link Adaptation: No Feedback (OXO) 
...o 
= Rx Antenna Pattern Consistency: Not supported 
= Tx Antenna Pattern Consistency: Not supported 
00.. = Extended NSS BW Support:
  • VHT Operations Information element
v Tag: VHT Operation 
Tag Number: VHT Operation (192) 
00 = Basic 
ll.. = Basic 
11 = Basic 
= Basic 
= Basic 
= Basic 
= Basic 
= Basic 
Tag length: 5 
v VHT Operation Info 
Channel Width: 20 MHz or 40 
Channel Center Segment 0: 
Channel Center Segment 1: 
Basic MCS Map: Oxfffc 
. ll.. 
.. 11 
. ll.. 
.. 11 
ll.. 
MHz 
1 
2 
3 
4 
5 
6 
7 
8 
SS: 
SS: 
SS: 
SS: 
SS: 
SS: 
SS: 
MCS 
Not 
Not 
Not 
Not 
Not 
Not 
Not 
0-7 (OXO) 
Suppo r ted 
Suppo r ted 
Suppo r ted 
Suppo r ted 
Suppo r ted 
Suppo r ted 
Suppo r ted

NOTE: Greenfield mode was offered with 802.11n. The efficiency gains from greenfield mode were often lost because airtime-devouring CTS-to self

messages were required before transmitting in the greenfield mode. As a result, greenfield mode was removed from 802.11ac.

Beamforming Basics

  • As 802.11ac beamforming is based on explicit channel measurements, both the transmitter and receiver must support it.
  • Any device that shapes its transmitted frames is called beamformer, receiver of such frames is called beamformee.
  • The AP initiates frame exchange with the STA, which helps it to measure the channel. The result of the channel measurement is a derivation of the steering matrix.
  • Steering Matrix describes how to setup each element of transmitter’s antenna system to precisely overlap transmissions to reach farther.
  • To steer transmissions in a particular direction, a beamformer will subtly alter what is transmitted by each array. A simple phase shift can alter/steer the transmission.

Null Data Packet (NDP) – Standardizes beamforming methods. 802.11ac method of beamforming is termed as null data packet sounding. Sounding is the term used to denote the process  performed by the transmitter to acquire channel state information (CSI) from each of the different users by sending training symbols and waiting for the receivers to provide explicit feedback containing a measure of the channel.

VHT beamformer shall initiate a sounding feedback sequence by transmitting VHT NDP announcement frame followed by a VHT NDP after a SIFS.

Beam 
rormer 
formec 
for mec 
NDP 
-=ment 
Frame 
F 
Frame 
Beamfcgm— I 
•ing Relx»rt r 
Fr ame S 
Beunfu•u• 
—ing 
IS Frmne 
. 1. AVHT

SU Beamforming

  • Begins with the beamformer sending a NDP announcement packet followed by NDP. The NDP has fixed known format. The beamformee receives the NDP, analyzes it and computes back in form of feedback matrix. The feedback matrix is sent in reply to the NDP in the form of compressed beamforming frame (CBF).
SIFS 
NDP 
Announcement 
Beamformer 
Compressed 
Beamtorming 
Beamfor mee 
SIFS

MU Beamforming

  • As opposed to Tx to one device, MU-MIMO Aps are capable of simultaneously transmitting data to multiple device groups.
  • The key distinction between them is that with MU-MIMO beamforming and beamformer requires a response from all beamformees in order to conclude channel sounding.
  • The CBF packet is 802.11 action frame which contains a channel matrix that specifies the CSI for each client. The CBF is the largest contributor to the overhead caused by MU-MIMO transmission and is size is determined by
    • Channel Width
    • Number of radio chain pairs
    • Bit count of each CSI unit
SIFS 
Beamformer 
Beamformee 1 
Be amforming 
Bea 
SIFS 
mforming 
Report poll 
ieai\ 
SIFS 
Beamformee 2 
Beamformee 3 
SIFS 
Compressed 
Beam f 
SIFS

Recommended Reading

Cisco 802.11ax White Paper
Wifi Certified 6 Highlights
802.11 Framing in Detail
802.11ac Channel Planning
802.11ac VHT PHY
Research Paper on VHT MU-MIMO
802.11ac – A Survival Guide

802.11n | HT Operations #CWAP10

The blog post will cover the topics related to High Throughput Throughput technologies in conjunction with the exam objectives laid down for CWAP-403 exam. 802.11 Frame Exchanges cover 25% of the knowledge domain required for the exam. Analysing HT & VHT transmission methods are one of the sub topics under this section. I will be focusing on the HT/802.11n type in this blog, apparently it has gone a little longer than i thought. There are certain section which might take further reading from 802.11n Survival Guide if you are keen.

802.11n ~ High Throughput

  •  Ratified Sep 2009
  • Clause 20 technology, backward compatible with HR-DSSS (Clause 18), OFDM (Clause 17).
  • Can be used for both 2.4GHz & 5GHz bands.

MIMO Enhancements

  • Transmit Beamforming (TxBF) – Tx(Transmitter) Radios multiple antenna can transmit in the best direction of the Rx (Receiver).
  • Spatial Multiplexing (SM) – Tx multiple radios at the same time with each unique stream containing different data.
  • Space-Time Block Coding(STBC) – Transmitting redundant copies of data stream from different antenna thereby increasing the signal quality.
  • Antenna Selection (ASEL) – Increase signal diversity by dynamic selection of antennas.

Spatial Multiplexing

  • Takes advantage of multipath (when signal tends to reflect, scatter, diffract or refract).
  • Multiple streams follow different paths to the receiver because of the space between the transmitting antenna is known as spatial diversity and is also called as spatial multiplexing.
  • When using SM, both Tx and Rx should participate and be MIMO systems.
FIGURE 10.2 
-123456789“ 
MuItiple spatial streams 
мно 
-123456789“ 
ммо 
c]ient

HT Channels

  • Use 20 MHz OFDM channels.(NON-HT)
    • Each 20MHz OFDM channel contains 64 subcarriers which are each 312.5 KHz wide and can be separately modulated.
    • First 6 & Last 5 sub carriers are null as they act like guard band for the channel + center subcarrier is also null. This leaves 52 subcarriers.
    • Out of 52, 48 transmit data while 4 used in dynamic calibration between Tx and Rx.
  • 20MHz OFDM channels (HT)
    • Each 20MHz OFDM channel has 56 subcarriers, 52 transmit data, 4 are used for calibration between Tx and Rx.
  • 40 MHz Channels
    • Use 114 OFDM subcarriers, 108 transmit data, 6  are used for calibration.
    • A 40MHz channel doubles the frequency bandwidth available for transmission of the data.
    • A 40MHz channel used by HT radios essentially 2x 20MHz OFDM channels bonded together.
Table 3-1. Channel description attributes 
+25, +53 
PHY standard 
80111a/g 
80111n,20MHz 
80111n,40MHz 
Subcarrier range Pilot subcarriers 
-26t0+26 
-28t0+28 
-57 to +57 
+7, +21 
+7, +21 
Subcarriers (total/data) 
52 total, 48 usable 
56 total, 52 usable 
114 total, 108 usable

Modulation and Coding Scheme (MCS Index)

  • Value that describes the number of spatial streams, modulations (BPSK, QPSK, 16-QAM or 64-QAM and further) and error correction code used in Tx.
  • 802.11n supports equal modulation, in which all SS are transmitted in same manner, and unequal modulation, in which the spatial streams may be modulated differently.
  • 802.11n defines 77 different combinations of modulation and coding.
  • There are 8 mandatory MCS for 20 MHz HT channels.
TABLE 10.1 
MCS index 
Mandatory modulation and coding schemes—20 MHz channel 
Data rates 
Spatial 
streams 
Modulation 
BPSK 
OPSK 
OPSK 
16-QAM 
16-QAM 
64-OAM 
64-OAM 
64-OAM 
800 ns Gl 
6.5 Mbps 
13.0 Mbps 
19.5 Mbps 
26.0 Mbps 
39.0 Mbps 
52.0 Mbps 
58.5 Mbps 
65.0 Mbps 
400 ns Gl 
7.2 Mbps 
14.4 Mbps 
21.7 Mbps 
28.9 Mbps 
43.3 Mbps 
57.8 Mbps 
65.0 Mbps 
72.2 Mbps

Guard Interval (GI)

  • The GI is the space between the symbols being transmitted.
  • May be confused with IFS, the GI is there to eliminated inter-symbol interference where is referred to as ISI.
  • ISI happens when echoes from one symbol interfere with another.
  • A good rule of thumb specifies that GI should be 4x the highest multipath delay spread. When 802.11a was designed, designers used conservative value of 200ns for the delay speed, and choose to make the GI 800ns.

HT PHY

I’ve discussed this topic in details under this blog post.

Wi-Fi Alliance

  • Before the 802.11n amendment was ratified, the HT technology was already being certified and sold. The Wi-Fi alliance had developed a vendor certification program called Wi-Fi CERTIFIED 802.11n draft 2.0. The Cert Program as name suggested, certified products against the amendment. Draft 2.0 supports a max data rate of 300Mbps which is half max data rate specified in ratified document.
  • Details about the Wi-Fi certified “n” features can be found here

HT Control Field

  • The 802.11n amendment adds a new field in 802.11 MAC header, called the HT Control Field. It is 4 octets long and follows QoS control field in 802.11 MAC header.
  • Any MPDU that contains an HT control field is referred to as +HTC MPDU.

The Order Bit – The 802.11n amendment uses the existing but relatively unused order bit in the Frame Control field of the MAC header to indicate the presence of an HT Control Field in QoS data & management frames. Original purpose of this bit was to indicate that data muse be sent using a strict ordered class of service.

Control Wrapper Frame – is/are described using the carried frame name + HTC, for example RTS+HTC or CTS+HTC

HT Control Field Format – figure below shows the format of HT Control field. (Honestly some of the stuff went way over my head but might have to figure this out by looking at a few pcaps & studying them :|)

Link Adaptation Control (16 bits)

  • TRQ – Training Request > Set to 1 to request the responder to transmit a sounding PPDU. Set to 0 to indicate that the responder is not requested to transmit a sounding PPDU.
  • MAI (MCS Request (MRQ) or ASEL Indicator) – When set to “14”, it is an ASEL indicater which indicates that you would interpret the MFB/ASELC subfield as an ASEL command.
  • MFSI – MCS Feedback Sequence Identifier- A MCS Feedback (MFB) frame is sent in response to a MCS Request.
  • MFB/ASELC – MCS feedback and Antenna Selection Command -When ASEL indicator is present, the MFB/ASELC subfield interpreted as ASELC subfield. Otherwise it is interpreted as MFB subfield. A value of 127 indicates that no feedback is present

Calibration Position (2 bits)

  • Set to 0 indicates this is not a calibration frame.
  • Set to 1 indicates calibration start.
  • Set to 2 indicates sounding response.
  • Set to 3 indicates sounding complete.

Calibration Sequence – Each of the four packets within the calibration exchange will have the same sequence number.

CSI/Steering – When using sounding frames to transmit feedback about the channel, the Channel State
Information (CSI)/Steering subfield identifies the type of feedback being used.

NDP Announcement – indicates that an NDP will be transmitted after the frame. It is set to 1 to indicate that an NDP will follow; otherwise, it is set to 0. NDP are used to send sounding PPDU when no other data needs to be transmitted. If a frame transmitted that require an immediate response and also has the TRQ=1 (request for sounding PPDU) then receiver can either transmit the MPDU response withing a sounding PPDU or send the response MPDU with the NDP Announcement bit set to 1, indicating that NDP will be transmitted following the current PPDU.

Reverse Direction Protocol – 802.11n amendment which improves the efficiency of data transfer between STAs.

HT Action Frames & Information Elements

Information Elements

HT Capabilities, HT Operations, 20/40 BSS Coexistence & Overlapping BSS Scan Parameters,

HT Capabilities Element

  • Can be seen in Beacon, Probe Req/Response, Association Req/Response & Reassoc Req/Response.
  • You can figure out the MCS values supported by the 802.11n AP from this section in the pcap.
  • Determine A-MPDU parameters

HT Operation Element

  • STA operation within an HT BSS environment.
  • Found in Beacon, Reassociation Response, and Probe Response frames transmitted by an AP.

HT information elements

  • Primary Channel, Secondary Channel Offset and STA channel width.
    – When the Supported Channel Width Set subfield is equal to 1(as in above), indicating a 20/40 MHz BSS, then the Primary Channel field indicates the primary channel number.
    – Secondary Channel – Directly above or below the primary channel.
  • Protection Mechanisms – To ensure backward compatibility with older 802.11 a/b/g radios, an HT access point will operate in one of four protection modes. 00 in above pcap example.
  • RIFS mode – The 802.11e QoS amendment introduced the capability for a transmitting radio to send a burst of frames during a transmit opportunity (TXOP). (prohibited in above pcap case).
  • Basic MCS Set – Last in Operations element, similar to MCS set field in HT Capabilities Element.

For Further Reading

Troubleshooting WLAN issues with 802.11 Frames – #CWAP9

I have pen down a some troubleshooting scenarios which I’ve come across while studying for CWAP exam.

To begin with,

Management Frames > Foundation of how wireless radios detect, join and operate on WLAN.
Control Frames > Frames which control the delivery of Data frames.
Data Frames > Carry actual data payload from/to layers 3-7.

Some scenarios which frames can provide an insight for.

  • Client Roaming Observations – In some cases, there might be some issues with clients not able to perform seamless roaming or the roaming might be delayed when client moves from one AP to another. In some cases we may need to find which type of roaming method are supported by the AP to diagnose other issues. Let’s see how the frames can help.
    • To find the roaming handoff time from one AP to another we have to examine the frames from type > Reassociation Type to the completion of 4-way handshake. E.g. frame below
s 0.029712 
8 0.053240 
: 2. : 98 
: db:Sc 
-2a:gS 
TLS VI 
- - -nnrr_h- 'h 
2<37 
o ch&ge E 
7 cipher Spec, Fessaqe 
24 3 
2427 
Appl
  • Total roaming time can be calculated by subtracting the EAPOL M4 time (0.105180) with Reassociation Request Frame(.003857)= .101323 ~ approx. 101ms
  • Type of roaming method can be deduced from the Tagged Parameters set in 802.11 Wireless LAN section. Below example uses Over-the-air Fast BSS, value of 1 will denote it using Over-the-DS BSS.
Tag: Mobility Domain 
Tag Number: Mobility Domain (54) 
Tag length: 3 
Mobility Domain Identifier: øxcd64 
FT Capability and Policy: Oxøø 
Fast BSS Transition over DS: Oxø 
Resource Request Protocol Capability: 
exo
  • Management Retries – Generally anything under 20% of Management retries in the network is considered OK or acceptable. There is no set vendor recommended management retry. In a prod environment it is bound to have certain % of retries even if the AP or Client placement/AP Tx Power/Interference and Channel settings are set to optimal. In any case anything over constant 20% retries could indicate some concerns in the WLAN environment which need investigation.
     
Total Retransmissions Across All Clients 
Mgmt Retre o.øax (408) 
Mgmt 439% (1212) —l 
Data Retre 083% 
vgmt Retries: 094% (408) 
Data Fran-— 15g3% (5039) — 
control 7702% (33,946)
IEEE 8ø2.11 Authentication, Flags: .R... 
Type/Subtype: Authentication (øxoøøb) 
Frame Control Field: exbøø8 
løll 
Flags 
. .øø = Version: 0 
= Type: management frame (e) 
— Subtype: 11 
: øxe8 
. .øø = DS status: Not leaving DS or network is operating in AD—HOC mode (To DS 
More Fragments: This is the last fragment 
Retry: Frame is being retransmitted 
PWR MGT: STA wilt stay up 
. = More Data: No data buffered 
. = Protected flag: Data is not protected 
. = Order flag: Not strictly ordered 
: e From DS: e) 
(exø) 
.øøø eøøø eølø lløø = Duration: 44 microseconds 
Receiver address: Cisco_bf:a4:2e (øø: 
Destination address: Cisco_bf:a4:2e (eø:a7:42:bf:a4:2e) 
Transmitter address: 5e:a7:ec:a8:33:ab (5e:a7:ec:a8:33:ab) 
Source address: 5e:a7:ec:a8:33:ab (5e:a7:ec:a8:33:ab) 
BSS Id: 
= Fragment number: ø 
eeøø 
— Sequence number: 1 
eøøø eøøø eøøl -
  • We can also check this on the Wireshark IO graphs as below to highlight the management retries. Below network has lot of management retries and needs further investigation
Wireshark • 10 Graphs • airtool_2019-11-28_02.47.29.PM .pcap 
Wireshark 10 Graphs: .pcap 
1200 
1000 
800 
600 
400 
200 
HO Ver over the graph for details. 
40 
80 
Display Filter 
tcp.analysis.f... 
wlan.fc.retry... 
Color 
120 
Time (s) 
Style 
Line 
Line 
Interval 10 sec 
160 
Y Axis 
Packets 
Packets 
Packets 
200 
Y Field 
Enabled 
o 
n 
Graph Name 
Al packets 
TCP errors 
Retries 
240 
SMA Period 
None 
None 
None 
Mouse O drags 
O zooms 
Copy tram v 
n 
Time of day 
n 
Log scale 
Close 
Reset 
Save As...
  • Duration/ID field
    • 16 bits in length, used for virtual carrier-sense, legacy power management & contention-free period.

In the below RTS frame, the duration value is 2048ms. The radio is asking for permission to reserve airtime to pending transmission. The receive radio can allow or deny this request. But higher duration value can indicate the delays it is causing in allowing/denying the request. This can cause some weird behavior in client operation, may also cause disruption in network services. We have to closely check the change log on the WLAN environment. If this is a result of some WLAN controller/AP software update or other updates which may cause the issues. Also NOTE: Please check the device and not always high duration value can be a problem.

IEEE 8ø2.11 Request-to-send, Flags: ..... ...C 
Type/Subtype: Request—to—send (Oxøølb) 
v Frame Control Field: exb40e 
. .øø = Version: 0 
= Type: Control frame (1) 
= Subtype: 11 
løll 
Flags: 
øxoo 
. .øø = DS status: Not leaving DS or network is operating in AD—HOC mode (To DS: 
ø . — More Fragments: This is the last fragment 
— Retry: Frame is not being retransmitted 
- PWR MGT: STA wilt stay up 
. = More Data: No data buffered 
. — Protected flag: Data is not protected 
Order flag: Not strictly ordered 
.øøø løøø oøøø ooøø - 
Duration: 2ß48 microseconds 
Receiver address: App 92:ga) 
Transmitter address: 7a:8a:2ø:øf:bg:6f 
Frame check sequence: øx4d4e67bf (unverified] 
[FCS Status: Unverified] 
e From DS: e) 
(exø)
  • Null Data Frames / Power Management

The null data frames are in fact not null as per their description. They can help in troubleshooting few WLAN issues. Null data is categorised under control frame. It is only transmitted from a STA/Client. The sole purpose is to carry power management frames controlled field. The power management bit will either be set to 0 or 1. Below are the examples.

STA = 0, it is informing AP that it(STA) is In active power state (awake) and transmission of frames from AP to STA should be normal.

IEEE 8ø2.11 Nun function (No 
Type/Subtype: Nutt function 
Frame Control Field: ex48e1 
. .øø = Version: e 
data), Flags: ...TC 
(No data) (øx0024) 
eløø 
Flags: 
= Type: Data frame (2) 
= Subtype: 4 
øxel 
. ..øl = DS status: Frame from STA to DS via an AP (To DS: 
= More Fragments: This is the last fragment 
Retry: Frame is not being retransmitted 
PWR MGT: STA will stay up 
More Data: No data buffered 
. = Protected flag: Data is not protected 
= Order flag: Not strictly ordered 
1 From DS: e) 
(øxl) 
.øøø eøøø eølø lløø = Duration: 44 microseconds 
Receiver address: RuckusWi_cf:d2:7c (2c:5d:93:cf:d2:7c) 
Transmitter address: Apple_51:44:de (94:f6:d6:51:44:de) 
Destination address: (2c:5d: 93: cf :d2:7c) 
Source address: Apple_51:44:de (94: f6:d6:51:44:de) 
BSS Id: Ruckuswi_cf

STA =1, is informing AP that it is going offline and any frames that come into the AP from this STA should be buffered at the AP till the STA returns and sends a NULL frame of 0, active state.

IEEE 8ø2.11 Null function (No 
data), Flags: 
...P...TC 
Type/Subtype: Nutt function 
(No data) (øx0024) 
Frame Control Field: ex4811 
. .øø = Version: e 
eløø 
Flags: 
= Type: Data frame (2) 
= Subtype: 4 
øxll 
. ..øl = DS status: Frame from STA to DS via an AP (To DS: 
= More Fragments: This is the last fragment 
Retry: Frame is not being retransmitted 
PWR MGT: STA will go to sleep 
More Data: No data buffered 
. = Protected flag: Data is not protected 
. = Order flag: Not strictly ordered 
1 From DS: e) 
(øxl)

PSM > Power Save Mode allows the client STA to go into sleep mode. It can essentially turn of the NIC functions including the radio thereby consuming less battery and conserving it. Some devices can benefit from this but there are some which may have aggressive power save mode options. So one needs to check the client driver details to troubleshoot any issues relating to client.

Some known issues with Power Management are described in below links

https://www.dell.com/support/article/nz/en/nzbsd1/sln285293/change-the-intel-advanced-wi-fi-adapter-settings-to-improve-slow-performance-and-intermittent-connections?lang=en

https://www.intel.com/content/www/us/en/support/articles/000005645/network-and-i-o/wireless-networking.html

Another reason why client STA may inform AP about changing the bit to 1 is when it is roaming. Suppose client has reached the roaming limits of the AP it was connected to and wants to switch to the nearby one, in order to to this it may go off the channel sending the buffer frames signal to AP and resume its connection.

How to capture WLAN Frames? #CWAP8

This blog post will focus on tools I’ve used for performing Wireless Frame Captures. I’ve been largely dependent on Macbook for capturing the wireless frames. I would highly suggest you for sourcing a Macbook for frame capture as Windows PC option involves getting a third party WLAN pcap which is not cheap. Thank you Apple for making it possible to capture frames natively on Mac.

The Hardware

  • Macbook Pro

Other Utilities Required/Recommended.

  • Wireshark is available as free tool to download. It is highly recommended to optimize it using the wireless configuration profiles available at Metageek. This is our primary tool for capturing and analyzing the frames.

It is recommended to add (Absolute Time, Relative Time & Delta Time) values on the Wireshark as it is important when analyzing the wireless frame analysis. In roaming scenarios, one may need to acquire the time it took for a client to move between one AP to another.

  • Airtool is also available for free. This tool is not mandatory but good to have. Since it is free, then why not? It helps capture frames on few mouse clicks and helping you easily move them analyze them on wireshark or via online (Packets)
  • Packets (Arista) – Phenomenal tool for analyzing the frames. Birds eye view of various frame types in the wireless environment, management retries, problem clients etc. Free account available up to 100MB of pcap (more than sufficient for your CWAP studies).
  • WiFi Explorer – Highly Recommended if you can purchase, the professional version costs around $20 USD. Can really help with identifying the WLAN discovery and metrics of the environment.
  • If you own an iPhone or iPad, one can configure Wi-FI Diagnostics on the phone. Thanks for George Stefanick for explaining it so nicely.

802.11 Frame Exchanges – Security #CWAP7

802.11 Frame Exchanges section account for 25% of syllabus for CWAP-403 exam. Potentially around 15 questions out of 60 in the exam can be expected from this section. This blog post focuses on the “security” component of 802.11 Frame Exchange. I will be focusing on other sections in the subsequent posts in the next week or two. Let’s begin!

Authentication

1st step required to connect to 802.11 BSS. Both authentication and association must occur in order to successfully pass wireless traffic over to the AP and further. IEEE 802.11i-2004 defines RSNA. Open System & Shared Key Authentication are Prior to RSNA (Pre-RSNA) methods. The 802.11 authentication merely establishes an initial connection between the client and the access point, basically validating or authenticating that the STA is a valid 802.11 device.

  • Open System Authentication > Allows any device to authenticate and then attempt to communicate with the AP. The STA can communicate only its Wired Equivalent Privacy(WEP) keys match the AP
  • Shared Key Authentication > Not used anymore. Requires static WEP key configured on STA and AP.

Open System authentication and association between client STA and AP occurs prior to 802.1x/EAP authentication exchange between client STA and Radius server.

WLAN Encryption Methods

  • WEP
    • Pre-RSNA
    • Weak / Vulnerable / No Protection against replay attacks
    • Open/Shared Authentication
  • TKIP (Temporal Key Integrity Protocol) (RSN)
    • Uses dynamically created encryption keys as opposed to static keys.
    • 128-bit temporal key can either be a pairwise transient key (PTK) or group temporal key (GTK) used to encrypt
    • WPA-PSK & WPA-Enterprise
    • Can be vulnerable against certain attacks.
  • CTR with CBC-MAC Protocol (CCMP) (RSN)
    • CTR – Counter mode is used for data confidentiality
    • CBC MAC(Cipher-block chaining message authentication code) is used for integrity.
    • Used with AES block cipher suite with 128 bit key
  • SAE (Simultaneous Authentication of Equals)
    • Uses SAE known as Dragonfly Key Exchange, with forward secrecy feature
    • WPA3 Personal – 128 Bit SAE, Enterprise – 192 bit SAE
    • Not Vulnerable to KRACK attacks and offline dictionary attacks.

The info that is protected by these L2 encryption methods is data found in layers of 3-7. L2 encryption methods are used to provide data privacy for 802.11 data frames. These methods encrypt MSDU payload of an 802.11 data frame.

Security Protocols WEP TKIP (WPA) CCMP (WPA2) OWE (Opportunistic Wireless Encryption)
Cipher RC4 RC4 AES AES-GCM & Elliptical Curve Cryptography
Key 40/104 bits 128 bits 128 bits 192 bits
Authentication N/A IEEE 802.1X/EAP/PSK IEEE 802.1X/EAP/PSK WPA3 Personal / Enterprise
Data integrity CRC32 MIC CCMP Secure Hash Algorithm-2 for each input
IV Length 24 bits 48 bits 48 bits 24 bits

RSNA (Robust Security Network Association)
First published & ratified as IEEE 802.11i-2004, defined stronger encryption and better authentication methods. Now part of 802.11-2007 standard. Association between two stations is referred to as RSNA which means the two radios should share dynamic encryption keys that are unique between those two radios. CCMP/AES s mandatory, TKIP RC4 is optional. All client stations have to undergo a unique RSNA process called the 4-way handshake.

FIGURE 9.12 
Key 1 
RSNA within a BSS 
Group temporal key (GTK) 
Key 2 
Key 4 
Key 3 Access Point 
4-Way Handshake 
Keyl Key 4 
Key2 Key4 
Keys 1, 2, and 3 encrypt 
unicast traffic 
Key 4 encrypts 
broadcast/multicast traffic 
Key3 Key4

The RSN information element field is found in 4 management frames: beacon, probe, association request and reassociation request frames. Client STA use the association request frame & reassociation request (in case of roaming to/from) to inform the AP about their security capabilities.

FIGURE 9.18 
Association 
Client STA 
Reassociation 
Client station RSN security capabilities 
Association request frame 
RSN information element: 
Client STA security capabilities 
1) CCMP/AES encryption 
2) 802.1X authentication 
Association response frame 
Success! - Welcome to the BSS! 
Access Point 
Original AP 
Roaming Client STA 
Reassociation request frame 
RSN information element: 
New AP 
Client STA security capabilities 
1) CCMP/AES encryption 
2) 802.1X authentication 
Reassociation response frame 
Success! - Welcome to the new BSS!

RSN information element – AES(CCMP) used in the below frame example.

v Tag: RSN Information 
Tag Number: RSN Information (48) 
Tag length: 20 
RSN Version: 1 
Group Cipher Suite: (leee 802.11) AES (CCM) 
Pairwise Cipher Suite Count: 1 
Pairwise Cipher Suite List (leee 802.11) AES (CCM) 
Auth Key Management (AOI) Suite Count: 1 
Auth Key Management (AKM) List (leee 802.11) WPA 
RSN Capabilities: 
— RSN Pre—Auth capabilities: Transmitter does not support pre—authentication 
0. — RSN No Pairwise capabilities: Transmitter can support WEP default key 0 simultaneously with Pairwise key 
..ø. 
10.. = RSN PTKSA Replay 
10 = RSN GTKSA Replay 
. 0.. = Management Frame 
= Management Frame 
= Joint Multi—band 
= PeerKey Enabled: 
Counter capabilities: 4 replay counters per PTKSA/GTKSA/STAKeySA (Ox2) 
Counter capabilities: 4 replay counters per PTKSA/GTKSA/STAKeySA (Ox2) 
Protection Required: False 
Protection Capable: False 
RSNA: False 
False

802.1X

The 802.1X standard is port-based access control standard which provides an authorization framework that allows or disallows traffic to pass through port thereby granting access to the network resources.  802.1X can be implemented in either wireless/wired environments. The L2 protocol called EAP (Extensible Authentication Protocol) is used and consists of 3 major components of this framework.

  • Supplicant > Client STA
  • Authenticator > AP or WLAN Controller.
  • Authentication Server > Usually Radius(NPS), ISE (Cisco)
FIGURE 9.23 
comparison-autonomous access point and WLAN controller 
Autonomous AP 
(authenticator) 
Client station 
(supplicant) 
RADIUS server 
(authentication server) 
Network resources 
802. IX—Autonomous AP 
Lightweight 
Client station 
(supplicant) 
WLAN controller 
(authenticator) 
RADIUS server 
(authentication server) 
Network resources 
802. IX—WLAN Controller

EAP

Defined in IETF RFC 2284 and ratified in the IETF RFC 3748, provides support to many authentication methods.

  • L2 Protocol
  • Two way authentication also called as mutual authentication.
  • EAP messages are encapsulated in EAP over LAN (EAPOL)
  • Five major types of EAPOL messages as shown below
TABLE 9.1 
Packet type 
0000 0000 
0000 0001 
0000 0010 
0000 0011 
0000 0100 
EAPOL messages 
Name 
EAP-Packet 
EAPOL-Start 
EAPOL-Logoff 
EAPOL-Key 
EAPOL- Encapsulated - 
ASF-Alert 
Description 
This is an encapsulated EAP frame. The majority 
of EAP frames are EAP-Packet frames. 
This is an optional frame that the supplicant 
can use to start the EAP process. 
This frame terminates an EAP session and 
shuts down the virtual ports. Hackers some- 
times use this frame for DOS attacks. 
This frame is used to exchange dynamic keying 
information. For example, it is used during the 
4-Way Handshake. 
This frame is used to send alerts, such as 
SNMP traps to the virtual ports.
FIGURE 9.27 
Supplicant 
Generic EAP exchange 
Authentication 
Authenticator 
1 802.11 association 
2 EAPoL-start 
EAP-requesVidentity 
4 EAP-response/identity (username) 
EAP-challenge-request 
8 EAP-challenge-response 
EAP-success 
server 
Controlled and 
Access 
uncontrolled 
blocked 
ports blocked 
3 
7 
11 
5 
9 
Uncontrolled port opens 
RADIUS-access-request 
RADIUS-access-challenge 
RADIUS-access-request 
RADIUS-access-accept 
Access 
granted 
6 
10 
Dynamic encryption keys created 
12 
4-Way Handshake 
13 Controlled port opens

EAP Protocols

The stronger and more commonly deployed methods of EAP use TLS (Transport Layer Security) or TLS-tunneled authentication. EAP-MD5 and EAP-LEAP have only 1 supplicant identity making them weaker EAP types. EAP-TLS uses 2 supplicant identities – outer and inner identity. The outer identity is effectively a bogus username and can be seen clear text, and then inner identity is the true identity protected with TLS tunnel.  Table describes all the protocols with their characteristics.

802.1X EAP Types Feature / Benefit MD5 Message Digest 5 TLS Transport Level Security TTLS Tunneled Transport Level Security PEAP (WIDELY USED) Protected Transport Level Security FAST Flexible Authentication via Secure Tunneling LEAP Lightweight Extensible Authentication Protocol
Client-side certificate required no yes no no no (PAC) no
Server-side certificate required no yes yes yes no (PAC) no
WEP key management no yes yes yes yes yes
Rogue AP detection no no no no yes yes
Provider MS MS Funk Software MS Cisco Cisco
Authentication Attributes One way Mutual Mutual Mutual Mutual Mutual
Deployment Difficulty Easy Difficult (because of client certificate deployment) Moderate Moderate Moderate Moderate
Wi-Fi Security Poor Very High High High High High when strong passwords are used.

4-Way Handshake

802.11-2007 standard requires EAPOL-Key frames be used to exchange cryptographic information between STA supplicants and the authenticator, which is usually an AP. EAPOL key frames are used for the implementation of three different frames exchanges: 4-way handshake, group key exchange & peerkey handshake. 4 way handshake is the final process used to generate pairwise transient keys (PMK / GTK) for the encryption of unicast transmissions and the group temporal key for encryption of broadcast/multicast transmissions.

The 4-way handshake uses pseudorandom functions, it hashes various inputs to derive a value (PRF). The PMK is one of the inputs combined with other inputs to create the pairwise transient key (PMK). Some of the other inputs used by the PRF are called nonces. A nonce is a random numerical value that is generated one time only. In the case of 4-way handshake, a nonce is associated with the  PMK. Two nonces are created in 4-way handshake – authenticator nonce (anonce), supplicant nonce (snonce).

PTK = PRF (PMK + anonce + snonce + aa(Authenticator Mac)+ spa (Supplicant Mac).

M1 – Message 1

  • Authenticator sends EAPOL-Key frame containing “anonce” to supplicant
  • With this info,  supplicant have all the necessary input to generate PTK using PRF

M2 – Message 2

  • Supplicant sends an EAPOL-Key frame containing “snonce” to the authenticator
  • Authenticator has all the inputs to create PTK
  • Supplicant also sends RSN IE capabilities to Authenticator & MIC (message integrity code)

M3 – Message 3

  • If necessary, Authenticator will derive GTK from GMK
  • Authenticator sends EAPOL-key frame containing “anonce”, RSN-IE and a MIC.
  • GTP (encrypted with PTK) delivered to the supplicant.
  • Message to supplicant to install temporal keys.

M4 – Message 4

  • Supplicant sends final EAPOL-key frame to authenticator to confirm temporal keys have been installed.

Group Key Handshake

The 802.11-2007 standard also defines a two-frame handshake that is used to distribute a new group temporal key to client STA that have already obtained a PTK and GTK in a pervious 4-way handshake. The GKH is used only to issue a new group temporal key to client STA that have previously formed security associations. Effectively GKH is identical to M3/M4 in 4 way handshake.

Fast BSS Transition (FT)

Published in 2008, 802.11r – technical name for standardized fast secure roaming. An Amendment to improve handoff from one AP to another. The handoff is the same with or without 11r, the device is what ultimately decides when and where to roam.  802.11r are often discussed in context with WLAN controller architecture. Mobility domain is a group of AP that belong to the same ESS where the client STA can roam in a fast and secure manner. FT BSS transitions can happen over-the-air or over-the-DS (Distribution System).

FIGURE 9.33 
Fast BSS transition information element 
Element ID 
Length 
Octets: 
MIC 
Control 
2 
MIC 
16 
ANonce 
32 
SNonce 
32 
Optional 
Parameter(s) 
Variable

FT over-the-air (AP to AP, Same Controller)

  1. Client associates with AP1 and requests to roam to AP2
  2. Client sends a FT authentication request to AP2 and receive FT authentication response from AP2.
  3. Client sends FT reassociation request to AP2 and receives FT re-association response from AP2.
  4. Client completes the roaming from AP1 > AP2

FT over-the-air (AP-CONTROLLER|CONTROLLER-AP)(Inter-Controller)

  1. Step 1 & 2 similar to above steps.
  2. WLC1 ends PMK and mobility message to WLC-2 about the roaming client that uses mobility infrastructure.
  3. Client completes the roaming from AP1 > AP2
Tag: Mobility Domain 
Tag Number: Mobility Domain (54) 
Tag length: 3 
Mobility Domain Identifier: øxcd64 
FT Capability and Policy: exøø 
ø = Fast BSS Transition over DS: exø 
= Resource Request Protocol Capability: 
v Tag: Fast BSS Transition 
Tag Number: Fast BSS Transition (55) 
Tag length: 88 
MIC control: øxeeøø 
øxe 
eøøø eøøø 
= Element Count: e 
MIC: eøøøooøøøøeeøøøeoøøøooøøøøooøøøe 
ANonce: øeoøøøøooøøøooøøøooøøøøooøøøooøøøooøøøøooøøøooøøm 
SNonce: cc1f8ga18b7615afa146b8249a7311283587dd66ca57eeeg„. 
Subelement ID: PMK—Rø key holder identifier (ROKH—ID) (3) 
Length: 4 
PMK-RO key holder identifier (ROKH-ID): cea814øa

FT over-the-DS (AP to AP, Same Controller)

  1. Client Associates to AP1 and requests to roam to AP2
  2. Client sends a FT authentication request to AP1 and receives a FT authentication response from AP1
  3. The controller sends the pre-authentication info to AP2 as the AP are member of same controller.
  4. Client sends a FT re-association request to AP2 and receives a FT re-association response from AP2.
  5. Client completes its roaming

FT over-the-DS (AP to AP, Different Controller)

  1. Step 1 and 2 are similar to above steps.
  2. WLC-1 sends PMK and mobility message to WLC-2 about the roaming client
  3. Client completes its roam from AP1 to AP2.
Tag: Mobility Domain 
Tag Number: Mobility Domain (54) 
Tag length: 3 
Mobility Domain Identifier: øxcd64 
FT Capability and Policy: Oxø1 
Fast BSS Transition over DS: Oxl 
Resource Request Protocol Capability: 
Tag: Fast BSS Transition 
Tag Number: Fast BSS Transition (55) 
Tag length: 88 
MIC control: øxeeøø 
øxo 
eøøø eøøø 
= Element Count: e 
MIC: eøøøooøøøøooøøøooøøøooøøøøooøøøo 
ANonce: øeoøøøøooøøøooøøøooøøøøooøøøooøøøooøøøøooøøøooøø„. 
SNonce: f71ebøf1ef1b8725392f92f2979186ed912676cb6cb5cb53-. 
Subelement 
Length: 4 
PMK-RØ key 
ID: PM-Re key holder identifier (ROKH-ID) (3) 
holder identifier (ROKH—ID): cea814øa

Recommended Readings

PHY Layer – CWAP#5

This chapter accounts for 10% of the Knowledge Domain in the CWAP exam. Approx. 6/60 questions!

Exam Moment from the Book : It is not important, for the CWAP exam, that you know all the details of the variations of the PHY preambles; however, you should know that the preamble adds extra overhead to the communications and that older devices may introduce a preamble that reduces performance overall and forces all devices in the BSS to communicate based on that long preamble.

CS/CCA

Carrier Sense > State of STA where it is ready to transmit or receive packets/signals

Clear Channel Assessment > Identify whether the channel is unused and available prior to the packet transmission

Transmit (Tx) > Upon checking if the wireless medium is available the STA needs to transmit a frame which is enabled by CS/CCA process. Unlike ethernet the wireless frames cannot transmit and receive the frames at the same time.

Receive (Rx) > The transmitting STA will precede the data portion of the frame with a preamble.  It contains a binary strings that the receiving station can identify and synchronise with , essentially alerting the receiving station to the transmission. The preamble also includes a Start Frame Delimiter field, which the receiving station uses to identify the beginning of the frame. An ACK frame Is sent with the entire frame is received.

Upper : Physical Layer Convergence Procedure (PLCP) 
Lower : Physical Medium Dependant (PMD) 
MSDU (MAC service Data Unit) 
MPDU + MSDU 
MAC header and trailer are added,'removed 
creates PLC? Protocol Data Unit (PPDIJ) from MAC sublayer. 
MPDU is handed down to the PHY referred as PLCP Service 
Data Unit (PLC?) 
PMD modulates and transmits the data as bits.

PMD > transmits the data as RF modulated 1s and 0s. When receiving , the PMD listens to the RF and passes the received data up to the PLCP sublayer.
PLCP Protocol Data Unit> When PLCP receives PSDU, it then prepares PPDU. PLCP adds a preamble + PHY header to the PSDU.

PLCP Preamble > String of 0/1 bits that are used to synchronise incoming transmissions. IEEE 802.11-2007 standard defines 3 different PPDUs.

Long PPDU > 144 bit PLCP Preamble, 128 bit Sync field + 16 bit Start of Frame Delimiter (SFD).

Short PPDU > 72 bit PLCP Preamble, 56 bit Sync field and 16 bit SFD

OFDM PLCP Preamble >10 short symbols + 2 long symbols

PLCP Header > Long & Short PLCP Headers are both 48 bits log and contain 4 fields (Signal(8) + Service(8) + Length(16) + CRC(16).

PPDIJ 
PLC? Preamble 
PLC? Header 
PSDU 
OFDM PLC? 
Long PPDIJ 
Short PPDIJ 
Long Header 
Short Header

802.11n PPDUs

FIGURE 2.5 
Greenfield 
802.11n PPDU formats 
L-STF 
L-STF 
GFSTF 
L-LTF 
L-LTF 
HT-LTFI 
I-SIG 
I-SIG 
HT-SIG 
HT-SIG 
HT-LTFI 
L=Legacy (non-HT) 
STF=Short Training held 
LTF=Long Training Field 
SIG-Signal 
HT=High Throughput 
GF=Greenfield

Non-HT Legacy PPDU

  • Consists of Preamble(Short/Long symbols)
  • Mandatory for 802.11n radios and transmissions can occur in only 20MHz channels.
  • Effectively same format used by legacy 802.11a/g radios.


HT-Mixed PPDU

  • 802.11n amendment
  • Likely be most commonly used format as it supports HT + Legacy 802.11a/g.
  • Transmission can occur in both 20MHz and 40MHz channels

HT-Greenfield PPDU

  • 2nd of the two new PPDU formats defined by 802.11n.
  • Not compatible with legacy 802.11 radios, only the HT Radios can communicate with this format.
  • Can transmit using 20MHz and 40MHz fields.

Data Field

The data field portion of PPDU is the PSDU. In easy terms, the data field is the 802.11 MAC frame.

How did I Decipher 802.11 Frames! #CWAP-2

Main Objective: To successfully transfer every bit of information(data) from one device to another.

802.11 MAC HEADER

Let us now go through the basics of the frame header and the components. I have captured a simple beacon (management) frame using Wireshark.

I will briefly explain each of the fields. Notice the number in the bracket refers to the bytes. For memory 1 Byte = 8 bits. 🙂

802.11 Beacon frame capture
Frame Control Field dissection

Frame Control > 16 bits | 2 Bytes – contains 11 subfields as displayed in the above examples. Considering the amount of valuable information contained in 802.11 Frame Control sub-fields is mind-boggling

Protocol Version (2 bits): For now, always set to 0 by default. Changes in the version are expected in the future.

Type: Management (0,0), Data(1,0), Control(0,1), Extension Frame(1,1)*only available with 802.11D

Sub Type (4 bits): There are different kinds of management, control and data frames. Therefore the 4-bit Subtype field is required to differentiate. The above examples have Beacon & ACK subtypes.

To DSif set to “1” – Frame going from STA > Distribution System (DS)
From DSif set to “1” – Frame going from DS > STA


To DS = 0, From DS = 0  > Management or Control frames where it does not go to DS, Can be STA to STA communication in an ADHOC/IBSS setup.
To DS =0, From DS = 1 > Downstream traffic from AP to the STA.
To DS =1, From DS = 0 > Upstream traffic from STA to AP
To DS =1, From DS = 1 > Data frame using 4 MAC header format, usually occurs in WDS or Mesh Network
.

More Fragments – If set to “1” it is usually preceded by another fragment of current MSDU or MMPDU to follow.

Retry – 0 or 1. 1 is for retransmissions. Lot of 1’s may indicate a network with a lot of retry rate due to some issue. The issues can impact the performance by increased application/network latency thereby degrading user experience.

Power Management – if set to “1”, STA is using power save mode.

More Data: if set to “1” it indicates that the AP or STA is holding more frames for the STA to which the current frame is targeted.

Protected Frame – if set to “1” it indicates payload is encrypted.

Order – If set to “1” in any non-QoS data frame when a higher layer has requested that the data be sent using strictly ordered CoS, which tells the receiving STA to process the frames in order.

Duration/ID > 2 Bytes | 16 bits – May be used for 2 purposes, it may contain the duration of the frame. Secondly, it may contain association identifier (AID) of the STA that transmitted the frame.

Address 1,2,3 and 4: Each address contains 6bytes/48 bits of data.

SA > Source Address
DA > Destination Address
TA > Transmitting Address
RA > Receiving Address
BSSID >

Sequence Control Field (2 Bytes/16 bits): Divided into 4-bit fragment number and a 12-bit sequence number. Used when MSDUs are fragmented. 802.11-2016 allows for fragmentation of frames.

QoS Control Field: (2 Bytes/16 bits): Only used in MAC header of QoS frames. Sometimes referred to as WMM (Wi-Fi Multimedia) which provides traffic prioritization.

HT Control Field (4 bytes/32 bits): Parameters related to HT & VHT operations. Only used in Management + QoS control frames.

Frame Body: Contains the actual MSDU payload to be transmitted.

FCS: (Frame check sequence field 4Bytes/32 Bits) – Final field on the frame header. Also known as Trailer as the word says. Used to detect errors in communication.

CWAP 403 – Start >

I will be summarising each chapter on the Certitrek Publishing – Official Study Guide for CWAP 403 Exam.

I’ve learned plenty of concepts from the first chapter – 802.11 – The Protocol. This is one of the chapters which you have to read and learn. One may not learn the contents of this chapter directly while working or experience this in his/her day today. Following the posts should give you a fair idea of what the chapter entails and get close to fulfilling the exam requirements. You still have to go through the book multiple times and revise the concepts discussed in the CWNA exam to fully grasp the knowledge required for this exam.

OSI Layers

(APSTNDP) – For the purpose of our CWAP exam we will be concentrating our efforts on layer 1-4 only. More so we have to aim at learning layers 1 and 2 as IEEE 802.11 is focussed around them.

IEEE 802.3(Ethernet) & 802.11 (WLAN) operate primarily at Layers 1 & 2 of the OSI model. The Internet Engineering Task Force (IETF) operates at Layer 3 & 4.

Layer 4 is typically TCP/UDP. TCP is a connection-oriented protocol that uses a 3-way handshake, whereas UDP is a connectionless protocol typically used in time-sensitive applications where occasionally dropping packets is better than waiting.

Layer 3 is typically IP with the exception of WAN related protocols like HDLC, ATM, Frame Relay, etc.

Layer 2 (Data Link layer) – This is subdivided into MAC(lower) + LLC (upper). Frames are organized and meaningful collection of bits that are prepended and appended to upper-layer data within the network communications. When Network layer 3 sends data to the Data-Link layer (2), the data is handed off to the LLC and becomes known as MSDU (MAC Service Data Unit). The MSDU consists of data payload that contains the IP packet + some LLC data. When LLC sends the MAC service data unit info to the MAC sublayer, the MAC header information gets added in a MAC Protocol Data Unit (MPDU).

Layer 1 (PHY) – Physical Medium can be RF, Light Waves, Fibre cables. Capabilities include encoding, modulation, demodulation, timing & signals. This layer is subdivided into PLCP (Physical Layer Convergence protocol – Upper) & PMD (Physical Medium Dependent). The PLCP sublayer prepares the frame for transmission by taking the frame from the MAC sublayer and creating the PLCP Protocol Data Unit (PPDU).


802.11 Physical Layers

Protocol Year (adopted) Frequency Channel Width (MHz) MIMO PHY
802.11az Late 2021 60 GHz      
802.11ay 2020 60 GHz 8000 MU-MIMO EDMG
802.11ax Late 2019 2.4 or 5GHz 20,40,80, 160 MU-MIMO HEW
802.11ac wave2 2015 5 GHz 20,40,80, 160 MU-MIMO VHT
802.11ac wave1 2014 5 GHz 20,40,80 SU-MIMOVHT
802.11n 2009 2.4 or 5 GHz 20,40 SU-MIMOHT
802.11g 2003 2.4 GHz 20 N/A ERP
802.11a 1999 5 GHz 22 N/A OFDM
802.11b 1999 2.4 GHz 20 N/A HR-DSSS
802.11 Prime 1997 2.4 GHz 22 N/A DSSS

Modulation is the process of imposing bits on a transmission medium. I have detailed the keying methods useful in understanding the basics of Modulation here. Also, refer to mcsindex.com for numbers related to Modulation and Coding. We will be exploring in detail about this in the forthcoming chapters which entail about PHY Layers and Technologies.

Troubleshooting Methods

The industry troubleshooting methods e.g. from Cisco, Microsoft or CompTIA are not tested on the CWAP exam. The CWAP exam objectives list the following troubleshooting actions.

  • Define the Problem
  • Identify the Scale of the Problem
  • Identity Probable Causes
  • Capture and Analyze the Data (Most of the CWAP concentrated here)
  • Observe the Problem
  • Choose appropriate Remedial Steps.
  • Document the Problem and Resolution.

Special Thanks to Rasika as I’ve learned a lot from his blogs.

Summary of the 802.11 Mac Header

Network Layer – IP header is added.
Data Link Layer – MAC header is added.
Physical Layer – PHY header is added.


Data is eventually transmitted as individual bits at the Physical layer.

BIT > 0/1, Octet > Byte of data.
Data Link Layer – LLC (802 based networks), MAC

MAC Service Data Unit > When network layer sends data to the Data Link layer, the data is handed off to the LLC and becomes MSDU

MSDU = IP Packet + Some LLC Data.

Only 802.11 Data Frames carry MSDU – Ratification 802.11n-2009, introduced A-MSDU

MSDU = 2304 Octets, A-MSDU = up to 7935 Octets.

MAC Protocol Data Unit > When the LLC sublayer sends MSDU to the MAC sublayer, the MAC header info is added to identify it.

MPDU = MAC Header + Frame Body(MSDU) + FCS (Trailer)
A-MPDU > transmissions are created by transmitting multiple MPDUs as one PHY frame as opposed to A-MSDU transmissions, which are created by passing MSDUs down the PHY layer as single MPDU.

Physical Layer comprises of PLCP & PMD – PLCP prepares the frame for transmission by taking the frame MAC sublayer and creating the PLCP Protocol Data Unit.

PPDU = PLCP + Frame from Mac Layer.

PLCP Service Data Unit > Pretty much like MPDU at PHY layer.
PLCP = PPDU + PSDU