Troubleshooting WLAN issues with 802.11 Frames – #CWAP9

I have penned down some troubleshooting scenarios which I’ve come across while studying for the CWAP exam.

To begin with,

Management Frames > The foundation of how wireless radios discover, join and operate on a WLAN (beacons, probes, authentication, association, deauthentication).
Control Frames > Frames that control the delivery of Data frames (RTS/CTS, ACK, PS-Poll).
Data Frames > Carry the actual payload from/to layers 3-7.

Some scenarios where frames can provide insight:

  • Client Roaming Observations – In some cases clients are not able to roam seamlessly, or the roam is delayed when a client moves from one AP to another. In other cases we need to find which roaming methods the AP and client support in order to diagnose other issues. Let’s see how the frames can help.
    • To find the roaming handoff time from one AP to another, examine the frames from the Reassociation Request to the completion of the 4-way handshake (EAPOL message 4). Note that with 802.11r fast transition the PTK is derived during the reassociation itself, so there is no 4-way handshake and the handoff ends at the Reassociation Response. E.g. the capture below.
[Screenshot: Wireshark capture of the roam, from the Reassociation Request through the EAPOL 4-way handshake; the frame timestamps are used in the calculation below.]
    • Total roaming time is calculated by subtracting the Reassociation Request time (0.003857) from the EAPOL M4 time (0.105180): 0.105180 − 0.003857 = 0.101323 s, approx. 101 ms.
    • The roaming method can be deduced from the Mobility Domain element in the Tagged Parameters of the 802.11 Wireless LAN section. In the example below the FT Capability and Policy field has Fast BSS Transition over DS = 0, i.e. over-the-air FT; a value of 1 denotes over-the-DS FT.
    Tag: Mobility Domain
        Tag Number: Mobility Domain (54)
        Tag length: 3
        Mobility Domain Identifier: 0xcd64
        FT Capability and Policy: 0x00
            Fast BSS Transition over DS: 0x0
            Resource Request Protocol Capability: 0x0
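The two checks from the roaming section above, the Mobility Domain element decode and the handoff-time calculation, written out in code. This is an added example and not code from the original post: it walks the Tagged Parameters (Tag/Length/Value list) of a (Re)Association Request, decodes the Mobility Domain element (tag 54) into the MDID and the FT Capability and Policy bits, and computes the Reassociation Request to EAPOL M4 time from a frame timeline. The Mobility Domain bytes mirror the dissection above (MDID 0xcd64, FT Capability and Policy 0x00); the SSID and Supported Rates elements and the intermediate timestamps are constructed, and only the first and last timeline values come from the post.

```python
import struct
from typing import Dict, List, Optional, Tuple

MOBILITY_DOMAIN = 54  # Element ID of the Mobility Domain element (802.11r)


def parse_ies(tagged: bytes) -> List[Tuple[int, bytes]]:
    """Walk the Tag/Length/Value list of a management frame body.

    A Length that runs past the end of the buffer (truncated capture or a
    malformed frame) raises instead of reading beyond the data; this is the
    check any 802.11 element parser has to make before trusting the Length byte.
    """
    ies, off = [], 0
    while off + 2 <= len(tagged):
        tag, length = tagged[off], tagged[off + 1]
        if off + 2 + length > len(tagged):
            raise ValueError(f"element {tag}: length {length} overruns body at offset {off}")
        ies.append((tag, tagged[off + 2:off + 2 + length]))
        off += 2 + length
    return ies


def decode_mobility_domain(value: bytes) -> Dict:
    """MDID (little-endian) plus the two defined bits of FT Capability and Policy."""
    if len(value) != 3:
        raise ValueError("Mobility Domain element must be 3 bytes long")
    mdid = struct.unpack("<H", value[:2])[0]
    cap = value[2]
    return {
        "mdid": mdid,
        "ft_over_ds": bool(cap & 0x01),        # bit 0: 0 = over-the-air, 1 = over-the-DS
        "resource_request": bool(cap & 0x02),  # bit 1: Resource Request Protocol capability
        "method": "over-the-DS" if cap & 0x01 else "over-the-air",
    }


def ft_method(tagged: bytes) -> Optional[Dict]:
    """Decoded Mobility Domain element from the Tagged Parameters of a
    (Re)Association Request, or None when the STA is not advertising 802.11r."""
    for tag, value in parse_ies(tagged):
        if tag == MOBILITY_DOMAIN:
            return decode_mobility_domain(value)
    return None


def handoff_time(timeline: List[Tuple[float, str]]) -> Optional[float]:
    """Seconds from the last Reassociation Request to the EAPOL message 4 that
    completes the 4-way handshake, i.e. the calculation the post does by hand."""
    start = None
    for ts, label in timeline:
        if label == "Reassociation Request":
            start = ts
        elif label == "EAPOL M4" and start is not None:
            return ts - start
    return None


# Constructed Tagged Parameters: SSID, Supported Rates, then the Mobility Domain
# element with the values from the dissection above (MDID 0xcd64, FT Cap 0x00).
TAGGED = (bytes([0, 4]) + b"corp"
          + bytes([1, 2, 0x82, 0x84])
          + bytes([MOBILITY_DOMAIN, 3, 0x64, 0xcd, 0x00]))

# Constructed roam timeline; only the first and last timestamps come from the post.
TIMELINE = [
    (0.003857, "Reassociation Request"),
    (0.008120, "Reassociation Response"),
    (0.061004, "EAPOL M1"),
    (0.077310, "EAPOL M2"),
    (0.092551, "EAPOL M3"),
    (0.105180, "EAPOL M4"),
]

if __name__ == "__main__":
    print(ft_method(TAGGED))                                    # mdid 52580 (0xcd64), over-the-air
    print(f"handoff: {handoff_time(TIMELINE) * 1000:.1f} ms")  # 101.3 ms
```

If ft_method() returns None the client did not include a Mobility Domain element at all, so an 802.11r roam was never on the table and the full 4-way handshake (or even a full 802.1X exchange) after reassociation is expected rather than a fault.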
  • Management Retries – Generally anything under 20% management retries in the network is considered acceptable; there is no single vendor-recommended figure. A production environment will always have some percentage of retries even when AP and client placement, AP Tx power, interference and channel settings are optimal. Consistently more than 20% retries, however, indicates a problem in the WLAN environment that needs investigation.
[Chart: Total Retransmissions Across All Clients. Legible figures: Mgmt Retries 0.94% (408), Control frames 77.02% (33,946); the Data retry percentage is not readable in the screenshot.]
IEEE 802.11 Authentication, Flags: ....R...
    Type/Subtype: Authentication (0x000b)
    Frame Control Field: 0xb008
        .... ..00 = Version: 0
        .... 00.. = Type: Management frame (0)
        1011 .... = Subtype: 11
        Flags: 0x08
            .... ..00 = DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0 From DS: 0)
            .... .0.. = More Fragments: This is the last fragment
            .... 1... = Retry: Frame is being retransmitted
            ...0 .... = PWR MGT: STA will stay up
            ..0. .... = More Data: No data buffered
            .0.. .... = Protected flag: Data is not protected
            0... .... = Order flag: Not strictly ordered
    .000 0000 0010 1100 = Duration: 44 microseconds
    Receiver address: Cisco_bf:a4:2e (00:a7:42:bf:a4:2e)
    Destination address: Cisco_bf:a4:2e (00:a7:42:bf:a4:2e)
    Transmitter address: 5e:a7:ec:a8:33:ab (5e:a7:ec:a8:33:ab)
    Source address: 5e:a7:ec:a8:33:ab (5e:a7:ec:a8:33:ab)
    BSS Id:
    .... .... .... 0000 = Fragment number: 0
    0000 0000 0001 .... = Sequence number: 1
  • We can also plot this on the Wireshark IO Graph to highlight management retries over time (the display filter wlan.fc.type == 0 && wlan.fc.retry == 1 isolates retried management frames). The network below has a lot of management retries and needs further investigation.
[Screenshot: Wireshark IO Graph for airtool_2019-11-28_02.47.29.PM.pcap, 10 second interval, plotting all packets against management retries.]
  • Duration/ID field
    • 16 bits in length; used for virtual carrier-sense (it sets the NAV of every station that hears the frame), for legacy power management (it carries the AID in a PS-Poll) and during the contention-free period.

In the RTS frame below the Duration value is 2048 microseconds (not milliseconds). The transmitting radio is reserving airtime for the pending exchange: every station that hears the RTS sets its NAV to this value and defers for that long, and the receiving radio grants the reservation by answering with a CTS (or simply does not respond). A consistently high Duration value therefore means other stations are being held off the channel for longer than necessary, which can show up as odd client behaviour and may disrupt network services. Check the change log for the WLAN environment closely: a WLAN controller/AP software update or a client driver update may be the cause. Also NOTE: check the device itself, since a high Duration value is not always a problem (a long data frame sent at a low rate legitimately needs a long reservation).

IEEE 802.11 Request-to-send, Flags: ........C
    Type/Subtype: Request-to-send (0x001b)
    Frame Control Field: 0xb400
        .... ..00 = Version: 0
        .... 01.. = Type: Control frame (1)
        1011 .... = Subtype: 11
        Flags: 0x00
            .... ..00 = DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0 From DS: 0)
            .... .0.. = More Fragments: This is the last fragment
            .... 0... = Retry: Frame is not being retransmitted
            ...0 .... = PWR MGT: STA will stay up
            ..0. .... = More Data: No data buffered
            .0.. .... = Protected flag: Data is not protected
            0... .... = Order flag: Not strictly ordered
    .000 1000 0000 0000 = Duration: 2048 microseconds
    Receiver address: Apple_ (partly illegible in the screenshot)
    Transmitter address: 7a:8a:20:0f:b9:6f (7a:8a:20:0f:b9:6f)
    Frame check sequence: 0x4d4e67bf [unverified]
    [FCS Status: Unverified]
  • Null Data Frames / Power Management

Null data frames are not in fact "null" as far as their usefulness goes; they help in troubleshooting a few WLAN issues. A Null function frame is a Data frame (type 2, subtype 4) with no payload, not a Control frame. It is normally transmitted by the client STA, and its purpose is to carry the Power Management bit of the Frame Control field to the AP. The bit will be set to either 0 or 1; examples of both follow.

PWR MGT = 0: the STA is informing the AP that it is in the active (awake) power state, and frames from the AP to the STA should be delivered normally.

IEEE 802.11 Null function (No data), Flags: .......TC
    Type/Subtype: Null function (No data) (0x0024)
    Frame Control Field: 0x4801
        .... ..00 = Version: 0
        .... 10.. = Type: Data frame (2)
        0100 .... = Subtype: 4
        Flags: 0x01
            .... ..01 = DS status: Frame from STA to DS via an AP (To DS: 1 From DS: 0)
            .... .0.. = More Fragments: This is the last fragment
            .... 0... = Retry: Frame is not being retransmitted
            ...0 .... = PWR MGT: STA will stay up
            ..0. .... = More Data: No data buffered
            .0.. .... = Protected flag: Data is not protected
            0... .... = Order flag: Not strictly ordered
    .000 0000 0010 1100 = Duration: 44 microseconds
    Receiver address: RuckusWi_cf:d2:7c (2c:5d:93:cf:d2:7c)
    Transmitter address: Apple_51:44:de (94:f6:d6:51:44:de)
    Destination address: RuckusWi_cf:d2:7c (2c:5d:93:cf:d2:7c)
    Source address: Apple_51:44:de (94:f6:d6:51:44:de)
    BSS Id: RuckusWi_cf:d2:7c (2c:5d:93:cf:d2:7c)

PWR MGT = 1: the STA is informing the AP that it is going to sleep, and any frames arriving at the AP destined for this STA should be buffered at the AP until the STA wakes up and either sends a Null frame with the bit cleared (active state) or retrieves them with PS-Poll.

IEEE 802.11 Null function (No data), Flags: ...P...TC
    Type/Subtype: Null function (No data) (0x0024)
    Frame Control Field: 0x4811
        .... ..00 = Version: 0
        .... 10.. = Type: Data frame (2)
        0100 .... = Subtype: 4
        Flags: 0x11
            .... ..01 = DS status: Frame from STA to DS via an AP (To DS: 1 From DS: 0)
            .... .0.. = More Fragments: This is the last fragment
            .... 0... = Retry: Frame is not being retransmitted
            ...1 .... = PWR MGT: STA will go to sleep
            ..0. .... = More Data: No data buffered
            .0.. .... = Protected flag: Data is not protected
            0... .... = Order flag: Not strictly ordered

PSM > Power Save Mode allows the client STA to go to sleep: it can essentially turn off NIC functions including the radio, consuming less battery and conserving it. Some devices benefit from this, but some have aggressive power-save options, so check the client driver details when troubleshooting any client-related issue.

Some known issues with Power Management are described in the links below.

Another reason a client STA may set the bit to 1 is roaming. Suppose the signal from the AP the client is connected to has dropped to the client’s roaming threshold and it wants to switch to a nearby AP; to do so it has to leave the serving channel to probe other channels, so it tells the AP to buffer its frames, goes off-channel to scan, and then returns and clears the bit to resume its connection.
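The Frame Control, Duration/ID and Power Management fields discussed in the Management Retries, Duration/ID and Null Data sections above, decoded in code. This is an added example, not code from the original post: a small Python decoder for the 802.11 MAC header that reports type/subtype, the Retry and PWR MGT bits and the Duration value (or the AID when bit 15 is set, as in PS-Poll), plus a management-retry percentage over a list of frames and the power-state signalling carried by Null frames. The sample headers are constructed to match the frames dissected above (Frame Control 0xb008, 0xb400, 0x4801 and 0x4811 with their addresses); the Beacon, the RTS receiver address, the build() helper and the 20% threshold check are illustrative assumptions.

```python
import struct
from typing import Dict, List, Tuple

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data", 3: "Extension"}
# Subtype names for the frame types discussed on this page (not exhaustive).
SUBTYPE_NAMES = {
    (0, 2): "Reassociation Request", (0, 3): "Reassociation Response",
    (0, 8): "Beacon", (0, 11): "Authentication", (0, 12): "Deauthentication",
    (1, 10): "Power Save Poll", (1, 11): "Request-to-send",
    (1, 12): "Clear-to-send", (1, 13): "Acknowledgement",
    (2, 0): "Data", (2, 4): "Null function (No data)", (2, 8): "QoS Data",
}
# Second Frame Control byte, LSB first, in the order Wireshark lists the flags.
FLAG_BITS = [("to_ds", 0x01), ("from_ds", 0x02), ("more_frag", 0x04), ("retry", 0x08),
             ("pwr_mgt", 0x10), ("more_data", 0x20), ("protected", 0x40), ("order", 0x80)]
RETRY_THRESHOLD = 0.20  # the rule of thumb from the post


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def decode_header(hdr: bytes) -> Dict:
    """Decode the MAC header fields shown in the dissections above.

    hdr is the frame as transmitted, starting at Frame Control. Only Frame
    Control, Duration/ID, the address fields and (for management and data
    frames) Sequence Control are decoded; body and FCS are ignored.
    """
    b0, b1 = hdr[0], hdr[1]
    ftype, subtype = (b0 >> 2) & 0x03, (b0 >> 4) & 0x0F
    dur_raw = struct.unpack_from("<H", hdr, 2)[0]
    info = {
        "fc_hex": hdr[:2].hex(),  # same rendering as Wireshark's "Frame Control Field: 0x...."
        "version": b0 & 0x03,
        "type": TYPE_NAMES[ftype],
        "subtype": SUBTYPE_NAMES.get((ftype, subtype), f"subtype {subtype}"),
        "flags": {name: bool(b1 & mask) for name, mask in FLAG_BITS},
        # Bit 15 set means the field carries an AID (PS-Poll), not a NAV duration.
        "duration_us": None if dur_raw & 0x8000 else dur_raw,
        "aid": dur_raw & 0x3FFF if dur_raw & 0x8000 else None,
        "addr1": mac(hdr[4:10]),
        "addr2": mac(hdr[10:16]),
    }
    if ftype != 1:  # control frames such as RTS stop after RA and TA
        seq_ctrl = struct.unpack_from("<H", hdr, 22)[0]
        info.update(addr3=mac(hdr[16:22]), frag=seq_ctrl & 0x0F, seq=seq_ctrl >> 4)
    return info


def mgmt_retry_rate(frames: List[bytes]) -> float:
    """Fraction of management frames carrying the Retry bit (0.0 if none seen)."""
    mgmt = [decode_header(f) for f in frames if (f[0] >> 2) & 0x03 == 0]
    return sum(d["flags"]["retry"] for d in mgmt) / len(mgmt) if mgmt else 0.0


def power_state_changes(frames: List[bytes]) -> List[Tuple[str, str]]:
    """(transmitter, 'sleep' | 'awake') for every Null frame: the PWR MGT signalling."""
    out = []
    for f in frames:
        d = decode_header(f)
        if d["type"] == "Data" and d["subtype"].startswith("Null"):
            out.append((d["addr2"], "sleep" if d["flags"]["pwr_mgt"] else "awake"))
    return out


def build(fc: str, duration: int, *addrs: str, seq: int = None) -> bytes:
    """Assemble a header from a hex Frame Control, Duration/ID, MAC strings and
    optional sequence number (fragment 0). Helper for the constructed samples."""
    hdr = bytes.fromhex(fc) + struct.pack("<H", duration)
    hdr += b"".join(bytes.fromhex(a.replace(":", "")) for a in addrs)
    if seq is not None:
        hdr += struct.pack("<H", seq << 4)
    return hdr


AP_CISCO, STA_1 = "00:a7:42:bf:a4:2e", "5e:a7:ec:a8:33:ab"
AP_RUCKUS, STA_2 = "2c:5d:93:cf:d2:7c", "94:f6:d6:51:44:de"
# Constructed sample headers mirroring the frames dissected on this page.
SAMPLE_FRAMES = [
    build("b008", 44, AP_CISCO, STA_1, AP_CISCO, seq=1),             # Authentication, Retry set
    build("8000", 0, "ff:ff:ff:ff:ff:ff", AP_CISCO, AP_CISCO, seq=2),  # Beacon, no retry (assumed)
    build("b400", 2048, STA_2, "7a:8a:20:0f:b9:6f"),                  # RTS, Duration 2048 us (RA assumed)
    build("4801", 44, AP_RUCKUS, STA_2, AP_RUCKUS, seq=3),            # Null, STA awake
    build("4811", 44, AP_RUCKUS, STA_2, AP_RUCKUS, seq=4),            # Null, STA going to sleep
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        d = decode_header(f)
        print(d["fc_hex"], d["type"], d["subtype"], "dur=", d["duration_us"],
              [n for n, v in d["flags"].items() if v])
    rate = mgmt_retry_rate(SAMPLE_FRAMES)
    print(f"mgmt retry rate {rate:.0%}", "(investigate)" if rate > RETRY_THRESHOLD else "(ok)")
    print(power_state_changes(SAMPLE_FRAMES))
```

Feeding real captures into this decoder means stripping the Radiotap header first and taking the 802.11 header bytes only; the same Duration/ID caveat applies there, since a PS-Poll with bit 15 set will otherwise be reported as a 32768+ microsecond reservation.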


CCK – Complementary Code Keying
DSSS – Direct Sequence Spread Spectrum
OFDM – Orthogonal Frequency Division Multiplexing
FHSS – Frequency Hopping Spread Spectrum

There are various versions of the WLAN standard, developed to address different data rate and coverage requirements. IEEE 802.11b supports four data rates: 1 Mbps, 2 Mbps, 5.5 Mbps and 11 Mbps.
DSSS provides the 1 Mbps and 2 Mbps data rates.
CCK (too old for the CWNA exam) provides 5.5 and 11 Mbps, while OFDM is used for the higher data rates.
OFDM is used in IEEE 802.11a, 11g, 11n, 11ac and 11ad. From 802.11n onward OFDM is combined with MIMO to increase the data rate further.

CCK is the modulation used by 802.11b when operating at 5.5 Mbps or 11 Mbps. It was chosen because it occupies approximately the same bandwidth as MOK and can use the same header and preamble as the pre-existing 1 and 2 Mbps DSSS networks, which made interoperability straightforward.

FHSS – The RF carrier frequency is changed according to a pseudo-random sequence (PRS or PN sequence). The PN sequence is known to both transmitter and receiver, which is what allows the receiver to follow the hops and demodulate/decode the information. The RF frequency does not vary within one hop (chip) duration. FHSS is classed as fast-hopped (several hops per data symbol) or slow-hopped (several symbols per hop). Dwell time, the amount of time a system transmits on one frequency, is usually up to 400 ms; hop time is the time the transmitter takes to change from one frequency to another.

DSSS – In DSSS the information bits are spread across both frequency and time, which minimises the effect of interference as well as fading. DSSS systems are still prone to errors, but at a lower level than FHSS systems, which produce strong bursty errors. DSSS delivers capacity up to 11 Mbps while FHSS supports up to 3 Mbps. DSSS is the more sensitive technology and FHSS the more robust one; this is observed in harsh environments with large coverage areas, noise, collocated cells, multipath and the presence of Bluetooth transmissions. DSSS is ideal for point-to-point applications while FHSS can be used in point-to-multipoint deployments with excellent performance.
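A toy model of the two spread spectrum techniques compared in the FHSS and DSSS paragraphs above. This is an added example and not code from the original post. The DSSS half spreads each bit over the 11-chip Barker sequence used by 802.11 at 1 and 2 Mbps and despreads by correlation, so the receiver still decodes correctly when interference corrupts up to 5 of the 11 chips of a symbol (the processing gain); the FHSS half derives the same pseudo-random hop pattern at both ends from a shared seed, and a jammer parked on one channel destroys exactly the bits sent during that dwell and nothing else (the bursty errors mentioned above). The bit pattern, the chip-flip interference, the explicit hop list, the seed and the jammed channel are constructed for illustration; the 79-channel figure is the North American 802.11 FHSS channel count.

```python
import random
from typing import List, Optional

BARKER_11 = [1, -1, 1, 1, -1, 1, 1, 1, -1, -1, -1]  # 802.11 DSSS spreading code
N_FHSS_CHANNELS = 79                                   # 1 MHz channels, 2.4 GHz, 802.11 FHSS


def dsss_spread(bits: List[int]) -> List[int]:
    """Each bit becomes 11 chips: bit 1 -> Barker code, bit 0 -> inverted Barker code."""
    return [c if b else -c for b in bits for c in BARKER_11]


def dsss_despread(chips: List[int]) -> List[int]:
    """Correlate every 11-chip block with the code; the sign of the sum decides the bit.
    An undisturbed symbol correlates to +11 or -11, each flipped chip costs 2."""
    n = len(BARKER_11)
    out = []
    for i in range(0, len(chips), n):
        corr = sum(c * k for c, k in zip(chips[i:i + n], BARKER_11))
        out.append(1 if corr > 0 else 0)
    return out


def corrupt_chips(chips: List[int], flips_per_bit: int) -> List[int]:
    """Constructed interference: invert the first `flips_per_bit` chips of every symbol."""
    n = len(BARKER_11)
    out = list(chips)
    for i in range(0, len(chips), n):
        for j in range(flips_per_bit):
            out[i + j] = -out[i + j]
    return out


def hop_sequence(seed: int, n_hops: int, n_channels: int = N_FHSS_CHANNELS) -> List[int]:
    """Pseudo-random hop pattern; transmitter and receiver derive the same one
    from the shared seed, which is what lets the receiver follow the hops."""
    rng = random.Random(seed)
    return [rng.randrange(n_channels) for _ in range(n_hops)]


def fhss_link(bits: List[int], hops: List[int], bits_per_dwell: int,
              jammed_channel: int) -> List[Optional[int]]:
    """Received bits over a hopping link with one jammed channel. Bits sent during
    a dwell on that channel are lost (None); every other dwell is clean."""
    return [None if hops[i // bits_per_dwell] == jammed_channel else b
            for i, b in enumerate(bits)]


def error_runs(rx: List[Optional[int]]) -> List[int]:
    """Lengths of consecutive lost-bit runs; for FHSS they come in whole dwells."""
    runs, cur = [], 0
    for v in rx:
        if v is None:
            cur += 1
        elif cur:
            runs.append(cur)
            cur = 0
    if cur:
        runs.append(cur)
    return runs


# Constructed inputs.
BITS = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1,
        1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 1, 0, 0, 0, 1, 1]
HOPS = [3, 17, 44, 9, 60, 22, 71, 5]   # explicit 8-dwell pattern so the result is predictable

if __name__ == "__main__":
    for flips in (0, 5, 6):
        ok = dsss_despread(corrupt_chips(dsss_spread(BITS), flips)) == BITS
        print(f"DSSS with {flips} of 11 chips corrupted per symbol: {'decoded' if ok else 'FAILED'}")
    rx = fhss_link(BITS, HOPS, bits_per_dwell=4, jammed_channel=9)
    print("FHSS lost-bit bursts (channel 9 jammed):", error_runs(rx))
```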

OFDM – The idea of OFDM is to map complex data onto multiple narrowband subcarriers so that a higher data rate can be achieved, as shown in the figure. A complex modulation scheme such as 16-QAM is first used to map the binary data into a frequency-domain vector of complex values; 16-QAM maps 4 bits onto each subcarrier. These subcarriers, as many as the IFFT size allows, are combined and given as input to the IFFT block, which converts the frequency-domain mapper data into a time-domain vector. This vector is converted to analog form before being fed to the RF converter and transmitted over the antenna. OFDM is robust against multipath because each subcarrier has a long symbol time and a guard interval (cyclic prefix) is prepended to every symbol: echoes arriving within the guard interval cause no inter-symbol interference and reduce to a single complex gain per subcarrier, which the receiver equalises.
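The OFDM transmit and receive chain described in the paragraph above, written out in plain Python so each step is visible. This is an added example, not code from the original post: Gray-coded 16-QAM mapping of 4 bits per subcarrier, an inverse DFT that turns the frequency-domain vector into a time-domain symbol, a cyclic-prefix guard interval, and on the receive side the DFT, a one-tap-per-subcarrier equaliser and the nearest-point decision. The 64-point transform, 48 data subcarriers and 16-sample guard interval follow the 802.11a/g OFDM PHY; the bit pattern and the two-ray (direct path plus delayed echo) channel are constructed, and the equaliser assumes the channel is known so that the multipath property itself is what is being demonstrated.

```python
import cmath
import random
from typing import List

N_FFT, N_CP = 64, 16                       # 802.11a/g: 64-point transform, 16-sample guard interval
PILOTS = {-21, -7, 7, 21}
# 48 data subcarriers: bins -26..26 without DC and the four pilots.
DATA_SC = [k for k in range(-26, 27) if k != 0 and k not in PILOTS]

# Gray-coded 16-QAM: two bits select the I level, two bits the Q level; unit average power.
_LEVEL = {(0, 0): -3, (0, 1): -1, (1, 1): 1, (1, 0): 3}
_BITS = {v: k for k, v in _LEVEL.items()}
SCALE = 10 ** 0.5


def qam16_map(bits: List[int]) -> List[complex]:
    return [complex(_LEVEL[(bits[i], bits[i + 1])], _LEVEL[(bits[i + 2], bits[i + 3])]) / SCALE
            for i in range(0, len(bits), 4)]


def qam16_demap(symbols: List[complex]) -> List[int]:
    """Nearest constellation point on each axis, back to 4 bits per symbol."""
    bits = []
    for s in symbols:
        i = min(_LEVEL.values(), key=lambda lvl: abs(s.real * SCALE - lvl))
        q = min(_LEVEL.values(), key=lambda lvl: abs(s.imag * SCALE - lvl))
        bits += [*_BITS[i], *_BITS[q]]
    return bits


def idft(x: List[complex]) -> List[complex]:
    n = len(x)
    return [sum(x[k] * cmath.exp(2j * cmath.pi * k * t / n) for k in range(n)) / n for t in range(n)]


def dft(x: List[complex]) -> List[complex]:
    n = len(x)
    return [sum(x[t] * cmath.exp(-2j * cmath.pi * k * t / n) for t in range(n)) for k in range(n)]


def ofdm_modulate(bits: List[int]) -> List[complex]:
    """192 bits -> one OFDM symbol of 80 time samples (16 cyclic prefix + 64)."""
    freq = [0j] * N_FFT
    for k, s in zip(DATA_SC, qam16_map(bits)):
        freq[k % N_FFT] = s                  # negative bins wrap to the upper half of the transform
    time = idft(freq)
    return time[-N_CP:] + time               # cyclic prefix: copy of the last 16 samples in front


def channel_response(delay: int, gain: float) -> List[complex]:
    """Per-subcarrier complex gain of the two-ray channel. Because the echo lands
    inside the cyclic prefix, the whole channel collapses to this one-tap model."""
    return [1 + gain * cmath.exp(-2j * cmath.pi * k * delay / N_FFT) for k in range(N_FFT)]


def ofdm_demodulate(samples: List[complex], delay: int = 0, gain: float = 0.0) -> List[int]:
    freq = dft(samples[N_CP:N_CP + N_FFT])   # discard the guard interval, transform the rest
    h = channel_response(delay, gain)
    return qam16_demap([freq[k % N_FFT] / h[k % N_FFT] for k in DATA_SC])


def multipath(samples: List[complex], delay: int, gain: float) -> List[complex]:
    """Constructed channel: direct path plus one attenuated echo `delay` samples later."""
    out = list(samples)
    for t in range(delay, len(samples)):
        out[t] += gain * samples[t - delay]
    return out


def bit_errors(bits: List[int], delay: int = 0, gain: float = 0.0) -> int:
    """Bits in -> channel -> bits out; number of bit errors after equalisation."""
    rx = ofdm_demodulate(multipath(ofdm_modulate(bits), delay, gain), delay, gain)
    return sum(a != b for a, b in zip(bits, rx))


_rng = random.Random(7)                      # constructed, reproducible payload
SAMPLE_BITS = [_rng.randint(0, 1) for _ in range(4 * len(DATA_SC))]

if __name__ == "__main__":
    print("clean channel errors:", bit_errors(SAMPLE_BITS))
    print("echo inside guard interval (12 samples, 0.6):", bit_errors(SAMPLE_BITS, 12, 0.6))
    print("echo beyond guard interval (24 samples, 0.9):", bit_errors(SAMPLE_BITS, 24, 0.9))
```

With the echo inside the 16-sample guard interval the recovery is exact: the cyclic prefix turns the channel's linear convolution into a circular one, so each subcarrier only sees a complex scaling that the one-tap divide undoes. Push the delay beyond the prefix and the one-tap model no longer describes the channel, inter-symbol interference leaks into the transform window, and errors appear.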

CWNA, IEEE 802.11!

  • IEEE 802.11 Key Concepts

Let’s get started with a synopsis of the IEEE 802.11 journey. The standards are defined at the Physical layer and the MAC sub-layer (data link). They describe different ways of transmitting data over the air, and how the communication signal delivers information. The original ones we come across are FHSS (Frequency Hopping Spread Spectrum) and DSSS (Direct Sequence Spread Spectrum).

In 2007 the IEEE consolidated 8 ratified amendments along with the original standard into a single document, published as IEEE 802.11-2007.
The consolidated standard covers IEEE 802.11-1999, 802.11a-1999, 802.11b-1999, 802.11g-2003 and 802.11i-2004, among others.

802.11a (Sep 1999) – OFDM (Orthogonal Frequency Division Multiplexing) operating in the 5 GHz band. There are 3 U-NII (Unlicensed National Information Infrastructure) frequency bands, originally providing 12 channels.
802.11b (Sep 1999) – High Rate DSSS (HR-DSSS) in the 2.4 GHz to 2.4835 GHz ISM band. It uses DBPSK (differential binary phase shift keying) for 1 Mbps and DQPSK (differential quadrature PSK) for 2 Mbps, with CCK providing the 5.5 and 11 Mbps rates; it does not use OFDM.
802.11g (June 2003) – Speeds up to 54 Mbps in the same 2.4 GHz ISM band as 802.11b, using a new PHY called Extended Rate Physical (ERP).
802.11i (Security, 2004) – From 1997 to 2004 not much was defined in terms of security in the original 802.11 standard. The three key components of a security solution are data privacy, data integrity and authentication. This amendment defined the RSN (Robust Security Network).
802.11r-2008 (FT) – More often referred to as fast secure roaming, because it defines faster handoffs when roaming between cells in a WLAN while keeping the strong security defined by the RSN.
802.11w (Sep 2009) – Protected management frames: the IEEE Task Group defined a way of delivering management frames securely, preventing them from being spoofed.
Note on 802.11b – 2.4 GHz only, using HR-DSSS. Products actually shipped before 802.11a. It enabled the 5.5 and 11 Mbps data rates on 22 MHz wide channels. Today these rates are legacy rates.
802.11n (October 2009) – also known as Wi-Fi 4, an amendment that improves on the previous 802.11 standards by adding multiple-input multiple-output (MIMO) antennas. 802.11n operates in both the 2.4 GHz and 5 GHz bands; support for 5 GHz is optional. Its net data rate ranges from 54 Mbit/s to 600 Mbit/s.
802.11ac (December 2013) – VHT (Very High Throughput), with wider channels (20 MHz to 160 MHz). Also known as Wi-Fi 5, it is an amendment to IEEE 802.11 published in December 2013 that builds on 802.11n. Changes compared to 802.11n include wider channels (80 or 160 MHz versus 40 MHz) in the 5 GHz band, more spatial streams (up to eight versus four), higher-order modulation (up to 256-QAM vs. 64-QAM), and the addition of multi-user MIMO (MU-MIMO). As of October 2013, high-end implementations supported 80 MHz channels, three spatial streams and 256-QAM, yielding a data rate of up to 433.3 Mbit/s per spatial stream, 1300 Mbit/s total, in 80 MHz channels in the 5 GHz band.
802.11ax (expected sometime in 2019 at the time of writing*) – IEEE 802.11ax, also known as Wi-Fi 6, is the successor to 802.11ac and will increase the efficiency of WLAN networks. Still in development, this project has the goal of providing 4x the throughput of 802.11ac at the user layer, with just 37% higher nominal data rates at the PHY layer. More can be read here.

While learning about 802.11 PHYs (Physical layers) I came across this extremely useful table from the cleartosend podcasts/posts, shown below.