How did I Decipher 802.11 Frames! #CWAP-2

Main Objective: To successfully transfer every bit of information (data) from one device to another.


Let us now go through the basics of the frame header and the components. I have captured a simple beacon (management) frame using Wireshark.

I will briefly explain each of the fields. Notice that the number in brackets refers to the field size in bytes. As a reminder, 1 Byte = 8 bits. 🙂

[Figure: 802.11 Beacon frame capture]
[Figure: Frame Control Field dissection]

Frame Control > 16 bits | 2 Bytes – contains 11 subfields, as displayed in the examples above. The amount of valuable information packed into the 802.11 Frame Control subfields is mind-boggling.

Protocol Version (2 bits): For now, always set to 0 by default. Changes in the version are expected in the future.

Type (2 bits): Management (0,0), Data (1,0), Control (0,1), Extension Frame (1,1) – *Extension frames are only available with 802.11ad.

Sub Type (4 bits): There are different kinds of management, control and data frames. Therefore the 4-bit Subtype field is required to differentiate. The above examples have Beacon & ACK subtypes.

To DS – if set to “1”, the frame is going from STA > Distribution System (DS)
From DS – if set to “1”, the frame is going from DS > STA

To DS = 0, From DS = 0 > Management or Control frames, which do not go to the DS; can also be STA-to-STA data communication in an Ad hoc/IBSS setup.
To DS = 0, From DS = 1 > Downstream traffic from AP to STA.
To DS = 1, From DS = 0 > Upstream traffic from STA to AP.
To DS = 1, From DS = 1 > Data frame using the 4-address MAC header format; usually occurs in WDS or Mesh networks.

More Fragments – If set to “1”, another fragment of the current MSDU or MMPDU follows this one.

Retry – 0 or 1; 1 marks a retransmission. A lot of 1’s may indicate a network with a high retry rate due to some issue. Retries hurt performance through increased application/network latency, thereby degrading user experience.

Power Management – if set to “1”, STA is using power save mode.

More Data: if set to “1” it indicates that the AP or STA is holding more frames for the STA to which the current frame is targeted.

Protected Frame – if set to “1” it indicates payload is encrypted.

Order – Set to “1” in any non-QoS data frame when a higher layer has requested that the data be sent using the strictly ordered class of service, which tells the receiving STA to process the frames in order.

Duration/ID > 2 Bytes | 16 bits – Used for two purposes: it may contain the duration of the frame, or it may contain the association identifier (AID) of the STA that transmitted the frame.

Address 1, 2, 3 and 4: Each address contains 6 bytes / 48 bits of data.

SA > Source Address
DA > Destination Address
TA > Transmitting Address
RA > Receiving Address

Sequence Control Field (2 Bytes/16 bits): Divided into a 4-bit fragment number and a 12-bit sequence number. Used when MSDUs are fragmented; 802.11-2016 allows for fragmentation of frames.

QoS Control Field (2 Bytes/16 bits): Only used in the MAC header of QoS frames. Sometimes referred to as WMM (Wi-Fi Multimedia), which provides traffic prioritization.

HT Control Field (4 Bytes/32 bits): Parameters related to HT & VHT operations. Only used in Management + QoS control frames.

Frame Body: Contains the actual MSDU payload to be transmitted.

FCS (Frame Check Sequence field, 4 Bytes/32 bits) – Final field of the frame. Also known as the Trailer, as the word says. Used to detect errors in communication.
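To tie the fields above together, here is an added example (not code from the original post) that decodes the Frame Control bits, Duration/ID, the addresses according to the To DS / From DS table, Sequence Control, QoS Control and HT Control, and checks the FCS trailer. It assumes the FCS is the same CRC-32 as Ethernet's, stored least-significant byte first; the sample frames are constructed, with locally administered 02:... MAC addresses, and are not from the capture shown above. The `retry_rate` helper is a hypothetical name for the kind of check the Retry bit discussion suggests.

```python
"""Decode the 802.11 MAC header fields described above from raw frame bytes (added example)."""
import struct
import zlib

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data", 3: "Extension"}
# Subtypes the captures above show (Beacon, ACK) plus the two data subtypes used below.
SUBTYPE_NAMES = {(0, 8): "Beacon", (1, 13): "ACK", (2, 0): "Data", (2, 8): "QoS Data"}
# Second Frame Control byte, bit 0 .. bit 7, in the order the post lists them.
FLAG_NAMES = ["to_ds", "from_ds", "more_fragments", "retry",
              "power_mgmt", "more_data", "protected", "order"]


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame_control(fc):
    """Split the 2-byte Frame Control field into version, type, subtype and flags."""
    b0, b1 = fc[0], fc[1]
    out = {"protocol_version": b0 & 0x03,
           "type": (b0 >> 2) & 0x03,
           "subtype": (b0 >> 4) & 0x0F}
    for bit, name in enumerate(FLAG_NAMES):
        out[name] = bool(b1 & (1 << bit))
    out["type_name"] = TYPE_NAMES[out["type"]]
    out["subtype_name"] = SUBTYPE_NAMES.get((out["type"], out["subtype"]),
                                            f"subtype {out['subtype']}")
    return out


def parse_mac_header(frame):
    """Return a dict of header fields; SA/DA/BSSID follow the To DS / From DS table."""
    fc = parse_frame_control(frame[0:2])
    hdr = {"frame_control": fc, "duration_id": struct.unpack("<H", frame[2:4])[0]}
    if fc["type"] == 1:                        # control frames carry fewer fields
        if fc["subtype"] != 13:
            raise ValueError("only the ACK control subtype is handled here")
        hdr["ra"] = mac_str(frame[4:10])       # ACK: Frame Control + Duration + RA
        hdr["header_len"] = 10
        return hdr
    a1, a2, a3 = (mac_str(frame[o:o + 6]) for o in (4, 10, 16))
    seq_ctrl = struct.unpack("<H", frame[22:24])[0]
    hdr["fragment_number"] = seq_ctrl & 0x0F   # low 4 bits
    hdr["sequence_number"] = seq_ctrl >> 4     # high 12 bits
    hdr["ra"], hdr["ta"] = a1, a2              # Address 1 / 2 are always RA / TA
    offset = 24
    to_ds, from_ds = fc["to_ds"], fc["from_ds"]
    if not to_ds and not from_ds:              # management, or STA to STA in an IBSS
        hdr.update(da=a1, sa=a2, bssid=a3)
    elif not to_ds and from_ds:                # downstream, AP -> STA
        hdr.update(da=a1, bssid=a2, sa=a3)
    elif to_ds and not from_ds:                # upstream, STA -> AP
        hdr.update(bssid=a1, sa=a2, da=a3)
    else:                                      # WDS / mesh: Address 4 follows Sequence Control
        hdr.update(da=a3, sa=mac_str(frame[24:30]))
        offset = 30
    if fc["type"] == 2 and fc["subtype"] & 0x08:   # QoS data subtypes carry QoS Control
        hdr["qos_control"] = struct.unpack("<H", frame[offset:offset + 2])[0]
        offset += 2
    if fc["order"] and (fc["type"] == 0 or "qos_control" in hdr):  # HT Control present
        hdr["ht_control"] = struct.unpack("<I", frame[offset:offset + 4])[0]
        offset += 4
    hdr["header_len"] = offset
    return hdr


def fcs_ok(frame):
    """FCS trailer = CRC-32 over header + body, least-significant byte first (assumed)."""
    return zlib.crc32(frame[:-4]) == int.from_bytes(frame[-4:], "little")


def retry_rate(frames):
    """Fraction of data frames with the Retry bit set; a high value hints at a problem."""
    data = [fc for fc in (parse_frame_control(f[0:2]) for f in frames) if fc["type"] == 2]
    return sum(fc["retry"] for fc in data) / len(data) if data else 0.0


def with_fcs(body):
    return body + zlib.crc32(body).to_bytes(4, "little")


# Constructed sample frames: header + empty body + FCS.
BEACON = with_fcs(bytes.fromhex("8000 0000 ffffffffffff 021122334455 021122334455 2000"))
# QoS Data, To DS=1, Retry=1, Protected=1, sequence 1234 fragment 1, TID 6
QOS_DATA = with_fcs(bytes.fromhex("8849 2c00 021122334455 02aabbccddee 026677889900 214d 0600"))
QOS_DATA_FIRST_TRY = with_fcs(bytes.fromhex("8841 2c00 021122334455 02aabbccddee 026677889900 204d 0600"))
ACK = with_fcs(bytes.fromhex("d400 0000 02aabbccddee"))

if __name__ == "__main__":
    for name, frame in (("Beacon", BEACON), ("QoS Data", QOS_DATA), ("ACK", ACK)):
        print(name, "FCS ok:", fcs_ok(frame), parse_mac_header(frame))
    print("retry rate:", retry_rate([BEACON, QOS_DATA, QOS_DATA_FIRST_TRY, ACK]))
```

The parser reads the header from the front and the FCS from the back, so it works on frames with any body length; the 4-address (WDS) branch places Address 4 after Sequence Control, which is where the standard puts it, not directly after Address 3.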

CWAP 403 – Start >

I will be summarising each chapter on the Certitrek Publishing – Official Study Guide for CWAP 403 Exam.

I’ve learned plenty of concepts from the first chapter – 802.11 – The Protocol. This is one of the chapters which you have to read and learn; one may not learn its contents directly while working or experience them in day-to-day work. Following these posts should give you a fair idea of what the chapter entails and get you close to fulfilling the exam requirements. You still have to go through the book multiple times and revise the concepts discussed in the CWNA exam to fully grasp the knowledge required for this exam.

OSI Layers

(APSTNDP) – For the purpose of the CWAP exam we will concentrate our efforts on layers 1-4 only, and more so on layers 1 and 2, as IEEE 802.11 is focused around them.

IEEE 802.3 (Ethernet) & 802.11 (WLAN) operate primarily at Layers 1 & 2 of the OSI model. The Internet Engineering Task Force (IETF) protocols operate at Layers 3 & 4.

Layer 4 is typically TCP/UDP. TCP is a connection-oriented protocol that uses a 3-way handshake, whereas UDP is a connectionless protocol typically used in time-sensitive applications where occasionally dropping packets is better than waiting.

Layer 3 is typically IP, with the exception of WAN-related protocols like HDLC, ATM, Frame Relay, etc.

Layer 2 (Data Link layer) – Subdivided into MAC (lower) + LLC (upper). Frames are organized and meaningful collections of bits that are prepended and appended to upper-layer data within network communications. When the Network layer (3) sends data to the Data Link layer (2), the data is handed off to the LLC and becomes known as an MSDU (MAC Service Data Unit). The MSDU consists of the data payload that contains the IP packet + some LLC data. When the LLC sends the MSDU to the MAC sublayer, the MAC header information gets added, forming a MAC Protocol Data Unit (MPDU).

Layer 1 (PHY) – The physical medium can be RF, light waves or fibre cables. Capabilities include encoding, modulation, demodulation, timing & signals. This layer is subdivided into PLCP (Physical Layer Convergence Protocol – upper) & PMD (Physical Medium Dependent – lower). The PLCP sublayer prepares the frame for transmission by taking the frame from the MAC sublayer and creating the PLCP Protocol Data Unit (PPDU).

802.11 Physical Layers

Protocol | Year (adopted) | Frequency | Channel Width (MHz) | MIMO | PHY
--- | --- | --- | --- | --- | ---
802.11az | Late 2021 | 60 GHz | | |
802.11ay | 2020 | 60 GHz | 8000 | MU-MIMO | EDMG
802.11ax | Late 2019 | 2.4 or 5 GHz | 20, 40, 80, 160 | MU-MIMO | HEW
802.11ac wave 2 | 2015 | 5 GHz | 20, 40, 80, 160 | MU-MIMO | VHT
802.11ac wave 1 | 2014 | 5 GHz | 20, 40, 80 | SU-MIMO | VHT
802.11n | 2009 | 2.4 or 5 GHz | 20, 40 | SU-MIMO | HT
802.11g | 2003 | 2.4 GHz | 20 | N/A | ERP
802.11a | 1999 | 5 GHz | 22 | N/A | OFDM
802.11b | 1999 | 2.4 GHz | 20 | N/A | HR-DSSS
802.11 Prime | 1997 | 2.4 GHz | 22 | N/A | DSSS

Modulation is the process of imposing bits onto a transmission medium. I have detailed the keying methods useful in understanding the basics of modulation here. Also, refer to for numbers related to Modulation and Coding. We will explore this in detail in the forthcoming chapters, which cover the PHY layers and technologies.

Troubleshooting Methods

The industry troubleshooting methods e.g. from Cisco, Microsoft or CompTIA are not tested on the CWAP exam. The CWAP exam objectives list the following troubleshooting actions.

  • Define the Problem
  • Identify the Scale of the Problem
  • Identify Probable Causes
  • Capture and Analyze the Data (Most of the CWAP concentrated here)
  • Observe the Problem
  • Choose appropriate Remedial Steps.
  • Document the Problem and Resolution.

Special Thanks to Rasika as I’ve learned a lot from his blogs.

Summary of the 802.11 MAC Header

Network Layer – IP header is added.
Data Link Layer – MAC header is added.
Physical Layer – PHY header is added.

Data is eventually transmitted as individual bits at the Physical layer.

BIT > 0/1, Octet > Byte of data.
Data Link Layer – LLC (802 based networks), MAC

MAC Service Data Unit > When the network layer sends data to the Data Link layer, the data is handed off to the LLC and becomes an MSDU.

MSDU = IP Packet + Some LLC Data.

Only 802.11 Data Frames carry an MSDU. The 802.11n-2009 ratification introduced the A-MSDU.

MSDU = 2304 Octets (maximum), A-MSDU = up to 7935 Octets.

MAC Protocol Data Unit > When the LLC sublayer sends the MSDU to the MAC sublayer, the MAC header info is added to identify it.

MPDU = MAC Header + Frame Body(MSDU) + FCS (Trailer)
A-MPDU > transmissions are created by transmitting multiple MPDUs as one PHY frame, as opposed to A-MSDU transmissions, which are created by passing the aggregated MSDUs down to the PHY layer as a single MPDU.

The Physical Layer comprises the PLCP & PMD sublayers – the PLCP prepares the frame for transmission by taking the frame from the MAC sublayer and creating the PLCP Protocol Data Unit.

PPDU = PLCP + Frame from Mac Layer.

PLCP Service Data Unit (PSDU) > Pretty much the MPDU as seen at the PHY layer.


CCK – Complementary Code Keying
DSSS – Direct Sequence Spread Spectrum
OFDM – Orthogonal Frequency Division Multiplexing
FHSS – Frequency Hopping Spread Spectrum

There are various versions of the WLAN standard, developed to address different data rate and coverage requirements. IEEE 802.11b supports four data rates, viz. 1 Mbps, 2 Mbps, 5.5 Mbps and 11 Mbps.
DSSS is used to provide support for the 1 Mbps and 2 Mbps data rates.
CCK (too old for the CWNA exam) is used for 5.5 and 11 Mbps, while OFDM is used for higher data rate applications.
OFDM is used in IEEE 802.11a, 11g, 11n, 11ac and 11ad. OFDM is employed along with MIMO to increase the data rate further.

CCK is the modulation form used in the 802.11b standard when operating at 5.5 Mbps or 11 Mbps. CCK was chosen because it uses approximately the same bandwidth as MOK and can use the same header and preamble as pre-existing 1 and 2 Mbps wireless networks, thus facilitating interoperability.

FHSS – The RF carrier frequency is changed according to a pseudo-random sequence (PRS or PN sequence). This PN sequence is known to both transmitter and receiver and hence helps demodulate/decode the information. Within one chip duration, the RF frequency does not vary. Based on this, there are two types of FHSS: fast-hopped FHSS and slow-hopped FHSS. Dwell time (usually 400 ms) is the amount of time that a system transmits on a frequency. Hop time is the measurement of the amount of time taken by the transmitter to change from one frequency to another.

DSSS – In DSSS, information bits are spread across both the frequency and time planes, which minimizes the effect of interference as well as fading. Hence a DSSS system is still prone to errors, but at a lower level compared to FHSS systems; FHSS produces strong bursty errors. DSSS delivers capacity up to 11 Mbps while FHSS supports up to 3 Mbps. DSSS is a very sensitive technology while FHSS is very robust. This is observed in harsh environments comprising large coverage areas, noise, collocated cells, multipath and the presence of Bluetooth frequency waves, etc. DSSS is ideal for point-to-point applications while FHSS can be used in point-to-multipoint deployments with excellent performance.

OFDM – The idea of OFDM is to map complex data onto multiple narrow-band subcarriers so that a higher data rate can be achieved. The same is shown in the figure. As shown, a complex modulation scheme such as 16-QAM is first used to map binary data into complex frequency-domain vector form. 16-QAM maps 4 bits onto each subcarrier. This bunch of subcarriers, as per the IFFT size, is combined and given as input to the IFFT block. This block converts the frequency-domain complex mapper data into a time-domain data vector. This vector is converted to analog form before being provided as input to the RF converter, before transmission into the air using an antenna. OFDM solves multipath issues.
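The 16-QAM mapping, IFFT and FFT steps of that paragraph, carried through end to end as an added example (not code from the original post or from the study guide). It goes one step beyond the text to show why OFDM copes with multipath: a cyclic prefix turns a delayed echo into a circular shift, so each subcarrier only sees a single complex gain that the receiver divides out. N_SUB, CP_LEN, CHANNEL and SAMPLE_BITS are constructed illustration values, not 802.11 parameters, and the DFTs are naive O(N²) loops so the block runs without numpy.

```python
"""16-QAM + OFDM round trip with a cyclic prefix over a constructed two-path channel (added example)."""
import cmath

N_SUB = 16                # number of subcarriers = IFFT size (constructed, not an 802.11 value)
CP_LEN = 4                # cyclic prefix in samples; must cover the channel's delay spread
CHANNEL = [1.0, 0.5j]     # constructed two-path channel: direct path + an echo one sample late

# Gray-coded 16-QAM: 2 bits pick the I level, 2 bits pick the Q level (4 bits per subcarrier).
GRAY_LEVELS = {(0, 0): -3, (0, 1): -1, (1, 1): 1, (1, 0): 3}
LEVEL_BITS = {lvl: bits for bits, lvl in GRAY_LEVELS.items()}

# Constructed payload: exactly 4 * N_SUB bits, one OFDM symbol's worth.
SAMPLE_BITS = [int(c) for c in
               "1101001110101100" "0111001010010110" "0011011101001011" "0010111101100010"]


def qam16_map(bits):
    """Binary data -> one complex frequency-domain point per subcarrier."""
    if len(bits) % 4:
        raise ValueError("16-QAM consumes 4 bits per symbol")
    return [complex(GRAY_LEVELS[(bits[i], bits[i + 1])],
                    GRAY_LEVELS[(bits[i + 2], bits[i + 3])])
            for i in range(0, len(bits), 4)]


def qam16_demap(symbols):
    """Nearest-level decision on I and Q, back to 4 bits per symbol."""
    out = []
    for s in symbols:
        i_lvl = min(LEVEL_BITS, key=lambda lvl: abs(s.real - lvl))
        q_lvl = min(LEVEL_BITS, key=lambda lvl: abs(s.imag - lvl))
        out.extend(LEVEL_BITS[i_lvl] + LEVEL_BITS[q_lvl])
    return out


def idft(freq):
    """Frequency-domain vector -> time-domain samples (the IFFT block)."""
    n = len(freq)
    return [sum(freq[k] * cmath.exp(2j * cmath.pi * k * t / n) for k in range(n)) / n
            for t in range(n)]


def dft(time):
    """Time-domain samples -> per-subcarrier values (the receiver's FFT)."""
    n = len(time)
    return [sum(time[t] * cmath.exp(-2j * cmath.pi * k * t / n) for t in range(n))
            for k in range(n)]


def ofdm_modulate(bits):
    """Map 4*N_SUB bits onto the subcarriers, IFFT, then prepend the cyclic prefix."""
    symbols = qam16_map(bits)
    if len(symbols) != N_SUB:
        raise ValueError(f"need exactly {4 * N_SUB} bits per OFDM symbol")
    time = idft(symbols)
    return time[-CP_LEN:] + time          # CP = copy of the symbol's tail


def apply_channel(samples, taps=CHANNEL):
    """Linear convolution with the multipath taps: each echo is a delayed, scaled copy."""
    return [sum(taps[k] * samples[n - k] for k in range(len(taps)) if n - k >= 0)
            for n in range(len(samples))]


def ofdm_demodulate(samples, taps=CHANNEL):
    """Drop the CP, FFT, undo the per-subcarrier channel gain, demap to bits."""
    body = samples[CP_LEN:CP_LEN + N_SUB]
    freq = dft(body)
    # With CP_LEN >= delay spread the echo acts as a circular shift, so subcarrier k
    # sees only the complex gain H[k]: a frequency-selective channel becomes flat per carrier.
    h = dft(list(taps) + [0.0] * (N_SUB - len(taps)))
    return qam16_demap([y / hk for y, hk in zip(freq, h)])


def round_trip(bits):
    """Send bits through the constructed multipath channel and return the recovered bits."""
    return ofdm_demodulate(apply_channel(ofdm_modulate(bits)))


if __name__ == "__main__":
    print("recovered without error:", round_trip(SAMPLE_BITS) == SAMPLE_BITS)
```

Skipping the per-subcarrier division in `ofdm_demodulate` (or using a CP shorter than the echo delay) is the quickest way to see the point: the same echo that a single-carrier receiver would have to equalize across many symbols is undone here by one complex divide per subcarrier.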