This is the landing page for all the wireless related posts on my blog. The majority of the content is towards my study for wireless related certifications like CWNP. The name ‘It Depends!’ was chosen because it is the majority of the answers or responses to wireless queries.
Accounts for 10% of the CWAP knowledge domain areas, approx. 6/60 questions.
Medium Contention : Protocols that allow a large number of devices to effectively share the wireless channel. All APs & STAs contend with each other on a common transmission medium.
CSMA / CA - The AP/STAs (802.11) use carrier sense multiple access with collision avoidance, as opposed to the collision detection used in the Ethernet (802.3) realm.
Devices must avoid multiple devices transmitting simultaneously over a shared medium, which can cause failed transmissions. Wireless mediums cannot detect collisions but find ways to avoid them. Collision handling is not straightforward and may be time consuming at times. Hence this is one of the reasons that 802.11 (WLANs) have a much lower throughput-to-data-rate ratio than 802.3 (wired).
802.11 uses DCF (Distributed Coordination Function) for non-QoS WLANs & HCF (Hybrid Coordination Function) for QoS WLANs using EDCA (Enhanced Distributed Channel Access).
There are two carrier sense protocols used by the stations to indicate whether a channel is busy or idle.
- Physical Carrier Sense, also known as CCA (Clear Channel Assessment)
- Virtual Carrier Sense, also known as NAV (Network Allocation Vector)
QoS & non-QoS WLANs use either of the above protocols for transmitting data.
CCA (Layer 1) > Identifies whether the channel is unused and available prior to the packet transmission.
- Channel Occupied = State of Busy, determined by energy detection levels.
- Channel Clear = State of Idle
Regardless of the 802.11 modulation in use, if the AP or STA is too far away to detect a transmission at the requisite energy level, CCA may go into the idle state even though the channel is still occupied.
NAV (Layer 2) > A timer that counts down toward zero (0). When a device has a NAV value greater than zero, the device stays quiet. Once the NAV = 0, the medium is considered clear.
As discussed earlier, CCA may fail to keep other devices on the channel quiet (transmitting device too far away, obstruction, interference); the design of the NAV keeps APs and stations quiet.
The Duration/ID value in the 802.11 header sets the NAV values for APs and STAs.
It is vital for the AP and STA to stay within the RSSI range in order to successfully demodulate a transmitted frame, so that the Duration/ID field in the header can be accurately read and the NAV set.
When 2 or more STAs begin frame transmission at the same time in an idle environment, collisions are bound to happen. Hence we have additional medium contention protocols beyond CCA & NAV. These protocols must keep APs and STAs quiet like CCA/NAV & also allow differentiated medium access.
IFS (Interframe Space) is the quiet period that an AP & STA must wait before transmitting any 802.11 frame.
- If the contention has been completed, then a reduced IFS (RIFS) or short IFS (SIFS) will be used. In most cases it is SIFS; RIFS is only used between consecutive frames transmitted by an 802.11n device.
- If the contention/arbitration is not determined, then arbitration IFS (AIFS) or DCF IFS (DIFS) will be used. AIFS is used for WLANs that support 802.11e QoS, and DIFS is used for WLANs that do not.
- If an AP or STA has received a corrupted frame, as defined by having an incorrect FCS, then extended IFS (EIFS) will be used.
- PCF IFS (PIFS) is part of PCF and therefore not used in the real world. (May be ignored for CWAP prep!)
- 802.11 FHSS networks use a 50 µs slot time.
- Steps a STA goes through before starting frame transmission in the wireless medium (Source : 802.11 Arbitration CWNP White Paper)
- SIFS (Short IFS) is the foundation of all IFSs.
- 10 µs for 802.11b/g/n (2.4 GHz).
- 16 µs for 802.11a/n (5 GHz).
- It is used after contention/arbitration is completed. The exception is an 802.11n device using MIMO to transmit frames, where RIFS is used.
- RIFS (Reduced IFS) is the simplest IFS to understand.
- Its length is always the same: 2 µs.
- Only for devices which use 802.11n/MIMO.
- It precedes only "data" frames.
- AIFS (Arbitration IFS) is designed to force APs and STAs with ordinary data in the queue to stay quiet long enough to allow QoS frames to access the channel.
- DIFS (DCF IFS) is used when the arbitration process has not yet completed.
- DIFS is equal to the length of SIFS + 2 slot times. Slot times are quiet periods, similar to an IFS.
- Slot times are equal to 9 µs for 802.11a/n/ac operating in 5 GHz and for 802.11g/n in 2.4 GHz.
- The 20 µs slot is used for 802.11b/g/n 2.4 GHz DSSS, and if HT or ERP is used with a long preamble.
- The short preamble is the default setting when HT or ERP is used.
- EIFS (Extended IFS) is designed to give APs and STAs a chance to retransmit after a failed frame.
- This happens when the AP/STA fails to receive an ACK after transmission.
- EIFS = SIFS + DIFS + the time taken to transmit the acknowledgement frame.
- 802.11b/g/n (2.4 GHz) using DSSS = 364 µs; 802.11a/n (5 GHz) & 802.11g/n (2.4 GHz) = 160 µs. EIFS is the longest of the IFSs.
Near/Far Problem : A STA close to the AP may cause problems for a STA far away. When data is transmitted between the AP and nearby STAs they can use a higher data rate than far stations (this is why STAs dynamically switch their data rates downward when moving away from the AP). The far STA cannot demodulate the higher-rate frame, so the frame appears corrupt to it even though it was successfully transmitted. The far STA therefore has to stay quiet for an EIFS at the beginning of the arbitration process, while the near STA is allowed to use the shorter DIFS.
PIFS > Equal to one slot time + 1 SIFS; it is designed to give the AP the chance to send the beacon in order to begin the CFP (Contention Free Period). In the real world, PIFS is only used with the Channel Switch Announcement frame, which is one of the Action frames from 802.11h.
Another mechanism which prevents collisions by differentiating 802.11 channel access is the Random Backoff. Unlike the IFS, the random backoff is not static: it is a period of time that changes based on a random number chosen by the AP or STA. The STA stays quiet during the random backoff by randomly choosing a number of slot times and then counting down until the number of slot times equals zero. Transmission resumes once the count reaches zero.
- For the random backoff to work, there must be an upper and lower limit to the number of slot times that can be chosen.
- The lower limit is always 0. The upper limit for the random backoff is equal to the contention window (CW).
- The CW is derived from the equation 2^x – 1, where x is a value that increments with each failed frame. For DSSS-based networks, x starts at 5, which results in a CW of 31. For OFDM-based networks, x starts at 4, which results in a CW of 15. For both DSSS- and OFDM-based networks, the x value stops incrementing at 10, which results in a CW of 1023.
- Failed frames cause the contention window to grow exponentially. More quiet time means a less efficient channel, causing latency and throughput issues.
- AIFS is used by QoS-enabled STAs to transmit all data, management, PS-Poll, RTS, CTS (when not transmitted as a response to RTS), Block Ack Req and Block Ack (when not transmitted as a response to Block Ack Req) frames.
- The number of slot times in an AIFS is called the AIFSN (AIFS number).
- 802.11e specifies the access categories Voice (AC_VO), Video (AC_VI), Background (AC_BK) & Best Effort (AC_BE).
- Video and Voice = 2 slot times
- Best Effort = 3 slot times
- Background = 7 slot times
- AIFS for a given Access Category = AIFSN[AC] x Slot Time + SIFS Time
- Transmit Opportunity or TXOP is the amount of time a STA can send frames when it has won contention for the wireless medium. This is in relation to EDCA (Enhanced Distributed Channel Access).
- When a STA sends QoS data, it must first contend for access to the wireless medium.
- The STA performs CCA and determines whether the channel is idle. Its NAV must be 0. Then it must wait for the appropriate interframe spacing.
- Then it waits for the contention window to complete. There are four access categories, as discussed in the previous section, each with its own CW and TXOP.
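The IFS and contention-window rules above, worked through as an added Python example (not code from the original post): it computes DIFS, PIFS, EIFS and the per-access-category AIFS from the stated SIFS and slot times, and shows the CW doubling after each failed frame. The 304 µs ACK transmit time used for the DSSS EIFS check is my own derivation for a 1 Mbps long-preamble ACK, not a figure from the post.

```python
"""DCF/EDCA timing helpers.  Added example, not the post's own code.

All values are in microseconds and come from the notes above.  The ACK
transmit time used for the DSSS EIFS case is an assumption derived here
for a 1 Mbps long-preamble ACK: 192 us PLCP preamble + header, plus
112 us for the 14-byte ACK frame, = 304 us.
"""
import random

# PHY timing: (SIFS, slot time, starting contention-window exponent x)
PHYS = {
    "dsss_2.4ghz": (10, 20, 5),           # 802.11b/g/n DSSS or long preamble
    "erp_2.4ghz_short_slot": (10, 9, 4),  # 802.11g/n with the short slot
    "ofdm_5ghz": (16, 9, 4),              # 802.11a/n/ac
}
CW_MAX_EXPONENT = 10                      # x stops growing here: CW = 1023

# AIFSN (number of slot times) per 802.11e access category
AIFSN = {"AC_VO": 2, "AC_VI": 2, "AC_BE": 3, "AC_BK": 7}

def difs(sifs, slot):
    """DIFS = SIFS + 2 slot times (non-QoS WLANs)."""
    return sifs + 2 * slot

def pifs(sifs, slot):
    """PIFS = SIFS + 1 slot time."""
    return sifs + slot

def eifs(sifs, slot, ack_tx_time):
    """EIFS = SIFS + DIFS + time needed to transmit an ACK."""
    return sifs + difs(sifs, slot) + ack_tx_time

def aifs(ac, sifs, slot):
    """AIFS[AC] = AIFSN[AC] * slot time + SIFS; DIFS is the AIFSN = 2 case."""
    return AIFSN[ac] * slot + sifs

def contention_window(phy, failed_frames):
    """CW = 2**x - 1, with x incrementing per failed frame up to 10."""
    _, _, x0 = PHYS[phy]
    x = min(x0 + failed_frames, CW_MAX_EXPONENT)
    return 2 ** x - 1

def backoff_schedule(phy, retries):
    """(CW, worst-case backoff in us) for 0..retries consecutive failures."""
    _, slot, _ = PHYS[phy]
    return [(contention_window(phy, n), contention_window(phy, n) * slot)
            for n in range(retries + 1)]

def random_backoff(phy, failed_frames, rng=random):
    """Pick the random slot count in [0, CW] and return (slots, quiet time)."""
    _, slot, _ = PHYS[phy]
    slots = rng.randint(0, contention_window(phy, failed_frames))
    return slots, slots * slot

if __name__ == "__main__":
    for phy, (s, t, _) in PHYS.items():
        print(phy, "DIFS", difs(s, t), "AC_VO AIFS", aifs("AC_VO", s, t))
    print("DSSS CW growth:", backoff_schedule("dsss_2.4ghz", 5))
```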
This chapter accounts for 10% of the Knowledge Domain in the CWAP exam. Approx. 6/60 questions!
Exam Moment from the Book : It is not important, for the CWAP exam, that you know all the details of the variations of the PHY preambles; however, you should know that the preamble adds extra overhead to the communications and that older devices may introduce a preamble that reduces performance overall and forces all devices in the BSS to communicate based on that long preamble.
Carrier Sense > State of STA where it is ready to transmit or receive packets/signals
Clear Channel Assessment > Identify whether the channel is unused and available prior to the packet transmission
Transmit (Tx) > Upon checking that the wireless medium is available, the STA transmits a frame, which is enabled by the CS/CCA process. Unlike Ethernet, a wireless radio cannot transmit and receive frames at the same time.
Receive (Rx) > The transmitting STA precedes the data portion of the frame with a preamble. It contains a binary string that the receiving station can identify and synchronise with, essentially alerting the receiving station to the transmission. The preamble also includes a Start Frame Delimiter field, which the receiving station uses to identify the beginning of the frame. An ACK frame is sent once the entire frame is received.
PMD > Transmits the data as RF-modulated 1s and 0s. When receiving, the PMD listens to the RF and passes the received data up to the PLCP sublayer.
PLCP Protocol Data Unit> When PLCP receives PSDU, it then prepares PPDU. PLCP adds a preamble + PHY header to the PSDU.
PLCP Preamble > String of 0/1 bits that are used to synchronise incoming transmissions. IEEE 802.11-2007 standard defines 3 different PPDUs.
Long PPDU > 144 bit PLCP Preamble, 128 bit Sync field + 16 bit Start of Frame Delimiter (SFD).
Short PPDU > 72 bit PLCP Preamble, 56 bit Sync field and 16 bit SFD
OFDM PLCP Preamble > 10 short symbols + 2 long symbols
PLCP Header > Long & Short PLCP Headers are both 48 bits long and contain 4 fields: Signal (8) + Service (8) + Length (16) + CRC (16).
Non-HT Legacy PPDU
- Consists of Preamble(Short/Long symbols)
- Mandatory for 802.11n radios and transmissions can occur in only 20MHz channels.
- Effectively same format used by legacy 802.11a/g radios.
HT Mixed PPDU
- Introduced by the 802.11n amendment.
- Likely the most commonly used format as it supports HT + legacy 802.11a/g.
- Transmission can occur in both 20 MHz and 40 MHz channels.
HT Greenfield PPDU
- The 2nd of the two new PPDU formats defined by 802.11n.
- Not compatible with legacy 802.11 radios; only HT radios can communicate with this format.
- Can transmit using 20 MHz and 40 MHz channels.
The Data field portion of the PPDU is the PSDU. In easy terms, the data field is the 802.11
I am attempting to put together a mind map of WLAN issues. I look forward to expanding each one of the classifications in revisions of this blog.
This post covers the important 802.11 Frames which can help in performing the analysis and troubleshoot any issues related to WLAN networks. I have referenced Wireshark filters for the ease of each frame.
Beacon (1000, Subtype : 8) (wlan.fc.type_subtype == 0x08)
- Used to announce the Basic Service Set (BSS) for the Client (STAs).
- Transmitted by the AP every 100 time units (TU). 1 TU = 1024 microseconds, so the default is 102.4 ms.
- To reduce any potential overhead, TU values might need adjustment in some cases where multiple SSIDs exist on AP radio.
Probe Request and Probe Response (0100 / 0101, Subtype : 4 & 5) (wlan.fc.type_subtype == 0x4 or wlan.fc.type_subtype == 0x5)
- Used for active scanning
- STAs send the probe request, AP sends the probe response.
- Amount of probing may be able to be reduced by adjusting the roaming aggressiveness on the client.
- Probe requests are sent to the broadcast address (DA = ff:ff:ff:ff:ff:ff).
- Directed probe requests are those where the STA sending the probe request specifies the SSID it is looking for, as in the example below.
- The SSID value can also be set to 0, i.e. the SSID field is present but empty. This is called a Wildcard SSID or null probe request, e.g. below.
- Probe requests are always sent at the lowest supported data rate. In the above examples they are sent at 1 Mb/s.
- Probe responses contain the information elements that may have been requested by the probing station, e.g. below.
Authentication & Deauthentication Frames (1011 / 1100, Subtype : 11 / 12) (wlan.fc.type_subtype == 0xb or wlan.fc.type_subtype == 0xc)
- Used to authenticate to an AP to prepare association or roaming
- Used to remove the AID (Authentication ID) and deauthenticate with an AP.
- Frame body consists of:
  - Authentication Algorithm Number - 0 for Open System and 1 for Shared Key
  - Authentication Transaction Sequence Number - Indicates the current status of progress
  - Status Code - 0 for Success, 1 for Unspecified failure
  - Challenge Text - Used in Shared Key Authentication frames 2 & 3
Association and Disassociation Frames (0000, Subtype : 0) (0001, Subtype : 1) (Disassociation: 1010, Subtype : 10) (wlan.fc.type_subtype == 0 or wlan.fc.type_subtype == 10)
- Simple 4-frame exchange (authentication request, ACK, authentication response & ACK) used to enter the authenticated and associated state with the AP.
- After association the STA may either use the network (open system authentication) or begin the 802.1X/EAP authentication process, if used.
- The Disassociation frame is used to change from authenticated/associated state to "authenticated not associated state". They contain a reason for disassociation. In case of below frame the reason code is unspecified reason.
Reassociation Request and Response Frames - (0010, Subtype : 2) (0011, Subtype : 3) (wlan.fc.type_subtype == 0x2 or wlan.fc.type_subtype == 0x3)
- These frames are used to roam to another AP within the ESS (extended service set) or to reconnect after brief disconnection.
- The reassociation response frame will also include an AID for the STA and the status code indicating the reassociation success or failure.
RTS / CTS - (1011, Subtype : 11), (1100, Subtype : 12) (wlan.fc.type_subtype == 0x1b or wlan.fc.type_subtype == 0x1c)
- RTS and CTS frames are used to clear the medium for transmission of larger frames.
- The Duration Field in RTS/CTS is very important.
- SIFS (Short Interframe Space) - Amount of time in microseconds required for a wireless interface to process a received frame and respond with a response frame.
- RTS duration = SIFS(3) + CTS + Data + ACK(1)
- CTS duration = SIFS(2) + Data + ACK(1)
- CTS-to-self > is another method of performing NAV (Network Allocation Vector) distribution that use only CTS frames. It is used strictly as a protection mechanism for mixed mode environment.
Acknowledgement Frames (ACK) (1101, Subtype : 13) (wlan.fc.type_subtype == 0x1d)
- These frames are sent right after data/management frames to inform(ack) the transmitter.
- Without an ACK frame, the transmitter assumes the frame was lost due to corruption from interference or some other issue, and so retransmits the frame.
- ACK frame includes Frame Control, Duration, RA and FCS subfields
- Duration Field value is set to : Duration Value of previous frame + ACK(1) + SIFS(1)
Null Data & PS-Poll Frames (Null Data: 0100, Subtype : 4; PS-Poll: 1010, Subtype : 10) (wlan.fc.type_subtype == 0x24 or wlan.fc.type_subtype == 0x1a)
- Null Data Frames are used to notify an AP that the STA is awake and able to receive the frames.
- It is simply a data frame with no data in the Frame Body field.
- PS-Poll on the other hand are used to notify the AP that the client STA is awake and available for buffered frames.
- A STA indicates power save mode using the Power Management bit in the Frame Control field. When a STA is in PM mode (= 1), it alternates between awake and sleep states.
- AP may send buffered data frames to the client in two ways.
- If the data belongs to legacy power-save queue, transmission follows the legacy power save.
- If the data belongs to WMM Power Save queue, data frames are downloaded according to a trigger-and-delivery mechanism.
Main Objective: To successfully transfer every bit of information(data) from one device to another.
802.11 MAC HEADER
Let us now go through the basics of the frame header and the components. I have captured a simple beacon (management) frame using Wireshark.
I will briefly explain each of the fields. Notice the number in the bracket refers to the bytes. For memory 1 Byte = 8 bits. 🙂
Frame Control > 16 bits | 2 Bytes - contains 11 subfields as displayed in the above examples. The amount of valuable information contained in the 802.11 Frame Control sub-fields is mind-boggling.
Protocol Version (2 bits): For now, always set to 0 by default. Changes in the version are expected in the future.
Type (2 bits): Management (0,0), Data (1,0), Control (0,1), Extension Frame (1,1) *only available with 802.11D
Sub Type (4 bits): There are different kinds of management, control and data frames. Therefore the 4-bit Subtype field is required to differentiate. The above examples have Beacon & ACK subtypes.
To DS - if set to "1" - Frame going from STA > Distribution System (DS)
From DS - if set to "1" - Frame going from DS > STA
To DS = 0, From DS = 0 > Management or Control frames where it does not go to DS, Can be STA to STA communication in an ADHOC/IBSS setup.
To DS =0, From DS = 1 > Downstream traffic from AP to the STA.
To DS =1, From DS = 0 > Upstream traffic from STA to AP
To DS = 1, From DS = 1 > Data frame using the four-address MAC header format, usually seen in WDS or Mesh networks.
More Fragments - If set to "1", another fragment of the current MSDU or MMPDU is to follow.
Retry - 0 or 1. 1 is for retransmissions. A lot of 1s may indicate a network with a high retry rate due to some issue. The issue can impact performance through increased application/network latency, thereby degrading user experience.
Power Management - if set to "1", STA is using power save mode.
More Data: if set to "1" it indicates that the AP or STA is holding more frames for the STA to which the current frame is targeted.
Protected Frame - if set to "1" it indicates payload is encrypted.
Order - If set to "1" in any non-QoS data frame when a higher layer has requested that the data be sent using strictly ordered CoS, which tells the receiving STA to process the frames in order.
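To show how those Frame Control bits map to the Wireshark wlan.fc.type_subtype filters used earlier on this page, here is an added Python decoder (not code from the original post); the sample Frame Control byte pairs are constructed, not taken from a capture.

```python
"""Decode the 16-bit 802.11 Frame Control field (added example, not code
from the original post).  Frame Control is sent least-significant byte
first: byte 0 = Protocol Version (2 bits) | Type (2) | Subtype (4), and
byte 1 holds the eight flag bits, To DS in bit 0 through Order in bit 7."""

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data", 3: "Extension"}
FLAG_NAMES = ["to_ds", "from_ds", "more_fragments", "retry",
              "power_management", "more_data", "protected", "order"]


def parse_frame_control(fc: bytes) -> dict:
    """Split the two Frame Control bytes into their sub-fields."""
    if len(fc) != 2:
        raise ValueError("Frame Control is exactly 2 bytes")
    b0, b1 = fc[0], fc[1]
    fields = {"version": b0 & 0x03,
              "type": (b0 >> 2) & 0x03,
              "subtype": (b0 >> 4) & 0x0F}
    fields["type_name"] = TYPE_NAMES[fields["type"]]
    for bit, name in enumerate(FLAG_NAMES):
        fields[name] = bool(b1 & (1 << bit))
    return fields


def wireshark_type_subtype(fc: bytes) -> int:
    """Value matched by wlan.fc.type_subtype: (type << 4) | subtype."""
    f = parse_frame_control(fc)
    return (f["type"] << 4) | f["subtype"]


def ds_direction(fc: bytes) -> str:
    """Interpret the To DS / From DS bit combination."""
    f = parse_frame_control(fc)
    return {(False, False): "STA to STA (IBSS) or management/control frame",
            (False, True): "downstream, AP to STA",
            (True, False): "upstream, STA to AP",
            (True, True): "four-address format (WDS/mesh)"}[
        (f["to_ds"], f["from_ds"])]


def retry_rate(frame_controls) -> float:
    """Fraction of frames with the Retry bit set; a high value points to a
    channel suffering many retransmissions (interference, range, contention)."""
    if not frame_controls:
        return 0.0
    retries = sum(parse_frame_control(fc)["retry"] for fc in frame_controls)
    return retries / len(frame_controls)


# Constructed Frame Control byte pairs (not from a real capture)
SAMPLES = {
    "beacon": b"\x80\x00",          # type 0, subtype 8  -> 0x08
    "rts": b"\xb4\x00",             # type 1, subtype 11 -> 0x1b
    "ack": b"\xd4\x00",             # type 1, subtype 13 -> 0x1d
    "ps_poll": b"\xa4\x00",         # type 1, subtype 10 -> 0x1a
    "null_data": b"\x48\x01",       # type 2, subtype 4  -> 0x24, To DS set
    "qos_data_retry": b"\x88\x4a",  # type 2, subtype 8, From DS + Retry + Protected
}

if __name__ == "__main__":
    for name, fc in SAMPLES.items():
        f = parse_frame_control(fc)
        print(f"{name:15} type_subtype=0x{wireshark_type_subtype(fc):02x} "
              f"{f['type_name']:10} {ds_direction(fc)}")
    print("retry rate:", retry_rate(list(SAMPLES.values())))
```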
Duration/ID > 2 Bytes | 16 bits - May be used for 2 purposes, it may contain the duration of the frame. Secondly, it may contain association identifier (AID) of the STA that transmitted the frame.
Address 1, 2, 3 and 4: Each address contains 6 bytes/48 bits of data.
SA > Source Address
DA > Destination Address
TA > Transmitting Address
RA > Receiving Address
Sequence Control Field (2 Bytes/16 bits): Divided into 4-bit fragment number and a 12-bit sequence number. Used when MSDUs are fragmented. 802.11-2016 allows for fragmentation of frames.
QoS Control Field: (2 Bytes/16 bits): Only used in MAC header of QoS frames. Sometimes referred to as WMM (Wi-Fi Multimedia) which provides traffic prioritization.
HT Control Field (4 bytes/32 bits): Parameters related to HT & VHT operations. Only used in Management + QoS control frames.
Frame Body: Contains the actual MSDU payload to be transmitted.
FCS (Frame Check Sequence field, 4 Bytes/32 bits) - Final field of the frame. Also known as the Trailer, as the word says. Used to detect errors in communication.