I put together this information to better understand the 802.11 frame as part of my study for the CWAP exam from “Carpenter, Tom. CWAP® Certified Wireless Analysis Professional Official Study Guide: CWAP-402. Certitrek Publishing. Kindle Edition.”
The Frame Control field
Frame Control field: identifies the frame type (management, control or data) and the subtype (for example RTS or CTS).
The protocol version subfield is set to 00; if an incompatible version of the standard is ever released, these bits can be used to signal it.
The More Fragments subfield indicates whether the current frame is part of a fragmented MSDU. When the bit is set to 1, fragmentation is in use.
Fragmentation occurs based on the fragmentation threshold setting in the AP or client device. It is used to increase the probability that a transmitted frame will be received.
Retry: the Retry field is useful in tracking frame transmission errors. If a frame is transmitted and no ACK frame is returned, the transmitting STA resends the frame using the contention process. If the Retry field is set to 1, the frame is a retransmission.
The Power Management field is a 1-bit field indicating whether power management is used by the STA. The value of this field determines the mode in which the STA will operate after the frame transmission completes.
In frames sent by an AP it is always set to 0, since an AP does not enter power save mode.
It is also set to 0 in management frames that cannot be buffered and in frames sent to an AP by a STA before it is associated. All other frames may set the bit to 1 to indicate the intention to enter power save mode, so that the AP knows to buffer frames for that STA until it wakes.
The More Data field is used by the AP (or another STA in an IBSS) to indicate that more frames are buffered for that STA, so that it will not enter sleep mode.
When set to 1 it indicates that the AP or STA is holding more frames for the STA to which the current frame is targeted.
When a STA sends a frame to the AP with the More Data Ack subfield of the QoS Capability element set to 1, and the AP has frames buffered for that STA with Automatic Power Save Delivery (APSD) enabled, the AP sets the More Data field to 1 in the ACK frame it returns, so that the STA knows the AP has frames buffered for it.
The Protected Frame field, which replaces the older WEP field, indicates that the MSDU in the frame body is encrypted when it is set to 1. When set to 0, no encryption is applied at the 802.11 MAC sublayer.
The Order field is used for two purposes:
- It is set to 1 in a non-QoS data frame to indicate that it contains an MSDU.
- It is set to 1 in a QoS data or management frame to indicate that the frame contains an HT Control field, so that HT devices that understand the HT Control field can process it.
Duration/ID field is used for two purposes.
- It may contain the duration of the frame
- It may contain the association identifier (AID) of the STA that transmitted the frame.
When a PS-Poll frame is transmitted by a STA, the Duration/ID field contains the AID of the STA so that the AP knows that it is awake and can send buffered frames.
In both non-QoS and QoS data frames, it contains the duration of the frame.
In control frames it contains the duration of the frame exchange. When the field carries a duration, receiving STAs use it to set their NAV timer for CSMA/CA operation.
Address 1, 2, 3, and 4
The 802.11 general frame format specifies four address fields:
- Receiver address (RA): always the immediate recipient of the frame.
- Destination address (DA): the ultimate target of the frame.
- Source address (SA): always the original source of the frame.
- Transmitter address (TA): the address of the STA that transmitted the frame onto the medium.
The 16-bit Sequence Control field is used with fragmentation and for the removal of duplicate frames, should they occur. It is divided into a 4-bit fragment number and a 12-bit sequence number. When an MSDU is fragmented, all fragments carry the same sequence number and the fragment number, starting at 0, is incremented by 1 for each fragment until all fragments are delivered. The sequence number starts at 0 and is incremented for each new frame (or set of fragments) until it reaches 4095, at which point it simply resets to 0 and begins again. The primary analysis use of this field is the detection of fragmented frames and the identification of in-order or out-of-order frame delivery.
The QoS Control field is a 16-bit field that identifies the category to which the frame belongs for queuing purposes.
The most important factor in this field for most analysis is the user priority (UP) of the frame. In the standard, this is referenced as the traffic identifier (TID) subfield. Given that EDCA is implemented in QoS WLANs based on the Wireless Multimedia (WMM) certification from the Wi-Fi Alliance, bits 0-3 of the QoS Control field carry a value from 0 to 7. The table below lists the mapping of WMM access categories (ACs) to 802.1D tags.
WMM operates on queues created for the various ACs. For example, a STA will have a queue for AC_VO, another for AC_VI, and so on. The highest priority queue gets to take advantage of a transmit opportunity (TXOP) before the lower priority queues.
The key to understanding the probabilistic priorities provided by WMM is the contention window (CW). Without WMM (or EDCA), the CW has a minimum value (aCWmin) of 0 and a maximum value (aCWmax) of 1023. This changes with WMM. The table below lists the default EDCA (WMM) CW parameters.
The above table makes it clear that a backoff timer randomly selected from the CW will, more often than not, be a higher value for AC_BE and AC_BK frames than for AC_VO and AC_VI frames.
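As an added example (not from the CWAP guide or the original notes), the following Python decodes the header fields discussed above, Frame Control, Duration/ID, the address fields, Sequence Control and the QoS Control TID with its WMM access category, from two constructed sample frames: a QoS Data fragment and a PS-Poll. It assumes frames are supplied without the FCS and uses the standard's little-endian field layout.

```python
import struct

TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "extension"}
# Flag bits of the second Frame Control byte, bit 0 (To DS) through bit 7 (Order)
FLAG_NAMES = ["to_ds", "from_ds", "more_frag", "retry", "pwr_mgmt", "more_data", "protected", "order"]
# WMM user priority (TID 0-7, the 802.1D tags) to access category
UP_TO_AC = {1: "AC_BK", 2: "AC_BK", 0: "AC_BE", 3: "AC_BE", 4: "AC_VI", 5: "AC_VI", 6: "AC_VO", 7: "AC_VO"}

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_frame_control(fc: bytes) -> dict:
    # Byte 0: version (bits 0-1), type (2-3), subtype (4-7); byte 1: the eight flag bits
    d = {"version": fc[0] & 0x03, "type": (fc[0] >> 2) & 0x03, "subtype": fc[0] >> 4}
    d.update({n: bool((fc[1] >> i) & 1) for i, n in enumerate(FLAG_NAMES)})
    return d

def parse_header(frame: bytes) -> dict:
    """Decode the MAC header of a frame given without its FCS (all fields little-endian)."""
    hdr = parse_frame_control(frame[0:2])
    hdr["type_name"] = TYPE_NAMES[hdr["type"]]
    dur = struct.unpack_from("<H", frame, 2)[0]
    if hdr["type"] == 1:  # control frames: RA, a TA for RTS/PS-Poll, no Sequence Control
        hdr["ra"] = mac(frame[4:10])
        if len(frame) >= 16:
            hdr["ta"] = mac(frame[10:16])
        if hdr["subtype"] == 10:  # PS-Poll: bits 14-15 are set, bits 0-13 carry the AID
            hdr["aid"] = dur & 0x3FFF
        else:
            hdr["nav_us"] = dur & 0x7FFF  # NAV duration in microseconds
        return hdr
    hdr["nav_us"] = dur & 0x7FFF
    hdr["addr1"], hdr["addr2"], hdr["addr3"] = mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])
    seq = struct.unpack_from("<H", frame, 22)[0]
    hdr["fragment"], hdr["sequence"] = seq & 0x0F, seq >> 4  # 4-bit fragment, 12-bit sequence
    off = 24
    if hdr["to_ds"] and hdr["from_ds"]:  # both DS bits set: four-address (WDS) frame
        hdr["addr4"], off = mac(frame[24:30]), 30
    if hdr["type"] == 2 and hdr["subtype"] & 0x08:  # QoS data subtypes carry QoS Control
        qos = struct.unpack_from("<H", frame, off)[0]
        hdr["tid"] = qos & 0x0F  # user priority
        hdr["ac"] = UP_TO_AC[hdr["tid"]]
    return hdr

# Constructed sample: QoS Data, fragment 1 of sequence 2050, From DS + Retry + Protected, TID 6
QOS_DATA = bytes.fromhex("884a2c00" "001122334455" "66778899aabb" "ccddeeff0011" "2180" "0600")
# Constructed sample: PS-Poll from the STA with AID 5 (Duration/ID = 0xC005)
PS_POLL = bytes.fromhex("a400" "05c0" "66778899aabb" "001122334455")
```

Running `parse_header` over the two samples shows the Retry and Protected flags, the 44 µs NAV, sequence 2050 / fragment 1 and TID 6 (AC_VO) for the data frame, and AID 5 instead of a NAV for the PS-Poll.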
The HT Control field is used to specify various parameters related to HT and VHT operation.
There is an HT variant and a VHT variant of the HT Control field. The table below shows the HT Control field as defined in 802.11-2012, before 802.11ac was ratified.
Figure 3.13 shows the Link Adaptation Control subfield details from 802.11-2012.
Note that in the above figure, bit 0 is reserved. That is, of the 16 bits in the Link Adaptation Control subfield, only 15 are used and the first bit is reserved.
The figure below shows the HT Control field in 802.11ac. The format seems to have changed entirely from Figure 3.12; however, it has not changed nearly as much as it appears. The VHT subfield simply reuses the reserved bit 0 of the Link Adaptation Control subfield as it existed in 802.11-2012 to determine the format of the next 29 bits (now the HT Control Middle subfield) of the HT Control field.
From these images, you can see that the VHT subfield now determines whether the HT Control Middle bits are formatted for HT communications (VHT=0) or VHT communications (VHT=1). This VHT subfield was simply a reserved bit in previous editions of the 802.11 standard.
The HT Control field is used for communications related to antenna selection and beamforming.
The frame body contains the actual MSDU payload to be transmitted. It incurs overhead if encryption is used and may include extra information in a mesh BSS. When a Mesh Control field is included in the frame body, it is encrypted as part of the data.
TKIP/RC4 incurs 20 bytes of overhead and CCMP/AES incurs 16 bytes of overhead.
The final field is the Frame Check Sequence (FCS), a 4-byte (32-bit) field. It is calculated over the MAC header and frame body and is used to detect errors in communication.
Carpenter, Tom. CWAP® Certified Wireless Analysis Professional Official Study Guide: CWAP-402 . Certitrek Publishing. Kindle Edition.