Part 2: Issues with deploying enterprise wireless in the mining industry


This continues on from Part 1, which can be found at the link below.

Issue of deploying Enterprise wireless in the Mining environment Part 1


The aim of this blog is to highlight some of the common issues that I have faced when designing and installing enterprise wireless networks in the mining industry.

The wireless technology deployed on these sites is Cisco.

A picture paints a thousand words, so I am going to use them as part of my explanations.

AP Placement:


Picture: one CAT795F dump truck in an 8 bay garage

The picture above highlights many of the issues I face with antenna selection and AP placement.

  • Overhead mobile crane systems can dislodge APs or cause shadow zones
  • Heavy vehicles (massive Tonka trucks) are just big RF killers
  • Reflective insulation on walls and roofs: antenna selection and AP placement need to take this into account

Part 3 will go into the specifics of AP placement.




Picture: CAT797B dump truck (RF Killer)



Picture 2: Cable trays

Running data and power cabling can be a very costly exercise given the size of the locations. Equipment such as scaffolding and mobile elevated work platforms needs to be hired, and the same equipment is required for AP installation. Hire equipment needs to be mine rated and requires permits and a licence to operate.

Existing cable trays are used for LV and HV cabling, so alternate paths are needed for data. Some areas have fibre, but any spares are reserved for production equipment.



Picture: Coal wash plant (washing machine on steroids)

Certain locations where client devices may operate are extremely problematic for RF propagation and AP installation. Sometimes the customer needs to be educated and shown an alternate solution, as ubiquitous coverage is not always possible in certain environments, especially once cost is considered.


Picture: Water plant

  • APs require maintenance due to getting covered in material ($$$)
  • APs require engineered mounting brackets because the locations shake and vibrate 24/7
  • AP life span is reduced due to the chemicals and material in the area

Some sites contain locations that are rather old and contain asbestos, which can be a headache for the installation of cabling and APs.


Locations can be remote with no connection back to the main site, so a P2P link is sometimes required. Over time the link stops working and you discover that the mine has decided to put a massive stockpile of ore where there once used to be road, which now blocks the link.

Rogue Networks

Mine sites use wireless mesh networks for their production networks and mobile fleets. Technologies such as Rajant and TropOS are the most common I have seen, and they can operate at up to 4 watts.


Picture: Rajant BreadCrumb antennas installed in a workshop

Apart from the ACI and CCI issues they can cause, some locations have business SSIDs being broadcast over the mesh network. When a fleet vehicle enters a non-production area it can cause client connectivity issues given the EIRP and client behaviour. A simple solution would be to remove the SSID from the meshed network, but nothing is simple.

Contracting companies install their own wireless networks, most of the time with the default 80 MHz wide channels.


Mice eating newly installed fibre occurs often over the winter period. Installing mouse traps etc. requires approval, which can be difficult depending on the site.

Picture: Mice have chewed the fibre (notice the paw prints and mice shit).


Part 3 will address AP placement and considerations  to provide wireless coverage based


Part 1: Issue of deploying Enterprise wireless in the Mining environment

The purpose of this blog post is to highlight some of the issues that I have faced over the past 6 years of trying to deploy enterprise and non-enterprise wireless solutions in the mining industry.

Given the need for mobility, guest access and the demand for increased productivity, I have seen a dramatic increase in enterprise wireless networks being deployed in the mining industry.

Picture: Coal Mine

The mining industry is a complex, harsh beast. There are extremes of both hot and cold weather, shift work, and long 12-14hr days in environments where safety keeps you alive. Locations are remote; some of the mines are hundreds or thousands of miles from the nearest town. Aside from the work environment, there are a great many challenges and hoops one must jump through before even getting on to site.

For instance, one cannot simply walk around with their laptop and collect information easily, compared to an office environment (love those surveys).

Each mine site has different access and safety requirements before you can enter the site and subsequent areas.

Things that are common:

  • Site and area specific Personal Protective Equipment (PPE)
    • Depending on the PPE requirements, it can be rather difficult to conduct a WSS.
      • At minimum it is always:
        • Hard hat
        • Safety glasses
        • Ear protection
        • Gloves (sometimes you have 2-3 different pairs)
        • High visibility clothing, long sleeved shirt and pants
        • Steel cap lace-up boots (some sites have specific boots to wear that are issued on location)
        • At worst, I have had to wear a full face respiratory system in the hot Australian summer (could not see shit).
  • Site and area specific inductions
    • These can be 1hr to a full day depending on the area.
  • Safety inductions
    • Sometimes require additional first aid training
    • Electrical safety awareness induction
    • Working at heights (some roof heights are 30m+)
  • Work permits
    • You may be required to sign on to a permit or have your own specific work permit generated. This again is time consuming as it requires approvals.

Once you have the basics out of the way, you may be able (I stress “maybe”, as you still need approval from the on-shift superintendent or supervisor) to enter the area, and 99% of the time it is under escort.

In my experience the floor plans provided are never correct. Most of the time I have to draw them up or use the evacuation plans located near fire exits (sometimes they are correct).

  • Given the time constraints and environment, an AP-on-a-stick (APoS) survey is not able to be performed in most cases


Picture: Heavy Vehicle workshop

  • Restricted areas:
    • production outage can cause millions of dollars per hour.   Miners will not stop working  so I  can walk around and collect some data points on a production piece equipment. All the time you stick to the designated walk way and collect what information you can.
  • Information gathering can be a serious issue as some sites do not let you take photos. So note pad and pen is all you have and given these environments are  extremely dirty, muddy and wet,  you need to ensure you look after (Zip lock bag) your gear. There is limited chance of  a second bite of the cherry if you forget to get the switch model number/details and communications cabinet number.


Picture: Dusty areas


Picture: standard comms cabinet out in the field (not one of mine)

  • Damage to equipment
    • As mentioned before, these environments are dirty and can be extremely hot or cold depending on the time of year. Your equipment is your lifeline, and it will get dirty. So far I have been lucky (or unlucky) and have only damaged the screen on my Surface Pro 4. I was still able to use it to complete the WSS. Everything I have is stored in Pelican cases.


Picture: Pelican cases of equipment


Picture: Tripod


Picture: a couple of Pelican cases when they were brand new.


Picture: Damaged SP4, but it could still charge on; I used an iPad screen protector to keep it together.

Once you have completed the survey and collected all your required information, next comes the joy of trying to design the wireless network based on the environment and the wireless criteria.

Which I will discuss in my next blog post.

RF basics part 1

Radio Waves

  • Radio waves consist of
    • An electric field (E)
    • A magnetic field (H)
    • The E field is at 90 degrees to the H field
      • This is known as an electromagnetic wave

Electromagnetic wave (EM)

  • Travels at the speed of light, approximately 300,000,000 metres per second
  • Radio waves, like light, are a form of electromagnetic radiation

Reflection

  • Happens when a wave hits a denser reflective medium

Refraction

  • Happens when a wave travels from a less dense to a more dense medium, or vice versa

Diffraction

  • Happens when a wave hits an object and bends partially around it
    • Leaves a blind spot or shadow zone

Frequency

  • The measure of the number of complete cycles in 1 second
  • The base unit is the Hertz (Hz)
  • Therefore 1 cycle in 1 second = 1 Hz, 4 cycles in 1 second = 4 Hz
  • Frequency is a measure of time

Wavelength

  • Wavelength is a measure of distance
  • It is the length in metres of 1 complete cycle
  • The lower the frequency, the longer the wavelength, and vice versa
  • The shorter the wavelength, the higher the energy

Formula for frequency

  • f = c/λ
  • f = frequency
  • λ = wavelength
  • c = speed of light

Formula for wavelength

  • λ = c/f






Wireless Design steps (CWDP) overview

The following information is from “Carpenter, Tom. CWDP Certified Wireless Design Professional Official Study Guide. Certitrek Publishing. Kindle Edition.” I put this in a blog post as part of my study for the CWDP exam, and it is excellent information to have on hand.

Wireless design steps (high-level)

First, the problems with not designing a wireless network properly:

  • Insufficient wireless coverage: without sufficient coverage, dead spots (no signal) and low data rates occur (users take longer to perform their wireless tasks)
  • Insufficient capacity: not designing the wireless network based on the clients to be supported (iPads, laptops, smartphones) and their required TCP/IP throughput
    • With sufficient coverage and insufficient capacity the WLAN still fails.
  • No scalability
  • Lack of required functionality: focusing only on the RF and missing the needed capabilities on the network, such as the required configuration on the Cisco wireless LAN controller

Problems with cookie-cutter designs

  • Increased hardware cost
  • Poor performance


The wireless design process is similar to most methodologies.

  • Define
    • Requirements analysis
    • Understand the solution and customer needs
    • In-depth knowledge of WLAN technology
    • In-depth knowledge of wired LAN technology
    • Information gathering
    • Pre-site survey checklists
  • Design
    • Wireless site surveys and the design of the WLAN
    • Determine AP locations
    • Wired-infrastructure services, power provisioning, AP settings, controller settings, QoS, etc.
    • BoM
  • Implement
    • Configure and install
    • Configure infrastructure
    • DNS, DHCP etc.
    • Provision power and network access
    • Configure and install APs
  • Validate
    • Ensure it meets the requirements from the define phase. Many times I have implemented some form of automatic channel management to help with issues such as AP power and channel management; this is not a replacement for a validation survey.
    • The validation process is basically an active site survey performed after the installation. The following should be verified:
    • Coverage: ensures that a sufficient signal is available in all required areas
    • Capacity: ensures that the WLAN can provide the needed throughput defined in the requirements, channel and AP power requirements
    • Capabilities: include features like fast secure roaming, guest registration, onboarding, security etc.

The Validate phase is critical, as it is where we can make adjustments to channels to reduce potential interference issues and adjust the power of APs.

Carpenter, Tom. CWDP Certified Wireless Design Professional Official Study Guide. Certitrek Publishing. Kindle Edition.

Are the CWNP (CWAP, CWSP & CWDP) certifications worth it?

Is it worth undertaking the time and effort to achieve any of the CWNP Professional certifications such as CWAP, CWSP and CWDP?

YES it is, without a doubt worth it.

After I completed my CWNA, I was wondering what certification track to embark on next. I was looking into CCNP Wireless as I already hold a CCNA Wireless, and the company I work for is a Cisco shop.

However, I decided to embark on the CWDP certification, as I was currently doing a great deal of wireless site surveys and designs. I was also very lucky to have the opportunity to work on a project with a 2x CCIE and CWNE, which motivated me to not only study for my CWDP but also achieve the other 2 certifications and go for my CWNE, as he offered to endorse me (part of the application process to become a CWNE requires 3x endorsements, one of which is highly recommended to be from a current CWNE). After 7 months of study I passed all 3 CWNP exams first time with an 85% pass on all of them.

The order I completed the exams was CWDP, CWAP and CWSP. This is not the most recommended way to complete the exams but suited my strengths and interests, which is what I suggest.

The study time line is as follows

  • CWDP: just under 2 months
  • CWAP: just over 3 months
  • CWSP: just over 2 months

I spent on average 2-3hrs a day studying for these exams, while juggling university studies, family and work life.

My average Monday-Friday day consisted of the following while studying:

  • 3:50am wake up (caffeine, lots of it)
  • 4:00am CWNP study
  • 5:00am exercise
  • 5:45am family/work routine
  • 7:00am CWNP study on the train, 50mins
  • 12:00pm lunch, CWNP study 15mins
  • 4:30pm study on the train, 50mins
  • 7:30pm CWNP and uni study
  • 9:30pm bed


  • 5:00am wake up (caffeine, lots of it)
  • 5:15am CWNP study
  • 8am-6:30pm family time / go to the gym for 1hr
  • 7pm uni study
  • 9:30pm bed

When I had university assignments and exams coming up my daily routine was different; as well, life, work and kids always make things interesting, but the above is the average.

The CWNP study guides are excellent and some of the best I have read. The exams are straightforward, and if you know the material the questions won't trick you up like some exams.

I actually found the CWSP exam the hardest out of all of them; most say they find the CWAP the hardest, but for me it was not the case.

I can honestly say I really enjoyed studying for the CWNP certifications, as there is nothing worse than having to read something you couldn't give a rat's ass about.

The knowledge and skills I learnt from this have greatly assisted me in every aspect of my job as a wireless network engineer, and I recommend the certifications to anyone.

Now that I have completed the CWNP track I will be applying for my CWNE, which deserves a blog post on its own.

Wireless QoS (CWAP)

The following information is taken, as part of my study for the CWAP exam, from “Carpenter, Tom. CWAP® Certified Wireless Analysis Professional Official Study Guide: CWAP-402. Certitrek Publishing. Kindle Edition.”

QoS for wireless networks is based on the 802.11e (QoS) amendment, which is part of the 802.11-2012 standard. It implements a layer 2 QoS solution for the wireless link. It is the responsibility of the wired devices (APs or controllers) to convert the 802.11e markings to 802.1p and/or DSCP markings for communications on the wired side.

The 802.11e (QoS) amendment defines the following access methods for QoS frames: Enhanced Distributed Channel Access (EDCA) and HCF Controlled Channel Access (HCCA). As of today HCCA is not used.

EDCA defines four access categories, based on the eight user priorities, which are mapped to CoS values for the wired side.

The four access categories from lowest priority to highest priority are:

  • AC_BK (Background),
  • AC_BE (Best Effort),
  • AC_VI (Video), and
  • AC_VO (Voice).

Frames in the highest-priority access category have the lowest backoff (timer) values and are therefore more likely to get a transmit opportunity.

Now EDCA does not provide guaranteed access to the wireless medium but provides probabilistic prioritisation (frames should be prioritised for delivery but still contend for the medium). The reason for this is that 802.11 wireless is a half-duplex medium: before a device can transmit it must check to see if the medium is busy or in use. All wireless stations (devices), including APs, must contend for the wireless medium. It uses CSMA/CA (collision avoidance), which is a bunch of mechanisms and values used to decrease the chance that two stations will try to transmit at the same time. Once it has determined the medium is available, it is able to transmit; if the medium is busy or a collision occurs it resets its timers and starts the contention process again. So regardless of priority, a frame cannot always gain access to the medium before a lower priority frame.

Where we can get really unstuck is that wireless is an unlicensed, uncontrolled medium, so the above issue can become a real problem in a high density (multiple devices and 802.11 networks) environment. Correct wireless design and regular monitoring are critical.

Please note that certain vendors do implement their own proprietary QoS settings, but the contention process is still the same.


Carpenter, Tom. CWAP® Certified Wireless Analysis Professional Official Study Guide: CWAP-402. Certitrek Publishing. Kindle Edition.


Configuring Cisco DHCP Option 60 & 43 for Cisco Lightweight APs

The aim of this blog is to document the steps I took to configure Cisco DHCP Option 60 & 43, as I had never done it before. If I was going to implement just one for a deployment it would be Option 43 (step 13), which can also be configured on Cisco switches.


All the guide, steps and information listed below can be found at

My lab setup is as listed below:

  • Windows 2008 R2 server running a DHCP server
  • AP Management DHCP scope is /24
  • WLC 2504 model with an IP address
  • Cisco 3702i AP


  • WLC is configured
  • Console connection to the LAP
  • LAP is able to ping the WLC
  • DHCP server is configured with the AP Management IP address scope
  • LAP has received an IP address from the DHCP server
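As an added example (not part of the original post, which did this through the Windows DHCP GUI), the script below builds and checks the Option 43 value a Cisco lightweight AP expects and renders the equivalent Cisco IOS DHCP pool. It assumes the Cisco-documented sub-option format (type 0xf1, a length byte, then the controller IPv4 addresses); the 192.0.2.0/24 pool, pool name and controller address are constructed placeholders, and the vendor class identifier string should be confirmed against Cisco's table for the AP model in use.

```python
"""Encode/decode the DHCP Option 43 value that points Cisco lightweight APs at a WLC.

Added example, not from the original post. It implements the encoding Cisco documents
for CAPWAP/LWAPP APs: sub-option type 0xf1 (241), a length byte of 4 x the number of
controllers, then each controller management IPv4 address as four raw bytes. The pool
and addresses used at the bottom are constructed placeholders, not the lab's real values.
"""
import ipaddress

WLC_SUBOPTION_TYPE = 0xF1


def encode_option43(controllers) -> str:
    """Return the raw hex string for Option 43 (what you paste as the binary value on Windows)."""
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    if not addrs:
        raise ValueError("at least one controller address is required")
    payload = b"".join(a.packed for a in addrs)
    if len(payload) > 255:
        raise ValueError("sub-option length byte cannot exceed 255")
    return bytes([WLC_SUBOPTION_TYPE, len(payload)]).hex() + payload.hex()


def dotted_hex(hex_value: str) -> str:
    """Cisco IOS 'option 43 hex' form: groups of four hex digits separated by dots."""
    return ".".join(hex_value[i:i + 4] for i in range(0, len(hex_value), 4))


def decode_option43(hex_value: str) -> list:
    """Parse an Option 43 value (plain or dotted hex) back into controller addresses."""
    raw = bytes.fromhex(hex_value.replace(".", "").replace(" ", ""))
    if len(raw) < 2 or raw[0] != WLC_SUBOPTION_TYPE:
        raise ValueError("not a Cisco WLC sub-option (type 0xf1)")
    length, body = raw[1], raw[2:]
    if length != len(body) or length % 4 != 0:
        raise ValueError("length byte must equal the payload size and be a multiple of 4")
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]


def ios_dhcp_pool(name, network, mask, router, vci, controllers) -> str:
    """Render the equivalent Cisco IOS DHCP pool (Option 43 on a switch, as the post mentions)."""
    return "\n".join([
        f"ip dhcp pool {name}",
        f" network {network} {mask}",
        f" default-router {router}",
        f' option 60 ascii "{vci}"',
        f" option 43 hex {dotted_hex(encode_option43(controllers))}",
    ])


if __name__ == "__main__":
    # Constructed lab values: AP management scope 192.0.2.0/24, WLC management at 192.0.2.10.
    # "Cisco AP c3700" is the VCI Cisco lists for the 3700 series; check the table for your model.
    print(ios_dhcp_pool("AP-MGMT", "192.0.2.0", "255.255.255.0", "192.0.2.1",
                        "Cisco AP c3700", ["192.0.2.10"]))
```

The decoder is the useful half when troubleshooting: paste the hex the DHCP server is actually handing out and it tells you which controllers the AP will try, or rejects a value whose length byte does not match.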


Option 60: Configuration



Option 43: Configuration




Wireshark 802.11 Frame

I put together this information to better understand the 802.11 frame as part of my study for the CWAP exam, from “Carpenter, Tom. CWAP® Certified Wireless Analysis Professional Official Study Guide: CWAP-402. Certitrek Publishing. Kindle Edition.”

The Frame Control field

Frame Control field: identifies the frame type (management, control or data) and the subtype (e.g. RTS, CTS).

The protocol version is set to 00 unless an incompatible version is released; these bits can be used for such notification.


DS Status:


More Fragments:


The More Fragments subfield is used to indicate whether the current frame is part of a fragmented frame or not. When the bit is set to 1, fragmentation is being used.

Fragmentation occurs based on the fragmentation threshold setting in the AP or client device. It is used to increase the probability that a transmitted frame will be received.

Retry: the Retry field is useful in tracking frame transmission errors. If a frame is transmitted and no ACK frame is returned, the transmitting STA will resend the frame using the contention process. If the Retry field is set to 1, the frame has been retransmitted.


The Power Management field is a 1-bit field indicating whether power management is used by the STA. The value of this field determines the mode in which the STA will operate after the completion of the frame transmission.

On an AP it is always set to 0, as the AP does not enter power save mode.

It is also set to 0 in management frames that cannot be buffered and in frames sent to an AP by a STA before it is associated. All other frames may use the bit, set to 1, to indicate the intention to enter power save mode so that the AP knows to buffer frames for that STA until it wakes.



The More Data field is used by the AP (or another STA in an IBSS) to indicate that more frames are buffered for that STA, so that it will not enter sleep mode.

When set to 1 it indicates that the AP or STA is holding more frames for the STA to which the current frame is targeted.

When a STA sends a frame to the AP and that frame includes the More Data ACK subfield of the QoS Capability element set to 1, and the AP has frames buffered for the STA with Automatic Power Save Delivery (APSD) enabled, the AP will set the More Data field to 1 in the ACK frame that it sends back to that STA, so that the STA knows the AP has frames buffered for it.


The Protected Frame field, which replaces the older WEP field, indicates that the MSDU in the frame is encrypted if it is set to 1. When set to 0, no encryption is used at the 802.11 MAC sublayer.



The Order field is used for two purposes:

  • It is set to 1 in a non-QoS data frame to indicate that it contains an MSDU.
  • It is set to 1 in a QoS data or management frame to indicate that the frame contains an HT Control field. This allows processing by HT devices that are aware of the decoding of the HT Control field.


The Duration/ID field is used for two purposes:

  • It may contain the duration of the frame
  • It may contain the association identifier (AID) of the STA that transmitted the frame.


When a PS-Poll frame is transmitted by a STA, the Duration/ID field contains the AID of the STA so that the AP knows that it is awake and can send buffered frames.

In both non-QoS and QoS data frames, it contains the duration of the frame.

In control frames it contains the duration of the frame exchange. When it contains a duration, it is used to set the NAV timer for CSMA/CA operations.


Address 1, 2, 3 and 4

The 802.11 general frame format specifies four address fields.

Receiver address: is always the immediate recipient of the frame.

Destination address: is the ultimate target of the frame.

Source address: is always the original source of the frame.

Transmitter address: is the address of the STA that transmitted the frame onto the medium.


The 16-bit Sequence Control field is used with fragmentation and for the removal of duplicate frames should they occur. It is divided into a 4-bit fragment number and a 12-bit sequence number. When an MSDU is fragmented, all fragments have the same sequence number and the fragment number is incremented by 1 (starting at 0) for each frame until all fragments are delivered. The sequence number starts at 0 and is incremented for each new frame, or set of frames when fragmentation is used, until it reaches 4095, at which point it simply resets to 0 and begins again. The primary use of this field in analysis is the detection of fragmented frames and the analysis of in-sequence or out-of-sequence frame delivery.
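The parser below is an added example (not from the study guide or the original post) that decodes the fields described above: the Frame Control type, subtype and flag bits, Duration/ID (including the PS-Poll AID case), the three addresses, Sequence Control, and, for QoS data frames, the TID and its WMM access category. It also builds the Wireshark wlan.fc.type_subtype filters used in the management-frame section that follows. The two sample headers are constructed with locally-administered placeholder MAC addresses.

```python
"""Minimal 802.11 MAC header parser (added example, not code from the CWAP study guide).
Fields follow IEEE 802.11-2012 (little-endian); the sample frames at the bottom are
constructed with locally-administered placeholder MACs, not captured traffic."""

FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}
MGMT_SUBTYPES = {
    0: "Association Request", 1: "Association Response",
    2: "Reassociation Request", 3: "Reassociation Response",
    4: "Probe Request", 5: "Probe Response", 8: "Beacon",
    10: "Disassociation", 11: "Authentication", 12: "Deauthentication",
}
# WMM maps the 3-bit user priority (802.1D tag) carried in the TID to an access category.
TID_TO_AC = {1: "AC_BK", 2: "AC_BK", 0: "AC_BE", 3: "AC_BE",
             4: "AC_VI", 5: "AC_VI", 6: "AC_VO", 7: "AC_VO"}

def parse_frame_control(fc: bytes) -> dict:
    """Decode the 2-byte Frame Control field into type, subtype and the eight flag bits."""
    b0, b1 = fc[0], fc[1]
    ftype = (b0 >> 2) & 0x03
    subtype = (b0 >> 4) & 0x0F
    return {
        "version": b0 & 0x03,   # 00 for every 802.11 release to date
        "type": ftype,
        "subtype": subtype,
        # Same packing Wireshark uses for its wlan.fc.type_subtype filter field.
        "type_subtype": (ftype << 4) | subtype,
        "name": MGMT_SUBTYPES.get(subtype, "other") if ftype == 0 else FRAME_TYPES[ftype],
        "to_ds": bool(b1 & 0x01),
        "from_ds": bool(b1 & 0x02),
        "more_fragments": bool(b1 & 0x04),
        "retry": bool(b1 & 0x08),
        "power_management": bool(b1 & 0x10),
        "more_data": bool(b1 & 0x20),
        "protected": bool(b1 & 0x40),
        "order": bool(b1 & 0x80),
    }

def parse_duration_id(fc: dict, raw: bytes) -> dict:
    """Duration/ID holds an AID in PS-Poll (control subtype 10) and a NAV duration otherwise."""
    value = int.from_bytes(raw, "little")
    if fc["type"] == 1 and fc["subtype"] == 10:
        return {"aid": value & 0x3FFF}        # bits 14-15 are set to 1 in a PS-Poll
    return {"duration_us": value & 0x7FFF}     # bit 15 is 0 when the field is a duration

def parse_sequence_control(raw: bytes) -> dict:
    """4-bit fragment number in the low bits, 12-bit sequence number in the high bits."""
    value = int.from_bytes(raw, "little")
    return {"fragment": value & 0x0F, "sequence": value >> 4}

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_mac_header(frame: bytes) -> dict:
    """Parse the MAC header of a management or data frame (control headers vary by subtype)."""
    if len(frame) < 24:
        raise ValueError("need at least 24 bytes for a management/data MAC header")
    fc = parse_frame_control(frame[0:2])
    if fc["type"] not in (0, 2):
        raise ValueError("control frame headers are not handled by this parser")
    hdr = {
        "frame_control": fc,
        "duration_id": parse_duration_id(fc, frame[2:4]),
        "addr1": mac(frame[4:10]),
        "addr2": mac(frame[10:16]),
        "addr3": mac(frame[16:22]),
        "sequence_control": parse_sequence_control(frame[22:24]),
    }
    offset = 24
    if fc["type"] == 2:
        if fc["to_ds"] and fc["from_ds"]:       # both DS bits set: Address 4 is present
            hdr["addr4"] = mac(frame[24:30])
            offset += 6
        if fc["subtype"] & 0x08:                # QoS data subtypes have bit 3 of the subtype set
            qos = int.from_bytes(frame[offset:offset + 2], "little")
            tid = qos & 0x0F
            hdr["qos_control"] = {"tid": tid, "access_category": TID_TO_AC[tid & 0x07]}
            offset += 2
    hdr["header_length"] = offset
    return hdr

def wireshark_filter(type_subtypes, exclude=False) -> str:
    """Build a display filter; excluding several subtypes needs 'and', including needs 'or'."""
    op, join = ("!=", " and ") if exclude else ("==", " or ")
    return join.join(f"wlan.fc.type_subtype{op}0x{ts:02x}" for ts in type_subtypes)

# Constructed sample 1: beacon (type 0, subtype 8) to broadcast, sequence 1234, fragment 0.
BEACON_HDR = bytes.fromhex("8000" "0000" "ffffffffffff" "020000000001" "020000000001" "204d")
# Constructed sample 2: protected, retried QoS data frame from the AP (From DS set),
# sequence 5, fragment 2, TID 6 (voice priority).
QOS_DATA_HDR = bytes.fromhex("884a" "2c00" "020000000002" "020000000001" "020000000003"
                             "5200" "0600")
```

Feed parse_mac_header the bytes of a frame exported from Wireshark and compare its output with the dissector's Frame Control tree; the type_subtype value it reports is the one to plug into the filters.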



The QoS Control field is a 16-bit field that identifies the category to which the frame belongs for queuing purposes.


The most important factor in this field for most analysis is the user priority (UP) information for the frame. In the standard, this is referenced as the traffic identifier (TID) subfield. Given that EDCA is implemented in QoS WLANs based on the Wireless Multimedia (WMM) certification by the Wi-Fi Alliance, bits 0-3 in the QoS Control field are mapped with possible values from 0 to 7. The table below lists the mapping of WMM access categories (ACs) to 802.1D tags.

[Table: mapping of WMM access categories (ACs) to 802.1D tags]


WMM operates based on queues created for the various ACs. For example, a STA will have a queue for AC_VO, another for AC_VI, and so on. The highest priority queue gets to take advantage of a transmit opportunity (TXOP) before the lower priority queues.


The key to understanding the probabilistic priorities provided by WMM is the contention window (CW). Without WMM (or EDCA), the CW has a minimum value (aCWmin) of 0 and a maximum value (aCWmax) of 1023. This changes with WMM. The table below lists the default EDCA or WMM CW parameters.

[Table: default EDCA/WMM contention window parameters per access category]

The above table makes it clear that a backoff timer randomly selected from the CW will, more often than not, be a higher value for AC_BE and AC_BK frames than for AC_VO and AC_VI frames.
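The simulation below is an added example (not from the study guide) that shows the probabilistic prioritisation described in the QoS section above and in the contention window discussion here: one queue per access category draws an EDCA backoff using the default non-AP STA parameters (CWmin, CWmax and AIFSN from 802.11-2012, with the OFDM PHY values aCWmin = 15 and aCWmax = 1023), and the smallest draw wins the round. Slot timing and actual transmissions are abstracted away, and the round count and seed are arbitrary.

```python
"""Monte-Carlo view of EDCA's probabilistic prioritisation (added example, not from the study guide).

Default EDCA parameters for a non-AP STA from 802.11-2012 / WMM, using the OFDM PHY
values aCWmin = 15 and aCWmax = 1023. Slot timing, AIFS duration and actual transmissions
are abstracted away: each contender draws a backoff, the smallest draw wins, equal draws collide.
"""
import random

# AC: (CWmin, CWmax, AIFSN) for a non-AP STA
EDCA_STA_DEFAULTS = {
    "AC_BK": (15, 1023, 7),
    "AC_BE": (15, 1023, 3),
    "AC_VI": (7, 15, 2),
    "AC_VO": (3, 7, 2),
}


def contention_window(ac: str, retries: int = 0) -> int:
    """CW grows as (CWmin + 1) * 2^retries - 1 after each failed attempt, capped at CWmax."""
    cwmin, cwmax, _ = EDCA_STA_DEFAULTS[ac]
    return min(cwmax, (cwmin + 1) * (2 ** retries) - 1)


def backoff_slots(ac: str, rng: random.Random, retries: int = 0) -> int:
    """AIFSN slots of mandatory idle time plus a uniform random draw from [0, CW]."""
    return EDCA_STA_DEFAULTS[ac][2] + rng.randint(0, contention_window(ac, retries))


def simulate(rounds: int = 20000, seed: int = 1, acs=tuple(EDCA_STA_DEFAULTS)) -> dict:
    """One queue per AC contends every round; returns win counts and the number of collisions."""
    rng = random.Random(seed)
    wins = {ac: 0 for ac in acs}
    collisions = 0
    for _ in range(rounds):
        draws = {ac: backoff_slots(ac, rng) for ac in acs}
        best = min(draws.values())
        winners = [ac for ac, d in draws.items() if d == best]
        if len(winners) == 1:
            wins[winners[0]] += 1
        else:
            collisions += 1   # two queues reached slot 0 together: both back off again
    return {"wins": wins, "collisions": collisions, "rounds": rounds}


def win_share(result: dict) -> dict:
    """Fraction of rounds each AC won, highest first."""
    rounds = result["rounds"]
    shares = {ac: n / rounds for ac, n in result["wins"].items()}
    return dict(sorted(shares.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    for ac, share in win_share(simulate()).items():
        print(f"{ac}: {share:.1%}")
```

With a voice queue always present, AC_BK never wins a round here because its AIFSN of 7 alone exceeds the largest AC_VO draw (2 + 3), which is the "higher value more often than not" effect from the table made visible.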

HT Control

The HT Control field is used to specify various parameters related to HT operations and VHT operations.


There is an HT variant and a VHT variant of the HT Control field. The figure below shows the HT Control field in the 802.11-2012 standard, before 802.11ac was ratified.

[Figure (3.12 in the study guide): HT Control field in 802.11-2012]

Figure 3.13 shows the Link Adaptation Control subfield details from 802.11-2012.

Note that in the above figure, bit 0 is reserved. That is, of the 16 bits in the Link Adaptation Control field, only 15 are used and the first bit is reserved.

The figure below shows the HT Control field in 802.11ac. The format seems to have changed entirely from figure 3.12; however, the format has not changed nearly as much as it appears. The VHT subfield simply utilises the reserved bit 0 from the Link Adaptation Control subfield as it existed in 802.11-2012 to determine the format of the next 29 bits (now the HT Control Middle subfield) in the HT Control field.

[Figure: HT Control field in 802.11ac]

From these figures, you can see that the VHT subfield now determines whether the HT Control Middle bits are formatted for HT communications (VHT=0) or VHT communications (VHT=1). This VHT subfield was simply a reserved bit in previous editions of the 802.11 standard.

The HT Control field is used for communications related to antenna selection and beamforming.

Frame Body

Contains the actual MSDU payload to be transmitted. It incurs overhead if encryption is used, and may include extra information in a mesh BSS: when the Mesh Control field is included in the frame body, it is encrypted as part of the data.

TKIP/RC4 incurs 20 bytes of overhead and CCMP/AES incurs 16 bytes of overhead.


The final field is the Frame Check Sequence field, which is a 4-byte or 32-bit field. It is calculated against the MAC header and frame body and is used to detect errors in communication.


Carpenter, Tom. CWAP® Certified Wireless Analysis Professional Official Study Guide: CWAP-402. Certitrek Publishing. Kindle Edition.

Wireshark 802.11 Management frames

The following information is taken from Carpenter, Tom. CWAP® Certified Wireless Analysis Professional Official Study Guide: CWAP-402. Certitrek Publishing. Kindle Edition, as part of my studies for the CWAP exam so that I can better understand wireless management frames.

Management frames: are those used to manage access to the WLAN, announce information about it and perform certain actions. The following Wireshark captures show and explain the types of management frames used:


Beacon: is a management frame (type 0) subtype (8) used to announce information about the BSS by the AP.

Beacon frames by default are transmitted by the AP every 100 time units (TUs), or at the same interval by STAs in an IBSS. A TU is 1024 microseconds, so 100 TUs is 102.4 milliseconds (ms). Beacon intervals can be adjusted, but lengthening them does very little except in networks with a high SSID count. Beacon frames contain a great deal of information.

Beacon frames serve many purposes, including:

  • Announce the existence of a BSS
  • Provide information required by client STAs to determine their ability to connect to the BSS
  • Provide power management information related to buffered frames
  • Indicate the security required to participate in the BSS
  • Provide signal strength information to client STAs to select the best APs for connections
  • Quickly identify the existing APs and the SSIDs they serve using a Wi-Fi scanner or protocol analyser


The following Wireshark display filters are used for filtering beacon frames:

To filter on beacon frames: wlan.fc.type_subtype==0x08

To filter out beacon frames: wlan.fc.type_subtype!=0x08

Beacon frame timing: beacons are sent at a target beacon transmission time (TBTT). They are configured by default to be transmitted every 100 TUs; at times the beacon frame cannot be sent exactly every 100 TUs due to other frames that are on the WM, but it will be sent as soon as possible after the TBTT.

Beacon frames must contend for the WM like other frames.

Probe request and probe response frames

Probe request: is a management frame (type 0) subtype (4) used by the client to locate a BSS based on an SSID to which it may connect.

Probe response: is a management frame (type 0) subtype (5) used by the AP to respond to a client probe request.

Probe request and probe response frames are used for active scanning. The STA sends a probe request and the AP responds with a probe response. If a STA sends a probe request with a broadcast SSID, all APs on the channel respond with a probe response. This allows a STA to immediately request a listing of all APs available without waiting for beacon frames.

To filter on probe request and probe response frames: wlan.fc.type_subtype==0x4 or wlan.fc.type_subtype==0x5

To filter out probe request and probe response frames: wlan.fc.type_subtype!=0x4 and wlan.fc.type_subtype!=0x5


Association Request and Association Response

Association request: is a management frame (0) subtype(0)used to association with an AP and begin communication through it.

Screen Shot 2017-10-27 at 5.16.32 pm.png

Association Response: is a management frame(0) subtype (1)

Screen Shot 2017-10-27 at 5.16.38 pm.png

Disassociation: is a management frame (0) subtype(10)used to remove an association from an AP.

Screen Shot 2017-10-27 at 5.16.44 pm.png

Association and Disassociation  Frames: Association request and response process is a simple four frame exchange (authentication request, ACK, authentication response, ACK) used to enter the authenticated and associated state with the AP. After achieving this state, the STA may either use the network(open system authentication with no added security) or begin the 802.1X/EAP authentication process if used on the WLAN.

The disassociation frame is used to change from the authenticated and associated state to the authenticated not associated state. Disassociation frames are very simple,. They contain a reason for disassociation, vendor-specific informationm, and an integrity check when management frame protection is in used. The deuathentication frame is similar and uses the same basic structure. These two frames are in the managemnt category and are both considered announcement frames. The conecpt of an announcement or notifiacation frame is that the receiver cannot reject ther request(unless management frame protection is enablke and the security checks fail.) the receiver simply processes the requrest and either dissassociates or deauthenticates the STA.

To filter on Association Request and Association Response frames in Wireshark, use the following filter: wlan.fc.type_subtype == 0x0 or wlan.fc.type_subtype == 0x1

To filter out Association Request and Association Response frames in Wireshark, use the following filter: wlan.fc.type_subtype != 0x0 and wlan.fc.type_subtype != 0x1 (joining the two != tests with "or" would match every frame, since no frame can carry both values)

Reassociation Request and Response frames

Reassociation Request: is a management frame (0) subtype (2)

Reassociation Response: is a management frame (0) subtype (3)

Reassociation Request and Response frames are used to roam to another AP within the extended service set (ESS), or to reconnect to an AP from which the STA has briefly disconnected; in either case the AP must still hold authentication state for the STA. The Reassociation Request frame is an acknowledged frame and works in concert with the Reassociation Response frame, which simply allows or disallows the association.

The Reassociation Response frame also includes an association ID (AID) for the STA and a status code indicating reassociation success or failure, plus additional optional fields as referenced in IEEE 802.11-2012.

To filter on Reassociation Request and Reassociation Response frames in Wireshark, use the following filter: wlan.fc.type_subtype == 0x2 or wlan.fc.type_subtype == 0x3

To filter out Reassociation Request and Reassociation Response frames in Wireshark, use the following filter: wlan.fc.type_subtype != 0x2 and wlan.fc.type_subtype != 0x3

Authentication and deauthentication frames:

Authentication: is a management frame (0) subtype (11) used to authenticate to an AP in preparation for association or roaming.

Deauthentication: is a management frame (0) subtype (12) used to remove the AID and deauthenticate from the AP.

Authentication and Deauthentication frames: Authentication frames are used to enter the authenticated state with an AP. One frame is sent from the STA to the AP and another is sent back from the AP to the STA.

Deauthentication frames are used to end the authenticated state with the AP. They can be sent in either direction to remove the authentication state. If a deauthentication (deauth) frame is transmitted, it also removes the STA from the associated state, as a STA cannot be associated if it is not authenticated.

To filter on Authentication frames: wlan.fc.type_subtype == 0xb (Deauthentication frames are 0xc)

To filter out Authentication frames: wlan.fc.type_subtype != 0xb

802.11w introduced management frame protection, which protects Deauthentication frames as well as Disassociation, QoS Action and Radio Measurement Action frames. This protection is the same as that for data frames in that the Frame
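The subtype numbers and Wireshark filter values listed above all come from the two-byte Frame Control field. The following is an added example (not code from the page or the CWAP guide) that decodes that field, computes the value Wireshark shows as wlan.fc.type_subtype, and pulls the reason code, authentication sequence number and listen interval out of the management frame bodies discussed here. The sample frames, MAC addresses and reason code are constructed for the example; the MFP variant only sets the Protected Frame flag with a placeholder body to show that a protected frame's body is not parseable without the key.

```python
import struct

# 802.11 frame types and the subtypes discussed on this page (IEEE 802.11-2012, Table 8-1).
MGMT, CTRL, DATA = 0, 1, 2
SUBTYPE_NAMES = {
    (MGMT, 0): "Association Request",   (MGMT, 1): "Association Response",
    (MGMT, 2): "Reassociation Request", (MGMT, 3): "Reassociation Response",
    (MGMT, 4): "Probe Request",         (MGMT, 5): "Probe Response",
    (MGMT, 8): "Beacon",                (MGMT, 10): "Disassociation",
    (MGMT, 11): "Authentication",       (MGMT, 12): "Deauthentication",
    (MGMT, 13): "Action",
    (CTRL, 7): "Control Wrapper",       (CTRL, 8): "BlockAckReq",
    (CTRL, 9): "BlockAck",              (CTRL, 10): "PS-Poll",
    (CTRL, 11): "RTS",                  (CTRL, 12): "CTS",
    (CTRL, 13): "ACK",
}


def parse_frame_control(fc: bytes) -> dict:
    """Decode the two-byte Frame Control field: version/type/subtype in byte 0, flags in byte 1."""
    b0, b1 = fc[0], fc[1]
    return {
        "version": b0 & 0x03,
        "type": (b0 >> 2) & 0x03,
        "subtype": (b0 >> 4) & 0x0F,
        "to_ds": bool(b1 & 0x01),
        "from_ds": bool(b1 & 0x02),
        "more_fragments": bool(b1 & 0x04),
        "retry": bool(b1 & 0x08),
        "power_mgmt": bool(b1 & 0x10),
        "more_data": bool(b1 & 0x20),
        "protected": bool(b1 & 0x40),   # set on MFP-protected unicast management frames
        "order": bool(b1 & 0x80),
    }


def wireshark_type_subtype(fc: bytes) -> int:
    """The value Wireshark displays as wlan.fc.type_subtype: (type << 4) | subtype."""
    f = parse_frame_control(fc)
    return (f["type"] << 4) | f["subtype"]


def frame_name(fc: bytes) -> str:
    f = parse_frame_control(fc)
    return SUBTYPE_NAMES.get((f["type"], f["subtype"]), f"type {f['type']} subtype {f['subtype']}")


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_mgmt(frame: bytes) -> dict:
    """Parse a management frame: 24-byte MAC header, then the subtype-specific body."""
    fc = parse_frame_control(frame[:2])
    if fc["type"] != MGMT:
        raise ValueError("not a management frame")
    duration, = struct.unpack_from("<H", frame, 2)
    info = {
        "name": frame_name(frame[:2]),
        "type_subtype": wireshark_type_subtype(frame[:2]),
        "duration": duration,
        "ra": mac(frame[4:10]), "ta": mac(frame[10:16]), "bssid": mac(frame[16:22]),
        "protected": fc["protected"],
    }
    body = frame[24:]
    if fc["protected"]:
        # Under 802.11w the body is CCMP-encrypted; nothing to parse without the key.
        return info
    if fc["subtype"] in (10, 12):      # Disassociation / Deauthentication: 2-byte reason code
        info["reason_code"], = struct.unpack_from("<H", body, 0)
    elif fc["subtype"] == 11:          # Authentication: algorithm, sequence number, status
        info["auth_alg"], info["auth_seq"], info["status"] = struct.unpack_from("<HHH", body, 0)
    elif fc["subtype"] in (0, 2):      # (Re)association Request: capability, listen interval
        info["capability"], info["listen_interval"] = struct.unpack_from("<HH", body, 0)
    return info


# Constructed sample frames (made up for this example; addresses and values are arbitrary).
AP = bytes.fromhex("001122334455")
STA = bytes.fromhex("66778899aabb")


def mgmt_header(fc0: int, ra: bytes, ta: bytes, bssid: bytes, flags: int = 0) -> bytes:
    # Duration 44 us = SIFS + ACK at 24 Mbps OFDM; Sequence Control with sequence 1, fragment 0.
    return bytes([fc0, flags]) + struct.pack("<H", 44) + ra + ta + bssid + struct.pack("<H", 1 << 4)


DEAUTH = mgmt_header(0xC0, STA, AP, AP) + struct.pack("<H", 7)          # reason 7: class 3 frame from non-associated STA
DEAUTH_MFP = mgmt_header(0xC0, STA, AP, AP, flags=0x40) + b"\x00" * 18  # Protected Frame set; body stands in for ciphertext
AUTH = mgmt_header(0xB0, AP, STA, AP) + struct.pack("<HHH", 0, 1, 0)     # Open System, sequence 1, status success
ASSOC_REQ = mgmt_header(0x00, AP, STA, AP) + struct.pack("<HH", 0x0411, 10)  # capability, listen interval 10
ACK = bytes([0xD4, 0x00]) + struct.pack("<H", 0) + STA                    # control frame: FC, Duration, RA (FCS omitted)

if __name__ == "__main__":
    for name, frame in [("DEAUTH", DEAUTH), ("DEAUTH_MFP", DEAUTH_MFP), ("AUTH", AUTH), ("ASSOC_REQ", ASSOC_REQ)]:
        print(name, parse_mgmt(frame))
    print("ACK", frame_name(ACK[:2]), hex(wireshark_type_subtype(ACK[:2])))
```

The Protected Frame check is the practical takeaway: a deauth whose body you can read in a capture is one that any station in range could have sent.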

Action Frames

Action: is a management frame (0) subtype (13) used for spectrum management, fast BSS transition and other actions taken within a BSS.

Carpenter, Tom. CWAP® Certified Wireless Analysis Professional Official Study Guide: CWAP-402. Certitrek Publishing. Kindle Edition.

Wireshark 802.11 Control frames

Compiled this information as part of my study for the CWAP exam from: Carpenter, Tom. CWAP® Certified Wireless Analysis Professional Official Study Guide: CWAP-402. Certitrek Publishing. Kindle Edition.

Control frames: are used to control access to the medium for STAs that are connected to an AP or the WLAN. Below are the Wireshark captures of the control frame subtypes.

Acknowledgement (ACK): is a control frame (1) subtype (13) used to signal receipt of a frame.


ACK frames are sent immediately (one SIFS) after unicast data and management frames to inform the transmitter that the frame was received. Without an ACK frame the transmitter assumes the frame was lost due to corruption and retransmits it. At each retransmission the contention window from which the random backoff is drawn is doubled, until it reaches its maximum of 1023 slots (CWmax). This prevents a STA from consuming excessive airtime without doing the right thing: lowering the data rate so that the frame can get through.

The ACK frame contains only the Frame Control, Duration, RA and FCS fields.

The ACK frame may be part of an exchange where more fragments are to come (the acknowledged frame had the More Fragments bit set). In that case it sets its Duration field based on the following:

Duration value of the previous frame − ACK time − SIFS time

If no more fragments follow, the ACK's Duration field is 0.

To filter on ACK frames in Wireshark, use the following filter: wlan.fc.type_subtype == 0x1d

To filter out ACK frames in Wireshark, use the following filter: wlan.fc.type_subtype != 0x1d

BlockAckReq frame: is a control frame (1) subtype (8) used to request a block acknowledgement.

BlockAck frame: is a control frame (1) subtype (9) that acknowledges multiple frames in a burst with a single frame.

Request to Send (RTS) and Clear to Send (CTS) frames

Request to Send (RTS): is a control frame (1) subtype (11) used to request that the target STA send a CTS frame.

Clear to Send (CTS): is a control frame (1) subtype (12) used to clear the medium for transmission of another frame.

RTS and CTS frames: are used to clear the medium for transmission of larger frames. In environments with many collisions (typically detected as high retry rates) it can improve efficiency to enable RTS/CTS. The RTS frame is transmitted by the STA that wants to send the larger frame; the CTS frame is sent back as the response.

RTS and CTS frame structure: the RTS frame carries Frame Control, Duration, RA, TA and FCS; the CTS frame carries Frame Control, Duration, RA and FCS.

The Duration field in RTS/CTS frames is very important. In the RTS frame it is a time in microseconds represented by:

Data or management frame duration + CTS duration + one ACK duration + three SIFS

This formula reserves the medium (every listening STA sets its NAV from it) for the entire frame exchange. The CTS response frame has a Duration in microseconds represented by:

Value of the Duration field from the preceding RTS frame − CTS duration − one SIFS

CTS-to-Self is a CTS frame sent without a preceding RTS frame. It is called this because the RA field is set to the sender's own address, but all STAs within range hear the frame and set their NAV timers from its Duration field. The Duration field of a CTS-to-Self frame is represented by:

Data or management frame duration + two SIFS +one ACK

The formula assumes the data or management frame requires an ACK. If it does not, simply remove the ACK term to determine the Duration field value.
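The Duration formulas above, together with the ACK fragment rule and the contention-window doubling from the ACK section, are easier to trust once you can see the numbers chain together. The following is an added example (not from the page or the CWAP guide) that computes OFDM airtime for a frame of a given size and rate and then applies the page's formulas to an RTS/CTS/DATA/ACK exchange, a CTS-to-Self, a fragment ACK and the backoff window. It assumes 802.11a-style OFDM timings (SIFS 16 µs, 20 µs preamble plus SIGNAL, 4 µs symbols) and control frames at 24 Mbps; the 1536-byte frame at 54 Mbps is a constructed worked case.

```python
import math

# Timing for 802.11a-style OFDM in 5 GHz (assumed PHY for the worked values; 802.11g ERP-OFDM
# adds a 6 us signal extension, and legacy DSSS rates use different preambles and SIFS = 10 us).
SIFS_US = 16
OFDM_PREAMBLE_US = 16      # short + long training sequences
OFDM_SIGNAL_US = 4         # SIGNAL symbol
OFDM_SYMBOL_US = 4
SERVICE_BITS, TAIL_BITS = 16, 6
CWMIN, CWMAX = 15, 1023    # contention window bounds in slots

# Control frame sizes in bytes including FCS.
RTS_BYTES, CTS_BYTES, ACK_BYTES = 20, 14, 14


def ofdm_airtime_us(length_bytes: int, rate_mbps: int) -> int:
    """PPDU airtime of an OFDM frame: preamble + SIGNAL + ceil(bits / N_DBPS) data symbols."""
    bits_per_symbol = rate_mbps * OFDM_SYMBOL_US          # N_DBPS, e.g. 216 at 54 Mbps
    symbols = math.ceil((SERVICE_BITS + 8 * length_bytes + TAIL_BITS) / bits_per_symbol)
    return OFDM_PREAMBLE_US + OFDM_SIGNAL_US + symbols * OFDM_SYMBOL_US


def rts_duration_us(data_airtime_us: int, ctrl_rate_mbps: int = 24) -> int:
    """RTS Duration = data frame + CTS + ACK + three SIFS (the page's formula)."""
    cts = ofdm_airtime_us(CTS_BYTES, ctrl_rate_mbps)
    ack = ofdm_airtime_us(ACK_BYTES, ctrl_rate_mbps)
    return data_airtime_us + cts + ack + 3 * SIFS_US


def cts_duration_us(rts_duration: int, ctrl_rate_mbps: int = 24) -> int:
    """CTS Duration = preceding RTS Duration - CTS airtime - one SIFS."""
    return rts_duration - ofdm_airtime_us(CTS_BYTES, ctrl_rate_mbps) - SIFS_US


def cts_to_self_duration_us(data_airtime_us: int, needs_ack: bool = True, ctrl_rate_mbps: int = 24) -> int:
    """CTS-to-Self Duration = data frame + two SIFS + ACK; drop the ACK term for unacknowledged frames."""
    ack = ofdm_airtime_us(ACK_BYTES, ctrl_rate_mbps) if needs_ack else 0
    return data_airtime_us + 2 * SIFS_US + ack


def ack_duration_us(prev_duration_us: int, more_fragments: bool, ctrl_rate_mbps: int = 24) -> int:
    """ACK Duration is 0 unless the acknowledged frame had More Fragments set,
    in which case it is the previous frame's Duration - ACK airtime - one SIFS."""
    if not more_fragments:
        return 0
    return prev_duration_us - ofdm_airtime_us(ACK_BYTES, ctrl_rate_mbps) - SIFS_US


def rts_cts_exchange(data_bytes: int, data_rate_mbps: int, ctrl_rate_mbps: int = 24) -> list:
    """Duration field carried by each frame of an RTS/CTS/DATA/ACK exchange, in transmission order.
    Each value equals the previous one minus the previous frame's airtime and one SIFS."""
    data = ofdm_airtime_us(data_bytes, data_rate_mbps)
    rts = rts_duration_us(data, ctrl_rate_mbps)
    cts = cts_duration_us(rts, ctrl_rate_mbps)
    data_dur = cts - data - SIFS_US           # what remains: one SIFS + the ACK
    return [("RTS", rts), ("CTS", cts), ("DATA", data_dur), ("ACK", 0)]


def contention_window(retry_count: int) -> int:
    """CW doubles after each failed transmission, (CWmin + 1) * 2**n - 1, and is capped at CWmax."""
    return min((CWMIN + 1) * (1 << retry_count) - 1, CWMAX)


if __name__ == "__main__":
    # Worked example: a 1536-byte data frame at 54 Mbps protected by RTS/CTS at 24 Mbps.
    for name, dur in rts_cts_exchange(1536, 54):
        print(f"{name:5s} Duration = {dur} us")
    print("CTS-to-Self:", cts_to_self_duration_us(ofdm_airtime_us(1536, 54)), "us")
    print("CW per retry:", [contention_window(n) for n in range(8)])
```

For the worked case the chain is RTS 352 µs, CTS 308 µs, DATA 44 µs (one SIFS plus the ACK), ACK 0: every frame's Duration is the previous one minus that frame's own airtime and a SIFS, which is exactly what a capture should show if the NAV reservation is consistent.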

To filter on RTS/CTS frames in Wireshark, use the following filter: wlan.fc.type_subtype == 0x1b or wlan.fc.type_subtype == 0x1c

To filter out RTS/CTS frames in Wireshark, use the following filter: wlan.fc.type_subtype != 0x1b and wlan.fc.type_subtype != 0x1c

Control Wrapper: is a control frame (1) subtype (7) used to carry another control frame while adding an HT Control field.

PS-Poll frames

PS-Poll (Power Save Poll): is a control frame (1) subtype (10) used to notify the AP that the client STA is awake and available to receive buffered frames. The PS-Poll frame carries Frame Control, AID (in place of the Duration field), BSSID, TA and FCS.

STAs indicate power save mode using the Power Management (PM) bit in the Frame Control field. When a STA is in PM mode (PM bit = 1) it alternates between awake and dozing states, and the AP buffers all unicast traffic destined to the PS STA. When even one STA in the BSS is in PS mode, all group-addressed traffic is also buffered until after the DTIM Beacon. The client wakes up every listen interval (a client setting) to listen for Beacon frames. In the Beacon's TIM element the client checks AID 0 (for group traffic) and its own AID to see whether data is buffered. If it finds buffered data (indicated by a 1 bit for its AID) it sends a PS-Poll frame requesting that the AP deliver the buffered unicast traffic one frame at a time. The data frame sent by the AP to the STA has the More Data bit set to 1 if more frames are buffered; if so the client sends a new PS-Poll for each one. When there are no more buffered frames the client STA may return to sleep.
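The TIM check and the PS-Poll loop above are where most of the subtlety sits: the AP does not send the whole 2008-bit virtual bitmap, only a window of it, so finding "its own AID" means applying the bitmap offset. The following is an added example (not code from the page or the CWAP guide) that parses a TIM element, looks up an AID in the partial virtual bitmap, decides what a dozing STA does next, builds the PS-Poll frame, and walks through the one-frame-per-poll loop driven by the More Data bit. The TIM elements, MAC addresses and buffered payload strings are constructed for the example; the AP-side function is a stand-in for what a real AP does, not an AP implementation.

```python
import struct

TIM_ELEMENT_ID = 5
MAX_AID = 2007


def parse_tim(element: bytes) -> dict:
    """Parse a TIM information element (IEEE 802.11-2012, 8.4.2.7):
    Element ID, Length, DTIM Count, DTIM Period, Bitmap Control, Partial Virtual Bitmap."""
    if len(element) < 6 or element[0] != TIM_ELEMENT_ID:
        raise ValueError("not a TIM element")
    length = element[1]
    if length < 4 or len(element) < 2 + length:
        raise ValueError("truncated TIM element")
    bitmap_control = element[4]
    return {
        "dtim_count": element[2],
        "dtim_period": element[3],
        "group_traffic": bool(bitmap_control & 0x01),   # the 'AID 0' indication
        "bitmap_offset": bitmap_control >> 1,            # partial bitmap begins at virtual-bitmap byte 2*offset
        "partial_bitmap": element[5:2 + length],
    }


def aid_has_buffered_traffic(tim: dict, aid: int) -> bool:
    """Bit 'aid' of the 2008-bit virtual bitmap, of which only a window is transmitted."""
    if not 1 <= aid <= MAX_AID:
        raise ValueError("AID out of range")
    byte_index = aid // 8 - 2 * tim["bitmap_offset"]
    pvb = tim["partial_bitmap"]
    if not 0 <= byte_index < len(pvb):
        return False          # outside the transmitted window: nothing buffered for this AID
    return bool((pvb[byte_index] >> (aid % 8)) & 1)


def sta_actions(tim: dict, aid: int) -> list:
    """What a dozing STA does after reading the TIM in a Beacon it woke up for."""
    actions = []
    if tim["dtim_count"] == 0 and tim["group_traffic"]:
        actions.append("stay awake for group-addressed frames after the DTIM")
    if aid_has_buffered_traffic(tim, aid):
        actions.append("send PS-Poll")
    return actions or ["return to sleep"]


def build_ps_poll(aid: int, bssid: bytes, ta: bytes) -> bytes:
    """PS-Poll control frame (type 1, subtype 10): FC, AID with the two top bits set, BSSID, TA (FCS omitted)."""
    fc = bytes([0xA4, 0x00])                        # (10 << 4) | (1 << 2)
    return fc + struct.pack("<H", 0xC000 | aid) + bssid + ta


def ap_answer_ps_poll(queue: list) -> tuple:
    """Stand-in for the AP side of legacy power save: release one buffered frame per PS-Poll and
    set More Data (Frame Control flag 0x20) when anything remains. Returns (fc_flags, payload)."""
    payload = queue.pop(0)
    return (0x20 if queue else 0x00), payload


def drain_buffered(queue: list, aid: int, bssid: bytes, sta: bytes) -> tuple:
    """Client side: keep polling while More Data is set. Returns (frames received, PS-Polls sent)."""
    received, polls = [], 0
    while queue:
        polls += 1
        _ps_poll = build_ps_poll(aid, bssid, sta)   # would go on the air here
        flags, payload = ap_answer_ps_poll(queue)
        received.append(payload)
        if not flags & 0x20:
            break
    return received, polls


# Constructed TIM elements (not captures from the page):
# DTIM beacon, group traffic pending, offset 1 -> the single bitmap byte covers AIDs 16..23; bit 2 = AID 18.
TIM_A = bytes([TIM_ELEMENT_ID, 4, 0, 2, 0x03, 0x04])
# Non-DTIM beacon, offset 0, two bitmap bytes; byte 1 bit 5 = AID 13.
TIM_B = bytes([TIM_ELEMENT_ID, 5, 1, 2, 0x00, 0x00, 0x20])

AP = bytes.fromhex("001122334455")
STA = bytes.fromhex("66778899aabb")

if __name__ == "__main__":
    print(sta_actions(parse_tim(TIM_A), 18))
    print(sta_actions(parse_tim(TIM_B), 13))
    print(drain_buffered(["frame1", "frame2", "frame3"], 18, AP, STA))
```

Note the out-of-window case: an AID below the bitmap offset is simply not represented in the transmitted bitmap, which the standard defines as "no traffic buffered", so the lookup returns False rather than raising.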

Trigger frames are data frames that are acknowledged by the AP. One of the important enhancements of WMM was allowing a data frame to be a trigger frame. In this way the client can send data to the AP while also triggering delivery of the AP's buffered frames for that client. When the AP has multiple buffered frames for the client, they can be sent during an EDCA transmit opportunity (TXOP) burst with interleaved ACKs. WMM-PS addresses the inefficiencies of legacy PS while adding the performance enhancements offered by WMM.

The 802.11 specification defines both scheduled (for either contention-free or contention-based access) and unscheduled service periods, but the WMM-PS program uses only unscheduled service periods. The terms delivery-enabled and trigger-enabled relate to a client STA's ability to trigger (with a data frame) the downlink delivery of buffered frames.

WMM-PS has multiple advantages over legacy power save, including:

■ No need to wait for Beacon frames. Application requirements can dictate how often the STA will wake up.

■ Downlink frames can be sent in a burst instead of requiring a separate trigger frame for each downlink frame.

■ The trigger frame can be a data frame instead of requiring a PS-Poll control frame.

■ Applications experience lower latency when power-saving features are used.

■ The client spends more time sleeping, thus it has better power save efficiency.

To filter on PS-Poll frames in Wireshark, use the following filter: wlan.fc.type_subtype == 0x1a

To filter out PS-Poll frames in Wireshark, use the following filter: wlan.fc.type_subtype != 0x1a

Carpenter, Tom. CWAP® Certified Wireless Analysis Professional Official Study Guide: CWAP-402. Certitrek Publishing. Kindle Edition.