Tuesday, October 26, 2010

802.11 Frames

Current 802.11 standards define "frame" types for use in transmission of data as well as management and control of wireless links.

Frames are divided into specific, standardized sections. Each frame has a MAC header, a payload (the frame body) and an FCS; some frames, such as ACK and CTS, carry no payload at all. The first 2 bytes of the MAC header are the Frame Control field, which describes the frame in detail. Its subfields are listed below in order, starting from the least significant bit of the first byte.

* Protocol Version: two bits. The only version currently in use is zero; the other values are reserved for future use, and a receiver should discard frames with an unknown version.

* Type: two bits that identify the kind of WLAN frame: Management (0), Control (1) or Data (2); the value 3 is reserved.
* Sub Type: four bits. Type and Sub Type together identify the exact frame (for example Type 0 with Sub Type 8 is a Beacon, Type 1 with Sub Type 13 is an ACK).

* ToDS and FromDS: one bit each. They indicate whether a data frame is travelling to or from the distribution system (DS), and they also determine how the address fields are interpreted. Control and management frames set both bits to zero. Data frames use all four combinations: both clear for direct station-to-station traffic within an IBSS, ToDS for a station sending to the access point, FromDS for the access point delivering to a station, and both set for frames relayed between access points over a wireless distribution system (the only case in which an Address 4 field is present).

* More Fragments: set when a higher-layer packet has been partitioned and this frame is not the final fragment. Some management frames may be fragmented as well.

* Retry: set to one when a frame is a retransmission of an earlier frame. Together with the Sequence Control field this lets the receiver discard duplicates.

* Power Management: indicates the power management state the sender will be in after the current frame exchange completes. Access points manage buffering on behalf of stations and never set this bit.

* More Data: used by the access point to tell a station in power-save mode that at least one more frame is buffered for it in the distribution system, so the station should stay awake and poll for it instead of returning to sleep.

* WEP (Protected Frame): set to one when the frame body is encrypted, originally with WEP and later also with TKIP or CCMP. Control frames never set it, and management frames normally leave it clear; the exception in the base standard is the third Shared Key authentication frame, whose body is WEP-encrypted.

* Order: set only when the "strict ordering" service class is in use. Frames and fragments are not always delivered in order, because strict ordering carries a transmission performance penalty.

The next two bytes form the Duration/ID field, which takes one of three forms selected by its top two bits: a Duration value in microseconds that other stations use to set their NAV (network allocation vector), the fixed Contention-Free Period (CFP) value, or an Association ID (AID) carried in PS-Poll frames.

An 802.11 frame can have up to four address fields, each carrying a MAC address. Address 1 is always the receiver (the station that must acknowledge the frame) and Address 2 the transmitter; Address 3 carries whichever of BSSID, source or destination is not already present in the first two and is used by the receiver for filtering. Address 4 appears only in data frames with both ToDS and FromDS set. Which field holds the BSSID, the original source and the final destination depends on the ToDS/FromDS bits.

* The Sequence Control field is a two-byte section used for identifying message order and eliminating duplicate frames. The first 4 bits are the fragment number and the remaining 12 bits are the sequence number.
* An optional two-byte Quality of Service control field which was added with 802.11e.
* The Frame Body field is variable in size, from 0 to 2304 bytes plus any overhead from security encapsulation and contains information from higher layers.
* The Frame Check Sequence (FCS) is the last four bytes of a standard 802.11 frame. Often referred to as the Cyclic Redundancy Check (CRC), it allows an integrity check of received frames. Before a frame is sent the FCS is calculated over the header and body and appended. When a station receives a frame it recalculates the FCS and compares it with the one received; if they match, the frame is assumed not to have been distorted in transmission. The FCS only detects transmission errors: it is not a cryptographic integrity check and gives no protection against deliberate modification.
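The header layout above, as an added example rather than code from the original post: a small parser that splits Frame Control into its subfields, decodes the three forms of Duration/ID, picks the address fields and QoS Control according to type, subtype and the ToDS/FromDS bits, and verifies the FCS. The sample frames are constructed inline, and the MAC addresses in them are hypothetical.

```python
"""802.11 MAC header parser with FCS check (added example, not from the original post).
Field layout follows the Frame Control / Duration-ID / Address / Sequence Control /
QoS / FCS description above. Sample frames are constructed from hypothetical MACs."""
import struct
import zlib

TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "reserved"}
FLAGS = ("to_ds", "from_ds", "more_frag", "retry", "pwr_mgmt", "more_data", "protected", "order")
SINGLE_ADDR_CONTROL = {0xC, 0xD}   # CTS and ACK carry only Address 1 (RA)


def parse_frame_control(fc):
    """Split the 2-byte Frame Control field: byte 0 = version/type/subtype, byte 1 = flags."""
    out = {"version": fc[0] & 3, "type": (fc[0] >> 2) & 3, "subtype": fc[0] >> 4}
    for i, name in enumerate(FLAGS):          # flag bits in byte 1, LSB first
        out[name] = bool(fc[1] >> i & 1)
    return out


def decode_duration_id(value):
    """Duration/ID takes one of three forms, selected by its top two bits."""
    if not value & 0x8000:
        return ("duration_us", value)         # NAV value in microseconds
    if value & 0x4000:
        return ("aid", value & 0x3FFF)        # PS-Poll: association ID
    return ("cfp", value)                     # 32768: contention-free period


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_80211(frame):
    """Return a dict of header fields; raise ValueError on a bad FCS."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    # The FCS is CRC-32 over header+body, transmitted least-significant byte first.
    if zlib.crc32(body) & 0xFFFFFFFF != fcs:
        raise ValueError("FCS mismatch: frame corrupted or truncated")
    fc = parse_frame_control(body[0:2])
    if fc["version"] != 0:
        raise ValueError("unknown protocol version %d" % fc["version"])
    out = dict(fc, type_name=TYPE_NAMES[fc["type"]])
    out["duration_id"] = decode_duration_id(struct.unpack("<H", body[2:4])[0])
    out["addr1"] = mac_str(body[4:10])
    if fc["type"] == 1:                       # control: no Address 3, no Sequence Control
        pos = 10
        if fc["subtype"] not in SINGLE_ADDR_CONTROL:
            out["addr2"] = mac_str(body[10:16])
            pos = 16
        out["frame_body"] = body[pos:]
        return out
    out["addr2"] = mac_str(body[10:16])
    out["addr3"] = mac_str(body[16:22])
    seq_ctl = struct.unpack("<H", body[22:24])[0]
    out["fragment_number"] = seq_ctl & 0x0F   # low 4 bits
    out["sequence_number"] = seq_ctl >> 4     # high 12 bits
    pos = 24
    if fc["type"] == 2:
        if fc["to_ds"] and fc["from_ds"]:     # wireless DS: Address 4 follows Sequence Control
            out["addr4"] = mac_str(body[24:30])
            pos = 30
        if fc["subtype"] & 0x08:              # QoS Data subtypes (802.11e): 2-byte QoS Control
            out["qos_control"] = struct.unpack("<H", body[pos:pos + 2])[0]
            pos += 2
        # 802.11n HT Control (Order bit set in a QoS frame) is not handled here.
    out["frame_body"] = body[pos:]
    return out


def build_frame(fc0, fc1, duration, addrs, seq_ctl, body, qos=None):
    """Assemble a management/data frame with a correct FCS (constructed test input)."""
    hdr = bytes([fc0, fc1]) + struct.pack("<H", duration)
    hdr += b"".join(addrs[:3]) + struct.pack("<H", seq_ctl) + b"".join(addrs[3:])
    if qos is not None:
        hdr += struct.pack("<H", qos)
    raw = hdr + body
    return raw + struct.pack("<I", zlib.crc32(raw) & 0xFFFFFFFF)


# Constructed samples; the MAC addresses are hypothetical.
STA, AP, GW = bytes.fromhex("021122334455"), bytes.fromhex("02aabbccddee"), bytes.fromhex("020000000001")
# QoS Data (0x88), ToDS=1 + Protected=1 (0x41): Address 1 = BSSID, 2 = SA, 3 = DA.
QOS_DATA = build_frame(0x88, 0x41, 44, [AP, STA, GW], 1234 << 4, b"\x00" * 8 + b"payload", qos=6)
# Beacon (management subtype 8 = 0x80) with the Retry flag set, to the broadcast address.
BEACON = build_frame(0x80, 0x08, 0, [b"\xff" * 6, AP, AP], 5 << 4, b"\x00" * 12)
# ACK (control subtype 13 = 0xD4): Frame Control, Duration, Address 1, FCS; nothing else.
ACK = bytes([0xD4, 0x00]) + struct.pack("<H", 0) + STA
ACK += struct.pack("<I", zlib.crc32(ACK) & 0xFFFFFFFF)
```

Calling `parse_80211(QOS_DATA)` returns the BSSID in `addr1`, the station in `addr2` and the wired destination in `addr3`, with `protected` and `to_ds` set; flipping a single byte of any sample makes it raise on the FCS check, which is the only integrity guarantee the frame format itself provides.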

Management Frames allow for the maintenance of communication. Some common 802.11 subtypes include:

* Authentication frame: 802.11 authentication begins with the WNIC sending an authentication frame to the access point containing its identity. With Open System authentication the WNIC sends a single authentication frame and the access point responds with an authentication frame of its own indicating acceptance or rejection. With Shared Key authentication, after the WNIC sends its initial authentication request it receives an authentication frame from the access point containing challenge text. The WNIC then sends an authentication frame containing the WEP-encrypted challenge text back to the access point, which decrypts it with its own key to verify that the correct key was used. The result of this exchange determines the WNIC's authentication status. Shared Key authentication is weaker than it looks: an eavesdropper sees both the plaintext challenge and its encrypted form, which reveals the RC4 keystream for that IV without any knowledge of the key, so Open System authentication followed by a stronger protocol (802.1X/WPA) is preferred.
* Association request frame: sent by a station, it lets the access point allocate resources and synchronize. The frame carries information about the WNIC, including supported data rates and the SSID of the network the station wishes to join. If the request is accepted, the access point reserves memory and assigns an association ID to the WNIC.
* Association response frame: sent by an access point to a station, containing the acceptance or rejection of an association request. If it is an acceptance, the frame also carries information such as the association ID and supported data rates.
* Beacon frame: Sent periodically from an access point to announce its presence and provide the SSID, and other parameters for WNICs within range.
* Deauthentication frame: sent by a station (or access point) wishing to end its authenticated relationship with another station. In the base standard management frames are not authenticated, so a deauthentication frame that merely spoofs the access point's address is honoured by the client; 802.11w (Protected Management Frames) was introduced to close this gap.
* Disassociation frame: sent by a station wishing to end an association. It is a graceful way to let the access point release the allocated memory and remove the WNIC from its association table.
* Probe request frame: sent by a station when it needs information from another station, typically as part of active scanning.
* Probe response frame: Sent from an access point containing capability information, supported data rates, etc., after receiving a probe request frame.
* Reassociation request frame: A WNIC sends a reassociation request when it drops from range of the currently associated access point and finds another access point with a stronger signal. The new access point coordinates the forwarding of any information that may still be contained in the buffer of the previous access point.
* Reassociation response frame: Sent from an access point containing the acceptance or rejection to a WNIC reassociation request frame. The frame includes information required for association such as the association ID and supported data rates.

Control frames assist in the exchange of data frames between stations. Some common 802.11 control frames include:

* Acknowledgement (ACK) frame: After receiving a data frame, the receiving station will send an ACK frame to the sending station if no errors are found. If the sending station doesn't receive an ACK frame within a predetermined period of time, the sending station will resend the frame.
* Request to Send (RTS) frame: RTS and CTS frames provide an optional collision reduction scheme for an access point with hidden stations. A station sends an RTS frame as the first step of the two-way handshake that precedes sending a data frame.
* Clear to Send (CTS) frame: A station responds to an RTS frame with a CTS frame. It provides clearance for the requesting station to send a data frame. The CTS provides collision control management by including a time value for which all other stations are to hold off transmission while the requesting stations transmits.

----------------------

Management Frames

Management frames establish communications between stations and access points. They support Power Management and Contention Free modes. MAC management frames are also called MAC Management Protocol Data Units (MMPDUs). Management frames provide services such as authentication, association and reassociation. Management frame bodies are never relayed through an access point: they are "sourced" (generated) and "sunk" (read and disposed of) at the MAC layer, and therefore are never passed to the distribution system service or to the LLC. The Address 4 field is never used in an MMPDU. Unicast MMPDUs may be acknowledged, retransmitted and fragmented. Figure 6.1 depicts the common format of all management frames.

Figure 6.1: MMPDU Frame Structure

Association Request Frame

A station will send an Association Request frame to an access point if it wants to associate with that access point. This frame exchange sequence ends successfully with an acknowledgement. A station becomes associated with an access point after the access point responds with an acceptance.

Figure 6.2: Association Request Frame Body Contents

Association Response Frame

After an access point receives an Association Request frame and acknowledges it, the access point will send an Association Response frame to indicate whether or not it is accepting the association with the requesting station. This second frame exchange sequence ends successfully with an acknowledgment. The Association Response frame provides the status (acceptance or rejection) and an AID (if the association was accepted).

Figure 6.3: Association Response Frame Body Contents

Reassociation Request Frame

A station will send a Reassociation Request frame to an access point if it is already associated with the ESS and wants to reassociate with the ESS through another access point. This frame exchange sequence ends successfully with an acknowledgment. A reassociation may occur when a station moves out of range of one access point and within range of another. The station must reassociate (not merely associate) with the new access point so that the new access point knows it needs to negotiate the forwarding of buffered data frames from the old access point and update its association table. Notice in Figure 6.4 that the Current AP Address (old AP address) fixed field is part of the Reassociation Request frame.

Figure 6.4: Reassociation Request Frame Body Contents

Reassociation Response Frame

After an access point receives a Reassociation Request frame, it sends a Reassociation Response frame to indicate whether or not it accepts the reassociation with the sending station. This frame exchange sequence ends successfully with an acknowledgment. Reassociation depends on prior authentication with the new access point. If the reassociation is successful, the new access point indicates this in the Status Code field and includes a unique AID for the station to use when operating in Power Save Poll mode.

Figure 6.5: Reassociation Response Frame Body Contents

Probe Request Frame

A station sends a Probe Request frame to obtain information from another station or access point. For example, a station may send a Probe Request frame to determine whether a certain access point is available. Mobile stations use Probe Request frames as part of the active scanning process.

Figure 6.6: Probe Request Frame Body Contents

Probe Response Frame

If a station or access point receives a Probe Request frame, it responds to the requesting station with a Probe Response frame containing specific parameters about itself. All access points, and in an IBSS the station that most recently transmitted a beacon, can answer probe requests with Probe Response frames.

Figure 6.7: Probe Response Frame Body Contents

Beacon Frame

An access point (or a mobile station in an Ad Hoc network) periodically sends a beacon frame at a rate set by the aBeaconPeriod parameter in the MIB. The beacon provides synchronization among the stations of a BSS and includes a timestamp that every station in the BSS uses to update what 802.11 calls the timing synchronization function (TSF) timer. The TSF is essentially the station's internal 802.11 clock, a 64-bit counter in microseconds. The Probe Response frame and the beacon frame are identical except that the beacon also carries the traffic indication map (TIM) information element.

If the access point supports the Point Coordination Function, then it uses a beacon frame to announce the beginning of a contention-free period. If the network is an independent BSS (that is, it has no access points), all stations periodically send beacons for synchronization purposes.

Figure 6.8: Beacon Frame Body Contents
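The beacon body described above (and, since the two are identical apart from the TIM, the Probe Response body from the previous section), as an added example that is not part of the original post: a parser for the fixed fields and the tagged information elements that follow, plus the TIM lookup a power-saving station performs to learn whether frames are buffered for its AID. The sample beacon body is constructed here; its SSID, channel and rates are made up.

```python
"""Beacon / Probe Response body parser (added example, not from the original post).
Walks the fixed fields (timestamp, beacon interval, capability info) and the tagged
information elements after them, and reads the TIM the way a power-saving station
would. The sample beacon body is constructed; SSID, channel and rates are made up."""
import struct

IE_SSID, IE_RATES, IE_DS_PARAM, IE_TIM, IE_RSN = 0, 1, 3, 5, 48
CAP_ESS, CAP_IBSS, CAP_PRIVACY = 0x0001, 0x0002, 0x0010


def parse_ies(data):
    """Return a list of (element id, value) in order; stop cleanly on truncation."""
    ies, pos = [], 0
    while pos + 2 <= len(data):
        eid, length = data[pos], data[pos + 1]
        if pos + 2 + length > len(data):
            break                                  # truncated element: do not over-read
        ies.append((eid, data[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return ies


def parse_beacon_body(body):
    """Parse a Beacon (or Probe Response, which has no TIM) frame body."""
    timestamp, interval, cap = struct.unpack("<QHH", body[:12])
    info = {
        "tsf_timestamp_us": timestamp,             # 64-bit TSF value in microseconds
        "beacon_interval_tu": interval,            # 1 TU = 1024 us
        "ess": bool(cap & CAP_ESS),
        "ibss": bool(cap & CAP_IBSS),
        "privacy": bool(cap & CAP_PRIVACY),
        "rates_mbps": [],
        "basic_rates_mbps": [],
        "rsn": False,
    }
    for eid, val in parse_ies(body[12:]):
        if eid == IE_SSID:
            info["ssid"] = val.decode("utf-8", "replace")
            # A "hidden" network sends an empty or all-zero SSID in beacons
            # (but still reveals it in Probe Responses).
            info["hidden_ssid"] = len(val) == 0 or val == b"\x00" * len(val)
        elif eid == IE_RATES:
            for r in val:                          # units of 500 kbps; bit 7 = basic rate
                info["rates_mbps"].append((r & 0x7F) / 2)
                if r & 0x80:
                    info["basic_rates_mbps"].append((r & 0x7F) / 2)
        elif eid == IE_DS_PARAM and len(val) == 1:
            info["channel"] = val[0]
        elif eid == IE_TIM and len(val) >= 3:
            info["tim"] = {
                "dtim_count": val[0],
                "dtim_period": val[1],
                "multicast_buffered": bool(val[2] & 0x01),
                "bitmap_offset": val[2] >> 1,      # in units of 2 octets of the virtual bitmap
                "partial_bitmap": val[3:],
            }
        elif eid == IE_RSN:
            info["rsn"] = True
    # Privacy bit set with no RSN element means pre-RSNA (WEP) protection only.
    info["wep_only"] = info["privacy"] and not info["rsn"]
    return info


def aid_has_buffered_traffic(tim, aid):
    """True if the partial virtual bitmap marks `aid` (1..2007) as having buffered frames."""
    octet = aid // 8 - 2 * tim["bitmap_offset"]
    if octet < 0 or octet >= len(tim["partial_bitmap"]):
        return False
    return bool(tim["partial_bitmap"][octet] >> (aid % 8) & 1)


def ie(eid, val):
    return bytes([eid, len(val)]) + val


# Constructed sample: an ESS beacon on channel 6 with the Privacy bit set and no RSN IE.
SAMPLE_BEACON_BODY = (
    struct.pack("<QHH", 0x123456789, 100, CAP_ESS | CAP_PRIVACY)
    + ie(IE_SSID, b"lab-net")
    + ie(IE_RATES, bytes([0x82, 0x84, 0x8B, 0x96, 0x24, 0x30, 0x48, 0x6C]))
    + ie(IE_DS_PARAM, bytes([6]))
    # TIM: DTIM count 0, period 1, multicast pending, offset 1 (octets 2..3), AID 21 set.
    + ie(IE_TIM, bytes([0, 1, 0x03, 0x20, 0x00]))
)
```

`parse_beacon_body(SAMPLE_BEACON_BODY)` reports the network as `wep_only`, which is the check worth running on a survey: the Privacy capability bit alone does not distinguish WEP from WPA, only the presence of the RSN element does. Feeding the same body without its last element parses as a Probe Response, with no `tim` key.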

ATIM Frame

In an IBSS a station with frames buffered for other stations sends an Announcement Traffic Indication Message (ATIM) frame to each of these stations during the ATIM window, which immediately follows a beacon transmission in Ad Hoc mode. The station that sent the ATIM then transmits the buffered frames to the applicable recipients during a data window. The transmission of the ATIM frame alerts stations in powersave mode to stay awake long enough to solicit and receive their respective frames. The ATIM frame body is null.

Disassociation Frame

If a station or access point wants to terminate an association, it will send a Disassociation frame to the other station that is part of the association. A single Disassociation frame sent to the broadcast address by an access point can terminate associations with more than one station at a time.

Figure 6.9: Disassociation Frame Body

Authentication Frame

A station sends an Authentication frame to the access point it wants to authenticate with. The authentication process consists of two or four authentication frames, depending on whether Open System or Shared Key authentication is used. With Shared Key, the third of the four frames (the one carrying the challenge text back to the access point) is WEP-encrypted. Each authentication frame is acknowledged.

Figure 6.10: Authentication Frame Body
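The two- and four-frame exchanges described here and in the Authentication frame entry of the first list, as an added example that is not part of the original post: both sides' authentication frame bodies (algorithm number, transaction sequence number, status code and, for Shared Key, the Challenge Text element), a minimal WEP/RC4 re-implementation for the encrypted third frame, and the passive check that shows why Shared Key leaks its keystream. The WEP key, IV and challenge values are made up.

```python
"""Open System and Shared Key authentication exchanges (added example; not from the
original post). Frame bodies follow the layout in the text: algorithm number,
transaction sequence number, status code, and for Shared Key a Challenge Text
element (ID 16). RC4/WEP is re-implemented minimally for the demonstration; the
WEP key, IV and challenge are made-up values."""
import os
import struct
import zlib

ALG_OPEN, ALG_SHARED_KEY = 0, 1
STATUS_SUCCESS, STATUS_CHALLENGE_FAILURE = 0, 15
IE_CHALLENGE = 16


def rc4(key, length):
    """Plain RC4 keystream (KSA + PRGA), the stream cipher WEP uses."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(wep_key, iv, key_id, plaintext):
    """WEP body: IV(3) | KeyID(1) | (plaintext || CRC-32 ICV) XOR RC4(IV || key)."""
    data = plaintext + struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    ks = rc4(iv + wep_key, len(data))
    return iv + bytes([key_id << 6]) + bytes(a ^ b for a, b in zip(data, ks))


def wep_decrypt(wep_key, body):
    """Return the plaintext, or None if the ICV does not verify (wrong key / tampered)."""
    iv, data = body[:3], body[4:]
    plain = bytes(a ^ b for a, b in zip(data, rc4(iv + wep_key, len(data))))
    plaintext, icv = plain[:-4], struct.unpack("<I", plain[-4:])[0]
    return plaintext if zlib.crc32(plaintext) & 0xFFFFFFFF == icv else None


def auth_body(alg, seq, status, challenge=None):
    body = struct.pack("<HHH", alg, seq, status)
    if challenge is not None:
        body += bytes([IE_CHALLENGE, len(challenge)]) + challenge
    return body


def parse_auth_body(body):
    alg, seq, status = struct.unpack("<HHH", body[:6])
    challenge = None
    if len(body) >= 8 and body[6] == IE_CHALLENGE:
        challenge = body[8:8 + body[7]]
    return alg, seq, status, challenge


def open_system_exchange():
    """Two frames: the request (seq 1) and the AP's answer (seq 2); nothing is verified."""
    frame1 = auth_body(ALG_OPEN, 1, STATUS_SUCCESS)
    frame2 = auth_body(ALG_OPEN, 2, STATUS_SUCCESS)
    return [frame1, frame2]


def shared_key_exchange(sta_key, ap_key, challenge=None, iv=b"\x01\x02\x03"):
    """Four frames; frame 3 is WEP-encrypted under the station's key.
    Returns the frames and the status code the AP puts in frame 4."""
    challenge = challenge or os.urandom(128)
    frame1 = auth_body(ALG_SHARED_KEY, 1, STATUS_SUCCESS)
    frame2 = auth_body(ALG_SHARED_KEY, 2, STATUS_SUCCESS, challenge)   # AP -> STA
    chal = parse_auth_body(frame2)[3]
    # Frame 3: the whole body, fixed fields included, is WEP-encrypted (Protected bit set).
    frame3 = wep_encrypt(sta_key, iv, 0, auth_body(ALG_SHARED_KEY, 3, STATUS_SUCCESS, chal))
    decrypted = wep_decrypt(ap_key, frame3)
    ok = decrypted is not None and parse_auth_body(decrypted)[3] == challenge
    frame4 = auth_body(ALG_SHARED_KEY, 4, STATUS_SUCCESS if ok else STATUS_CHALLENGE_FAILURE)
    return [frame1, frame2, frame3, frame4], parse_auth_body(frame4)[2]


def keystream_from_exchange(frame2, frame3):
    """What a passive listener learns: frame 2 reveals the plaintext of frame 3's
    encrypted part, so XOR recovers the RC4 keystream for that IV without the key."""
    chal = parse_auth_body(frame2)[3]
    plaintext = auth_body(ALG_SHARED_KEY, 3, STATUS_SUCCESS, chal)
    return frame3[:3], bytes(a ^ b for a, b in zip(plaintext, frame3[4:]))
```

Running `shared_key_exchange` with the same key on both sides yields status 0 in frame 4; with mismatched keys the ICV fails and the AP answers with status 15 (challenge failure). `keystream_from_exchange` on frames 2 and 3 returns exactly `rc4(iv + key, ...)`, which is why Shared Key authentication is considered weaker than Open System plus a real key-management protocol.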

Deauthentication Frame

A station sends a Deauthentication frame to a station or access point with which it wants to terminate communications.

Figure 6.11: Deauthentication Frame Structure

Management Frame Summary

The chart below provides a quick reference to the contents and sizes (in octets) of each management frame type per the 802.11 series of standards.

Figure 6.12: Management Frame Quick Reference Chart


Thanks to :
http://www.sss-mag.com/pdf/802_11tut.pdf
http://en.wikipedia.org/wiki/IEEE_802.11
http://www.wireless-net.org/McGraw.Hill-CWAP.Certified.Wir/8156final/LiB0061.html

1 comment:

  1. hi,

    Very useful article.

    Can you tell me how a TSF Timer exactly works, how to initialize the timer in an AP, and how other STAs use the timestamp field received from an AP's Beacon.

    Thanks..
