Friday, March 2, 2018

Chapter 2 - Inter Frame Space (IFS)


Shortest to Longest: RIFS, SIFS, PIFS, DIFS, AIFS, EIFS

Mnemonic to help remember: Really Super Powerful Dog Ate Everything

***EXAM*** The above (Shortest to longest) could be on the exam. The below are notes from my CWDP notes

SIFS (Shortest Inter Frame Space) - Used with all of the coordination functions. SIFS is the shortest of the IFS for 802.11-2007. It is used prior to ACK and CTS frames, as well as in between the MPDUs of a fragment burst. For 802.11n a shorter IFS (RIFS) was introduced.

RIFS (Reduced Inter Frame Space) - Introduced with 802.11n to help improve efficiency for transmissions to a single receiver that do not require a SIFS, such as a transmission burst (CFB, Contention Free Burst). 802.11n uses RIFS and Block ACK. RIFS is *only* used when Block ACK is enabled. When Block ACKs are used, the data frames of a CFB can be sent continuously without stopping for an ACK. At the end of the CFB, the TX STA will send a BAR (Block ACK Request) and will/should receive a single Block ACK (BA).

DIFS (Distributed Inter Frame Space) - When a STA wants to transmit a data frame (MPDU) or a management frame (MMPDU) for the first time in a DCF (Distributed Coordination Function) network, the duration of the DIFS must be observed after the previous frame's completion. DIFS are longer than SIFS and PIFS.
DIFS = SIFS + 2x SlotTime
SlotTime for 802.11a/n/ac (5 GHz) = 9μS
SlotTime for 802.11g/n (2.4 GHz – HT or ERP) = 9μS with short preamble
SlotTime for 802.11g/n (2.4 GHz – HT or ERP) = 20μS with long preamble
SlotTime for 802.11b/g/n (2.4 GHz – DSS ) = 20μS

EIFS (Extended Inter Frame Space) - EIFS are used by STAs that have received a frame that contained errors. By using the longer IFS, the transmitting station will have enough time to recognize the frame was not received correctly before the receiving station commences transmission. If, during the EIFS duration, the STA receives a frame correctly (regardless of intended recipient), it will resume using DIFS or AIFS, as appropriate.
 - EIFS does have a drawback. STAs near the AP can cause problems for STAs further away from the AP. This is because STAs close to the AP are using higher data rates, and as such higher modulation mechanisms. The STAs further away cannot demodulate these and, due to this, interpret them as corrupted frames, which makes them stay quiet for the EIFS. Meanwhile the near STAs keep using DIFS or AIFS, which gives them priority and more opportunity to transmit while the far stations remain quiet.
EIFS (in DCF) = SIFS + DIFS + ACK_Tx_Time
EIFS 802.11b/g/n devices using DSS = 364μS
EIFS 802.11g/n devices using OFDM = 160μS
EIFS 802.11a/n devices (5GHz) = 160μS
EIFS (in EDCA) = SIFS + AIFS[AC] + ACK_Tx_Time

AIFS (Arbitration Inter Frame Space) - The AIFS shall be used by QoS STAs to transmit all data frames (MPDUs), all management frames (MMPDUs), and the following control frames: PS-Poll, RTS, CTS (when not transmitted as a response to the RTS), BlockAckReq, and BlockAck (when not transmitted as a response to the BlockAckReq).
The number of slot times used in the AIFS is called the Arbitration Inter Frame Space Number (AIFSN). 802.11e specifies 4 access categories (AC_VO: Voice, AC_VI: Video, AC_BE: Best Effort and AC_BK: Background). The Voice and Video categories use 2 slot times by default. The Best Effort category uses 3 slot times, whereas Background traffic uses 7 slot times by default.
Below is the formula to calculate AIFS for a given Access Category (AC):
AIFS[AC] = AIFSN[AC] × SlotTime + SIFSTime

Chapter 3 - Security Communications Brief


WPA and WPA2

It's important to remember that these are certifications by the WiFi Alliance and not from the 802.11 standard. This means that they validate that a device uses portions of the security that 802.11 provides. They both come in two forms, Personal and Enterprise. Personal is known as Pre Shared Key because it uses a PSK.

WPA has been deprecated and as such should no longer be used. It used TKIP/RC4 and, again, as such TKIP/RC4 should no longer be used either.

The Enterprise versions of both WPA and WPA2 use the 802.1X framework for authentication and key management. This framework has three primary components.
1.) Supplicant (Client STA)
2.) Authenticator (AP or Controller)
3.) Authentication Server (This is normally your RADIUS server)

The EAPoL protocol is used for communication between the Supplicant and Authenticator, and RADIUS is used between the Authenticator and the Authentication Server.

The process looks something like this

  • Client Authenticates and Associates to an AP
  • Open System Authentication takes place
  • EAP Authentication using the RADIUS server
  • 4-way handshake generates encryption keys for STA and AP
  • Encrypted communications commence.
     
Carpenter, Tom. CWAP: Certified Wireless Analysis Professional: Official study guide: Edition CWAP-402. Certitrek Publishing, 2016.


RADIUS

RADIUS - Remote Authentication Dial-In User Service

RADIUS Process
  1. Access Request - Username/Password or Certificate
  2. Access Challenge
  3. Access Accept/Reject

Chapter 3 - Important 802.11 Frames


We touched a bit on these in the "Type" field but this portion of the chapter goes into them a bit deeper

Beacon Frames - We touched on these in Chapter 2 as well as other assorted places. These are used to announce BSS's for STA's that are looking for something to connect to. Beacons are transmitted (by default) every 100 time units (TU's.) A TU is typically 1024 microseconds which, when you do the math means that every 102.4 milliseconds a Beacon is being transmitted. Remember that a Beacon frame is transmitted for *every* SSID being broadcast. As such, the more SSID's you have, the more Beacon overhead you are creating. Beacon Frames are a Management Frame and as such, use the Management Frame Format. It should be noted that Beacon Frames contain a lot of information about the SSID and radio being used to broadcast it. Some of the most important of this information is the SSID name itself, the capabilities of the device (there are a few things here) and supported rates.

Beacons are sent at a target beacon transmission time (TBTT), which by default is every 100 TUs. That said, with how heavily utilized the wireless medium is, that target is often not possible, and the beacon will be sent as soon as possible after the 100 TUs have passed. It's important to remember that Beacon frames have to wait for the air to be clear before transmission as well.

Beacon filter in wireshark
wlan.fc.type_subtype == 0x08

To filter beacon frames *out* of the display use the Wireshark filter
wlan.fc.type_subtype != 0x08

Probe Request and Probe Response Frames

Remember that in active scanning, a STA will send a Probe Request, which will be answered with a Probe Response by an AP. If the probe request is sent with a broadcast SSID, any and all APs on the channel being probed will respond with a Probe Response, allowing STAs to quickly gather a view of all of the SSIDs available on that channel.

Probe Request and Response Wireshark Filter
wlan.fc.type_subtype == 0x4 or wlan.fc.type_subtype == 0x5

To filter out Probe Request/Response Frames
wlan.fc.type_subtype != 0x4 and wlan.fc.type_subtype != 0x5

Remember that just because a client is connected does not mean that it will stop probing. Client roaming algorithms will have a certain threshold where they will begin probing for a better AP. For example, last I knew Apple iOS devices would start their probe requests at -67dBm. Now that doesn't mean that it will automatically move to something that’s stronger than -67dBm. That could result in flapping from AP to AP. Instead it requires the new AP to have a stronger connection of a certain threshold. In the iOS case (again last I knew) the new AP had to be 8dB stronger than the AP that the STA is currently connected to. That means that even if the STA had a -72dBm connection, it would not roam unless the new AP had a signal strength of -64dBm or stronger. Unfortunately these roaming algorithms are unique to the devices, so the probing threshold and roaming threshold of each client may vary. It's important to keep this in mind when designing.

Authentication and Deauthentication Frames

Authentication frames are frames used by STAs to enter into the Authenticated State with an AP. To do so, a STA sends a single frame to the AP, which will answer back with a single frame of its own. This is the method that WPA2 uses.

Deauthentication frames are used to remove a STA from an authenticated state. This can be done by either the STA or the AP. Remember that a STA cannot be associated if it's not authenticated.

Wireshark filter for Authentication frames
wlan.fc.type_subtype == 0xb

To filter them out
wlan.fc.type_subtype != 0xb

Association and Disassociation Frames

These frames are used for the STA to enter into an associated state after they have been authenticated. It's done through a four-frame exchange
-Authentication request
-ACK
-Authentication response
-ACK

From this point if Open System Auth is being used, then the STA can begin to use the network. If they are using 802.1X, then that process will begin at this point.

Disassociation frames will remove a STA from an associated state, placing it into an Authenticated, not associated state. Disassociation frames will include a reason for the disassociation, a smattering of vendor-specific information, and an integrity check if/when management frame protection is in use.

Wireshark Filter
wlan.fc.type_subtype == 0x0 or wlan.fc.type_subtype == 0x1

To filter them out
wlan.fc.type_subtype != 0x0 and wlan.fc.type_subtype != 0x1

Reassociation Request and Response Frames

These are used when roaming from one AP to another within the same ESS. They can also be used to reconnect to an AP which the STA was briefly connected. Only if the AP still has authentication information about the STA however. Request frames contain a plethora of information.

Wireshark filters
wlan.fc.type_subtype == 0x2 or wlan.fc.type_subtype == 0x3

To filter them out
wlan.fc.type_subtype != 0x2 and wlan.fc.type_subtype != 0x3

Request to Send (RTS) and Clear to Send (CTS) Frames

These are used to clear the PHY for the transmission of "larger" frames. When a STA wants to send a larger frame it sends a RTS. A CTS is used to respond.

Both frame types include a duration field, which is very important as it lets everyone know how long the air will be busy. The duration of a request field is made up by the data *or* management frame duration + CTS duration + one ACK duration + three SIFS

The CTS response frame also has a duration that’s measured in microseconds made up of the value of the duration field of the RTS frame - CTS duration - one SIFS

CTS-to-Self is a CTS frame that is sent without a RTS frame before it. These frames have the RA field set as their own address. These are helpful because all STAs within range will hear the frame and set their NAV timers using the duration field from the CTS frame. This is made up by the Data or management frame duration + two SIFS + one ACK

Wireshark filters for RTS/CTS frames
wlan.fc.type_subtype == 0x1b or wlan.fc.type_subtype == 0x1c

To filter them out
wlan.fc.type_subtype != 0x1b and wlan.fc.type_subtype != 0x1c

ACK Frames

These are sent to inform the transmitting device that the frame was received and are sent immediately following data and management frames. If an ACK frame is not returned then the transmitter assumes the frame was lost and will retransmit the frame. With each retransmission the random backoff timer length is increased with a maximum of 1023. This maximum backoff timer length keeps STAs from continuously retransmitting without shifting to a lower data rate. As the book points out, it's far better to send a frame at 54Mbps and have it be received than it is to send it five times at 150Mbps before it's received.

An ACK frame is a fairly simple frame, consisting of only Frame Control, Duration, RA, and FCS subfields. It actually uses the address of the STA that sent the acknowledged frame in the RA subfield and not the address of the STA sending the ACK Frame.

Wireshark Filter
wlan.fc.type_subtype == 0x1d

To filter them out
wlan.fc.type_subtype != 0x1d

Null Data and PS-Poll Frames

These are used to notify an AP that the STA is awake and now able to receive frames. These are called Null Data frames since they are simply a Data frame containing no data.

Wireshark filter
wlan.fc.type_subtype == 0x24

PS-Poll is short for Power Save Poll. These frames are also used to notify the AP that the client is awake and available for buffered frames. These include an AID.

STAs using power management will set their PM bit to 1, meaning that it will go in and out of awake and dozing states. When dozing the AP will buffer any traffic that is destined for the STA.

Client devices have a Listen Interval at the end of which the client will wake up and listen for Beacon Frames. If the client hears a beacon with its AID containing a 1 bit it will send a PS-Poll frame requesting that the AP send it its buffered data, which the AP will do one frame at a time. If there is more data the More Data bit will be set to 1. Each time the client will send a new PS-Poll until there are no more buffered frames, at which point the Client STA can return to a sleep state.

Rather than send a PS-Poll back to the AP to request each individual frame that is buffered, clients can also flip the PM bit to 0. This will cause the AP to send all of its buffered data down to the STA as if it was a normal client. Once this transmission is complete, the client will flip its PM bit back to 1 and go back to sleep. This is *not* an 802.11 standard operation, but is an operation that is used by many client devices, which reduces a lot of unnecessary airtime eaten up by the PS-Poll frames.

In a WMM Power Save queue frames are downloaded using a Trigger-and-delivery mechanism. WMM-PS is set for each AC separately. This allows for more frequent data transmission for those applications that require them.

Trigger frames are actually data frames that are ACK'd by the AP. This means that a STA can send data to the AP while at the same time triggering the delivery of any buffered frames that the AP may have for the client device.

If the AP has multiple buffered frames for the client, the AP can send those frames during an EDCA transmit opportunity that has interleaved ACK's. Meaning that a burst of frames can be sent down rather than individual.

PS-Poll Wireshark filter
wlan.fc.type_subtype == 0x1a

To filter them out
wlan.fc.type_subtype != 0x1a

Chapter 3 - 802.11 Frame Types


Management Frames - These frames are aptly named since they are used to help manage the air. They do so by announcing  information regarding the WLAN, and also have certain actions that they can perform. Below is a list of management frames and a description to go along with them.
  • Beacon - This is used by the AP to advertise information about the BSS
  • Probe - This is used by clients so that they can actually find a BSS/SSID to connect to.
  • Association - A client uses an association frame to go associate to an AP and therefore start communicating through it.
  • Disassociation - The opposite of association.
  • Reassociation - If a client is already associated to an AP, it can reassociate to another AP on the same ESS.
  • Authentication - These frames come prior to association and are used to authenticate a STA to an AP.
  • Deauthentication - The opposite of authentication.
  • Action - These frames can trigger various actions within the cell they are being broadcast on.

Control Frames - You might be sitting there thinking… wait, what's the difference between Management and Control? Don't those two words mean vaguely the same thing? Well, you're not wrong. But you can differentiate it as - Management frames manage the WLAN, where Control frames orchestrate the air itself. Take a look at some of the common Control Frame types below and I think you'll understand what I'm saying.
  • ACK - These are your normal ACKs, acknowledging the receipt of a frame
  • RTS - Request To Send
  • CTS - Clear to Send - These frames are used to clear the PHY for the transmission of another frame.
  • BlockAckReq - This is a type of frame used to request a block ACK
  • BlockAck - Rather than send an ACK for every individual frame, a BlockAck can acknowledge multiple frames that were sent in a row.
  • Control Wrapper - These are frames that include an HT Control Frame while carrying other Control Frames as well

Data Frames - For the most part these carry data. They will have the entire header for whatever MAC/PHY is being used, and then the MSDU. There are however some "Null Data" frames, that quite literally mean there is 0 data contained. These are used for various control functions relating to power management. Further, there are data frames that do not have QoS and use standard DCF, as well as QoS Data frames, which utilize EDCA.

PCF Frames - As we've noted a couple of times, PCF isn't actually in use. However this frame type is documented in the standard. The book calls out the fact that for the exam you should know that the 802.11n standard brought with it the ability to use a CF-End frame to show that despite owning the TxOP it has no more data to send.

Chapter 3 - 802.11ac Frame Fields


802.11ac Frame Format



Duration/ID - As implied by its name, this field actually has two purposes. The first is that it can contain the duration of the frame itself. The duration is used to set the NAV timer by other clients. The AID is used when PS-Poll frames are transmitted to tell the AP that the transmitting STA is awake and that it can send any buffered frames the STA has waiting.

Address 1, 2, 3, 4 - Depending on if the frame is being transmitted with an IBSS, from an AP to a STA, STA to an AP, or as part of a mesh network, these addresses can indicate different things as shown below.


In the table above RA is the Receiver Address, and DA is the Destination Address. TA is the Transmitting Address, and SA is the Source Address. It may seem like some of these are redundant. However remember that the MAC address of the AP radio is often going to be different than the BSSID. Or in the case of a mesh, the RA is the next "hop" in the mesh, where the DA is the intended final recipient of the frame.

Sequence Control - This is a 16-bit field that’s used to help orchestrate fragmented frames in a transmission to help alleviate duplicate frames in the case that they arrive. It's made up of two parts. First is the 4-bit fragment number and second is a 12-bit sequence number. The sequence number remains the same for every fragmented MSDU, giving each frame making up that fragmented MSDU the same sequence number *but* a different fragment number. This allows the receiving device to know what MSDU the frame is from, and if it has already received that piece of the puzzle and know what order they should go in as sometimes they can be received out of order. The Sequence numbers start at 0, and for every fragmented MSDU that needs breaking up and transmitting, it goes up by 1 until it reaches 4095 and then it just starts again.

QoS Control - This is another 16-bit field that classifies the frame's category for queuing. The first three bits in this field map to a value of 0 to 7 which signifies the 802.11e User Priority (UP) for the frame. This field is also called the Traffic Indicator (TID). Remember that the eight UPs map to the 4 Access Categories (AC) set forth by the WiFi Alliance's WMM Certification. Also remember that the lower the number, the lower the priority. For example 1 and 2 are AC_BK (WMM Background), which is the lowest priority. Fun fact, the lowest of the numbers (0) maps to Best Effort, which is a step above Background. This is because in making the mapping, they wanted it to be backwards compatible with non-QoS devices, but not completely hamstring them just because they weren't QoS capable.

HT Control - This 16-bit field specifies certain HT and VHT capabilities, such as antenna selection and beamforming.

Frame Body - This field contains the actual payload (MSDU) that’s being transmitted. When the field is encrypted, it will add overhead to the field. Either 20 or 16 bytes of overhead depending on if TKIP/RC4 (20 bytes) or CCMP/AES (16 bytes) is being used.

FCS - Frame Check Sequence - This field is used to detect if there have been issues in the communication of the frame. A Cyclic Redundancy Check (CRC) is used over the entire MAC Header and Frame Body. The receiving STA will run a CRC and should come up with the same FCS to determine if anything has gone wrong during transmission.
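The Duration/ID and Sequence Control layouts described above, decoded in Python together with a simplified receiver-side duplicate check. This is an added example, not code from the study guide; the transmitter address and frame values are constructed, and the Retry flag it takes as input is the Retry bit of the Frame Control field.

```python
import struct


def parse_duration_id(raw: bytes):
    """Decode the 16-bit Duration/ID field (least significant octet first)."""
    (value,) = struct.unpack("<H", raw)
    if value & 0x8000 == 0:           # MSB is 0: duration in microseconds (NAV)
        return ("duration_us", value)
    if value & 0xC000 == 0xC000:      # two MSBs are 11: AID, as in a PS-Poll
        return ("aid", value & 0x3FFF)
    return ("other", value)


def parse_sequence_control(raw: bytes):
    """Return (sequence number, fragment number) from the 16-bit field."""
    (value,) = struct.unpack("<H", raw)
    return value >> 4, value & 0x000F  # upper 12 bits, lower 4 bits


def build_sequence_control(seq: int, frag: int) -> bytes:
    """Helper used only to construct the sample frames below."""
    return struct.pack("<H", ((seq & 0x0FFF) << 4) | (frag & 0x0F))


def next_sequence(seq: int) -> int:
    """Sequence numbers run 0..4095 and then start again at 0."""
    return (seq + 1) % 4096


class DuplicateFilter:
    """Simplified cache of the last (sequence, fragment) seen per transmitter."""

    def __init__(self):
        self._last = {}

    def accept(self, ta: str, retry: bool, seq_ctl: bytes) -> bool:
        key = parse_sequence_control(seq_ctl)
        # A retransmission of something already received is a duplicate.
        if retry and self._last.get(ta) == key:
            return False
        self._last[ta] = key
        return True


def run_demo():
    """Feed four constructed frames from one transmitter through the filter."""
    ta = "02:00:00:00:00:01"  # constructed transmitter address
    frames = [
        (False, build_sequence_control(4095, 0)),  # first fragment
        (True, build_sequence_control(4095, 0)),   # resent because the ACK was lost
        (False, build_sequence_control(4095, 1)),  # second fragment, same MSDU
        (False, build_sequence_control(next_sequence(4095), 0)),  # wraps to 0
    ]
    rx = DuplicateFilter()
    return [rx.accept(ta, retry, sc) for retry, sc in frames]


if __name__ == "__main__":
    print(parse_duration_id(b"\x2c\x00"))       # constructed duration value
    print(parse_duration_id(b"\x05\xc0"))       # constructed PS-Poll AID
    print(parse_sequence_control(b"\xf1\xff"))
    print(run_demo())
```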

Chapter 3 - 802.11ac Frame Fields - Frame Control


802.11ac Frame Format




Frame Control - The first part of the frame is the Frame Control field, and understandably so, since it sets a number of incredibly important parameters about the frame. We'll touch on the individual fields of the Frame Control field below. First though, here is a picture of what the Frame Control field looks like and what its components are.

Protocol Version - This is always set to 00. This is to indicate if there is an incompatible version, but as of right now,  no incompatible versions exist.

Type - This defines the frame type, whether the frame is a management, control, or data frame, and what the subtype is. List of Frame Types and Subtypes are below, along with their associated bits.

| Type | Bits | Subtype | Bits |
|---|---|---|---|
| Management | 00 | Beacon | 1000 |
| Management | 00 | Association Request | 0000 |
| Management | 00 | Association Response | 0001 |
| Management | 00 | Authentication | 1011 |
| Management | 00 | Deauthentication | 1100 |
| Management | 00 | Action | 1101 |
| Management | 00 | Action NO ACK | 1110 |
| Control | 01 | Control Wrapper | 0111 |
| Control | 02 | Block ACK Request | 1000 |
| Control | 03 | Block ACK Request | 1001 |
| Control | 04 | PS-Poll | 1010 |
| Control | 05 | RTS | 1011 |
| Control | 06 | CTS | 1100 |
| Control | 07 | ACK | 1101 |
| Data | 10 | Standard Data Frame | 0000 |
| Data | 10 | Null Data Frame | 0100 |
| Data | 10 | QoS Data | 1000 |
| Data | 10 | QoS Null Data Frame | 1110 |


To DS/From DS - These are one bit each and determine where the frame is coming from, and where it is going to: whether it's going from a STA to an AP, or from an AP and destined for a STA, or, in the case of an IBSS, going from one STA to another STA.



More Fragments - This subfield indicates whether the current frame being transmitted is part of a fragmented frame. Remember that a frame can be fragmented if its size is over that of the fragmentation threshold (default of 2346). Basically it takes a large frame and breaks it into smaller pieces. Although this can lower speed and add overhead, it also increases the probability that the frame will actually be received in a dirty RF environment. Further, if a retry does take place, it will normally only have to resend a single fragmented frame rather than the entire large frame.

Retry Field - Retries occur when the transmitting station sends a frame, but does not receive an ACK. It will then resend the frame (when it can get back on the air) and this resent frame will have the Retry Field set to 1. This is useful for a number of reasons. For the receiving device it eliminates duplicate frames. It also has the added benefit of being helpful in tracking the amount of retries in the environment to see if there are any issues. A WiFi protocol analyzer will often have a report that can hone in on this bit to provide you reports on the retry amount/percentage.

Power Management Field - When power management is used by a STA, this field is set to 1. This indicates the mode that the STA will be in after it has finished transmitting the frame. With this in mind, APs will never transmit with this bit on since they don’t enter Power Save mode. When an AP receives a frame from a STA with this bit set to 1, it knows that it needs to buffer subsequent data destined for that STA since it's in a power save mode. Once the STA wakes up, the AP will transmit all buffered data down to it.

More Data - This could also be called the "STAY AWAKE!" field. When this field is set to 1 it indicates that the AP has more frames buffered for a STA. Therefore the STA doesn't go to sleep before receiving all the data the AP has buffered for it.

Protected Frame Field - If the field is set to 1 it means that the MSDU is encrypted. If it is set to 0 it means that there is no MAC sublayer encryption being used.

Order Field - In a non-QoS Frame this is set to 1 to indicate that the frame includes an MSDU. It is also set to 1 in a QoS data or management frame to show that the frame also contains an HT Control field. This gives HT capable devices the heads up to decode the HT Control field.
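The Frame Control subfields above, decoded from the first two octets of a MAC header. The 2-bit type followed by the 4-bit subtype gives the number that the Wireshark field wlan.fc.type_subtype matches, and the Retry bit feeds a retry-percentage report. This is an added example, not code from the study guide; the sample octets are constructed.

```python
from collections import Counter
from dataclasses import dataclass

# wlan.fc.type_subtype values used in the Wireshark filters in these notes,
# plus Deauthentication, Data and QoS Data from the type/subtype bit list.
NAMES = {
    0x00: "Association Request", 0x01: "Association Response",
    0x02: "Reassociation Request", 0x03: "Reassociation Response",
    0x04: "Probe Request", 0x05: "Probe Response", 0x08: "Beacon",
    0x0B: "Authentication", 0x0C: "Deauthentication",
    0x1A: "PS-Poll", 0x1B: "RTS", 0x1C: "CTS", 0x1D: "ACK",
    0x20: "Data", 0x24: "Null Data", 0x28: "QoS Data",
}


@dataclass(frozen=True)
class FrameControl:
    version: int
    ftype: int        # 0 = management, 1 = control, 2 = data
    subtype: int
    to_ds: bool
    from_ds: bool
    more_fragments: bool
    retry: bool
    power_mgmt: bool
    more_data: bool
    protected: bool
    order: bool

    @property
    def type_subtype(self) -> int:
        """The number Wireshark compares against wlan.fc.type_subtype."""
        return (self.ftype << 4) | self.subtype

    @property
    def name(self) -> str:
        return NAMES.get(self.type_subtype, f"other (0x{self.type_subtype:02x})")


def parse_frame_control(raw: bytes) -> FrameControl:
    """Decode the first two octets of an 802.11 MAC header."""
    if len(raw) < 2:
        raise ValueError("Frame Control needs 2 octets")
    first, flags = raw[0], raw[1]
    return FrameControl(
        version=first & 0x03,
        ftype=(first >> 2) & 0x03,
        subtype=(first >> 4) & 0x0F,
        to_ds=bool(flags & 0x01),
        from_ds=bool(flags & 0x02),
        more_fragments=bool(flags & 0x04),
        retry=bool(flags & 0x08),
        power_mgmt=bool(flags & 0x10),
        more_data=bool(flags & 0x20),
        protected=bool(flags & 0x40),
        order=bool(flags & 0x80),
    )


def summarize(headers):
    """Return (frame count per name, retry percentage) for a list of headers."""
    parsed = [parse_frame_control(h) for h in headers]
    counts = Counter(fc.name for fc in parsed)
    retries = sum(fc.retry for fc in parsed)
    pct = 100.0 * retries / len(parsed) if parsed else 0.0
    return counts, pct


# Constructed sample: the first two header octets of eight frames.
SAMPLE = [
    b"\x80\x00",  # Beacon
    b"\x08\x01",  # Data, To DS
    b"\x08\x09",  # Data, To DS, Retry
    b"\x48\x11",  # Null Data, To DS, Power Management
    b"\xd4\x00",  # ACK
    b"\xb4\x00",  # RTS
    b"\x88\x42",  # QoS Data, From DS, Protected
    b"\x88\x4a",  # QoS Data, From DS, Retry, Protected
]

if __name__ == "__main__":
    counts, pct = summarize(SAMPLE)
    for name, n in counts.items():
        print(f"{n:2d}  {name}")
    print(f"retry rate: {pct:.1f}%")
```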

Chapter 3 - Ethernet Frame Format Notes


Most Significant Bit (MSB) - Also known as the high order bit. These are the left-most bit, or bits. A great example that the book uses is that in a PS-Poll frame, the Duration/ID field carries either the Duration, or the AID (association identifier.) If the MSB's are set to 11 then the following bits represent the AID. If the single MSB is set to 0 then the following bits will be the duration of the frame.

Least Significant Bit (LSB) - This is the right-most bit since it's (normally) going to be in the furthest right position. Fun factoid the book points out that I never realized in my years of binary: this is the bit that determines if the value will be even or odd… don't know how I never realized that before.

Most Significant Bit First (MSBF) - Pretty straightforward, when receiving the MSB will come in first and the LSB will be last.

Least Significant Bit First (LSBF) - The opposite of MSBF, with the least significant bit coming in first. This is what 802.11 and 802.3 use.

Octet - 8-bit Byte

In an octet the least significant is denoted as b0 and the MSB is denoted as b7

802.3 frame diagram




Preamble - Just because a frame is getting sent on the wire doesn’t mean that it doesn’t need a preamble. This is to alert the receiving device that a frame is incoming and to synchronize it so that the timing is… well, synchronized. The ethernet preamble is 7 repeating octets of 10101010 - This is how they would be received, which, remember is Least Significant Bit First, so the first bit is actually the left-most bit.

SFD - The SFD comes right after the Preamble and is a single octet that’s 10101011. The pattern might look vaguely similar, and it's because it's basically the same as the preamble pattern, only with its MSB being a 1 rather than a 0. This 11 pattern, rather than the preamble's 10, tells the receiver that the MAC frame is incoming.

Destination Address (DA) and Source Address (SA) - These are the MAC addresses of the receiver and the transmitter respectively. You'll notice that above it says that they are 6 octets (48 bits) apiece, which would make sense since MAC addresses are 48 bits long. However!!! Did you know that really only 46 of those bits are unique? The remaining two are for I/G (individual address or group address) and for U/L (globally administered address or locally administered address).
  • These bits are the two LSBs in the first octet of the MAC address (U/L = b1 and I/G = b0). So when you are looking at a MAC address they are the two right-most bits in the first octet, which is in the OUI section.
  • Broadcast address consists of the 46-bit address being made up of all ones.

By Inductiveload, modified/corrected by Kju - SVG drawing based on PNG uploaded by User:Vtraveller. This can be found on Wikipedia here., CC BY-SA 2.5-2.0-1.0, https://commons.wikimedia.org/w/index.php?curid=1852032

Type/Length Field - Nowadays this is mostly used to dictate the type of client protocol, however it could also specify the length of the MAC Client Data. The most commonly used ethertypes are IPv4, ARP, LLDP, and EAP over LAN
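The LSB-first bit order, the I/G and U/L address bits and the Type/Length field described above, worked through in Python. This is an added example, not code from the study guide; the sample frames are constructed, and the rule that values of 1500 or less are a length while values of 0x0600 or more are an EtherType comes from IEEE 802.3 rather than from these notes.

```python
import struct

# EtherTypes the notes call out as the most commonly used.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x88CC: "LLDP", 0x888E: "EAP over LAN"}


def wire_bits(octet: int) -> str:
    """Bits of one octet in transmission order: b0 first, b7 last."""
    return "".join(str((octet >> bit) & 1) for bit in range(8))


def format_mac(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def mac_flags(mac: bytes) -> dict:
    """Read the I/G and U/L bits from the first octet of a MAC address."""
    if len(mac) != 6:
        raise ValueError("a MAC address is 6 octets")
    return {
        "group": bool(mac[0] & 0x01),      # I/G = b0: 1 means group address
        "local": bool(mac[0] & 0x02),      # U/L = b1: 1 means locally administered
        "broadcast": mac == b"\xff" * 6,
    }


def parse_header(frame: bytes) -> dict:
    """Decode DA, SA and Type/Length from the start of an Ethernet MAC frame."""
    if len(frame) < 14:
        raise ValueError("need DA + SA + Type/Length (14 octets)")
    da, sa = frame[:6], frame[6:12]
    (type_len,) = struct.unpack("!H", frame[12:14])
    if type_len <= 1500:
        meaning = f"length {type_len}"
    elif type_len >= 0x0600:
        meaning = ETHERTYPES.get(type_len, f"ethertype 0x{type_len:04x}")
    else:
        meaning = "undefined"
    return {
        "da": format_mac(da), "da_flags": mac_flags(da),
        "sa": format_mac(sa), "sa_flags": mac_flags(sa),
        "type_length": meaning,
    }


# Constructed sample headers (DA, SA, Type/Length only; no payload or FCS).
ARP_BROADCAST = bytes.fromhex("ffffffffffff" "020000000001" "0806")
LLDP_MULTICAST = bytes.fromhex("0180c200000e" "001122334455" "88cc")
LENGTH_FRAME = bytes.fromhex("0180c2000000" "001122334455" "0026")

if __name__ == "__main__":
    # 0x55 and 0xD5 are the preamble and SFD octets written MSB-first.
    print("preamble on the wire:", wire_bits(0x55))
    print("SFD on the wire:     ", wire_bits(0xD5))
    for hdr in (ARP_BROADCAST, LLDP_MULTICAST, LENGTH_FRAME):
        print(parse_header(hdr))
```

Because I/G is b0 of the first octet and octets go out LSB first, it is the first address bit a receiver sees.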

Data Field - This is the actual payload from the upper layers. The maximum payload size is 1500 bytes, however you will see 1518 bytes noted, but this is including the DA/SA, Length/Type, and FCS fields, which all add up to 18 bytes.

FCS - This is used to check the integrity of the frame. It contains a cyclic redundancy check value. It's important to note that the CRC bits in the FCS field (say that 5 times fast) are actually transmitted with the MSB first. This is different from the rest of the ethernet frame, which is transmitted with the LSB first and ending with the MSB.

Extension - This field is used when the frame would be less than a full slot time in the PHY being used. Essentially it adds padding to ensure that a frame fills a slot time.