Friday, March 2, 2018

Chapter 3 - 802.11ac Frame Fields - Frame Control


802.11ac Frame Format

Carpenter, Tom. CWAP: Certified Wireless Analysis Professional: Official study guide: Edition CWAP-402. Certitrek Publishing, 2016.



Frame Control - The first part of the frame is the Frame Control field, understandably, since it sets a number of incredibly important parameters about the frame. We'll touch on the individual fields of the Frame Control field below. First though, here is a picture of what the Frame Control field looks like and what its components are.

Protocol Version - This is always set to 00. The field exists to signal an incompatible version, but as of right now, no incompatible versions exist.

Type - This defines the frame type: whether the frame is a management, control, or data frame, and what the subtype is. The frame types and subtypes are listed below, along with their associated bits.

| Type | Type Bits | Subtype | Subtype Bits |
|---|---|---|---|
| Management | 00 | Beacon | 1000 |
| Management | 00 | Association Request | 0000 |
| Management | 00 | Association Response | 0001 |
| Management | 00 | Authentication | 1011 |
| Management | 00 | Deauthentication | 1100 |
| Management | 00 | Action | 1101 |
| Management | 00 | Action NO ACK | 1110 |
| Control | 01 | Control Wrapper | 0111 |
| Control | 02 | Block ACK Request | 1000 |
| Control | 03 | Block ACK Request | 1001 |
| Control | 04 | PS-Poll | 1010 |
| Control | 05 | RTS | 1011 |
| Control | 06 | CTS | 1100 |
| Control | 07 | ACK | 1101 |
| Data | 10 | Standard Data Frame | 0000 |
| Data | 10 | Null Data Frame | 0100 |
| Data | 10 | QoS Data | 1000 |
| Data | 10 | QoS Null Data Frame | 1110 |


To DS/From DS - These are one bit each and determine where the frame is coming from and where it is going to: whether it's going from a STA to an AP, from an AP to a STA, or, in the case of an IBSS, from one STA to another STA.


More Fragments - This subfield indicates whether the current frame being transmitted is part of a fragmented frame. Remember that a frame can be fragmented if its size is over the fragmentation threshold (default of 2346). Basically, fragmentation takes a large frame and breaks it into smaller pieces. Although this can lower speed and add overhead, it also increases the probability that the frame will actually be received in a dirty RF environment. Further, if a retry does take place, the sender will normally only have to resend a single fragment rather than the entire large frame.

Retry Field - Retries occur when the transmitting station sends a frame but does not receive an ACK. It will then resend the frame (when it can get back on the air), and this resent frame will have the Retry Field set to 1. This is useful for a number of reasons. For the receiving device, it helps eliminate duplicate frames. It also has the added benefit of being helpful in tracking the number of retries in the environment to see if there are any issues. A WiFi protocol analyzer will often have a report that can home in on this bit to provide you with reports on the retry count/percentage.

Power Management Field - When power management is used by a STA, this field is set to 1, indicating the mode that the STA will be in after it has finished transmitting the frame. With this in mind, APs will never transmit with this bit on since they don't enter Power Save mode. When an AP receives a frame from a STA with this bit set to 1, it knows that it needs to buffer subsequent data destined for that STA since it's in a power save mode. Once the STA wakes up, the AP will transmit all buffered data down to it.

More Data - This could also be called the "STAY AWAKE!" field. When this field is set to 1 it indicates that the AP has more frames buffered for a STA. Therefore the STA doesn't go to sleep before receiving all the data the AP has buffered for it.

Protected Frame Field - If the field is set to 1 it means that the MSDU is encrypted. If it is set to 0 it means that there is no MAC sublayer encryption being used.

Order Field - In a non-QoS frame this is set to 1 to indicate that the frame includes an MSDU. It is also set to 1 in a QoS data or management frame to show that the frame also contains an HT Control field. This gives HT-capable devices the heads-up to decode the HT Control field.
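
Added example (not from the study guide or the original post): a Python decoder for the two-byte Frame Control field described above, which also tallies retries, deauthentication frames and unprotected data frames the way an analyzer report would. The sample frames are constructed, the function names are hypothetical, and the subtype map covers only some rows of the table.

```python
import struct
from collections import Counter

TYPES = {0b00: "Management", 0b01: "Control", 0b10: "Data"}
# Subset of the (type bits, subtype bits) pairs from the table above.
SUBTYPES = {
    (0b00, 0b1000): "Beacon", (0b00, 0b1011): "Authentication",
    (0b00, 0b1100): "Deauthentication", (0b01, 0b1011): "RTS",
    (0b01, 0b1100): "CTS", (0b01, 0b1101): "ACK",
    (0b10, 0b0000): "Data", (0b10, 0b0100): "Null Data",
    (0b10, 0b1000): "QoS Data",
}
# Flag bits in the order they occupy the second byte (bit 8 upward).
FLAGS = ("to_ds", "from_ds", "more_frag", "retry",
         "pwr_mgmt", "more_data", "protected", "order")

def parse_frame_control(frame: bytes) -> dict:
    """Decode the first two bytes of an 802.11 MAC header."""
    if len(frame) < 2:
        raise ValueError("frame shorter than the 2-byte Frame Control field")
    (fc,) = struct.unpack_from("<H", frame)  # sent least significant byte first
    ftype, subtype = (fc >> 2) & 0b11, (fc >> 4) & 0b1111
    out = {"version": fc & 0b11,
           "type": TYPES.get(ftype, f"type {ftype:02b}"),
           "subtype": SUBTYPES.get((ftype, subtype), f"subtype {subtype:04b}")}
    out.update({name: bool(fc >> (8 + i) & 1) for i, name in enumerate(FLAGS)})
    return out

def summarize(frames) -> dict:
    """Count the Frame Control conditions worth watching in a capture."""
    stats = Counter(total=0, retries=0, deauth=0, unprotected_data=0)
    for raw in frames:
        fc = parse_frame_control(raw)
        stats["total"] += 1
        stats["retries"] += fc["retry"]
        stats["deauth"] += fc["subtype"] == "Deauthentication"
        # Null Data frames carry no payload, so they are not counted here.
        if fc["type"] == "Data" and fc["subtype"] != "Null Data" and not fc["protected"]:
            stats["unprotected_data"] += 1
    pct = round(100 * stats["retries"] / stats["total"], 1) if stats["total"] else 0.0
    return {**stats, "retry_pct": pct}

# Constructed sample: only the Frame Control bytes of each frame.
SAMPLE = [bytes.fromhex(h) for h in (
    "8000",  # Beacon
    "8841",  # QoS Data, To DS, Protected
    "8849",  # QoS Data, To DS, Retry, Protected
    "0802",  # Data, From DS, not protected
    "4811",  # Null Data, To DS, Power Management
    "c000",  # Deauthentication
    "d400",  # ACK
)]
```

Note that the subtype bits in the table are written most significant bit first, while the field is transmitted least significant byte first, which is why a Beacon's first byte reads `0x80` in a hex dump.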
