Friday, March 2, 2018

Chapter 3 - 802.11ac Frame Fields

802.11ac Frame Format

Carpenter, Tom. CWAP: Certified Wireless Analysis Professional: Official study guide: Edition CWAP-402. Certitrek Publishing, 2016.

Duration/ID - As the name implies, this field has two purposes. Normally it carries a duration: the number of microseconds the medium will stay busy for the rest of the frame exchange (the SIFS and ACK that follow this frame, for example). Other STAs that hear it load that value into their NAV timer and defer until it expires. The second use is the AID: in a PS-Poll frame the same 16 bits carry the transmitting STA's Association ID (with the two high-order bits set to 1), telling the AP that the STA is awake and that it can send any buffered frames it is holding for that STA. Note that the field is neither encrypted nor authenticated, so a forged frame carrying a large duration value makes every STA that hears it hold off for that long; this virtual carrier sense denial of service is well known and worth recognizing in a capture.

Address 1, 2, 3, 4 - Depending on whether the frame is being transmitted within an IBSS, from an AP to a STA, from a STA to an AP, or between APs as part of a mesh or WDS link, these addresses indicate different things, as shown below. Which case applies is given by the To DS and From DS bits in the Frame Control field.

Carpenter, Tom. CWAP: Certified Wireless Analysis Professional: Official study guide: Edition CWAP-402. Certitrek Publishing, 2016.

In the table above RA is the Receiver Address and DA is the Destination Address; TA is the Transmitter Address and SA is the Source Address. It may seem like some of these are redundant, but remember that the AP is a relay between the wireless hop and the distribution system. On a frame from a STA to the AP, the RA is the BSSID (the address of the AP radio for that BSS) while the DA is the host the frame is ultimately going to, which is often a wired station behind the AP; on a frame from the AP, the SA may likewise be a wired host rather than the AP itself. In the four-address case (a mesh or WDS link), the RA is the next "hop" and the DA is the intended final recipient of the frame, with TA and SA playing the same roles on the sending side.

Sequence Control - This 16-bit field lets the receiver reassemble fragmented frames and discard duplicates (a retransmission whose ACK was lost arrives with the Retry bit set and the same sequence number as the copy already received). It is made up of two parts: a 4-bit fragment number and a 12-bit sequence number. All fragments of one MSDU carry the same sequence number *but* a different fragment number, so the receiving device knows which MSDU each fragment belongs to, whether it already has that piece of the puzzle, and what order the pieces go in, since they can arrive out of order. The sequence number starts at 0 and goes up by 1 for every MSDU (or MMPDU) transmitted, fragmented or not, until it reaches 4095 and then wraps back to 0. With QoS data frames the transmitter keeps a separate counter per TID. Because a real STA's counter advances smoothly, an abrupt jump in the sequence numbers seen from one MAC address is a classic indicator that a second device is spoofing that address.

QoS Control - This is another 16-bit field that classifies the frame for queuing. The low four bits are the Traffic Identifier (TID); for EDCA, the WMM case, the TID is a value of 0 to 7 and is the 802.11e User Priority (UP) of the frame, while values 8 to 15 are reserved for HCCA traffic streams. Remember that the eight UPs map to the four Access Categories (AC) set forth by the Wi-Fi Alliance's WMM certification: UP 1 and 2 are AC_BK (Background), 0 and 3 are AC_BE (Best Effort), 4 and 5 are AC_VI (Video), and 6 and 7 are AC_VO (Voice). With one exception, the lower the number, the lower the priority, and AC_BK is the lowest. The exception is that the lowest number, 0, maps to Best Effort, a step above Background. That is because 0 is what traffic defaults to when nothing sets a priority, and the mapping was chosen so that legacy devices without QoS would not be hamstrung just because they weren't QoS capable. The rest of the field carries the ack policy, the end-of-service-period bit and, in HT/VHT, the A-MSDU Present bit.

HT Control - This 32-bit field, present only when the Order bit in Frame Control is set in a QoS data or management frame, carries HT and VHT link-adaptation information such as antenna selection (ASEL), MCS feedback and beamforming (sounding) control. 802.11ac defines a VHT variant of the field, distinguished by its first bit.

Frame Body - This field contains the actual payload (MSDU, or A-MSDU) being transmitted. When the frame is protected, the encryption adds overhead to the field: 20 bytes for TKIP/RC4 (an 8-byte IV/Extended IV header, an 8-byte Michael MIC and a 4-byte ICV) or 16 bytes for CCMP/AES (an 8-byte CCMP header carrying the packet number and key ID, plus an 8-byte MIC). Keep in mind that TKIP is not allowed on HT or VHT rates, so an 802.11ac link carrying TKIP data frames has dropped back to legacy rates.
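As an added example that is not part of the original post, the following Python decodes the fields described above: Frame Control, Duration/ID (duration versus AID), the addresses labelled by the To DS / From DS bits, Sequence Control, QoS Control with the UP to access-category mapping, and the CCMP header that leads an encrypted frame body. It assumes the frame is passed as raw bytes starting at Frame Control with any radiotap header already removed; the two sample frames, their addresses and the CCMP packet number are constructed for the example.

```python
"""Decode the 802.11 MAC header fields discussed above (added example).
Assumes a raw frame starting at Frame Control, radiotap header removed, FCS
not examined. Handles management/data frames and the short PS-Poll header.
"""
import struct

TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}
PS_POLL = (1, 10)  # (type, subtype)
# 802.11e User Priority (TID 0-7) -> WMM access category.
UP_TO_AC = {1: "AC_BK", 2: "AC_BK", 0: "AC_BE", 3: "AC_BE",
            4: "AC_VI", 5: "AC_VI", 6: "AC_VO", 7: "AC_VO"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def duration_id(value):
    """Interpret the 16-bit Duration/ID field by its two high-order bits."""
    if value & 0xC000 == 0xC000:          # both set: PS-Poll, AID in the low 14 bits
        return {"aid": value & 0x3FFF}
    if value & 0x8000:                    # bit 15 only: fixed value used during a CFP
        return {"cfp_fixed": 32768}
    return {"duration_us": value}         # bit 15 clear: NAV reservation in microseconds

def label_addresses(to_ds, from_ds, addrs):
    """Assign RA/TA/DA/SA/BSSID roles to Address 1-4 from the To DS / From DS bits."""
    a1, a2, a3 = addrs[:3]
    if not to_ds and not from_ds:         # IBSS (and every management frame)
        return {"RA/DA": a1, "TA/SA": a2, "BSSID": a3}
    if from_ds and not to_ds:             # AP -> STA
        return {"RA/DA": a1, "TA/BSSID": a2, "SA": a3}
    if to_ds and not from_ds:             # STA -> AP
        return {"RA/BSSID": a1, "TA/SA": a2, "DA": a3}
    return {"RA": a1, "TA": a2, "DA": a3, "SA": addrs[3]}  # WDS/mesh: four addresses

def parse_header(frame):
    fc, dur_id = struct.unpack_from("<HH", frame, 0)
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    out = {"type": TYPES[ftype], "subtype": subtype, "to_ds": to_ds, "from_ds": from_ds,
           "more_frag": bool(flags & 0x04), "retry": bool(flags & 0x08),
           "protected": bool(flags & 0x40), "order": bool(flags & 0x80)}
    out.update(duration_id(dur_id))
    if ftype == 1:                        # control frames start with RA; only PS-Poll decoded further
        out["RA"] = mac(frame[4:10])
        if (ftype, subtype) == PS_POLL:   # PS-Poll: Address 1 is the BSSID, Address 2 the TA
            out["BSSID"], out["TA"] = out.pop("RA"), mac(frame[10:16])
        return out
    addrs = [mac(frame[o:o + 6]) for o in (4, 10, 16)]
    seq_ctl, = struct.unpack_from("<H", frame, 22)
    out["seq_num"], out["frag_num"] = seq_ctl >> 4, seq_ctl & 0xF
    offset = 24
    if to_ds and from_ds:                 # Address 4 exists only in the WDS/mesh case
        addrs.append(mac(frame[24:30]))
        offset = 30
    out.update(label_addresses(to_ds, from_ds, addrs))
    qos_data = ftype == 2 and bool(subtype & 0x8)   # QoS Data subtypes have bit 3 set
    if qos_data:
        qos, = struct.unpack_from("<H", frame, offset)
        offset += 2
        out["tid"] = qos & 0xF
        out["ac"] = UP_TO_AC.get(out["tid"])        # None for TSIDs 8-15 (HCCA)
        out["ack_policy"] = (qos >> 5) & 0x3
        out["amsdu"] = bool(qos & 0x80)
    if out["order"] and (ftype == 0 or qos_data):  # Order bit => HT Control present
        out["ht_control"] = struct.unpack_from("<I", frame, offset)[0]
        offset += 4
    out["header_len"] = offset
    return out

def ccmp_header(body):
    """Packet number and key id from the 8-byte CCMP header that starts a protected body."""
    pn = (body[0] | body[1] << 8 | body[4] << 16 | body[5] << 24
          | body[6] << 32 | body[7] << 40)
    return {"pn": pn, "key_id": body[3] >> 6, "ext_iv": bool(body[3] & 0x20)}

# Constructed sample 1: protected QoS Data frame from a STA to its AP (To DS=1),
# TID 6 (voice), sequence number 2500, fragment 0. All addresses are made up.
QOS_DATA = bytes.fromhex(
    "8841"              # Frame Control: type data, subtype QoS Data, To DS, Protected
    "2c00"              # Duration: 44 us
    "001122334455"      # Address 1: BSSID (RA)
    "aabbccddee01"      # Address 2: SA (TA)
    "001122334466"      # Address 3: DA, a wired host behind the AP
    "409c"              # Sequence Control: seq 2500, frag 0
    "0600"              # QoS Control: TID 6 -> AC_VO, normal ack
    "0100002005000000"  # CCMP header: PN 0x050001, ExtIV set, key id 0
    "deadbeef")         # ciphertext placeholder
# Constructed sample 2: PS-Poll from the same STA, AID 5 (top two bits set -> 0xc005).
PS_POLL_FRAME = bytes.fromhex("a400" "05c0" "001122334455" "aabbccddee01")

if __name__ == "__main__":
    hdr = parse_header(QOS_DATA)
    print(hdr, ccmp_header(QOS_DATA[hdr["header_len"]:]), parse_header(PS_POLL_FRAME), sep="\n")
```

Running it on the first sample labels Address 1 as RA/BSSID and Address 3 as DA, reports TID 6 as AC_VO, and finds the CCMP header at offset 26; the second sample decodes the Duration/ID field as AID 5 rather than a duration. On a real capture, feed it the bytes after the radiotap header and strip the trailing 4-byte FCS first.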

FCS - Frame Check Sequence - This field is used to detect whether the frame was damaged in transit. It is a 32-bit Cyclic Redundancy Check (CRC-32) computed over the entire MAC header and frame body. The receiving STA runs the same CRC over what it received and compares the result with the FCS; if they differ, something went wrong during transmission, the frame is discarded and no ACK is sent, so the transmitter retries. A CRC catches random bit errors, not deliberate changes: anyone who can inject a frame can compute a correct FCS for whatever they send, so integrity against an attacker comes from the CCMP MIC inside the frame body, not from the FCS.
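An added example, not from the original post, that computes and checks the FCS with Python's standard CRC-32 (stored least-significant byte first, which is how capture tools verify it) and then shows why the check is only an error detector: a bit flipped in transit fails the check, but the same change with a recomputed FCS passes. The frame bytes are constructed for the example.

```python
"""Check an 802.11 FCS and show that it is not an integrity protection (added example).
The FCS is the standard CRC-32 over MAC header + frame body, stored little-endian.
"""
import zlib

def fcs(header_and_body):
    """CRC-32 over everything before the FCS, in the byte order it is stored on the air."""
    return zlib.crc32(header_and_body).to_bytes(4, "little")

def with_fcs(header_and_body):
    return header_and_body + fcs(header_and_body)

def fcs_ok(frame):
    """What a receiving STA does: recompute the CRC and compare with the last 4 bytes."""
    return len(frame) > 4 and fcs(frame[:-4]) == frame[-4:]

def flip_bit(data, bit):
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)

# Constructed: an unprotected Data frame (To DS) with a 5-byte body. Addresses are made up.
HEADER_AND_BODY = bytes.fromhex(
    "0801" "0000" "001122334455" "aabbccddee01" "001122334466" "1000") + b"hello"
FRAME = with_fcs(HEADER_AND_BODY)

def corrupted():
    """A single bit error in transit (inside Address 2): the stored FCS no longer matches."""
    return flip_bit(FRAME, 100)

def forged():
    """An attacker changes the same bit but recomputes the FCS: the check passes."""
    return with_fcs(flip_bit(HEADER_AND_BODY, 100))

if __name__ == "__main__":
    print("original FCS ok:", fcs_ok(FRAME))
    print("corrupted FCS ok:", fcs_ok(corrupted()))
    print("forged FCS ok:", fcs_ok(forged()))
```

The corrupted copy is what a receiver silently drops; the forged copy is indistinguishable from a genuine frame at this layer, which is the whole reason the CCMP MIC exists.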
