802.11 Protocol Deep Dive - Part 1

802.11 is a protocol that defines a set of media access control and physical layer specifications for implementing wireless LAN access, which is what is most commonly known as wireless technology.  802.11 technology has its origins in a 1985 ruling by the U.S. Federal Communications Commission that released the ISM band for unlicensed use.  

The industrial, scientific and medical (ISM) radio bands are radio bands (portions of the radio spectrum) reserved internationally for the use of radio frequency (RF) energy for industrial, scientific and medical purposes other than telecommunications.  The ISM bands share allocations with unlicensed and licensed operations; however, due to the high likelihood of harmful interference, licensed use of the bands is typically low.  The ability to operate on the ISM radio bands without needing a licensed operator made these radio frequencies perfect for home devices that broadcast and receive wireless signals.

The 802.11 protocol was developed, and is still maintained, by the group known as the Institute of Electrical and Electronics Engineers (IEEE).  The IEEE is a group of individuals who are leading scientists and engineers in their respective fields.  They come together to design and implement standards that are used in nearly all current technology.  The IEEE is split into various committees.  Group 802 has the responsibility of designing the Local Area Network (LAN) and Metropolitan Area Network (MAN) standards.  The IEEE specifications map to the 2 lowest OSI layers, the physical and link layers.  The link layer is further subdivided into 2 sub-layers called Logical Link Control (LLC) and Media Access Control (MAC).  The 802 group is therefore further divided into smaller subsections.  For example, group 802.3 is responsible for designing standards for Ethernet connections.  As you can see where I am going with this, the 11th subsection is responsible for designing the standards for Wireless LAN (WLAN) and Mesh (WiFi Certification).  

802.11 was the legacy protocol, but as revisions and new implementations were introduced, the IEEE appended an alpha character to the end of each new iteration.  You might have heard of these when purchasing a wireless router or AP that has abgn support.  I will not be listing all iterations of the different 802.11 protocols, but understanding their different limitations or advantages might come up in later blog posts.  Any differences or limitations will be discussed at that time.  

802.11 MAC Header

The entirety of this initial blog post will be a deep dive into the structure of a typical 802.11 packet.  Due to the nature and complexity of this subject, the blog post will be split up into smaller, more manageable portions.  The screenshot below shows the full packet and an exploded view of the Frame Control portion.  

Frame Control

To begin with the first subsection of the packet, we will be analyzing the frame control.  The frame control portion is represented along the bottom of the screenshot above.  The first field is the protocol version, which defines the version of the 802.11 protocol that is being used for the remainder of the packet.  In most cases this will be a value of 0 (zero), which specifies the 802.11 standard.  

The next fields are the type and subtype fields.  These fields determine the overall function of the frame.  There are three different frame types: control, data, and management.  For each frame type there are multiple subtypes which specify the function to perform for its associated frame type.

Control Type

The first type we will be discussing is the control frame.  Control frames are short messages that are used to inform other devices when to start and stop transmitting, or whether a connection has degraded and disconnected.  The type value used for control frames is 1, and it is combined with a subtype to specify a more specific action.  The following is a list of the different control frame subtypes: reserved, control wrapper, block ACK, PS-Poll, RTS, CTS, ACK, CF End, CF End + CF-Ack.  The screenshot below shows an ACK packet: the type is set to 1, which is a control frame, and the subtype is 13, which is an ACK.

Management Type

802.11 management frames enable stations to establish and maintain communications.  Management packets are used to support authentication, association, and synchronization.  Some common management frame subtypes are: association request/response, probe request, authentication, and deauthentication.  There are other management frames which will be covered in more depth in future posts.  

Data Type

Data frames are the last type we will be discussing, and they always come after the connection has already been established between the mobile station and the AP.  During analysis or discovery of data we will always be looking for this type of frame.  These frames transport data packets from higher layers, such as web pages, printer control data, etc., within the body of the frame.  Later in this series we will discuss digging through data frames for information retrieval.  

After discussing the different types and subtypes, we return to the frame control subsection.  The next two fields inside the frame control are To DS and From DS.  DS stands for distribution system, which is typically what the access point (AP) is connected to.  These two fields indicate whether the frame is entering or exiting the DS.  As you can see from the screenshot below, this is an example of a frame coming from the DS, as indicated by the From DS value of 1.  

The More Frag value can be set in order to inform the receiver that more fragments of data will be sent following the current packet.  The more fragments field is 1 bit in length and is set to 1 in all data or management type frames that have another fragment of the current MAC service data unit (MSDU) or current MAC management protocol data unit (MMPDU) to follow. It is set to 0 in all other frames.  We will discuss the MSDU and MMPDU in later posts.

The Retry field is set if, for some reason, the packet needs to be retransmitted.  The Retry field is 1 bit in length and is set to 1 in any data or management type frame that is a retransmission of an earlier frame.  It is set to 0 in all other frames.  A receiving STA uses this indication to aid in the process of eliminating duplicate frames.

The power management field is 1 bit in length and is used to alert an access point that a client is going into a doze state, either to save battery life or to scan off channel to build a neighbor list.  The access point then buffers frames for the client.  If this bit is 0 it indicates no doze state; if this bit is 1 it indicates a doze state.

The More Data field allows the AP to instruct the STA that more data is coming.  This keeps the STA from returning to a doze or power-saving state.  

Next is the WEP field, which indicates whether encryption and authentication are used within the packet.  It is now more commonly known as the Protected Frame field, and it instructs the AP or the receiver that the data is encrypted.  

The final field is the Order field, which indicates whether the strictly-ordered service class is in use.  In most cases this value is not set.  The field is used to indicate a frame-ordering process typically used by upper-layer applications; it will typically not be set to anything other than 0 (zero).  
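To tie the Frame Control walkthrough above together, here is an added example (not code from the original post) that decodes the 2-byte Frame Control field into the protocol version, type, subtype and the eight flag bits discussed. The two sample headers are constructed for this example: an ACK (type 1, subtype 13) and a data frame arriving from the DS with the Protected bit set.

```python
"""Decode the 2-byte 802.11 Frame Control field (added example, constructed input)."""

TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "reserved"}

# Subtype names for the frames covered in the text (values from IEEE 802.11).
SUBTYPE_NAMES = {
    (0, 0): "association request", (0, 1): "association response",
    (0, 4): "probe request", (0, 5): "probe response", (0, 8): "beacon",
    (0, 11): "authentication", (0, 12): "deauthentication",
    (1, 7): "control wrapper", (1, 8): "block ack request", (1, 9): "block ack",
    (1, 10): "PS-Poll", (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK",
    (1, 14): "CF-End", (1, 15): "CF-End + CF-Ack",
    (2, 0): "data", (2, 8): "QoS data",
}

# The flag byte, least-significant bit first, in the order the post discusses them.
FLAG_NAMES = ["to_ds", "from_ds", "more_frag", "retry",
              "power_mgmt", "more_data", "protected", "order"]


def parse_frame_control(frame: bytes) -> dict:
    """Return the Frame Control fields from the start of an 802.11 MAC header.

    The field is sent least-significant byte first: byte 0 carries the protocol
    version (bits 0-1), type (bits 2-3) and subtype (bits 4-7); byte 1 carries
    the eight one-bit flags listed in FLAG_NAMES.
    """
    if len(frame) < 2:
        raise ValueError("frame too short for a Frame Control field")
    b0, b1 = frame[0], frame[1]
    ftype = (b0 >> 2) & 0x3
    subtype = (b0 >> 4) & 0xF
    fields = {
        "version": b0 & 0x3,
        "type": ftype,
        "type_name": TYPE_NAMES[ftype],
        "subtype": subtype,
        "subtype_name": SUBTYPE_NAMES.get((ftype, subtype), "reserved/other"),
    }
    for bit, name in enumerate(FLAG_NAMES):
        fields[name] = bool((b1 >> bit) & 1)
    return fields


# Constructed sample headers; only the first two bytes are needed here.
ACK_FRAME = bytes.fromhex("d400")      # version 0, type 1, subtype 13 -> ACK
DATA_FROM_AP = bytes.fromhex("0842")   # data frame with From DS and Protected set

if __name__ == "__main__":
    for raw in (ACK_FRAME, DATA_FROM_AP):
        print(raw.hex(), parse_frame_control(raw))
```

Feeding the first two bytes of any captured 802.11 header into `parse_frame_control` reproduces the exploded Frame Control view from the screenshot.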

In the next blog post we will move further into the 802.11 technologies.  Until next time!

Ryan Villarreal