We touched a bit on these in the "Type" field, but this portion of the chapter
goes into them a bit deeper.
Beacon Frames
We touched on these in Chapter 2 as well as other assorted places. These are used
to announce BSS's for STA's that are looking for something to connect to.
Beacons are transmitted (by default) every 100 time units (TU's). A TU is
typically 1024 microseconds, which, when you do the math, means that every 102.4
milliseconds a Beacon is being transmitted. Remember that a Beacon frame is
transmitted for *every* SSID being broadcast. As such, the more SSID's you
have, the more Beacon overhead you are creating. Beacon Frames are Management
Frames and, as such, use the Management Frame Format. It should be noted that
Beacon Frames contain a lot of information about the SSID and the radio being
used to broadcast it. Some of the most important of this information is the SSID
name itself, the capabilities of the device (there are a few things here) and
the supported rates.
Beacons are sent at a target beacon transmission time (TBTT), which by default
is every 100 TU's. That said, with how heavily utilized the wireless medium is,
that target is often not possible, and the beacon will be sent as soon as
possible after the 100 TU's have passed. It's important to remember that Beacon
frames have to wait for the air to be clear before transmission as well.
Beacon filter in Wireshark
wlan.fc.type_subtype == 0x08
To filter beacon frames *out* of the display use the Wireshark filter
wlan.fc.type_subtype != 0x08
Probe Request and Probe Response Frames
Remember in active scanning, a STA will send a Probe Request, which will be
answered with a Probe Response by an AP. If the probe request is sent with a
broadcast SSID, any and all AP's on that channel being probed will respond with
a Probe Response, thus allowing STA's to quickly gather a view of all of the
SSID's available on that channel.
Probe Request and Response Wireshark Filter
wlan.fc.type_subtype == 0x4 or wlan.fc.type_subtype == 0x5
To filter out Probe Request/Response Frames
wlan.fc.type_subtype != 0x4 and wlan.fc.type_subtype != 0x5
Remember that just because a client is connected does not mean that it will
stop probing. Client roaming algorithms will have a certain threshold where
they will begin probing for a better AP. For example, last I knew, Apple iOS
devices would start their probe requests at -67dBm. Now that doesn't mean that
it will automatically move to something that's stronger than -67dBm. That could
result in flapping from AP to AP. Instead, it requires the new AP to be
stronger by a certain threshold. In the iOS case (again, last I knew) the new
AP had to be 8dB stronger than the AP that the STA is currently connected to.
That means that even if the STA had a -72dBm connection, it would not roam
unless the new AP had a signal strength of -64dBm or stronger. Unfortunately,
these roaming algorithms are unique to the devices, so the probing threshold
and roaming threshold of each client may vary. It's important to keep this in
mind when designing.
Authentication and Deauthentication Frames
Authentication frames are frames used by STA's to enter into the Authenticated
State with an AP. To do so, a STA sends a single frame to the AP, which will
answer back with a single frame of its own. This is the method that WPA2 uses.
Deauthentication frames are used to remove a STA from an authenticated state.
This can be done by either the STA or the AP. Remember that a STA cannot be
associated if it's not authenticated.
Wireshark filter for Authentication frames
wlan.fc.type_subtype == 0xb
To filter them out
wlan.fc.type_subtype != 0xb
Association and Disassociation Frames
These frames are used for the STA to enter into an associated state after they
have been authenticated. It's done through a four-frame exchange:
-Authentication request
-ACK
-Authentication response
-ACK
From this point, if Open System Auth is being used, then the STA can begin to
use the network. If they are using 802.1X, then that process will begin at this
point.
Disassociation frames will remove a STA from an associated state, placing it
into an authenticated, not associated state. Disassociation frames will include
a reason for the disassociation, a smattering of vendor-specific information,
and an integrity check if/when management frame protection is in use.
Wireshark Filter
wlan.fc.type_subtype == 0x0 or wlan.fc.type_subtype == 0x1
To filter them out
wlan.fc.type_subtype != 0x0 and wlan.fc.type_subtype != 0x1
Reassociation Request and Response Frames
These are used when roaming from one AP to another within the same ESS. They
can also be used to reconnect to an AP to which the STA was briefly connected,
but only if the AP still has authentication information about the STA. Request
frames contain a plethora of information.
Wireshark filters
wlan.fc.type_subtype == 0x2 or wlan.fc.type_subtype == 0x3
To filter them out
wlan.fc.type_subtype != 0x2 and wlan.fc.type_subtype != 0x3
Request to Send (RTS) and Clear to Send (CTS) Frames
These are used to clear the PHY for the transmission of "larger" frames. When a
STA wants to send a larger frame it sends a RTS. A CTS is used to respond.
Both frame types include a duration field, which is very important as it lets
everyone know how long the air will be busy. The duration field of the request
(RTS) frame is made up of the data *or* management frame duration + CTS
duration + one ACK duration + three SIFS.
The CTS response frame also has a duration that's measured in microseconds,
made up of the value of the duration field of the RTS frame - CTS duration -
one SIFS.
CTS-to-Self is a CTS frame that is sent without a RTS frame before it. These
frames have the RA field set to the sender's own address. These are helpful
because all STAs within range will hear the frame and set their NAV timers
using the duration field from the CTS frame. This duration is made up of the
data or management frame duration + two SIFS + one ACK.
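The three duration formulas above, worked through as an added example (not part of the original notes). It also places the frames on a timeline to show that the NAV set by the RTS and the NAV set by the CTS run out at the same instant, the end of the ACK. The airtimes and the 16 microsecond SIFS are constructed sample values.

```python
SIFS_US = 16  # constructed scenario: SIFS of an OFDM PHY in 5 GHz

def rts_duration(data_us, cts_us, ack_us, sifs_us=SIFS_US):
    # data (or management) frame + CTS + one ACK + three SIFS
    return data_us + cts_us + ack_us + 3 * sifs_us

def cts_duration(rts_dur_us, cts_us, sifs_us=SIFS_US):
    # RTS duration value - CTS airtime - one SIFS
    return rts_dur_us - cts_us - sifs_us

def cts_to_self_duration(data_us, ack_us, sifs_us=SIFS_US):
    # data (or management) frame + two SIFS + one ACK
    return data_us + ack_us + 2 * sifs_us

def nav_expiry_times(rts_us, cts_us, data_us, ack_us, sifs_us=SIFS_US):
    """Times in microseconds, measured from the start of the RTS."""
    rts_end = rts_us
    cts_end = rts_end + sifs_us + cts_us
    data_end = cts_end + sifs_us + data_us
    ack_end = data_end + sifs_us + ack_us
    rts_dur = rts_duration(data_us, cts_us, ack_us, sifs_us)
    return {
        # a NAV timer starts when the frame carrying the duration ends
        "rts_nav_end": rts_end + rts_dur,
        "cts_nav_end": cts_end + cts_duration(rts_dur, cts_us, sifs_us),
        "ack_end": ack_end,
    }

if __name__ == "__main__":
    # constructed airtimes: RTS 52 us, CTS 44 us, data 300 us, ACK 44 us
    print(rts_duration(300, 44, 44))
    print(cts_duration(rts_duration(300, 44, 44), 44))
    print(cts_to_self_duration(300, 44))
    print(nav_expiry_times(52, 44, 300, 44))
```

A STA that hears only the CTS (for example a hidden node that missed the RTS) therefore still defers until the same moment as one that heard the RTS.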
Wireshark filters for RTS/CTS frames
wlan.fc.type_subtype == 0x1b or wlan.fc.type_subtype == 0x1c
To filter them out
wlan.fc.type_subtype != 0x1b and wlan.fc.type_subtype != 0x1c
ACK Frames
These are sent to inform the transmitting device that the frame was received
and are sent immediately following data and management frames. If an ACK frame
is not returned then the transmitter assumes the frame was lost and will
retransmit the frame. With each retransmission the random backoff timer length
is increased with a maximum of 1023. This maximum backoff timer length keeps
STA's from continuously retransmitting without shifting to a lower data rate.
As the book points out, it's far better to send a frame at 54Mbps and have it
be received than it is to send it five times at 150Mbps before it's received.
An ACK frame is a fairly simple frame, consisting of only Frame Control,
Duration, RA, and FCS subfields. It actually uses the address of the STA that
sent the acknowledged frame in the RA subfield and not the address of the STA
sending the ACK Frame.
Wireshark Filter
wlan.fc.type_subtype == 0x1d
To filter them out
wlan.fc.type_subtype != 0x1d
Null Data and PS-Poll Frames
These are used to
notify an AP that the STA is awake and now able to receive frames. These are
called Null Data frames since they are simply a Data frame containing no data.
Wireshark filter
wlan.fc.type_subtype == 0x24
PS-Poll is short for Power Save Poll. These frames are also used to notify the
AP that the client is awake and available for buffered frames. These include an
AID.
STAs using power management will set their PM bit to 1, meaning that they will
go in and out of awake and dozing states. While a STA is dozing, the AP will
buffer any traffic that is destined for it.
Client devices have a Listen Interval at the end of which the client will wake
up and listen for Beacon Frames. If the client hears a beacon with its AID
containing a 1 bit it will send a PS-Poll frame requesting that the AP send it
its buffered data, which the AP will do one frame at a time. If there is more
data the More Data bit will be set to 1. Each time the client will send a new
PS-Poll until there are no more buffered frames, at which point the Client STA
can return to a sleep state.
Rather than send a PS-Poll back to the AP to request each individual frame that
is buffered, clients can also flip the PM bit to 0. This will cause the AP to
send all of its buffered data down to the STA as if it was a normal client.
Once this transmission is complete, the client will flip its PM bit back to 1
and go back to sleep. This is *not* an 802.11 standard operation, but is an
operation that is used by many client devices, and it reduces a lot of
unnecessary airtime eaten up by the PS-Poll frames.
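The two retrieval methods described above, modelled side by side as an added example (not part of the original notes). The class and function names are hypothetical, ACKs are left out, and the count of two client frames for the PM-bit method assumes one frame announcing PM = 0 and one announcing PM = 1.

```python
from collections import deque

class AccessPoint:
    """Buffers frames per AID while the STA is dozing (PM bit = 1)."""
    def __init__(self):
        self.buffered = {}                    # AID -> deque of payloads

    def buffer_frame(self, aid, payload):
        self.buffered.setdefault(aid, deque()).append(payload)

    def beacon_tim(self):
        """AIDs whose bit is 1 in the Beacon, meaning traffic is waiting."""
        return {aid for aid, q in self.buffered.items() if q}

    def on_ps_poll(self, aid):
        """Release exactly one frame; More Data is 1 if others remain."""
        q = self.buffered[aid]
        payload = q.popleft()
        return {"payload": payload, "more_data": int(bool(q))}

    def on_pm_cleared(self, aid):
        """STA announced PM = 0: deliver everything as to an awake client."""
        q = self.buffered[aid]
        frames = list(q)
        q.clear()
        return frames

def drain_with_ps_poll(ap, aid):
    """Return (payloads received, frames the STA had to transmit)."""
    received, sta_tx = [], 0
    if aid not in ap.beacon_tim():
        return received, sta_tx               # nothing buffered, sleep again
    more = 1
    while more:
        sta_tx += 1                           # one PS-Poll per buffered frame
        frame = ap.on_ps_poll(aid)
        received.append(frame["payload"])
        more = frame["more_data"]
    return received, sta_tx

def drain_with_pm_flip(ap, aid):
    """Same result, but the STA only signals PM = 0 and later PM = 1."""
    if aid not in ap.beacon_tim():
        return [], 0
    return ap.on_pm_cleared(aid), 2           # assumed: two signalling frames
```

With three buffered frames the PS-Poll method costs the client three transmissions and the PM-bit method two, and the gap widens with every additional buffered frame.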
In a WMM Power Save queue, frames are downloaded using a Trigger-and-delivery
mechanism. WMM-PS is set for each AC separately. This allows for more frequent
data transmission for those applications that require them.
Trigger frames are actually data frames that are ACK'd by the AP. This means
that a STA can send data to the AP while at the same time triggering the
delivery of any buffered frames that the AP may have for the client device.
If the AP has multiple buffered frames for the client, the AP can send those
frames during an EDCA transmit opportunity that has interleaved ACK's, meaning
that a burst of frames can be sent down rather than individual frames.
PS-Poll Wireshark filter
wlan.fc.type_subtype == 0x1a
To filter them out
wlan.fc.type_subtype != 0x1a
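The values used in the filters throughout these notes come from the first byte of the Frame Control field: wlan.fc.type_subtype is the 2-bit type shifted left by four, ORed with the 4-bit subtype. The decoder below is an added example (not part of the original notes); the sample bytes are constructed, and the Disassociation and Deauthentication values are the standard ones rather than values taken from the filters above.

```python
NAMES = {
    0x00: "Association Request",   0x01: "Association Response",
    0x02: "Reassociation Request", 0x03: "Reassociation Response",
    0x04: "Probe Request",         0x05: "Probe Response",
    0x08: "Beacon",                0x0a: "Disassociation",
    0x0b: "Authentication",        0x0c: "Deauthentication",
    0x1a: "PS-Poll", 0x1b: "RTS",  0x1c: "CTS", 0x1d: "ACK",
    0x24: "Null Data",
}

def decode_frame_control(frame: bytes) -> dict:
    """Decode the 2-byte Frame Control field at the start of an 802.11
    MAC header (any radiotap header must already be stripped)."""
    if len(frame) < 2:
        raise ValueError("need at least the 2-byte Frame Control field")
    b0, b1 = frame[0], frame[1]
    ftype = (b0 >> 2) & 0x3        # 0 management, 1 control, 2 data
    subtype = (b0 >> 4) & 0xF
    type_subtype = (ftype << 4) | subtype
    return {
        "version": b0 & 0x3,
        "type_subtype": type_subtype,
        "name": NAMES.get(type_subtype, "other"),
        "retry": bool(b1 & 0x08),
        "pwr_mgt": bool(b1 & 0x10),    # the PM bit
        "more_data": bool(b1 & 0x20),  # the More Data bit
    }

def wireshark_filter(frame: bytes) -> str:
    """Display filter that matches frames of the same type and subtype."""
    ts = decode_frame_control(frame)["type_subtype"]
    return f"wlan.fc.type_subtype == {ts:#04x}"

# Constructed samples: Frame Control bytes only.
SAMPLES = {
    "beacon":    bytes([0x80, 0x00]),
    "rts":       bytes([0xB4, 0x00]),
    "null_data": bytes([0x48, 0x01]),   # To DS = 1, PM = 0 (STA awake)
    "ps_poll":   bytes([0xA4, 0x10]),   # PM = 1
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, decode_frame_control(raw), wireshark_filter(raw))
```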