Saturday, May 14, 2011

IEEE 802.11 Frame Types

IEEE 802.11 in the OSI Reference Model

The IEEE 802.11 architecture resides in the Data Link Media Access Control (MAC) sublayer and the Physical layer in the OSI reference model.

The Basic Service Set (BSS) and Extended Service Set (ESS) are the 2 available infrastructure modes of WLAN. Another mode of WLAN is ad-hoc mode.

A Basic Service Set (BSS) is the basic building block of a WLAN and is often referred to as the coverage area of an access point. An access point acts as the master that controls the wireless stations within a BSS. A BSS is identified by an SSID. The most basic BSS is the Independent Basic Service Set (IBSS), or ad-hoc mode BSS, which is made up of 2 wireless clients; the most basic infrastructure mode BSS is made up of an access point and a wireless client.

The IEEE 802.11 WLAN specification defines more frame types than Ethernet, both for carrying wireless communications and for managing and controlling wireless connections. The types of frames in the IEEE 802.11 specification are management, control, and data frames. Understanding the different IEEE 802.11 frame types is essential for analyzing and troubleshooting the operation of WLANs.

Every IEEE 802.11 WLAN frame contains the MAC addresses of the source and destination wireless stations, a Frame Control field that indicates the 802.11 protocol version, the frame type, and various flags (e.g. whether WEP is enabled, whether power management is active, etc.), a Sequence Control field, the frame body, and the Frame Check Sequence for error detection.

IEEE 802.11 Frame Format

The figure above shows the frame format of the IEEE 802.11 WLAN specification.
The subfields and flags in the Frame Control field are as follows:
Protocol Version: Indicates the version of the 802.11 protocol. A receiving station uses this value to determine whether it supports the protocol version of the received frame.
Type and Subtype: Determine the function of the frame – management, control, or data. The subtype within each type identifies the specific function the frame performs.
To DS and From DS: Indicate whether the frame is destined to or exiting from the distribution system (DS). All frames of wireless stations that are associated with an access point (infrastructure mode) will have one of the DS bits set. The interpretation of the Address fields depends on the setting of these bits.
More Fragments: Indicates whether more fragments of the current management or data frame are to follow. Control frames are not fragmented, hence this bit is always set to 0 for control frames.
Retry: Indicates whether the management or data frame is a retransmission.
Power Management: Indicates whether the sending wireless station is in active or power-saving mode.
More Data: Used to inform a wireless station in power-saving mode that the access point has more frames buffered for it. Also used by an access point to indicate that additional broadcast or multicast frames are to follow. This bit is only used in management and data frames; hence it is always set to 0 for control frames.
Protected: Indicates whether encryption and authentication are applied to the frame. Control frames may not be encrypted; hence this bit is always set to 0 for control frames.
Order: Indicates that all received data frames must be processed in strict order.

Below shows how to interpret the To DS and From DS bits:

              From DS = 0                                      From DS = 1
  To DS = 0   All management, control, and data frames         Data frames arriving at a wireless station
              within an IBSS (ad-hoc).                         (from the AP) in an infrastructure WLAN.
  To DS = 1   Data frames transmitted from a wireless station  Data frames on a wireless bridge
              (to the AP) in an infrastructure WLAN.           (WDS, Wireless Distribution System).

The Duration/ID field is used in all control frames (except those with the PS-Poll subtype) to indicate the time remaining until the next frame transmission has been received.

Wireless stations may want to save battery power by turning off antennas. When the subtype is PS-Poll, it contains the association identity (AID) of the waking transmitting station, which indicates which BSS the station belongs to. Note: PS is referred to as Power Save.

An 802.11 frame may contain up to 4 Address fields. The general rule is that Address 1 indicates the receiver of a frame, Address 2 the transmitter, and Address 3 an address used for filtering by the receiver. Depending on the type of frame, the 4 Address fields contain a combination of the following address types:
BSS Identifier (BSSID): Used to uniquely identify each BSS (WLAN). When the frame is from a wireless station in an infrastructure BSS, the BSSID is the MAC address of the access point; when the frame is from a wireless station in an IBSS (ad-hoc), the BSSID is a locally administered MAC address built from a 46-bit random number, generated by the wireless station that initiated the IBSS.
Source Address (SA): Indicates the 48-bit MAC address of the source station that created and transmitted the frame (the source of the transmission). Only 1 station can be the source of a frame.
Destination Address (DA): Indicates the 48-bit MAC address of the destination station that is to receive the frame (the recipient).
Transmitter Address (TA): Indicates the 48-bit MAC address of the wireless interface that transmitted the frame onto the wireless medium. The TA is only used in wireless bridging.
Receiver Address (RA): Indicates the 48-bit MAC address of the (immediate) wireless station that should receive and process the frame. If the receiver is a wireless station, the RA is the DA. For frames destined to a node on an Ethernet network connected to an access point, the RA is the wireless interface of the access point, and the DA may be a node attached to the Ethernet.

Below shows the usage of the Address fields in data frames:

  Function   To DS   From DS   Address 1 (RX)   Address 2 (TX)   Address 3   Address 4
  From AP    0       1         DA               BSSID            SA          -

Note: Address 1 indicates the receiver; Address 2 indicates the transmitter.

The Sequence Control field contains the following 2 subfields:
Fragment Number: Indicates the number of each fragment of a fragmented upper-layer packet. The 1st fragment has a fragment number of 0, and each subsequent fragment of the packet increments the fragment number by one.
Sequence Number: Indicates the sequence number of each frame. It begins at 0, is incremented by 1 up to 4095, then rolls over to 0 and begins again (modulo 4096). All fragments of a fragmented packet, as well as retransmitted frames, carry the same sequence number.
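The Frame Control, Duration, Address and Sequence Control fields described above, decoded by a small parser. This is an added example, not code from the original post: it handles management and data frames only (control frames use shorter headers), derives the Address 1..4 roles from the To DS / From DS bits for all four combinations, and runs on two constructed frames that use made-up, locally administered MAC addresses.

```python
import struct

# Frame Control Type field (bits 2-3) and the management subtypes covered in the post.
FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {0: "Association Request", 1: "Association Response",
                 2: "Reassociation Request", 3: "Reassociation Response",
                 4: "Probe Request", 5: "Probe Response", 8: "Beacon",
                 10: "Disassociation", 11: "Authentication", 12: "Deauthentication"}
# Meaning of Address 1..4 keyed by (To DS, From DS); None means the field is absent.
# Management frames always carry (0, 0) and use the first row (DA, SA, BSSID).
ADDRESS_ROLES = {(0, 0): ("DA", "SA", "BSSID", None),
                 (1, 0): ("BSSID", "SA", "DA", None),
                 (0, 1): ("DA", "BSSID", "SA", None),
                 (1, 1): ("RA", "TA", "DA", "SA")}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_mac_header(frame):
    """Decode the MAC header of a management or data frame (control frames use shorter headers)."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte MAC header")
    fc, duration = struct.unpack_from("<HH", frame, 0)    # both fields are little-endian
    (seq_ctl,) = struct.unpack_from("<H", frame, 22)
    flags, ftype, subtype = fc >> 8, (fc >> 2) & 0x3, (fc >> 4) & 0xF
    hdr = {"version": fc & 0x3,
           "type": FRAME_TYPES.get(ftype, "reserved"),
           "subtype": MGMT_SUBTYPES.get(subtype, subtype) if ftype == 0 else subtype,
           "to_ds": flags & 1, "from_ds": (flags >> 1) & 1,
           "more_fragments": (flags >> 2) & 1, "retry": (flags >> 3) & 1,
           "power_mgmt": (flags >> 4) & 1, "more_data": (flags >> 5) & 1,
           "protected": (flags >> 6) & 1, "order": (flags >> 7) & 1,
           "duration": duration,                      # microseconds (non-PS-Poll frames)
           "fragment_number": seq_ctl & 0xF,          # low 4 bits
           "sequence_number": seq_ctl >> 4}           # high 12 bits, modulo 4096
    roles = ADDRESS_ROLES[(hdr["to_ds"], hdr["from_ds"])]
    hdr["addresses"] = {roles[i]: mac_str(frame[4 + 6 * i:10 + 6 * i]) for i in range(3)}
    if roles[3] is not None:                          # WDS: Address 4 follows Sequence Control
        if len(frame) < 30:
            raise ValueError("WDS frame shorter than the 30-byte MAC header")
        hdr["addresses"][roles[3]] = mac_str(frame[24:30])
    return hdr

# Constructed samples (made-up, locally administered MACs): a data frame from an AP to a
# client (To DS = 0, From DS = 1, sequence number 42) and a Beacon broadcast by the same AP.
DATA_FROM_AP = bytes.fromhex("0802" "2c00" "020000000001" "02000000aa01" "020000000002" "a002")
BEACON = bytes.fromhex("8000" "0000" "ffffffffffff" "02000000aa01" "02000000aa01" "1000")
```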

Below lists the IEEE 802.11 management frames that allow wireless stations to establish and maintain communications:
Association Request: The 802.11 association process allows an access point to synchronize with and allocate resources for a wireless adapter. A wireless adapter begins the process by sending an Association Request frame to an access point. Upon receiving the Association Request frame, the access point is considered associated with the wireless adapter and allocates an association ID and resources for it. An Association Request frame contains information such as the SSID of the WLAN the wireless client wishes to associate with and its supported data rates.
Association Response: An access point sends an Association Response frame containing an acceptance or rejection notice to the wireless adapter requesting association. An Association Response frame contains information such as the association ID and the supported data rates.
Reassociation Request: When a wireless adapter roams away from its currently associated access point after finding another access point with a stronger beacon signal, it sends a Reassociation Request frame to the new access point. The new access point then coordinates with the previous access point to forward any data frames meant for the wireless adapter that may still be buffered at the previous access point.
Reassociation Response: An access point sends a Reassociation Response frame containing an acceptance or rejection notice to a wireless adapter requesting reassociation. Like the Association Response frame, the Reassociation Response frame contains information about the association – the association ID and the supported data rates.
Probe Request: A wireless station sends a Probe Request frame when it would like to obtain information about another wireless station.
Ex: A wireless adapter sends a Probe Request frame to determine which access points are within range.
Probe Response: A wireless station that receives a Probe Request frame responds with a Probe Response frame containing capability information, e.g. the supported data rates.
Beacon: An access point sends Beacon frames periodically to announce its presence and the services it offers (SSID, timestamp, and other access point parameters) to wireless adapters within range. Wireless adapters continuously scan all 802.11 radio channels for Beacon frames to choose the best access point to associate with. Beacon frames are also used to logically separate WLANs.
Disassociation: A wireless station sends a Disassociation frame to another wireless station when it would like to terminate the association.
Ex: A wireless adapter that is shutting down gracefully can send a Disassociation frame to notify its associated access point that it is powering off. The access point can then remove the wireless adapter from its association table and release the allocated memory resources.
Authentication: The 802.11 authentication process is where an access point accepts or rejects the identity of a wireless adapter. A wireless adapter begins the process by sending an Authentication frame containing its identity to the access point. For open authentication, the access point responds with an Authentication frame indicating acceptance or rejection. For shared-key authentication, the access point responds with an Authentication frame containing challenge text, and the wireless client must respond with an Authentication frame containing the challenge text encrypted with the shared key, which the access point uses to verify the client's identity. WLAN authentication occurs at L2 and authenticates devices rather than users. The authentication and association processes occur in sequence.
Note: Authentication occurs first, followed by association.
Deauthentication: A wireless station sends a Deauthentication frame to another wireless station in order to terminate a secure connection.

Below lists the IEEE 802.11 control frames that assist the delivery of data frames between wireless stations:

Request to Send (RTS): A station sends an RTS frame to another station as the 1st phase of the 2-way handshake required before transmitting a data frame.
Clear to Send (CTS): A station responds to an RTS frame with a CTS frame to give the source station clearance to transmit a data frame. The CTS frame contains a time value that causes all nearby stations (including hidden stations) to hold off transmitting for the period the source station needs to transmit its frames.
Acknowledgement (ACK): Upon receiving a data frame, the destination station runs an error-checking process to detect errors. If no errors are found, the destination station sends an ACK frame to the source station. The source station retransmits the frame if it does not receive an ACK for it within a certain period of time.

Finally, data frames are used to carry upper-layer data – packets.

Below shows the wireless client association process:
i) Access points send out Beacons announcing the SSID and supported data rates.
ii) A wireless client scans all channels and sends out Probe Request frames to all access points within range.
iii) All access points within range reply with a Probe Response frame, and the wireless client listens for the responses from the access points.
iv) The wireless client associates with the access point with the strongest signal. Authentication and other security information are sent to the access point.
v) The access point accepts the association request and associates with the wireless client.
Note: 802.1X authentication could occur straight after the association process is completed.
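The authenticate-then-associate sequence and the management frame exchanges above, modelled as a small AP-side state machine. This is an added example, not code from the original post; the SSID and station MACs in the usage are made up, open authentication is assumed, and the replies to out-of-sequence frames (a Deauthentication to a station that tries to associate or send data before authenticating, a Disassociation to data from an authenticated but not associated station) follow the standard's frame-class rules, which the post itself does not spell out.

```python
from enum import Enum


class State(Enum):
    UNAUTHENTICATED = 1   # only Probe and Authentication exchanges are meaningful here
    AUTHENTICATED = 2     # the station may now (re)associate
    ASSOCIATED = 3        # the station holds an AID and may exchange data frames


class AccessPoint:
    """Toy AP that walks each station through authentication, then association."""

    def __init__(self, ssid):
        self.ssid = ssid
        self.state = {}      # station MAC -> State (absent = UNAUTHENTICATED)
        self.aids = {}       # station MAC -> association ID
        self.next_aid = 1

    def handle(self, sta, subtype, ssid=None):
        """Return the frame the AP sends back for a received management or data frame."""
        state = self.state.get(sta, State.UNAUTHENTICATED)
        if subtype == "Probe Request":
            return "Probe Response"
        if subtype == "Authentication":          # open authentication: accept the identity
            self.state[sta] = State.AUTHENTICATED
            return "Authentication (accept)"
        if subtype in ("Association Request", "Reassociation Request"):
            if state is State.UNAUTHENTICATED:
                # Association before authentication is out of sequence: no AID is
                # allocated and the station is told to start over.
                return "Deauthentication"
            if ssid != self.ssid:
                return subtype.split()[0] + " Response (reject)"
            if sta not in self.aids:             # allocate an AID on first association
                self.aids[sta] = self.next_aid
                self.next_aid += 1
            self.state[sta] = State.ASSOCIATED
            return f"{subtype.split()[0]} Response (accept, AID {self.aids[sta]})"
        if subtype == "Disassociation":          # association ends, authentication survives
            self.aids.pop(sta, None)
            self.state[sta] = State.AUTHENTICATED
            return None
        if subtype == "Deauthentication":        # everything for this station is torn down
            self.aids.pop(sta, None)
            self.state.pop(sta, None)
            return None
        if subtype == "Data":                    # only associated stations may send data
            if state is State.ASSOCIATED:
                return "ACK"
            return "Disassociation" if state is State.AUTHENTICATED else "Deauthentication"
        return None
```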

The maximum Ethernet frame size is 1518 bytes whereas a wireless frame could be as large as 2346 bytes. Usually the WLAN frame size is limited to 1518 bytes as WLANs are often connected to and communicating with wired Ethernet networks.


  1. Thanks, that was helpful.
    I am doing research about all that,
    but there's one question:
    what are the unassociated frames?
    It is included in my research.
    Thanks again.

  2. Hi Abduh, thanks for the comment, and glad that this helps. Sorry that I am not sure about unassociated frames. Thanks. :-)