CWAP – MAC Sublayer and Functions

• 4.1 Understand frame encapsulation and frame aggregation
• 4.2 Identify and use MAC information in captured data for analysis
• 4.3 Validate BSS configuration through protocol analysis
• 4.4 Identify and analyze CRC error frames and retransmitted frames

4.1

Frame Encapsulation – The process of enclosing upper-layer information into the current layer delivery format

• Service Data Unit (SDU) – the amount of information whose identity is preserved when transferred
• Protocol data Unit (PDU) – a unit of data specified in a protocol and consisting of protocol control information and user data
• Each layer has its own SDU and PDU

LLC sublayer would have LSDU coming from the upper layer and encapsulate into a LPDU to hand off to the MAC sublayer

MAC sublayer would get its MSDU from the LPDU and encapsulate by adding the MAC header and FCS creating a MPDU and hand off to the PLCP sublayer

PLCP sublayer would take the MPDU in as PSDU and encapsulate by adding the PHY header to create a PPDU handing off to the PMD sublayer

LPDU -> MSDU -> MAC Header + FCS -> MPDU -> PSDU -> PHY Header -> PPDU -> PMD

MAC Header + MSDU (LPDU) + FCS = MPDU/PSDU

PHY Header + MPDU = PPDU

PPDUs contain MPDUs in every case

MPDUs do not always contain upper-layer info such as a beacon frame since it originates at layer 2

Frame Aggregation – process of combining multiple MSDUs and MPDUs into a single PPDU

First supported in 802.11n

A-MSDU combines multiple MSDUs into a single MPDU, contains multiple IP packets

A-MPDU combines multiple MPDUs into a single PPDU, uses one mac header and FCS

802.11n max size of 64kB

802.11AC max size of 1MB

4.2

4.2.1 Management, control, and data frames

Management Frames

• Type 00
• Manage the medium
• 14 types
  • 0000 – Association Request
    • 24 fields most of which contain BSS capabilities
  • 0001 – Association Response
    • Up to 31 fields also contains BSS info
    • Response field to indicate success or fail
    • Fail will contain reason
    • Success will contain the AID
  • 0010 – Reassociation Request
    • Used in case of roaming
    • Contains SRC and DST AP info
  • 0011 – Reassociation Response
    • Response from the DST AP when roaming
  • 0100 – Probe Request
    • Sent when client is requesting information
    • Primary tool of active scanning
    • Sent exclusively by the client
  • 0101 – Probe Response
    • Response of the AP to a probe request
  • 0110 – Timing Advertisement
    • Product of 802.11p
    • Time sync
  • 0111 – RESERVED
  • 1000 – Beacon
    • Like and unsolicited probe response
    • Display the characteristics of the BSS
  • 1001 – ATIM
    • Tells the STA when it has frames for it while sleeping
  • 1010 – Disassociation
    • An end to an association
    • Reason code provided
  • 1011 – Authentication
    • Initiated by the STA after the probe phase
  • 1100 – Deauthentication
    • And end to an authentication
    • Reason code provided
  • 1101 – Action
    • Prompt for a specific action
  • 1110 – Action No ACK
    • And action frame requiring no ACK
  • 1111 -RESERVED

Control Frames

• Type 01
• Used to support the delivery of data, management, and extension frames
• Do not have a frame body
• Subtypes
  • 0100 – Beamforming Report poll
    • Solicits client to return information needed for beamforming
  • 0110 – Control Frame Extension
    • Used to increase the subtype space allowing additional variants
    • DMG type
    • Grant or Grant ACK
  • 0111 – Control Wrapper
    • Used to allow space for utilization of diverse HT functions
  • 1000 – BA REQ
    • Inform the block ACK is desired
    • Requests a block ACK for a group of transmissions being completed
    • No ack means a full retransmit
  • 1001 – BA
    • ACK for the BA
    • Only usable in later PHYs
  • 1010 – PS-Poll
    • Sent from STA to AP
    • Sent when STA wakes up and receives beacon frame
  • 1011 – RTS
    • Used to check if the medium is clear
  • 1100 – CTS
    • Reserves the medium for the STA to some degree
  • 1101 – ACK
    • Will follow every frame sent back and forth
  • 1110 – CF-END
    • Signals end of contention free period
    • PCF which is not used
  • 1111 – CF-END + CF-ACK
    • Signals the end and ACKs the last frame sent

Data Frames

• Type 10
• Combination of data and any extra actions
• Subtypes
  • 0000 – Data
    • Basic data frame
  • 0100 – Null Data
    • Carries no data
    • Primary usage is power save bit
  • 1000 – QoS Data
    • Carries QoS moarked frame data
    • 802.11e
    • Access catagories (ACs)
    • Wi-Fi Multimedia (WMM)

4.2.2 MAC Frame Format

General Frame Format

• MAC header that may include frame control, duration, addresses, optional sequence control, QoS control and HT control
• Variable length body, including frame subtype
• FCS

Frame Control Field

• 16 bits
• Fields
  • Protocol Version – always 0 and used in case of major IEEE revisions
  • Type and subtype – type is 2 bits and subtype is 4 bits
  • To/From DS – each 1 bit in size describe the path of the frame
    • To DS = 0, From DS = 0
      • From STA to STA
    • To DS = 1, From DS = 0
      • From a STA connected to an AP sent to the DS
    • To DS = 0, From DS = 1
      • Frame exiting the DS or being sent from an AP
    • To DS = 1, From DS = 1
      • Mesh system data
      • Indicative of a transmission between STAs in a mesh
  • More Fragments – single bit, used if there are more MSDUs
  • Retry – one bit indicating if the frame has been retransmitted
  • Power Management – 1 bit, indicates awake or sleeping
  • More Data – 1 bit, used to indicate the STA has more data in the buffer
  • Protected Frame – 1bit, set to 1 if body is encrypted
  • HTC order – 1 bit, used for marking QoS in HT or higher data rate

Address Fields

• 6 octets (48 bytes)
• Represent the MAC address
• Optionally up to 4 fields
• Only 1/4 must be present
• Only 46 bits used for the address
  • First bit used for individual or group such as broadcast/multicast
  • The second Universal or local,universally administered or locally
    • Universal is the burned in
    • Local is one set by the Admin
• Four address fields
  • SA – Source
  • TA – Transmitter
  • RA – Receiver
  • DA – Destination
• RA is the only field always used, it’s the immediate recipient
• DA is the final destination
• SA is the source of the data
• TA is the STA tranmitting the frame but not always the SA
• CTS frames will only have ADD1/RA
• Management will have RA,TA and the BSSID in slot 3
• Data frames will have RA,TA and depending on conditions the SA and DA or BSSID
• ADD1 = RA
• ADD2 = TA
• ADD3 = BSSID, SA, or DA
• ADD4 = BSSID or SA

Frame Check Sequence (FCS)

• An error checking field
• Mathematical calculation that includes all fields of the mac header and frame body
• When the frame is received the values are calculated and if not matching the frame is considered corrupt

4.2.3 802.11 Management Frame Formats

Information Elements

• Beacon Frame
  • Sent for each SSID
  • Beacon Interval – time between beacons, default is 102.4ms, roughly 10 times per second
  • Cabability Information – things like ESS vs IBSS, encryption type, if BA is available
  • SSID – name of the network
  • Supported Rates – data rates supported by the BSS
  • Extended supported rates – shows supported rates just an extended section due to new higher rates
  • Traffic Indication Map (TIM) – used to indicate the AID for STAs with frames buffered
  • Country – indicates the region
  • Robust security network information element RSN IE – indicates security used for group and individual communications
  • HT capabilities and HT information – used to indicate the features and capabilities of 802.11n
  • VHT capabilities and operation – 802.11ac features
  • Vendor specific (WME) – wireless multimedia extensions. Commonly QoS related

Authentication

• Most often only 2 frames are sent
• 4 way hand shake for psk

Association and Reassociation

• Association sent by STA to AP prior to the authentication phase
• More information about the STA than the AP
• Response reflects the actual settings of the BSS

4.2.4 Data and QoS Data Frame Formats

• The size of the frames tell you the capacity and performance
• CRC errors at the AP may show clients are not following DRS and may need a firmware update

4.2.5 802.11 Control Frame Formats

Acknowledgement

• Sent to inform STA that data was received
• Without the ACK the transmitter assumes the frame was lost

RTS/CTS

Block Acknowledgement and related frames

4.3

4.3.1 Country code

• Indicates the regulatory domain

4.3.2 Minimum basic rate

• Must share 1 basic rate

4.3.3 Supported rates

• Supported rate of the BSS

4.3.4 Beacon intervals

• Time between beacons

4.3.5 WMM settings

• AC_VO voice
• AC_VI video
• AC_BE Best effort
• AC_BK background

4.3.6 RSN settings

• Carries security options
• Should be 00-0f-ac-04 for CCMP

4.3.7 HT and VHT operations

4.3.8 Channel width

4.3.9 Primary channel

4.3.10 Hidden or non-broadcast SSIDs

4.4