- 4.1 Understand frame encapsulation and frame aggregation
- 4.2 Identify and use MAC information in captured data for analysis
- 4.3 Validate BSS configuration through protocol analysis
- 4.4 Identify and analyze CRC error frames and retransmitted frames
4.1
Frame Encapsulation – The process of enclosing upper-layer information into the current layer delivery format
- Service Data Unit (SDU) – the amount of information whose identity is preserved when transferred
- Protocol Data Unit (PDU) – a unit of data specified in a protocol, consisting of protocol control information (header/trailer) plus the user data (the SDU)
- Each layer has its own SDU and PDU
LLC sublayer takes the LSDU coming from the upper layer and encapsulates it into an LPDU to hand off to the MAC sublayer
MAC sublayer receives the LPDU as its MSDU and encapsulates it by adding the MAC header and FCS, creating an MPDU that is handed to the PLCP sublayer
PLCP sublayer receives the MPDU as its PSDU and encapsulates it by adding the PHY header (preamble plus PLCP header) to create a PPDU, which is handed to the PMD sublayer for transmission
LPDU -> MSDU -> MAC Header + FCS -> MPDU -> PSDU -> PHY Header -> PPDU -> PMD
MAC Header + MSDU (LPDU) + FCS = MPDU/PSDU
PHY Header + MPDU = PPDU
PPDUs carry an MPDU (the PSDU) in every case except null data packets (NDPs, used for VHT beamforming sounding), which consist of the PHY preamble only
MPDUs do not always contain upper-layer info such as a beacon frame since it originates at layer 2
Frame Aggregation – process of combining multiple MSDUs or multiple MPDUs into a single PPDU, so one PHY preamble, one backoff and one (block) acknowledgement cover several frames
First supported in 802.11n
A-MSDU combines multiple MSDUs (for example several IP packets) into a single MPDU
- One MAC header and one FCS for the whole aggregate; all subframes must be addressed to the same receiver and belong to the same traffic class (TID)
- A single bit error fails the one FCS, so every MSDU in the aggregate is lost and retransmitted together
A-MPDU combines multiple MPDUs into a single PPDU
- Each subframe keeps its own MAC header and FCS; the aggregate shares one PHY preamble, and a Block ACK reports which subframes arrived so only those are retransmitted
802.11n maximum sizes: A-MSDU 7,935 bytes, A-MPDU 65,535 bytes (64 KB)
802.11ac maximum sizes: A-MSDU 11,454 bytes, A-MPDU 1,048,575 bytes (1 MB)
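Added example (not from the original notes): the two aggregation formats built and taken apart in Python, to make the "one header and FCS" versus "one header and FCS per subframe" difference concrete. The MSDUs and MAC addresses are constructed sample data; the A-MPDU delimiter uses the 802.11n layout (12-bit length, CRC-8, signature 0x4E), and the CRC-8 initial value and final complement are my reading of the standard (an assumption; builder and parser agree with each other either way).

```python
import struct
import zlib

# Constructed sample MSDUs (think: three IP packets) and made-up addresses; not captured traffic.
MSDUS = [b"packet-one", b"packet-two-longer", b"pkt3"]
DA = bytes.fromhex("021122334455")      # client
SA = bytes.fromhex("00dd00dd00dd")      # host behind the DS
BSSID = bytes.fromhex("00aabbccdd01")   # AP radio
QOS_HDR_LEN = 26                        # FC, Duration, A1-A3, SeqCtl, QoS Control

def fcs(mpdu_no_fcs: bytes) -> bytes:
    """802.11 FCS: CRC-32 (Ethernet polynomial) over header + body, transmitted LSB first."""
    return struct.pack("<I", zlib.crc32(mpdu_no_fcs) & 0xFFFFFFFF)

def qos_header(amsdu: bool) -> bytes:
    """QoS Data header (type 10, subtype 1000), From DS=1: A1=DA, A2=BSSID, A3=SA.
    Bit 7 of QoS Control is the A-MSDU Present flag."""
    frame_control = 0x0088 | 0x0200                   # subtype 8, type 2, From DS
    return struct.pack("<HH6s6s6sHH", frame_control, 0, DA, BSSID, SA, 0, 0x0080 if amsdu else 0)

def build_amsdu(msdus) -> bytes:
    """One MAC header + subframes (DA, SA, big-endian length, MSDU, pad to 4) + one FCS."""
    body = b""
    for i, msdu in enumerate(msdus):
        sub = DA + SA + struct.pack(">H", len(msdu)) + msdu
        if i < len(msdus) - 1:
            sub += bytes(-len(sub) % 4)               # last subframe is not padded
        body += sub
    mpdu = qos_header(amsdu=True) + body
    return mpdu + fcs(mpdu)

def split_amsdu(mpdu: bytes):
    """Return the MSDUs, or None when the single FCS fails: every MSDU is then lost together."""
    if fcs(mpdu[:-4]) != mpdu[-4:]:
        return None
    body, off, out = mpdu[QOS_HDR_LEN:-4], 0, []
    while off + 14 <= len(body):
        length = struct.unpack_from(">H", body, off + 12)[0]
        out.append(body[off + 14:off + 14 + length])
        off += 14 + length + (-(14 + length) % 4)
    return out

def crc8(data: bytes) -> int:
    """CRC-8 for the MPDU delimiter, polynomial x^8+x^2+x+1. Init 0xFF and the final complement
    are our reading of the standard (assumption); builder and parser agree either way."""
    crc = 0xFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0xFF

def build_ampdu(msdus) -> bytes:
    """Each MPDU keeps its own header and FCS; an 802.11n delimiter (4 reserved bits, 12-bit length,
    CRC-8, signature 'N') precedes each one, and every subframe is padded to a 4-byte boundary."""
    psdu = b""
    for msdu in msdus:
        mpdu = qos_header(amsdu=False) + msdu
        mpdu += fcs(mpdu)
        first16 = struct.pack("<H", len(mpdu) << 4)
        sub = first16 + bytes([crc8(first16), 0x4E]) + mpdu
        psdu += sub + bytes(-len(sub) % 4)
    return psdu

def split_ampdu(psdu: bytes):
    """Walk the delimiters; return (mpdu, fcs_ok) per subframe, skipping 4 bytes on a bad delimiter."""
    out, off = [], 0
    while off + 4 <= len(psdu):
        first16, crc, sig = psdu[off:off + 2], psdu[off + 2], psdu[off + 3]
        length = struct.unpack("<H", first16)[0] >> 4
        if sig != 0x4E or crc8(first16) != crc or length == 0:
            off += 4                                  # resync: delimiters are 4-byte aligned
            continue
        mpdu = psdu[off + 4:off + 4 + length]
        out.append((mpdu, fcs(mpdu[:-4]) == mpdu[-4:]))
        off += 4 + length + (-length % 4)
    return out

def survivors_after_bit_flip(msdus):
    """Flip one bit inside the second MSDU of each aggregate; count MSDUs still delivered."""
    amsdu, ampdu = bytearray(build_amsdu(msdus)), bytearray(build_ampdu(msdus))
    for agg in (amsdu, ampdu):
        agg[agg.find(msdus[1])] ^= 0x01
    got = split_amsdu(bytes(amsdu))
    return (0 if got is None else len(got), sum(ok for _, ok in split_ampdu(bytes(ampdu))))

def overhead_bytes(msdus):
    """Bytes on top of the payload for each aggregation type (PHY preamble excluded)."""
    payload = sum(map(len, msdus))
    return len(build_amsdu(msdus)) - payload, len(build_ampdu(msdus)) - payload

if __name__ == "__main__":
    print("A-MSDU/A-MPDU overhead:", overhead_bytes(MSDUS))
    print("MSDUs delivered after one bit flip (A-MSDU, A-MPDU):", survivors_after_bit_flip(MSDUS))
```

The A-MSDU is smaller on the air (73 bytes of overhead for the three sample MSDUs versus 105 for the A-MPDU) but one corrupted bit loses all three MSDUs, whereas the A-MPDU loses only the damaged subframe and the Block ACK lets the sender retransmit just that one.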
4.2
4.2.1 Management, control, and data frames
Management Frames
- Type 00
- Manage the BSS: discovery, joining and leaving; they carry no user data
- 14 defined subtypes (0111 and 1111 are reserved)
- 0000 – Association Request
- Around 24 fields, most describing the STA's capabilities (supported rates, RSN, HT/VHT capabilities, listen interval) so the AP can decide whether to admit it
- 0001 – Association Response
- Up to 31 fields, reflecting the actual capabilities and settings of the BSS
- Status Code field indicates success or failure
- Failure carries a status code giving the reason
- Success carries the Association ID (AID)
- 0010 – Reassociation Request
- Used in case of roaming
- Contains SRC and DST AP info
- 0011 – Reassociation Response
- Response from the DST AP when roaming
- 0100 – Probe Request
- Sent when client is requesting information
- Primary tool of active scanning
- Sent exclusively by the client
- 0101 – Probe Response
- Response of the AP to a probe request
- 0110 – Timing Advertisement
- Product of 802.11p
- Time sync
- 0111 – RESERVED
- 1000 – Beacon
- Like an unsolicited probe response
- Advertises the characteristics of the BSS
- 1001 – ATIM
- Announcement Traffic Indication Message, used in an IBSS (no AP); tells a sleeping STA that the sender has frames buffered for it
- 1010 – Disassociation
- An end to an association
- Reason code provided
- 1011 – Authentication
- Initiated by the STA after the probe phase
- 1100 – Deauthentication
- An end to an authentication (which also ends any association)
- Reason code provided
- 1101 – Action
- Prompt for a specific action (for example Block ACK setup, spectrum management, radio measurement)
- 1110 – Action No ACK
- An action frame requiring no ACK
- 1111 – RESERVED
Control Frames
- Type 01
- Used to support the delivery of data, management, and extension frames
- Do not have a frame body
- Subtypes
- 0100 – Beamforming Report poll
- Solicits client to return information needed for beamforming
- 0110 – Control Frame Extension
- Used to increase the subtype space allowing additional variants
- DMG type
- Grant or Grant ACK
- 0111 – Control Wrapper
- Carries another control frame together with an HT Control field, so HT link-adaptation information can ride on control frames that have no room for it
- 1000 – BAR (Block ACK Request)
- Asks the receiver to report which MPDUs of a block were received
- Sent after a burst of MPDUs (or an A-MPDU) that were transmitted without individual ACKs
- If no BA comes back the originator has no per-MPDU feedback, so it retries the BAR and, failing that, the outstanding MPDUs
- 1001 – BA (Block ACK)
- Acknowledges a whole block with a bitmap, one bit per MPDU (or fragment); MPDUs whose bit is 0 are retransmitted individually
- Introduced with 802.11e and required for A-MPDU, so in practice seen on 802.11n and later PHYs
- 1010 – PS-Poll
- Sent from STA to AP
- Sent when a dozing STA wakes, sees its AID set in the beacon's TIM, and wants the AP to deliver one buffered frame
- 1011 – RTS
- Reserves the medium: its Duration field sets the NAV of every STA that hears it for the rest of the exchange (RTS + CTS + data + ACK)
- 1100 – CTS
- Response that reserves the medium for the RTS sender; also sent as CTS-to-self (RA = own address) to protect HT/VHT transmissions from legacy STAs
- 1101 – ACK
- Follows every unicast frame that requires acknowledgement; broadcast/multicast frames are not ACKed, and A-MPDUs use Block ACK instead
- 1110 – CF-END
- Signals the end of a contention-free period
- Part of PCF, which is not implemented in practice
- 1111 – CF-END + CF-ACK
- Signals the end of the contention-free period and ACKs the last frame received
Data Frames
- Type 10
- Carry upper-layer data (MSDUs) and, depending on subtype, piggy-backed QoS or power-management information
- Subtypes
- 0000 – Data
- Basic data frame
- 0100 – Null Data
- Carries no MSDU
- Primary usage is signalling a change of the Power Management bit (also used as a keep-alive)
- 1000 – QoS Data
- Carries data marked with a QoS Control field (TID and access category)
- 802.11e
- Access categories (ACs)
- Wi-Fi Multimedia (WMM)
4.2.2 MAC Frame Format
General Frame Format
- MAC header: Frame Control, Duration/ID, up to four Address fields, Sequence Control, and (in QoS and HT frames) QoS Control and HT Control
- Variable-length frame body whose contents depend on the frame type and subtype (control frames have none)
- FCS
Frame Control Field
- 16 bits
- Fields
- Protocol Version – always 0 and used in case of major IEEE revisions
- Type and subtype – type is 2 bits and subtype is 4 bits
- To DS / From DS – 1 bit each; describe the path of the frame relative to the distribution system (DS) and determine what the address fields mean
- To DS = 0, From DS = 0
- STA to STA directly (IBSS), and all management frames
- To DS = 1, From DS = 0
- From a STA to its AP, headed into the DS
- To DS = 0, From DS = 1
- From the AP (exiting the DS) to a STA
- To DS = 1, From DS = 1
- Frame travels between two APs or mesh STAs over the wireless medium (WDS, mesh); uses all four address fields
- More Fragments – 1 bit, set when more fragments of the same MSDU or MMPDU follow
- Retry – 1 bit, set when the frame is a retransmission of an earlier frame (duplicate detection uses it together with Sequence Control)
- Power Management – 1 bit, states the mode the STA will be in after the current exchange (1 = doze/power save, 0 = awake)
- More Data – 1 bit, tells a power-save STA that the AP has more frames buffered for it
- Protected Frame – 1 bit, set to 1 if the body is encrypted (WEP/TKIP/CCMP/GCMP)
- Order / +HTC – 1 bit; in a non-QoS data frame it means strictly ordered service, in QoS data and management frames it means an HT Control field is present in the header
Address Fields
- 6 octets (48 bits) each
- Represent MAC addresses
- Up to 4 address fields, depending on frame type and the To/From DS bits
- Only Address 1 is present in every frame
- 46 bits carry the actual address; the first two transmitted bits are flags
- First bit: Individual/Group – 0 = unicast, 1 = group (broadcast/multicast)
- Second bit: Universal/Local – 0 = universally administered, 1 = locally administered
- Universal is the burned-in address from the vendor's OUI
- Local is set by software or the admin (for example MAC randomization, virtual BSSIDs)
- Four address roles
- SA – Source: the STA that originated the frame
- TA – Transmitter: the STA that put this frame on the air, not always the SA (an AP relaying a frame from the DS is TA but not SA)
- RA – Receiver: the immediate recipient; the only role present in every frame
- DA – Destination: the final destination
- CTS and ACK frames carry only Address 1 (RA)
- Management frames carry Address 1 = RA/DA, Address 2 = TA/SA and the BSSID in Address 3
- Data frames carry RA and TA and, depending on To/From DS, the SA, DA and BSSID in the remaining slots
- ADD1 = RA (the DA or the BSSID, depending on direction)
- ADD2 = TA (the SA or the BSSID)
- ADD3 = BSSID, SA, or DA, whichever is not already in ADD1/ADD2
- ADD4 = SA, present only when To DS = 1 and From DS = 1 (WDS/mesh)
- To DS = 0, From DS = 0: ADD1 = DA, ADD2 = SA, ADD3 = BSSID
- To DS = 1, From DS = 0: ADD1 = BSSID, ADD2 = SA, ADD3 = DA
- To DS = 0, From DS = 1: ADD1 = DA, ADD2 = BSSID, ADD3 = SA
- To DS = 1, From DS = 1: ADD1 = RA, ADD2 = TA, ADD3 = DA, ADD4 = SA
Frame Check Sequence (FCS)
- An error-checking field
- 32-bit CRC computed over all fields of the MAC header and the frame body (it does not protect the PHY header)
- The receiver recalculates the CRC; on a mismatch the frame is treated as corrupt, discarded and not ACKed, so the transmitter retries with the Retry bit set
4.2.3 802.11 Management Frame Formats
Information Elements
- Beacon Frame
- Sent by every BSS (one per BSSID); an AP with several SSIDs on a radio sends a separate beacon per BSSID
- Beacon Interval – time between beacons in TUs (1 TU = 1,024 µs); default 100 TU = 102.4 ms, roughly 10 per second
- Capability Information – bit field: ESS vs IBSS, Privacy (encryption in use), short preamble, short slot time, delayed/immediate Block ACK support
- SSID – name of the network (length 0, or all NUL bytes, when the SSID is hidden)
- Supported Rates – up to 8 data rates supported by the BSS; a rate with its high bit set is a basic (mandatory) rate
- Extended Supported Rates – continues the list when more than 8 rates are offered
- Traffic Indication Map (TIM) – DTIM count/period plus a bitmap of AIDs for which the AP has buffered frames
- Country – regulatory region, plus the allowed channels and maximum transmit power
- Robust Security Network information element (RSN IE) – group (broadcast/multicast) cipher, pairwise cipher suite(s) and AKM suite(s), i.e. the security the BSS actually offers
- HT Capabilities and HT Operation – 802.11n features; HT Operation carries the primary channel and the secondary channel offset
- VHT Capabilities and VHT Operation – 802.11ac features; VHT Operation carries the channel width and centre frequency segments
- Vendor Specific (WMM/WME) – Wi-Fi Multimedia parameters (Microsoft OUI 00:50:F2, type 2); commonly QoS access-category settings
Authentication
- Most often Open System authentication: only 2 frames (request and response) with no real credential check
- With WPA2-PSK the keys are proven later, in the EAPOL 4-way handshake that follows association (those are data frames, not authentication frames)
Association and Reassociation
- Association Request is sent by the STA to the AP after the authentication phase, never before it
- Carries more information about the STA than about the AP
- The Response reflects the actual settings of the BSS
4.2.4 Data and QoS Data Frame Formats
- Frame sizes (and the MSDU or A-MSDU sizes inside them) show what kind of traffic is flowing and how efficiently the medium is used; small frames pay proportionally more overhead (preamble, header, IFS, ACK)
- CRC (FCS) errors seen at the AP for one client, together with a high Retry-bit rate, suggest the client is transmitting at data rates the link cannot sustain (poor dynamic rate switching, DRS); a client driver/firmware update is a common fix
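Added example (not from the original notes): a small Python decoder for the MAC header described in 4.2.2, which resolves DA/SA/BSSID from the To DS/From DS bits, checks the FCS, and then uses the Retry bit and FCS results to produce the per-transmitter retry and CRC-error counts discussed above. The frames and MAC addresses are constructed sample data, not a real capture.

```python
import struct
import zlib

TYPE_NAMES = {0: "mgmt", 1: "ctrl", 2: "data", 3: "ext"}

def fcs_ok(frame: bytes) -> bool:
    """802.11 FCS is CRC-32 (Ethernet polynomial) over header + body, transmitted LSB first."""
    return struct.pack("<I", zlib.crc32(frame[:-4]) & 0xFFFFFFFF) == frame[-4:]

def mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)

def parse_header(frame: bytes) -> dict:
    """Decode Frame Control, then map Address 1-4 onto RA/TA/DA/SA/BSSID using To DS / From DS."""
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    h = {"type": TYPE_NAMES[ftype], "subtype": subtype, "to_ds": to_ds, "from_ds": from_ds,
         "more_frag": bool(flags & 0x04), "retry": bool(flags & 0x08), "pwr_mgt": bool(flags & 0x10),
         "more_data": bool(flags & 0x20), "protected": bool(flags & 0x40), "order": bool(flags & 0x80),
         "duration": duration, "ra": mac(frame[4:10])}
    if ftype == 1 and subtype in (0xC, 0xD):          # CTS and ACK carry Address 1 (RA) only
        return h
    h["ta"] = mac(frame[10:16])
    if ftype == 1:                                     # RTS, BAR, BA, PS-Poll, ...: RA + TA only
        return h
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    seq_ctl, = struct.unpack_from("<H", frame, 22)
    h["frag"], h["seq"] = seq_ctl & 0xF, seq_ctl >> 4
    if not to_ds and not from_ds:                      # management frames, IBSS data
        h.update(da=mac(a1), sa=mac(a2), bssid=mac(a3))
    elif to_ds and not from_ds:                        # STA -> AP, into the DS
        h.update(bssid=mac(a1), sa=mac(a2), da=mac(a3))
    elif from_ds and not to_ds:                        # AP -> STA, out of the DS
        h.update(da=mac(a1), bssid=mac(a2), sa=mac(a3))
    else:                                              # WDS / mesh: Address 4 follows Sequence Control
        h.update(da=mac(a3), sa=mac(frame[24:30]))
    return h

def link_stats(frames) -> dict:
    """Retry rate per transmitter plus the FCS-error count. A frame that fails its FCS has an
    untrustworthy header, so it only goes into the error bucket and is not attributed to a TA."""
    out = {"fcs_errors": 0, "by_ta": {}}
    for f in frames:
        if not fcs_ok(f):
            out["fcs_errors"] += 1
            continue
        h = parse_header(f)
        if "ta" not in h:                              # ACK/CTS: no transmitter address
            continue
        s = out["by_ta"].setdefault(h["ta"], {"frames": 0, "retries": 0})
        s["frames"] += 1
        s["retries"] += h["retry"]
    for s in out["by_ta"].values():
        s["retry_rate"] = s["retries"] / s["frames"]
    return out

# --- Constructed sample capture (not real traffic); the addresses are made up. ---
STA, AP, AP2, HOST = (bytes.fromhex(x) for x in ("021122334455", "00aabbccdd01", "00aabbccdd02", "00dd00dd00dd"))

def data_frame(to_ds, from_ds, a1, a2, a3, body, retry=False, a4=b"", seq=0):
    fc = (2 << 2) | ((to_ds | from_ds << 1 | retry << 3) << 8)   # type=data, subtype 0, flag byte
    frame = struct.pack("<HH6s6s6sH", fc, 44, a1, a2, a3, seq << 4) + a4 + body
    return frame + struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)

def cts_frame(ra, duration=120):
    frame = struct.pack("<HH6s", (1 << 2) | (0xC << 4), duration, ra)   # type=ctrl, subtype 1100
    return frame + struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)

UPLINK = data_frame(1, 0, AP, STA, HOST, b"ping", seq=7)
UPLINK_RETRY = data_frame(1, 0, AP, STA, HOST, b"ping", retry=True, seq=7)   # same seq, Retry=1
DOWNLINK = data_frame(0, 1, STA, AP, HOST, b"pong", seq=3)
CORRUPT = DOWNLINK[:25] + bytes([DOWNLINK[25] ^ 0x40]) + DOWNLINK[26:]        # one flipped body bit
WDS = data_frame(1, 1, AP2, AP, HOST, b"relay", a4=STA, seq=9)
FRAMES = [UPLINK, UPLINK_RETRY, DOWNLINK, CORRUPT, cts_frame(STA), WDS]

if __name__ == "__main__":
    for f in FRAMES:
        print(fcs_ok(f), parse_header(f))
    print(link_stats(FRAMES))
```

Run it and the STA shows a 50 % retry rate (the same sequence number sent twice, second time with Retry set) while the one FCS failure is reported separately, since a frame whose CRC failed cannot be trusted to name its own transmitter.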
4.2.5 802.11 Control Frame Formats
Acknowledgement
- Sent to inform STA that data was received
- Without the ACK the transmitter assumes the frame was lost
RTS/CTS
Block Acknowledgement and related frames
4.3
4.3.1 Country code
- Country IE indicates the regulatory domain; verify it matches where the AP is deployed, since it decides the allowed channels and transmit power
4.3.2 Minimum basic rate
- Basic (mandatory) rates are flagged with the high bit in the Supported Rates IE; a STA must support every basic rate to associate, and the lowest basic rate is the rate beacons and other broadcast/multicast frames are sent at
- Raising the lowest basic rate (for example disabling 1 and 2 Mbps) cuts beacon airtime and keeps distant, low-rate clients from associating
4.3.3 Supported rates
- Non-basic rates the BSS allows for unicast data; a STA need not support all of them
4.3.4 Beacon intervals
- Time between beacons, in TUs; check the captured value against the configured one
4.3.5 WMM settings
- AC_VO voice
- AC_VI video
- AC_BE best effort
- AC_BK background
- The WMM parameter element carries CWmin/CWmax/AIFSN/TXOP per AC; check they match the design
4.3.6 RSN settings
- Carries the security options actually offered: group cipher, pairwise cipher(s), AKM(s)
- Cipher suite selectors are OUI 00-0F-AC plus a type: 04 = CCMP-128 (expected), 02 = TKIP (deprecated, should not appear), 01/05 = WEP-40/WEP-104
- AKM suite selectors: 00-0F-AC-01 = 802.1X, 00-0F-AC-02 = PSK
4.3.7 HT and VHT operations
- HT Operation and VHT Operation IEs state how the BSS is actually operating, as opposed to the Capabilities IEs, which list what is supported
4.3.8 Channel width
- 20/40 MHz from HT Operation (secondary channel offset and STA channel width bit), 80/160 MHz from VHT Operation (channel width and centre frequency segment fields)
4.3.9 Primary channel
- Primary Channel field of the HT Operation IE (DS Parameter Set for non-HT); should match the channel the beacon was captured on
4.3.10 Hidden or non-broadcast SSIDs
- The beacon's SSID IE has length 0 or is filled with NUL bytes; the SSID still appears in clear text in probe requests, probe responses and association requests, so hiding it is not a security control
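Added example (not from the original notes) covering the beacon information elements of 4.2.3 and the BSS validation checks of 4.3: a Python beacon-body parser that pulls out the SSID, beacon interval, country, basic rates, primary channel, channel width and the RSN suites, then compares them with the intended configuration. Element IDs and suite selectors are the ones defined in IEEE 802.11; the two beacon bodies are constructed sample data (one well configured, one deliberately weak), not captures.

```python
import struct

# Element IDs and RSN suite selectors (OUI 00-0F-AC + type) as defined in IEEE 802.11.
SSID, RATES, DS_PARAM, COUNTRY, RSN, EXT_RATES, HT_OPER, VHT_OPER = 0, 1, 3, 7, 48, 50, 61, 192
OUI = bytes.fromhex("000fac")
CIPHER = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKM = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 8: "SAE"}
STRONG = {"CCMP-128", "CCMP-256", "GCMP-128", "GCMP-256"}

def parse_ies(tagged: bytes) -> dict:
    """Split the tagged parameters into {element_id: [body, ...]}; IDs may repeat (Vendor Specific)."""
    ies, off = {}, 0
    while off + 2 <= len(tagged):
        eid, ln = tagged[off], tagged[off + 1]
        ies.setdefault(eid, []).append(tagged[off + 2:off + 2 + ln])
        off += 2 + ln
    return ies

def parse_rsn(body: bytes) -> dict:
    """RSN IE: version, group cipher, pairwise cipher list, AKM list (RSN Capabilities not decoded)."""
    def suites(off, table):
        n, = struct.unpack_from("<H", body, off)
        names = []
        for i in range(n):
            sel = body[off + 2 + 4 * i:off + 6 + 4 * i]
            names.append(table.get(sel[3], "?") if sel[:3] == OUI else sel.hex())
        return names, off + 2 + 4 * n
    version, = struct.unpack_from("<H", body, 0)
    group = CIPHER.get(body[5], "?") if body[2:5] == OUI else body[2:6].hex()
    pairwise, off = suites(6, CIPHER)
    akms, _ = suites(off, AKM)
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akms}

def channel_width(ies: dict) -> str:
    """20/40 MHz from HT Operation (secondary offset + STA channel width bit), 80+ from VHT Operation."""
    ht, vht = ies.get(HT_OPER, [None])[0], ies.get(VHT_OPER, [None])[0]
    if vht and vht[0] == 1:                       # width 1: 80 MHz, or 160/80+80 when segment 1 is set
        return "80" if vht[2] == 0 else "160/80+80"
    if ht and (ht[1] & 0x03) in (1, 3) and ht[1] & 0x04:
        return "40"
    return "20"

def beacon_summary(body: bytes) -> dict:
    """body = beacon frame body: Timestamp, Beacon Interval, Capability, then the tagged IEs."""
    _, interval_tu, cap = struct.unpack_from("<QHH", body, 0)
    ies = parse_ies(body[12:])
    ssid = ies.get(SSID, [b""])[0]
    rates = ies.get(RATES, [b""])[0] + ies.get(EXT_RATES, [b""])[0]
    return {
        "ssid": ssid.decode(errors="replace") if ssid.strip(b"\x00") else None,   # None = hidden
        "beacon_interval_tu": interval_tu,                                        # 1 TU = 1024 us
        "privacy": bool(cap & 0x0010),                                            # Capability bit 4
        "country": ies[COUNTRY][0][:2].decode() if COUNTRY in ies else None,
        "channel": ies[HT_OPER][0][0] if HT_OPER in ies else (ies[DS_PARAM][0][0] if DS_PARAM in ies else None),
        "width_mhz": channel_width(ies),
        "basic_rates_mbps": sorted((r & 0x7F) / 2 for r in rates if r & 0x80),    # high bit = basic rate
        "rsn": parse_rsn(ies[RSN][0]) if RSN in ies else None,
    }

def validate(summary: dict, expected_country: str, expected_channel: int) -> list:
    """Compare what the beacon advertises with the intended BSS configuration; return findings."""
    p = []
    if summary["ssid"] is None:
        p.append("hidden SSID (still sent in clear in probe/association frames)")
    if summary["beacon_interval_tu"] != 100:
        p.append("beacon interval %d TU, expected 100" % summary["beacon_interval_tu"])
    if summary["country"] != expected_country:
        p.append("country %s, expected %s" % (summary["country"], expected_country))
    if summary["channel"] != expected_channel:
        p.append("primary channel %s, expected %s" % (summary["channel"], expected_channel))
    if summary["rsn"] is None:
        p.append("no RSN IE: open, WEP or WPA1-only BSS")
    else:
        weak = sorted({c for c in [summary["rsn"]["group"], *summary["rsn"]["pairwise"]] if c not in STRONG})
        if weak:
            p.append("weak cipher suite(s) offered: " + ", ".join(weak))
    return p

def ie(eid: int, value: bytes) -> bytes: return bytes([eid, len(value)]) + value

def rsn_ie(group: int, pairwise, akms) -> bytes:
    b = struct.pack("<H", 1) + OUI + bytes([group])
    b += struct.pack("<H", len(pairwise)) + b"".join(OUI + bytes([c]) for c in pairwise)
    b += struct.pack("<H", len(akms)) + b"".join(OUI + bytes([a]) for a in akms)
    return b + struct.pack("<H", 0)                                              # RSN Capabilities

# Constructed beacon bodies (not captured traffic). Capability 0x0411 = ESS + Privacy + short slot.
GOOD_BEACON = struct.pack("<QHH", 0x1000, 100, 0x0411) + b"".join([
    ie(SSID, b"corp-wlan"),
    ie(RATES, bytes([0x8C, 0x12, 0x98, 0x24, 0xB0, 0x48, 0x60, 0x6C])),          # 6/12/24 basic
    ie(COUNTRY, b"US " + bytes([36, 4, 23])),
    ie(RSN, rsn_ie(4, [4], [2])),                                                # CCMP/CCMP, PSK
    ie(HT_OPER, bytes([36, 0x05]) + bytes(20)),                                  # primary 36, secondary above
    ie(VHT_OPER, bytes([1, 42, 0, 0xFF, 0xFF])),                                 # 80 MHz centred on 42
])
WEAK_BEACON = struct.pack("<QHH", 0x2000, 300, 0x0411) + b"".join([
    ie(SSID, bytes(9)),                                                          # hidden: 9 NUL bytes
    ie(RATES, bytes([0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24])),          # 1/2/5.5/11 basic
    ie(DS_PARAM, bytes([6])),
    ie(COUNTRY, b"JP " + bytes([1, 13, 20])),
    ie(RSN, rsn_ie(2, [4, 2], [2])),                                             # TKIP group, CCMP+TKIP
])

if __name__ == "__main__":
    for name, body in (("good", GOOD_BEACON), ("weak", WEAK_BEACON)):
        s = beacon_summary(body)
        print(name, s, validate(s, "US", 36))
```

To use it on a real capture, feed `beacon_summary` the bytes after the 24-byte management header and before the FCS of each beacon; the weak sample trips five findings (hidden SSID, 300 TU interval, wrong country and channel, TKIP offered) while the good one returns an empty list.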