CWAP – MAC Sublayer and Functions

4.1

Frame Encapsulation – The process of enclosing upper-layer information into the current layer delivery format

  • Service Data Unit (SDU) – the amount of information whose identity is preserved when transferred
  • Protocol Data Unit (PDU) – a unit of data specified in a protocol and consisting of protocol control information and user data
  • Each layer has its own SDU and PDU

The LLC sublayer receives an LSDU from the upper layer and encapsulates it into an LPDU, which it hands off to the MAC sublayer

The MAC sublayer takes the LPDU as its MSDU and encapsulates it by adding the MAC header and FCS, creating an MPDU that it hands off to the PLCP sublayer

The PLCP sublayer takes the MPDU in as its PSDU and encapsulates it by adding the PHY header, creating a PPDU that it hands off to the PMD sublayer

LPDU -> MSDU -> MAC Header + FCS -> MPDU -> PSDU -> PHY Header -> PPDU -> PMD

MAC Header + MSDU (LPDU) + FCS = MPDU/PSDU

PHY Header + MPDU = PPDU

PPDUs contain MPDUs in every case

MPDUs do not always contain upper-layer info; a beacon frame, for example, originates at layer 2

Frame Aggregation – process of combining multiple MSDUs and MPDUs into a single PPDU

First supported in 802.11n

A-MSDU combines multiple MSDUs into a single MPDU, contains multiple IP packets

A-MPDU combines multiple MPDUs into a single PPDU, uses one MAC header and FCS

802.11n max size of 64kB

802.11ac max size of 1MB

4.2

4.2.1 Management, control, and data frames

Management Frames

  • Type 00
  • Manage the medium
  • 14 types
    • 0000 – Association Request
      • 24 fields most of which contain BSS capabilities
    • 0001 – Association Response
      • Up to 31 fields also contains BSS info
      • Response field to indicate success or fail
      • Fail will contain reason
      • Success will contain the AID
    • 0010 – Reassociation Request
      • Used in case of roaming
      • Contains SRC and DST AP info
    • 0011 – Reassociation Response
      • Response from the DST AP when roaming
    • 0100 – Probe Request
      • Sent when client is requesting information
      • Primary tool of active scanning
      • Sent exclusively by the client
    • 0101 – Probe Response
      • Response of the AP to a probe request
    • 0110 – Timing Advertisement
      • Product of 802.11p
      • Time sync
    • 0111 – RESERVED
    • 1000 – Beacon
      • Like an unsolicited probe response
      • Display the characteristics of the BSS
    • 1001 – ATIM
      • Tells the STA when it has frames for it while sleeping
    • 1010 – Disassociation
      • An end to an association
      • Reason code provided
    • 1011 – Authentication
      • Initiated by the STA after the probe phase
    • 1100 – Deauthentication
      • An end to an authentication
      • Reason code provided
    • 1101 – Action
      • Prompt for a specific action
    • 1110 – Action No ACK
      • An action frame requiring no ACK
    • 1111 – RESERVED

Control Frames

  • Type 01
  • Used to support the delivery of data, management, and extension frames
  • Do not have a frame body
  • Subtypes
    • 0100 – Beamforming Report poll
      • Solicits client to return information needed for beamforming
    • 0110 – Control Frame Extension
      • Used to increase the subtype space allowing additional variants
      • DMG type
      • Grant or Grant ACK
    • 0111 – Control Wrapper
      • Used to allow space for utilization of diverse HT functions
    • 1000 – BA REQ
      • Informs the receiver that a block ACK is desired
      • Requests a block ACK for a group of transmissions being completed
      • No ACK means a full retransmit
    • 1001 – BA
      • ACK for the BA
      • Only usable in later PHYs
    • 1010 – PS-Poll
      • Sent from STA to AP
      • Sent when STA wakes up and receives beacon frame
    • 1011 – RTS
      • Used to check if the medium is clear
    • 1100 – CTS
      • Reserves the medium for the STA to some degree
    • 1101 – ACK
      • Will follow every frame sent back and forth
    • 1110 – CF-END
      • Signals end of contention free period
      • PCF which is not used
    • 1111 – CF-END + CF-ACK
      • Signals the end and ACKs the last frame sent

Data Frames

  • Type 10
  • Combination of data and any extra actions
  • Subtypes
    • 0000 – Data
      • Basic data frame
    • 0100 – Null Data
      • Carries no data
      • Primary usage is power save bit
    • 1000 – QoS Data
      • Carries QoS marked frame data
      • 802.11e
      • Access categories (ACs)
      • Wi-Fi Multimedia (WMM)

4.2.2 MAC Frame Format

General Frame Format

  • MAC header that may include frame control, duration, addresses, optional sequence control, QoS control and HT control
  • Variable length body, including frame subtype
  • FCS

Frame Control Field

  • 16 bits
  • Fields
    • Protocol Version – always 0 and used in case of major IEEE revisions
    • Type and subtype – type is 2 bits and subtype is 4 bits
    • To/From DS – each 1 bit in size; together they describe the path of the frame
      • To DS = 0, From DS = 0
        • From STA to STA
      • To DS = 1, From DS = 0
        • From a STA connected to an AP sent to the DS
      • To DS = 0, From DS = 1
        • Frame exiting the DS or being sent from an AP
      • To DS = 1, From DS = 1
        • Mesh system data
        • Indicative of a transmission between STAs in a mesh
    • More Fragments – single bit, used if there are more MSDUs
    • Retry – one bit indicating if the frame has been retransmitted
    • Power Management – 1 bit, indicates awake or sleeping
    • More Data – 1 bit, used to indicate the STA has more data in the buffer
    • Protected Frame – 1 bit, set to 1 if body is encrypted
    • HTC order – 1 bit, used for marking QoS in HT or higher data rate

Address Fields

  • 6 octets (48 bytes)
  • Represent the MAC address
  • Optionally up to 4 fields
  • Only 1/4 must be present
  • Only 46 bits used for the address
    • First bit used for individual or group such as broadcast/multicast
    • The second bit marks the address as universal or local (universally or locally administered)
      • Universal is the burned in
      • Local is one set by the Admin
  • Four address fields
    • SA – Source
    • TA – Transmitter
    • RA – Receiver
    • DA – Destination
  • RA is the only field always used, it’s the immediate recipient
  • DA is the final destination
  • SA is the source of the data
  • TA is the STA transmitting the frame but not always the SA
  • CTS frames will only have ADD1/RA
  • Management will have RA, TA and the BSSID in slot 3
  • Data frames will have RA, TA and depending on conditions the SA and DA or BSSID
  • ADD1 = RA
  • ADD2 = TA
  • ADD3 = BSSID, SA, or DA
  • ADD4 = BSSID or SA
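
The Frame Control and Address Fields notes above can be applied to raw header bytes as follows. This is an added example, not part of the original notes; the sample headers and MAC addresses are constructed, the field and dictionary names are my own, and the data-frame address mapping assumes the standard non-A-MSDU layout.

```python
import struct

TYPES = {0: "Management", 1: "Control", 2: "Data"}
# Subset of the subtype lists in these notes, keyed by (type, subtype).
SUBTYPES = {(0, 0b1000): "Beacon", (0, 0b1010): "Disassociation",
            (0, 0b1100): "Deauthentication", (1, 0b1011): "RTS",
            (1, 0b1100): "CTS", (1, 0b1101): "ACK", (2, 0b0000): "Data",
            (2, 0b0100): "Null Data", (2, 0b1000): "QoS Data"}
# Flag bits of the second Frame Control octet, least significant bit first.
FLAGS = ["to_ds", "from_ds", "more_frag", "retry",
         "pwr_mgmt", "more_data", "protected", "order"]
# Address 1..4 roles in data frames by (To DS, From DS); A-MSDU case not covered.
DATA_ROLES = {(0, 0): ["RA=DA", "TA=SA", "BSSID"],
              (1, 0): ["RA=BSSID", "TA=SA", "DA"],
              (0, 1): ["RA=DA", "TA=BSSID", "SA"],
              (1, 1): ["RA", "TA", "DA", "SA"]}
ADDR_OFFSETS = [4, 10, 16, 24]  # Address 4 sits after Sequence Control

def decode_header(frame):
    """Decode Frame Control and label the address fields of one MAC header."""
    if len(frame) < 10:
        raise ValueError("shorter than Frame Control + Duration + Address 1")
    fc, = struct.unpack_from("<H", frame, 0)  # sent least significant octet first
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    info = {"version": fc & 0x3, "type": TYPES.get(ftype, "Extension"),
            "subtype": SUBTYPES.get((ftype, subtype), format(subtype, "04b"))}
    info.update({name: (fc >> (8 + i)) & 1 for i, name in enumerate(FLAGS)})
    if ftype == 0:
        roles = ["RA", "TA", "BSSID"]
    elif ftype == 2:
        roles = DATA_ROLES[(info["to_ds"], info["from_ds"])]
    else:
        roles = ["RA"]  # only Address 1 is present in every control frame
    info["addresses"] = {role: frame[off:off + 6].hex(":")
                         for role, off in zip(roles, ADDR_OFFSETS)
                         if len(frame) >= off + 6}
    return info

# Constructed headers (not captures): a broadcast Deauthentication frame and a
# protected QoS Data frame sent by a STA towards the DS.
DEAUTH = bytes.fromhex("c0003a01ffffffffffff0200000000010200000000011000")
QOS_TO_DS = bytes.fromhex("884130000200000000010200000000020200000000032000")

if __name__ == "__main__":
    for hdr in (DEAUTH, QOS_TO_DS):
        print(decode_header(hdr))
```
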

Frame Check Sequence (FCS)

  • An error checking field
  • Mathematical calculation that includes all fields of the MAC header and frame body
  • When the frame is received the values are calculated and if not matching the frame is considered corrupt

4.2.3 802.11 Management Frame Formats

Information Elements

  • Beacon Frame
    • Sent for each SSID
    • Beacon Interval – time between beacons, default is 102.4ms, roughly 10 times per second
    • Capability Information – things like ESS vs IBSS, encryption type, if BA is available
    • SSID – name of the network
    • Supported Rates – data rates supported by the BSS
    • Extended supported rates – more supported rates, carried in an extended section because of the newer, higher rates
    • Traffic Indication Map (TIM) – used to indicate the AID for STAs with frames buffered
    • Country – indicates the region
    • Robust Security Network information element (RSN IE) – indicates security used for group and individual communications
    • HT capabilities and HT information – used to indicate the features and capabilities of 802.11n
    • VHT capabilities and operation – 802.11ac features
    • Vendor specific (WME) – wireless multimedia extensions. Commonly QoS related

Authentication

  • Most often only 2 frames are sent
  • 4-way handshake for PSK

Association and Reassociation

  • Association sent by STA to AP prior to the authentication phase
  • More information about the STA than the AP
  • Response reflects the actual settings of the BSS

4.2.4 Data and QoS Data Frame Formats

  • The size of the frames tells you the capacity and performance
  • CRC errors at the AP may show clients are not following DRS and may need a firmware update

4.2.5 802.11 Control Frame Formats

Acknowledgement

  • Sent to inform STA that data was received
  • Without the ACK the transmitter assumes the frame was lost

RTS/CTS

Block Acknowledgement and related frames

4.3

4.3.1 Country code

  • Indicates the regulatory domain

4.3.2 Minimum basic rate

  • Must share 1 basic rate

4.3.3 Supported rates

  • Supported rate of the BSS

4.3.4 Beacon intervals

  • Time between beacons

4.3.5 WMM settings

  • AC_VO voice
  • AC_VI video
  • AC_BE Best effort
  • AC_BK background

4.3.6 RSN settings

  • Carries security options
  • Should be 00-0f-ac-04 for CCMP
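
To check the RSN setting above against a beacon's information elements (4.2.3), the frame body can be walked as ID/length/data elements after the 12 fixed octets. This is an added example, not part of the original notes; the beacon bodies, the SSID "lab1" and all function names are constructed for illustration.

```python
import struct

CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}  # OUI 00-0f-ac types

def walk_elements(body):
    """Yield (element ID, data) pairs that follow the 12 fixed beacon octets."""
    pos = 12  # timestamp (8) + beacon interval (2) + capability information (2)
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + length]
        if len(data) < length:  # truncated element: stop instead of misparsing
            return
        yield eid, data
        pos += 2 + length

def suite_name(suite):
    if suite[:3] == b"\x00\x0f\xac":
        return CIPHERS.get(suite[3], "type-%d" % suite[3])
    return "vendor " + suite.hex("-")

def parse_rsn(data):
    """Return (group cipher, [pairwise ciphers]) from an RSN element body."""
    if len(data) < 8:
        raise ValueError("RSN element too short")
    count, = struct.unpack_from("<H", data, 6)
    count = min(count, (len(data) - 8) // 4)  # never read past the element
    return suite_name(data[2:6]), [suite_name(data[8 + 4 * i:12 + 4 * i])
                                   for i in range(count)]

def audit_beacon(body):
    interval_tu, = struct.unpack_from("<H", body, 8)  # 1 TU = 1.024 ms
    report = {"interval_ms": round(interval_tu * 1.024, 1), "ssid": None, "rsn": None}
    for eid, data in walk_elements(body):
        if eid == 0:
            report["ssid"] = data.decode("utf-8", "replace")
        elif eid == 48:
            report["rsn"] = parse_rsn(data)
    rsn = report["rsn"]
    report["ccmp_only"] = rsn is not None and rsn[0] == "CCMP" and rsn[1] == ["CCMP"]
    return report

# Constructed beacon bodies (not captures): fixed fields, SSID, then an RSN element.
FIXED = bytes(8) + struct.pack("<HH", 100, 0x0011)
SSID = b"\x00\x04lab1"
RSN_CCMP = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
RSN_MIXED = bytes.fromhex("30180100000fac020200000fac04000fac020100000fac020000")

if __name__ == "__main__":
    print([audit_beacon(FIXED + SSID + r)["ccmp_only"] for r in (RSN_CCMP, RSN_MIXED)])
```

A beacon whose group cipher is TKIP, or whose pairwise list still offers TKIP next to CCMP, fails the `ccmp_only` check, as does one with no RSN element at all.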

4.3.7 HT and VHT operations

4.3.8 Channel width

4.3.9 Primary channel

4.3.10 Hidden or non-broadcast SSIDs

4.4
