10-25-2010 01:20 AM - edited 02-03-2022 10:47 AM
802.11 frames : A starter guide to learn wireless sniffer traces
Lines that were in italic and smaller characters (the CF-ack, CF-poll and CF-end frame variants) refer to Contention-Free systems, which are not implemented in 99% of wireless devices, so they are of little importance.
Type value | Type description | Subtype value | Subtype description | Wireshark display filter
00 | Management | 0000 | Association Request | wlan.fc.type_subtype == 0x00
00 | Management | 0001 | Association Response | wlan.fc.type_subtype == 0x01
00 | Management | 0010 | Reassociation Request | wlan.fc.type_subtype == 0x02
00 | Management | 0011 | Reassociation Response | wlan.fc.type_subtype == 0x03
00 | Management | 0100 | Probe Request | wlan.fc.type_subtype == 0x04
00 | Management | 0101 | Probe Response | wlan.fc.type_subtype == 0x05
00 | Management | 0110-0111 | Reserved |
00 | Management | 1000 | Beacon | wlan.fc.type_subtype == 0x08
00 | Management | 1001 | ATIM | wlan.fc.type_subtype == 0x09
00 | Management | 1010 | Disassociation | wlan.fc.type_subtype == 0x0A
00 | Management | 1011 | Authentication | wlan.fc.type_subtype == 0x0B
00 | Management | 1100 | Deauthentication | wlan.fc.type_subtype == 0x0C
00 | Management | 1101 | Action | wlan.fc.type_subtype == 0x0D
00 | Management | 1110-1111 | Reserved |
01 | Control | 0000-0111 | Reserved |
01 | Control | 1000 | Block Ack Request | wlan.fc.type_subtype == 0x18
01 | Control | 1001 | Block Ack | wlan.fc.type_subtype == 0x19
01 | Control | 1010 | PS-Poll | wlan.fc.type_subtype == 0x1A
01 | Control | 1011 | RTS | wlan.fc.type_subtype == 0x1B
01 | Control | 1100 | CTS | wlan.fc.type_subtype == 0x1C
01 | Control | 1101 | ACK | wlan.fc.type_subtype == 0x1D
01 | Control | 1110 | CF-end | wlan.fc.type_subtype == 0x1E
01 | Control | 1111 | CF-end + CF-ack | wlan.fc.type_subtype == 0x1F
10 | Data | 0000 | Data | wlan.fc.type_subtype == 0x20
10 | Data | 0001 | Data + CF-ack | wlan.fc.type_subtype == 0x21
10 | Data | 0010 | Data + CF-poll | wlan.fc.type_subtype == 0x22
10 | Data | 0011 | Data + CF-ack + CF-poll | wlan.fc.type_subtype == 0x23
10 | Data | 0100 | Null | wlan.fc.type_subtype == 0x24
10 | Data | 0101 | CF-ack | wlan.fc.type_subtype == 0x25
10 | Data | 0110 | CF-poll | wlan.fc.type_subtype == 0x26
10 | Data | 0111 | CF-ack + CF-poll | wlan.fc.type_subtype == 0x27
10 | Data | 1000 | QoS data | wlan.fc.type_subtype == 0x28
10 | Data | 1001 | QoS data + CF-ack | wlan.fc.type_subtype == 0x29
10 | Data | 1010 | QoS data + CF-poll | wlan.fc.type_subtype == 0x2A
10 | Data | 1011 | QoS data + CF-ack + CF-poll | wlan.fc.type_subtype == 0x2B
10 | Data | 1100 | QoS Null | wlan.fc.type_subtype == 0x2C
10 | Data | 1101 | Reserved | wlan.fc.type_subtype == 0x2D
10 | Data | 1110 | QoS + CF-poll (no data) | wlan.fc.type_subtype == 0x2E
10 | Data | 1111 | QoS + CF-ack (no data) | wlan.fc.type_subtype == 0x2F
11 | Reserved | 0000-1111 | Reserved |
-Association request is sent by a station to associate to a BSS.
-Association response is sent in response to an association request
-Reassociation request is sent by a station changing association to another AP in the same ESS (so roaming between APs, or reassociating with the same AP)
-Reassociation response is the response to the reassociation request
-Probe request is sent by a station in order to “scan” for an SSID
-Probe response is sent by each BSS participating in that SSID
-Beacon is a periodic frame sent by the AP (or stations in case of IBSS) and giving information about the BSS
-ATIM is the traffic indication map for IBSS (in a BSS, the TIM is included in the beacon)
-Disassociation is sent to terminate the association of a station
-Authentication is the frame used to perform the 802.11 authentication (and not any other type of authentication)
-Deauthentication is the frame terminating the authentication of a station.
-Action is a frame meant for sending information elements to other stations (when sending in a beacon is not possible/best)
-PS-Poll is the Power-save poll frame polling for buffered frames after a wake-up from a station
-RTS is the request-to-send frame
-CTS is the clear-to-send frame (often response to RTS)
-ACK is the acknowledge frame sent to confirm receipt of a frame.
-Data frame is the basic frame containing data
-Null frame is a frame meant to contain no data but flag information
-QoS data is the QoS version of the data frame
-QoS null is the QoS version of the null frame
Here is what a general frame looks like. We will show what the frame control field contains and then explain the address fields.
Here is the frame control field in detail:
1.1 Protocol version field: a 2-bit field that is currently set to 0 in the 2007 revision of the standard. It will be incremented whenever a new revision of the standard comes out that is fundamentally incompatible with previous versions.
1.2 and 1.3 Type and Subtype fields: Type is 2 bits long and Subtype is 4 bits long. The type indicates whether the frame is control, management or data and the subtype defines the frame more precisely. For values, please refer to the chunk “frame types”.
1.4 and 1.5 To DS and From DS: The following table shows the meaning of the combinations of these fields.
To DS and From DS values | Meaning
To DS=0, From DS=0 | A frame sent between two stations that are not APs, in a BSS or IBSS. This is also the case for all management and control frames (sent directly to the AP and not to the DS).
To DS=1, From DS=0 | A frame sent by a station towards an AP (destined to the DS).
To DS=0, From DS=1 | A frame exiting the DS, sent by the AP to a station.
To DS=1, From DS=1 | The only case using all four address fields. Seen in a wireless DS (mesh, repeater, …) where an AP sends a frame to another AP: in that situation the frame is exiting the DS and destined to the DS at the same time.
What’s the point of these DS fields? They are useful to identify the addresses fields (see later here) and they can also help in tricky situations. For example, you see on both wired and wireless side a WLCCP frame with STA being the source and broadcast destination. It could be the station sending it or the AP but as it is broadcast, it appears on both sides and you don’t know. The DS fields will tell you the truth here.
1.6 More fragments: Bit set to 1 when more fragments are to follow. See in other chunk.
1.7 Retry: This bit is set to 1 when the frame is a retransmission of an earlier frame.
1.8 Power management field: Set to 1 when the station will go to sleep and 0 when the station will stay awake. See in other chunk.
1.9 More Data: Used in power save mode to indicate to the station that more frames are buffered on the AP. See in other chunk.
1.10 Protected Frame: This bit is set to 1 on data frames and “authentication” management frames to indicate that the body of the frame can only be read once decrypted. This field used to be called “WEP encrypted” in earlier revisions.
1.11 Order field: This bit is set to 1 on non-QoS frames whose order must be kept.
That’s it for the control field. Let’s review the general frame format again and explain the addresses fields:
2. Duration/ID: In PS-Poll frames this field is an ID and contains the Association ID of the station. In QoS and non-QoS frames it carries a duration, whose exact meaning differs between these two cases. It can basically be considered the time necessary to send the frame and its ACK. It lets other stations wait the right amount of time before checking the medium again.
3. The 4 address fields can have different meanings as well. Here are the meanings:
Destination Address (DA): Final recipient of the frame
Source Address (SA): Original source of the frame
Receiver Address (RA): Immediate receiver of the frame
Transmitter Address (TA): Immediate sender of the frame
-ToDS=0, FromDS=0 situation. The frame is sent by a station to another station. The transmitter is the original source and the receiver is the end destination. So:
Address 1 = RA/DA (identical)
Address 2 = TA/SA (identical)
Address 3 = BSSID
Address 4 = n/a
-ToDS=0, FromDS=1 situation. The frame is typically being forwarded by an AP. In this case the AP is the transmitter but not the original source. So:
Address 1 = RA/DA (identical: the end station)
Address 2 = TA/BSSID (the transmitter is the AP, which is also the BSSID)
Address 3 = SA (original station sending the frame)
Address 4 = n/a
-ToDS=1, FromDS=0 situation. The frame is being sent from a station to the DS. Here the receiver will typically be the AP, which may not be the final destination. So:
Address 1 = RA/BSSID (the receiver is the AP, which is the BSSID)
Address 2 = TA/SA (original station sending)
Address 3 = DA (end station)
Address 4 = n/a
-ToDS=1, FromDS=1 situation. The frame is sent from one AP to another. So the first AP is the transmitter but not the original source, and the second AP is the receiver but not the destination.
Address 1 = RA (end AP)
Address 2 = TA (first AP)
Address 3 = DA (end station)
Address 4 = SA (original station)
4. Sequence control field: This field contains a 4-bit fragment number and a 12-bit sequence number, which help reassemble multi-fragment frames as well as eliminate duplicate and mis-ordered frames.
5. Frame Check Sequence: CRC at the end of the frame to check its integrity. It is a basic check that can be complemented by another frame integrity check field, depending on the encryption used.
With this document, you will find some sniffer traces attached. They are examples of the DS bits set or not set in real scenarios. You will find below some comments about each trace.
If you wonder where to check the DS bits, go into the 802.11 header, then frame control, then the flag bits.
0-0.pcap: This trace shows a series of frames containing 0 in both DS bits. This reflects a situation where a station (Intel MAC address) is joining an ESS (Airespace MAC address). The frames are sent from the station directly to the access point and are not intended for the DS since the station hasn't joined yet. The same goes the other way: when the AP is sending a frame, the frame goes to a station and does not come from the DS but from the AP itself. So all frames shown have 0 in “from DS” and “to DS”.
Another good example is the RTS/CTS frames: they are directed from one station to another and are not intended for the DS.
1-0.pcap: This trace is just moments after the previous trace in time. The station is going through the EAPOL exchange. There we can see that the frames sent by the station are “to the DS” and the frames sent back to the station are “from the DS”. All data frames (mostly) follow this logic of being “to DS” when sent by the station and “from DS” when sent by the AP.
1-1.pcap: A first look at this trace might make you think we are seeing a retransmission. However, a look at the DS bits shows that the first frame is sent by the client, the second by an AP to the client and, most importantly, the third from an AP to another AP. This is then a “repeater AP” situation, and has nothing to do with a retransmission because of packet loss …
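As an added example (not code from the original post or its traces), here is a small Python decoder for the MAC header layout described above: it extracts type/subtype as the `wlan.fc.type_subtype` value from the table, the frame control flags, and labels Address 1-4 according to the To DS/From DS combinations, which is exactly what the trace commentary asks you to look at. The sample frames are constructed, not captured.

```python
import struct

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data", 3: "Reserved"}
# Control subtypes that carry a TA after the RA (Block Ack Req/Ack, PS-Poll, RTS, CF-end variants).
CONTROL_WITH_TA = {0x8, 0x9, 0xA, 0xB, 0xE, 0xF}
# Role of Address 1..4 for each (To DS, From DS) combination, as listed in the post.
ADDRESS_ROLES = {
    (0, 0): ("RA/DA", "TA/SA", "BSSID", None),
    (0, 1): ("RA/DA", "TA/BSSID", "SA", None),
    (1, 0): ("RA/BSSID", "TA/SA", "DA", None),
    (1, 1): ("RA", "TA", "DA", "SA"),
}

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_mac_header(frame: bytes) -> dict:
    """Decode the 802.11 MAC header of a raw frame (no radiotap header in front)."""
    fc, duration = struct.unpack_from("<HH", frame, 0)  # both fields are little-endian
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    to_ds, from_ds = flags & 1, (flags >> 1) & 1
    info = {
        "version": fc & 0x3,
        "type": TYPE_NAMES[ftype],
        "type_subtype": (ftype << 4) | subtype,  # the value wlan.fc.type_subtype matches
        "to_ds": to_ds, "from_ds": from_ds,
        "more_frag": (flags >> 2) & 1, "retry": (flags >> 3) & 1,
        "pwr_mgt": (flags >> 4) & 1, "more_data": (flags >> 5) & 1,
        "protected": (flags >> 6) & 1, "order": (flags >> 7) & 1,
        "duration_or_aid": duration,  # Association ID in PS-Poll, a duration otherwise
        "addresses": {},
    }
    if ftype == 1:  # control frames: RA only, or RA + TA, and no sequence control
        info["addresses"]["RA"] = mac(frame[4:10])
        if subtype in CONTROL_WITH_TA:
            info["addresses"]["TA"] = mac(frame[10:16])
        return info
    roles = ADDRESS_ROLES[(to_ds, from_ds)]
    for i, role in enumerate(roles[:3]):
        info["addresses"][role] = mac(frame[4 + 6 * i:10 + 6 * i])
    seq_ctl, = struct.unpack_from("<H", frame, 22)
    info["fragment_number"], info["sequence_number"] = seq_ctl & 0xF, seq_ctl >> 4
    if roles[3]:  # Address 4 exists only when both DS bits are set (wireless DS / repeater)
        info["addresses"][roles[3]] = mac(frame[24:30])
    return info

# Constructed sample (not from the attached traces): data frame from a station to the DS
# (To DS=1): frame control, duration, Address 1 (AP), Address 2 (station), Address 3 (DA), seq 42.
SAMPLE_STA_TO_AP = bytes.fromhex(
    "0801" "2c00" "001122334455" "66778899aabb" "ccddeeff0011" "a002")
```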
Nice job Nicolas.
Good job Nico.
If you can update the images that will be great because they do not appear in place.
It seems they were removed or renamed in their source location.
Regards,
Amjad
Thanks for the valuable information, Nico.
I tried to capture a frame containing from DS and to DS as in 1-1.
Can you guide me through the process? WDS is implemented in my setup. On which interface do I need to sniff and analyze?