Chapter 4 - 802.11 Management frames
802.11 Management frames
- All 802.11 management frames have a standard header of 24 Bytes.
- They contain:
- Frame control
- Sequence control
- There are only 3 address fields in the MMPDU header
- The 802.11n MAC header contains an additional HT Control field right after the Sequence Control field
- The type of management frame is decided by looking at the subtype field.
- Check out Table 4.1 in the study guide for a detailed table containing the subtypes
- The Type is always 0 for all the management frames.
- The Management frames never make it into the DS.
Beacon frame
- Used by the APs to advertise the SSID/connection capabilities through the BSS
- By default it is sent approximately once every 100 ms
- When an AP sends a beacon, if the network is busy, it can't send it immediately. So there will be some delay.
- But if one beacon frame gets delayed, the next beacon is still sent according to the original schedule, not 100 ms after the delayed beacon frame is sent.
- The Beacon frame also carries a timestamp, which the STAs use to sync to the AP
- Beacons carry both mandatory and vendor-dependent IEs. Therefore the Beacon size varies
Probe Request Frame
- This is used in active scanning
- It has the following elements
- Supported rates
- Request information
- Extended supported rates - This is present when there are more than 8 supported rates.
- Vendor specific info
- The client sends the probe request (broadcast if the SSID is unknown, directed if the SSID is already known) on a channel and waits for a small period of time for the probe response.
- If it DOES NOT receive any response, it immediately shifts to the next channel and does the same thing.
- In case of directed Probe requests, the SSID value is 0
- The probe request message can also contain Request Information Elements (RIEs)
Probe Response Frame
- It's very similar to the beacon frame.
- Sent at the lowest common rate
- The differences are
- Beacon contains a TIM field, probe response does not
- Beacon contains the QoS Capability Information element
- Probe response also contains the requested information elements that the STA requested through the probe-request frame.
- They are unicast
Authentication frame
- Unlike the probe/association phases where different frames are used for request and response, authentication uses the same frame for both
- The purpose of authentication is to ensure the STA has the proper 802.11 properties to join the WLAN
- Authentication can either be
- Open (most used). 2 message exchange
- Shared key. 4 message exchange
Association Request frame
- The purpose is for the STA to join the cell and obtain the AID
- If there are L2 security mechanisms configured for a WLAN, they are negotiated after association takes place (e.g. WPA, WPA2+PSK, WPA2)
- Association request frame is unicast
- It tells the AP about its capabilities and the SSID that it wants to join.
- It tells the AP its characteristics so that the AP can communicate correctly with the client.
Association Response frame
- This is the response returned to the client along with a status code and the AID (between 1 and 2007)
Disassociation frame
- After association, either side can terminate the connection using this frame
- Ex: Used in roaming
- The Disassociation frame has a reason code field also
- During roaming, this frame is used in order to keep the Authentication status, which will help faster roam when the client roams back to the old AP
Deauthentication frame
- Sent when all communication is terminated
- Ex: AP has to reboot, a station stops its Wi-Fi communication
- Also contains the reason code
Reassociation Request frame
- Used when a station is already associated to an AP in the same ESS and now wants to associate to another AP
- It can also be used when a STA leaves and rejoins the cell after a short while
- Why not proceed with a simple association request frame? It’s because the logic is that the new access point should contact the old access point and move the parameters for the station from the old AP to the new one. A station can be associated to only one AP at a time. It is therefore the responsibility of the new AP to inform the old AP about the roam and disassociate the station from the old AP.
- A station can be authenticated to several APs as long as it's only associated to one.
Reassociation Response frame
- Very similar to the association response frame
- With association request/response, the station gets an AID on the local AP. With reassociation request/response, the station details have to be moved from the old AP to the new AP.
Information Elements and Fields
- A field is a section of the frame body that has a fixed size
- IE is a section of the frame body that can be of fixed or variable size depending on its content. It's even possible that it might not be present.
Management Frame Fields
- Timestamp Field
- Found in beacons and probe responses
- Represents the number of microseconds the AP has been active
- STAs use this value to adjust their own clock
- Beacon Interval Field
- Number of time units between target beacon transmission times (TBTTs)
- Capability Information Field
- Exists in several management frames
- Subfields are
- ESS subfield: indicates whether the beacon is coming from an AP or not.
- IBSS indicates if the beacon is coming from an IBSS station or not
- Privacy Subfield
- Set if data confidentiality is required for all data frames.
- The mechanism used to protect the data is determined by other fields (RSN field)
- Short Preamble
- Channel Agility Subfield
- Spectrum Management subfield
- Set if the device implements DFS and TPC for the affected 5 GHz channels.
- QOS Subfield
- Shows whether the AP supports QoS
- It doesn't tell any more information. That has to be obtained from other QoS fields in the header.
- Short Slot Time subfield
- APSD subfield
- Introduced by 802.11e
- When set, the AP supports the 802.11e APSD feature. Otherwise it supports the legacy power save method.
- DSSS-OFDM subfield
- Listen Interval Field
- Found in frames sent from STA to AP
- Tells the AP how often a station in power save mode wakes up to listen to beacon management frames.
- Expressed in beacon interval units
- Status Code
- Indicates success or failure of a requested operation.
- Association ID
- Reason code
Management Frame Information Elements
- Extended Capabilities field
- Extension of the capability information field.
- Ex: 802.11n uses this
- SSID Element
- Found in Beacons, probe requests, association requests, reassociation requests.
- In cases where the AP supports multiple BSSIDs, the vendors might implement it in such a way that multiple beacons are sent, with a shorter TBTT interval.
- Supported Rates Element & Extended Supported Rates Element
- Any station wanting to join a cell must support all the basic/mandatory rates.
- At least one mandatory rate has to be set; this is also the broadcast rate.
- ERP Element
- Present only in 802.11g networks
- This holds bits such as NonERP_Present and Use_Protection. The NonERP_Present bit is set to 1 as soon as a non-ERP client associates to the AP.
- The NonERP_Present bit is set to 1 only if the AP detects a non-ERP station in its BSS
- The Use_Protection bit is set to 1 if the AP detects a management frame from a neighboring cell that either has the Use_Protection bit set to 1 or only supports non-ERP rates.
- RSN IE
- Already covered earlier
- BSS Load element
- Indicates how many stations are associated to the AP, the percentage of time the medium was busy, etc.
- EDCA parameter Element
- In most QoS-enabled networks, this field is not used, and the same information is provided through the WMM or the WME vendor-specific element.
- Direct Sequence Parameter Set Element
- Indicates the current channel
- Traffic Indication Map Element
- In the case of a DTIM beacon, when the first bit of the Bitmap Control field is set to 1, the AP has multicast or broadcast traffic buffered. When this first bit is set to 0, there is no buffered broadcast or multicast.
- Country Element
- Instead of having to update all drivers of all wireless devices every time regulations change in a country, the 802.11 standard introduced the idea, via the 802.11d amendment, of sending the local regulatory values from the AP. The Country field defines the country of operation, along with the allowed channels and maximum transmit power
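To make the 24-byte header, the beacon fixed fields and the IE layout described in this chapter concrete, here is an added Python decoder (example code written for these notes, not from the study guide). The subtype values, Capability Information bit positions and Element IDs (0 SSID, 1/50 rates, 3 DS parameter set, 5 TIM, 42 ERP, 48 RSN) are those of the 802.11 standard; the sample beacon, its SSID "lab-ap" and its BSSID are constructed.

```python
import struct

# Management subtypes (Type is always 0); subtype = bits 4-7 of the first Frame Control byte
SUBTYPES = {0: "assoc_req", 1: "assoc_resp", 2: "reassoc_req", 3: "reassoc_resp", 4: "probe_req",
            5: "probe_resp", 8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}
# Capability Information subfields: bit positions inside the 16-bit little-endian field
CAP_BITS = {"ess": 0, "ibss": 1, "privacy": 4, "short_preamble": 5, "spectrum_mgmt": 8,
            "qos": 9, "short_slot": 10, "apsd": 11, "dsss_ofdm": 13}

def parse_ies(body):
    """Walk the IEs: each is Element ID (1 byte), Length (1 byte), then Length bytes of data."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        ies[eid] = body[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies

def parse_mgmt(frame):
    """Decode the 24-byte MMPDU header, then beacon/probe-response fixed fields and key IEs."""
    fc, _dur, _a1, _a2, bssid, seq = struct.unpack_from("<HH6s6s6sH", frame, 0)
    if (fc >> 2) & 0x3 != 0:
        raise ValueError("not a management frame (Type != 0)")
    subtype = (fc >> 4) & 0xF
    out = {"subtype": SUBTYPES.get(subtype, subtype), "bssid": bssid.hex(":"), "seq": seq >> 4}
    if subtype not in (5, 8):          # only beacon/probe response carry the fixed fields below
        return out
    ts, interval, cap = struct.unpack_from("<QHH", frame, 24)
    out.update(timestamp_us=ts, beacon_interval_tu=interval,
               cap={name: bool(cap >> bit & 1) for name, bit in CAP_BITS.items()})
    ies = parse_ies(frame[36:])
    out["ssid"] = ies.get(0, b"").decode("utf-8", "replace")
    rates = ies.get(1, b"") + ies.get(50, b"")   # Supported + Extended Supported Rates
    out["basic_rates_mbps"] = [(r & 0x7F) / 2 for r in rates if r & 0x80]  # bit 7 = basic/mandatory
    if 3 in ies:                                   # DS Parameter Set: current channel
        out["channel"] = ies[3][0]
    if 42 in ies:                                  # ERP: bit 0 NonERP_Present, bit 1 Use_Protection
        out["non_erp_present"], out["use_protection"] = bool(ies[42][0] & 1), bool(ies[42][0] & 2)
    if 5 in ies:                                   # TIM: DTIM count, DTIM period, bitmap control
        out["dtim_count"], out["dtim_period"] = ies[5][0], ies[5][1]
        out["group_buffered"] = ies[5][0] == 0 and bool(ies[5][2] & 1)  # DTIM beacon, bit 0 set
    out["rsn_present"] = 48 in ies
    return out

# Constructed sample beacon (not a real capture): SSID "lab-ap", channel 6, 100 TU, privacy bit set
SAMPLE = (bytes.fromhex("80000000" + "ff" * 6 + "001122334455" * 2 + "0001")   # 24-byte header
          + struct.pack("<QHH", 123456789, 100, 0x0411)                         # fixed fields
          + bytes([0, 6]) + b"lab-ap" + bytes([1, 4, 0x82, 0x84, 0x0B, 0x16])   # SSID, rates
          + bytes([3, 1, 6]) + bytes([5, 4, 0, 3, 1, 0]) + bytes([42, 1, 0x02]) # DS, TIM, ERP
          + bytes([48, 2, 1, 0]))                                               # RSN (version only)
```

Calling `parse_mgmt(SAMPLE)` returns the subtype, BSSID, sequence number, capability subfields, basic rates, channel, ERP protection bits and DTIM state; the same header decode applies to any other management subtype, which simply stops after the header.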
(to be continued...)