Monday, 30 March 2015

As part of my preparation for the CWAP exam, in the next couple of posts I will be discussing frames and frame formats.

In this post we'll look at a generic frame format and discuss its content.

A generic frame has the following format:


It consists of three distinct parts:
1. MAC Header
2. Frame Body
3. FCS (Frame Check Sequence)

MAC Header

The MAC Header consists of several fields, though not all of them are always present.

Frame Control Field

It's a 2-byte field that is always present. It contains the following fields:


  • Protocol Version (2 bits) is always set to 0
  • Type (2 bits) and Subtype (4 bits), together they identify the function of the frame.  
    • Type:
      • Management Frame (00)
      • Control Frame (01)
      • Data Frame (10)
      • Reserved (11)
    • Subtype: the meaning of this field depends on the Type field value; the various subtypes will be discussed in separate posts
  • To DS (1 bit) and From DS (1 bit)
    • To DS (To Distribution System) and From DS (From Distribution System); these fields work in tandem, and they represent the following:
      • To DS = 0, From DS = 0
        • Management or Control Frames
        • Direct frame from one STA to another STA (in IBSS)
        • Direct frame from one STA to another STA (in STSL 802.11z)
      • To DS = 1, From DS = 0
        • Frame sent upstream, from STA to AP
      • To DS = 0, From DS = 1
        • Frame sent downstream, from AP to STA
      • To DS = 1, From DS = 1
        • Data frame uses the four-address format (not defined by the standard, usually used with WDS, i.e. WLAN bridges or mesh networks)
  • More Fragments (1 bit)
    • If set to 1, more fragments to follow
    • Broadcast & Multicast frames are never fragmented
  • Retry (1 bit)
    • If set to 1, it indicates that the frame is being retransmitted
    • All Unicast frames have to be ACKed (or BlockACKed), if no ACK is received, the frame needs to be retransmitted
  • Power Management (1 bit)
    • STA informs AP that it goes into Power Save mode by setting this field to 1
  • More Data (1 bit)
    • If set to 1, it indicates more data frames are buffered on the AP destined for the STA
  • Protected Frame (1 bit)
    • If set to 1, it indicates the MSDU is encrypted
  • Order (1 bit)
    • Legacy, this field is rarely used

Duration/ID Field

This is a 2-byte field. Its contents vary with frame type and subtype, or whether the STA supports QoS capabilities:
  • In control frames of subtype PS-Poll, the field carries the association identifier (AID) of the STA that transmitted the frame in the 14 least significant bits, with the 2 most significant bits both set to 1. The value of the AID is in the range 1-2007.
  • When a STA transmits a unicast frame, the Duration/ID uses bits 0-14 (bit 15 set to 0) to represent a value from 0 to 32,767. This value is used to reset the NAV (Network Allocation Vector) timer, which is used by virtual carrier sense.

MAC Layer Addressing

802.11 frames have up to four address fields in the MAC header. 802.11 frames typically use only three of the MAC address fields, but an 802.11 frame sent within a wireless distribution system (WDS) requires all four MAC addresses. Below are all possible options that can be used, depending on To DS and From DS values:


Sequence Control Field

Used by a receiving station to eliminate duplicate received frames and to reassemble fragments.


  • Fragment Number (4 bits)
    • Assigned to each fragment of an MSDU
    • The first, or only, fragment of an MSDU is assigned a fragment number of 0. Each successive fragment is assigned a sequentially incremented fragment number
    • The fragment number is the same in a transmission or any retransmission of a particular frame or fragment
    • Fragments are always sent in what is known as a fragment burst
  • Sequence Number (12 bits)
    • Assigned sequentially by the sending station to each MPDU and MMPDU
    • The sequence number can have a value of 0 to 4095
    • This sequence number is incremented after each assignment and wraps back to 0 when incremented from 4095
    • The sequence number for a particular MSDU is transmitted in every data frame associated with the MSDU. It is constant over all transmissions and retransmissions of the MSDU
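
As an added example (not part of the original post), here is a small Python decoder for the Frame Control, Duration/ID and Sequence Control fields described above. The function names and sample frames are made up for illustration, and it assumes the usual on-air layout: little-endian 16-bit fields, Sequence Control at byte offset 22 after three 6-byte addresses, and PS-Poll being Control subtype 10.

```python
import struct

FRAME_TYPES = {0: "Management", 1: "Control", 2: "Data", 3: "Reserved"}
FLAGS = ["to_ds", "from_ds", "more_fragments", "retry",
         "power_management", "more_data", "protected", "order"]
DS_MEANING = {(False, False): "management/control or direct STA to STA",
              (True, False): "upstream, STA to AP",
              (False, True): "downstream, AP to STA",
              (True, True): "four-address format (WDS)"}
PS_POLL = 10  # Control subtype 1010 per the 802.11 standard (not given in the post)

def parse_frame_control(fc: int) -> dict:
    """Split the 16-bit Frame Control value into the fields listed in the post."""
    out = {"version": fc & 0x3,
           "type": FRAME_TYPES[(fc >> 2) & 0x3],
           "subtype": (fc >> 4) & 0xF}
    for bit, name in enumerate(FLAGS, start=8):  # bits 8-15 are the 1-bit flags
        out[name] = bool((fc >> bit) & 1)
    out["direction"] = DS_MEANING[(out["to_ds"], out["from_ds"])]
    return out

def parse_duration_id(value: int, fc: dict) -> dict:
    """PS-Poll carries an AID; otherwise bit 15 clear means a NAV duration."""
    if fc["type"] == "Control" and fc["subtype"] == PS_POLL:
        aid = value & 0x3FFF
        if value >> 14 != 0b11 or not 1 <= aid <= 2007:
            raise ValueError(f"malformed PS-Poll AID field: {value:#06x}")
        return {"aid": aid}
    if value & 0x8000:
        return {"raw": value}  # bit 15 set outside PS-Poll: not a duration
    return {"duration": value}

def parse_mac_header(frame: bytes) -> dict:
    """Decode Frame Control, Duration/ID and, when present, Sequence Control."""
    if len(frame) < 4:
        raise ValueError("truncated: need Frame Control and Duration/ID")
    fc_raw, dur_raw = struct.unpack_from("<HH", frame, 0)  # little-endian on air
    fc = parse_frame_control(fc_raw)
    hdr = {"frame_control": fc, "duration_id": parse_duration_id(dur_raw, fc)}
    if fc["type"] in ("Management", "Data"):
        if len(frame) < 24:
            raise ValueError("truncated: header shorter than 24 bytes")
        (sc,) = struct.unpack_from("<H", frame, 22)  # after three 6-byte addresses
        hdr["fragment_number"], hdr["sequence_number"] = sc & 0xF, sc >> 4
    return hdr

# Constructed samples (addresses zeroed): retried, protected QoS Data; PS-Poll, AID 5.
QOS_DATA = struct.pack("<HH", 0x4988, 44) + bytes(18) + struct.pack("<H", 1234 << 4)
PS_POLL_FRAME = struct.pack("<HH", 0x10A4, 0xC005) + bytes(12)
```

Calling `parse_mac_header(QOS_DATA)` reports an upstream Data frame with the Retry and Protected Frame bits set and sequence number 1234; control frames such as the PS-Poll sample have no Sequence Control field, so none is returned for them.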

QoS Control

The QoS Control field is a 16-bit field that identifies the Access Category to which the frame belongs, as well as various other QoS-related, A-MSDU-related, and mesh-related information about the frame that varies by frame type, subtype, and type of transmitting STA.

  • Bits 0-3: TID/Access Class
    • AC_BK - UP (User Priority) 1,2
    • AC_BE - UP (User Priority) 0,3
    • AC_VI - UP (User Priority) 4,5
    • AC_VO - UP (User Priority) 6,7
  • Bit 4: 
    • AP: EOSP (End Of Service Period)
    • STA: 0 or 1
  • Bits 5-7: ACK Policy
    • Defines which acknowledgement policy is used after the delivery of the QoS Data frame. The four ACK policies used are: ACK, No ACK, No explicit ACK, and Block ACK. Some WLAN vendors have an optional configurable setting that does not require ACK frames after the delivery of voice or video frames. 
  • Bit 7: Reserved
  • Bits 8-15:
    • AP
      • TXOP Limit
      • AP PS Buffer State
    • STA
      • TXOP Duration Requested
      • Queue Size

Frame Body

Carries an MSDU (Upper-layer protocols)

Frame Check Sequence

This is a 4-byte field. If any portion of a unicast frame is corrupted, the CRC will fail, and the receiving 802.11 radio will not send an ACK frame to the transmitting 802.11 radio. If an ACK frame is not received by the original transmitting radio, the unicast frame is not acknowledged and will have to be retransmitted.


There is much more detail to this topic. If anyone is interested in diving deeper, the 802.11 standard would be a recommended resource.
