Tuesday, 26 May 2015

Interframe Spaces (IFS)

Today I'll present Interframe Spaces (IFS). What is an IFS? The IFS is a quiet period that APs and STAs must wait before any 802.11 frame transmission.
There are several types of IFS. From shortest to longest, they are:

RIFS - Reduced Interframe Space
            Used only by 802.11n devices using MIMO; it precedes data frames and
            is used between frames of a Contention Free Burst, when block
            acknowledgements are enabled. The length is always 2 microseconds.

SIFS - Short Interframe Space
            Used to determine the length of the other IFSs. A commonly used IFS,
            applied whenever arbitration has been completed.
            Set to 10 microseconds (b/g/n in 2.4GHz) and 16 microseconds (a/n/ac
            in 5GHz).

PIFS - PCF Interframe Space
            Used only with the Channel Switch Announcement frame,
            which is one of the action frames from 802.11h. Equal to one slot time
            plus one SIFS.

DIFS - DCF Interframe Space
             Used to force ordinary data frames to stay quiet for enough time to
             allow higher-priority frames to have access to the channel. It's used
             before the arbitration process. Equal to a SIFS plus two slot times.
             Slot time:
             9 microseconds - a/n (5GHz) and g/n (2.4GHz, HT or ERP with short
             20 microseconds - b/g/n (2.4GHz, DSSS) and HT or ERP with long
             50 microseconds - FHSS
             Used only by APs and STAs that do not support QoS.

AIFS - Arbitration Interframe Space
             Used by APs and STAs that support 802.11e QoS. Used before the
             arbitration process. It is not a static value; its value changes with
             the priority level of the data, as defined by 802.11e QoS:
             Voice & Video - 2 slot times
             Best Effort - 3 slot times
             Background - 7 slot times

EIFS - Extended Interframe Space
             Used to give APs and STAs a chance to retransmit after a failed frame
             reception. When APs or STAs hear a corrupt frame on the channel (FCS
             fails), they stay quiet for an EIFS. Set to SIFS plus DIFS plus the time it
             takes an Ack frame to transmit:
             364 microseconds - b/g/n (2.4GHz, DSSS)
             160 microseconds - a/n (5GHz), g/n (2.4GHz, OFDM)

Wednesday, 1 April 2015

Management Frame

Management frames form the skeleton of wireless networks. They allow wireless devices to form a network and manage the connection.

Management frames always have a standard 24-byte-long MAC header with three addresses, followed by a body of variable size.

Management frames are sourced and dealt with at the MAC layer and never forwarded to the upper layers.
Management frames do not carry any upper-layer information. There is no MSDU encapsulated in the MMPDU frame body, 
which carries only layer 2 information fields and information elements. 

Information fields are fixed-length mandatory fields in the body of a management frame. 
Information elements are variable in length and are optional.

Management frames are always limited to the cell space; they are never relayed through an access point to the DS, from the DS, 
or from a station to another station. For this reason, management frames sent by access points always have the To DS and From DS 
fields set to 0.

Management frames are used by STAs to join and leave a BSS.

A management frame is also known as a Management MAC Protocol Data Unit (MMPDU).

When 802.11n is in use, the header is extended to show the HT Control section.

Management frames are of type 00 and have many different subtypes:
  • Association Request (Subtype 0000 [0])
  • Association Response (Subtype 0001 [1])
  • Reassociation Request (Subtype 0010 [2])
  • Reassociation Response (Subtype 0011 [3])
  • Probe Request (Subtype 0100 [4])
  • Probe Response (Subtype 0101 [5])
  • Beacon (Subtype 1000 [8])
  • Announcement Traffic Indication Message (ATIM) (Subtype 1001 [9])
  • Disassociation (Subtype 1010 [10])
  • Authentication (Subtype 1011 [11])
  • Deauthentication (Subtype 1100 [12])
  • Action (Subtype 1101 [13])
  • Action no ack (Subtype 1110 [14])

All of the above subtypes will be discussed in the following posts.

Monday, 30 March 2015

As part of my preparation for the CWAP exam, in the next couple of posts I will be discussing frames and frame formats.

In this post we'll look at a generic frame format and discuss its content.

A generic frame has the following format:

It consists of three distinct parts:
1. MAC Header
2. Frame Body
3. FCS (Frame Check Sequence)

MAC Header

The MAC header consists of several fields, though not all of them are always present.

Frame Control Field

It is a 2-byte field that is always present. It contains the following fields:

  • Protocol Version (2 bits) is always set to 0
  • Type (2 bits) and Subtype (4 bits), together they identify the function of the frame.  
    • Type:
      • Management Frame (00)
      • Control Frame (01)
      • Data Frame (10)
      • Reserved (11)
    • Subtype: the meaning of this field depends on the Type field value; the various subtypes will be discussed in separate posts
  • To DS (1 bit) and From DS (1 bit)
    • To DS (To Distribution System) and From DS (From Distribution System); these fields work in tandem, and they represent the following:
      • To DS = 0, From DS = 0
        • Management or Control Frames
        • Direct frame from one STA to another STA (in IBSS)
        • Direct frame from one STA to another STA (in STSL 802.11z)
      • To DS = 1, From DS = 0
        • Frame sent upstream, from STA to AP
      • To DS = 0, From DS = 1
        • Frame sent downstream, from AP to STA
      • To DS = 1, From DS = 1
        • Data frame uses four address format (not defined by the standard, usually used with WDS i.e. WLAN bridges or mesh networks)
  • More Fragments (1 bit)
    • If set to 1, more fragments to follow
    • Broadcast & Multicast frames are never fragmented
  • Retry (1 bit)
    • If set to 1, it indicates that the frame is being retransmitted
    • All Unicast frames have to be ACKed (or BlockACKed), if no ACK is received, the frame needs to be retransmitted
  • Power Management (1 bit)
    • STA informs AP that it goes into Power Save mode by setting this field to 1
  • More Data (1 bit)
    • If set to 1, it indicates more data frames are buffered on the AP destined for the STA
  • Protected Frame (1 bit)
    • If set to 1, it indicates the MSDU is encrypted
  • Order (1 bit)
    • Legacy, this field is rarely used

Duration/ID Field

This is a 2-byte field. Its contents vary with frame type and subtype, and with whether the STA supports QoS capabilities:
  • In control frames of subtype PS-Poll, the field carries the association identifier (AID) of the STA that transmitted the frame in the 14 least significant bits, with the 2 most significant bits both set to 1. The value of the AID is in the range 1-2007.
  • When a STA transmits a unicast frame, the Duration/ID uses bits 0-14 (bit 15 set to 0) to represent a value from 0 to 32,767. This value is used to reset the NAV (Network Allocation Vector) timer, which is used by virtual carrier sense.

MAC Layer Addressing

802.11 frames have up to four address fields in the MAC header. 802.11 frames typically use only three of the MAC address fields, but an 802.11 frame sent within a wireless distribution system (WDS) requires all four MAC addresses. Below are all possible options that can be used, depending on To DS and From DS values:

Sequence Control Field

Used by a receiving station to eliminate duplicate received frames and to reassemble fragments.

  • Fragment Number (4 bits)
    • Assigned to each fragment of an MSDU
    • The first, or only, fragment of an MSDU is assigned a fragment number of 0. Each successive fragment is assigned a sequentially incremented fragment number
    • The fragment number is the same in a transmission or any retransmission of a particular frame or fragment
    • Fragments are always sent in what is known as a fragment burst
  • Sequence Number (12 bits)
    • Assigned sequentially by the sending station to each MPDU and MMPDU
    • The sequence number can have a value of 0 to 4095
    • This sequence number is incremented after each assignment and wraps back to 0 when incremented from 4095
    • The sequence number for a particular MSDU is transmitted in every data frame associated with the MSDU. It is constant over all transmissions and retransmissions of the MSDU
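The field layouts above (Frame Control, Duration/ID and Sequence Control), together with the management subtype list from the Management Frame post, can be decoded with a short parser. This is an added example, not code from the original posts; the function name, the dictionary keys and the three sample frames (with made-up locally administered MAC addresses) are constructed for illustration.

```python
import struct

FRAME_TYPES = {0: "Management", 1: "Control", 2: "Data", 3: "Reserved"}
MGMT_SUBTYPES = {
    0: "Association Request", 1: "Association Response",
    2: "Reassociation Request", 3: "Reassociation Response",
    4: "Probe Request", 5: "Probe Response", 8: "Beacon", 9: "ATIM",
    10: "Disassociation", 11: "Authentication", 12: "Deauthentication",
    13: "Action", 14: "Action No Ack",
}
DS_DIRECTION = {  # keyed by (To DS, From DS)
    (0, 0): "management/control or direct STA-to-STA",
    (1, 0): "upstream, STA to AP",
    (0, 1): "downstream, AP to STA",
    (1, 1): "four-address format (WDS)",
}
FLAG_BITS = {10: "more_fragments", 11: "retry", 12: "power_mgmt",
             13: "more_data", 14: "protected", 15: "order"}


def parse_mac_header(frame: bytes) -> dict:
    """Decode Frame Control, Duration/ID and, if present, Sequence Control."""
    if len(frame) < 4:
        raise ValueError("need at least Frame Control and Duration/ID")
    fc, dur_id = struct.unpack_from("<HH", frame)  # fields are little-endian
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    hdr = {
        "version": fc & 0x3,
        "type": FRAME_TYPES[ftype],
        "subtype": subtype,
        "direction": DS_DIRECTION[(fc >> 8) & 1, (fc >> 9) & 1],
        "flags": sorted(n for bit, n in FLAG_BITS.items() if (fc >> bit) & 1),
    }
    if ftype == 0:
        hdr["subtype_name"] = MGMT_SUBTYPES.get(subtype, "Reserved")
    if ftype == 1 and subtype == 10 and dur_id >> 14 == 0b11:  # PS-Poll (1010)
        hdr["aid"] = dur_id & 0x3FFF      # AID in the 14 least significant bits
    elif dur_id >> 15 == 0:
        hdr["nav_us"] = dur_id            # bits 0-14: value that resets the NAV
    if ftype != 1 and len(frame) >= 24:   # three-address header, 24 bytes
        (seq_ctl,) = struct.unpack_from("<H", frame, 22)
        hdr["fragment"] = seq_ctl & 0xF   # 4-bit fragment number
        hdr["sequence"] = seq_ctl >> 4    # 12-bit sequence number, 0..4095
    return hdr


# Constructed sample frames; AP and STA are made-up locally administered MACs.
AP, STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
BEACON = bytes.fromhex("80000000") + b"\xff" * 6 + AP + AP + struct.pack("<H", 1234 << 4)
DATA_UP = bytes.fromhex("08492c00") + AP + STA + AP + struct.pack("<H", (4095 << 4) | 2)
PS_POLL = bytes.fromhex("a41005c0") + AP + STA

if __name__ == "__main__":
    for sample in (BEACON, DATA_UP, PS_POLL):
        print(parse_mac_header(sample))
```
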

QoS Control

The QoS Control field is a 16-bit field that identifies the Access Category to which the frame belongs as well as various other QoS-related, A-MSDU related, and mesh-related information about the frame that varies by frame type, subtype, and type of transmitting STA

  • Bits 0-3: TID/Access Class
    • AC_BK - UP (User Priority) 1,2
    • AC_BE - UP (User Priority) 0,3
    • AC_VI - UP (User Priority) 4,5
    • AC_VO - UP (User Priority) 6,7
  • Bit 4: 
    • AP: EOSP (End Of Service Period)
    • STA: 0 or 1
  • Bits 5-7: ACK Policy
    • Defines which acknowledgement policy is used after the delivery of the QoS Data frame. The four ACK policies used are: ACK, No ACK, No explicit ACK, and Block ACK. Some WLAN vendors have an optional configurable setting that does not require ACK frames after the delivery of voice or video frames. 
  • Bit 7: Reserved
  • Bits 8-15:
    • AP
      • TXOP Limit
      • AP PS Buffer State
    • STA
      • TXOP Duration Requested
      • Queue Size

Frame Body

Carries an MSDU (Upper-layer protocols)

Frame Check Sequence

This is a 4-byte field. If any portion of a unicast frame is corrupted, the CRC will fail, and the receiving 802.11 radio will not send an ACK frame to the transmitting 802.11 radio. If an ACK frame is not received by the original transmitting radio, the unicast frame is not acknowledged and will have to be retransmitted.

There is much more detail to this topic; for anyone interested in diving deeper, the 802.11 standard is the recommended resource.

Tuesday, 18 November 2014

I passed CWDP exam

I passed the CWDP exam; time to prepare for CWAP now.

Improving network performance by disabling lower speed rates

One of the ways to improve overall network performance is to disable support for lower speed rates. Management frames are transmitted at the lowest basic rate; by default this rate is 1 Mbps.

One of the implications of sending frames at low rates is that, in free space, a 1 Mbps signal can be received 14 times farther away than a 54 Mbps signal.
By changing the lowest basic rate from 1 Mbps to 5.5 Mbps or higher, we can decrease the effective BSS (Basic Service Set) area in which clients can be served. This doesn't mean the coverage has been decreased; that is achieved by manipulating the Tx power of the access point (this technique will be discussed in a separate post).

By disabling lower basic rates we effectively improve network airtime utilization, because sending a frame at 1 Mbps takes twice as long as sending the same frame at 2 Mbps, and eleven times longer than sending the same frame at 11 Mbps. This leaves more airtime available for other traffic.

The important fact is that by disabling the lower speeds on the AP (or wireless LAN controller) we only prevent the AP/WLC from sending frames at these speeds. This means that when a client sends a broadcast probe request (always at 1 Mbps), the AP will hear it, but it will respond to the client with a probe response at its lowest basic rate. The implication is that if the client can't operate at this speed, it won't be able to connect to the network. For example, if we disable speeds 1, 2, 5.5 and 11 Mbps, we effectively prevent 802.11b clients from connecting to the network.

Let's examine another scenario. Take a client that has already associated to the network, with 5.5 Mbps set as a basic rate. It currently operates at 24 Mbps and is moving away from the AP. At some point, as signal quality degrades, it will start switching down to rates with less demanding modulation, until it has to switch to the 2 Mbps rate (operating with QPSK modulation). At this stage, since the AP does not support this rate, the client will be kicked off the network.

Here's an example of how to disable speeds 1 and 2 Mbps on a Cisco controller:

Another important fact is that broadcast and multicast frames are also sent at the lowest mandatory rate (basic rates are sometimes called mandatory rates). Some vendors, Cisco for example, send multicast frames at the highest mandatory rate. This is why in the above screenshot you can see two mandatory rates selected, 5.5 and 11 Mbps: broadcast and management frames will be sent at 5.5 Mbps, and multicast frames will be sent at 11 Mbps.

By changing the mandatory rate we also decrease the overall overhead of the wireless network. Every AP sends a beacon frame advertising its presence and capabilities. This frame is a broadcast frame, sent by default at an interval of about 100 ms.
Because this frame is a broadcast frame, it is sent at the lowest basic rate (1 Mbps by default). By disabling lower speeds, we are forcing the beacon frames to be sent at higher data rates, and at the same time decreasing protocol overhead and improving the overall performance of the wireless network.

Here's an example of how disabling the 1 and 2 Mbps rates decreases the protocol overhead. For a network with 4 SSIDs per AP (where each AP is within range of three other APs on the same channel) and the default basic rate of 1 Mbps, the overhead is 38.70%. When speeds of 1 and 2 Mbps are disabled, leaving 5.5 Mbps as the lowest basic rate, the overhead is reduced to 8.42%.


For overhead calculations I used the SSID overhead calculator, an incredibly useful tool created by Andrew von Nagy, which can be found on his website.

Tuesday, 31 December 2013

DCF - Distributed Coordination Function

Distributed Coordination Function (DCF) - mandatory access method of 802.11 standard

Medium access method that utilizes multiple checks and balances to try to minimize collisions.
These checks and balances can also be thought of as several lines of defense.

HCF - Hybrid Coordination Function - specifies advanced QoS methods

Components of DCF:

  • Interframe Space (IFS)
  • Duration/ID Field
  • Carrier Sense
  • Random back-off timer

The components above are checks and balances that work together at the same time to ensure that only one 802.11 radio is transmitting on the half-duplex medium.

Interframe Space (IFS):

IFS is a period of time that exists between transmissions of wireless frames.
There are 6 types of IFS (from shortest to longest):

  • Reduced IFS (RIFS), highest priority
  • Short IFS (SIFS), second highest priority
  • PC IFS (PIFS), middle priority
  • DCF IFS (DIFS), lowest priority
  • Arbitration IFS (AIFS), used by QoS stations
  • Extended IFS (EIFS), used with retransmissions

Only ACK frames, data frames, and CTS frames may follow a SIFS.

ACK frame is the highest priority frame.

The two most common IFSs are SIFS and DIFS.


Interframe spaces are all about what type of 802.11 traffic is allowed next.

Duration/ID field:

A value from 0 to 32,767. The value of the Duration/ID field indicates how long the RF medium will be busy before another station can contend for the medium.
It's a field in the MAC header of an 802.11 frame.

Carrier Sense:

The first step that an 802.11 CSMA/CA device needs to do to begin transmitting is to perform a carrier sense. This is a check to see whether the medium is busy.

Two ways of carrier sense:

  • Virtual Carrier Sense
  • Physical Carrier Sense

Virtual Carrier Sense:

Uses a timer mechanism known as the Network Allocation Vector (NAV).
The NAV timer maintains a prediction of future traffic on the medium based on the Duration value seen in a previous frame transmission.

The listening station will use the NAV as a countdown timer, knowing that the RF medium should be busy until the countdown reaches 0.

When an 802.11 radio is not transmitting, it is listening.

A station cannot contend for the medium until its NAV timer is 0, nor can a station transmit on the medium if the NAV timer is set to a nonzero value.

Physical Carrier Sense:

Physical carrier sensing is performed constantly by all stations that are not transmitting or receiving. When a station performs a physical carrier sense, it is actually listening to the channel to see whether any other transmitters are taking up the channel.

It has two purposes:

  • Determine whether a frame is inbound for a station to receive. If the medium is busy, the radio will attempt to synchronize with the transmission.
  • Determine whether the medium is busy before transmitting. This is known as a Clear Channel Assessment (CCA). The CCA involves listening for 802.11 RF transmission at the Physical Layer. The medium must be clear before a station can transmit.

Both virtual and physical carrier senses are always happening at the same time.
Virtual carrier sense is a Layer 2 line of defense, while Physical carrier sense is a Layer 1 line of defense.

Random Back-off Timer:

The station selects a random back-off value. The value is chosen from the range of 0 to the initial contention window value. This value is then multiplied by the slot time (which differs among spread spectrum techniques). This back-off timer is used before a station can transmit.
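The DCF components described in this post (IFS, Duration/ID and NAV, carrier sense, random back-off) can be seen working together in a small simulation that uses the 2.4GHz DSSS timings from the Interframe Spaces post (SIFS 10, slot time 20, EIFS 364 microseconds). This is an added example, not code from the original posts; the function names, the 500-microsecond frame time, the 304-microsecond ACK time and the contention window of 31 are assumptions, and freezing the back-off counter while the medium is busy goes slightly beyond what the post states.

```python
import random


def ifs_table(sifs, slot, ack_us):
    """Derive the longer interframe spaces from SIFS and slot time (all in us)."""
    difs = sifs + 2 * slot
    return {"PIFS": sifs + slot, "DIFS": difs, "EIFS": sifs + difs + ack_us}


def dcf_contend(stations, draw=None, sifs=10, slot=20, frame_us=500,
                ack_us=304, cw=31):
    """Run DCF until every station has delivered one frame.

    draw(cw) returns a back-off count in 0..cw (random by default).
    Returns (events, end_us); each event is (time_us, kind, stations).
    frame_us, ack_us and cw are assumed values for this example.
    """
    draw = draw or (lambda window: random.randint(0, window))
    ifs = ifs_table(sifs, slot, ack_us)
    backoff = {s: draw(cw) for s in stations}   # random back-off, in slots
    now, wait, events = 0, ifs["DIFS"], []
    while backoff:
        now += wait                             # medium must stay idle this long
        step = min(backoff.values())            # slots until a counter hits 0
        now += step * slot
        # Losers keep their residual count (frozen while the medium is busy).
        backoff = {s: n - step for s, n in backoff.items()}
        senders = sorted(s for s, n in backoff.items() if n == 0)
        if len(senders) == 1:
            events.append((now, "tx", senders))
            nav = sifs + ack_us                 # Duration/ID carried in the frame
            now += frame_us + nav               # listeners' NAV counts down to 0
            del backoff[senders[0]]
            wait = ifs["DIFS"]
        else:
            events.append((now, "collision", senders))
            now += frame_us                     # corrupt frames, no ACK follows
            for s in senders:                   # simplification: CW is not grown
                backoff[s] = draw(cw)
            wait = ifs["EIFS"]                  # FCS failed: stay quiet for EIFS
    return events, now


if __name__ == "__main__":
    # Constructed run: three stations on a 2.4GHz DSSS channel.
    events, end_us = dcf_contend(["A", "B", "C"])
    for time_us, kind, who in events:
        print(f"{time_us:>6} us  {kind:<9} {','.join(who)}")
    print(f"medium free again at {end_us} us")
```

Passing a fixed `draw` function makes a run reproducible, which is useful for stepping through one contention round by hand.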

Friday, 20 September 2013

Passed CWSP

I passed CWSP today, next ... CWDP.