4. Details of 802.11 framing

Some references are: https://www.cnblogs.com/hunaiquan/p/5566779.html

1. Introduction

There are three main types of 802.11 frames: data frames, control frames, and management frames.

2. Data Frame

The data frame will put the data of the upper layer protocol in the frame body to be transmitted.

Data frames can be classified by function into two kinds: those carrying contention-based service and those carrying contention-free service.

Frame Control

Duration

The Duration field is used to record the value of the Network Allocation Vector (NAV). The setting of the Duration field of the data frame must follow four specifications.

1. Any frame transmitted during a contention-free period must set the Duration field to 32768.
2. Frames destined for a broadcast or multicast address (the group bit of the Address 1 field is set) have a duration of 0.
3. If the More Fragments bit in the Frame Control field is 0, the frame has no further fragments. The final fragment only needs to reserve the medium for its own acknowledgment, after which contention-based access can resume.
4. If the More Fragments bit in the Frame Control field is 1, further fragments follow this frame. The Duration field is therefore set to the time required to transmit two acknowledgments plus three short interframe spaces and the next fragment.

Addressing and DS bits

The number and function of the address fields depend on which DS (distribution system) bits are set. Only a wireless bridge uses the fourth address field.

Data frame subtypes

Data

Frames with the Data subtype are transmitted only during contention-based access periods.

Null

Data frame encapsulation

IBSS frame

Three address fields are used in an IBSS. The first address is the receiver address, which in an IBSS is also the destination address. The second address is the source address.
The subtype of an IBSS data frame is either Data or Null; the latter is used only to report the station's current power-management state.

Frames transmitted from the access point (From AP)

The first address is the receiver that accepts the frame on the wireless network, which is also the frame's destination.
The second address holds the transmitter address. In an infrastructure network the transmitter address is the BSSID.

Note: the access point cannot use power-saving mode.

Frames in WDS

When the access point is deployed as a wireless bridge (or WDS), four address fields are used.

3. Control Frame

Control frames are mainly used to assist the transfer of data.

RTS (Request to Send)

The RTS MAC header consists of four fields: Frame Control; Duration; Address 1 (receiver address); Address 2 (transmitter address).

CTS (Clear to Send)

The CTS MAC header consists of three fields: Frame Control; Duration; Address 1 (receiver address).

ACK (acknowledge)

The ACK MAC header consists of three fields: Frame Control; Duration; Address 1 (receiver address).

PS-Poll (Power Save Poll)

The PS-Poll MAC header consists of four fields: Frame Control; AID (association identifier); Address 1 (BSSID); Address 2 (transmitter address).

Note: the PS-Poll frame carries no duration information, so it cannot be used to update the NAV directly. Instead, every station that receives a PS-Poll frame updates its NAV by one short interframe space plus the time required to transmit an ACK. This automatic adjustment makes it unlikely that the ACK transmitted by the access point collides with a transmission from a mobile station.
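As an added example (not code from the original post), a small parser for the data and control frame MAC headers described in the two preceding sections: it assigns address roles from the To DS / From DS bits (adding the To AP case the page does not list), reads the RTS/CTS/ACK/PS-Poll layouts by subtype, masks the two top bits of the PS-Poll AID as the Association ID section below describes, and checks Duration rule 2 for group-addressed frames. The sample frames are constructed, not captured.

```python
import struct

# Constructed sample frames (no FCS); all multi-byte fields are little-endian.
FROM_AP_DATA = (struct.pack("<HH", 0x0208, 0x002C)    # Frame Control: type Data, From DS = 1; Duration
                + bytes.fromhex("aabbccddee01")       # Address 1 = destination (receiver)
                + bytes.fromhex("001122334455")       # Address 2 = BSSID (transmitter)
                + bytes.fromhex("66778899aabb")       # Address 3 = source
                + struct.pack("<H", 0x0010))          # Sequence Control
PS_POLL = (struct.pack("<HH", 0x00A4, 0xC005)         # type Control, subtype PS-Poll; AID 5 with top bits set
           + bytes.fromhex("001122334455")           # Address 1 = BSSID
           + bytes.fromhex("66778899aabb"))          # Address 2 = transmitter

CTRL_SUBTYPES = {0xA: "PS-Poll", 0xB: "RTS", 0xC: "CTS", 0xD: "ACK"}
DATA_SUBTYPES = {0x0: "Data", 0x4: "Null"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mac_header(frame):
    fc, dur_id = struct.unpack_from("<HH", frame, 0)
    h = {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
         "to_ds": bool(fc & 0x100), "from_ds": bool(fc & 0x200),
         "more_frag": bool(fc & 0x400), "protected": bool(fc & 0x4000)}
    if h["type"] == 2:  # data frame: address roles follow the To DS / From DS bits
        a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
        roles = {
            (False, False): {"DA": a1, "SA": a2, "BSSID": a3},   # IBSS
            (False, True): {"DA": a1, "BSSID": a2, "SA": a3},    # From AP
            (True, False): {"BSSID": a1, "SA": a2, "DA": a3},    # To AP
            (True, True): {"RA": a1, "TA": a2, "DA": a3, "SA": frame[24:30]},  # WDS: 4th address after Sequence Control
        }[(h["to_ds"], h["from_ds"])]
        h.update({k: mac(v) for k, v in roles.items()})
        h["subtype_name"] = DATA_SUBTYPES.get(h["subtype"], "other")
        h["duration"] = dur_id
        # Duration rule 2: a group-addressed frame (group bit of Address 1 set) must carry 0
        h["duration_ok"] = not (a1[0] & 0x01) or dur_id == 0
    elif h["type"] == 1:  # control frame: header layout depends on the subtype
        name = CTRL_SUBTYPES.get(h["subtype"], "other")
        h["subtype_name"] = name
        if name == "PS-Poll":  # Duration/ID carries the AID; mask off its two top bits
            h["BSSID"], h["TA"] = mac(frame[4:10]), mac(frame[10:16])
            h["aid"] = dur_id & 0x3FFF
        else:                  # RTS/CTS/ACK: Duration plus receiver address
            h["RA"], h["duration"] = mac(frame[4:10]), dur_id
            if name == "RTS":  # only RTS also carries a transmitter address
                h["TA"] = mac(frame[10:16])
    else:
        raise ValueError("management frames are not handled by this parser")
    return h
```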

4. Management Frame

All management frames share the same header.

Frame body

If the data in the frame body uses fixed-length fields, those are called fixed fields; a field whose length is not fixed is called an information element. An information element is a variable-length block of data. Each block is tagged with a type number and a size, and the data field of each kind of information element has its own specific interpretation.

Authentication Algorithm Number

The Authentication Algorithm Number field is 2 bytes long. It identifies the authentication algorithm used before association takes place; only two values are currently defined, and the remaining values are reserved for future versions.

Authentication Transaction Sequence Number

The authentication process is divided into several steps, including a challenge from the access point and a response from the mobile station attempting to associate. The Authentication Transaction Sequence Number field is 2 bytes long and is used to track the progress of authentication. Its value ranges from 1 to 65535 and cannot be 0.

Beacon interval

Beacon signals announce the existence of an 802.11 network. Besides the BSS parameter information, a Beacon frame also carries information about frames buffered at the access point. The Beacon Interval field is 16 bits long and sets the number of time units between Beacon transmissions. A time unit, usually abbreviated TU, is 1024 microseconds.

Capability information

The Capability Information field is 16 bits long. When a Beacon is transmitted, it tells the network what capabilities the sender has. The Capability Information field is also used in Probe Request and Probe Response frames. Each bit of the field is a flag corresponding to a particular network capability.

ESS / IBSS (Extended Service Set / Independent Basic Service Set)

These two bits are mutually exclusive. An access point sets the ESS bit to 1 and the IBSS bit to 0, indicating that it is part of an infrastructure network. A station in an IBSS sets the ESS bit to 0 and the IBSS bit to 1.

Privacy

Setting the Privacy bit to 1 indicates that WEP is required for confidentiality. In an infrastructure network the sender is the access point; in an IBSS, some station in the IBSS must be responsible for sending the Beacon.

Short Preamble

802.11 added this field to support the high-rate direct sequence spread spectrum physical layer. Setting it to 1 indicates that the network currently uses short preambles; 0 indicates that this option is not used and that short preambles are prohibited in this BSS. 802.11g mandates short preambles, so in networks built to the 802.11g standard this field is always set to 1.

PBCC (Packet Binary Convolutional Code)

The 802.11b specification added this field to support the high-rate direct sequence spread spectrum physical layer. Setting it to 1 indicates that the network currently uses the Packet Binary Convolutional Code modulation scheme; 0 indicates that this option is not used and that PBCC is prohibited in this BSS.

Channel Agility (agile channel switching)

This field was added to the 802.11b specification to support the high-rate direct sequence spread spectrum physical layer. Setting it to 1 indicates that the network uses the channel agility option; 0 indicates that it does not.

Short Slot Time

Setting this bit to 1 indicates that the 802.11g DSSS-OFDM frame construction option is in use.

Contention-free polling bits

Stations and access points use these two bits (CF-Pollable and CF-Poll Request) as flags. The meanings of these flags are as follows:

Current AP Address (address of the current access point)

Mobile stations use the Current AP Address field to indicate the MAC address of the access point they are currently associated with. The purpose of this field is to facilitate association and reassociation.

Listen interval == Beacon interval

When a station associates with an access point, its Listen Interval is recorded. The Listen Interval lets a mobile station indicate how long the access point must buffer frames for it. The longer the listen interval, the more memory the access point must devote to buffering frames.

Association ID

The Association ID is a 16-bit field. When a station associates with an access point, it is assigned an association identifier to assist control and management. Although 14 bits are available for the identifier, only the values 1 to 2007 are used. For compatibility with the Duration/ID field of the MAC header, the two most significant bits are set to 1.

Timestamp

The Timestamp field is used to synchronize the stations in a BSS. The BSS's master timer periodically transmits the number of microseconds it has been active; when the counter reaches its maximum value, it wraps around and starts counting from zero.

Reason Code

When a peer is not eligible to join the network, a station responds with a Disassociation or Deauthentication frame. These frames carry a 16-bit Reason Code field that indicates what the other party did wrong. Table 4-5 lists the defined reason codes.

Status Code

5. Management frame information elements

An information element is a variable-length component of a management frame. Information elements usually consist of an Element ID field, a Length field, and a variable-length data field.

6. Service Set Identifier (SSID)

Some documents treat the SSID as a network name, because network administrators usually set the SSID to a string. In fact, the SSID is simply a string of bytes that labels the network to which the BSSID belongs. Some products require this string to be a null-terminated (ending in 0) ASCII string, although the standard does not require this.
The SSID is between 0 and 32 bytes long. The special case in which no SSID is specified at all is called the broadcast SSID; the broadcast SSID is used only in Probe Request frames, and a station can use it to find all 802.11 networks in its area.
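As an added example (not code from the original post), a parser for the management frame fixed fields and information elements described in sections 4 to 6: it converts the Beacon Interval from TUs to microseconds, decodes the Capability Information bits with the ESS/IBSS mutual-exclusion check, walks Element ID / Length / data triples without reading past a truncated frame body, and decodes the SSID element including the zero-length broadcast SSID. The Capability Information bit positions in CAPABILITY_BITS are mine (not given on the page), and the sample frame body is constructed, not captured.

```python
import struct
TU_US = 1024  # one Time Unit is 1024 microseconds
CAPABILITY_BITS = {  # bit positions in the 16-bit Capability Information field (assumed, not from the page)
    0: "ESS", 1: "IBSS", 2: "CF-Pollable", 3: "CF-Poll Request", 4: "Privacy",
    5: "Short Preamble", 6: "PBCC", 7: "Channel Agility", 10: "Short Slot Time",
    13: "DSSS-OFDM"}

def decode_capability(cap):
    flags = {name: bool(cap & (1 << bit)) for bit, name in CAPABILITY_BITS.items()}
    # ESS and IBSS are mutually exclusive: exactly one of them must be set
    flags["consistent"] = flags["ESS"] != flags["IBSS"]
    return flags

def parse_information_elements(body, offset):
    """Walk Element ID / Length / data triples; flag truncation instead of reading past the end."""
    elements, malformed = [], False
    while offset + 2 <= len(body):
        eid, length = body[offset], body[offset + 1]
        data = body[offset + 2:offset + 2 + length]
        if len(data) < length:   # declared Length runs past the end of the frame body
            malformed = True
            break
        elements.append((eid, data))
        offset += 2 + length
    if offset != len(body):      # leftover bytes that do not form a complete element
        malformed = True
    return elements, malformed

def decode_ssid(data):
    if len(data) == 0:
        return "<broadcast SSID>"  # zero-length SSID: the Probe Request wildcard
    if len(data) > 32:
        raise ValueError("SSID longer than 32 bytes")
    # An SSID is raw bytes, not necessarily text: keep printable ASCII, escape the rest
    return "".join(chr(b) if 32 <= b < 127 else f"\\x{b:02x}" for b in data)

def parse_beacon_body(body):
    """Fixed fields (Timestamp, Beacon Interval, Capability Information), then information elements."""
    timestamp, interval, cap = struct.unpack_from("<QHH", body, 0)
    elements, malformed = parse_information_elements(body, 12)
    ssid = next((decode_ssid(d) for eid, d in elements if eid == 0), None)
    return {"timestamp_us": timestamp, "beacon_interval_us": interval * TU_US,
            "capability": decode_capability(cap), "ssid": ssid,
            "element_ids": [eid for eid, _ in elements], "malformed": malformed}

# Constructed sample body: 100 TU interval, ESS + Privacy set, an SSID element, then a Supported Rates element
SAMPLE_BEACON = (struct.pack("<QHH", 0x12345678, 100, 0x0011)
                 + bytes([0, 7]) + b"lab-net"
                 + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96]))
TRUNCATED_BEACON = SAMPLE_BEACON[:-2]  # constructed: the last element declares 4 bytes but only 2 remain
```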

Origin www.cnblogs.com/huangdengtao/p/12686601.html