Detailed 802.11 frame format and classification

1. Frame types

There are three main types of 802.11 frames: management, control and data. The Type field of the Frame Control field (section 2.1) tells them apart.

Management frame

Management frames establish and maintain the relationship between the access point (AP) and the wireless client; they carry no upper-layer data. Management frames have the following subtypes:

  • Authentication

  • De-authentication

  • Association Request

  • Association Response

  • Reassociation Request

  • Reassociation Response

  • Disassociation

  • Beacon

  • Probe Request

  • Probe Response

Control frame

Control frames assist the delivery of data frames: they reserve the wireless medium and acknowledge receipt. The common subtypes are:

  • Request to Send (RTS)
  • Clear to Send (CTS)
  • Acknowledgment (ACK)

Data Frame

Data frames carry upper-layer payload between stations. What you see inside a data frame is therefore whatever the network stack sends, for example:

  • DHCP
  • TCP
  • HTTP
  • EAPOL-Key (the WPA/WPA2 4-way handshake travels in data frames)
  • and many more

2. 802.11 frame format

The maximum length of a legacy (non-aggregated) 802.11 frame is 2346 bytes. The general format, with field sizes in bytes, is:

Frame Control (2) | Duration/ID (2) | Address 1 (6) | Address 2 (6) | Address 3 (6) | Sequence Control (2) | Address 4 (6, WDS only) | Frame Body (0 to 2312) | FCS (4)

Control frames use only the first one or two address fields and have neither Sequence Control nor a Frame Body; QoS data frames add a 2-byte QoS Control field after the Sequence Control field.

2.1 802.11 frame-Frame Control

Frame Control sits at the start of every 802.11 frame and occupies 2 bytes (16 bits), transmitted least-significant bit first. It contains the following fields (bit positions given in wire order):

  • Protocol Version (bits 0-1)
    Currently always 0, because this is the only version defined; the other values are reserved for future revisions.

  • Type (bits 2-3)
    00 is a management frame, 01 a control frame and 10 a data frame; 11 is reserved.

  • Subtype (bits 4-7)
    Identifies the frame within its type. For example, within management frames 1000 is Beacon and 1100 is Deauthentication; within control frames 1011 is RTS, 1100 is CTS and 1101 is ACK; within data frames 0000 is plain Data and 1000 is QoS Data.

  • To DS (bit 8) and From DS (bit 9)
    To DS = 1 means the frame is headed into the distribution system (station to AP); From DS = 1 means it comes out of the distribution system (AP to station). Both bits are 0 in management frames and in IBSS data frames, and both are 1 only in WDS (AP to AP) frames.

  • More Fragments (bit 10)
    Indicates that a long upper-layer packet has been fragmented by the MAC and that further fragments follow. Every fragment except the last sets this bit to 1.

  • Retry (bit 11)
    Set to 1 on any retransmitted frame, so that the receiver can discard duplicates (see the Sequence Control field in section 2.4).

  • Power Management (bit 12)
    Announces the power-management state the sender will be in once the current frame exchange completes: 1 means the station will be in power-save mode, 0 that it stays active.

  • More Data (bit 13)
    Used in data and management frames sent by the AP to a station in power-save mode, to indicate that more frames are buffered for it. It is always 0 in control frames.

  • Protected Frame (bit 14, originally called the WEP bit)
    1 means the frame body is encrypted (WEP, TKIP or CCMP); 0 means it is sent in the clear. It may be set in data frames, in the Authentication frames of the shared-key exchange and, with 802.11w, in protected management frames.

  • Order (bit 15)
    Set to 1 when the frame is sent using the strictly ordered service class, in which frames and fragments must be delivered in sequence, at extra cost to the sending and receiving MACs.
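As an added example (not part of the original post), the following pure-Python decoder and encoder for the Frame Control field put the bit layout above into executable form. The two-byte inputs in its comments are constructed by hand; the subtype table covers the subtypes this article names plus the QoS Data, Null and Block Ack subtypes that turn up in any modern capture.

```python
"""Decode and build the 2-byte 802.11 Frame Control field (added example)."""
import struct

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data", 3: "Reserved"}

# (type, subtype) -> name. The management and control entries are the ones the
# article lists; QoS Data, Null and Block Ack are added because they are common.
SUBTYPE_NAMES = {
    (0, 0): "Association Request",   (0, 1): "Association Response",
    (0, 2): "Reassociation Request", (0, 3): "Reassociation Response",
    (0, 4): "Probe Request",         (0, 5): "Probe Response",
    (0, 8): "Beacon",                (0, 9): "ATIM",
    (0, 10): "Disassociation",       (0, 11): "Authentication",
    (0, 12): "Deauthentication",     (0, 13): "Action",
    (1, 8): "Block Ack Request",     (1, 9): "Block Ack",
    (1, 10): "PS-Poll",              (1, 11): "RTS",
    (1, 12): "CTS",                  (1, 13): "ACK",
    (2, 0): "Data",                  (2, 4): "Null",
    (2, 8): "QoS Data",              (2, 12): "QoS Null",
}

# Flag bits of Frame Control in wire order, starting at bit 8.
FLAGS = ("to_ds", "from_ds", "more_frag", "retry",
         "pwr_mgmt", "more_data", "protected", "order")


def parse_frame_control(frame: bytes) -> dict:
    """Return the decoded Frame Control of a frame (only its first 2 bytes are read)."""
    if len(frame) < 2:
        raise ValueError("Frame Control needs 2 bytes")
    # The field is sent least-significant bit first, so read the two octets as a
    # little-endian 16-bit integer and mask from bit 0 upwards.
    fc = struct.unpack("<H", frame[:2])[0]
    version = fc & 0x3            # bits 0-1
    ftype = (fc >> 2) & 0x3       # bits 2-3
    subtype = (fc >> 4) & 0xF     # bits 4-7
    if version != 0:
        raise ValueError(f"unsupported 802.11 protocol version {version}")
    decoded = {
        "version": version,
        "type": ftype,
        "type_name": TYPE_NAMES[ftype],
        "subtype": subtype,
        "subtype_name": SUBTYPE_NAMES.get(
            (ftype, subtype), f"{TYPE_NAMES[ftype]} subtype {subtype:04b}"),
    }
    for i, name in enumerate(FLAGS):       # bits 8-15
        decoded[name] = bool((fc >> (8 + i)) & 1)
    return decoded


def build_frame_control(ftype: int, subtype: int, **flags: bool) -> bytes:
    """Inverse of parse_frame_control; unknown flag names are rejected."""
    if not 0 <= ftype <= 3 or not 0 <= subtype <= 15:
        raise ValueError("type must be 0-3 and subtype 0-15")
    fc = (ftype << 2) | (subtype << 4)     # protocol version 0
    for name, value in flags.items():
        if name not in FLAGS:
            raise ValueError(f"unknown flag {name}")
        if value:
            fc |= 1 << (8 + FLAGS.index(name))
    return struct.pack("<H", fc)


if __name__ == "__main__":
    # Constructed first two bytes of four frames, as they would appear in a capture.
    for raw in (b"\x80\x00",    # Beacon
                b"\xc0\x00",    # Deauthentication
                b"\xb4\x00",    # RTS
                b"\x08\x42"):   # Data, From DS and Protected Frame set
        d = parse_frame_control(raw)
        set_flags = [f for f in FLAGS if d[f]]
        print(f"{raw.hex()}  {d['type_name']:10} {d['subtype_name']:18} {set_flags}")
```

The byte values in the `__main__` block are worth memorising: `80 00` (Beacon), `c0 00` (Deauthentication), `b4 00` (RTS), `c4 00` (CTS) and `d4 00` (ACK) are the first two bytes of the frames most often filtered on in a capture, and `08 42` is an encrypted data frame coming from the AP.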
     

2.2 802.11 frame-Duration/ID

The second field of the 802.11 header, Duration/ID, occupies 2 bytes (16 bits). Its meaning depends on the two most significant bits:

  • Bit 15 = 0: the field is a duration. The value is the number of microseconds the sender expects the medium to stay busy after the current frame, and receivers use it to set their Network Allocation Vector (NAV), the virtual carrier-sense timer that defers access to the medium.
  • Bit 15 = 1, bit 14 = 0: the fixed value 32768, used by frames sent during a contention-free period.
  • Bits 15 and 14 both 1: the low 14 bits carry the Association ID; this form is used only by PS-Poll frames (see section 3.2).

Every station must examine the Duration/ID of every frame header it receives, including frames not addressed to it, and update its NAV whenever the received value is larger than the NAV's current value. While the NAV is non-zero the station treats the medium as busy and does not transmit.

2.3 802.11 frame-Address

The address fields carry MAC addresses; which address goes into which field depends on the frame type and on the To DS/From DS bits in Frame Control. Data frames with both bits clear (IBSS) use Address 1 = destination, Address 2 = source, Address 3 = BSSID; frames from the AP (From DS) use Address 1 = destination, Address 2 = BSSID, Address 3 = source; frames to the AP (To DS) use Address 1 = BSSID, Address 2 = source, Address 3 = destination; WDS frames (both bits set) use Address 1 = receiver, Address 2 = transmitter, Address 3 = destination and Address 4 = source.

  • Address 1
    The receiver address: the station that must decode the radio signal into an 802.11 frame. The receiver is often, but not always, also the destination, the station that processes the network-layer packet inside the frame.
    If Address 1 is a broadcast or multicast address, the receiver must also check the BSSID (Basic Service Set Identifier). Stations only accept broadcast or multicast frames from their own basic service set (BSS); those from other BSSs are ignored.
  • Address 2
    The transmitter address: the station that put the frame on the wireless medium, and the address to which the acknowledgment is sent. The transmitter is often, but not always, also the source, the station that generated the network-layer packet.
  • Address 3
    Used by access points and the distribution system for filtering. Its content depends on the network type: in an IBSS frame it is the BSSID, in a frame from the AP it is the source address, and in a frame to the AP it is the destination address.
  • Address 4
    Normally absent. It is present only in WDS (Wireless Distribution System) frames, where both To DS and From DS are set, and carries the source address.

2.4 802.11 frame-Sequence Control


This field occupies 16 bits and is used to reassemble fragments and to discard duplicate frames. It consists of a 4-bit fragment number (bits 0-3) and a 12-bit sequence number (bits 4-15).

  • The fragment number is used when an upper-layer packet is fragmented by the MAC. The first fragment is numbered 0 and each following fragment increments by 1, so the receiver can reassemble them in order. All fragments of one packet carry the same sequence number, and a retransmitted fragment keeps its fragment number.

  • The sequence number is a counter of transmitted upper-layer packets, modulo 4096. It starts at 0 and the MAC increments it by 1 for every upper-layer packet (not for every fragment). A retransmission keeps the same sequence number, which lets the receiver recognise duplicates: a frame with the Retry bit set whose transmitter address, sequence number and fragment number match the last frame received from that transmitter is dropped.

Control frames do not carry a Sequence Control field.
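The following added example (pure Python, not from the original post) parses the rest of the MAC header described in sections 2.2 to 2.4: it decodes the three Duration/ID encodings, labels the address fields according to To DS/From DS, splits Sequence Control, and applies the duplicate-detection rule (Retry bit plus transmitter address, sequence number and fragment number). The frames it parses are constructed inline and the MAC addresses are made up.

```python
"""Parse Duration/ID, the address fields and Sequence Control of an 802.11
MAC header, and detect duplicates the way a receiver does (added example)."""
import struct

# Roles of Address 1..4, selected by (To DS, From DS).
ADDRESS_ROLES = {
    (0, 0): ("DA", "SA", "BSSID", None),
    (0, 1): ("DA", "BSSID", "SA", None),
    (1, 0): ("BSSID", "SA", "DA", None),
    (1, 1): ("RA", "TA", "DA", "SA"),   # WDS: Address 4 present
}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decode_duration_id(value: int) -> dict:
    """Bit 15 / bit 14 select the meaning of the 16-bit Duration/ID field."""
    if not value & 0x8000:
        return {"kind": "duration_us", "value": value}     # NAV value in microseconds
    if value & 0x4000:
        return {"kind": "aid", "value": value & 0x3FFF}    # PS-Poll association ID
    return {"kind": "cfp", "value": value}                 # 32768 during a contention-free period


def parse_mac_header(frame: bytes) -> dict:
    """Decode a frame's MAC header; the first 2 bytes are Frame Control."""
    fc = struct.unpack("<H", frame[:2])[0]
    ftype, subtype = (fc >> 2) & 3, (fc >> 4) & 0xF
    to_ds, from_ds = (fc >> 8) & 1, (fc >> 9) & 1
    hdr = {
        "type": ftype, "subtype": subtype,
        "retry": bool((fc >> 11) & 1),
        "duration_id": decode_duration_id(struct.unpack("<H", frame[2:4])[0]),
        "addr1": mac_str(frame[4:10]),
    }
    if ftype == 1:
        # Control frames: RTS (1011) and PS-Poll (1010) also carry Address 2;
        # CTS and ACK carry only Address 1. None of them has Sequence Control.
        if subtype in (0b1011, 0b1010):
            hdr["addr2"] = mac_str(frame[10:16])
        return hdr
    addrs = [frame[4:10], frame[10:16], frame[16:22]]
    seq_ctl = struct.unpack("<H", frame[22:24])[0]
    hdr["fragment_number"] = seq_ctl & 0xF       # bits 0-3
    hdr["sequence_number"] = seq_ctl >> 4        # bits 4-15
    if to_ds and from_ds:
        addrs.append(frame[24:30])               # Address 4 follows Sequence Control
    for i, (role, raw) in enumerate(zip(ADDRESS_ROLES[(to_ds, from_ds)], addrs), 1):
        hdr[f"addr{i}"] = hdr[role] = mac_str(raw)
    return hdr


class DuplicateFilter:
    """Per-transmitter cache of the last <sequence, fragment> seen. A frame with
    Retry set that matches the cache is the duplicate of a frame whose ACK was lost."""

    def __init__(self) -> None:
        self._last = {}

    def is_duplicate(self, hdr: dict) -> bool:
        if "sequence_number" not in hdr:         # control frames are never filtered
            return False
        key = hdr["addr2"]
        seen = (hdr["sequence_number"], hdr["fragment_number"])
        dup = hdr["retry"] and self._last.get(key) == seen
        self._last[key] = seen
        return dup


def build_data_header(to_ds, from_ds, retry, duration, a1, a2, a3, seq, frag, a4=b""):
    """Construct a plain Data (subtype 0000) MAC header for the examples."""
    fc = (2 << 2) | (to_ds << 8) | (from_ds << 9) | (retry << 11)
    return (struct.pack("<HH", fc, duration) + a1 + a2 + a3
            + struct.pack("<H", (seq << 4) | frag) + a4)


# Constructed sample addresses (locally administered, not real devices).
STA = bytes.fromhex("020000000001")
AP = bytes.fromhex("0200000000aa")
WIRED_HOST = bytes.fromhex("020000000002")

# AP -> STA (From DS) frame carrying a packet from WIRED_HOST, seq 291, and its retransmission.
FROM_AP = build_data_header(0, 1, 0, 44, STA, AP, WIRED_HOST, 291, 0)
FROM_AP_RETRY = build_data_header(0, 1, 1, 44, STA, AP, WIRED_HOST, 291, 0)
# PS-Poll from STA: Duration/ID carries AID 5 with bits 15 and 14 set.
PS_POLL = struct.pack("<HH", (1 << 2) | (0b1010 << 4), 0xC000 | 5) + AP + STA


def demo() -> list:
    """Run a receiver over the sample frames; returns (subtype, is_duplicate) per frame."""
    filt = DuplicateFilter()
    out = []
    for f in (FROM_AP, FROM_AP_RETRY, PS_POLL):
        hdr = parse_mac_header(f)
        out.append((hdr["subtype"], filt.is_duplicate(hdr)))
    return out


if __name__ == "__main__":
    print(parse_mac_header(FROM_AP))
    print(parse_mac_header(PS_POLL)["duration_id"])
    print(demo())
```

The duplicate filter deliberately keys on Address 2 rather than on the source address: a retransmission is recognised by the station that put the frame on the air, which for a frame from the AP is the BSSID, not the wired host that originated the packet.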

2.5 802.11 frame-Frame Body (frame body)

The Frame Body carries the upper-layer payload between stations. A legacy 802.11 frame can carry up to 2312 bytes of upper-layer data. In a data frame the body is the LLC/SNAP-encapsulated packet (encrypted when the Protected Frame bit is set); in a management frame it is a sequence of fixed fields and information elements such as the SSID, the supported rates and the DS Parameter Set, which announces the channel.

2.6 802.11 frame-FCS (Frame Check Sequence)

802.11 frames end with the FCS, a 32-bit CRC over the MAC header and frame body (the same CRC-32 that Ethernet uses), which lets the receiver check the integrity of the received frame.
On Ethernet a frame with a bad FCS is simply discarded and a good one is passed to the upper-layer protocol. On an 802.11 network a frame that passes the check must in addition be acknowledged by the receiver: a received unicast data frame must be positively acknowledged, otherwise the sender retransmits it.
For frames that fail the FCS check, 802.11 provides no negative acknowledgment; the sender must wait for the acknowledgment timeout before retransmitting.
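As an added example (not from the original post), the code below computes and checks the FCS with Python's zlib CRC-32 and then models the sender behaviour just described: a frame whose FCS fails is dropped without any negative acknowledgment, and the sender retransmits after the ACK timeout with the Retry bit set. The frame and the "lost" attempts are constructed; the retry limit of 7 is the usual default for short frames (dot11ShortRetryLimit) and is an assumption here, not something this article states.

```python
"""Compute and verify the 802.11 FCS, and model the ACK-or-retransmit
behaviour that follows from it (added example)."""
import struct
import zlib

RETRY_BIT = 0x08   # bit 3 of the second Frame Control octet (bit 11 of the field)


def compute_fcs(frame_without_fcs: bytes) -> bytes:
    """IEEE CRC-32 (same polynomial as Ethernet), appended least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def fcs_ok(frame: bytes) -> bool:
    """True if the last 4 bytes are the correct FCS for everything before them."""
    return len(frame) >= 4 and compute_fcs(frame[:-4]) == frame[-4:]


def corrupt(frame: bytes, byte_index: int) -> bytes:
    """Flip one bit of a frame to simulate an error on the air (constructed)."""
    mutable = bytearray(frame)
    mutable[byte_index] ^= 0x01
    return bytes(mutable)


def send_with_retry(header_and_body: bytes, lost_attempts: set, retry_limit: int = 7):
    """Sender side of the exchange the text describes.

    Each attempt appends a fresh FCS (setting Retry changes the header, so the
    FCS must be recomputed). Attempts listed in lost_attempts arrive with a bit
    error; the receiver then stays silent, and after the ACK timeout the sender
    retransmits with the Retry bit set. Returns (attempts, retry_bit_set) on
    success, or None once retry_limit is exhausted.
    """
    frame = bytearray(header_and_body)
    for attempt in range(1, retry_limit + 1):
        if attempt > 1:
            frame[1] |= RETRY_BIT
        on_air = bytes(frame) + compute_fcs(bytes(frame))
        if attempt in lost_attempts:
            on_air = corrupt(on_air, len(on_air) // 2)
        if fcs_ok(on_air):                  # receiver validates, then sends the ACK
            return attempt, bool(frame[1] & RETRY_BIT)
        # bad FCS: the receiver discards silently; the sender waits for the ACK timeout
    return None


# Constructed unicast data frame (header + body, From DS, unencrypted).
SAMPLE_FRAME = (bytes.fromhex("0802 2c00")              # Frame Control, Duration 44 us
                + bytes.fromhex("020000000001")         # Address 1: receiver
                + bytes.fromhex("0200000000aa")         # Address 2: AP (BSSID)
                + bytes.fromhex("020000000002")         # Address 3: source
                + bytes.fromhex("3012")                 # Sequence Control: seq 291, frag 0
                + b"constructed payload")               # frame body

if __name__ == "__main__":
    on_air = SAMPLE_FRAME + compute_fcs(SAMPLE_FRAME)
    print("FCS:", on_air[-4:].hex(), "valid:", fcs_ok(on_air))
    print("after a 1-bit error:", fcs_ok(corrupt(on_air, 5)))
    print("delivered on attempt:", send_with_retry(SAMPLE_FRAME, lost_attempts={1, 2}))
```

The FCS only detects transmission errors; it is not a security control. Anyone who can transmit can compute a valid FCS for any frame they build, which is why the integrity of the frame body has to come from the Protected Frame mechanisms (TKIP MIC, CCMP) rather than from the CRC.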

3. Frame types in detail

3.1 Management frames

Management frames convey information through the fixed fields and information elements in the frame body. Several management frame subtypes take care of the maintenance functions of the link layer.

Beacon frames

  • Beacon frames are a central maintenance mechanism; their main purpose is to announce the existence of a network.
  • Beacons sent at regular intervals let mobile stations discover the network and learn the parameters needed to join it.
  • In an infrastructure network the AP is responsible for sending Beacon frames, and the reach of the beacons defines the basic service area. All communication in an infrastructure network passes through the AP, so a station cannot be too far from it: a station that can no longer receive the beacons is outside the service area.

Probe Request frames

  • A mobile station uses Probe Request frames to scan for the 802.11 networks present in the area.
  • A Probe Request contains two information elements: the SSID and the Supported Rates of the mobile station. A station that receives a Probe Request uses them to decide whether the sender can join its network: to be compatible, the mobile station must support all the data rates the network requires, and it names the network it wants to join with the SSID. The SSID may be that of a specific network, or the wildcard (zero-length) SSID that any compatible network answers; a driver that allows the card to join any network uses the broadcast (wildcard) SSID in its Probe Requests.

Probe Response frames

  • If the network is compatible with the parameters in the Probe Request, it answers with a Probe Response frame. The station that sent the most recent Beacon is responsible for answering probes: in an infrastructure network that is the AP, while in an IBSS the stations take turns sending Beacons, and the station that sent the last Beacon answers Probe Requests until the next Beacon is sent. The format of the Probe Response frame is shown in Figure 4-53. Some of its fields are mutually exclusive; the same rule applies to Beacon frames.
  • A Probe Response carries all the parameters of a Beacon frame, so the mobile station can match its settings to the network it wants to join. The TIM element may be omitted, because the probing station is not yet associated and does not need to know which frames the AP has buffered.

Announcement Traffic Indication Message (ATIM) frames

An IBSS has no AP, so frames cannot be buffered at an AP for sleeping stations. If a station in an IBSS has buffered frames for a receiver that is in power-save mode, it sends an ATIM frame during the ATIM window to tell that station that traffic is waiting, as shown in Figure 4-54.

Disassociation and Deauthentication

  • A Disassociation frame terminates an association.
  • A Deauthentication frame terminates an authentication relationship (and with it any association).
  • Both carry a single fixed field, the Reason Code, as shown in Figure 4-55. Their Frame Control fields differ only in the subtype. Later 802.11 revisions did not change this format, but several added new reason codes. Before 802.11w (Protected Management Frames), neither frame is authenticated or encrypted, so a station acts on any Disassociation or Deauthentication whose addresses match its connection.

Association Request

Once a mobile station has found a compatible network and authenticated to it, it sends an Association Request frame to join the network. The format of the Association Request frame is shown in Figure 4-56.

  • The Capability Information field states the type of network the mobile station wants to join. Before accepting the request, the AP checks that the Capability Information, SSID and (Extended) Supported Rates match the network's parameters. The AP also records the Listen Interval, which is how often (in beacon intervals) the station wakes up to listen for Beacon frames and check the TIM. Stations that support spectrum management include Power Capability and Supported Channels elements, and stations that support RSN security include an RSN information element.

Reassociation Request

  • A mobile station that roams between basic service areas within the same extended service area must reassociate before it can use the distribution system again. A station that leaves the AP's coverage and later returns must also reassociate, as shown in Figure 4-57.
  • The difference between an Association Request and a Reassociation Request is that the latter carries the address of the AP the station is currently (or was last) associated with. That lets the old and new APs communicate and transfer the association state, including any frames the old AP had buffered for the station.

Association Response and Reassociation Response

  • When a mobile station requests association, the AP replies with an Association Response or a Reassociation Response frame, as shown in Figure 4-58. The two differ only in the subtype recorded in Frame Control; all fields are mandatory. In the response the AP assigns an Association ID (AID); how the value is chosen is implementation-specific.

Authentication

  • In the early days of 802.11, stations authenticated with a shared key using the Authentication frame shown in Figure 4-59. Shared-key authentication remains in the standard as of 802.11i, but it is incompatible with the newer security mechanisms: a station that uses shared-key authentication cannot use the stronger RSN protocols.
  • Several authentication algorithms can coexist; the Authentication Algorithm Number field selects one. An authentication exchange may take several steps, depending on the algorithm, so each frame in the exchange carries a transaction sequence number. The use of the Status Code and Challenge Text fields varies by algorithm.

Action

  • 802.11h added Action frames, used to trigger measurements for spectrum management. They are described in detail in section 8.8 (Spectrum Management).

3.2 Control frames

Control frames assist the delivery of data frames. They mediate access to the wireless medium (though they carry no data themselves) and provide reliability at the MAC layer.

RTS (Request to Send)

RTS frames are used to gain control of the medium before transmitting a "large" frame. How large is large is set by the RTS threshold in the network card driver. The medium can be reserved only for unicast frames; broadcast and multicast frames are simply sent. The format of the RTS frame is shown in Figure 4-13. Like all control frames, an RTS consists of a header only: there is no frame body, and the FCS follows the header directly.
The MAC header of an RTS consists of four fields:

  • Frame Control
    Nothing special: the subtype is 1011, which identifies an RTS frame, and the remaining bits are the same as in other control frames. (In the 802.11 specification the last bit is the most significant, so bit 7 of Frame Control is the most significant bit of the subtype.)
  • Duration
    An RTS tries to reserve the medium for the whole frame exchange, so its sender must calculate how long the medium will be needed after the RTS ends. Figure 4-14 shows the exchange: three SIFS intervals, the CTS, the final ACK, and the time needed to send the first frame or fragment. (A fragment burst updates the Duration field with each subsequent fragment.) The resulting number of microseconds goes into the Duration field; a fractional result is rounded up to the next whole microsecond.
  • Address 1: Receiver Address
    The address of the station that is to receive the large frame.
  • Address 2: Transmitter Address
    The address of the station transmitting the RTS.

CTS (Clear to Send)

CTS frames serve two purposes; their format is shown in Figure 4-15. Originally a CTS was sent only in response to an RTS: no RTS, no CTS. Later, CTS frames were also adopted by the 802.11g protection mechanism to avoid interference with older 802.11b stations.
The MAC header of a CTS consists of three fields:

  • Frame Control
    The subtype is 1100, which identifies a CTS frame.
  • Duration
    When the CTS answers an RTS, its sender derives the duration from the RTS. The RTS reserved the medium for the whole RTS-CTS-frame-ACK exchange, but by the time the CTS is sent only the data frame (or fragment) and its acknowledgment remain. The CTS sender therefore subtracts the time needed to send the CTS and the following SIFS from the RTS duration, and places the result in the CTS Duration field. Figure 4-16 shows the relationship between the CTS and RTS durations.
  • Address 1: Receiver Address
    The receiver of the CTS is the sender of the preceding RTS, so the MAC copies the transmitter address of the RTS into the receiver address of the CTS. A CTS used for 802.11g protection is instead addressed to the sending station's own address (CTS-to-self) and serves only to set the NAV of other stations.

ACK (Acknowledgment)

ACK frames (Figure 4-17) are the positive acknowledgments the MAC requires for any data transmission, including plain frames, frames preceded by an RTS/CTS exchange, and fragments. The QoS extensions relax the requirement that every data frame be acknowledged individually.
The MAC header of an ACK consists of three fields:

  • Frame Control
    The subtype is 1101, which identifies an ACK frame.
  • Duration
    The duration is set in one of two ways, depending on where the ACK sits in the frame exchange. For a complete data frame, or the last fragment of a fragment burst, the sender has set More Fragments to 0, meaning the transmission is over and the medium need not stay reserved, so the ACK duration is 0.
    If More Fragments is 1, more fragments are still to come, and the Duration field is used as in a CTS frame: the time needed to send the ACK plus one SIFS is subtracted from the duration recorded in the fragment just received. Because this calculation matches the CTS calculation, the 802.11 specification refers to this use of the ACK duration as a virtual CTS.
  • Address 1: Receiver Address
    Copied from the frame being acknowledged, specifically from its Address 2 (transmitter) field. Acknowledgments are sent for data frames, management frames and PS-Poll frames.

PS-Poll (Power-Save Poll)

When a mobile station wakes from power-save mode, it sends a PS-Poll frame to the AP to retrieve any frames buffered for it. The format of the PS-Poll frame is shown in Figure 4-19.
The MAC header of a PS-Poll consists of four fields:

  • Frame Control
    The subtype is 1010, which identifies a PS-Poll frame.
  • AID (Association ID)
    In a PS-Poll the third and fourth bytes of the MAC header (the Duration/ID field) carry the Association ID, a value the AP assigns to identify each association. Including it lets the AP find the frames it has buffered for this mobile station.
  • Address 1: BSSID
    The BSSID of the BSS the sender currently belongs to, that is, of the AP it is associated with.
  • Address 2: Transmitter Address
    The MAC address of the station transmitting the PS-Poll.

Because the PS-Poll carries an AID rather than a duration, it cannot update the NAV in the usual way. Instead, every station that receives a PS-Poll sets its NAV to one SIFS plus the time needed to send an ACK. This automatic adjustment makes it unlikely that the AP's ACK collides with a transmission from another station.

[Association ID (AID): in a PS-Poll frame the Duration/ID field holds the Association ID, not a value for virtual carrier sense. When a mobile station associates, the AP assigns it an AID in the range 1 to 2007.]
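The following added example (pure Python, not from the original post) builds the RTS, CTS, ACK and PS-Poll headers described above with their subtype codes, derives the CTS and ACK Duration values from the RTS reservation, and applies the NAV update rule of section 2.2 at a third station. SIFS and the airtimes of the CTS, ACK and data frame are parameters chosen for the demonstration, not PHY constants from the standard; the MAC addresses are made up.

```python
"""Build 802.11 control frames and derive their Duration values (added example)."""
import math
import struct

RTS, CTS, ACK, PS_POLL = 0b1011, 0b1100, 0b1101, 0b1010   # control-frame subtypes


def control_fc(subtype: int) -> bytes:
    """Frame Control for a control frame: version 0, type 01, no flags set."""
    return struct.pack("<H", (1 << 2) | (subtype << 4))


def rts_duration(sifs_us: float, cts_us: float, data_us: float, ack_us: float) -> int:
    """Reserve SIFS+CTS+SIFS+DATA+SIFS+ACK; fractions round up to whole microseconds."""
    return math.ceil(3 * sifs_us + cts_us + data_us + ack_us)


def remaining_after(duration: int, own_airtime_us: float, sifs_us: float) -> int:
    """CTS (and ACK-as-virtual-CTS) duration: what is left of the reservation
    once this frame and the SIFS after it are over; never negative."""
    return max(0, duration - math.ceil(own_airtime_us + sifs_us))


def build_rts(ra: bytes, ta: bytes, duration: int) -> bytes:
    return control_fc(RTS) + struct.pack("<H", duration) + ra + ta    # 16 bytes, then FCS


def build_cts(ra: bytes, duration: int) -> bytes:
    return control_fc(CTS) + struct.pack("<H", duration) + ra         # 10 bytes, then FCS


def build_ack(ra: bytes, duration: int = 0) -> bytes:
    return control_fc(ACK) + struct.pack("<H", duration) + ra         # 10 bytes, then FCS


def build_ps_poll(bssid: bytes, ta: bytes, aid: int) -> bytes:
    """Duration/ID carries the AID with bits 15 and 14 set; AIDs run from 1 to 2007."""
    if not 1 <= aid <= 2007:
        raise ValueError("AID must be in 1..2007")
    return control_fc(PS_POLL) + struct.pack("<H", 0xC000 | aid) + bssid + ta


def respond_to_rts(rts: bytes, sifs_us: float, cts_us: float) -> bytes:
    """Receiver side: the CTS goes back to the RTS transmitter (its Address 2),
    with the RTS duration reduced by the CTS airtime and one SIFS."""
    rts_dur = struct.unpack("<H", rts[2:4])[0]
    return build_cts(rts[10:16], remaining_after(rts_dur, cts_us, sifs_us))


def ack_for(frame_duration: int, more_fragments: bool,
            sifs_us: float, ack_us: float, ra: bytes) -> bytes:
    """ACK duration is 0 after a complete frame or last fragment, else a virtual CTS."""
    dur = remaining_after(frame_duration, ack_us, sifs_us) if more_fragments else 0
    return build_ack(ra, dur)


class Nav:
    """Virtual carrier sense at a third station: only a larger value extends the NAV.
    (A real NAV counts down with time; this model only applies the update rule.)"""

    def __init__(self) -> None:
        self.value = 0

    def hear(self, frame: bytes) -> int:
        duration_id = struct.unpack("<H", frame[2:4])[0]
        if duration_id & 0x8000:            # an AID or CFP value, not a duration
            return self.value
        self.value = max(self.value, duration_id)
        return self.value


STA = bytes.fromhex("020000000001")   # constructed addresses
AP = bytes.fromhex("0200000000aa")


def exchange(sifs_us=10, cts_us=44, data_us=300, ack_us=44) -> dict:
    """Full RTS/CTS/DATA/ACK reservation as seen by a third station's NAV."""
    rts = build_rts(AP, STA, rts_duration(sifs_us, cts_us, data_us, ack_us))
    cts = respond_to_rts(rts, sifs_us, cts_us)
    ack = ack_for(0, False, sifs_us, ack_us, STA)
    nav = Nav()
    return {"rts": rts, "cts": cts, "ack": ack,
            "nav_after": [nav.hear(rts), nav.hear(cts), nav.hear(ack)]}


if __name__ == "__main__":
    for name, value in exchange().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

Note that `Nav.hear` honours any duration it receives, which is the behaviour the standard requires: a station that transmits RTS or CTS frames with the maximum duration value can keep every other station's NAV raised, so the NAV is a cooperative mechanism and not one a receiver can verify.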

4. Station states and frame classes

Which frames a station may send depends on its authentication and association status. A station may be authenticated or not, and associated or not. Of the combinations of these two variables, three are possible states, and they form the progression of an 802.11 connection:

  1. Initial state: not authenticated and not associated
  2. Authenticated but not associated
  3. Authenticated and associated

Each state is a stage in the development of an 802.11 connection. A mobile station starts in state 1, and only in state 3 can it send data through the distribution system. (An IBSS has no AP and requires no association, so its stations only reach state 2.) The overall state diagram for 802.11 frame transmission is shown in Figure 4-60.

Frames are divided into three classes. In state 1 only class 1 frames may be transmitted; in state 2, class 1 and class 2 frames; in state 3, class 1, 2 and 3 frames.

Class 1 frames

Class 1 frames can be transmitted in any state and provide the basic operations of an 802.11 station. The control frames are used to obey the CSMA/CA rules and to send frames, and in an IBSS they are the frames stations use to exchange data. Stations also use class 1 frames to find an infrastructure network and authenticate to it. Table 4-11 lists the frames belonging to class 1: the RTS, CTS, ACK and CF-End control frames; the Probe Request, Probe Response, Beacon, Authentication, Deauthentication and ATIM management frames; and data frames with both To DS and From DS clear.

Class 2 frames

A station may send class 2 frames only after it has authenticated, so they are usable only in states 2 and 3. Class 2 frames manage associations: after a successful association or reassociation the station enters state 3, and after a failed one it remains in state 2. When a station receives a class 2 frame from an unauthenticated station, it replies with a Deauthentication frame, pushing the sender back to state 1. Table 4-12 lists the class 2 frames: Association Request and Response, Reassociation Request and Response, and Disassociation; there are no class 2 control or data frames.
Class 3 frames

Class 3 frames are used once a station has authenticated and associated with an AP. In state 3 a station can use the distribution system services and communicate with destinations outside the AP's range, and it can use PS-Poll frames to take advantage of the AP's power-saving service. The class 3 table lists data frames with To DS or From DS set, PS-Poll control frames and Deauthentication management frames.
If an AP receives a class 3 frame from a station that is authenticated but not associated, it replies with a Disassociation frame, forcing the station back to state 2. If the sending station is not even authenticated, the AP replies with a Deauthentication frame, forcing it back to state 1.
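As an added example (not from the original post), the following pure-Python model enforces the state machine of this section on the AP side: every received frame is assigned a class, a frame of a class higher than the sender's state is answered with a Deauthentication or Disassociation, and accepted Authentication and Association Requests move the station forward. The classification follows the class tables above; the acceptance hooks stand in for the real authentication and association checks, and the station addresses are made up. The same logic is why a forged Deauthentication carrying a station's address (unauthenticated before 802.11w) is enough to make the AP drop that station back to state 1.

```python
"""AP-side model of the 802.11 station state machine and frame classes (added example)."""
from enum import IntEnum


class State(IntEnum):
    UNAUTH_UNASSOC = 1      # state 1: initial
    AUTH_UNASSOC = 2        # state 2: authenticated, not associated
    AUTH_ASSOC = 3          # state 3: authenticated and associated


# Frame class per subtype, from the class 1/2/3 tables above. Data frames are
# classified by their To DS/From DS bits, so they appear under two names.
FRAME_CLASS = {
    "RTS": 1, "CTS": 1, "ACK": 1, "CF-End": 1,
    "Probe Request": 1, "Probe Response": 1, "Beacon": 1,
    "Authentication": 1, "Deauthentication": 1, "ATIM": 1,
    "Data (IBSS)": 1,
    "Association Request": 2, "Association Response": 2,
    "Reassociation Request": 2, "Reassociation Response": 2,
    "Disassociation": 2,
    "Data (DS)": 3, "PS-Poll": 3,
}


class AccessPoint:
    """Tracks one State per station address and answers frames accordingly."""

    def __init__(self, accept_auth=lambda sta: True, accept_assoc=lambda sta: True):
        self.states = {}
        self.accept_auth = accept_auth       # hooks standing in for the real checks
        self.accept_assoc = accept_assoc

    def state_of(self, sta: str) -> State:
        return self.states.get(sta, State.UNAUTH_UNASSOC)

    def receive(self, sta: str, frame: str) -> tuple:
        """Return (response_frame_or_None, new_state) for a frame from station sta."""
        state = self.state_of(sta)
        frame_class = FRAME_CLASS[frame]
        # A frame of a higher class than the sender's state is not processed; the
        # AP answers with the frame that resets the sender to the matching state.
        if frame_class > state:
            if state == State.UNAUTH_UNASSOC:
                return "Deauthentication", state           # class 2 or 3 from state 1
            return "Disassociation", state                 # class 3 from state 2
        # Transitions driven by accepted frames.
        if frame == "Authentication":
            if self.accept_auth(sta):
                self.states[sta] = State.AUTH_UNASSOC
                return "Authentication (success)", self.states[sta]
            return "Authentication (failure)", state
        if frame in ("Association Request", "Reassociation Request"):
            response = frame.replace("Request", "Response")
            if self.accept_assoc(sta):
                self.states[sta] = State.AUTH_ASSOC
                return response + " (success)", self.states[sta]
            return response + " (failure)", state          # stays in state 2
        if frame == "Disassociation":
            self.states[sta] = State.AUTH_UNASSOC          # back to state 2
            return None, self.states[sta]
        if frame == "Deauthentication":
            self.states[sta] = State.UNAUTH_UNASSOC        # back to state 1
            return None, self.states[sta]
        return None, state                                 # accepted, no state change


def demo() -> list:
    """Walk one station through the states; returns (frame, response, state) per step."""
    ap = AccessPoint()
    sta = "02:00:00:00:00:01"   # constructed address
    trace = []
    for frame in ("Data (DS)",              # state 1: class 3 -> Deauthentication
                  "Authentication",         # -> state 2
                  "Data (DS)",              # state 2: class 3 -> Disassociation
                  "Association Request",    # -> state 3
                  "Data (DS)",              # accepted
                  "PS-Poll",                # accepted
                  "Deauthentication",       # class 1, always processed: -> state 1
                  "Data (DS)"):             # class 3 from state 1 again
        response, state = ap.receive(sta, frame)
        trace.append((frame, response, int(state)))
    return trace


if __name__ == "__main__":
    for step in demo():
        print(step)
```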

Source: blog.csdn.net/weixin_40535588/article/details/112765278