802.11 MAC frames

frame format

An 802.11 MAC frame mainly consists of 3 parts:

  1. MAC header: includes Frame Control, Duration, Address and other fields
  2. Frame body: the data field. Its length is variable, and what it stores is determined by the frame type (Type) and subtype (Subtype)
  3. FCS (Frame Check Sequence): used to ensure frame data integrity

MAC header

Frame control area

Length: 2 bytes in total (16 bits)

Protocol Version

Represents the version number of an 802.11 MAC frame. The current value is 0.

Type and Subtype

These two fields indicate the type of MAC frame. MAC frames in 802.11 are divided into three types, namely control, data, and management, and each type of frame is used to complete different functions.

To DS and From DS

Used only in frames of the data type. They indicate the source and destination addresses of the frame.

More Fragments

Indicates whether the data is fragmented. Only the data and management frame types support it.

Retry

If the value is 1, it indicates that the packet is retransmitted.

Power Management

Indicates whether the STA sending the frame is in the active mode or in the power-saving mode. PM being 1 means that the STA will enter the PS state, otherwise it will enter the Active state.

The 802.11 specification defines two power-related states for a STA (an AP usually has no PS mode, because it runs on wired power):

  1. Active mode.
  2. PS (Power Save) mode. In PS mode, the wireless device turns off its transceiver to save power.
    To save power by turning off the transceiver while still ensuring the continuity of data transmission:
    a) The AP tracks the power state of its associated STAs. When a STA is in PS mode, the AP caches its data and waits for the STA to become active before sending the data to it
    b) The AP sends out its cached data regularly; a STA in PS mode periodically wakes to receive, and when it receives cached data from the AP, it switches to Active mode and retrieves the AP's cached frames through PS-POLL control frames

Scenarios where the PM field is useless:

  1. Management frames that the AP does not cache
  2. Frames sent by the AP
  3. Frames sent by a STA to an AP that it has not yet associated with

More Data

PM field = 1: the AP has cached data. The AP buffers some data frames for the STAs in power-saving mode, and those STAs periodically check whether there is data to receive.
More Data indicates whether cached data remains, that is, whether the STA has fetched all the data the AP buffered for it. If the value is 0, it indicates that the STA has received the data frames.

Protected Frame

Indicates whether the data is encrypted.

Order

Indicates that the receiver must process the frame in order.

Duration/ID field

2 bytes in total (16 bits). Its specific meaning varies according to Type and Subtype, and can be roughly divided into 2 categories:

  1. For PS-POLL frames, this field carries the AID value. The last 2 bits must be 1, and the first 14 bits take a value from 1 to 2007. This is where the field name ID comes from
  2. For other frames, it represents how long it will be before the arrival of the next frame, in microseconds. This is where the field name Duration comes from

Address area

MAC address features, as defined by the IEEE 802.3 [19] protocol:

  1. A MAC address is 6 bytes long and is written in hexadecimal
  2. A MAC address has two parts. Bits 0 to 23 are the code that the manufacturer applies for from organizations such as the IETF to identify the manufacturer, also known as the "Organizationally Unique Identifier" (OUI). The last 24 bits are a unique number for each network card the manufacturer produces
  3. The 48th bit indicates whether the address is a multicast address or a unicast address: 0 is unicast, 1 is multicast
  4. The 47th bit indicates whether the MAC address is globally unique or locally unique. Therefore, this bit is also called the G/L bit

The 802.11 MAC frame header contains five MAC address definitions:

  1. BSSID
    In a basic BSS, it is the MAC address of the AP.
    In an IBSS, it is a locally unique MAC address.
    When it is the MAC broadcast address, it is called the wildcard BSSID.

  2. Destination Address (DA)
    The final receiver of the MAC packet.

  3. Source Address (SA)
    The address that originally sent the MAC packet.

  4. Transmitter Address (TA)
    The address of the STA that sends the MAC packet into the WM.

  5. Receiver Address (RA)
    If the receiver is also a STA, RA is the same as DA.
    If the receiver is not a wireless station but, for example, a PC on the Ethernet, then DA is the MAC address of that machine and RA is the MAC address of the AP (the relay). This means the frame is sent to the AP first, and the AP then forwards it to the PC.

Address1: the receiver

Address2: the sender

Address3: carries other information that helps MAC frame transmission

Sequence Control field

The length is 16 bits: the first 4 bits are the fragment number (Fragment Number), and the last 12 bits are the frame sequence number (Sequence Number).
Sequence Number: a STA sets a frame sequence number every time it sends a data frame. Note that control frames do not have a frame sequence number. Additionally, retransmitted frames do not use a new frame sequence number.
Fragment Number: used to control fragmented frames. If the amount of data is too large, the MAC layer sends it in fragments. Each fragment frame has a corresponding fragment number.
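The header fields described above (Frame Control, Duration/ID, the address fields and Sequence Control), decoded from raw bytes. This is an added example, not code from the original page; the To DS/From DS address table, the PS-POLL subtype value 10 and the sample frame are supplied here from the 802.11 header layout rather than taken from the page, and "last 2 bits" of the AID is read as bits 14 and 15.

```python
import struct

TYPES = {0: "management", 1: "control", 2: "data"}
FLAGS = ("to_ds", "from_ds", "more_frag", "retry",
         "pwr_mgmt", "more_data", "protected", "order")
# Meaning of Address1..3 in data frames, keyed by (To DS, From DS).
ADDR_ROLES = {(0, 0): ("DA", "SA", "BSSID"), (0, 1): ("DA", "BSSID", "SA"),
              (1, 0): ("BSSID", "SA", "DA"), (1, 1): ("RA", "TA", "DA")}
PS_POLL = 10  # control-frame subtype whose Duration/ID field carries an AID

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_header(frame: bytes) -> dict:
    if len(frame) < 4:
        raise ValueError("truncated before Duration/ID")
    fc, dur = struct.unpack_from("<HH", frame)       # fields are little-endian
    h = {"version": fc & 0x3, "type": TYPES.get((fc >> 2) & 0x3, "reserved"),
         "subtype": (fc >> 4) & 0xF}
    h.update({name: (fc >> (8 + i)) & 1 for i, name in enumerate(FLAGS)})
    if h["type"] == "control":                       # no Sequence Control field
        if h["subtype"] == PS_POLL:
            aid = dur & 0x3FFF
            if dur >> 14 != 0b11 or not 1 <= aid <= 2007:
                raise ValueError("PS-POLL with invalid AID")
            h["aid"] = aid
        return h
    if h["type"] == "reserved":
        return h
    if len(frame) < 24:
        raise ValueError("truncated 3-address header")
    a1, a2, a3, sc = struct.unpack_from("<6s6s6sH", frame, 4)
    h["duration_us"] = dur
    h["fragment"], h["sequence"] = sc & 0xF, sc >> 4
    roles = (ADDR_ROLES[(h["to_ds"], h["from_ds"])] if h["type"] == "data"
             else ("DA", "SA", "BSSID"))             # management frames
    h["addresses"] = dict(zip(roles, map(mac, (a1, a2, a3))))
    if roles[0] == "RA":                             # To DS = From DS = 1
        if len(frame) < 30:
            raise ValueError("truncated Address4")
        h["addresses"]["SA"] = mac(frame[24:30])
    return h

# Constructed sample: data frame, To DS=1, Retry=1, Protected=1, sequence 0x123.
SAMPLE = bytes.fromhex("08492c00" "aabbcc000001" "020000000010"
                       "020000000020" "3012")
```

Calling parse_header(SAMPLE) shows how To DS = 1 moves the BSSID into Address1 and the final destination into Address3.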

management frame

Format

The Frame Body in the management frame carries specific management information data. The 802.11 management information data can be roughly divided into two types:

  1. Fixed-length field: information with a fixed length, which the specification calls a Fixed Field
  2. Information element: information of variable length. Such information must carry a parameter that indicates the length of its data

fixed length field

Authentication Algorithm Number: the authentication type used in the authentication process
0: Open System Authentication.
1: Shared Key Authentication.
2: Fast BSS Transition.
3: SAE (Simultaneous Authentication of Equals). A method for mutual authentication between two STAs, commonly used in Mesh BSS networks.
65535: a manufacturer's custom algorithm

Beacon Interval field: indicates the interval between Beacon transmissions, in Time Units

Capability Information: declares which functions this network has
ESS/IBSS: In an infrastructure network, the AP sets the ESS bit to 1 and the IBSS bit to 0. Conversely, in an IBSS, the STA sets the ESS bit to 0 and the IBSS bit to 1. In a Mesh BSS, both bits are 0.
Privacy: If data confidentiality needs to be maintained during transmission, the AP sets this bit to 1, otherwise it is 0.
Spectrum Mgmt: If dot11SpectrumManagementRequired in the MIB of a device is true, this bit is 1. According to the description of dot11SpectrumManagementRequired in the 802.11 MIB, it is related to the TPC (Transmission Power Control) and DFS (Dynamic Frequency Selection) functions introduced earlier.
Radio Measurement: If dot11RadioMeasurementActivated in the MIB of a device is true, this bit is 1, which indicates that the wireless network supports the Radio Measurement Service.

Reason Code: This field is 2 bytes long. It is used to notify the failure reason in Disassociation, Deauthentication and other operations (including DELTS, DELBA, DLS Teardown, etc.)

Status Code: This field is 2 bytes long and is used to report the processing result of an operation. 0 means success.

information element

Element ID: Indicates different information element types
Length: Indicates the length of the Information field
Depending on the Element ID, Information contains different information
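How the fixed-length fields and the information elements sit together in a management frame body, using a Beacon body as the case. This is an added example, not code from the original page; the 8-byte Timestamp that precedes Beacon Interval, the capability bit positions, the Element IDs 0 (SSID) and 3 (DS Parameter Set) and the sample bytes are supplied here and are not taken from the page. The parser rejects any element whose Length runs past the end of the body, which is the check a receiver has to make before trusting that field.

```python
import struct

# Capability Information bit positions for the flags described above.
CAP_BITS = {"ess": 0, "ibss": 1, "privacy": 4,
            "spectrum_mgmt": 8, "radio_measurement": 12}

def parse_elements(buf: bytes) -> list:
    """Walk Element ID / Length / Information triples, rejecting overruns."""
    out, off = [], 0
    while off < len(buf):
        if len(buf) - off < 2:
            raise ValueError(f"dangling byte at offset {off}")
        eid, length = buf[off], buf[off + 1]
        info = buf[off + 2: off + 2 + length]
        if len(info) != length:          # Length points past the frame body
            raise ValueError(
                f"element {eid} claims {length} bytes, {len(info)} left")
        out.append((eid, info))
        off += 2 + length
    return out

def parse_beacon_body(body: bytes) -> dict:
    if len(body) < 12:
        raise ValueError("beacon body shorter than its fixed fields")
    # Fixed fields: Timestamp (8), Beacon Interval (2), Capability (2).
    _timestamp, interval, cap = struct.unpack_from("<QHH", body)
    return {
        "beacon_interval_tu": interval,
        "capabilities": {n: bool((cap >> b) & 1) for n, b in CAP_BITS.items()},
        "elements": parse_elements(body[12:]),
    }

# Constructed sample: interval 100 TU, ESS + Privacy set, two elements.
SAMPLE_BODY = (struct.pack("<QHH", 0, 100, 0x0011)
               + bytes([0, 4]) + b"lab1"   # Element ID 0 (SSID), Length 4
               + bytes([3, 1, 6]))         # Element ID 3 (DS Parameter Set)
```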

802.11 upper layer protocol encapsulation

RFC 1042 specifies the SNAP header (Sub Network Access Protocol) conversion method, which adds 4 fields between the MAC header and Type.

DSAP (Destination Service Access Point, target service access point).
SSAP (Source Service Access Point, source service access point).
Control (control field, the value is set to 0x03, representing Unnumbered Information, that is, unnumbered information).
OUI (fixed at 0x000000).
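The RFC 1042 conversion in both directions, as an added example that is not part of the original page. The DSAP and SSAP value 0xAA comes from RFC 1042 rather than from this page, and the function names and the sample Ethernet frame are constructed for illustration; the body passed in is assumed to be already decrypted.

```python
# DSAP, SSAP, Control (0x03, Unnumbered Information), OUI (0x000000).
SNAP_PREFIX = bytes([0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00])

def encapsulate(eth: bytes) -> tuple:
    """Ethernet II frame -> (DA, SA, 802.11 frame body with LLC/SNAP)."""
    if len(eth) < 14:
        raise ValueError("shorter than an Ethernet header")
    da, sa, ethertype, payload = eth[:6], eth[6:12], eth[12:14], eth[14:]
    if int.from_bytes(ethertype, "big") < 0x0600:
        raise ValueError("802.3 length field, not an Ethernet II Type")
    return da, sa, SNAP_PREFIX + ethertype + payload

def decapsulate(da: bytes, sa: bytes, body: bytes) -> bytes:
    """802.11 data frame body -> Ethernet II frame for the wired side."""
    if len(da) != 6 or len(sa) != 6:
        raise ValueError("DA and SA must be 6 bytes each")
    if len(body) < 8:
        raise ValueError("body too short for LLC/SNAP and Type")
    if body[:6] != SNAP_PREFIX:
        raise ValueError("not RFC 1042 LLC/SNAP encapsulation")
    return da + sa + body[6:8] + body[8:]

# Constructed sample: Ethernet II frame with Type 0x0800 and a dummy payload.
SAMPLE_ETH = bytes.fromhex("020000000020" "020000000010" "0800") + b"payload"
```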

Origin blog.csdn.net/htt789/article/details/129345467