Tuesday, 26 May 2015

Interframe Spaces (IFS)

Today I'll present Interframe Spaces (IFS). What is an IFS? The IFS is a quiet period that APs and STAs must wait before any 802.11 frame transmission.
There are several types of IFS; from shortest to longest, they are:

RIFS - Reduced Interframe Space
            Used only by 802.11n devices using MIMO; it precedes data frames and
            is used between frames of a Contention Free Burst, when block
            acknowledgements are enabled. The length is always 2 microseconds.

SIFS - Short Interframe Space
            Used to determine the length of other IFSs. A commonly used IFS,
            applied whenever arbitration has been completed.
            Set to 10 microseconds (b/g/n in 2.4GHz) and 16 microseconds (a/n/ac
            in 5GHz).

PIFS - PCF Interframe Space
            Used only with the Channel Switch Announcement frame,
            which is one of the action frames from 802.11h. Equal to one slot time
            plus one SIFS.

DIFS - DCF Interframe Space
             Used to force ordinary data frames to stay quiet for enough time to
             allow higher-priority frames to have access to the channel. It's used
             before the arbitration process. Equal to a SIFS plus two slot times.
             Slot time:
             9 microseconds - a/n (5GHz) and g/n (2.4GHz, HT or ERP with short
             preamble)
             20 microseconds - b/g/n (2.4GHz, DSSS) and HT or ERP with long
             preamble
             50 microseconds - FHSS
             Used only by APs and STAs that do not support QoS.

AIFS - Arbitration Interframe Space
             Used by APs and STAs that support 802.11e QoS. Used before the
             arbitration process. It is not a static value; its value changes based on
             the priority level of the data, per 802.11e QoS:
             Voice & Video - 2 slot times
             Best Effort - 3 slot times
             Background - 7 slot times

EIFS - Extended Interframe Space
             Used to give APs and STAs a chance to retransmit after a failed frame
             reception. When APs or STAs hear a corrupt frame on the channel (FCS
             fails), they stay quiet for an EIFS. Set to SIFS plus DIFS plus the time it
             takes an Ack frame to transmit:
             364 microseconds - b/g/n (2.4GHz, DSSS)
             160 microseconds - a/n (5GHz), g/n (2.4GHz, OFDM)

Wednesday, 1 April 2015

Management Frame

Management frames form the skeleton of wireless networks. They allow wireless devices to form a network and manage the connection.

Management frames always have a standard 24-byte-long MAC header with three addresses, followed by a body of variable size.

Management frames are sourced and dealt with at the MAC layer and never forwarded to the upper layers.
Management frames do not carry any upper-layer information. There is no MSDU encapsulated in the MMPDU frame body, 
which carries only layer 2 information fields and information elements. 

Information fields are fixed-length mandatory fields in the body of a management frame. 
Information elements are variable in length and are optional.

Management frames are always limited to the cell space; they are never relayed through an access point to the DS, from the DS, 
or from a station to another station. For this reason, management frames sent by access points always have the To DS and From DS 
fields set to 0.

Management frames are used by STAs to join and leave a BSS.

A management frame is also known as a Management MAC Protocol Data Unit (MMPDU).

When 802.11n is in use, the header is extended to show the HT Control section.


Management frames are of type 00 and have many different subtypes:
  • Association Request (Subtype 0000 [0])
  • Association Response (Subtype 0001 [1])
  • Reassociation Request (Subtype 0010 [2])
  • Reassociation Response (Subtype 0011 [3])
  • Probe Request (Subtype 0100 [4])
  • Probe Response (Subtype 0101 [5])
  • Beacon (Subtype 1000 [8])
  • Announcement Traffic Indication Message (ATIM) (Subtype 1001 [9])
  • Disassociation (Subtype 1010 [10])
  • Authentication (Subtype 1011 [11])
  • Deauthentication (Subtype 1100 [12])
  • Action (Subtype 1101 [13])
  • Action no ack (Subtype 1110 [14])

All of the above subtypes will be discussed in the following posts.
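
The layout described above (24-byte header, then fixed-length information fields, then optional variable-length information elements) can be walked with a short bounds-checked parser. This is an added example, not code from the original post; it assumes a beacon without FCS or HT Control, the standard beacon fixed fields (timestamp, beacon interval, capability) and the ID/length/value element encoding, and the sample frame is constructed.

```python
import struct

MGMT_HEADER_LEN = 24    # standard management MAC header with three addresses
BEACON_FIXED_LEN = 12   # timestamp (8) + beacon interval (2) + capability (2)

def parse_beacon(frame: bytes) -> dict:
    """Split a beacon (no FCS, no HT Control) into fixed fields and elements."""
    if len(frame) < MGMT_HEADER_LEN + BEACON_FIXED_LEN:
        raise ValueError("frame too short for a beacon")
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype != 8:
        raise ValueError("not a beacon (type 00, subtype 1000)")
    if fc & 0x0300:
        raise ValueError("To DS / From DS must be 0 in a management frame")
    timestamp, interval, capability = struct.unpack_from("<QHH", frame, MGMT_HEADER_LEN)
    elements, pos = [], MGMT_HEADER_LEN + BEACON_FIXED_LEN
    while pos < len(frame):
        if pos + 2 > len(frame):
            raise ValueError("truncated information element header")
        eid, length = frame[pos], frame[pos + 1]
        if pos + 2 + length > len(frame):   # never trust the length byte
            raise ValueError(f"element {eid} claims {length} bytes past end of frame")
        elements.append((eid, frame[pos + 2 : pos + 2 + length]))
        pos += 2 + length
    return {"timestamp": timestamp, "beacon_interval": interval,
            "capability": capability, "elements": elements}

# Constructed sample: a beacon for SSID "lab" on channel 6 (addresses made up).
SAMPLE_BEACON = (
    bytes.fromhex("8000" "0000")                 # frame control, duration
    + bytes.fromhex("ffffffffffff")              # address 1: broadcast
    + bytes.fromhex("020000000001") * 2          # address 2 (SA) and 3 (BSSID)
    + bytes.fromhex("1000")                      # sequence control
    + struct.pack("<QHH", 1000, 100, 0x0001)     # fixed information fields
    + bytes([0, 3]) + b"lab"                     # element 0: SSID
    + bytes([3, 1, 6])                           # element 3: DS Parameter Set
)
```

The length check inside the loop is the part that matters when parsing frames from untrusted air: an element whose length byte runs past the end of the frame is rejected instead of read.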

Monday, 30 March 2015

As part of my preparation for the CWAP exam, in the next couple of posts I will be discussing frames and frame formats.

In this post we'll look at a generic frame format and discuss its content.

A generic frame has the following format:


It consists of three distinct parts:
1. MAC Header
2. Frame Body
3. FCS (Frame Check Sequence)

MAC Header

The MAC header consists of several fields, though not all of them are always present.

Frame Control Field

It is a 2-byte field that is always present; it contains the following fields:


  • Protocol Version (2 bits) is always set to 0
  • Type (2 bits) and Subtype (4 bits), together they identify the function of the frame.  
    • Type:
      • Management Frame (00)
      • Control Frame (01)
      • Data Frame (10)
      • Reserved (11)
    • Subtype: the meaning of this field depends on the Type field value; the various subtypes will be discussed in separate posts
  • To DS (1 bit) and From DS (1 bit)
    • To DS (To Distribution System) and From DS (From Distribution System); these fields work in tandem, and they represent the following:
      • To DS = 0, From DS = 0
        • Management or Control Frames
        • Direct frame from one STA to another STA (in IBSS)
        • Direct frame from one STA to another STA (in STSL 802.11z)
      • To DS = 1, From DS = 0
        • Frame sent upstream, from STA to AP
      • To DS = 0, From DS = 1
        • Frame sent downstream, from AP to STA
      • To DS = 1, From DS = 1
        • Data frame uses the four-address format (not defined by the standard; usually used with WDS, i.e. WLAN bridges or mesh networks)
  • More Fragments (1 bit)
    • If set to 1, more fragments to follow
    • Broadcast & Multicast frames are never fragmented
  • Retry (1 bit)
    • If set to 1, it indicates that the frame is being retransmitted
    • All unicast frames have to be ACKed (or BlockACKed); if no ACK is received, the frame needs to be retransmitted
  • Power Management (1 bit)
    • STA informs AP that it goes into Power Save mode by setting this field to 1
  • More Data (1 bit)
    • If set to 1, it indicates more data frames are buffered on the AP destined for the STA
  • Protected Frame (1 bit)
    • If set to 1, it indicates the MSDU is encrypted
  • Order (1 bit)
    • Legacy, this field is rarely used

Duration/ID Field

This is a 2-byte field; its contents vary with frame type and subtype, and with whether the STA supports QoS capabilities:
  • In control frames of subtype PS-Poll, the field carries the association identifier (AID) of the STA that transmitted the frame in the 14 least significant bits, with the 2 most significant bits both set to 1. The value of the AID is in the range 1-2007.
  • When a STA transmits a unicast frame, the Duration/ID uses bits 0-14 (bit 15 set to 0) to represent a value from 0 to 32,767. This value is used to reset the NAV (Network Allocation Vector) timer, which is used by virtual carrier sense.

MAC Layer Addressing

802.11 frames have up to four address fields in the MAC header. 802.11 frames typically use only three of the MAC address fields, but an 802.11 frame sent within a wireless distribution system (WDS) requires all four MAC addresses. Below are all possible options that can be used, depending on To DS and From DS values:


Sequence Control Field

Used by a receiving station to eliminate duplicate received frames and to reassemble fragments.


  • Fragment Number (4 bits)
    • Assigned to each fragment of an MSDU
    • The first, or only, fragment of an MSDU is assigned a fragment number of 0. Each successive fragment is assigned a sequentially incremented fragment number
    • The fragment number is the same in a transmission or any retransmission of a particular frame or fragment
    • Fragments are always sent in what is known as a fragment burst
  • Sequence Number (12 bits)
    • Assigned sequentially by the sending station to each MPDU and MMPDU
    • The sequence number can have a value of 0 to 4095
    • This sequence number is incremented after each assignment and wraps back to 0 when incremented from 4095
    • The sequence number for a particular MSDU is transmitted in every data frame associated with the MSDU. It is constant over all transmissions and retransmissions of the MSDU
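
The Frame Control, Duration/ID and Sequence Control fields described above can be decoded from raw header bytes as follows. This is an added example, not code from the original post; it assumes little-endian field encoding as transmitted, control subtype 1010 for PS-Poll, and constructed sample frames with made-up addresses.

```python
import struct

TYPES = ("Management", "Control", "Data", "Reserved")
FLAGS = ("to_ds", "from_ds", "more_fragments", "retry",
         "power_mgmt", "more_data", "protected", "order")

def parse_header(frame: bytes) -> dict:
    """Decode Frame Control, Duration/ID and (if present) Sequence Control."""
    if len(frame) < 4:
        raise ValueError("frame shorter than Frame Control + Duration/ID")
    fc, dur_id = struct.unpack_from("<HH", frame, 0)
    hdr = {"version": fc & 0x3, "type": TYPES[(fc >> 2) & 0x3],
           "subtype": (fc >> 4) & 0xF}
    # Bits 8-15 of Frame Control are the eight 1-bit flags, in FLAGS order.
    hdr.update({name: bool((fc >> (8 + i)) & 1) for i, name in enumerate(FLAGS)})
    if hdr["type"] == "Control" and hdr["subtype"] == 0b1010:   # PS-Poll
        aid = dur_id & 0x3FFF                    # 14 least significant bits
        if (dur_id & 0xC000) != 0xC000 or not 1 <= aid <= 2007:
            raise ValueError("PS-Poll AID field malformed")
        hdr["aid"] = aid
    elif (dur_id & 0x8000) == 0:
        hdr["duration"] = dur_id                 # 0..32767, resets the NAV timer
    if hdr["type"] in ("Management", "Data"):
        if len(frame) < 24:
            raise ValueError("truncated three-address header")
        (seq_ctl,) = struct.unpack_from("<H", frame, 22)
        hdr["fragment"] = seq_ctl & 0xF          # 4-bit fragment number
        hdr["sequence"] = seq_ctl >> 4           # 12-bit sequence number, 0..4095
    return hdr

# Constructed samples (addresses are made up).
ADDRS = bytes.fromhex("020000000001" "0200000000aa" "0200000000bb")
# Data frame: To DS, Retry and Protected set; sequence 291, fragment 2.
DATA_FRAME = bytes.fromhex("0849" "2c00") + ADDRS + struct.pack("<H", (291 << 4) | 2)
# PS-Poll control frame carrying AID 5 (two top bits set to 1).
PS_POLL = bytes.fromhex("a400" "05c0") + ADDRS[:12]
```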

QoS Control

The QoS Control field is a 16-bit field that identifies the Access Category to which the frame belongs, as well as various other QoS-related, A-MSDU-related, and mesh-related information about the frame that varies by frame type, subtype, and type of transmitting STA.

  • Bits 0-3: TID/Access Class
    • AC_BK - UP (User Priority) 1,2
    • AC_BE - UP (User Priority) 0,3
    • AC_VI - UP (User Priority) 4,5
    • AC_VO - UP (User Priority) 6,7
  • Bit 4: 
    • AP: EOSP (End Of Service Period)
    • STA: 0 or 1
  • Bits 5-7: ACK Policy
    • Defines which acknowledgement policy is used after the delivery of the QoS Data frame. The four ACK policies used are: ACK, No ACK, No explicit ACK, and Block ACK. Some WLAN vendors have an optional configurable setting that does not require ACK frames after the delivery of voice or video frames. 
  • Bit 7: Reserved
  • Bits 8-15:
    • AP
      • TXOP Limit
      • AP PS Buffer State
    • STA
      • TXOP Duration Requested
      • Queue Size

Frame Body

Carries an MSDU (Upper-layer protocols)

Frame Check Sequence

This is a 4-byte field. If any portion of a unicast frame is corrupted, the CRC will fail, and the receiving 802.11 radio will not send an ACK frame to the transmitting 802.11 radio. If an ACK frame is not received by the original transmitting radio, the unicast frame is not acknowledged and will have to be retransmitted.


There is much more detail to this topic; for anyone interested in diving deeper, the 802.11 standard is a recommended resource.