802.11 uses the typical packet structure we have seen before, with headers, payload data, frame identifiers, and so on. Starting with the PHY frame organization, we have three fields: a preamble, which assists in the synchronization phase; a PLCP header, which describes the packet configuration and characteristics such as data rates; and the MPDU, the MAC protocol data unit that carries the MAC frame itself.
Each IEEE 802.11 specification has a unique preamble and is structured by the number of symbols (described later) and not by the number of bits for each field. Examples of the preamble structures are as follows:
- 802.11 a/g: The preamble includes a short training field (two symbols) and a long training field (two symbols). These are used by the subcarriers for timing synchronization and frequency estimation. Additionally, the preamble includes a signal field that describes the data rate, length, and parity; the signal field determines how much data is being transmitted in that particular frame.
- 802.11 b: Preamble will use either a long sequence of 144 bits or a short sequence of 72 bits. The header will include signal rate, service modes, length of data in microseconds, and a CRC.
- 802.11n: Has two operating modes: Greenfield (HT) and mixed (non-HT). Greenfield can only be used where no legacy systems exist. Non-HT mode is a compatibility mode for 802.11a/g systems and delivers no better performance than a/g, whereas Greenfield mode allows for higher-speed transport.
The following illustration is the 802.11 PHY and link layer packet frame structure:
The MAC frame structure is shown in the preceding figure. The MAC frame contains a number of fields, the first of which is the frame control (FC) field. Its subfields are detailed as follows:
- Protocol version: Indicates version of the protocol used.
- Type: WLAN frame as control, data, or management frame type.
- Subtype: Further delineation of frame type.
- ToDS and FromDS: Data frames set one of these bits to 1 to indicate whether the frame is headed to or coming from a distribution system. When neither bit is set, the frame travels directly between stations, as in an IBSS ad hoc network.
- More fragments: If a packet is divided into many frames, then every frame except the last will have this bit set.
- Retry: Indicates a frame was resent and assists in resolving duplicate frames being transmitted.
- Power management: Indicates the power state of the sender. APs cannot set this bit.
- More data: An AP sets this bit to tell a STA in power save mode that further frames for it are buffered in the distribution system.
- Wired equivalent privacy: Set to 1 when the frame body is encrypted.
- Order: If a strict order mode is used in the network, this bit will be set. Frames may otherwise be delivered out of order; strict order mode forces in-order transmission.
Moving up the MAC frame from the frame control field, we next examine the duration/connection ID field:
- Duration/connection ID: Indicates duration, contention-free period, and association ID. The association ID is registered during Wi-Fi initial handshaking.
- Address fields: 802.11 can manage four MAC addresses in the following order:
  - Address 1: Receiver
  - Address 2: Transmitter
  - Address 3: Used for filtering
- SC: Sequence control is a 16-bit field for message order.
The 802.11 protocol has several types of frames represented by the type and subtype fields. There are three fundamental types: management frames, control frames, and data frames.
Management frames provide network administration, security, and maintenance. The following table defines the types of management frames:
| Frame name | Description |
| --- | --- |
| Authentication frame | A STA sends an authentication frame to an AP, which responds with its own authentication frame. Here, the shared key is sent and verified using a challenge response. |
| Association request frame | Transmitted from a STA to request that an AP synchronize with it. It contains the SSID the STA wants to join and other information needed for synchronization. |
| Association response frame | Transmitted from an AP to a STA, containing an acceptance or rejection of an association request. If accepted, an association ID is sent in the payload. |
| Beacon frame | The periodic beacon broadcast from an AP. Includes the SSID. |
| Deauthentication frame | Transmitted from a STA wishing to end its authenticated connection with another STA. |
| Disassociation frame | Transmitted from a STA wishing to terminate a connection. |
| Probe request frame | Broadcast from a STA to another STA. |
| Probe response frame | Transmitted from an AP in response to a probe request. Contains information such as supported data rates. |
| Reassociation frame | Used when a STA loses signal strength with one AP but finds another AP on the same network with a stronger signal. The new AP will attempt to associate with the STA and forward information stored in the original AP's buffer. |
| Reassociation response frame | Transmitted from the AP with acceptance or rejection of a reassociation request. |
The next major frame type is the control frame. Control frames coordinate the exchange of data between STAs:
| Frame name | Description |
| --- | --- |
| Acknowledgement frame (ACK) | A receiving STA will always ACK received data if no errors have occurred. If the sender does not receive an ACK within a fixed time, it resends the frame. |
| Request to send frame (RTS) | Part of the collision avoidance mechanism. A STA that wishes to transmit data begins by sending an RTS message. |
| Clear to send frame (CTS) | STA response to an RTS frame; the requesting STA can now send its data frame. This is a form of collision management: a time value holds off transmissions from other STAs while the requesting STA transmits. |
The final frame type is the data frame. This is the bulk of the data-carrying function of the protocol.
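As an added example (not code from the original text), the following Python decodes the frame control subfields, duration/ID, address fields and sequence control described above from raw MAC header bytes and names the frame using the type/subtype codes behind the management and control frame tables. The sample frames are constructed rather than captured, and the 802.11w remark in the helper is this example's own defender-side observation.

```python
import struct

# Type and subtype codes are the values defined by the 802.11 standard.
TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
SUBTYPE_NAMES = {
    (0, 0): "association request", (0, 1): "association response",
    (0, 2): "reassociation request", (0, 3): "reassociation response",
    (0, 4): "probe request", (0, 5): "probe response", (0, 8): "beacon",
    (0, 10): "disassociation", (0, 11): "authentication", (0, 12): "deauthentication",
    (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK", (2, 0): "data", (2, 8): "QoS data",
}
# Frame control flag bits in the upper byte of the field, least significant first.
FLAG_NAMES = ["to_ds", "from_ds", "more_frag", "retry",
              "pwr_mgmt", "more_data", "protected", "order"]

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_header(frame: bytes) -> dict:
    """Decode frame control, duration/ID, addresses and sequence control."""
    fc, duration = struct.unpack_from("<HH", frame, 0)  # both little-endian
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    hdr = {"version": fc & 0x3, "type": TYPE_NAMES.get(ftype, "reserved"),
           "subtype": subtype, "name": SUBTYPE_NAMES.get((ftype, subtype), "other"),
           "duration_id": duration}
    for bit, name in enumerate(FLAG_NAMES):
        hdr[name] = bool((fc >> 8) & (1 << bit))
    if ftype == 1:  # control frames: receiver address only, plus transmitter for RTS
        hdr["addr1"] = mac_str(frame[4:10])
        if subtype == 11:
            hdr["addr2"] = mac_str(frame[10:16])
        return hdr
    if len(frame) < 24:
        raise ValueError("management/data frames need a 24-byte MAC header")
    hdr["addr1"], hdr["addr2"], hdr["addr3"] = (mac_str(frame[o:o + 6]) for o in (4, 10, 16))
    seq = struct.unpack_from("<H", frame, 22)[0]
    hdr["fragment"], hdr["sequence"] = seq & 0xF, seq >> 4  # 4-bit fragment, 12-bit sequence
    if hdr["to_ds"] and hdr["from_ds"]:  # four-address frame between APs (WDS)
        hdr["addr4"] = mac_str(frame[24:30])
    return hdr

def is_unprotected_disconnect(hdr: dict) -> bool:
    """Deauth/disassoc with the protected bit clear: the frames 802.11w (PMF) exists to authenticate."""
    return hdr["type"] == "management" and hdr["subtype"] in (10, 12) and not hdr["protected"]

# Constructed sample frames (not captured traffic) using locally administered MACs.
DEAUTH = bytes.fromhex("c000" "3a01" "020000000001" "0200000000aa" "0200000000aa" "4006" "0700")
DATA_TO_DS = bytes.fromhex("0841" "2c00" "0200000000aa" "020000000001" "020000000002" "5100" "aaaa")
CTS = bytes.fromhex("c400" "1200" "020000000001")
```

Calling `parse_header(DEAUTH)` yields a management frame with subtype 12, duration 314, sequence number 100 and the protected bit clear, which `is_unprotected_disconnect` flags; `parse_header(CTS)` shows the shorter control-frame header with only a receiver address.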