802.11 wireless frame protocol analysis (MAC architecture)
【1】Describe the 802.11 frame format
1. 802.11 frame
The maximum length of an 802.11 frame is 2346 bytes; its layout is shown in the figure below.
1.1 802.11 frame-Frame Control (frame control field)
It sits at the beginning of the 802.11 frame and occupies 2 bytes (16 bits).
Every frame begins with the Frame Control field, two bytes long, as shown in the figure below. The Frame Control field contains the following subfields.
Protocol Version: In the figure above the protocol version is 0, because this is the only version defined so far; new versions may be released in the future.
Type: Distinguishes the three kinds of frames (management, control and data).
The Type value of a management frame is 00.
The Type value of a control frame is 01.
The Type value of a data frame is 10.
Type value 11 is reserved and unused.
Subtype: This field identifies the subtype of the transmitted frame.
For example, an RTS (Request to Send) frame has Type=01 and Subtype=1011;
a CTS (Clear to Send) frame has Type=01 and Subtype=1100.
Type and Subtype together specify exactly which kind of frame is being used.
To DS and From DS: To DS indicates a frame sent from the wireless side towards the distribution system through the AP; From DS indicates a frame sent from the distribution system through the AP to the wireless side.
More Fragments: Indicates whether a long frame has been fragmented and further fragments follow. If the upper-layer packet is fragmented by the MAC, every fragment except the last sets this bit to 1.
Retry: A frame sometimes has to be retransmitted. Every retransmitted frame sets this bit to 1, which helps the receiver eliminate duplicate frames.
Power Management: Indicates the power management state the sender will be in once the current frame exchange completes.
1 means the STA is in power-save mode; 0 means the STA is active.
More Data: Used only in management and data frames; this bit must be 0 in control frames.
Protected Frame: 1 means the frame body carries encrypted data; 0 means it is not encrypted.
Order: Frames and fragments can be transmitted in strict order, but the sender's and receiver's MACs pay an extra cost to number them strictly. When strictly ordered transmission is used, this bit is set to 1.
1.2 802.11 frame-Duration/ID
The second field of the 802.11 frame occupies 2 bytes (16 bits).
The Duration field carries the network allocation vector (NAV) value.
The NAV specifies how long the medium is reserved and therefore when other stations may access it.
When bit 15 is 0, the Duration/ID field sets the NAV; the value is the estimated number of microseconds the current transmission will occupy the medium.
Workstations must monitor every frame header they receive and update the NAV accordingly.
Any value larger than the current NAV extends the NAV and keeps other workstations from accessing the medium.
1.3 802.11 frame-Address
The address fields hold MAC addresses of different kinds; which kind each one holds depends on the frame type.
Address 1 is the address of the receiver of the frame.
In some cases the receiver is also the destination, but not always.
The destination is the workstation that processes the network-layer packet carried in the frame; the receiver is the workstation that decodes the radio signal into an 802.11 frame.
If Address 1 is a broadcast or multicast address, the BSSID (Basic Service Set Identifier) must also be checked. Workstations respond only to broadcast or multicast frames from their own basic service set (BSS); frames from other BSSs are ignored.
Address 2 is the address of the transmitter, and is where responses are sent.
In some cases the transmitter is also the source, but not always.
The source is the workstation that generated the network-layer packet in the frame; the transmitter is the one that put the frame onto the wireless link. Address 3 is used for filtering by access points and the distribution system, but its meaning depends on the type of network in use.
Address 4 is normally unused; it appears only in WDS (Wireless Distribution System) frames.
1.4 802.11 frame—Seq-Ctl (sequence control bit)
This field occupies 16 bits and is used to reassemble fragments and discard duplicate frames. It consists of a 4-bit fragment number and a 12-bit sequence number.
The fragment number is used when an upper-layer packet is fragmented: the first fragment is numbered 0 and each following fragment increments the number by 1, which makes reassembly possible. All fragments of one packet share the same sequence number, and a retransmitted frame keeps its sequence number.
The sequence number is a counter of transmitted frames taken modulo 4096. It starts at 0 and the MAC increments it by 1 for each upper-layer packet it processes.
If a retransmission occurs, the sequence number stays the same, which lets the receiver recognise and discard duplicate frames.
In short, it numbers the frames we send and identifies retransmissions, so that frames are delivered correctly.
1.5 802.11 frame—Frame Body (frame body)
The Frame Body, also called the data field, carries upper-layer data (the payload) between workstations.
An 802.11 frame can carry up to 2312 bytes of upper-layer data.
1.6 802.11 frame-FCS (Frame Check Sequence)
An 802.11 frame ends with the FCS, which lets workstations check the integrity of the received frame.
On Ethernet, a frame with a bad FCS is discarded immediately; otherwise it is passed to the upper-layer protocol. On an 802.11 network, a frame that passes the integrity check additionally requires a response from the receiver.
For example, a received data frame must be positively acknowledged; otherwise it is retransmitted.
802.11 provides no negative acknowledgement for frames that fail the FCS check; the workstation must wait for the acknowledgement timeout before retransmitting.
【2】Distinguish the three 802.11 frame types and their functions
There are three main types of 802.11 frames:
2.1 Data frame
Data frames carry upper-layer protocol data in the frame body. Which fields are used depends on the kind of data frame.
Data Frame—To DS and From DS
The DS (Distribution System) is the backbone that forwards frames between access points, which is why it is usually called the backbone network; it can generally be thought of as Ethernet.
SA is the source address, DA the destination address, RA the receiver address and TA the transmitter address.
BSSID: The area covered by one AP forms a BSS (Basic Service Set). The BSSID (Basic Service Set Identifier) identifies the BSS and is the AP's MAC address at the data link layer.
In the first picture, the source and transmitter are both the terminal, and the destination and receiver are both the AP. The terminal sends the frame hoping to associate with the AP; the BSSID filters out STAs that do not belong to this BSS.
In the second picture, the source and transmitter are both the terminal and the receiver is the AP. The frame travels from the wireless link to the AP, so To DS is 1, and the destination is the switch connected to the AP.
In the third picture, the source is the switch connected to the AP and the transmitter is the AP. The frame travels from the AP to the wireless link, so From DS is 1, and the destination and receiver are the STA.
The fourth picture is the WDS model. The fourth row of the table above applies only in this model: all four address fields are used. In WDS, frames travel both from the wireless link to the AP and from the AP to the wireless link, so both To DS and From DS are 1.
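As an added example (not code from the original article), the following Python parses the header fields described in section 1 and then applies the To DS / From DS address table of section 2.1 to name each address. The sample frame is constructed for illustration, not a real capture, and the parser assumes the 24-byte data/management header layout (control frames are shorter).

```python
import struct

# Frame Control byte 0 = protocol (bits 0-1) | type (bits 2-3) | subtype (bits 4-7);
# byte 1 carries the eight flag bits in the order listed in section 1.1.
TYPE_NAMES = {0b00: "management", 0b01: "control", 0b10: "data", 0b11: "reserved"}
FLAG_NAMES = ("to_ds", "from_ds", "more_fragments", "retry",
              "power_mgmt", "more_data", "protected", "order")

def parse_frame_control(fc: bytes) -> dict:
    """Split the 2-byte Frame Control field into its subfields."""
    info = {"protocol": fc[0] & 0x03, "type": (fc[0] >> 2) & 0x03, "subtype": fc[0] >> 4}
    info["type_name"] = TYPE_NAMES[info["type"]]
    for bit, name in enumerate(FLAG_NAMES):
        info[name] = bool(fc[1] & (1 << bit))
    return info

def parse_mac_header(frame: bytes) -> dict:
    """Parse the header of a data or management frame (control frames are shorter)."""
    hdr = parse_frame_control(frame[0:2])
    hdr["duration_id"] = struct.unpack_from("<H", frame, 2)[0]  # little-endian, section 1.2
    for n, off in ((1, 4), (2, 10), (3, 16)):
        hdr[f"addr{n}"] = frame[off:off + 6].hex(":")
    seq_ctl = struct.unpack_from("<H", frame, 22)[0]  # section 1.4: frag (4 bits) + seq (12 bits)
    hdr["fragment"], hdr["sequence"] = seq_ctl & 0x0F, seq_ctl >> 4
    if hdr["to_ds"] and hdr["from_ds"]:  # WDS: Address 4 follows Sequence Control
        hdr["addr4"] = frame[24:30].hex(":")
    return hdr

def address_roles(hdr: dict) -> dict:
    """Map Address 1-4 to RA/TA/DA/SA/BSSID from the To DS / From DS bits (section 2.1)."""
    a1, a2, a3 = hdr["addr1"], hdr["addr2"], hdr["addr3"]
    if not hdr["to_ds"] and not hdr["from_ds"]:  # first picture: within one BSS
        return {"RA": a1, "DA": a1, "TA": a2, "SA": a2, "BSSID": a3}
    if hdr["to_ds"] and not hdr["from_ds"]:  # second picture: wireless side -> AP -> DS
        return {"RA": a1, "BSSID": a1, "TA": a2, "SA": a2, "DA": a3}
    if hdr["from_ds"] and not hdr["to_ds"]:  # third picture: DS -> AP -> wireless side
        return {"RA": a1, "DA": a1, "TA": a2, "BSSID": a2, "SA": a3}
    return {"RA": a1, "TA": a2, "DA": a3, "SA": hdr["addr4"]}  # fourth picture: WDS

# Constructed sample (not a real capture): data frame from a STA to its AP, To DS=1, Retry=1.
SAMPLE_DATA_FRAME = bytes.fromhex(
    "0809"          # Frame Control: type=10 (data), subtype=0000; flags To DS + Retry
    "2c00"          # Duration/ID = 44 us, little-endian
    "001122334455"  # Address 1: RA = BSSID (the AP)
    "aabbccddee01"  # Address 2: TA = SA (the STA)
    "020304050607"  # Address 3: DA (host reached through the DS)
    "4206"          # Sequence Control: 0x0642 -> sequence 100, fragment 2
)
```

Feeding `parse_frame_control` the first two bytes of a control frame works the same way, e.g. `b"\xb4\x00"` decodes to type 01 / subtype 1011 (RTS).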
2.2 Control frame:
2.2.1 Control Frame—RTS (Request to Send)
When the AP sends data to a client, it first sends an RTS frame to the client. The RTS frame format is as follows:
The RTS frame is used to gain control of the medium before transmitting a frame.
Frame Control: Type value is 01
There is nothing special about the Frame Control field.
The subtype field of the frame is set to 1011, which denotes an RTS frame.
Otherwise it carries the same fields as other control frames. Duration: The RTS frame tries to reserve the medium for the whole frame exchange, so the RTS sender must calculate how much time the exchange will need after the RTS frame ends.
The number of microseconds required is calculated and placed in the Duration field. If the calculation does not yield an integer, it is rounded up to the next whole microsecond.
Receiver Address: The address of the workstation that receives the RTS frame.
Transmitter Address: The address of the sender of the RTS frame.
2.2.2 Control Frame—CTS (Clear to Send)
After the destination client receives the RTS, it sends a CTS frame, so that every device within the client's range refrains from transmitting for the specified time. The CTS frame format is as follows:
Like the RTS frame, the CTS frame silences nearby workstations to gain control of the medium.
Frame Control: Type value is 01
The **subtype** field of the frame is set to 1100, which denotes a CTS frame.
Duration: When responding to an RTS, the CTS sender bases its duration value on the Duration value of the RTS frame.
The RTS reserves the medium for the whole RTS-CTS-frame-ACK exchange. By the time the CTS has been sent, only the remaining frame or fragment and its acknowledgement are left to transmit.
The CTS sender therefore subtracts the time needed to send the CTS frame and the short interframe space (SIFS) that follows it from the RTS Duration value, and places the result in the Duration field of the CTS.
Receiver Address: The receiver of the CTS frame is the sender of the preceding RTS frame, so the MAC copies the transmitter address of the RTS frame into the receiver address of the CTS frame.
2.2.3 Control frame-ACK (acknowledgment)
For every unicast frame sent, the receiver returns an ACK after successfully receiving it.
The ACK frame is the positive acknowledgement the MAC requires for any data transmission, including ordinary frames, frames preceded by an RTS/CTS exchange, and fragments.
The QoS extensions relax the requirement that every data frame be acknowledged individually.
Frame Control: Type value is 01
The subtype field of the frame is set to 1101, which denotes an ACK frame.
Duration: The value depends on where the ACK falls in the frame exchange. For a complete data frame, and for the last of a series of fragments, the duration is set to 0.
Receiver Address: The receiver address is copied from the transmitter address of the frame being acknowledged.
2.2.4 Control Frame-PS-Poll
When a client in power-save mode wakes up, it sends a PS-Poll frame to the AP to retrieve any frames buffered for it. The frame format is as follows:
Frame Control: Type value is 01
The **subtype** field of the frame is set to 1010, which denotes a PS-Poll frame.
AID (association identifier): In PS-Poll frames the third and fourth bytes of the MAC header carry the association ID (AID) instead of a duration.
The association ID is a number assigned by the access point to distinguish each association. Putting this identifier in the frame lets the AP find the frames it has buffered for that client.
BSSID: This field contains the BSSID of the BSS the sender currently belongs to, that is, the BSS of the AP it is associated with.
Transmitter Address: The MAC address of the sender of the PS-Poll frame.
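To make the Duration/ID arithmetic of sections 1.2 and 2.2.1 to 2.2.4 concrete, here is an added Python example that is not part of the original article: it decodes the Duration/ID field as either a NAV reservation or a PS-Poll AID, derives the CTS and ACK durations from an RTS duration, and replays how a bystander's NAV is updated as it hears the RTS and then the CTS. The SIFS and CTS/ACK airtimes are assumed values for an OFDM PHY at 6 Mbit/s; the non-final-fragment ACK rule follows the standard rather than the text above.

```python
import math

# Assumed PHY timings for an OFDM (802.11a/g-style) channel; real values depend on PHY and rate.
SIFS_US = 16     # short interframe space
CTS_TX_US = 44   # airtime of a 14-byte CTS at 6 Mbit/s (20 us preamble + 6 symbols of 4 us)
ACK_TX_US = 44   # an ACK is the same size as a CTS, so the same airtime

def decode_duration_id(value: int) -> tuple:
    """Sections 1.2 / 2.2.4: bit 15 = 0 -> NAV microseconds; bits 15-14 = 11 -> PS-Poll AID."""
    if value & 0x8000 == 0:
        return ("nav", value)
    if value & 0xC000 == 0xC000:
        return ("aid", value & 0x3FFF)
    return ("reserved", value)  # remaining encodings (contention-free period) not handled here

def rts_duration(data_tx_us: float) -> int:
    """Section 2.2.1: time the exchange needs after the RTS ends, rounded up to whole us."""
    return math.ceil(SIFS_US + CTS_TX_US + SIFS_US + data_tx_us + SIFS_US + ACK_TX_US)

def cts_duration(rts_duration_us: int) -> int:
    """Section 2.2.2: RTS duration minus the CTS airtime and the SIFS that follows it."""
    return max(rts_duration_us - CTS_TX_US - SIFS_US, 0)

def ack_duration(is_last_fragment: bool, prev_duration_us: int = 0) -> int:
    """Section 2.2.3: 0 for a whole frame or the final fragment; otherwise what remains."""
    if is_last_fragment:
        return 0
    return max(prev_duration_us - ACK_TX_US - SIFS_US, 0)  # per the standard, not the text

def update_nav(nav_end_us: int, now_us: int, duration_id: int) -> int:
    """Section 1.2: a bystander extends its NAV only when the new reservation ends later."""
    kind, value = decode_duration_id(duration_id)
    if kind != "nav":
        return nav_end_us  # an AID is not a time reservation
    return max(nav_end_us, now_us + value)

def nav_after_rts_cts(data_tx_us: float) -> tuple:
    """Replay what a bystander hears: RTS ends at t=0, CTS ends one SIFS + CTS airtime later."""
    rts = rts_duration(data_tx_us)
    cts = cts_duration(rts)
    nav = update_nav(0, 0, rts)
    nav = update_nav(nav, SIFS_US + CTS_TX_US, cts)
    return rts, cts, nav
```

Because the CTS value is derived by subtracting exactly the airtime that has elapsed, the RTS and CTS reservations end at the same instant, which is why the second `update_nav` call leaves the NAV unchanged.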
2.3 Management Frame
Management frames provide relatively simple services to the network.
The management frame has the following types:
Beacon frame (beacon frame):
1. Beacon frames announce the existence of a network. Periodically transmitted beacons let mobile workstations learn that the network exists and obtain the parameters needed to join it.
2. In the infrastructure network, the access point is responsible for transmitting Beacon frames.
3. In an IBSS network, the workstations take turns sending Beacon frames.
Probe Request, Probe Response frames:
1. A workstation scans for 802.11 networks in the area with Probe Request frames.
2. If a network that receives the Probe Request is compatible with it, the network replies with a Probe Response frame.
Authentication frame, Deauthentication frame:
1. The workstation authenticates using the shared key and Authentication frames.
2. The Deauthentication frame is used to terminate the authentication relationship.
Association Request frame:
Once a workstation has found a compatible network and passed authentication, it sends an Association Request frame to join the network.
Disassociation frame: used to terminate an association relationship.
Reassociation Request frame:
Within the same ESS, a workstation that moves between BSSs and wants to use the distribution system (DS) again must reassociate with the network. Unlike the Association Request frame, it carries the address of the access point the workstation is currently associated with.
Association Response frame and Reassociation Response frame:
When a workstation tries to associate with an access point, the access point replies with an Association Response or Reassociation Response frame. In the response the access point assigns an Association ID (AID).