In this blog post let's take a closer look at the 802.11 MAC header.

(1) Version / Protocol

The version field in the MAC header identifies which version of the protocol is in use. "0" identifies 802.11, WiFi as we know it today. The version / protocol field is 2 bits in length.

George Hint: Who knows what 802.11ax will look like. Perhaps .ax could be version 0 1.

802.11-2012 Standard: 8.2.4.1.2 Protocol Version field

The Protocol Version field is 2 bits in length and is invariant in size and placement across all revisions of this standard. For this standard, the value of the protocol version is 0. All other values are reserved. The revision level will be incremented only when a fundamental incompatibility exists between a new revision and the prior edition of the standard.

(2) Type

The type field in a MAC header identifies the type of frame. There are three types of 802.11 frames: management, control, and data. The type field is 2 bits in length.

00 Management Frame

01 Control Frame

10 Data Frame

11 Reserved

In our example 00 is used to identify this as a management frame type.

(3) Subtype

The subtype field in a MAC header identifies the specific frame subtype. Here are just a few subtype examples under the management frame type. The subtype field is 4 bits in length.

0000 = Association Request

0100 = Probe Request

1000 = Beacon

1010 = Disassociation

In our example 1000 is used to identify this as a Beacon frame subtype.

George Hint: If you're studying for any of the CWNP exams, you should be familiar with the types and subtypes of management, control, and data frames.

802.11-2012 Standard: 8.2.4.1.3 Type and Subtype fields

The Type field is 2 bits in length, and the Subtype field is 4 bits in length. The Type and Subtype fields together identify the function of the frame. There are three frame types: control, data, and management. Each of the frame types has several defined subtypes. In data frames, the most significant bit (MSB) of the Subtype field, b7, is defined as the QoS subfield.

(4) Frame Control Flags

It should be noted that our example image of a management beacon (above) may not set every one of these control flags. However, the purpose of this post is to share details of each flag for educational purposes.

George Hint: When troubleshooting a wireless network pay close attention to these flags. These flags provide a wealth of information about the frame transmission. Knowing the 802.11 Standard definition and real world deployment of these flags is very important.

(a) Non-Strict order - This field is used to indicate a frame ordering process typically used by upper layer applications. In my experience this ordering is never applied and the field is 0.

If this bit is flipped to 0 it indicates no ordering. If this bit is flipped to 1 it indicates specific ordering is in use. Note that Omnipeek rewords this field as "Strict Order".

This field is 1 bit in length.

802.11-2012 Standard: 8.2.4.1.10 Order field

The Order field is 1 bit in length. It is used for two purposes:

— It is set to 1 in a non-QoS data frame transmitted by a non-QoS STA to indicate that the frame contains an MSDU, or fragment thereof, that is being transferred using the StrictlyOrdered service class.

— It is set to 1 in a QoS data or management frame transmitted with a value of HT_GF or HT_MF for the FORMAT parameter of the TXVECTOR to indicate that the frame contains an HT Control field.

Otherwise, the Order field is set to 0.

(b) Non-Protected Frame - This field is used to indicate if an MSDU is encrypted. If you have an open network this bit will be flipped to 0 when a data frame is carrying an MSDU. If you encrypt your WLAN with WEP, TKIP or CCMP, expect your data frames carrying an MSDU to have this bit flipped to 1. Also, if the frame doesn't carry an MSDU, like a control or management frame, expect this bit to be marked as 0.

If this bit is flipped to 0 it indicates no encryption. If this bit is flipped to 1 it indicates the MSDU is encrypted. Note that Omnipeek rewords this field as "Protected Frame".

This field is 1 bit in length.

802.11-2012 Standard: 8.2.4.1.9 Protected Frame field

The Protected Frame field is 1 bit in length. The Protected Frame field is set to 1 if the Frame Body field contains information that has been processed by a cryptographic encapsulation algorithm. The Protected Frame field is set to 1 only within data frames and within management frames of subtype Authentication, and individually addressed robust management frames. The Protected Frame field is set to 0 in all other frames. When the Protected Frame field is equal to 1, the Frame Body field is protected utilizing the cryptographic encapsulation algorithm and expanded as defined in Clause 11. The Protected Frame field is set to 0 in Data frames of subtype Null Function, CF-ACK (no data), CF-Poll (no data), CF-ACK+CF-Poll (no data), QoS Null (no data), QoS CF-Poll (no data), and QoS CF-ACK+CF-Poll (no data) (see, for example, 11.4.2.2 and 11.4.3.1 that show that the frame body needs to be 1 octet or longer to apply the encapsulation).

(c) No More Data - This field is used to alert a client in power save mode not to return to a doze state, because the access point has buffered frames.

If this bit is flipped to 0 it indicates no buffered frames. If this bit is flipped to 1 it indicates to a client that more frames are buffered. Note that Omnipeek rewords this field as "More Data".

This field is 1 bit in length.

802.11-2012 Standard: 8.2.4.1.8 More Data field

The More Data field is 1 bit in length and is used to indicate to a STA in PS mode that more BUs are buffered for that STA at the AP. The More Data field is valid in individually addressed data or management type frames transmitted by an AP to a STA in PS mode. A value of 1 indicates that at least one additional buffered BU is present for the same STA.

The More Data field is optionally set to 1 in individually addressed data type frames transmitted by a CF- Pollable STA to the PC in response to a CF-Poll to indicate that the STA has at least one additional buffered MSDU available for transmission in response to a subsequent CF-Poll.

For a STA in which the More Data Ack subfield of its QoS Capability element is 1 and that has APSD enabled, an AP optionally sets the More Data field to 1 in ACK frames to this STA to indicate that the AP has a pending transmission for the STA.

For a STA with TDLS peer PSM enabled and the More Data Ack subfield equal to 1 in the QoS Capability element of its transmitted TDLS Setup Request frame or TDLS Setup Response frame, a TDLS peer STA optionally sets the More Data field to 1 in ACK frames to this STA to indicate that it has a pending transmission for the STA.

The More Data field is 1 in individually addressed frames transmitted by a mesh STA to a peer mesh STA that is either in light sleep mode or in deep sleep mode for the corresponding mesh peering, when additional BUs remain to be transmitted to this peer mesh STA.

The More Data field is set to 0 in all other individually addressed frames.

The More Data field is set to 1 in group addressed frames transmitted by the AP when additional group addressed bufferable units (BUs) remain to be transmitted by the AP during this beacon interval. The More Data field is set to 0 in group addressed frames transmitted by the AP when no more group addressed BUs remain to be transmitted by the AP during this beacon interval and in all group addressed frames transmitted by non-AP STAs.

The More Data field is 1 in group addressed frames transmitted by a mesh STA when additional group addressed BUs remain to be transmitted. The More Data field is 0 in group addressed frames transmitted by a mesh STA when no more group addressed BUs remain to be transmitted.

(d) Power Management - This field is used to alert an access point that a client is going into a doze state, either to save battery life or to scan off channel to build a neighbor list. The access point then buffers frames for the client.

If this bit is flipped to 0 it indicates no doze state. If this bit is flipped to 1 it indicates a doze state.

This field is 1 bit in length.

802.11-2012 Standard: 8.2.4.1.7 Power Management field

The Power Management field is 1 bit in length and is used to indicate the power management mode of a STA. The value of this field is either reserved (as defined below) or remains constant in each frame from a particular STA within a frame exchange sequence (see Annex G). The value indicates the mode of the STA after the successful completion of the frame exchange sequence.

In an infrastructure BSS, the following applies:

The Power Management field is reserved in all management frames that are not bufferable management frames.

The Power Management field is reserved in all management frames transmitted by a STA to an AP with which it is not associated.

The Power Management field is reserved in all frames transmitted by the AP.

Otherwise, a value of 1 indicates that the STA will be in PS mode. A value of 0 indicates that the STA will be in active mode.

In an IBSS, the following applies:

The Power Management field is reserved in all management frames that are not bufferable management frames and that are not individually addressed Probe Request frames.

Otherwise, a value of 1 indicates that the STA will be in PS mode. A value of 0 indicates that the STA will be in active mode.

In an MBSS, the following applies:

A value of 0 in group addressed frames, in management frames transmitted to nonpeer STAs, and in Probe Response frames indicates that the mesh STA will be in active mode towards all neighbor mesh STAs. A value of 1 in group addressed frames, in management frames transmitted to nonpeer STAs, and in Probe Response frames indicates that the mesh STA will be in deep sleep mode towards all nonpeer mesh power STAs.

A value of 0 in individually addressed frames transmitted to a peer mesh STA indicates that the mesh STA will be in active mode towards this peer mesh STA. A value of 1 in individually addressed frames transmitted to a peer mesh STA, except Probe Response frames, indicates that the mesh STA will be in either light sleep mode or deep sleep mode towards this peer mesh STA. When the QoS Control field is present in the frame, the Mesh Power Save Level subfield in the QoS Control field indicates whether the mesh STA will be in light sleep mode or in deep sleep mode for the recipient mesh STA as specified in 8.2.4.5.11.

The mesh power mode transition rules are described in 13.14.3.

(e) This is not a Re-Transmission - This field is used to indicate if a frame is a retransmission. This flag is probably the most viewed flag in the MAC header. Many things can cause a frame to be retransmitted. High retransmission rates cause poor WiFi performance.

If this bit is flipped to 0 it indicates no retransmission. If this bit is flipped to 1 it indicates a retransmission.

George Hint: This is one of the more important indicators related to network performance in a MAC header for troubleshooting.

This field is 1 bit in length.

802.11-2012 Standard: 8.2.4.1.6 Retry field

The Retry field is 1 bit in length and is set to 1 in any data or management type frame that is a retransmission of an earlier frame. It is set to 0 in all other frames. A receiving STA uses this indication to aid in the process of eliminating duplicate frames.

(f) Last or Unfragmented Frame - This field is used to indicate that an MSDU or MMPDU is fragmented; the bit is flipped to 1 to indicate fragmentation, alerting the receiving station that further fragments exist.

If this bit is flipped to 0 it indicates no more pending fragmented frames. If this bit is flipped to 1 it indicates pending fragmented frames.

This field is 1 bit in length.

802.11-2012 Standard: 8.2.4.1.5 More Fragments field

The More Fragments field is 1 bit in length and is set to 1 in all data or management type frames that have another fragment of the current MSDU or current MMPDU to follow. It is set to 0 in all other frames.

(g) Not an (Exit from the Distribution System) - This field indicates whether a frame is coming from the distribution system (DS), in other words, the wired network.

(h) Not (To the Distribution System) - This field indicates whether a frame is going to the distribution system (DS), in other words, the wired network.

There are a number of scenarios where both of these bits in combination have a variety of meanings. Note that Omnipeek uses its own wording for these fields.

From DS marked as 1 = (Exit from the Distribution System)

To DS marked as 1 = (To the Distribution System)

802.11-2012 Standard: 8.2.4.1.4 To DS and From DS fields

The meaning of the combinations of values for the To DS and From DS fields are shown in Table 8-2.

(5) Duration

The duration field in a MAC header has two different purposes. Omnipeek shows this as Duration, but it really is a Duration / ID field. It is used to reset the NAV timers of devices on the channel. It is also used for legacy PS-Poll, where it carries the AID number.

George Hint: This is another field that can have an impact on performance. Check out my blog post: Problem#2 http://community.arubanetworks.com/t5/Technology-Blog/802-11-Packet-Capture-Skillz-To-Pay-The-Bills/ba-p/149414

802.11-2012 Standard: 8.2.4.2 Duration/ID field

The Duration/ID field is 16 bits in length. The contents of this field vary with frame type and subtype, with whether the frame is transmitted during the CFP, and with the QoS capabilities of the sending STA. The contents of the field are defined as follows:

a) In control frames of subtype PS-Poll, the Duration/ID field carries the association identifier (AID) of the STA that transmitted the frame in the 14 least significant bits (LSB), and the 2 most significant bits (MSB) both set to 1. The value of the AID is in the range 1–2007.

b) In frames transmitted by the PC and non-QoS STAs, during the CFP, the Duration/ID field is set to a fixed value of 32 768.

c) In all other frames sent by non-QoS STAs and control frames sent by QoS STAs, the Duration/ID field contains a duration value as defined for each frame type in 8.3.

d) In data and management frames sent by QoS STAs, the Duration/ID field contains a duration value as defined for each frame type in 8.2.5.

See 9.24.3 on the processing of this field in received frames.

The encoding of the Duration/ID field is given in Table 8-3.

The Duration/ID fields in the MAC headers of MPDUs in an A-MPDU all carry the same value.

NOTE—The reference point for the Duration/ID field is the end of the PPDU carrying the MPDU. Setting the Duration/ID field to the same value in the case of A-MPDU aggregation means that each MPDU consistently specifies the same NAV setting.

(6) Address Fields

WiFi frames can have four MAC address fields. Most frames use only the source/transmitter address (SA), the receiver address (RA) and the access point BSSID. When WDS or mesh is used, all four fields are populated.

802.11-2012 Standard: 8.2.4.3 Address fields

8.2.4.3.1 General

There are four address fields in the MAC frame format. These fields are used to indicate the basic service set identifier (BSSID), source address (SA), destination address (DA), transmitting STA address (TA), and receiving STA address (RA). Certain frames may not contain some of the address fields.

Certain address field usage is specified by the relative position of the address field (1–4) within the MAC header, independent of the type of address present in that field. For example, receiver address matching is always performed on the contents of the Address 1 field in received frames, and the receiver address of CTS and ACK frames is always obtained from the Address 2 field in the corresponding RTS frame, or from the frame being acknowledged.

8.2.4.3.2 Address representation

Each Address field contains a 48-bit address as defined in 9.2 of IEEE Std 802-2001.

8.2.4.3.3 Address designation

A MAC sublayer address is one of the following two types:

a) Individual address. The address assigned to a particular STA on the network.

b) Group address. A multidestination address, which may be in use by one or more STAs on a given network. The two kinds of group addresses are as follows:

1) Multicast-group address. An address associated by higher level convention with a group of logically related STAs.

2) Broadcast address. A distinguished, predefined group address that always denotes the set of all STAs on a given LAN. All ones are interpreted to be the broadcast address. This group is predefined for each communication medium to consist of all STAs actively connected to that medium; it is used to broadcast to all the active STAs on that medium.

The address space is also partitioned into locally administered and universal (globally administered) addresses. The nature of a body and the procedures by which it administers these universal (globally administered) addresses is beyond the scope of this standard.

8.2.4.3.4 BSSID field

The BSSID field is a 48-bit field of the same format as an IEEE 802 MAC address. When dot11OCBActivated is false, the value of this field uniquely identifies each BSS. The value of this field, in an infrastructure BSS, is the MAC address currently in use by the STA in the AP of the BSS.

The value of this field in an IBSS is a locally administered IEEE MAC address formed from a 46-bit random number generated according to the procedure defined in 10.1.4. The individual/group bit of the address is set to 0. The universal/local bit of the address is set to 1. This mechanism is used to provide a high probability of selecting a unique BSSID.

The value of all 1s is used to indicate the wildcard BSSID. The wildcard value is not used in the BSSID field except where explicitly permitted in this standard. When dot11OCBActivated is true, the wildcard value shall be used in the BSSID field. When dot11OCBActivated is false and the BSSID field contains the wildcard value, the Address 1 (DA) field is also set to all 1s to indicate the broadcast address.

8.2.4.3.5 DA field

The DA field contains an IEEE MAC individual or group address that identifies the MAC entity or entities intended as the final recipient(s) of the MSDU (or fragment thereof) or A-MSDU, as defined in 8.3.2.1, contained in the frame body field.

8.2.4.3.6 SA field

The SA field contains an IEEE MAC individual address that identifies the MAC entity from which the transfer of the MSDU (or fragment thereof) or A-MSDU, as defined in 8.3.2.1, contained in the frame body field was initiated. The individual/group bit is always transmitted as a 0 in the source address.

8.2.4.3.7 RA field

The RA field contains an IEEE MAC individual or group address that identifies the intended immediate recipient STA(s), on the WM, for the information contained in the frame body field.

8.2.4.3.8 TA field

The TA field contains an IEEE MAC individual address that identifies the STA that has transmitted, onto the WM, the MPDU contained in the frame body field. The Individual/Group bit is always transmitted as a 0 in the transmitter address.
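As an added example (not part of the original post), here is a Python parser for the header fields covered so far, from Frame Control through the Duration/ID and address fields, which also splits the 16-bit Sequence Control field into its sequence and fragment numbers. It assumes a management or data frame (control frames use a shorter header), and the two sample headers are constructed for this example.

```python
import struct

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data", 3: "Reserved"}
# Subtypes the post lists (management), plus PS-Poll (control) for the Duration/ID rules.
SUBTYPE_NAMES = {(0, 0): "Association Request", (0, 4): "Probe Request",
                 (0, 8): "Beacon", (0, 10): "Disassociation", (1, 10): "PS-Poll"}
# Flag bits b8..b15 of Frame Control, i.e. bits 0..7 of its second octet.
FLAG_NAMES = ["To DS", "From DS", "More Fragments", "Retry",
              "Power Management", "More Data", "Protected Frame", "Order"]

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_frame_control(fc):
    b0, b1 = fc & 0xFF, fc >> 8          # field is transmitted little-endian
    h = {"version": b0 & 0x3, "type": (b0 >> 2) & 0x3, "subtype": b0 >> 4}
    h["flags"] = {name: bool((b1 >> i) & 1) for i, name in enumerate(FLAG_NAMES)}
    return h

def parse_duration_id(value, ftype, subtype):
    """8.2.4.2: AID in PS-Poll (two MSBs set), fixed 32768 during the CFP, else a NAV."""
    if (ftype, subtype) == (1, 10):
        return {"aid": value & 0x3FFF}
    if value == 32768:
        return {"cfp_fixed": True}
    return {"nav_usec": value & 0x7FFF}

def address_roles(flags, a1, a2, a3, a4=None):
    """Map Address 1-4 onto RA/TA/DA/SA/BSSID from the To DS / From DS combination."""
    to_ds, from_ds = flags["To DS"], flags["From DS"]
    roles = {"RA": a1, "TA": a2}
    if not to_ds and not from_ds:      # STA to STA: IBSS data, or management frames
        roles.update(DA=a1, SA=a2, BSSID=a3)
    elif to_ds and not from_ds:        # STA -> AP, headed into the wired network
        roles.update(BSSID=a1, SA=a2, DA=a3)
    elif from_ds and not to_ds:        # AP -> STA, coming out of the wired network
        roles.update(DA=a1, BSSID=a2, SA=a3)
    else:                              # WDS / mesh: Address 4 carries the SA
        roles.update(DA=a3, SA=a4)
    return roles

def parse_mac_header(raw):
    """Parse a management or data frame MAC header (control frames lack Seq Control)."""
    fc, dur = struct.unpack_from("<HH", raw, 0)
    h = parse_frame_control(fc)
    if h["type"] == 1:
        raise ValueError("control frames use a shorter header")
    h["type_name"] = TYPE_NAMES[h["type"]]
    h["subtype_name"] = SUBTYPE_NAMES.get((h["type"], h["subtype"]), "other")
    h["duration_id"] = parse_duration_id(dur, h["type"], h["subtype"])
    a1, a2, a3 = (mac(raw[o:o + 6]) for o in (4, 10, 16))
    seq_ctrl, = struct.unpack_from("<H", raw, 22)
    h["fragment_number"], h["sequence_number"] = seq_ctrl & 0xF, seq_ctrl >> 4
    a4 = mac(raw[24:30]) if h["flags"]["To DS"] and h["flags"]["From DS"] else None
    h["addresses"] = address_roles(h["flags"], a1, a2, a3, a4)
    return h

# Constructed samples: a beacon (type 00, subtype 1000) and a retried AP->STA data frame.
BEACON = bytes.fromhex("8000" "0000" "ffffffffffff" "001122334455" "001122334455" "204d")
DATA_FROM_DS = bytes.fromhex("082a" "2c00" "aabbccddee01" "001122334455" "020000000099" "7100")
```

Calling parse_mac_header(DATA_FROM_DS) reports a Data frame with From DS, Retry and More Data set, sequence number 7, fragment 1, and the wired host as SA.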

(7) Seq Number

This field is used to eliminate duplicate received frames and to reassemble fragments.

George Hint: During trace analysis I pay close attention to these numbers to indicate flow of traffic and repeat of payloads.

802.11-2012 Standard: 8.2.4.4.2 Sequence Number field

The Sequence Number field is a 12-bit field indicating the sequence number of an MSDU, A-MSDU, or MMPDU. Each MSDU, A-MSDU, or MMPDU transmitted by a STA is assigned a sequence number. Sequence numbers are not assigned to control frames, as the Sequence Control field is not present.

Each fragment of an MSDU or MMPDU contains a copy of the sequence number assigned to that MSDU or MMPDU. The sequence number remains constant in all retransmissions of an MSDU, MMPDU, or fragment thereof.

(8) Frag Number

This field is used to eliminate duplicate received frames and to reassemble fragments.

George Hint: During trace analysis I pay close attention to fragmented frames.

802.11-2012 Standard: 8.2.4.4.3 Fragment Number field

The Fragment Number field is a 4-bit field indicating the number of each fragment of an MSDU or MMPDU. The fragment number is set to 0 in the first or only fragment of an MSDU or MMPDU and is incremented by one for each successive fragment of that MSDU or MMPDU. The fragment number is set to 0 in the only fragment of an A-MSDU. The fragment number remains constant in all retransmissions of the fragment.
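An added example, not from the post, of how a receiver combines the Retry bit with the Sequence Number and Fragment Number to eliminate duplicates, along with the retry-rate figure the Retry hint above calls out. The trace is constructed, and the one-entry-per-transmitter cache is a simplified model of a receiver's duplicate cache.

```python
def dedupe_frames(frames):
    """Receiver-side duplicate filter based on the Retry bit.

    A frame is a duplicate when its Retry bit is set and its (sequence number,
    fragment number) equals the last pair accepted from the same transmitter.
    A retry whose first copy was never heard is not a duplicate and is kept.
    """
    last_seen = {}              # TA -> (seq, frag) of the most recent accepted frame
    accepted, dropped = [], []
    for f in frames:
        key = (f["seq"], f["frag"])
        if f["retry"] and last_seen.get(f["ta"]) == key:
            dropped.append(f)
        else:
            last_seen[f["ta"]] = key
            accepted.append(f)
    return accepted, dropped

def retry_rate(frames):
    """Share of frames with Retry set, the troubleshooting indicator the post highlights."""
    return sum(f["retry"] for f in frames) / len(frames) if frames else 0.0

# Constructed trace: TA, 12-bit sequence number, 4-bit fragment number, Retry bit.
FRAMES = [
    {"ta": "aa:bb:cc:dd:ee:01", "seq": 10, "frag": 0, "retry": False},
    {"ta": "aa:bb:cc:dd:ee:01", "seq": 10, "frag": 0, "retry": True},   # ACK lost: duplicate
    {"ta": "aa:bb:cc:dd:ee:01", "seq": 11, "frag": 0, "retry": True},   # first copy never heard
    {"ta": "aa:bb:cc:dd:ee:01", "seq": 11, "frag": 1, "retry": False},  # next fragment
    {"ta": "aa:bb:cc:dd:ee:01", "seq": 11, "frag": 1, "retry": True},   # duplicate fragment
    {"ta": "aa:bb:cc:dd:ee:02", "seq": 11, "frag": 1, "retry": True},   # other TA: not a duplicate
]
```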