Showing posts with label 802.11 Management Frame. Show all posts
Oct 27, 2016
Oct 25, 2016
Wireless Radio and Battery Life
A wireless radio is always in one of four states. It can be

- Asleep
- Idle and awake
- Receiving
- Transmitting
The goal of 802.11 power management, then, is to have wireless radios perform low-power activities, such as sleeping, as much as possible while performing high-power activities, such as transmitting, as little as possible.
802.11 defines two power management modes: active mode and power save mode.
Active mode: the station and the AP both operate on the assumption that the station is always awake and available to transmit and receive data.
Power save mode: the station may doze, and while dozing it cannot receive frame transmissions, so the AP buffers the frames destined for it until it wakes up. It is the station, never the AP, that sleeps.
A station in power save mode alternates between two power states: the doze state, which saves the most battery, and the awake state, in which the radio is idle, receiving, or transmitting.
Every power management method follows the same basic steps, illustrated in the following figures:
1. Before a station goes into the doze state, it tells the AP that power management is enabled by setting the Power Management bit in the Frame Control field of a frame it sends, typically a null data frame.
2. Once the station has indicated that it is in power save mode, the AP begins to buffer all frames destined to that station.
3. When the station returns to the awake state, it sends a frame to the AP (a PS-Poll in legacy power management, a trigger frame in U-APSD) to begin retrieving its buffered data.
4. When the AP has delivered all of the buffered data (the More Data bit is clear), the station goes back into the doze state.

802.11 power management
802.11 power management (legacy PS-Poll) is the power management method from the original 802.11 standard. It changes the third and fourth steps above: the station wakes up for a beacon and checks the bit for its AID in the TIM element; if traffic is buffered it sends a PS-Poll control frame, and the AP answers each PS-Poll with one buffered frame, with the More Data bit set if more remain. The station keeps polling until More Data is clear, then dozes again.
(Figures from CWAP illustrating the third, fourth and fifth steps of this exchange are not reproduced here.)
802.11e Unscheduled Automatic Power Save Delivery
U-APSD is the power management method from the 802.11e amendment. It is part of the Wi-Fi Alliance's WMM-Power Save certification and is also required for 802.11n. Instead of polling for buffered frames one at a time, the station's own uplink QoS data (or QoS Null) frame serves as the trigger, and the AP answers with a burst of buffered frames for that access category, marking the last one with the EOSP (end of service period) bit so the station knows it can doze again.
above pictures from CWAP
Oct 24, 2016
Block Acknowledgement
A Block ACK improves channel efficiency by aggregating several acknowledgements into one single acknowledgement frame. A Block ACK session is first negotiated for a given TID with ADDBA Request/Response action frames. As shown in the following picture, the originator then sends a block acknowledgement request (BlockAckReq) frame asking the recipient to acknowledge the outstanding QoS data frames starting from a given sequence number; the recipient answers with a Block ACK frame whose bitmap marks which of those frames it received.
The Block ACK frame is shown in the following picture.
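As an added worked example (my own code, not from CWAP or the original post), the following Python builds and decodes a compressed Block ACK frame using the IEEE 802.11-2012 layout of the BA Control, Starting Sequence Control and 8-octet bitmap fields. The addresses, TID and sequence numbers are constructed. It shows how bit n of the bitmap maps onto sequence number (SSN + n) mod 4096, including the wrap from 4095 to 0, and how the originator derives the list of frames it still has to retransmit:

```python
import struct

FC_BLOCK_ACK = 0x0094  # Frame Control: type 1 (control), subtype 9 (BlockAck), no flags


def build_compressed_block_ack(ra, ta, tid, ssn, received):
    """Build a compressed BlockAck control frame (FCS omitted).

    ra/ta: 6-byte receiver/transmitter addresses (constructed in the example).
    ssn: Block Ack Starting Sequence Number (0..4095) taken from the BlockAckReq.
    received: sequence numbers of the MPDUs the recipient actually got.
    Bit n of the 64-bit bitmap (LSB first) acknowledges sequence number (ssn + n) mod 4096.
    """
    ba_control = (1 << 2) | ((tid & 0xF) << 12)   # bit 2 = Compressed Bitmap, bits 12-15 = TID
    ssc = (ssn & 0xFFF) << 4                        # Starting Sequence Control, fragment number 0
    bitmap = 0
    for sn in received:
        offset = (sn - ssn) % 4096                  # modular distance handles the 4095 -> 0 wrap
        if offset < 64:                             # frames outside the window cannot be acked here
            bitmap |= 1 << offset
    return (struct.pack('<HH', FC_BLOCK_ACK, 0) + ra + ta
            + struct.pack('<HHQ', ba_control, ssc, bitmap))


def parse_compressed_block_ack(frame):
    """Return RA, TA, TID, SSN and the acknowledged sequence numbers in window order."""
    if len(frame) < 28:
        raise ValueError('frame too short for a compressed BlockAck')
    fc, = struct.unpack_from('<H', frame, 0)
    if (fc & 0x00FC) != 0x94:                       # type/subtype bits of the first FC octet
        raise ValueError('not a BlockAck frame')
    ba_control, ssc, bitmap = struct.unpack_from('<HHQ', frame, 16)
    if not ba_control & (1 << 2):
        raise ValueError('only the compressed (8-octet) bitmap variant is handled')
    ssn = ssc >> 4
    acked = [(ssn + i) % 4096 for i in range(64) if (bitmap >> i) & 1]
    return {'ra': frame[4:10], 'ta': frame[10:16],
            'tid': ba_control >> 12, 'ssn': ssn, 'acked': acked}


def unacknowledged(ssn, sent_count, acked):
    """Sequence numbers the originator must retransmit, given it sent sent_count MPDUs from ssn."""
    acked = set(acked)
    return [(ssn + i) % 4096 for i in range(sent_count) if (ssn + i) % 4096 not in acked]


if __name__ == '__main__':
    # Constructed exchange: originator sent SSN 4090..3 (ten frames), recipient lost five of them.
    ra, ta = bytes.fromhex('0207a1b2c3d4'), bytes.fromhex('0207a1b2c3d5')
    frame = build_compressed_block_ack(ra, ta, tid=6, ssn=4090, received=[4090, 4091, 4095, 0, 2])
    info = parse_compressed_block_ack(frame)
    print('acked:', info['acked'])
    print('retransmit:', unacknowledged(4090, 10, info['acked']))
```

The parser rejects anything that is not the compressed variant on purpose: the original (non-compressed) Block ACK uses a 128-octet bitmap with per-fragment bits, and silently reading it with the 8-octet layout would produce a wrong acknowledgement set.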
Oct 23, 2016
Action Frame - Channel Switch Announcement
The Channel Switch Announcement element is used by the AP to inform the cell that all stations have to move to another channel, for example because radar was detected on the current frequency. The element is carried in beacons and probe responses and announces a future switch.
The following pictures show the structure and elements of the Channel Switch Announcement.
above pictures from CWAP
As described in the Action Frame post, the Category field is set to 0 (Spectrum Management) and the Action field is set to 4 (Channel Switch Announcement). With the New Channel Number field, the AP tells the cell which channel comes next. The Channel Switch Count can be set to 0 to indicate that the change can occur at any time after the present beacon was sent, or to 1 to indicate that the jump will occur just before the next beacon; larger values count down beacon intervals. The Channel Switch Mode field set to 1 tells stations to stop transmitting until the switch has occurred.
For example, an AP uses it to tell all the stations in its cell to move to another channel because radar was detected on the current frequency (DFS).
Why design a special frame if the information element is already present in beacons and probe responses? The AP can send the Channel Switch Announcement action frame between beacons to any station that may not have received the beacon, or to instruct a client that it should not send traffic until the switch occurs. Note that beacons and probe responses are never encrypted, so a forged Channel Switch Announcement is enough to move clients off channel; the 802.11w amendment classifies Spectrum Management action frames as robust (protected) management frames, but it does not protect the beacon itself.
Action Frames
Action frames are a type of management frame used to trigger an action in the cell. With this frame, the AP can tell clients, or a client can tell the AP, "I need you to do this or that" or "This is what is going to happen".
The following pictures show the frame structure and elements of an action frame.
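The following is an added Python example (mine, not CWAP's or the post's code) that serves both the Channel Switch Announcement post above and this Action Frame post: it builds a Channel Switch Announcement action frame (Category 0, Action 4, element ID 37) and parses it back through a generic action-frame decoder, using the IEEE 802.11-2012 field layout. The BSSID and station addresses are constructed, and the FCS is omitted as a capture tool would strip it:

```python
import struct

MGMT_HDR = struct.Struct('<HH6s6s6sH')   # Frame Control, Duration, Addr1, Addr2, Addr3, Sequence Control
FC_ACTION = 0x00D0                        # type 0 (management), subtype 13 (action)
CATEGORY_SPECTRUM_MGMT = 0
ACTION_CHANNEL_SWITCH = 4
EID_CHANNEL_SWITCH = 37                   # Channel Switch Announcement element


def build_csa_action(sta, bssid, new_channel, count, mode=1, seq=0):
    """Channel Switch Announcement action frame from the AP (bssid) to one station (no FCS)."""
    header = MGMT_HDR.pack(FC_ACTION, 0, sta, bssid, bssid, seq << 4)
    csa_element = bytes([EID_CHANNEL_SWITCH, 3, mode, new_channel, count])
    return header + bytes([CATEGORY_SPECTRUM_MGMT, ACTION_CHANNEL_SWITCH]) + csa_element


def iter_elements(data):
    """Walk the ID/Length/Value elements that follow the fixed fields of a management body."""
    offset = 0
    while offset + 2 <= len(data):
        eid, length = data[offset], data[offset + 1]
        value = data[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError('truncated element %d' % eid)
        yield eid, value
        offset += 2 + length


def parse_action_frame(frame):
    """Generic action frame: addresses, category, action value and the elements that follow."""
    if len(frame) < MGMT_HDR.size + 2:
        raise ValueError('frame too short for an action frame')
    fc, _, addr1, addr2, addr3, _ = MGMT_HDR.unpack_from(frame, 0)
    if (fc & 0x00FC) != FC_ACTION:
        raise ValueError('not an action frame')
    body = frame[MGMT_HDR.size:]
    return {'da': addr1, 'sa': addr2, 'bssid': addr3,
            'protected': bool(fc & 0x4000),    # Protected Frame bit: set only under 802.11w
            'category': body[0], 'action': body[1],
            'elements': list(iter_elements(body[2:]))}


def parse_channel_switch(frame):
    """Decode a CSA action frame into the switch the AP is announcing."""
    info = parse_action_frame(frame)
    if (info['category'], info['action']) != (CATEGORY_SPECTRUM_MGMT, ACTION_CHANNEL_SWITCH):
        raise ValueError('category %d / action %d is not a Channel Switch Announcement'
                         % (info['category'], info['action']))
    for eid, value in info['elements']:
        if eid == EID_CHANNEL_SWITCH and len(value) == 3:
            mode, new_channel, count = value
            if count == 0:
                timing = 'any time after this frame'
            elif count == 1:
                timing = 'just before the next beacon'
            else:
                timing = '%d beacon intervals from now' % count
            return {'bssid': info['bssid'], 'new_channel': new_channel,
                    'stop_transmitting_until_switch': mode == 1,
                    'switch_count': count, 'switch_timing': timing,
                    'protected': info['protected']}
    raise ValueError('Channel Switch Announcement element missing')


if __name__ == '__main__':
    bssid, sta = bytes.fromhex('00112233aabb'), bytes.fromhex('021122334455')
    frame = build_csa_action(sta, bssid, new_channel=36, count=1)
    print(parse_channel_switch(frame))
```

A monitoring tool would log the 'protected' flag alongside the announced channel: on a network running 802.11w, a Spectrum Management action frame arriving with the Protected Frame bit clear did not come from the AP.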
Oct 22, 2016
Extended Rate PHY (ERP) Element
The ERP element is present only on 2.4 GHz networks supporting 802.11g, and is carried in beacons and probe responses.

ERP is essential to the operation of mixed 802.11b/g/n networks: it tells the 802.11g (ERP-OFDM) stations whether 802.11b (HR-DSSS) devices that cannot decode OFDM transmissions are around, and therefore whether the protection mechanism is needed.
The NonERP_Present bit is set to 1 if at least one of the following conditions is met:
- A legacy 802.11b client associates to the cell.
- A neighboring cell is detected that allows only non-ERP data rates. This detection is expected to occur by receiving a beacon from the neighboring cell.
- Any other management frame is received from a neighboring cell supporting only non-ERP data rates.
The Use_Protection bit is set to 1 as soon as a non-ERP client is associated to the cell.
The NonERP_Present bit therefore reflects the non-ERP stations the AP itself has detected. If the AP sees a beacon from a neighboring AP with the Use_Protection bit set to 1, there may be a non-ERP station in the neighboring cell that can affect the traffic of the local clients in the direction of that neighbor, even if the local AP does not hear the non-ERP client directly, and the AP may enable protection for that reason as well.

A common misconception is that 802.11g radios revert to 802.11b data rates when the protection mechanism is used. In reality, ERP (802.11g) radios still transmit data at the higher ERP-OFDM rates. However, when an HR-DSSS (802.11b) station causes an ERP (802.11g) BSS to enable the protection mechanism, a large amount of RTS/CTS or CTS-to-self overhead is added prior to every ERP-OFDM data transmission. The aggregate data throughput loss is caused by the extra overhead and not by using slower 802.11b rates. A data rate of 54 Mbps usually will provide about 18–20 Mbps of aggregate throughput when protection is not enabled. After protection is enabled, even though the ERP STA may be transmitting frames at ERP rates, the overhead of protection will likely reduce the aggregate data throughput to below 13 Mbps and possibly as low as 9 Mbps.
Traffic Indication Map (TIM) Element
The Traffic Indication Map is present only in beacons. The TIM element contains information useful to clients in low-power mode.
Besides the classical Element ID and Length, the TIM carries two kinds of information: the DTIM fields (DTIM Count and DTIM Period) and the virtual bitmap (a Bitmap Control byte followed by the Partial Virtual Bitmap).
Every TIM carries the DTIM Count and DTIM Period fields, but not every beacon is a DTIM beacon: when the DTIM Count reaches 0, the beacon's TIM is a DTIM (Delivery Traffic Indication Message). The AP uses the DTIM to tell the cell whether it has broadcast or multicast frames buffered. Stations in low-power mode should wake up at least for every DTIM beacon. The DTIM does not have to be in every beacon; it can, for example, occur every two to five beacons (the DTIM Period).
When a DTIM shows that broadcast or multicast traffic is buffered at the AP, all stations stay awake. Just after sending the beacon announcing the buffered broadcast or multicast frames, the AP contends for the medium and forwards them to the cell. Once the stations have received them, they can go back to sleep if needed.
The first bit (bit 0) of the Bitmap Control field announces the presence of multicast or broadcast traffic buffered on the AP. The remaining seven bits hold the Bitmap Offset, which tells stations which part of the full virtual bitmap the Partial Virtual Bitmap covers; each unicast station looks up the bit corresponding to its own AID in that bitmap.
When bit 0 of the Bitmap Control field is set to 1, the AP has multicast or broadcast frames buffered. When it is 0, there is no buffered broadcast or multicast traffic.
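To make the ERP and TIM element layouts concrete, here is an added Python example (my own, not from CWAP or the original posts) serving both the ERP post above and this TIM post. It builds a beacon carrying an SSID, an ERP element and a TIM element, then parses the beacon back and answers the question a dozing station asks on every DTIM: "does the AP hold frames for my AID, or for the group?" The BSSID, SSID and AIDs are constructed; the element layouts follow IEEE 802.11-2012 (bit n of the virtual bitmap is bit n mod 8 of octet n div 8, and only octets N1..N2 are transmitted, with N1 even and Bitmap Offset = N1/2):

```python
import struct

EID_SSID, EID_TIM, EID_ERP = 0, 5, 42
MGMT_HDR = struct.Struct('<HH6s6s6sH')     # Frame Control, Duration, Addr1, Addr2, Addr3, Sequence Control
BEACON_FIXED = struct.Struct('<QHH')       # Timestamp, Beacon Interval, Capability Information
FC_BEACON = 0x0080                          # type 0 (management), subtype 8 (beacon)


def build_erp(non_erp_present, use_protection, barker_preamble=False):
    bits = int(non_erp_present) | int(use_protection) << 1 | int(barker_preamble) << 2
    return bytes([EID_ERP, 1, bits])


def parse_erp(value):
    return {'non_erp_present': bool(value[0] & 1),
            'use_protection': bool(value[0] & 2),
            'barker_preamble_mode': bool(value[0] & 4)}


def build_tim(dtim_count, dtim_period, multicast_buffered, aids):
    """TIM element for the given AIDs with buffered unicast traffic."""
    virtual = bytearray(251)                # 2008 bits: AID 0 (reserved) .. AID 2007
    for aid in aids:
        if not 1 <= aid <= 2007:
            raise ValueError('AID %d out of range' % aid)
        virtual[aid // 8] |= 1 << (aid % 8)
    used = [i for i, octet in enumerate(virtual) if octet]
    n1 = (used[0] & ~1) if used else 0      # largest even octet index at or before the first set bit
    n2 = used[-1] if used else 0
    bitmap_control = int(multicast_buffered) | (n1 // 2) << 1   # bit 0 = group traffic, bits 1-7 = offset
    partial = bytes(virtual[n1:n2 + 1])
    return bytes([EID_TIM, 3 + len(partial), dtim_count, dtim_period, bitmap_control]) + partial


def parse_tim(value):
    if len(value) < 4:
        raise ValueError('TIM element too short')
    return {'dtim_count': value[0], 'dtim_period': value[1],
            'multicast_buffered': bool(value[2] & 1),
            'bitmap_offset': value[2] >> 1, 'partial_bitmap': value[3:]}


def aid_has_buffered_traffic(tim, aid):
    """What a station in power save mode checks for its own AID on each beacon it wakes for."""
    octet = aid // 8 - 2 * tim['bitmap_offset']
    if not 0 <= octet < len(tim['partial_bitmap']):
        return False                        # AID lies outside the transmitted part of the bitmap
    return bool((tim['partial_bitmap'][octet] >> (aid % 8)) & 1)


def build_beacon(bssid, ssid, elements, interval=100, capability=0x0411):
    header = MGMT_HDR.pack(FC_BEACON, 0, b'\xff' * 6, bssid, bssid, 0)
    ssid_element = bytes([EID_SSID, len(ssid)]) + ssid
    return header + BEACON_FIXED.pack(0, interval, capability) + ssid_element + b''.join(elements)


def parse_beacon(frame):
    fc, _, _, _, bssid, _ = MGMT_HDR.unpack_from(frame, 0)
    if (fc & 0x00FC) != FC_BEACON:
        raise ValueError('not a beacon')
    _, interval, capability = BEACON_FIXED.unpack_from(frame, MGMT_HDR.size)
    info = {'bssid': bssid, 'beacon_interval_tu': interval, 'capability': capability,
            'ssid': None, 'erp': None, 'tim': None}
    offset = MGMT_HDR.size + BEACON_FIXED.size
    while offset + 2 <= len(frame):          # walk the ID/Length/Value elements
        eid, length = frame[offset], frame[offset + 1]
        value = frame[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError('truncated element %d' % eid)
        if eid == EID_SSID:
            info['ssid'] = value
        elif eid == EID_ERP:
            info['erp'] = parse_erp(value)
        elif eid == EID_TIM:
            info['tim'] = parse_tim(value)
        offset += 2 + length
    return info


if __name__ == '__main__':
    # Constructed cell: one 802.11b client present (protection on), unicast buffered for AIDs 20, 37, 1500.
    beacon = build_beacon(bytes.fromhex('00112233aabb'), b'lab',
                          [build_erp(True, True), build_tim(0, 3, True, [20, 37, 1500])])
    info = parse_beacon(beacon)
    print(info['erp'], info['tim']['bitmap_offset'], aid_has_buffered_traffic(info['tim'], 1500))
```

Note how build_tim trims the bitmap: with AIDs 20, 37 and 1500 the element still has to carry octets 2 through 187 of the virtual bitmap, which is why APs prefer to hand out low AIDs and why a 2007-station cell would bloat every beacon.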
Reassociation Request / Response Frame
A Reassociation Request frame can be sent only by a client to an access point, and is used when the client is already associated to the ESS (through another AP) and wants to associate to a new access point.
The following pictures show the reassociation request frame format and elements.
above the pictures from CWAP
In this logic, the client leaves the coverage area of an access point and needs to associate to another access point offering the same SSID. The roaming station goes through the authentication phase with the new access point, then sends a reassociation request that carries the old AP's MAC address (the Current AP Address field), and finally joins the new AP, receiving a new AID.
Why not simply send an association request frame? Because the logic is that the new access point should contact the old access point and move the station's parameters from the old AP to the new one.
A client can be authenticated to several access points, as long as it is associated to only one of them.
An AP uses the reassociation response frame to answer a reassociation request frame. The reassociation response contains the elements shown in the following pictures.
Above pictures from CWAP
The difference between the association and reassociation frames is:
- With association request/response, the client obtains an AID on the local AP.
- With reassociation request/response, the client's context has to move from the old AP to the new AP, which then assigns the new AID.
Oct 21, 2016
Disassociation Frame and Deauthentication Frame
Once a station is associated to an AP, either side can terminate the association at any time by sending a disassociation frame (see the following picture). A station would send such a frame, for example, because it leaves the cell to roam to another AP. An AP could send it, for example, because the station tries to use invalid parameters, or for reasons related to the AP itself (a configuration change, and so on).
A disassociated station is still authenticated. It can try to associate again by sending a new association request frame, keeping its authenticated status. For this reason, disassociation frames are typically used when parameters change and the station or the AP needs to renegotiate the communication parameters. A station roaming to another cell may also choose to use a disassociation frame, so that it keeps its authenticated status and accelerates the process if it roams back to the same cell before its authentication timeout expires.

The station or the AP can also send a deauthentication frame. This frame is used when all communications are terminated, for example because the AP has to reboot or because the station stops its Wi-Fi communications. It is also sent by an AP that receives a frame from a station before authentication has completed (reason code 6, Class 2 frame received from a nonauthenticated station).


above picture from CWAP
The disassociation frame's DA can be the unicast MAC address of the station to disassociate, or the broadcast address if the AP needs to disassociate all the stations in its cell. When the disassociation frame is unicast, it is acknowledged by the receiving station. Broadcast frames are not acknowledged.
Neither frame carries any proof of origin. Without 802.11w (Protected Management Frames), a deauthentication or disassociation frame is accepted on the strength of its source address alone, which is why a spoofed deauthentication is the classic way to knock clients off a network. With 802.11w, unicast deauthentication and disassociation frames are encrypted and integrity-protected, and broadcast ones carry a BIP integrity check, so forged copies are discarded.
Here is the complete list of reason codes as per the IEEE 802.11-2012 standard.
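As an added example on the detection side (my own code, not CWAP's or the post's), the following Python parses disassociation and deauthentication frames, maps the reason code to its IEEE 802.11-2012 meaning for the codes most often seen in captures, and runs a simple flood detector over a constructed sequence of frames such as a monitor-mode sniffer would hand to it. The addresses, timestamps and the threshold are constructed; the frame layout is the 24-byte management header followed by the 2-byte reason code, with the FCS stripped:

```python
import struct
from collections import defaultdict, deque

MGMT_HDR = struct.Struct('<HH6s6s6sH')   # Frame Control, Duration, Addr1 (DA), Addr2 (SA), Addr3 (BSSID), Seq Control
SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 10, 12
BROADCAST = b'\xff' * 6
# Reason codes from IEEE 802.11-2012 Table 8-36 (subset; others map to 'reserved/other' below)
REASON_CODES = {
    1: 'Unspecified reason',
    2: 'Previous authentication no longer valid',
    3: 'Deauthenticated because sending STA is leaving (or has left) IBSS or ESS',
    4: 'Disassociated due to inactivity',
    5: 'Disassociated because AP is unable to handle all currently associated STAs',
    6: 'Class 2 frame received from nonauthenticated STA',
    7: 'Class 3 frame received from nonassociated STA',
    8: 'Disassociated because sending STA is leaving (or has left) BSS',
    15: '4-Way Handshake timeout',
}


def build_teardown(subtype, da, sa, bssid, reason, seq=0):
    """Unprotected disassociation (subtype 10) or deauthentication (subtype 12) frame, no FCS."""
    if subtype not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
        raise ValueError('subtype %d is not a teardown frame' % subtype)
    return MGMT_HDR.pack(subtype << 4, 0, da, sa, bssid, seq << 4) + struct.pack('<H', reason)


def parse_teardown(frame):
    """Return a dict for a disassociation/deauthentication frame, None for any other frame type."""
    if len(frame) < MGMT_HDR.size:
        return None
    fc, _, da, sa, bssid, seq_ctl = MGMT_HDR.unpack_from(frame, 0)
    if fc & 0x000C != 0:                      # type bits 2-3 must be 0 (management)
        return None
    subtype = (fc >> 4) & 0xF
    if subtype not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
        return None
    if len(frame) < MGMT_HDR.size + 2:
        raise ValueError('reason code missing')
    reason, = struct.unpack_from('<H', frame, MGMT_HDR.size)
    return {'kind': 'deauth' if subtype == SUBTYPE_DEAUTH else 'disassoc',
            'da': da, 'sa': sa, 'bssid': bssid, 'seq': seq_ctl >> 4,
            'reason': reason, 'reason_text': REASON_CODES.get(reason, 'reserved/other'),
            'protected': bool(fc & 0x4000)}   # Protected Frame bit: set only when 802.11w protects the frame


def detect_teardown_flood(events, window_s=1.0, threshold=5):
    """events: iterable of (timestamp_seconds, frame_bytes) in capture order.

    Alerts on any broadcast deauth/disassoc, and once whenever one (BSSID, sender) pair
    reaches `threshold` teardown frames inside `window_s` seconds, the signature of a deauth flood.
    """
    alerts, recent = [], defaultdict(deque)
    for t, frame in events:
        info = parse_teardown(frame)
        if info is None or info['protected']:     # clients drop forged PMF frames (bad MIC), so only unprotected ones matter
            continue
        key = (info['bssid'], info['sa'])
        window = recent[key]
        window.append(t)
        while window and t - window[0] > window_s:
            window.popleft()
        if info['da'] == BROADCAST:
            alerts.append(('broadcast_' + info['kind'], key, t, info['reason_text']))
        if len(window) == threshold:              # fires once as the rate crosses the threshold
            alerts.append(('flood', key, t, info['reason_text']))
    return alerts


if __name__ == '__main__':
    ap, sta = bytes.fromhex('00112233aabb'), bytes.fromhex('021122334455')
    # Constructed trace: one legitimate unicast deauth, then six broadcast deauths in half a second.
    events = [(0.0, build_teardown(SUBTYPE_DEAUTH, sta, ap, ap, 3))]
    events += [(10.0 + i * 0.1, build_teardown(SUBTYPE_DEAUTH, BROADCAST, ap, ap, 7, seq=i)) for i in range(6)]
    for alert in detect_teardown_flood(events):
        print(alert)
```

Reason code 7 (Class 3 frame from a nonassociated station) sent to the broadcast address at a high rate is a combination no AP produces on its own; pairing the alert with the Sequence Control values (a spoofing tool usually cannot continue the real AP's sequence counter) is the usual next check.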
Association Request and Response Frames
If the 802.11 authentication phase completes with a Success result, the station moves to the association phase. The purpose of this exchange is for the station to join the cell and obtain a cell member identifier, the Association ID (AID). The association frame is a unicast management frame and is always acknowledged.
The following picture and table show the frame format and elements for the association request.
above pictures from CWAP
Wireshark display filter for association requests: wlan.fc.type_subtype == 0x0000
After the association request, the AP sends an association response to the client. The following picture and table show the frame format and elements for the association response.
above pictures from CWAP
If the AP returns the association response with Status Code = Successful (0), it communicates an Association ID (AID), which is the station's identifier on the access point. The AID value is an integer between 1 and 2007. Although the field is 2 bytes long, only the 14 least significant bits are used (the two most significant bits are set to 1). In reality, you would probably never see 2,007 stations associated to a single AP: the overhead required to maintain the cell state with so many stations would create so many collisions that the associations could never reach this number.
Wireshark display filter for association responses: wlan.fc.type_subtype == 0x0001
Oct 20, 2016
Authentication Frame
The purpose of the 802.11 authentication exchange is to validate the device type, in other words, to verify that the requesting station has the 802.11 capabilities needed to join the cell. Open System authentication accepts any station that asks; it provides no security by itself.
The following picture shows the authentication frame format.
In the authentication exchange, the 2-byte Authentication Transaction Sequence Number field indicates the current step of the multi-step transaction. Depending on the exchange, the result of the authentication phase can be a successful authentication or a failure. The last frame of the authentication sequence carries the Status Code: 0 is Success, 1 is Unspecified failure, and 2–9 were reserved values in the original standard.
The Authentication Algorithm Number field describes which authentication system is used: 0 is Open System and 1 is Shared Key (later amendments added 2 for Fast BSS Transition and 3 for SAE).
Wireshark display filter for authentication frames: wlan.fc.type_subtype == 0x000b
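To tie the authentication, association, reassociation and disassociation/deauthentication posts together, here is an added Python example (my own code, not CWAP's or the blog's) that decodes the fixed fields of the authentication, association response and reassociation request bodies as laid out in IEEE 802.11-2012, applies the AID encoding described above (14 usable bits, top two bits set), and tracks one station through the three 802.11 states an AP keeps for it: unauthenticated/unassociated, authenticated/unassociated, and authenticated/associated. The capability values, listen interval and addresses are constructed:

```python
import struct

AUTH_ALGORITHMS = {0: 'Open System', 1: 'Shared Key', 2: 'Fast BSS Transition', 3: 'SAE'}
AID_MASK = 0x3FFF       # the 14 least significant bits carry the AID; the two MSBs are set to 1


def parse_authentication(body):
    """Authentication frame body: algorithm number, transaction sequence number, status code."""
    if len(body) < 6:
        raise ValueError('authentication body too short')
    algorithm, seq, status = struct.unpack_from('<HHH', body, 0)
    return {'algorithm': algorithm, 'algorithm_name': AUTH_ALGORITHMS.get(algorithm, 'unknown'),
            'transaction_seq': seq, 'status': status, 'elements': body[6:]}


def authentication_complete(auth):
    """True for the final successful frame: frame 2 of Open System, frame 4 of Shared Key."""
    final_seq = {0: 2, 1: 4}.get(auth['algorithm'])
    return auth['status'] == 0 and auth['transaction_seq'] == final_seq


def encode_aid(aid):
    if not 1 <= aid <= 2007:
        raise ValueError('AID %d outside 1..2007' % aid)
    return 0xC000 | aid


def parse_association_response(body):
    """Association/reassociation response body: capability, status code, AID, then elements."""
    if len(body) < 6:
        raise ValueError('association response body too short')
    capability, status, aid_field = struct.unpack_from('<HHH', body, 0)
    return {'capability': capability, 'status': status,
            'aid': aid_field & AID_MASK if status == 0 else None, 'elements': body[6:]}


def parse_reassociation_request(body):
    """Reassociation request body: capability, listen interval, current (old) AP address, then elements."""
    if len(body) < 10:
        raise ValueError('reassociation request body too short')
    capability, listen_interval = struct.unpack_from('<HH', body, 0)
    return {'capability': capability, 'listen_interval': listen_interval,
            'current_ap': body[4:10], 'elements': body[10:]}


class StationState:
    """802.11 station state as an AP tracks it: 1 = unauthenticated/unassociated,
    2 = authenticated/unassociated, 3 = authenticated/associated."""
    UNAUTH, AUTH, ASSOC = 1, 2, 3

    def __init__(self):
        self.state, self.aid = self.UNAUTH, None

    def on_authentication(self, body):
        if authentication_complete(parse_authentication(body)):
            self.state = self.AUTH

    def on_association_response(self, body):
        # Association frames are Class 2: from a station still in state 1 they earn reason code 6.
        if self.state == self.UNAUTH:
            raise ValueError('Class 2 frame from a nonauthenticated station (reason code 6)')
        response = parse_association_response(body)
        if response['status'] == 0:
            self.state, self.aid = self.ASSOC, response['aid']

    def on_disassociation(self):
        # A disassociated station stays authenticated: it can re-associate without a new auth exchange.
        if self.state == self.ASSOC:
            self.state, self.aid = self.AUTH, None

    def on_deauthentication(self):
        self.state, self.aid = self.UNAUTH, None


if __name__ == '__main__':
    sta = StationState()
    sta.on_authentication(struct.pack('<HHH', 0, 2, 0))                 # Open System, frame 2, success
    sta.on_association_response(struct.pack('<HHH', 0x0411, 0, encode_aid(5)))
    print('state', sta.state, 'aid', sta.aid)
    sta.on_disassociation()
    print('after disassoc, state', sta.state)                           # still authenticated
```

Shared Key authentication is the one case where a frame with status 0 is not the end of the exchange (frame 2 carries the challenge), which is why authentication_complete keys the final sequence number on the algorithm rather than treating any successful status as done.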