As shown in the below figure, 802.11 MAC header has 9 major fields
- 2 Byte – Frame Control
- 2 Byte – Duration/ID
- 4×6 Byte – Address 1 – 4
- 2 Byte – Sequence Control
- 2 Byte – QoS control
- 4 Byte – HT Control (only for 802.11n frames)
Therefore max size of MAC header would be 36 bytes (802.11n) & 32 bytes (802.11a/b/g). Below show a sample wireless frame & highlighted the major fields of MAC header. As you can see this frame uses only 3 Address fields (Not every frame uses all 4 address fields, this is used when DS to DS frame exchange like in wireless bridge ).
Here is an ACK frame. As you can see it only use 1 Address field. Also it does not have Sequency or QoS control fields (QoS control field available only on QoS Data frames)As you can see above all wireless frames does not have same size MAC headers. Let’s see “Frame Control” information in detail. As you can see below it contain 11 subfields within “Frame Control” field.
1. Protocol Version (2-bits)
This field is simply used to indicate which protocol version of 802.11 is being used by the frame. This is always set to “0” as currently one version of 802.11 technology exist.
2. Type (2-bits)
There are 3 types (Management, Control, Data) of wireless frames defined in the standard. Below shows the bit value of “Type” field respect to each different type of frames.
00– Management Frame
01– Control Frame
10– Data Frame
3. Subtype (4-bits)
There are many different kinds of management, control & data frames. Therefore 4-bit Subtype field is required to differentiate them. Here are few examples of different subtypes (CWAP Official Study Guide – Page 79)
5. From DS (1-bit)
When it set to “1” that indicate data frame is going from Distribution System (DS) to client station (STA)
Also this To DS & From DS field combination (00, 01,10 & 11) indication different scenarios
To DS=0, From DS=0
– It can be management or control frames where it does not go to DS
– Station to Station communication in IBSS
– STSL: Station to Station Link where data frame exchange direct client to client.
To DS=0, From DS=1
– Downstream traffic from AP to a client station.
To DS=1, From DS=0
– Upstream traffic from a client station to an AP.
To DS=1, From DS=1
Data frames uses four address format.Usually occurs when Wireless Distribution System (WDS) in use, like Wireless Bridge or Mesh Network.
6. More Fragments (1-bit)
If this bit is set to “1” that indicate thta frame (data or management type) have another fragment of the current MSDU or current MMPDU to follow. MAC layer fragments only those frame having unicast receiver address & never fragments broadcast or multicast frames (as those never get acknowledged)
7. Retry (1-bit)
If Retry bit set to “1” in either a management frame or data frame, the Tx radio is indicating that the frame being sent is a “retransmission”. If a Tx station did not receive an ACK for a unicast frame, then frame will be retransmitted. In certain cases where ACK is not used (eg in RTS/CTS frame exchange, CTS server as ACK). Excessive L2 retransmissions affect WLAN performance in two ways.
- Increases overhead resulting decreasing throughput
- impact timely delivery of application traffic (affect voice/video services
Typically most data applications operate in environment upto 10% retransmissions without any noticeable degradation in performance. However time sensitive applications like VoIP required less than 5% retransmissions. Using a wireless protocol analyzer you can see retransmissions rate in a given environment (below taken from OmniPeek Analyzer)
8. Power Management (1-bit)
When a client station in “Power Save mode” it will shutdown some of the transceivers components for a period of time to conserve power.The station indicates that it is using Power Save mode by changing the value of Power Save mode bit to 1. As you can see below “Null ” data frames used to inform AP about client in Power Save mode.9. More Data (1-bit)
When a client associate to an AP, client receives an association identifier (AID). AP use this AID to keep track of stations associated to the AP & members of BSS. If AP is buffering data for a station in Power Save mode, when AP transmit its next beacon, the AID of the station will be seen in a field called “traffic indication map– TIM“. When station receives the beacon during the awake state, it checks to see wether its AID is set in TIM, indicating buffered unicast frame waits. If so station will remain awake & will send a PS-Poll frame to the AP. Then AP will send buffered unicast frame to station. To indicate there are more frames AP will set “More Data” field to 1, so station can awake to receive all of those frames. Below diagram (page 85 – CWAP study guide) summarize this process.
10. Protected Frame (1-bit)
This field is used to indicate whether the MSDU payload of a data frame is encrypted.Below shows a Data frame where payload is encrypted indicated by setting protected bit to “1”. When client informed AP that it is on Power Save mode, then AP buffer all that client’s 802.11 frames.
It can be 1 in management frame type authentication when it used shared key authentication. Below shows the 3rd authentication frame used in that exchange where cleartext is encrypted using WEP (see this post for more detail)11. Order (1-bit)
If it set to “1” in any non-QoS data frame when a higher layer has requested that the data be sent using a strictly ordered class of service, which tells the receiving station the frames must be processed in order. This field is set to “0” in all other frames.
1. CWAP Official Study Guide – Chapter 3
1. CWAP – MAC Header:Addresses
2. CWAP – MAC Header:QoS Control
3. CWAP – MAC Header:Duration/ID