Beacon frames are used by access points (and by stations in an IBSS) to communicate throughout the serviced area the characteristics of the connection offered to the cell members. This information is used both by clients trying to connect to the network and by clients already associated to the BSS.
Beacons are sent periodically, at a time called the Target Beacon Transmission Time (TBTT).
1 TU = 1024 microseconds
Beacon interval = 100 TU (100 × 1024 microseconds, or 102.4 milliseconds)
Here is the frame format of a Beacon frame.
Below is a beacon frame capture. In the frame body there are a few mandatory fields and a few optional fields. These are the mandatory fields in a Beacon frame:
1. Timestamp (8 byte)
2. Beacon Interval (2 byte)
3. Capability info (2 byte)
4. SSID (variable size)
5. Supported Rates (variable size)
Here is a brief description of each field of a Beacon frame. Where the size of the IE is given in brackets, that element is fixed length; the other elements are variable in size.
1. Timestamp (8 byte):
A value representing the time on the access point, i.e. the number of microseconds the AP has been active. When the timestamp reaches its maximum (2^64 microseconds, or ~580,000 years) it resets to 0. This field is present in Beacon and Probe Response frames.
2. Beacon Interval (2 byte)
The Beacon Interval field represents the number of time units (TU) between target beacon transmission times (TBTT). The default value is 100 TU (102.4 milliseconds).
3. Capability Information (2 byte)
This field contains a number of subfields that are used to indicate requested or advertised optional capabilities.
4. SSID
Present in all Beacons, Probe Requests, Probe Responses, Association Requests and Reassociation Requests. The Element ID of the SSID IE is 0. An SSID can have a maximum of 32 characters.
5. Supported Rates
This is present in Beacons, Probe Requests, Probe Responses, Association Requests, Association Responses, Reassociation Requests and Reassociation Responses. It is an 8-octet field where each octet describes a single supported rate. The most significant bit (bit 7) of each octet indicates whether the data rate is a “basic (mandatory) rate” or a “supported rate”: a value of 1 indicates a basic rate, a value of 0 a supported rate. The remaining 7 bits (0-6) give the data rate in units of 500 kbps.
E.g. 6 Mbps (12 × 500 kbps units) as a Basic Rate is represented as 10001100:
bit 7 = 1 (to indicate a basic rate)
bits 0-6 = 0001100 (value 12, to indicate 6 Mbps)
Here is an expansion of the “Supported Rates” field of a Beacon. It has Element ID, Length and Supported Rates fields. At least one mandatory rate must be set by the AP, and any station wanting to join the cell must support all basic rates. The example shows the default setting of an 802.11a radio where 6 Mbps, 12 Mbps and 24 Mbps are set as “Basic Rates”, ensuring that a joining station understands all modulation techniques (i.e. BPSK for 6 and 9 Mbps, QPSK for 12 and 18 Mbps, QAM for 24 Mbps and higher).
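As an added example (not code from the original post), the following decodes a Supported Rates element body exactly as described above and checks whether a station's own rate set covers every basic rate; it also goes one step beyond the text by recognising the BSS Membership Selector values (127 = HT PHY, 126 = VHT PHY) that share this field and are not data rates. The two rate sets are constructed samples.

```python
# Added example (not from the original post): decode a Supported Rates element
# body and check whether a station's own rate set covers every basic (mandatory)
# rate, which the text says a station must support before it may join the cell.

# BSS Membership Selector values share this field: with bit 7 set, a value of
# 127 means "HT PHY required" and 126 "VHT PHY required", not a data rate.
MEMBERSHIP_SELECTORS = {127: "HT PHY", 126: "VHT PHY"}

def decode_supported_rates(body: bytes) -> list:
    """Return (rate_mbps, is_basic) per octet; selectors come back as (name, True)."""
    rates = []
    for octet in body:
        basic = bool(octet & 0x80)      # bit 7: 1 = basic/mandatory, 0 = supported
        units = octet & 0x7F            # bits 0-6: data rate in 500 kbps units
        if basic and units in MEMBERSHIP_SELECTORS:
            rates.append((MEMBERSHIP_SELECTORS[units], True))
        else:
            rates.append((units * 0.5, basic))
    return rates

def basic_rates(body: bytes) -> list:
    """The rates a joining station must support (membership selectors excluded)."""
    return sorted(r for r, basic in decode_supported_rates(body)
                  if basic and isinstance(r, float))

def station_can_join(body: bytes, station_rates_mbps) -> bool:
    """True when the station supports every basic rate the AP advertises."""
    return set(basic_rates(body)) <= set(station_rates_mbps)

# Constructed sample: the default 802.11a set from the text, 6/12/24 Mbps basic.
OFDM_DEFAULT = bytes([0x8C, 0x12, 0x98, 0x24, 0xB0, 0x48, 0x60, 0x6C])
# Constructed sample: 2.4 GHz set with 1/2/5.5/11 Mbps basic plus an HT PHY selector.
DSSS_WITH_HT = bytes([0x82, 0x84, 0x8B, 0x96, 0x0C, 0x18, 0x30, 0xFF])

if __name__ == "__main__":
    for rate, basic in decode_supported_rates(DSSS_WITH_HT):
        label = f"{rate} Mbps" if isinstance(rate, float) else rate
        print(label, "(B)" if basic else "")
    # An OFDM-only station lacks 1/2/5.5/11 Mbps, so it cannot join the 2.4 GHz cell.
    print(station_can_join(DSSS_WITH_HT, [6, 9, 12, 18, 24, 36, 48, 54]))
```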
6. FH parameter set
Used by legacy Frequency Hopping (FH) stations.
7. DS Parameter (2 byte)
Present in beacon frames generated by stations using a Clause 15, 18 or 19 PHY, or if the beacon is sent using one of the rates defined by one of those clauses.
8. CF Parameter (8 byte)
Used with PCF; unused in real networks.
9. IBSS parameter (4 byte)
Present only within beacon frames generated by stations in an IBSS (or ad hoc network).
10. TIM (Traffic Indication Map)
Present only within beacon frames generated by APs. The TIM element contains information useful for stations in low-power mode. The AP uses the Delivery Traffic Indication Map (DTIM) to inform the cell that it has broadcast or multicast frames buffered. Not every beacon carries a DTIM; only some TIMs are DTIMs.
As you can see below, it has the following fields:
a. Element ID (1 byte)
b. Length (4 byte)
c. DTIM Count (1 byte) – how many beacon frames (including the current one) appear before the next DTIM. A value of 0 indicates that the current TIM is a DTIM.
d. DTIM Period (1 byte) – the number of beacon intervals between successive DTIMs.
e. Bitmap Control (1 byte) – if the first bit = 1, the AP has multicast/broadcast data buffered; if the first bit = 0, it has no multicast/broadcast data buffered.
f. Partial Virtual Bitmap (1-251 byte) – represents the stations in low-power mode for which the AP has traffic buffered.
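As an added example (not code from the original post), the following decodes a TIM element body into the fields listed above; it goes slightly beyond the text by also using the Bitmap Offset (bits 1-7 of Bitmap Control) to turn the Partial Virtual Bitmap into the list of AIDs with buffered unicast traffic. The TIM bytes are a constructed sample.

```python
# Added example (not from the original post): decode a TIM element body into
# the DTIM count/period, the multicast/broadcast indicator and the AIDs of the
# power-saving stations for which the AP has unicast traffic buffered.

def decode_tim(body: bytes) -> dict:
    """Parse the TIM body (the bytes after Element ID and Length)."""
    if len(body) < 4:
        raise ValueError("TIM body needs DTIM Count, DTIM Period, Bitmap Control and a PVB")
    dtim_count, dtim_period, bitmap_control = body[0], body[1], body[2]
    pvb = body[3:]                        # Partial Virtual Bitmap, 1-251 octets
    # Bitmap Control: bit 0 = multicast/broadcast buffered (AID 0), bits 1-7 = Bitmap
    # Offset; the PVB starts at octet 2*offset of the full traffic-indication bitmap.
    offset = (bitmap_control >> 1) & 0x7F
    buffered_aids = []
    for i, octet in enumerate(pvb):
        for j in range(8):
            if octet & (1 << j):          # bit j of full-bitmap octet N marks AID 8*N + j
                buffered_aids.append(8 * (2 * offset + i) + j)
    return {
        "dtim_count": dtim_count,
        "dtim_period": dtim_period,
        "is_dtim": dtim_count == 0,       # count 0 means this TIM is a DTIM
        "multicast_buffered": bool(bitmap_control & 0x01),
        "pvb_start_octet": 2 * offset,
        "buffered_aids": buffered_aids,
    }

# Constructed sample: DTIM Count 0 (this beacon is a DTIM), DTIM Period 3,
# Bitmap Control 0x05 = multicast buffered + Bitmap Offset 2 (PVB starts at octet 4),
# PVB 0x22 0x01 -> bits 1 and 5 of octet 4 and bit 0 of octet 5 are set.
SAMPLE_TIM = bytes([0x00, 0x03, 0x05, 0x22, 0x01])

if __name__ == "__main__":
    tim = decode_tim(SAMPLE_TIM)
    print("DTIM:", tim["is_dtim"], "multicast buffered:", tim["multicast_buffered"])
    print("stations with buffered unicast traffic (AIDs):", tim["buffered_aids"])  # [33, 37, 40]
```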
11. Country
Each country has a regulatory body that limits the channels or power levels allowed in its regulatory domain. This element defines the country of operation along with the allowed channels and maximum transmit power. It is not a mandatory field in a beacon.
12-13. FH Parameters & FH Pattern table (used by Legacy FH stations)
14. Power Constraint (3 byte)
This element is related to 802.11h. It is for UNII-2 and UNII-2 Extended (channels 52, 56, 60, 64 and 100-139), where the spectrum is also used for other purposes such as civilian airport radar and weather radar. To avoid interference with those systems, the AP should operate within the maximum power specified by this constraint field.
15. Channel Switch (6 byte)
This is also related to 802.11h. When a radar blast is detected, all stations must leave the affected channel. The AP can use this element to announce to the cell which channel is next.
16. Quiet (8 byte)
Another element related to 802.11h where an AP can request a quiet time during which no station should transmit in order to test the channel for the presence of radars.
17. IBSS DFS – used with 802.11h in an IBSS
18. TPC Report (4 byte)
This element is also related to 802.11h. The TPC Report element contains Transmit Power and Link Margin information and is usually sent in response to a TPC Request element. Below is the “TPC Report” element of a beacon frame.
19. ERP Information ( 3 byte)
The ERP element is present only on 2.4GHz networks supporting 802.11g, and it is carried in beacons and probe responses. The NonERP_Present bit is set to 1 under the following conditions:
a. A non-ERP station (legacy 802.11 or 802.11b) associates to the cell
b. A neighboring cell is detected that allows only non-ERP data rates
c. Any other management frame (except a probe request) is received from a neighboring cell supporting only non-ERP data rates.
20. Extended Supported Rates
The Extended Supported Rates element specifies the supported rates not carried in the Supported Rates element. It is only required if there are more than 8 supported rates.
21. RSN– Robust Secure Network
The RSN information element is used to indicate the authentication (AKM) suites, the encryption ciphers and other RSN capabilities. The RSN IE below shows an AP supporting 802.1X and 802.11r FT as Authentication Suites. It also uses AES as the pairwise cipher (for unicast traffic) and as the group cipher (for broadcast/multicast).
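As an added example (not code from the original post), the following walks the tagged parameters of a beacon body, decodes the RSN IE (element ID 48) into its version, group cipher, pairwise ciphers, AKM suites and MFP bits, and classifies the BSS as Open, WPA, WPA2 or mixed from the presence of the RSN IE and the WPA vendor-specific IE (OUI 00:50:F2, type 1). The beacon body is a constructed sample built to match the RSN IE described above.

```python
# Added example (not from the original post): walk a beacon's tagged parameters,
# decode the RSN IE (element ID 48) and classify the BSS as Open / WPA / WPA2
# from the presence of the RSN IE and the WPA vendor-specific IE.
import struct

RSN_ID, VENDOR_ID = 48, 221
WPA_OUI_TYPE = bytes.fromhex("0050f201")   # Microsoft OUI 00:50:F2, type 1 = WPA IE
IEEE_OUI = bytes.fromhex("000fac")
CIPHERS = {2: "TKIP", 4: "CCMP-128 (AES)", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 8: "SAE", 9: "FT-SAE"}

def iter_ies(tagged: bytes):
    """Yield (element_id, body) for each Element ID / Length / body triple."""
    pos = 0
    while pos + 2 <= len(tagged):
        eid, length = tagged[pos], tagged[pos + 1]
        body = tagged[pos + 2:pos + 2 + length]
        if len(body) < length:   # a malformed or truncated frame must not be trusted
            raise ValueError(f"truncated IE {eid}: {len(body)} of {length} bytes")
        yield eid, body
        pos += 2 + length

def suite_name(suite: bytes, table: dict) -> str:
    """Map a 4-byte OUI+type suite selector to a name; non-IEEE OUIs are shown raw."""
    if suite[:3] != IEEE_OUI:
        return f"vendor {suite[:3].hex(':')} type {suite[3]}"
    return table.get(suite[3], f"type {suite[3]}")

def decode_rsn(body: bytes) -> dict:
    """Version, group cipher, pairwise ciphers, AKM suites and the MFP capability bits."""
    version, = struct.unpack_from("<H", body, 0)
    group, pos, lists = suite_name(body[2:6], CIPHERS), 6, []
    for table in (CIPHERS, AKMS):               # pairwise suite list, then AKM suite list
        count, = struct.unpack_from("<H", body, pos)
        lists.append([suite_name(body[pos + 2 + 4 * k:pos + 6 + 4 * k], table) for k in range(count)])
        pos += 2 + 4 * count
    caps = struct.unpack_from("<H", body, pos)[0] if pos + 2 <= len(body) else 0
    return {"version": version, "group": group, "pairwise": lists[0], "akm": lists[1],
            "mfp_capable": bool(caps & 0x80), "mfp_required": bool(caps & 0x40)}

def classify(tagged: bytes) -> str:
    """Open when neither the RSN IE nor the WPA vendor IE is present."""
    has_rsn = has_wpa = False
    for eid, body in iter_ies(tagged):
        has_rsn |= eid == RSN_ID
        has_wpa |= eid == VENDOR_ID and body.startswith(WPA_OUI_TYPE)
    return {(True, True): "WPA/WPA2", (True, False): "WPA2", (False, True): "WPA"}.get((has_rsn, has_wpa), "Open")

# Constructed sample beacon body: SSID "demo", 802.11a rates, RSN IE with 802.1X and
# FT-802.1X AKMs, CCMP pairwise and group ciphers, MFP capable (as described in the text).
SAMPLE_TAGGED = bytes.fromhex("000464656d6f" "01088c129824b048606c" "3018" "0100" "000fac04"
                              "0100" "000fac04" "0200" "000fac01" "000fac03" "8000")
```

`decode_rsn(dict(iter_ies(SAMPLE_TAGGED))[RSN_ID])` yields the suites the text describes, and `classify(SAMPLE_TAGGED)` returns "WPA2".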
22. BSS Load
This element is used only when QoS is supported and is often called the QBSS Load element. It provides information on the cell load from the AP's point of view. It has the following subfields:
a. Station Count – how many stations are currently associated
b. Channel Utilization – the percentage of time the AP sensed the medium as busy (normalized to 0-255)
c. Available Admission Capacity–
23. EDCA Parameter Set
This element is also used when QoS is supported. In most QoS-enabled networks this field is not used; instead the same information is provided via the WMM or WME vendor-specific elements.
24. QoS capability
This element is used only when QoS is supported. It is used as a replacement for the EDCA Parameter Set element when that element is not present.
25-32, 34-36. Vendor Specific
33. Mobility Domain
If an AP supports 802.11r (Fast BSS Transition), it uses the Mobility Domain IE to indicate that. Below is the MDIE of a beacon that supports FT-over-the-DS.
37. HT Capability
Used in 802.11n.
38. HT Operation
Used with 802.11n.
40. Overlapping BSS Scan Parameters.
41. Extended capabilities
42. VHT Capability
Used with 802.11ac.
43. VHT Operation
Used with 802.11ac.
44. VHT Transmit Power Envelope
Used with 802.11ac.
References
1. CWAP Official Study Guide – Chapter 4
Giovanni di Marzio said:
Hello Rasika,
how can I remove TIM information from beacon only for a specific WLAN on a WLC??
Thank you!
nayarasi said:
This is not configurable.
By the way, what’s the reason behind it?
HTH
Rasika
Joe Chiarelli said:
I’ve disabled B mode support on a router, and I still see 1(B), 2(B), 5.5(B) and 11(B) as supported rates. The B mode client doesn’t see the SSID.
Can you explain why disabling B mode does?
Joe Chiarelli said:
I also notice it had rates for 6(B) and 12(B), making them mandatory too. So if the rates are mandatory for something the client can’t do, does that mean they can’t see the SSID?
Hari said:
Even if you disable mode “B” in your router, the rest of the modes, ‘g’ and ‘n’, have backward compatibility, so it will show in your beacon.
saikiran said:
Hi, do legacy systems have the dot11SpectrumManagementRequired attribute?
Ankur Saxena said:
Where are you capturing these packets? I am trying to do the same in Wireshark, but it seems that in Ubuntu the latest version of Wireshark is not showing the Radio Measurement field in the capability info. But in the capability info value I can see radio measurement enabled. Also, in response, the mobile devices which support radio measurement are sending the radio measurement bit enabled, and devices not supporting it are not enabling the same bit.
In Wireshark, I can see Capabilities Information: 1401 in the beacon packet, which shows that the AP supports radio measurement. In the bit description of the capability info bits just below, I can see some bits like 1: ESS capabilities, 1: Short Slot time etc. But I can’t see any Radio Measurement field there as shown by you in your packet capture screenshot.
Please suggest.
Thanks,
Ankur Saxena
nayarasi said:
I capture these over the air
SYEDIKRAM said:
Hi, is it possible to assign different sleeping/ wakeup interval for different stations (legacy station / .ax capable stations) ?
Joe said:
Hi, do you know about the QoS? I see some APs’ QoS info is 10001001, but my AP’s QoS info is 10000110. And I do not know how to set the QoS info.
nayarasi said:
Which information field are you talking about, & what type of wireless frame?
Rasika
raj said:
Hi,
What is the maximum power supported by the country, by reading the beacon?
(11. Country)
Thanks
Madhusudhanan Sampathkumar said:
Hi,
If a device (client) is not “n” capable, we won’t see HT capabilities in its probe request frames, for the simple reason that it is not capable of 802.11n. Likewise, if 802.11n mode is disabled for an AP even though it is “n” capable, will the beacon and probe response contain HT capabilities? My understanding is it should not. I would like to pick your brain on this.
Nandakumar said:
Hi Madhu,
Yes, your understanding is correct. The AP should not announce its ‘n’ capability as part of the beacon and probe response if ‘n’ mode is disabled.
Tim said:
Hi,
I am trying to do a Passive Scan by listening to Beacon frames. Is there a way to determine if an AP supports Open connection? (no authentication)
I just want to get a list of Open WiFi Networks in the area.
jchiar said:
Yes, in the beacon frame it defines an Information Element stating if the SSID supports WPA. If this Information Element is missing, then the SSID is Open.
nayarasi said:
Thanks for responding to these queries, much appreciated your help to the community.
Rasika
Tim said:
Thanks for the reply.
Where would I find this Information Element? Which bytes in the Beacon Frame should I look at?
The Lizard King said:
This will come in handy when creating rogue frames with Python.
gaurav sharma said:
In the Country IE field, I want to know the code and regulatory class for India.
Prithwi said:
What are the mandatory or optional parameters necessary to calculate the throughput of any WLAN network?
Ramakrishnan said:
Throughput depends on multiple parameters.
1. Operational bandwidth
2. Guard Interval
3. MCS index
4. NSS (number of spatial streams)
5. Frame aggregation/Block ack
6. Retry count / percentage of medium
7. Packet error rate.
8. Number of BSS in the operational channel.
9. Beamforming, STBC, LDPC enable/disable
Fabio Cecamore said:
Hi Rasika,
How is a station able to maintain a connection to its associated access point?
How is an access point able to know if a station is out of range (or just offline)?
Cheers
Hari said:
There is a timer in the AP for when a station moves out of range. Once that time completes, if the station has not come back and reconnected, the AP will send a Deauthentication to the STA and remove the STA parameters from the association table.
The time varies from vendor to vendor.
AntonioG said:
Is there a response message from clients to that Beacon Frame? That is, before the client decides or not to connect to that AP, does the client respond with a response message to Beacon Frame?
nayarasi said:
The client will send a Probe Request (& the AP will send a Probe Response) prior to association. Beacon frames are used to advertise SSID capabilities & are sent as broadcast, so no response is expected to a broadcast frame.
HTH
Rasika
Farhad said:
Hi Rasika,
I have examined the WPA and WPA2 beacon frames and noticed that WPA beacon frames do not have the RSN field. Is there any other way to differentiate between WPA and WPA2 beacon frames? (I’m looking for a specific field…)
thanks.
Hari said:
WPA2 : will Have RSNIE
WPA : will Have WPAIE
WPA/WPA2 : Will Have Both RSNIE & WPAIE
ClippingPathEye said:
Your blog is very interesting. Thanks for sharing nice information.
nayarasi said:
Thank you for kind appreciation
Rasika
woong said:
Can I use the image about the frame structure on my company’s page?
That image will be used in a Wi-Fi introduction document for our customers.
nayarasi said:
Hello, the image shared here is from the CWNP book (educational purposes). Best if you can create your own image based on it & use that internally.
Regards
Rasika
Priya said:
Why is the beacon data rate 1 Mbps…
nayarasi said:
Beacons go at the lowest mandatory data rate configured. If you have 1 Mbps as a Basic/Mandatory rate on the 2.4GHz band, then beacons go at that data rate.
HTH
Rasika
Lasya Gayathri said:
Hi,
Could you help us understand more about Available Admission Capacity in the BSS Load element?
Thank you
zidane said:
Thank you for the information.
Joel Meijering said:
Are you aware of any limitations in clients regarding maximum size of the individual information elements, as well as maximum size of the entire management frame?
Because on Android 8 and 11, I am experiencing truncation where only 24 out of 91 bytes of the last information element are received. This is using the lowest user-accessible API; no user code is affecting it.
On Linux, the full IE is received.
In an instance where the total frame size is smaller (due to fewer IE fields being present in the frame), everything is received correctly on Android.
The problematic beacon frame size has 351 bytes of tagged parameters, while the problem-free frame has 223 bytes of tagged parameters.
(The larger, problematic frame is sent by a Spreadtrum/Unisoc device; the smaller, working frame is sent by a Realtek device.)
Regards,
Joel
nayarasi said:
Hi Joel,
Thank you for the info shared.
I do not have many details about client limitations on IE size or management frame size.
I would say reaching out to those vendors’ support may get an answer.
HTH
Rasika
Joel Meijering said:
Thanks Rasika.
I just found strong evidence that on Android, the maximum IE size is probably 256 (someone compiled iw for Android and posted the output).
On my Linux workstation, the maximum length as reported by “iw list” is 2304.
So it is a matter of getting hostapd and the kernel to output fewer IEs. Some IEs are probably not needed; I will find ways to disable them!
nayarasi said:
Hi Joel,
I will explore it as well. I know that with the 6GHz (MBSSID) element, beacon size has gone to 1000 bytes as well. With that I noticed it created multiple IEs (for MBSSID), as we cannot have one large single IE. If you check the MBSSID related post given below, you will find some PCAPs.
HTH
Rasika
Joel Meijering said:
The 802.11 standard mentions that the Vendor Specific IEs need to be at the end.
The problematic WLAN adapter (Unisoc/Spreadtrum UWE5622/Cdtech CDW-20U5622-02) places the IEs in invalid order:
(…) Vendor Specific, Vendor Specific, HT Capabilities, HT Information, Secondary Channel Offset, Extended Capabilities, Vendor Specific
My clients all ignore the last Vendor Specific IE.
A bug in the transmitter. Although the driver is open-source, the first two Vendor Specific elements seem to be added by the firmware, not the driver. I am considering injecting my custom Vendor Specific element earlier in the beacon, hoping that it will be picked up by 802.11 clients.