Beacon frames are used by access points (and stations in an IBSS) to communicate throughout the serviced area the characteristics of the connection offered to the cell members. This information is used by clients trying to connect to the network as well as clients already associated to the BSS.
Beacons are sent periodically at a time called the Target Beacon Transmission Time (TBTT).
1 TU = 1024 microseconds
Beacon interval = 100 TU (100 x 1024 microseconds or 102.4 milliseconds)
Here is the frame format of a Beacon frame.
Below is a beacon frame capture. In the frame body section there are a few mandatory fields & a few optional fields. Here are the mandatory fields in a Beacon frame.
1. Timestamp (8 byte)
2. Beacon Interval (2 byte)
3. Capability info (2 byte)
4. SSID (variable size)
5. Supported Rates (variable size)
1. Timestamp (8 byte):
A value representing the time on the access point, which is the number of microseconds the AP has been active. When the timestamp reaches its max (2^64 microseconds or ~580,000 years) it resets to 0. This field is contained in Beacon & Probe Response frames.
2. Beacon Interval (2 byte)
The Beacon Interval field represents the number of time units (TU) between target beacon transmission times (TBTT). The default value is 100 TU (102.4 milliseconds).
3. Capability Information (2 byte)
This field contains a number of subfields that are used to indicate requested or advertised optional capabilities.
4. SSID (variable size)
Present in all Beacons, probe requests, probe responses, association requests & re-association requests. Element ID is 0 for the SSID IE. The SSID can have a maximum of 32 characters.
5. Supported Rates
This element is present in Beacon, Probe Request, Probe Response, Association Request, Association Response, Reassociation Request and Reassociation Response frames. It is an 8-octet field where each octet describes a single supported rate. The last bit (7th) of each octet indicates whether the data rate is a “basic rate or mandatory” or a “supported rate”: a value of 1 indicates a basic rate, whereas 0 indicates a supported rate. The remaining 7 bits (0-6) specify the data rate value in units of 500 kbps.
E.g. a 6 Mbps (12 x 500 kbps units) basic rate is represented as 10001100:
7th bit = 1 (to indicate basic rate)
0-6th = 0001100 (value 12 to indicate 6 Mbps)
Here is an expansion of the “Supported Rates” field of a Beacon. It has Element ID, Length & Supported Rates fields. At least one mandatory rate must be set by the AP, & any station wanting to join the cell must support all basic rates. The given example shows the default setting of an 802.11a radio, where 6 Mbps, 12 Mbps & 24 Mbps are set as “Basic Rates” to ensure a joining station understands all modulation techniques (i.e. BPSK-6,9 Mbps QPSK-12,18 Mbps QAM-24 Mbps & higher).
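The mandatory fields described above can be decoded with a short bounds-checked parser. This is an added example, not part of the original article: the sample bytes are constructed, the function names are hypothetical, and Element ID 1 for Supported Rates comes from the 802.11 standard rather than from this page. The length checks matter when parsing untrusted captures, because a malformed element can claim more bytes than the frame holds.

```python
import struct

TU_US = 1024  # 1 TU = 1024 microseconds, as stated above

# Constructed sample: 12 fixed bytes, SSID "lab-ap", eight 802.11a rates.
SAMPLE = (struct.pack("<QHH", 123456789, 100, 0x0011)
          + bytes([0, 6]) + b"lab-ap"
          + bytes([1, 8, 0x8C, 0x12, 0x98, 0x24, 0xB0, 0x48, 0x60, 0x6C]))

def parse_rates(value):
    """Each octet: bit 7 = basic-rate flag, bits 0-6 = rate in 500 kbps units."""
    return [((b & 0x7F) * 0.5, bool(b & 0x80)) for b in value]

def parse_beacon_body(body):
    """Decode the fixed fields, then walk the tagged elements with bounds checks."""
    if len(body) < 12:
        raise ValueError("beacon body shorter than the 12 fixed bytes")
    timestamp, interval_tu, capability = struct.unpack_from("<QHH", body, 0)
    out = {"timestamp_us": timestamp, "interval_tu": interval_tu,
           "interval_ms": interval_tu * TU_US / 1000,
           "capability": capability, "other": {}, "errors": []}
    pos = 12
    while pos < len(body):
        if pos + 2 > len(body):
            out["errors"].append("truncated element header")
            break
        eid, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:  # length octet points past the end of the frame
            out["errors"].append(f"element {eid} overruns frame")
            break
        pos += 2 + length
        if eid == 0 and length > 32:
            out["errors"].append("SSID longer than 32 bytes")
        elif eid == 0:
            out["ssid"] = value.decode("utf-8", "replace")
        elif eid == 1:  # Supported Rates element ID (not given on the page)
            out["rates"] = parse_rates(value)
        else:
            out["other"][eid] = value
    return out

if __name__ == "__main__":
    print(parse_beacon_body(SAMPLE))
```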
7. DS Parameter (2 byte)
Present in beacon frames generated by stations using a Clause 15, 18 or 19 PHY, or if the beacon is sent using one of the rates defined by one of these clauses.
8. CF Parameter (8 byte)
Used with PCF, unused in real networks
9. IBSS parameter (4 byte)
Present only within beacon frames generated by stations in an IBSS (or Ad-Hoc network)
10. TIM (Traffic Indication Map)
Present only within beacon frames generated by APs. The TIM element contains information useful for stations in low-power mode. The AP uses the Delivery Traffic Indication Map (DTIM) to inform the cell if it has broadcast or multicast frames buffered. DTIM is not present in all beacons and all TIMs.
As you can see below, it has the following fields:
a. Element ID (1 byte)
b. Length (4 byte)
c. DTIM Count (1 byte) – how many beacon frames (including the current one) appear before the next DTIM. A value of 0 indicates the current TIM is a DTIM
d. DTIM Period (1 byte) – number of beacon intervals between successive DTIMs
e. Bitmap Control (1 byte) – if 1st bit=1, buffered multicast/broadcast data at AP; if 1st bit=0, no multicast/broadcast data at AP.
f. Partial Virtual Bitmap (1-251 byte) – represents stations in low-power mode for which the AP has traffic buffered.
11. Country
Each country has regulatory bodies that limit the channels or power levels allowed in their regulatory domain. This element defines the country of operation along with the allowed channels & maximum transmit power. This is not a mandatory field in a beacon.
12-13. FH Parameters & FH Pattern table (used by Legacy FH stations)
14. Power Constraint (3 byte)
This element is related to 802.11h. It applies to UNII-2 & UNII-2 Extended (CH52,56,60,64 & CH100-139), where the spectrum is also used for other purposes like civilian airport radar & weather radar. To avoid interference with those systems, the AP should operate within the max power specified by these constraint fields.
15. Channel Switch (6 byte)
This is also related to 802.11h. When a radar blast is detected, all stations must leave the affected channel. The AP can use this element to announce to the cell which channel is next.
16. Quiet (8 byte)
Another element related to 802.11h, where an AP can request a quiet time during which no station should transmit, in order to test the channel for the presence of radars.
17. IBSS DFS – used with 802.11h in IBSS
18. TPC Report (4 byte)
This element is also related to 802.11h. The TPC Report element contains Transmit Power & Link Margin information, usually sent in response to a TPC Request element. Below is the “TPC Report” element of a beacon frame.
19. ERP Information (3 byte)
The ERP element is present only on 2.4GHz networks supporting 802.11g & it is present in beacons & probe responses. The non-ERP_Present bit is set to 1 in the following conditions:
a. A nonERP station (legacy 802.11 or 802.11b) associates to the cell
b. A neighboring cell is detected, allowing only nonERP data rates
c. Any other management frame (except probe request) is received from a neighboring cell supporting only nonERP data rates.
20. Extended Supported Rates
The Extended Supported Rates element specifies the supported rates not carried in the Supported Rates element. It is only required if there are more than 8 supported rates.
21. RSN – Robust Secure Network
The RSN information element is used to indicate the authentication cipher, encryption cipher & other RSN capabilities of stations. The RSN IE below shows that the AP supports 802.1X & 802.11r FT as authentication suites. It also uses AES as the pairwise cipher (for unicast traffic) & group cipher (for broadcast/multicast).
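When auditing what a network advertises, the RSN element body can be decoded into its cipher and authentication (AKM) suites and checked for legacy ciphers. This is an added example, not part of the original article: the sample bytes are constructed to match the AP described above, the function names are hypothetical, the suite type numbers come from the 802.11 standard rather than from this page, and the element is assumed to carry the group, pairwise and AKM fields.

```python
import struct

IEEE_OUI = bytes.fromhex("000fac")  # OUI used by the standard's own suites
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK"}
WEAK = {"WEP-40", "WEP-104", "TKIP"}

# Constructed samples (element body only, without Element ID and Length).
SAMPLE_RSN = bytes.fromhex(  # CCMP group/pairwise, AKM 802.1X + FT-802.1X
    "0100 000fac04 0100 000fac04 0200 000fac01 000fac03 0000")
SAMPLE_MIXED = bytes.fromhex(  # TKIP group, CCMP+TKIP pairwise, AKM PSK
    "0100 000fac02 0200 000fac04 000fac02 0100 000fac02 0000")

def _suite(raw, table):
    """Map a 4-byte suite selector (OUI + type) to a readable name."""
    oui, kind = raw[:3], raw[3]
    if oui != IEEE_OUI:
        return f"vendor {oui.hex()}:{kind}"
    return table.get(kind, f"unknown:{kind}")

def _suite_list(body, pos, table):
    """Read a 2-byte count and that many selectors, refusing to overrun."""
    if pos + 2 > len(body):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", body, pos)
    pos += 2
    if pos + 4 * count > len(body):
        raise ValueError("suite count overruns element")
    names = [_suite(body[pos + 4 * i:pos + 4 * i + 4], table)
             for i in range(count)]
    return names, pos + 4 * count

def parse_rsn(body):
    """Return version, group/pairwise ciphers, AKM suites and weak ciphers."""
    if len(body) < 6:
        raise ValueError("RSN element too short")
    (version,) = struct.unpack_from("<H", body, 0)
    group = _suite(body[2:6], CIPHERS)
    pairwise, pos = _suite_list(body, 6, CIPHERS)
    akm, pos = _suite_list(body, pos, AKMS)
    weak = sorted(WEAK & ({group} | set(pairwise)))
    return {"version": version, "group": group, "pairwise": pairwise,
            "akm": akm, "weak_ciphers": weak}

if __name__ == "__main__":
    print(parse_rsn(SAMPLE_RSN))
    print(parse_rsn(SAMPLE_MIXED))
```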
22. BSS Load
This element is used only when QoS is supported & is often called the QBSS load element. It provides information on the cell load, from the AP's point of view. It has the following subfields:
a. Station Count – how many stations are currently associated
b. Channel Utilization – % of time that the AP sensed the medium was busy (normalized 0-255)
c. Available Admission Capacity–
24. QoS capability
This element is used only when QoS is supported. It is used as a replacement for the EDCA parameter element when the EDCA parameter is not present.
25-32,34-36. Vendor Specific
33. Mobility Domain
If the AP supports 802.11r (Fast Transition BSS), it will use the Mobility Domain IE to indicate that. Shown below is the MDIE of a beacon which supports FT-over-the-DS.
37. HT Capability
Used in 802.11n.
40. Overlapping BSS Scan Parameters.
41. Extended capabilities
42. VHT Capability
Used with 802.11ac