802.11 Mgmt : Action Frames

Tags

Action Frames are a type of management frame used to trigger an action in the cell. Action frame format is as shown below

Category – Describes the action frame type. Here are the different category type of Action frames (per 802.11-2007 standard where current CWAP exam is based on)
0 – Spectrum Management
1 : QoS
2 : DLS
3 : Block ACK
4 : Public
5 : Radio Measurement
6 : Fast BSS Transistion
7 : High Throughput (HT)
8 : SA Query
9 : Protected dual of public action
10-125 : Reserved/Unused
126 : Vendor specific protected
127 : Vendor specific
128-255: Error

Action – The action to perform, it is usually a number represent different actions
Element– Adds additional information specific to the action

Here are few example for captures of Action Frames. For the full list of action frame code values refer table 4.10 of CWAP Official Study Guide (page 165-168). If you want to know more information including other type of action frames refer IEEE 802.11-2012 section 8.5 (page 726- 812). Here is a brief description of selected type of action frame category.

You can filter Action Frames in wireshark using below filter (management frames with subtype value 13 ).

(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0d)

1. Spectrum Management (Category 0)

0 : Measurement Request
1 : Measurement Report
2 : TPC Request
3 : TPC Report
4 : Channel Switch Announcement
5-255 : Reserved

Here is a sample capture of TPC Request action frame with action code 2.Here is a sample capture of TPC Report action frame with action code 3.2. QoS Action Frames (Category 1)
QoS action frames has different code values with below description of that action
0 : ADDTS Request
1 : ADDTS Response
2 : DELTS
3 : Shedule
4 : QoS Map Configure
5-255 : Unused/Reserved

Below shows a ADDTS Request action frame witch action code of 0.Below shows a ADDTS Response action frame with action code of 1.3. DLS Action Frames (Category 2)
0 : DLS Request
1 : DLS Response
2: DLS Teardown
3-255 : Reserved

4. Block ACK Action Frames (Category 3)
Block ACK action frames have following code values
0 : ADDBA Request
1 : ADDBA Response
2 : DELBA
3-255: Unsued/Reserved

Below shows a ADDBA Request action frame with action code value of 0Below shows a ADDBA Request action frame with action code value of 1.
5. Radio measurement Action Frames (Category 5)
Radio Measurement action frames action code as given below
0 : Radio measurement request
1 : Radio measurement report
2 : Link measurement request
3 : Link measurement report
4 : Neighbor report request
5 : Neighbor report response
6-255 : Unused/Reserved

Below shows a Neighbor Report Request action frame with action code value of 4. (typically used with 802.11k)

Below shows a Neighbor Report Response action frame with action code value of 5. (typically used with 802.11k)

6. Fast BSS Transition Action Frames(Category 6)
Fast BSS transition action category is having following code values
0 : Reserved
1 : FT Request – Sent by STA to its associated AP to initiate over-the-DS FT.
2 : FT Response – Tx by currently associated AP to the station sent FT request
3 : FT confirm – Confirmation to the target AP of receipt of the ANonce
4 : FT ACK – Tx by currently associatd AP as a response to STA’s FT confirm frame.
5-255 : Reserved

Below shows a FT Request action frame with action code value of 1. (typically used with 802.11r when a station first associate to a network)

7. HT Action frames (Category 7)
0 : Notify Channel Width
1 : SM Power Save
2 : PMSP
3 : Set PCO Phase
4 : CSI
5 : Noncompressed Beamforming
6 : Compressed Beamforming
7 : ASEL Indices Feedback
8-255 : Reserved

8. SA Query Action Frames (Category 8)
0 : SA Query Request
1 : SA Query Response

9. Protected Public Action Frames (Category 9)
This is to allow robust STA-STA of the same information that is conveyed in Action Frames that are not robust.

10. WNM Action Frames (Category 17)
This is defined for Wireless Network Management (WNM) purposes

11. VHT Action Frames (Category x)
Used in 802.11ac
0 : VHT compressed Beamforming
1 : Group ID Management
2 : Operating Mode Notification
3-255 : Reserved

12. Vendor Specific (Category 127)

References
1. CWAP Official Study Guide – Chapter 4
2. IEEE 802.11-2012 standard.

1. 802.11 Management Frame Types
2. 802.11: Mgmt – Beacon Frame

5 thoughts on “802.11 Mgmt : Action Frames”

Matthew said:

December 29, 2016 at 1:54 am

Hello,
Can an Action Frame be sent by an AP to get a response from all nearby stations, associated or not, if it is addressed as a broadcast?
I’m trying to query all devices in range for their MAC address even if they are just passing and not associated.
Thank you

- A John said:
  
  September 28, 2019 at 8:26 am
  
  One way is If you are unassociated and send specific frames as defined by class in spec you will get to know the response about validity of association. Like data frame cannot be sent when you are not associated.
  
raj kumar said:

April 17, 2017 at 3:01 pm

Hi,
For a vendor specific action frames , After specifying the OUI , subtype, action & dialog token fields , we have the elements to be specified. while specifying elements we follow TLV format( type, length, & value) , can you please confirm the size of the length field in TLV format as of now I am taking that length as 1 byte.

Thanks
Raj kumar

Sunny said:

March 4, 2019 at 6:50 am

WNM Action Frames (Category 17) : this is wrong. category 17 is for WMM. WNM uses category 10.

Ajay kumar said:

September 14, 2019 at 2:44 pm

Hi ,Thanks for giving a lot of information about action frames.I have an doubt that WNM action frame category is 17.But In ADDTS request action frames category is 17 in capture what u provided.But ADDTS request frame comes under QOS Action frame which category is 1.Could u explain this….?