There are 15 different types of Data Frames defined in IEEE 802.11-2007 standard. Data frames with a value of 1 in the QoS subfield of the Subtype field (Bit7) are collectively referred to as QoS data frames. Each of these data subtypes contains QoS in their names, and this frame format is distinguished by the presence of a QoS Control field in the MAC header.
A QoS STA always uses QoS data frames for data transmissions to other QoS STAs. A QoS STA uses frames with the QoS subfield of the Subtype field set to 0 for data transmissions to non-QoS STAs. A non-QoS STA always uses frames with the QoS subfield of the Subtype field set to 0 (Bit7) for data transmissions to other STAs.
All STAs use frames with the QoS subfield of the Subtype field set to 0 (Bit7) for broadcast data frames unless a transmitting STA knows that all STAs in a BSS have QoS capability, in which case the transmitting STAs use QoS data frames.
All STAs use frames with the QoS subfield of the Subtype field set to 0 for group addressed data frames (ie multicast) unless it is known to the transmitter that all STAs in the BSS that are members of the multicast group have QoS capability, in which case STAs use QoS data frames.
Below table summarize all Data Frame types. Each bit of the Subtype field indicate different type of Data frames (eg Bit7=1 QoS , Bit6=1 Null frame, Bit5=1 CF-Poll & Bit4=1 CF-ACK)
In wireshark you can filter all Data frame using below filter (Type =2)
wlan.fc.type == 2
Data:
In Non-QoS Data frames there is no QoS control field present in the MAC header. Below shows a simple data frame which you can filter using below ( Type 2 , subtype 0). In this frame To DS & From DS field set to 1 & therefore used 4 addresses field in MAC header (Typically all other scenarios, 3 addresses field use in MAC header)
wlan.fc.type_subtype == 0x0020
Data + CF-ACK :
wlan.fc.type_subtype == 0x0021
Data + CF-Poll :
wlan.fc.type_subtype == 0x0022
Data + CF-Ack + CF-Poll :
wlan.fc.type_subtype == 0x0023
Null Data :
Here is a Null (no data frame). In this case this frame is used to indicate client is going to Power Save mode sending this to AP by the client ( Note that Power Mgmt bit set to 1 in Frame Control)
wlan.fc.type_subtype == 0x0024
CF-ACK (no data):
wlan.fc.type_subtype == 0x0025
CF-Poll (no data):
wlan.fc.type_subtype == 0x0026
CF-ACK + CF-Poll (no data) :
wlan.fc.type_subtype == 0x0027
QoS Data:
Here is a QoS Data frame Where subtype is 8. Note that QoS control field in the MAC header.
wlan.fc.type_subtype == 0x0028
QoS Data + CF-Poll:
wlan.fc.type_subtype == 0x002a
QoS Data + CF-ACK + CF-Poll:
wlan.fc.type_subtype == 0x002b
QoS Null Data :
wlan.fc.type_subtype == 0x002c
Rerved Data Frame:
wlan.fc.type_subtype == 0x002d
QoS Data + CF-Poll (no data):
wlan.fc.type_subtype == 0x002e
QoS CF-ACK + CF-Poll (no data):
wlan.fc.type_subtype == 0x002f
References
1. CWAP Official Study Guide – Chapter 6
Related Posts
1. 802.11 Management Frame Types
2. 802.11 Control Frame Types
mrn-cciew 
Great explanation, I was studying this yesterday and I understand this better after reading this post 😀
Nice to hear that Ruwan… 🙂
Hi,
I would like to ask you 2 questions 😉
My first question is, why does STA send Broadcast Data frame?
I am working on school project and I need to determine MAC addresses of STAs in range. I am trying to do that using From DS/To DS bits (assuming that when frame is from STA, these bits are set To DS=1,From DS=0 so I use 2nd address as MAC address of STA, and To DS=0,From DS=1 when frame is originated to STA so I use 1st address as MAC address of STA). It seems that it works for example with QoS data frames, but when I analyze Data frames with bits set To DS=0, From DS=1 (case where I would use 1st address), there is a broadcast address on that place.
So my next question is, if is my assumption correct or not? And if it is not, is there any other way how to determine direction of frame?
Thank you for your reply in advance.
Matus
Hi Rasiya,
How does AP send DATA+CF-POLL to station2 and CF-ACK to station 1 in a single frame as per PCF ?
It’s very nice article. I am improving my WLAN understanding better in this blog.
Thanks Ravat
Pingback: Wireshark and 802.11 Data in Capture Files – Majornetwork
thanks your great article.
Thank you…
Thank you for posting this! Very helpful information
Thank you Aragorn for appreciating it.
Rasika
Good explanation
Hi Rasika, Thanks for great blogs. I am studying them one by one and want to finish most of them :). I wanted to ask questions about some thing not clear, but when I see many questions remains unanswered, then I get sort of worried :). I would appreciate if you can please reply all questions asked in the comments sections in every blog as you see above few questions as well. Thank you very much.
Hi Muhammad,
I am trying my best to answer all questions being asked… There are 500+ comments are there and I will try to get into them slowly…
HTH
Rasika