The frame format of a Data frame is shown below (source: IEEE 802.11-2012 standard).
The content of the address fields of data frames is dependent upon the values of the To DS and From DS fields in the Frame Control field and whether the Frame Body field contains either an MSDU (or fragment thereof) or an entire A-MSDU, as determined by the A-MSDU Present subfield of the QoS Control field.
The content of the address fields is shown in the table below (source: IEEE 802.11-2012, Table 8-19). Where the content of a field is shown as not applicable (N/A), the field is omitted. Note that Address 1 always holds the receiver address of the intended receiver, and that Address 2 always holds the address of the STA that is transmitting the frame.
The address fields are described below.
Source Address (SA) : This is the address where the frame is sent from.
Destination Address (DA) : This is the address where the frame is being sent to.
Transmitter Address (TA) : This is the address of the station that is transmitting the RF frame.
Receiver Address (RA) : This is the address of the station that is receiving the RF frame.
Basic Service Set Identifier (BSSID) : This is the basic service set ID of the AP.
Typically, all 4 address fields are used only in Wireless Distribution System (WDS) or mesh AP backhaul scenarios. The wireless bridge topology below is one where all 4 address fields are used.
Here is the packet capture of the wireless bridge, which shows a QoS data frame with To DS=1 and From DS=1. As you can see below, all 4 address fields of the MAC header are being used.
Address 1: RA – 64:ae:0c:93:75:90 (AAP2 802.11 BSSID for SSID-MGMT)
Address 2: TA – a4:0c:c3:1a:ee:60 (AAP1 802.11 BSSID for SSID-MGMT)
Address 3: DA – c8:f9:f9:d7:3b:a7 (7965 MAC address)
Address 4: SA – 00:1a:e3:a7:ff:40 (vlan 2 gateway MAC in C3750)
In the case of an A-MSDU frame, Address 3 is always the BSSID. If Address 4 is used, it also holds the BSSID.
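The address mapping described above, written as a small header parser (an added example, not code from the original post). The role labels for the To DS/From DS combinations other than the captured 1/1 case follow IEEE 802.11-2012 Table 8-19; the function names and the sample header, built from the addresses listed above with made-up Duration and Sequence Control values, are assumptions of this example.

```python
import struct

def h(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def address_roles(frame: bytes) -> dict:
    """Label Address 1-4 of an 802.11 data frame MAC header by role."""
    if len(frame) < 24:
        raise ValueError("truncated MAC header")
    (fc,) = struct.unpack_from("<H", frame, 0)   # Frame Control is little-endian
    if (fc >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    four_addr = to_ds and from_ds                # Address 4 exists only for 1/1
    is_qos = bool(fc & 0x0080)                   # subtype bit 3: QoS data subtypes
    qos_off = 30 if four_addr else 24            # QoS Control follows Address 4
    if len(frame) < qos_off + (2 if is_qos else 0):
        raise ValueError("truncated MAC header")
    qos = struct.unpack_from("<H", frame, qos_off)[0] if is_qos else 0
    amsdu = bool(qos & 0x0080)                   # A-MSDU Present subfield
    r1 = "RA" if four_addr else ("RA=BSSID" if to_ds else "RA=DA")
    r2 = "TA" if four_addr else ("TA=BSSID" if from_ds else "TA=SA")
    # With an A-MSDU, Address 3 (and 4) hold the BSSID instead of DA/SA.
    r3 = "BSSID" if amsdu or not (to_ds or from_ds) else ("DA" if to_ds else "SA")
    roles = {
        "Address 1": (r1, mac(frame[4:10])),
        "Address 2": (r2, mac(frame[10:16])),
        "Address 3": (r3, mac(frame[16:22])),
    }
    if four_addr:
        roles["Address 4"] = ("BSSID" if amsdu else "SA", mac(frame[24:30]))
    return roles

# Constructed header using the addresses from the bridge capture above:
# QoS Data, To DS=1, From DS=1; Duration and Sequence Control are made up.
SAMPLE = (bytes.fromhex("8803") + bytes.fromhex("2c00")
          + h("64:ae:0c:93:75:90") + h("a4:0c:c3:1a:ee:60")
          + h("c8:f9:f9:d7:3b:a7") + bytes.fromhex("1000")
          + h("00:1a:e3:a7:ff:40") + bytes.fromhex("0000"))

if __name__ == "__main__":
    for field, (role, addr) in address_roles(SAMPLE).items():
        print(f"{field}: {role:8} {addr}")
```

The parser stops at the QoS Control field and does not decode an HT Control field or the frame body.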
For data frames of subtype Null (no data), CF-Ack (no data), CF-Poll (no data), and CF-Ack+CF-Poll (no data) and for the corresponding QoS data frame subtypes, the Frame Body field is null (i.e., has a length of 0 octets); these subtypes are used for MAC control purposes.
For data frames of subtypes Data, Data+CF-Ack, Data+CF-Poll, and Data+CF-Ack+CF-Poll, the Frame Body field contains all of, or a fragment of, an MSDU after any encapsulation for security.
For data frames of subtypes QoS Data, QoS Data+CF-Ack, QoS Data+CF-Poll, and QoS Data+CF-Ack+CF-Poll, the Frame Body field contains an MSDU (or fragment thereof) or A-MSDU after any encapsulation for security.
The maximum length of the Frame Body field can be determined from the maximum MSDU length plus the length of the Mesh Control field (if present) plus any overhead from encapsulation for encryption (i.e., it is always possible to send a maximum length MSDU, with any encapsulations provided by the MAC layer within a single data MPDU). When the frame body carries an A-MSDU, the size of the frame body field is limited by:
— The PHY’s maximum PLCP service data unit (PSDU) length
— If A-MPDU aggregation is used, a maximum MPDU length of 4095 octets
The duration value calculation for the data frame is based on the rules in 9.7 that determine the data rate at which the control frames in the frame exchange sequence are transmitted. If the calculated duration includes a fractional microsecond, that value is rounded up to the next higher integer. All STAs process Duration/ID field values less than or equal to 32 767 from valid data frames (without regard for the RA, DA, and/or BSSID address values that might be present in these frames) to update their NAV settings as appropriate under the coordination function rules.
1. CWAP Official Study Guide – Chapter 6
2. IEEE 802.11-2012 Standard
Please change this. It seems to be vice-versa:
Address 1: RA – a4:0c:c3:1a:ee:60 (AAP1 802.11 BSSID for SSID-MGMT)
Address 2: TA – 64:ae:0c:93:75:90 (AAP2 802.11 BSSID for SSID-MGMT)
Thank you very much Vibhor, I have updated it now.
Juan Carlos said:
In infrastructure mode, two stations connected to the same AP. For example:
STA-A sends a packet to STA-B; will this frame cross the AP, or will this frame be sent directly between STA-A and STA-B?
I thought in infrastructure mode all the frames will be processed by the APs, but in an Ekahau course the instructor said the opposite; he said the frame doesn’t reach the AP.
So if this is true, every STA or PC connected to the same AP needs to reach each other. When I asked this, he said the AP sends a copy of the frame, and I don’t understand this point either, because this means frame duplication every time an STA sends traffic.
I always thought that working in infrastructure mode means every frame will be sent to the AP, and the AP will forward the frame once again.
If he is right, I don’t know how manufacturers can implement client isolation if two STAs can communicate with each other without sending the frames to the AP.
Can anybody clarify this?
That’s not correct; in infrastructure mode it has to go via the AP.
In ad-hoc mode a station can talk to another station directly.