Which frames contain SSID information
We will focus on the contents of each frame rather than understanding the context of the frame in the frame exchange process. A separate post will follow that covers the various frame exchanges. As you can see below, the level of knowledge expected for the CWNA exam is much simpler. In the CWAP exam, it is expected that you can identify the frame type, which information elements (IEs) contain which values, and understand what each value represents.
The CWNA objectives include an understanding of the general frame format. The CWAP exam is all about understanding each frame type, which fields are used, and what each information element (IE) contains information about. The frame header contains information about where the frame is going, the data rate, the cipher suite used to encrypt data frames, and more! It is important to understand each field in the header. The four address fields are source, destination, transmitter, and receiver.
The header contents are different for each frame type; the image below shows that some fields may be 0 bytes when not in use or X bytes. For example, the header of an acknowledgement (ACK) frame only uses one of four address fields, the receiver address (RA). The other values found in the frame control field of the header that are frequently referenced include:
The body of a frame varies in size depending on the transmission. The trailer contains the frame check sequence (FCS). This is a bit cyclic redundancy check (CRC) used to validate that the contents of the entire frame have not been tampered with or become corrupted while being transferred over the wireless medium.
All values of the frame header and body are run through a calculation; the result is held in the FCS field. If the receiver's own calculation does not match, it will discard the frame and not send an ACK frame. The sender knows to retransmit the frame because it did not receive acknowledgement. In the header there is a frame control field that contains the values for type and subtype of the frame. The image below shows the three types of frames. Protocol version will always be 00 to indicate that The type field indicates 0-management, 1-control, or 2-data.
The subtype field indicates the type of management, control, or data frame. In our example here we see 8, 11, and 8 in the subtype fields. The management frame is a beacon, the control frame is a request-to-send (RTS), and the data frame is a QoS Data frame.
Management frames are used to manage the BSS. This includes probing, associating, roaming, and disconnecting clients from the BSS. As shown above, management frames use a type of 0 in the frame control field within the frame header. In this frame, the station sends all its capabilities to the AP; it will only include capabilities that the AP has also advertised in the beacon or probe response frame.
Stations send reassociation requests to APs that they wish to roam to. The primary difference between reassociation and association requests is that the station will indicate the current AP it is connected to in reassociation requests.
If the station does not receive a reassociation response for reasons such as load balancing, it will remain connected to the original AP and search for other APs to roam to.
There are also cases where, after leaving a BSS for a short period of time, a station will send a reassociation request to an AP it was recently connected to. As you can see below, the probe response frame contains all but 3 of the same fields as beacon frames. The three differences are: the probe response frame does not contain a TIM, a QoS capabilities information element, and any information elements requested by the station.
Be sure to understand the differences between active and passive scanning for both exams. Beacons contain the configuration of the WLAN including whether it supports standards such as The presence of certain information elements (IE) indicates whether the related configuration is present. The figure below shows which fields are mandatory in a beacon frame. Note that this information is in the body of the management frame.
A beacon frame in Wireshark is shown below. We can see a timestamp of which is used to keep time synchronized among stations in a BSS. Our beacon interval, also known as target beacon transmit time (TBTT), is the default of Two bytes are used for the Authentication Algorithm Number field, which are shown in Figure This field identifies the type of authentication used in the initial The authentication process is discussed more thoroughly in Chapter 8.
The values permitted for this field are shown in Table Only two values are currently defined. Other values are reserved for future standardization work. Authentication is a multistep process that consists of a challenge from the access point and a response from the mobile station attempting to associate. The Authentication Transaction Sequence Number, shown in Figure , is a two-byte field used to track progress through the authentication exchange.
It takes values from 1 to 65,; it is never set to 0. Use of this field is discussed in Chapter 8. Beacon transmissions announce the existence of an Beacon frames carry information about the BSS parameters and the frames buffered by access points, so mobile stations must listen to Beacons. The Beacon Interval, shown in Figure, is a bit field set to the number of time units between Beacon transmissions. One time unit, which is often abbreviated TU, is 1, microseconds (μs), which is about 1 millisecond.
It is common for the Beacon interval to be set to time units, which corresponds to an interval between Beacon transmissions of approximately milliseconds or 0. In this field, each bit is used as a flag to advertise a particular function of the network. Stations use the capability advertisement to determine whether they can support all the features in the BSS.
Stations that do not implement all the features in the capability advertisement are not allowed to join. These two bits are mutually exclusive. Setting the Privacy bit to 1 requires the use of WEP for confidentiality. In infrastructure networks, the transmitter is an access point. This field was added to Setting it to 1 indicates that the network is using the short preamble as described in Chapter Zero means the option is not in use and is forbidden in the BSS.
When it is set to 1, it indicates that the network is using the packet binary convolution coding modulation scheme described in Chapter 12 , or the higher-speed Zero means that the option is not in use and is forbidden in the BSS.
When it is set to one, it indicates that the network is using the Channel Agility option described in Chapter This bit is set to one to indicate the use of the shorter slot time supported by Stations and access points use these two bits as a label.
The meanings of the labels are shown in Table Station supports polling and requests that it never be polled results in station treated as if it does not support contention-free operation. Mobile stations use the Current AP Address field , shown in Figure , to indicate the MAC address of the access point with which they are associated.
This field is used to ease associations and reassociations. Stations transmit the address of the access point that handled the last association with the network.
When an association is established with a different access point, this field can be used to transfer the association and retrieve any buffered frames. To save battery power, stations may shut off the antenna units in While stations are sleeping, access points must buffer frames for them. Dozing stations periodically wake up to listen to traffic announcements to determine whether the access point has any buffered frames. When stations associate with an access point, part of the saved data is the Listen Interval , which is the number of Beacon intervals that stations wait between listening for Beacon frames.
The Listen Interval, shown in Figure , allows mobile stations to indicate how long the access point must retain buffered frames. Higher listen intervals require more access point memory for frame buffering. Access points may use this feature to estimate the resources that will be required and may refuse resource-intensive associations. The Listen Interval is described in Chapter 8. The Association ID, shown in Figure , is a bit field. When stations associate with an access point, they are assigned an Association ID to assist with control and management functions.
Even though 14 bits are available for use in creating Association IDs, they range only from , The master timekeeper for a BSS periodically transmits the number of microseconds it has been active. When the counter reaches its maximum value, it wraps around. Counter wraps are unlikely given the length of time it takes to wrap a bit counter.
At over , years, I would bet on a required patch or two before the counter wrap. Stations may send Disassociation or Deauthentication frames in response to traffic when the sender has not properly joined the network. Part of the frame is a bit Reason Code field , shown in Figure , to indicate what the sender has done incorrectly. Table shows why certain reason codes are generated. Fully understanding the use of reason codes requires an understanding of the different classes of frames and states of the Station has left the basic service area or extended service area and is deauthenticated.
Station has left the basic service area or extended service area and is disassociated. Disassociated because of unacceptable values in Power Capability element. Disassociated because of unacceptable values in Supported Channels element. Invalid information element added with Status codes indicate the success or failure of an operation.
The Status Code field , shown in Figure , is 0 when an operation succeeds and nonzero on failure. Table shows the status codes that have been standardized. Reassociation denied; prior association cannot be identified and transferred.
Authentication rejected; the next frame in the sequence did not arrive in the expected window. Association denied; the mobile station does not support all of the data rates required by the BSS. Association denied; the mobile station does not support the Short Preamble option. Association denied; the mobile station does not support the PBCC modulation option.
Association denied; the mobile station does not support the Channel Agility option. Information elements are variable-length components of management frames. A generic information element has an ID number, a length, and a variable-length component, as shown in Figure Standardized values for the element ID number are shown in Table Reserved [ a ] formerly for challenge text extension, before However, it is widely implemented, so I include it in the table.
Network managers are only human, and they usually prefer to work with letters, numbers, and names rather than bit identifiers. Stations attempting to join a network may scan an area for available networks and join the network with a specified SSID.
The SSID is the same for all the basic service areas composing an extended service area. Some documentation refers to the SSID as the network name because network administrators frequently assign a character string to it. Some products require that the string be a garden variety ASCII string, though the standard has no requirement on the content of the string.
In all cases, the length of the SSID ranges between 0 and 32 bytes. The zero-byte case is a special case called the broadcast SSID; it is used only in Probe Request frames when a station attempts to discover all the Several data rates have been standardized for wireless LANs.
The Supported Rates information element allows an When mobile stations attempt to join the network, they check the data rates used in the network. Some rates are mandatory and must be supported by the mobile station, while others are optional. The Supported Rates information element is shown in Figure It consists of a string of bytes. Each byte uses the seven low-order bits for the data rate; the most significant bit indicates whether the data rate is mandatory.
Mandatory rates are encoded with the most significant bit set to 1 and optional rates have a 0. Up to eight rates may be encoded in the information element. As the number of data rates has proliferated, the Extended Supported Rates element was standardized to handle more than eight data rates.
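The ID/length/value layout, the 0-to-32-byte SSID rule and the Supported Rates bit layout described above, as an added example that is not part of the original page. It assumes the input is the element portion of a management frame body (after any fixed fields); element IDs 0 (SSID) and 1 (Supported Rates) and the 500 kbps rate unit come from the 802.11 standard, and the sample bytes are constructed.

```python
# Added example: walk the information elements of a management frame body
# and decode the SSID and Supported Rates elements.
SSID_ID = 0              # element ID from the 802.11 standard
SUPPORTED_RATES_ID = 1   # element ID from the 802.11 standard
MAX_SSID_LEN = 32


def iter_elements(body: bytes):
    """Yield (element_id, value) for each ID/length/value triple."""
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError(f"truncated element header at offset {pos}")
        elem_id, length = body[pos], body[pos + 1]
        value = body[pos + 2 : pos + 2 + length]
        if len(value) != length:
            # The length byte is sender-controlled; never read past the frame.
            raise ValueError(f"element {elem_id} claims {length} bytes, {len(value)} present")
        yield elem_id, value
        pos += 2 + length


def decode_ssid(value: bytes) -> str:
    """Return a display-safe SSID; the zero-byte case is the broadcast SSID."""
    if len(value) > MAX_SSID_LEN:
        raise ValueError("SSID longer than 32 bytes")
    if not value:
        return "<broadcast SSID>"
    # The standard puts no restriction on content, so escape anything that
    # is not printable ASCII before it reaches a log or a terminal.
    return "".join(chr(b) if 32 <= b < 127 else f"\\x{b:02x}" for b in value)


def decode_rates(value: bytes):
    """Return (rate_mbps, mandatory) pairs from a Supported Rates value."""
    if len(value) > 8:
        raise ValueError("Supported Rates carries at most eight rates")
    # Seven low-order bits: rate in 500 kbps units; top bit: mandatory flag.
    return [((b & 0x7F) * 0.5, bool(b & 0x80)) for b in value]


def summarize(body: bytes) -> dict:
    """Collect the SSID and rates found in the element portion of a frame."""
    info = {}
    for elem_id, value in iter_elements(body):
        if elem_id == SSID_ID:
            info["ssid"] = decode_ssid(value)
        elif elem_id == SUPPORTED_RATES_ID:
            info["rates"] = decode_rates(value)
    return info


# Constructed samples: a beacon-style element list with SSID "lab-net", and a
# Probe Request element list with the zero-byte SSID. Both advertise a
# mandatory 2 Mbps rate (0x84) and an optional 11 Mbps rate (0x16).
BEACON_ELEMENTS = bytes([0, 7]) + b"lab-net" + bytes([1, 2, 0x84, 0x16])
PROBE_REQUEST_ELEMENTS = bytes([0, 0, 1, 2, 0x84, 0x16])

if __name__ == "__main__":
    print(summarize(BEACON_ELEMENTS))
    print(summarize(PROBE_REQUEST_ELEMENTS))
```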
In the initial revision of the When 7 bits are used to have a multiple of kbps, the maximum data rate that can be encoded is Research and development on wireless LAN technology has made this rate achievable in the near future.
As a result, the IEEE changed the interpretation from a multiple of kbps to a simple label in Previously standardized rates were given labels corresponding to the multiple of kbps, but future standards may use any value.
Current standardized values are shown in Table As an example, Figure shows the encoding of two data rates. This is encoded as a mandatory 2-Mbps rate and an optional Mbps rate. The FH Parameter Set information element, shown in Figure , contains all parameters necessary to join a frequency-hopping The FH Parameter Set has four fields that uniquely specify an Chapter 12 describes these identifiers in depth. The amount of time spent on each channel in the hopping sequence is called the dwell time.
It is expressed in time units TUs. Several hopping patterns are defined by the This field, a single byte, identifies the set of hop patterns in use. Stations select one of the hopping patterns from the set. This field, also a single byte, identifies the hopping pattern in use. Each pattern consists of a long sequence of channel hops.
This field, a single byte, identifies the current point in the hop sequence. Direct-sequence High-rate direct sequence networks use the same channels and thus can use the same parameter set. The channel number is encoded as a single byte, as shown in Figure Access points buffer frames for mobile stations sleeping in low-power mode.
Periodically, the access point attempts to deliver buffered frames to sleeping stations. A practical reason for this arrangement is that much more power is required to power up a transmitter than to simply turn on a receiver. The designers of Part of this operation is to send the Traffic Indication Map TIM information element Figure to the network to indicate which stations have buffered traffic waiting to be picked up.
The meat of the traffic indication map is the virtual bitmap, a logical structure composed of 2, bits.
Each bit is tied to the Association ID. When traffic is buffered for that Association ID, the bit is 1. If no traffic is buffered, the bit tied to the Association ID is 0. DTIM frames indicate that buffered broadcast and multicast frames will be delivered shortly. Zero is reserved and is not used. The DTIM count cycles through from the period down to 0. The Bitmap Control field is divided into two subfields. Bit 0 is used for the traffic indication status of Association ID 0, which is reserved for multicast traffic.
The remaining seven bits of the Bitmap Control field are used for the Bitmap Offset field. To save transmission capacity, the Bitmap Offset field can be used to transmit a portion of the virtual bitmap. The Bitmap Offset is related to the start of the virtual bitmap.
By using the Bitmap Offset and the Length, The CF Parameter Set information element is transmitted in Beacons by access points that support contention-free operation. Contention-free service is discussed in Chapter 9 because of its optional nature. The initial Rather than continue to revise the specification each time a new country was added, a new specification was added that provides a way for networks to describe regulatory constraints to new stations.
The main pillar of this is the Country information element , shown in Figure Each constraint descriptor specifies a unique band, and they may not overlap, since a given frequency has only one maximum allowed power. The first two letters are the ISO country code e. Many countries have different indoor and outdoor regulations, and the third character distinguishes between the two.
When a single set of omnibus regulations covers all environments, the third character is a space. The first channel number is the lowest channel subject to the power constraint. Channel number assignment for each PHY is discussed in the appropriate chapter. The size of the band subject to the power constraint is indicated by the number of channels. The size of a channel is PHY-dependent. The size of the information element must be an even number of bytes.
If the length of the information element is an odd number of bytes, a single byte of zeroes is appended as a pad. These two elements can be used to build a hopping pattern that complies with regulatory constraints in additional countries, which allows further adoption of the frequency-hopping PHY without requiring additional revision to the specification.
In Probe Request frames, the Request information element is used to ask the network for certain information elements. The shared-key authentication system defined by The challenge is sent using the Challenge Text information element , which is shown in Figure The Power Constraint information element is used to allow a network to describe the maximum transmit power to stations.
In addition to a regulatory maximum, there may be another maximum in effect. The only field, a one-byte integer, is the number of decibels by which any local constraint reduces the regulatory maximum.
If, for example, the regulatory maximum power were 10 dBm, but this information element contained the value 2, then the station would set its maximum transmit power to 8 dBm Figure The Power Capability information element allows a station to report its minimum and maximum transmit power, in integer units of dBm Figure It has no associated data, so the length field is always zero Figure For stations to know how to tune transmission power, it helps to know the attenuation on the link.
TPC Report information elements are included in several types of management frames, and include two one-byte fields Figure The first, the transmit power, is the transmit power of the frame containing the information element, in units of dBm.
The second, the link margin , represents the number of decibels of safety that the station requires. Both are used by the station to adapt its transmission power, as described in Chapter 8. The Supported Channels information element is similar to the Country information element, in that it describes sub-bands that are supported. After the header, there is a series of sub-band descriptors.
Each sub-band descriptor consists of a first channel number, which is the lowest channel in a supported sub-band, followed by the number of channels in the sub-band Figure For example, a device that only supported channels 40 through 52 would set the first channel number to 40, and the number of channels to To warn stations in the network about the impending channel change, management frames may include the Channel Switch Announcement element shown in Figure When the operating channel is changed, it disrupts communication.
If this field is set to 1, associated stations should stop transmitting frames until the channel switch has occurred. If it is set to zero, there is no restriction on frame transmission. The new channel number after the switch. At present, there is no need for this field to exceed a value of Channel switching can be scheduled. This field is the number of Beacon frame transmission intervals that it will take to change the channel.
Association request. Reassociation request. Probe request. Timing advertisement. Association response. Reassociation response. Probe response.
Control Wrapper. Block ack request (BAR). Block ack (BA). Null (no data). CF-ACK (no data). CF-Poll (no data). QoS Data. QoS Null (no data).
Reassociation response frame - 0x03: Sent from an AP containing the acceptance or rejection to a device reassociation request frame. The frame includes information required for association, such as the association ID and supported data rates.
Probe request frame - 0x04: Sent from a wireless client when it requires information from another wireless client.
Probe response frame - 0x05: Sent from an AP containing capability information, such as the supported data rates, after receiving a probe request frame.
Disassociation frame - 0x0A: Sent from a device wanting to terminate a connection. Allows the AP to relinquish memory allocation and remove the device from the association table.