802.11 Frame Types
In the IEEE 802.11 wireless LAN protocols (such as Wi-Fi), a MAC frame is constructed of common fields (which are present in all types of frames) and specific fields (present in certain cases, depending on the type and subtype specified in the first octet of the frame).
The first two octets transmitted by a station are the Frame Control field. The first three subfields within the Frame Control and the last field (FCS) are always present in all types of 802.11 frames. These three subfields are a two-bit Protocol Version subfield, a two-bit Type subfield, and a four-bit Subtype subfield.
Frame Control
The first three fields (Protocol Version, Type and Subtype) in the Frame Control field are always present. The fields, in their order of appearance in transmission, are:
- Protocol Version
- Type
- Subtype
- To-DS
- From-DS
- More-Fragments
- Retry
- Power Management
- More Data
- Protected Frame
- +HTC/Order
Protocol Version Subfield
The 2-bit Protocol Version subfield is set to 0 for WLAN (PV0) and 1 for PV1 (IEEE 802.11ah). The revision level is incremented only when there is a fundamental incompatibility between two versions of the WLAN standard.[1][2] The PV1 description is incorporated in the latest 802.11-2020 standard.
Types and SubTypes
Type Value B3..B2 | Type Description | Subtype Value B7..B4 | Subtype Description |
---|---|---|---|
00 | Management | 0000 | Association Request |
00 | Management | 0001 | Association Response |
00 | Management | 0010 | Reassociation Request |
00 | Management | 0011 | Reassociation Response |
00 | Management | 0100 | Probe Request |
00 | Management | 0101 | Probe Response |
00 | Management | 0110 | Timing Advertisement |
00 | Management | 0111 | Reserved |
00 | Management | 1000 | Beacon |
00 | Management | 1001 | ATIM |
00 | Management | 1010 | Disassociation |
00 | Management | 1011 | Authentication |
00 | Management | 1100 | Deauthentication |
00 | Management | 1101 | Action |
00 | Management | 1110 | Action No Ack (NACK) |
00 | Management | 1111 | Reserved |
01 | Control | 0000-0001 | Reserved |
01 | Control | 0010 | Trigger[3] |
01 | Control | 0011 | TACK |
01 | Control | 0100 | Beamforming Report Poll |
01 | Control | 0101 | VHT/HE NDP Announcement |
01 | Control | 0110 | Control Frame Extension |
01 | Control | 0111 | Control Wrapper |
01 | Control | 1000 | Block Ack Request (BAR) |
01 | Control | 1001 | Block Ack (BA) |
01 | Control | 1010 | PS-Poll |
01 | Control | 1011 | RTS |
01 | Control | 1100 | CTS |
01 | Control | 1101 | ACK |
01 | Control | 1110 | CF-End |
01 | Control | 1111 | CF-End + CF-ACK |
10 | Data | 0000 | Data |
10 | Data | 0001-0011 | Reserved |
10 | Data | 0100 | Null (no data) |
10 | Data | 0101-0111 | Reserved |
10 | Data | 1000 | QoS Data |
10 | Data | 1001 | QoS Data + CF-ACK |
10 | Data | 1010 | QoS Data + CF-Poll |
10 | Data | 1011 | QoS Data + CF-ACK + CF-Poll |
10 | Data | 1100 | QoS Null (no data) |
10 | Data | 1101 | Reserved |
10 | Data | 1110 | QoS CF-Poll (no data) |
10 | Data | 1111 | QoS CF-ACK + CF-Poll (no data) |
11 | Extension | 0000 | DMG Beacon |
11 | Extension | 0001 | S1G Beacon |
11 | Extension | 0010-1111 | Reserved |
ToDS and FromDS
ToDS is one bit in length and is set to 1 if the frame is destined for the Distribution System,[4] while FromDS is one bit in length and is set to 1 if the frame originated from the Distribution System.[4]
Retry
Set to 1 if the Data or Management frame is a retransmission of an earlier frame. This bit is reused for a different purpose in Control frames.
+HTC/Order
It is one bit in length and is used for two purposes:
- It is set to 1 in a non-QoS data frame transmitted by a non-QoS WLAN station to indicate that the frame being transmitted uses the Strictly-Ordered service class (this use is obsolete and will be removed from the future 802.11 Standard).
- It is set to 1 in a QoS data or management frame transmitted at an HT or higher rate to indicate that the frame contains an HT Control field (see above).
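The bit layout described above can be checked against raw frame bytes with a short decoder. The following is an added example, not part of the original article: the function name `parse_frame_control` and the sample byte strings are constructed for illustration, and the code declines to decode any protocol version other than PV0 because the table above describes PV0 frames.

```python
import struct

TYPES = ("Management", "Control", "Data", "Extension")
# Subtype names from the table above, indexed by subtype value (R = Reserved).
SUBTYPES = {
    0: ("Association Request|Association Response|Reassociation Request|"
        "Reassociation Response|Probe Request|Probe Response|"
        "Timing Advertisement|R|Beacon|ATIM|Disassociation|Authentication|"
        "Deauthentication|Action|Action No Ack|R"),
    1: ("R|R|Trigger|TACK|Beamforming Report Poll|VHT/HE NDP Announcement|"
        "Control Frame Extension|Control Wrapper|Block Ack Request|Block Ack|"
        "PS-Poll|RTS|CTS|ACK|CF-End|CF-End + CF-ACK"),
    2: ("Data|R|R|R|Null (no data)|R|R|R|QoS Data|QoS Data + CF-ACK|"
        "QoS Data + CF-Poll|QoS Data + CF-ACK + CF-Poll|QoS Null (no data)|R|"
        "QoS CF-Poll (no data)|QoS CF-ACK + CF-Poll (no data)"),
    3: "DMG Beacon|S1G Beacon" + "|R" * 14,
}
# Second-octet flags in transmission order (B8..B15), as listed above.
FLAGS = ("To-DS", "From-DS", "More-Fragments", "Retry", "Power Management",
         "More Data", "Protected Frame", "+HTC/Order")


def parse_frame_control(frame: bytes) -> dict:
    """Decode the Frame Control field from the first two octets of a MAC frame."""
    if len(frame) < 2:
        raise ValueError("need at least 2 octets for Frame Control")
    (fc,) = struct.unpack_from("<H", frame)  # low-order octet is sent first
    version = fc & 0b11                       # B1..B0
    if version != 0:
        # The table above covers PV0; this example does not guess other layouts.
        raise ValueError(f"unsupported protocol version {version}")
    ftype = (fc >> 2) & 0b11                  # B3..B2
    subtype = (fc >> 4) & 0b1111              # B7..B4
    name = SUBTYPES[ftype].split("|")[subtype]
    return {
        "version": version,
        "type": TYPES[ftype],
        "subtype": "Reserved" if name == "R" else name,
        "flags": [f for i, f in enumerate(FLAGS) if fc >> (8 + i) & 1],
    }


# Constructed sample headers (not captured traffic): Frame Control + padding.
SAMPLES = [bytes.fromhex(h) for h in ("80000000", "c0000000", "88413000", "d4000000", "08090000")]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s[:2].hex(), parse_frame_control(s))
```
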
References
- [1] "802.11 frames : A starter guide to learn wireless sniffer traces". 2010-10-25. https://community.cisco.com/t5/wireless-mobility-documents/802-11-frames-a-starter-guide-to-learn-wireless-sniffer-traces/ta-p/3110019.
- [2] 802.11 Working Group. Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. 2016. New York, NY: IEEE. p. 638.
- [3] LAN/MAN Standards Committee (9 February 2021). Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications; Amendment 1: Enhancements for High-Efficiency WLAN. New York, NY: IEEE Standards Association. p. 76. doi:10.1109/IEEESTD.2021.9442429. ISBN 978-1-5044-7390-3. https://ieeexplore.ieee.org/document/9442429.
- [4] Rapp, Dale (2014-05-17). "THE TO DS AND FROM DS FIELDS". https://dalewifisec.wordpress.com/2014/05/17/the-to-ds-and-from-ds-fields/.