802.11 frame format parsing

Source: Internet
Author: User
Tags: bssid

1. MAC802.11 data frame format

The first thing to note is that the 802.11 MAC frame format is unusual. Unlike the fixed headers of the TCP/IP protocols, its length is variable: data frames serving different functions have different lengths. This makes 802.11 frames more flexible, but also more complex. The length of an 802.11 data frame is determined by the following factors:

1.1 The number of MAC addresses is not fixed. The number of MAC addresses in an 802.11 frame varies with the frame type. For example, an ACK frame carries only one MAC address, while a data frame carries three. In WDS mode (described below), the frame header actually carries four MAC addresses.

1.2 The length of the information carried by management frames is not fixed. A management frame contains not only fixed fields such as the MAC addresses and the flags, but also other information about security settings and physical-layer parameters. For example, the SSID name we see is obtained from management frames. The AP sends management frames carrying different information depending on the situation. Management frames are discussed in detail in later articles, so this part is skipped for now.

1.3 Encryption (WEP, WPA, etc.) information and QoS (quality of service) information. An encrypted data frame differs from an unencrypted one in that it also carries an encryption header needed for decryption. The same applies to QoS: a QoS frame carries an additional QoS field.

Since the 802.11 data frame is this complicated, let's start with the part that is common to all frames.


Frame Control (2 bytes):

This field indicates the frame type, whether the frame is fragmented, and so on. Put plainly, it records the attributes of the 802.11 frame.

* Protocol version: indicates the protocol version. Currently this field is 0 in all frames.

* Type: specifies the frame type: management frame, data frame or control frame.

* Subtype: indicates the subtype of the frame. Control frames, for instance, are further divided into RTS, CTS and ACK frames, and the specific kind of frame is determined by this field.

* To DS/From DS: these two bits indicate the direction in which the frame is being transmitted. There are four possible cases:

** If To DS is 0 and From DS is 0, the frame is transmitted directly between network hosts.

** If To DS is 0 and From DS is 1, the frame is sent from the AP.

** If To DS is 1 and From DS is 0, the frame is sent to the AP.

** If To DS is 1 and From DS is 1, the frame is sent from one AP to another, that is, it is a WDS (Wireless Distribution System) frame. For an introduction to WDS, refer to the separate article on that topic.

* More Fragments (Moreflag): the fragmentation flag. If the frame has been split into fragments, this flag is 1; otherwise it is 0.

* Retry: indicates whether the frame is a retransmission. It is 1 for a retransmitted frame and 0 otherwise.

* Power Management: when the network host is in power-saving mode, this flag is 1; otherwise it is 0.

* More Data: when an AP has buffered packets for a network host in power-saving mode, this flag is 1 in the frames the AP sends to that host; otherwise it is 0.

* WEP: the encryption flag. If it is 1, the frame body is encrypted; otherwise it is 0.

* Order: indicates strictly ordered service, used in PCF mode, which is not discussed here.
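The Frame Control decoding described above, as an added example that is not part of the original article. It unpacks the 2-byte little-endian field, labels type and subtype, maps the To DS / From DS pair onto the four cases listed above and reports the six flag bits. The bit positions follow the 802.11 layout; the `SAMPLES` values are constructed, not captured traffic, and the subtype name table covers only the frames used here.

```python
import struct

# Bit layout of the 16-bit little-endian Frame Control field (IEEE 802.11):
# b0-1 protocol version, b2-3 type, b4-7 subtype, b8 To DS, b9 From DS,
# b10 More Fragments, b11 Retry, b12 Power Management, b13 More Data,
# b14 Protected Frame (the "WEP" bit), b15 Order.
TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "reserved"}

# A handful of (type, subtype) names, enough to label the sample frames below.
SUBTYPE_NAMES = {
    (0, 0): "association request", (0, 4): "probe request", (0, 8): "beacon",
    (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK",
    (2, 0): "data", (2, 8): "QoS data",
}

# The four To DS / From DS combinations described in the article.
DS_CASES = {
    (0, 0): "host to host (no AP in the path)",
    (0, 1): "from the AP to a host",
    (1, 0): "from a host to the AP",
    (1, 1): "AP to AP (WDS, four addresses)",
}

FLAG_BITS = {
    "more_fragments": 10, "retry": 11, "power_mgmt": 12,
    "more_data": 13, "protected": 14, "order": 15,
}


def parse_frame_control(raw: bytes) -> dict:
    """Decode the first two bytes of an 802.11 MAC header into named fields."""
    if len(raw) < 2:
        raise ValueError("need at least 2 bytes for Frame Control")
    (fc,) = struct.unpack_from("<H", raw, 0)
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    to_ds = (fc >> 8) & 1
    from_ds = (fc >> 9) & 1
    fields = {
        "version": fc & 0x3,
        "type": ftype,
        "type_name": TYPE_NAMES[ftype],
        "subtype": subtype,
        "subtype_name": SUBTYPE_NAMES.get((ftype, subtype), "unknown"),
        "to_ds": to_ds,
        "from_ds": from_ds,
        "direction": DS_CASES[(to_ds, from_ds)],
    }
    for name, bit in FLAG_BITS.items():
        fields[name] = (fc >> bit) & 1
    return fields


def describe(raw: bytes) -> str:
    """One-line summary such as 'data/data (from the AP to a host) flags=retry,protected'."""
    fc = parse_frame_control(raw)
    flags = [name for name in FLAG_BITS if fc[name]]
    return f"{fc['type_name']}/{fc['subtype_name']} ({fc['direction']}) flags={','.join(flags) or 'none'}"


# Constructed Frame Control values (not captured traffic), in wire byte order.
SAMPLES = {
    "beacon": b"\x80\x00",
    "ACK": b"\xd4\x00",
    "encrypted data, retransmitted, AP -> host": b"\x08\x4a",
    "WDS data": b"\x08\x03",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:42s} -> {describe(raw)}")
```

Note that the field is read with `<H` (little-endian), so the byte that appears first on the wire holds the version, type and subtype, and the second byte holds the direction bits and flags; reading it as a big-endian value is the most common mistake when decoding this header by hand.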


Duration/Association ID (2 bytes):

Recall the virtual carrier sensing mechanism discussed earlier: its Network Allocation Vector (NAV) lives in this field, which is why the field is called Duration. Not every frame stores a NAV value here, however. In certain frame types the field carries the Association ID instead: once a host has associated with an AP, the AP assigns it an Association ID. For example, when a network host notifies the AP that it is about to enter power-saving mode, this field in the notification frame it sends carries the Association ID rather than the NAV. The highest bits tell you which meaning applies:

* When bit 15 is 0, the field is a duration.

* When bit 15 is 1 and bit 14 is 1, the field is an Association ID.

Sequence Control (2 bytes: 4 bits / 12 bits): this field has two parts, the fragment number and the sequence number of the frame. The fragment number records the position of a fragment within a frame. For example, if frame A is split into a1, a2 and a3, the fragment numbers of a1, a2 and a3 are 0, 1 and 2 respectively, on the same principle as IP fragmentation. This part occupies 4 bits. The remaining 12 bits identify the sequence number of the frame, which plays the same role as the identification number in the IP header.
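The Duration/ID and Sequence Control decoding from the two sections above, as an added example that is not part of the original article. Beyond splitting the fields, it shows what a receiver does with the sequence number and the Retry flag: a retransmitted frame whose (sequence, fragment) pair matches the last frame from the same transmitter is a duplicate and is discarded. The frame stream in `FRAMES` and the MAC addresses in it are constructed.

```python
import struct


def parse_duration_id(raw: bytes) -> dict:
    """Decode the 2-byte little-endian Duration/ID field using its top bits."""
    (value,) = struct.unpack_from("<H", raw, 0)
    if value & 0x8000 == 0:                   # bit 15 clear: NAV duration in microseconds
        return {"kind": "duration", "microseconds": value}
    if value & 0xC000 == 0xC000:              # bits 15 and 14 set: Association ID
        return {"kind": "aid", "aid": value & 0x3FFF}
    return {"kind": "other", "raw": value}    # bit 15 set, bit 14 clear: not covered here


def parse_sequence_control(raw: bytes) -> dict:
    """Split Sequence Control into the 4-bit fragment number and 12-bit sequence number."""
    (sc,) = struct.unpack_from("<H", raw, 0)
    return {"fragment": sc & 0xF, "sequence": sc >> 4}


def build_sequence_control(sequence: int, fragment: int) -> bytes:
    """Inverse of parse_sequence_control, used to construct the sample frames below."""
    if not (0 <= sequence < 4096 and 0 <= fragment < 16):
        raise ValueError("sequence must fit in 12 bits and fragment in 4 bits")
    return struct.pack("<H", (sequence << 4) | fragment)


class DuplicateDetector:
    """Receiver-side duplicate check: a frame with the Retry bit set whose
    (sequence, fragment) pair equals the last frame seen from the same
    transmitter address is a retransmission and should be dropped."""

    def __init__(self) -> None:
        self.last_seen = {}

    def is_duplicate(self, transmitter: str, retry: int, seq_ctrl: bytes) -> bool:
        sc = parse_sequence_control(seq_ctrl)
        key = (sc["sequence"], sc["fragment"])
        duplicate = bool(retry) and self.last_seen.get(transmitter) == key
        self.last_seen[transmitter] = key
        return duplicate


# Constructed frame stream: (transmitter MAC, Retry bit, sequence, fragment).
FRAMES = [
    ("02:00:00:00:00:01", 0, 5, 0),
    ("02:00:00:00:00:01", 1, 5, 0),   # retransmission of the frame above
    ("02:00:00:00:00:01", 0, 6, 0),
    ("02:00:00:00:00:01", 0, 6, 1),   # second fragment of sequence 6, not a duplicate
    ("02:00:00:00:00:02", 1, 6, 1),   # Retry set, but from a different transmitter
]


def find_duplicates(frames) -> list:
    """Return the indices of frames the receiver would discard as duplicates."""
    detector = DuplicateDetector()
    return [i for i, (ta, retry, seq, frag) in enumerate(frames)
            if detector.is_duplicate(ta, retry, build_sequence_control(seq, frag))]


if __name__ == "__main__":
    print(parse_duration_id(b"\x2c\x01"))   # NAV of 300 microseconds
    print(parse_duration_id(b"\x01\xc0"))   # Association ID 1
    print("duplicates at indices:", find_duplicates(FRAMES))
```

The detector keys on the transmitter address on purpose: two stations may legitimately use the same sequence number at the same time, so a duplicate cache that ignores the sender would drop good frames.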


MAC addresses 1-4

The four addresses have different meanings in different frames; these will be discussed later.

In what follows we may encounter the following kinds of MAC address:

RA (receiver address): the receiver of the frame on the wireless link.

TA (transmitter address): the sender of the frame on the wireless link.

BSSID (Basic Service Set ID): in an infrastructure BSS, the BSSID is the MAC address of the AP. In an IBSS, however, it is a random 46-bit binary sequence whose highest two bits are the Universal/Local and Individual/Group flags. In the BSSID of an IBSS, the Universal/Local flag is 1, indicating a locally administered MAC, and the Individual/Group flag is 0, indicating an individual MAC. That is, in an IBSS the BSSID looks like 10xxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx (x indicates a random bit, either 0 or 1, and 2 represents)

DA (destination address): the final destination MAC address of the frame.

SA (source address): the original source MAC address of the frame.

DA and SA have the same meaning as in ordinary Ethernet. In a wireless network we may need to send data through the AP to a host on another network. Some may wonder why the MAC address of that host is not simply placed in RA. Note what RA means: it is the receiver on the wireless link, not the final receiver in the network, and here the target host is not on the wireless network at all. In this case the RA is only a relay, so a separate DA field is required to specify the final destination of the frame. And if there is a DA, an SA is required too, because the target host cannot reply without it. (If there were no SA field, the reply from the target host could only be sent back to the AP to which the source host belongs.)


The most typical example is WDS mode, where a data frame has four addresses. RA and TA indicate the receiving and sending ends of the wireless hop; these two addresses are used for the wireless transmission. The other two addresses are DA and SA, which are the same as the destination and source addresses in Ethernet. The format of WDS frames is as follows:

For example, AP1 has host A and AP2 has host B. If A wants to communicate with B, A first sends a data frame to AP1, and AP1 then forwards the frame to AP2. At this point the frame carries four addresses: RA = mac(AP2), TA = mac(AP1), DA = mac(B) and SA = mac(A).
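The address-role resolution for the scenario just described, as an added example that is not part of the original article. It builds the two hops of the A-to-B exchange (host A to AP1, then AP1 to AP2) as data frame headers and names each address field by its role. The article spells out only the four-address WDS case; the rows for the other three To DS / From DS combinations are taken from the address table in the 802.11 standard, so the example goes beyond the text there. All MAC addresses are constructed, locally administered values.

```python
import struct
from typing import Optional

# Constructed MAC addresses for the article's scenario: hosts A and B, APs AP1 and AP2.
HOST_A = bytes.fromhex("02000000000a")
HOST_B = bytes.fromhex("02000000000b")
AP1 = bytes.fromhex("0200000000a1")
AP2 = bytes.fromhex("0200000000a2")


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_data_header(to_ds: int, from_ds: int, a1: bytes, a2: bytes, a3: bytes,
                      a4: Optional[bytes] = None, sequence: int = 0) -> bytes:
    """Build a plain (non-QoS) data frame MAC header for the sample frames below."""
    fc = (2 << 2) | (to_ds << 8) | (from_ds << 9)      # type 2 = data, subtype 0
    header = struct.pack("<HH", fc, 0) + a1 + a2 + a3 + struct.pack("<H", sequence << 4)
    if to_ds and from_ds:
        if a4 is None:
            raise ValueError("a WDS (To DS=1, From DS=1) frame needs a fourth address")
        header += a4                                    # Address 4 follows Sequence Control
    return header


def parse_data_header(raw: bytes) -> dict:
    """Name each address of a data frame by its role (RA, TA, DA, SA, BSSID).

    The role table is the one from the 802.11 standard; the article itself only
    spells out the four-address WDS row."""
    (fc,) = struct.unpack_from("<H", raw, 0)
    if (fc >> 2) & 0x3 != 2:
        raise ValueError("this example handles data frames only")
    to_ds, from_ds = (fc >> 8) & 1, (fc >> 9) & 1
    # 24 fixed bytes, plus Address 4 for WDS, plus a 2-byte QoS Control for QoS subtypes.
    header_len = 24 + (6 if to_ds and from_ds else 0) + (2 if (fc >> 4) & 0x8 else 0)
    if len(raw) < header_len:
        raise ValueError(f"truncated header: need {header_len} bytes, got {len(raw)}")
    a1, a2, a3 = fmt_mac(raw[4:10]), fmt_mac(raw[10:16]), fmt_mac(raw[16:22])
    if (to_ds, from_ds) == (0, 0):      # host to host inside one BSS
        roles = {"RA": a1, "DA": a1, "TA": a2, "SA": a2, "BSSID": a3}
    elif (to_ds, from_ds) == (0, 1):    # from the AP to a host
        roles = {"RA": a1, "DA": a1, "TA": a2, "BSSID": a2, "SA": a3}
    elif (to_ds, from_ds) == (1, 0):    # from a host to the AP
        roles = {"RA": a1, "BSSID": a1, "TA": a2, "SA": a2, "DA": a3}
    else:                               # WDS: AP to AP, four distinct addresses
        roles = {"RA": a1, "TA": a2, "DA": a3, "SA": fmt_mac(raw[24:30])}
    return {"to_ds": to_ds, "from_ds": from_ds, "header_len": header_len, **roles}


def uplink_example() -> dict:
    """First hop of the article's scenario: host A sends the frame to its own AP."""
    header = build_data_header(1, 0, a1=AP1, a2=HOST_A, a3=HOST_B, sequence=7)
    return parse_data_header(header)


def wds_hop_example() -> dict:
    """Second hop: AP1 forwards the frame to AP2 with all four addresses present."""
    header = build_data_header(1, 1, a1=AP2, a2=AP1, a3=HOST_B, a4=HOST_A, sequence=7)
    return parse_data_header(header)


if __name__ == "__main__":
    for name, fields in (("host A -> AP1", uplink_example()), ("AP1 -> AP2", wds_hop_example())):
        print(name, {k: v for k, v in fields.items() if k in ("RA", "TA", "DA", "SA", "BSSID")})
```

Note how DA and SA stay fixed across both hops (B and A) while RA and TA change with each wireless link; a capture tool that reports only Address 1 and Address 2 therefore shows the AP-to-AP hop as AP traffic, and the true endpoints are only visible once the roles are resolved from the To DS / From DS bits.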
