While the net is filled with technical descriptions of 802.3 Ethernet frame headers and all of their variants, there is an unfortunate silence on the subject of 802.11 (wireless) frames.
Current drivers are quite limited in their ability to hand over raw 802.11 frames for examination, and none allow raw 802.11 frames to be submitted for unaltered transmission (for good reasons!). It IS, however, possible to capture such frames, and they should be documented in some form other than (often) convoluted source code.
This document is a work in progress, beginning with an overview and then delving into the specifics of each frame type. It will be of interest to writers of 802.11 MAC firmware and wireless scanners, and perhaps to others interested in network discovery.
Because 802.11 is itself more complex in its options than 802.3 (Ethernet), its frame format is likewise more complex. Since not every feature of 802.11 is needed by every frame, the 802.11 frame is variable in length: fields that are not required for a particular frame type are simply omitted. The fields are ordered so that the leading ones are those always required and the trailing ones the least commonly required, so a field is ALWAYS omitted by truncating the header, never by shifting the starting octet of a field that is present. A parser can therefore find Address 1 at octet 4, Address 2 at octet 10 and Address 3 at octet 16 of every frame that carries them. Multi-octet numeric fields (Frame control, Duration/ID, Sequence control, FCS) are transmitted least-significant octet first.
|Field|Frame control|Duration/ID|Address 1|Address 2|Address 3|Seq ctl|Address 4|Frame body (data)|FCS (frame CRC)|
|Octets|2|2|6|6|6|2|6|0-2312|4|
The Frame control field is two octets; its sub-fields are numbered here from the least significant bit (B0) upward:
|Bits|B0-B1|B2-B3|B4-B7|B8|B9|B10|B11|B12|B13|B14|B15|
|Sub-field|Protocol version|Type|Sub-type|To DS|From DS|More frag|Retry|Power management|More data|WEP|Order|
Currently the protocol version is always 00. If and when the spec evolves in a way that would confuse devices that correctly implement version 0, the protocol version will be bumped to 01. Devices must silently discard frames whose version number is higher than the one they implement.
Type is one of Management (00), Control (01) or Data (10); the value 11 is reserved. Broadly, management frames are concerned with the administration of a domain (network discovery, joining, authenticating, leaving, de-authenticating, etc.).
Control frames deal primarily with traffic control, that is, who may transmit how much and when.
Data frames are the real point of the network. They carry data payloads, which are generally packets of a higher-level protocol such as IP.
The sub-type field is interpreted according to the type:
|Type|Sub-type|Description|
|00 (management)|0000|Association request|
|00 (management)|0001|Association response|
|00 (management)|0010|Reassociation request|
|00 (management)|0011|Reassociation response|
|00 (management)|0100|Probe request|
|00 (management)|0101|Probe response|
|00 (management)|1000|Beacon|
|00 (management)|1001|Announcement traffic indication message (ATIM)|
|00 (management)|1010|Disassociation|
|00 (management)|1011|Authentication|
|00 (management)|1100|Deauthentication|
|01 (control)|1010|Power save poll (PS-Poll)|
|01 (control)|1011|Request to send (RTS)|
|01 (control)|1100|Clear to send (CTS)|
|01 (control)|1101|Acknowledgement (ACK)|
|01 (control)|1110|Contention free period end (CF-End)|
|01 (control)|1111|CF-End + CF-ACK|
|10 (data)|0000|Data|
|10 (data)|0001|Data + CF-ACK|
|10 (data)|0010|Data + CF-Poll|
|10 (data)|0011|Data + CF-ACK + CF-Poll|
|10 (data)|0100|NULL data (no payload, used for power management)|
|10 (data)|0101|CF-ACK (no data)|
|10 (data)|0110|CF-Poll (no data)|
|10 (data)|0111|CF-ACK + CF-Poll (no data)|
All other type/sub-type combinations are reserved.
Note that while the data sub-type is "officially" defined as above, it can just as easily be read as four 1-bit flags (b7 is the most significant bit of the sub-type, i.e. B7 of Frame control):
|Data frame sub-type bit|b7|b6|b5|b4|
|Meaning|reserved (must be 0)|NULL data (no payload)|CF-Poll|CF-ACK|
The later 802.11e QoS amendment assigns b7 as the QoS flag (sub-type 1000 is QoS data), so a parser that rejects every frame with b7 set as reserved will drop all QoS data frames from newer devices.
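The following decoder, added here as an illustration and not part of the original page, pulls the Frame control field apart exactly as the bit tables above describe: version and type codes, the sub-type looked up by type (management and control) or read as four flags (data), and the receiver rule that a frame with an unsupported protocol version is silently dropped. The sample Frame control values at the bottom are constructed for the demonstration, not captured traffic.

```python
import struct

TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "reserved"}

# (type, sub-type) -> name for management and control frames; data frames are
# decoded bit by bit in data_subtype_name(), as the second table suggests.
SUBTYPE_NAMES = {
    (0, 0x0): "association request",   (0, 0x1): "association response",
    (0, 0x2): "reassociation request", (0, 0x3): "reassociation response",
    (0, 0x4): "probe request",         (0, 0x5): "probe response",
    (0, 0x8): "beacon",                (0, 0x9): "ATIM",
    (0, 0xA): "disassociation",        (0, 0xB): "authentication",
    (0, 0xC): "deauthentication",
    (1, 0xA): "PS-Poll", (1, 0xB): "RTS", (1, 0xC): "CTS", (1, 0xD): "ACK",
    (1, 0xE): "CF-End",  (1, 0xF): "CF-End + CF-Ack",
}

SUPPORTED_VERSION = 0   # the only protocol version defined so far


def data_subtype_name(subtype: int) -> str:
    """Read the 4-bit data sub-type as flags: b4 CF-Ack, b5 CF-Poll, b6 Null, b7 reserved."""
    if subtype & 0x8:          # b7: reserved in the original spec (QoS flag in 802.11e)
        return "reserved"
    parts = ["Null" if subtype & 0x4 else "Data"]
    if subtype & 0x1:
        parts.append("CF-Ack")
    if subtype & 0x2:
        parts.append("CF-Poll")
    return " + ".join(parts)


def parse_frame_control(fc_bytes: bytes) -> dict:
    """Decode the two-octet Frame control field (transmitted least-significant octet first)."""
    (fc,) = struct.unpack("<H", fc_bytes[:2])
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    fields = {
        "version":    fc & 0x3,           # B0-B1
        "type":       ftype,              # B2-B3
        "type_name":  TYPE_NAMES[ftype],
        "subtype":    subtype,            # B4-B7
        "to_ds":      bool(fc & 0x0100),  # B8
        "from_ds":    bool(fc & 0x0200),  # B9
        "more_frag":  bool(fc & 0x0400),  # B10
        "retry":      bool(fc & 0x0800),  # B11
        "power_mgmt": bool(fc & 0x1000),  # B12
        "more_data":  bool(fc & 0x2000),  # B13
        "wep":        bool(fc & 0x4000),  # B14
        "order":      bool(fc & 0x8000),  # B15
    }
    if ftype == 2:
        fields["subtype_name"] = data_subtype_name(subtype)
    else:
        fields["subtype_name"] = SUBTYPE_NAMES.get((ftype, subtype), "reserved")
    return fields


def accept_frame(fc_bytes: bytes):
    """Receiver rule from the text: a frame whose protocol version is higher
    than the one we implement is silently discarded (returns None)."""
    fields = parse_frame_control(fc_bytes)
    if fields["version"] > SUPPORTED_VERSION:
        return None
    return fields


if __name__ == "__main__":
    # Constructed sample Frame control values (not captured traffic).
    for label, fc in [("beacon", b"\x80\x00"),
                      ("WEP data, station -> AP", b"\x08\x41"),
                      ("Null data with power management set", b"\x48\x10"),
                      ("ACK", b"\xd4\x00"),
                      ("version 1 (dropped)", b"\x81\x00")]:
        print(f"{label:40s} {accept_frame(fc)}")
```

The masks are written against the little-endian 16-bit value, which is why `To DS` is `0x0100` even though it lives in the first bit of the second octet on the wire; a parser that reads the two octets as a big-endian number will swap the sub-type nibble with the flag bits and misclassify every frame.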
To DS and From DS
These two bits, taken together, determine where the frame is going.
|To DS|From DS|Meaning|
|1|0|Frame from a station (client device) to the AP|
|0|1|Frame from the AP to a station|
|1|1|WDS frame from one AP to another AP (carries all four address fields)|
|0|0|Station-to-station frame in an ad-hoc (unmanaged) network; management and control frames also always carry 0/0|
Address fields
Unlike Ethernet (802.3), 802.11 frames have four address fields, but a frame may use as few as one of them, with the rest omitted. A receiving device always knows how many to expect from the Frame control field.
Address 1 is always present and names the device(s) that should accept the frame, in every case. RX filtering in a device therefore always looks at Address 1 (matching its own MAC address, or the group bit for broadcast and multicast).
The type, sub-type, To DS and From DS fields determine the actual meaning (and presence) of the address fields:
|To DS|From DS|Type|Sub-type|Purpose|Address 1|Address 2|Address 3|Address 4|
|0|0|mgmt|any|management frame within a BSS|DA|SA|BSSID|none|
|1|0|data|any|frame transmitted from a station to the AP|BSSID|SA|DA|none|
|0|1|data|any|frame received by a station from the AP|DA|BSSID|SA|none|
|1|1|data|any|WDS frame relayed from one AP to another|RA|TA|DA|SA|
|0|0|data|any|frame in an ad-hoc (unmanaged) network|DA|SA|BSSID (of the IBSS)|none|
|0|0|ctrl|RTS|request silence to send a large frame|DA|SA|none|none|
|0|0|ctrl|CTS|grant silence|DA (1)|none|none|none|
|0|0|ctrl|ACK|indicate receipt of a frame|DA (2)|none|none|none|
|0|0|ctrl|PS poll|request any frames saved while sleeping|BSSID|SA|none|none|
BSSID = BSS ID of a managed network = MAC address of the AP (in an ad-hoc network, the locally generated IBSS ID).
DA = intended final recipient (station)
SA = original sending station
RA = receiving AP of a WDS frame (the next hop)
TA = transmitting AP of a WDS frame (the sender of this hop)
DA (1) In this case the destination is the SA of the preceding RTS frame.
DA (2) The destination is the SA (sender) of the frame being acknowledged.
For RTS, CTS and ACK the standard calls these per-hop addresses RA and TA rather than DA and SA, since a control frame never crosses the DS; the table keeps the simpler naming. Note also that in a PS poll the Duration/ID field carries the station's association ID (AID) rather than a duration.
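The header splitter below is an added example, not code from the original page: it turns the address table and legend above into a function that, from the Frame control field alone, decides how many address fields a frame carries, what role each plays, where Sequence control and the frame body start, and whether the trailing FCS checks out. It uses the standard's RA/TA naming for the per-hop addresses of control frames (where the table writes DA/SA) and adds the CF-End rows from the sub-type table (RA, BSSID). Two assumptions are labelled in the code: that the FCS is the same CRC-32 as Ethernet, stored least-significant octet first (which is what `zlib.crc32` plus `<I` packing produces), and that the caller knows whether its capture path delivers the FCS (`has_fcs`). All sample frames and MAC addresses are constructed for the demonstration.

```python
import struct
import zlib


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def address_roles(ftype, subtype, to_ds, from_ds):
    """Which address slots a frame carries and what each one means
    (the address table above; management frames never cross the DS)."""
    if ftype == 0:                                  # management
        return ["DA", "SA", "BSSID"]
    if ftype == 2:                                  # data
        return {
            (False, False): ["DA", "SA", "BSSID"],    # ad-hoc (IBSS)
            (True,  False): ["BSSID", "SA", "DA"],    # station -> AP
            (False, True):  ["DA", "BSSID", "SA"],    # AP -> station
            (True,  True):  ["RA", "TA", "DA", "SA"], # WDS, AP -> AP
        }[(to_ds, from_ds)]
    if ftype == 1:                                  # control, by sub-type
        ctrl = {0xA: ["BSSID", "TA"],               # PS-Poll
                0xB: ["RA", "TA"],                  # RTS
                0xC: ["RA"],                        # CTS
                0xD: ["RA"],                        # ACK
                0xE: ["RA", "BSSID"],               # CF-End
                0xF: ["RA", "BSSID"]}               # CF-End + CF-Ack
        if subtype in ctrl:
            return ctrl[subtype]
    raise ValueError(f"unsupported type/sub-type {ftype}/{subtype:#x}")


def parse_header(frame: bytes, has_fcs: bool = True) -> dict:
    """Split a raw 802.11 frame into its header fields, body and FCS status."""
    fc, duration = struct.unpack("<HH", frame[:4])
    ftype, subtype = (fc >> 2) & 3, (fc >> 4) & 0xF
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    roles = address_roles(ftype, subtype, to_ds, from_ds)
    # Address 1..3 sit at fixed octets 4, 10, 16 whenever they are present.
    addrs = {role: mac_str(frame[4 + 6 * i: 10 + 6 * i])
             for i, role in enumerate(roles[:3])}
    hdr_len = 4 + 6 * min(len(roles), 3)
    seq_num = frag_num = None
    if ftype != 1:                      # management and data carry Sequence control
        (seq_ctl,) = struct.unpack("<H", frame[22:24])
        seq_num, frag_num = seq_ctl >> 4, seq_ctl & 0xF
        hdr_len = 24
        if len(roles) == 4:             # WDS: Address 4 follows Sequence control
            addrs[roles[3]] = mac_str(frame[24:30])
            hdr_len = 30
    info = {"type": ftype, "subtype": subtype, "to_ds": to_ds, "from_ds": from_ds,
            "addresses": addrs, "header_len": hdr_len,
            "seq_num": seq_num, "frag_num": frag_num, "fcs_ok": None}
    if ftype == 1 and subtype == 0xA:   # PS-Poll: Duration/ID holds the 14-bit AID
        info["aid"] = duration & 0x3FFF
    else:
        info["duration"] = duration
    body_end = len(frame)
    if has_fcs:                         # assumption: FCS = CRC-32, little-endian, last 4 octets
        body_end -= 4
        (fcs,) = struct.unpack("<I", frame[body_end:])
        info["fcs_ok"] = (zlib.crc32(frame[:body_end]) & 0xFFFFFFFF) == fcs
    info["body"] = frame[hdr_len:body_end]
    return info


def rx_accept(frame: bytes, my_mac: str) -> bool:
    """RX filtering always looks at Address 1: our own MAC, or any group address."""
    return mac_str(frame[4:10]) == my_mac or bool(frame[4] & 1)


def with_fcs(frame_no_fcs: bytes) -> bytes:
    return frame_no_fcs + struct.pack("<I", zlib.crc32(frame_no_fcs) & 0xFFFFFFFF)


# Constructed sample frames (not captured data); addresses are made up.
AP, STA, AP2 = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), bytes.fromhex("0a0b0c0d0e0f")
BCAST = b"\xff" * 6
# data frame, station -> AP (To DS=1), sequence number 5, broadcast DA
STA_TO_AP = with_fcs(b"\x08\x01" + b"\x2c\x00" + AP + STA + BCAST + b"\x50\x00" + b"\xaa\xaa\x03")
# WDS data frame (To DS=From DS=1), AP -> AP2, relaying STA's broadcast, sequence number 6
WDS = with_fcs(b"\x08\x03" + b"\x2c\x00" + AP2 + AP + BCAST + b"\x60\x00" + STA + b"\xaa\xaa\x03")
# ACK addressed to the station: no Address 2/3, no Sequence control, no body
ACK = with_fcs(b"\xd4\x00" + b"\x00\x00" + STA)
# PS-Poll from the station with AID 3 (top two bits of Duration/ID set)
PS_POLL = with_fcs(b"\xa4\x00" + struct.pack("<H", 0xC000 | 3) + AP + STA)

if __name__ == "__main__":
    for name, f in [("STA_TO_AP", STA_TO_AP), ("WDS", WDS), ("ACK", ACK), ("PS_POLL", PS_POLL)]:
        print(name, parse_header(f))
```

Some capture paths strip the FCS before handing the frame up; pass `has_fcs=False` for those, otherwise the last four body octets will be misread as a checksum and the body truncated. A scanner that only needs the source of traffic should still read the role map rather than a fixed slot: the same station's MAC is Address 2 in a frame it sends to the AP but Address 3 in a frame the AP forwards from it.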