802.11 Frame Format

In a wired Ethernet network, the switch is not an active participant in communication at L2. In a wireless LAN, the AP is an active participant unless something like 802.11z, Extension to Direct Link Setup (DLS) is used.

To direct frames through the AP, the radio must have a MAC address, known as the BSSID.

802.11 frames can carry a maximum payload of 2304 bytes.

To support wireless communication, the frame format is quite different from that of wired networks. The 802.11 frame starts out with a 2-byte Frame Control field, identifying the frame type, the direction the frame is traveling in and more.

| Name | Length (bits) |
|---|---|
| Protocol Version | 2 |
| Type | 2 |
| Subtype | 4 |
| To DS | 1 |
| From DS | 1 |
| More Frag | 1 |
| Retry | 1 |
| Pwr Mgmt | 1 |
| More Data | 1 |
| Order | 1 |

In a common scenario with multiple clients associated with an AP that is connected to a DS, frames travel from clients towards the DS or from the DS towards the clients.

The frame motion is indicated by two bits, To DS and From DS, in the Frame Control field.

Frames sent by a wireless client will have the To DS bit set while frames received at the AP from the wired part of the network will have the From DS bit set when the wireless frame is generated on the AP.

There are a few examples when both To DS and From DS are set to zero.

  • An AP sends a management control frame, broadcast to all wireless clients in the BSS. The AP is the originator and not the DS, so the To DS and From DS bits are set to zero
  • A client sends a management frame to an AP, the AP itself being the destination
  • Frames sent by clients directly without traversing the AP via DLS. Frames are not destined for the AP or the DS

In mesh networks where frames travel from AP to AP, the backhaul links are in neither the BSS nor the DS, so both DS bits are set to one.

802.11 Frame Addressing

While a wired Ethernet frame has two address fields, wireless Ethernet frames can have up to four. This is because intermediate devices are involved in transporting the frames. There is always one transmitter and one receiver.

Transmitting Address (TA) – The device transmitting the wireless frame. It may not be the original source of the frame.

Receiving Address (RA) – The intended receiver of the frame. It may not be the final destination of the frame.

Source Address (SA) – The original source of the frame.

Destination Address (DA) – The final destination of the frame.

This all sounds a bit confusing, but it follows from the fact that frames must travel through the AP, which is an endpoint in the communication, as opposed to a standard L2 Ethernet switch which just forwards frames. There are four address fields, where the Address1 field is always the RA and Address2 is always the TA. The Address3 field is used when the RA is not the final recipient and then contains the DA. This happens for example when a wireless client sends frames to a client in the DS.

Address3 can also be used when the TA is not the original source of the frame, such as when traffic is sourced from a client in the DS towards a client in the BSS. The Address3 field contains the SA in that case.

The Address4 field is only used in wireless bridge or mesh networks. Relayed frames have to carry both the SA and DA as well as the TA and RA, since the original frame is being relayed between APs.

| Type of Communication | To DS | From DS | Address1 | Address2 | Address3 | Address4 |
|---|---|---|---|---|---|---|
| Management control or DLS | 0 | 0 | RA | TA | BSSID | |
| DS to client | 0 | 1 | RA | BSSID | SA or BSSID | |
| Client to DS | 1 | 0 | BSSID | TA | DA or BSSID | |
| Wireless bridge or mesh | 1 | 1 | RA | TA | DA or BSSID | SA or BSSID |
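The following added example (not part of the original notes) decodes the Frame Control field and labels Address1 to Address4 according to the To DS and From DS bits, for data and management frames only. The sample headers and MAC addresses are constructed, and the Protected Frame flag at bit 14, which the table of Frame Control fields above does not list, is included so that all 16 bits are decoded.

```python
import struct

TYPES = {0: "management", 1: "control", 2: "data"}
# Flag bits 8..15 of the little-endian Frame Control word. "protected" (bit 14)
# is not in the table above; it is included so that all 16 bits are covered.
FLAGS = ("to_ds", "from_ds", "more_frag", "retry",
         "pwr_mgmt", "more_data", "protected", "order")
# (To DS, From DS) -> role of Address1..Address4, following the table above.
# Where the table says "SA or BSSID" / "DA or BSSID", the first form is used.
ROLES = {
    (0, 0): ("RA", "TA", "BSSID", None),
    (0, 1): ("RA", "BSSID", "SA", None),
    (1, 0): ("BSSID", "TA", "DA", None),
    (1, 1): ("RA", "TA", "DA", "SA"),
}

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_header(frame: bytes) -> dict:
    """Decode Frame Control and label the addresses of a data/management frame."""
    if len(frame) < 24:
        raise ValueError("truncated header: need at least 24 bytes")
    fc, duration_id = struct.unpack_from("<HH", frame, 0)
    ftype = (fc >> 2) & 0x3
    if ftype not in (0, 2):
        raise ValueError("control or reserved frame type: header layout differs")
    flags = {name: (fc >> (8 + i)) & 1 for i, name in enumerate(FLAGS)}
    roles = ROLES[(flags["to_ds"], flags["from_ds"])]
    # Address1-3 sit at offsets 4, 10 and 16; Sequence Control is at 22..23 and
    # Address4, present only when both DS bits are set, follows at 24.
    offsets = (4, 10, 16, 24)
    if roles[3] is not None and len(frame) < 30:
        raise ValueError("To DS and From DS set but Address4 is missing")
    addresses = {role: mac(frame[off:off + 6])
                 for role, off in zip(roles, offsets) if role is not None}
    return {"version": fc & 0x3, "type": TYPES[ftype],
            "subtype": (fc >> 4) & 0xF, "flags": flags,
            "duration_id": duration_id, "addresses": addresses}

# Constructed sample headers (locally administered MAC addresses, not captures).
CLIENT_TO_DS = bytes.fromhex(          # data frame, To DS = 1, From DS = 0
    "0801" "2c00" "020000000001" "0200000000aa" "0200000000bb" "1000")
MESH = bytes.fromhex(                  # data frame, To DS = 1, From DS = 1
    "0803" "2c00" "020000000002" "020000000001" "0200000000bb" "1000"
    "0200000000aa")

if __name__ == "__main__":
    for sample in (CLIENT_TO_DS, MESH):
        print(parse_header(sample))
```
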

Accessing the Wireless Medium

The management of a wireless channel is not centralized. This is distributed to every device using the channel through Distributed Coordination Function (DCF).

When two or more stations transmit at the same time, collisions can occur. Collisions ruin the transmitted data, waste time on the media and cause retransmissions, wasting even more time. Some collisions are inevitable but since the media is not full-duplex, stations should try to avoid collisions.

Carrier Sense

802.3 and 802.11 devices are required to use Carrier Sense Multiple Access (CSMA) technique to sense if the media is busy before transmitting. Wired devices can sense an electrical signal to determine if the media is busy. Wireless devices use a two-fold process to detect if a channel is in use.

Physical carrier sense

When not transmitting the wireless device can listen to the channel to overhear other transmissions. In the case of 802.11n or 802.11ac, several channels may be used so secondary channels must also be monitored.

Virtual carrier sense

Wireless clients transmitting frames must include a duration field in the Duration/ID frame header field. The duration required consists of the time to transmit the frame, an interframe gap, plus a return ACK frame to be sent over the channel. The channel will then be reserved for that amount of time. Other clients overhearing the frame can then predict how long they need to wait for the transmission to complete. Clients maintain a Network Allocation Vector (NAV) that predicts when a channel becomes free. When frames are overheard the Duration value is loaded into the NAV which then counts down while the client waits to transmit. When the NAV hits zero, the client can contend for using the wireless medium. If all clients decide that the channel is free at the same time, what happens? There would be collisions for sure…

Collision Avoidance

Wired devices detect collisions, back off, wait a random time and transmit again. Wireless devices operate in half-duplex mode and must try to avoid collisions.

Wireless clients wait a random timer before transmitting. Time is measured in two ways: by timeslot, a counting tempo at regular intervals, and by a unit called SIFS. A random number between 0 and 31 (timeslots) is used as a backoff timer. Different clients select a different random number (hopefully) lessening the risk of collisions. The range of the random timer is called the contention window.

If the channel becomes busy before the backoff timer hits zero, the timer is paused and the frame duration is added to the NAV. Frames can only be transmitted when all timers have expired.

To complicate things further, there is another timing scheme that controls frame transmission. The interframe space periods provide a safety cushion between frames. These periods of silence give the channel enough time for signals to dampen out. Remember that signals may take different paths (multipath), with reflected copies taking a slightly longer path.

There are several different interframe space periods used depending on the frame type and priority.

Reduced Interframe Space (RIFS) – The shortest period of time, used before sending a burst of 802.11n frames. 802.11ac allows for aggregating frames so RIFS is not used there

Short Interframe Space (SIFS) – Used between data frames and frame acknowledgements or CTS 802.11g protection mode control frames

Distributed Interframe Space (DIFS) – Default period used after most frame types of standard priority

Extended Interframe Space (EIFS) – The longest period of time, used after collisions and before retransmitting frames

In summary the following must take place before a wireless client can transmit a frame:

  1. Wait until the channel is quiet for a DIFS period
  2. Choose a random number and count down the backoff timer
  3. Listen during the countdown and pause the counting if another transmission is heard. Resume counting after channel has been quiet for a DIFS period
  4. When the countdown hits zero and the channel is free, the client is allowed to transmit

Wireless frames are acknowledged, and non-acknowledged frames have to be retransmitted. The backoff timer value for retransmitted frames (step 2 above) is doubled from the previous value, relaxing the conditions on the channel to give the retransmitted frame a better chance of making it to its destination. This timer is doubled for every failed attempt up to 1023 timeslots.
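The four steps and the retransmission rule above can be followed in a small slot-based simulation. This is an added example, not part of the original notes; `simulate`, `next_cw` and the `tx_slots` busy time (frame, SIFS, ACK and the following DIFS folded into one number) are assumptions made for illustration, and a collision stands in for a missing ACK.

```python
import random

CW_MIN, CW_MAX = 31, 1023  # contention window bounds in timeslots, from the text

def next_cw(cw):
    """Contention window after a failed attempt: 31, 63, 127, ... capped at 1023."""
    return min(2 * (cw + 1) - 1, CW_MAX)

def simulate(n_stations, frames_each, tx_slots=10, seed=1, pick=None):
    """Run DCF contention until every station has delivered its frames.

    pick(station, cw) returns a backoff in timeslots; by default it is a
    seeded uniform draw from 0..cw. Assumption: one transmission keeps the
    channel busy for tx_slots, during which all other countdowns are paused.
    """
    rng = random.Random(seed)
    pick = pick or (lambda station, cw: rng.randint(0, cw))
    cw = [CW_MIN] * n_stations
    left = [frames_each] * n_stations
    backoff = [pick(i, cw[i]) for i in range(n_stations)]
    slots, collisions, events = 0, 0, []
    while any(left):
        active = [i for i in range(n_stations) if left[i]]
        ready = [i for i in active if backoff[i] == 0]
        if not ready:
            # Idle slot: every contending station counts down by one.
            for i in active:
                backoff[i] -= 1
            slots += 1
            continue
        # Channel busy: the remaining stations keep their paused counters.
        slots += tx_slots
        if len(ready) == 1:
            winner = ready[0]
            left[winner] -= 1
            cw[winner] = CW_MIN          # success resets the window
            events.append(("ok", winner))
        else:
            collisions += 1              # no ACK arrives for any of them
            for i in ready:
                cw[i] = next_cw(cw[i])
            events.append(("collision", tuple(ready)))
        for i in ready:
            if left[i]:
                backoff[i] = pick(i, cw[i])
    return {"slots": slots, "collisions": collisions, "events": events}

if __name__ == "__main__":
    result = simulate(n_stations=5, frames_each=20, seed=7)
    print(result["slots"], "slots,", result["collisions"], "collisions")
```
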

802.11 Frame Types

There are three frame types according to the 802.11 standard:

  • Management frames
  • Control frames
  • Data frames

Management Frames

The management frames are used to advertise a BSS and its capabilities as well as managing clients as they join or leave the BSS. There are 14 subtypes available but the ones listed below are the main ones for the CCNA Wireless exam:

Beacon – Frame broadcasted by the AP advertising the BSS, data rates necessary and allowed in the BSS, optionally an SSID, and vendor-specific information. Sent to any and all devices in the BSA about 10 times per second (100ms interval). A different beacon is broadcasted for every SSID the AP supports.

Wireless devices can learn about BSSs within range by listening to the beacons; this is known as passive scanning.

Probe – Sent by a wireless device to ask any AP or a specific AP to provide information about their BSSs. AP answers with probe response containing most of the beacon information. This is known as active scanning.

Authentication and deauthentication – The wireless client must send an authentication request to join the BSS. The AP can support either Open System Authentication, where any 802.11 device can authenticate, or Shared Key Authentication, where a Wired Equivalent Privacy (WEP) key must be exchanged with the AP. These are the only two options in authentication frames but other authentication types are available through other frame types.

A client wanting to leave the authenticated state can send a deauthentication frame to the AP. The AP can also force a client out of the authenticated state by sending a deauthentication frame.

Association, disassociation and reassociation – An association request is sent by the client once it has been authenticated to the AP, asking for permission to join the BSS. Assuming the client supports compatible parameters and is allowed to join, the AP replies with an association response frame, along with a Unique Association Identifier (AID) for that client.

A client can gracefully leave the BSS by sending a disassociation frame to the AP. The AP can also make the client leave by sending this frame.

Clients that want to leave one BSS for another, while staying on the same SSID, can send a reassociation request to the new AP. The client is trying to reassociate with the SSID, not the AP. The new AP will respond with a reassociation response frame.


The action frame provides a way to communicate an extended management action to be taken. One example of this is 802.11k where a wireless client can ask for radio measurement information from other devices by sending an action frame. It can also ask for a report of neighboring APs to make roaming more efficient. The 802.11v amendment uses action frames to allow network-assisted client power savings. There is also 802.11y where the AP can announce an impending channel change or channel width change to its associated clients.

Control Frames

The control frames are used to gain control of and help deliver data over a channel. They don’t contain any payload, just frame header information. There are nine types available, four of them described below:

ACK – Short frame sent to acknowledge a unicast frame has been received.

Block ACK – Short frame sent to acknowledge a burst of frames sent as a single block of data has been received.

Power Save Poll (PS-Poll) – Frame sent by a client to an AP to request the next frame that was buffered while the client’s radio was powered down.

RTS/CTS – These are used to reserve the channel. Contain a Duration value that reserves the channel airtime for the frame they are protecting. Also used to avoid collisions for clients not in proximity of each other. If they can’t hear each other, they also can’t hear the Duration values or detect a carrier to know when to stop transmitting. If the client can hear the AP sending CTS/RTS frames, it can stop transmitting.

CTS/RTS are not needed for hidden nodes or 5 GHz speaking nodes such as 802.11a, n and ac because they use OFDM and can understand the same frame header information. They are however used to reserve channel space. Remember that bandwidth can change on frame by frame basis and some frames may require 20 MHz and some others, 40 or 80 MHz. RTS and CTS frames are duplicated and sent on each secondary channel that makes up the appropriate bandwidth to signal that those channels are needed and are free to be used for a frame.

Data Frames

Data is sent to and from clients in data frames. They contain up to four addresses in the frame.

Client Housekeeping

The client and AP must use the same Modulation and Coding Scheme (MCS) to successfully communicate. The MCS can dynamically change if needed, if both parties agree. The MCS directly affects the data rate. The set of data rates the AP supports can be set in three different modes:

Disabled – The AP will not use this rate for any client communication.

Supported – The AP can use this rate if the client supports it; the client is not required to support it.

Mandatory – The AP can use this rate and expects every client to support it. Also known as BSS basic rate.

At least one data rate must be mandatory to provide a common rate that can be used for management and control frames. Broadcast management frames are always sent on the lowest mandatory rate. The idea being that a lower data rate will have a better SNR and greater signal range to manage client devices within the BSS.

Normal data frames and unicast management frames are sent at the most optimal rate supported between the client and the AP. Ack frames are sent at the first mandatory rate that is below the current optimal data rate.

The mandatory and supported data rates are advertised in each beacon frame by the APs. 802.11b/g/n radios consider 1-, 2-, 5.5-, and 11 Mbit/s data rates to be mandatory by default. For 802.11a/n/ac radios, 6-, 12- and 24 Mbit/s data rates are considered mandatory by default.

Before a wireless client can join a BSS, it must be able to support the AP's list of advertised data rates. The device can advertise its own set of mandatory and supported rates in an association request frame. The AP compares the client’s list to its own and if the client supports all of the mandatory rates of the AP, the client can take the next step to be associated with the AP.

Below are some scenarios describing how a wireless client and a BSS interact using management frames.

A Client Scans for APs

Wireless devices scan to look for live APs before joining a BSS. They also build a list of available SSIDs.

Passive scan – The device listens to beacon frames broadcasted from nearby APs. The drawbacks of passive scanning are that the device has to wait for the beacon, which may be too time consuming and that the beacon might not contain specific SSID names.

Active scan – The device sends a probe request to APs within range, asking them to identify themselves. Request may be for a specific SSID or not. APs respond with unicast probe response frame.

A Client Joins a BSS

  1. Send authentication request to the AP's BSSID address
  2. If the AP accepts the client’s identity, it replies with authentication response frame
  3. Client asks for BSS membership by sending association request to AP. Client includes a list of its 802.11 capabilities, SSID it wants to join, list of data rates and channels it supports, and any parameters needed to secure the wireless link to the AP
  4. If the AP accepts the client’s request, reply with association response frame
  5. Response contains the AID that uniquely identifies the client as an associated client. Think of it as a membership card

A Client Leaves a BSS

After joining a BSS, a client keeps the relationship with the AP until something happens to remove it. A client may be removed if it violates a security policy, is recognized as a rogue device, stays idle for too long, and so on.

Clients can be removed by sending deauthentication or disassociation frames to the client. Disassociated clients are still authenticated and can rejoin the BSS by reassociating. If a client is deauthenticated it has to restart the whole authentication process.

A client can also gracefully remove itself from the BSS by sending a deauthentication frame.

A client can go to sleep or go out of range from the AP without sending a deauthentication frame. In that case, Cisco APs maintain the AID for five minutes by default to give the unresponsive client a chance to return to the BSS. After five minutes, the AP sends a deauthentication frame in case the client is still listening.

A Client Moves Between BSSs

If there are several APs within range, the client can only associate with one. It can only join one BSS at any given time. A client on the move can stay within the BSS or move to an adjacent one. Moving seamlessly is called roaming.

Roaming is similar to joining a BSS. The client must, however, recognize that it is nearing the cell boundary and find a potential cell to move into before completely losing the signal.

  1. Client notices signal is degrading based on conditions like RSSI and SNR and decides it needs to roam
  2. Client searches for successor BSS to move into. Broadcasts probe request frame to look for nearby APs offering the same SSID
  3. AP hears probe request and responds with probe response advertising its BSSID and SSID. Other APs may also do the same
  4. Client decides on best AP to join and sends reassociation frame to the new AP, asking for transferring of ESS membership
  5. The new AP communicates with the old AP over the wired DS network. Association is moved to the new AP. Frames destined for the client during the handoff are buffered on the old AP, then relayed to the new AP and sent to the client
  6. If the reassociation is accepted, new AP responds to the client with reassociation response frame

A Client Saves Power

Devices need to conserve power. There are methods in 802.11 to save power by putting the radio to sleep when it’s not needed.

The legacy method works by letting the client’s radio power down while the AP stores frames destined for the client. The client’s radio must periodically wake up and fetch the buffered frames from the AP.

  1. Client informs AP that it’s entering power save mode by setting the Power Management bit in the Frame Control field of the frame header
  2. Client shifts radio to very low power or “sleep” mode
  3. AP buffers unicast frames that are destined for the client
  4. Client’s radio must wake up in time to receive a beacon frame, to check for potentially buffered frames
  5. Beacon may contain Traffic Indication Map (TIM), a list of AID entries for clients that have buffered frames
  6. Client retrieves buffered frames, one by one, by sending a PS-Poll management frame to the AP
  7. AP sends the next buffered frame to the client, along with a flag indicating more buffered frames are available
  8. Steps 6 and 7 are repeated until all of the frames have been sent

Broadcast and multicast frames are not buffered by the AP for sleeping clients.

It’s possible for an AP to also buffer broadcast and multicast frames and deliver them at regular intervals. The Delivery Traffic Indication Message (DTIM) is a beacon sent at a multiple of regular beacon intervals. This DTIM period is advertised in every beacon so that clients know when to wake up for the next DTIM. At that time the DTIM is sent along with buffered broadcast and multicast frames.

The legacy mode is very AP-centric though. The AP dictates when and how often the client’s radio should wake up.

Ideally the client should have more control over its power consumption. The 802.11e amendment, certified by Wi-Fi Alliance as Wi-Fi Multimedia (WMM), introduced a new QoS mechanism as well as new and improved power save mode that is more client-centric.

There are four different categories of traffic in this amendment, in order of decreasing time-critical delivery: voice, video, best effort and background. If a client goes to sleep, the AP buffers frames in the four different queues. When the client wakes up, it sends a frame marked for one of the queues. The AP responds by sending the buffered frames in that queue in a burst.

This is known as Unscheduled Automatic Power Save Delivery (U-APSD) and must be supported both on the AP and the client. The client doesn’t have to request the frame and is free to wake up when it so desires.

  1. Client informs AP it’s entering power save mode by setting Power Management bit in the frame
  2. Client powers down radio or goes to sleep
  3. AP buffers frames for the client in the four queues
  4. Client wakes up radio
  5. Client wants to receive voice frames, so it marks a frame as voice and signals the AP that it’s awake
  6. AP sends buffered frames for the voice queue in a burst
CCNA Wireless – CCNA Wireless Notes Chapter 6