Tutorial on IEEE 802.11 - MAC Protocols and Frames

In this talk, we will explain the functioning of Wireless LANs in theory and in practice.
We will present the IEEE 802.11 standard in general and MAC protocols in particular, by discussing the functions of the MAC sublayer management entity and the MAC layer frames in detail.
We will discuss the changes in the states of a WiFi client as it goes through the process of WiFi communication.
Towards the end, we will briefly talk about various vantage points (at the client side as well as in the air) that allow us to capture network traffic.

Published in: Education

  1. Tutorial - IEEE 802.11 Protocol and Frames
     Dheryta Jaisinghani
  2. Primer to General WLANs and Enterprise WLANs
  3. Wireless Networks - Adhoc vs Infrastructure Mode
     ● Adhoc
       ○ Wireless communication happens without an Access Point (AP)
       ○ Nodes talk to each other directly
     ● Infrastructure
       ○ Wireless communication happens via an AP
       ○ Nodes talk to each other via the AP
  4. IEEE 802.11 Structure (Figure 4.11 from IEEE Std Draft 2012)
     ● STA (Station)
       ○ Logical entity, singly addressable by MAC+PHY
     ● BSS (Basic Service Set)
       ○ Set of stations synchronized to communicate
     ● DS (Distribution System)
       ○ System that connects all BSSs
     ● SS (Station Services)
       ○ Set of services that enable transport of MSDUs within a BSS
  5. Enterprise WLAN Design - A Cisco Deployment
     https://www.cisco.com/c/en/us/td/docs/wireless/wcs/4-0/configuration/guide/wcscfg40/wcsovrv.html
     [Figure labels: WiFi Protocol - IEEE 802.11; WiFi Clients]
     What does the controller do?
     ● Manages a lot of APs
     ● Load balancing
     ● Configurations
     ● Band Selection
     ● Channel Selection
     ● Band Steering
     ● Mobility Management
  6. IEEE 802.11 Standards
     ● Standards: a, b, g, n, ac, ad, ah, ax, etc.
     ● Frequency Bands: 2.4 GHz vs 5 GHz
     ● Data rates: 1 Mbps to 7 Gbps
     ● Modulations: DSSS, FHSS, OFDM, MIMO-OFDM, MU-MIMO
     Summary available here: https://en.wikipedia.org/wiki/IEEE_802.11
  7. MAC Sublayer Management Entity
  8. Functions of MLME
     ● MLME - MAC subLayer Management Entity
     ● Decide when to transmit
       ○ Distributed Coordination Function
       ○ CSMA/CA
     ● Scan - Discover nearby Access Points
     ● Associate and Authenticate
     ● Connection Management - Rate Control, Retry Management, Acknowledgement Handling
     ● Beacon Handling
     ● Power Management
     [Figure: layer stack - Application, Presentation, Session, Transport, Network, MLME|MAC, Physical; WiFi - IEEE 802.11 Station Management]
  9. WLANs - Collision Avoidance NOT Detection
     ● Collision detection is hard in WLANs
     ● Most WLAN radios - Transmitters and Receivers - are half-duplex
     ● Senders and Receivers may not be in range of each other
  10. IEEE 802.11 MAC Protocol Architecture (Figure 9.1 from IEEE Std Draft 2012)
  11. Distributed Co-ordination Function (Figure 9.3 from IEEE Std Draft 2012)
      ● Fundamental access method
      ● Based on Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA)
        ○ Sense the carrier, transmit if free
        ○ Carrier Sensing can be Physical or Virtual with RTS and CTS
        ○ Delivery success measured with Acknowledgements
      ● IFS (Inter-Frame Space) - Time interval between frames
        ○ SIFS - Short IFS
        ○ PIFS - PCF IFS
        ○ DIFS - DCF IFS
        ○ AIFS - Arbitration IFS (QoS)
      ● IFS
        ○ Reduces collision probability
        ○ Implements priority
          ■ Lower IFS, Higher Priority
  12. Frame transmission (Ref: 802.11 Arbitration CWNP white paper)
  13. Carrier Sensing - Physical vs Virtual (Figure 9.4 from IEEE Std Draft 2012)
      ● Physical - Sense energy with PHY
      ● Virtual - RTS (Request-To-Send)/CTS (Clear-To-Send)/NAV (Network-Allocation-Vector)
  14. Why virtual CS?
      ● It solves the hidden node problem
      [Figure: Hidden Nodes - N1, N2, R; Collisions; 1. RTS, 2. CTS, Keeps Quiet for NAV]
  15. Point Co-ordination Function
      ● Uses a Point Co-ordinator (PC) for deciding who will transmit when
      ● PC runs at the Access Point
      ● PC uses a polling mechanism to decide the turn
      ● Eliminates all contention, PCF has only contention-free period
      ● Has higher delays than DCF with higher reliability
      ● Carrier Sensing is Virtual
  16. Hybrid Co-ordination Function
      ● Implemented for QoS WLANs
      ● Combines DCF and PCF along with additional QoS guidelines for alternating Collision and Collision-Free Periods (CP and CFPs)
      ● CP - Enhanced Distributed Channel Access (EDCA)
      ● CFP - Hybrid Coordination Function Controlled Channel Access (HCCA)
      ● Stations should obtain a transmission opportunity (TxOP) before they can transmit, for both EDCA and HCCA
      ● Traffic priorities - background, best-effort, video, and voice
      ● All parameters are announced in beacons and probe response frames
      ● Refer to Chapter 9, MAC sublayer functional description, of IEEE 802.11 for details
  17. Enabling QoS with Frame Priorities and More
      [Figure: Data from upper layers, Priority Access Categories, Backoff as per CW and IFS, Transmission Scheduler]
      ● IFS and Contention Window Sizes
      ● Block Acknowledgements
      ● TxOPs
      ● Direct Link Protocol (DLP)
      ● No ACK for time critical applications
      ● Piggyback data
      Ref: Deyun Gao, Jianfei Cai and King Ngi Ngan, "Admission control in IEEE 802.11e wireless LANs," in IEEE Network, vol. 19, no. 4, pp. 6-13, July-Aug. 2005. doi: 10.1109/MNET.2005.1470677
  18. Calculating IFS and CW
      ● SlotTime = aCCATime + aRxTxTurnaroundTime + aAirPropagationTime + aMACProcessingDelay
        ○ SlotTime for 802.11a/n/ac (5 GHz) = 9 μs
        ○ SlotTime for 802.11g/n (2.4 GHz – HT or ERP) = 9 μs with short preamble
        ○ SlotTime for 802.11g/n (2.4 GHz – HT or ERP) = 20 μs with long preamble
        ○ SlotTime for 802.11b/g/n (2.4 GHz – DSSS) = 20 μs
      ● SIFSTime = aRxRFDelay + aRxPLCPDelay + aMACProcessingDelay + aRxTxTurnaroundTime
        ○ SIFS for 802.11b/g/n (2.4 GHz) = 10 μs
        ○ SIFS for 802.11a/n/ac (5 GHz) = 16 μs
      ● RIFS = 2 μs, DIFS = SIFS + 2 × SlotTime, PIFS = SIFS + SlotTime
  19. Contd...
      ● EIFS (in EDCA) = SIFS + AIFS[AC] + ACK_Tx_Time
        ○ EIFS (in DCF) = SIFS + DIFS + ACK_Tx_Time
        ○ EIFS 802.11b/g/n devices using DSSS = 364 μs
        ○ EIFS 802.11g/n devices using OFDM = 160 μs
        ○ EIFS 802.11a/n devices (5 GHz) = 160 μs
      ● AIFS[AC] = AIFSN[AC] × SlotTime + SIFSTime
        ○ Voice and Video = 2 slot times
        ○ Best Effort = 3 slot times
        ○ Background = 7 slot times
      ● Contention Window
        ○ BE/BK = aCWMin to aCWMax
        ○ VI = (aCWMin+1)/2 - 1 to aCWMin
        ○ VO = (aCWMin+1)/4 - 1 to (aCWMin+1)/2 - 1
      ● Backoff Time = Random() × aSlotTime
        ○ [Random = pseudorandom number in [0, CW], aCWMin <= CW <= aCWMax]
  20. Fragmentation and Defragmentation (Figure 9.2 from IEEE Std Draft 2012)
      ● MAC sublayer data units (MSDUs) are partitioned into smaller units for higher reliability
      ● Original Data Unit - MSDU is divided into smaller MPDUs (MAC Protocol Data Units); each MPDU has its own MAC header and CRC
      ● Each MPDU should be separately acknowledged
      ● Burst transmissions allowed in an obtained TxOP
  21. IEEE 802.11 - Introduction to WiFi Frames
      Frame Types
      ● Management Frames - Scanning/Association/Authentication
      ● Control Frames - RTS/CTS/ACK/Polling
      ● Data Frames - QoS/Non-QoS
  22. Physical Layer Headers
      - RadioTap/Prism Headers
      - Depending upon the chipset and driver
      - MAC Timestamp
      - Channel Frequency
      - Signal Strength
      - MCS Rate
      - Antenna Information
      - Channel Information
      Frame layout: PHY Header | MAC Header | Frame Body | FCS
  23. Frame Structure (Figure 8.1 and Figure 8.2 from IEEE Std Draft 2012)
  24. Frame Control Field
      ● Protocol Version - Version of the 802.11 standard followed
      ● Type - Data, Management or Control Frame
      ● Subtype - Each type has multiple subtypes. For example, Type Management frames have Subtypes Association Req/Res, Reassociation Req/Res [Type Subtype Mapping - Table 8.1 in the standard]
      ● To DS and From DS - Direction from Distribution System
        ○ 0,0 => A data frame from one station to another station in the same BSS
        ○ 1,0 => A data frame for DS or Port Access Entity at the AP
        ○ 0,1 => A data frame from DS or in Mesh network
        ○ 1,1 => A data frame using 4-address MAC header. Used in Mesh network
      ● More Fragments - Used in case of fragmented frames, set to 1 when more fragments are present
      ● Retry - Set to 1 if the frame is sent again
  25. Frame Control Field [Contd…]
      ● Power Management - 1 indicates that STA is in Power-Save Mode, 0 indicates active mode [Meaning changes for adhoc and mesh networks]
      ● More Data - Indicates that data is buffered for a STA in power-save mode, 1 - Data buffered
      ● Protected Frame - 1 if cryptographic encapsulation is used
      ● Order - 1 if strictly ordered service is used
  26. Other Fields
      ● Duration
        ○ Control Frame - Association ID
        ○ Network Allocation Vector
      ● Addresses
        ○ DA - Destination Address (Final Recipient)
        ○ SA - Source Address (Initiator)
        ○ TA - Transmitter Address
        ○ RA - Receiver Address
      ● Sequence Control - Used for fragmentation
      ● QoS Control Field - Identifies traffic category, TxOP, ACK Policy, Queue Size etc. [See Table 8.4 in IEEE Std Draft for details]
  27. Capturing Network Traffic
      ● Tools
        a. Wireshark/tshark/TCPDump etc.
        b. System Logs
      ● Collection Points
        a. Client Side Capture
           i. Data Path - Wireshark captures all application layer traffic
           ii. Control Path - Debug Device Driver Logs, system logs, kernel logs
        b. AP Side Capture
           i. Example - Enabled with OpenWRT
        c. In the Air - Sniffing the IEEE 802.11 frames in the air
  28. In the Air Sniffing Process
      - Monitor Mode
      - Multiple Channel Sniffing - Round Robin
        - sudo iw dev wlan0 interface add mon0 type monitor
      - Single Channel Sniffing - Specify the channel
        - sudo iw dev mon0 set freq 2437
      - Checking if monitor mode is supported
        - Hardware Support
        - Driver Support
        - sudo iw list - search for “monitor”
      - For Details Refer - https://www.slideshare.net/DherytaJaisinghani/tutorial-wifi-driver-code-opening-nuts-and-bolts-of-linux-wifi-subsystem
  29. Wireshark Filters
      1. Management Frames - wlan.fc.type == 0
         a. Probe Requests - wlan.fc.type_subtype == 0x04
         b. Probe Responses - wlan.fc.type_subtype == 0x05
         c. Beacons - wlan.fc.type_subtype == 0x08
      2. Control Frames - wlan.fc.type == 1
         a. RTS - wlan.fc.type_subtype == 0x1b
         b. CTS - wlan.fc.type_subtype == 0x1c
         c. ACK - wlan.fc.type_subtype == 0x1d
      3. Data Frames - wlan.fc.type == 2
         a. QoS Data - wlan.fc.type_subtype == 0x28
         b. Non-QoS Data - wlan.fc.type_subtype == 0x20
  30. Client-side State Machine and MAC Implementation
  31. Client Side WiFi State Machine (Details from IEEE Std Draft 2012)
      ● Class 1 Frames
        ○ Control Frames - RTS/CTS/ACK/CF-End/CF-End+ACK
        ○ Management Frames - Probe Requests/Probe Responses/Beacons/Authentication/Deauthentication
        ○ Data Frames - Only allowed in IBSS/Peer Mode
      ● Class 2 Frames
        ○ Management Frames - Association Request/Association Response/Reassociation Request/Response/Disassociation
      ● Class 3 Frames
        ○ Data Frames
        ○ Management Frames
        ○ Control Frames
  32. Linux WiFi Subsystem
  33. Data Path vs Control Path
      [Figure: Data Path - Data Application, System Call, Sockets, Network Protocols, Net_dev core, Driver; Control Path - Network Application, nl80211, cfg80211, mac80211; labels: Application Programming, Driver Programming]
  34. Backports Code Structure
      ● Layers: nl80211, cfg80211, mac80211, ath9k
      ● net/wireless/handlers/wireless/nl80211.c (struct genl_ops nl80211_ops)
      ● net/wireless (Configurations) - struct cfg80211_ops
      ● /net/mac80211 (Rate Control, MLME - Authenticate, Reassociate, Deauthenticate, Associate, Disassociate, Beacon, Probe, PM, Scan, Retries, ACK Handling, etc.) - struct ieee80211_ops
      ● drivers/net/wireless/ath/ath9k (Transmit and Receive)
  35. Contact Me
      ● Webpage: www.dheryta.co.in
      ● Email: dherytaj@iiitd.ac.in
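
The IFS and contention-window formulas from slides 18 and 19, carried through for two PHYs. This is an added example, not part of the original slides. It assumes the usual aCWmin/aCWmax defaults (15/1023 for OFDM, 31/1023 for DSSS), which the slides do not list, and that CW sits at its minimum on a first attempt; the function names are hypothetical.

```python
# SlotTime and SIFS (microseconds) are the values on the slides. aCWmin/aCWmax
# are the usual per-PHY defaults and are an assumption; the slides do not list them.
PHYS = {
    "5GHz-OFDM": {"slot": 9, "sifs": 16, "cwmin": 15, "cwmax": 1023},
    "2.4GHz-DSSS": {"slot": 20, "sifs": 10, "cwmin": 31, "cwmax": 1023},
}
AIFSN = {"VO": 2, "VI": 2, "BE": 3, "BK": 7}  # slot counts from the slides

def cw_range(ac, cwmin, cwmax):
    """Contention window (min, max) per access category."""
    if ac == "VO":
        return (cwmin + 1) // 4 - 1, (cwmin + 1) // 2 - 1
    if ac == "VI":
        return (cwmin + 1) // 2 - 1, cwmin
    return cwmin, cwmax  # BE and BK

def timings(phy):
    """PIFS, DIFS and per-category AIFS, CW and first-attempt wait window."""
    p = PHYS[phy]
    slot, sifs = p["slot"], p["sifs"]
    result = {"PIFS": sifs + slot, "DIFS": sifs + 2 * slot, "AC": {}}
    for ac, n in AIFSN.items():
        lo, hi = cw_range(ac, p["cwmin"], p["cwmax"])
        aifs = n * slot + sifs
        # First attempt (assumed): backoff is Random[0, CW] slots with CW at its minimum
        result["AC"][ac] = {"AIFS": aifs, "CW": (lo, hi),
                            "first_try_wait": (aifs, aifs + lo * slot)}
    return result

if __name__ == "__main__":
    for phy in PHYS:
        t = timings(phy)
        print(phy, "PIFS", t["PIFS"], "DIFS", t["DIFS"])
        for ac, v in t["AC"].items():
            print("  ", ac, v)
```

With the 5 GHz values, voice waits 34 to 61 μs on a first attempt and best effort waits 43 to 178 μs, so the windows overlap and the priority is statistical rather than strict.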
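
The Frame Control field from slides 24 and 25, decoded in Python, with the combined value that the wlan.fc.type_subtype filters on slide 29 match. This is an added example, not part of the original slides. The function name parse_frame_control is hypothetical, the sample bytes are constructed, and the bit positions (version in bits 0-1, type in bits 2-3, subtype in bits 4-7, flags in bits 8-15) are taken from the standard's field layout rather than from the slide text.

```python
import struct

FRAME_TYPES = {0: "Management", 1: "Control", 2: "Data"}
# type_subtype values as listed on the Wireshark Filters slide
NAMES = {0x04: "Probe Request", 0x05: "Probe Response", 0x08: "Beacon",
         0x1b: "RTS", 0x1c: "CTS", 0x1d: "ACK",
         0x20: "Data", 0x28: "QoS Data"}
# Flags occupy bits 8..15 of the 16-bit field, in this order
FLAGS = ["to_ds", "from_ds", "more_fragments", "retry",
         "power_mgmt", "more_data", "protected", "order"]
# (To DS, From DS) meanings for data frames, as given on the slide
DS_MEANING = {(0, 0): "station to station in the same BSS",
              (1, 0): "to DS or Port Access Entity at the AP",
              (0, 1): "from DS or in mesh network",
              (1, 1): "4-address MAC header (mesh)"}

def parse_frame_control(mac_header: bytes) -> dict:
    """Decode the first two bytes of an 802.11 MAC header."""
    if len(mac_header) < 2:
        raise ValueError("need at least 2 bytes for Frame Control")
    (fc,) = struct.unpack_from("<H", mac_header)  # sent low byte first
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    type_subtype = (ftype << 4) | subtype  # what wlan.fc.type_subtype matches
    out = {"version": fc & 0x3,
           "type": FRAME_TYPES.get(ftype, "Reserved"),
           "subtype": subtype,
           "type_subtype": type_subtype,
           "name": NAMES.get(type_subtype, "other")}
    for bit, flag in enumerate(FLAGS, start=8):
        out[flag] = (fc >> bit) & 1
    # The To DS / From DS table on the slide describes data frames only
    out["direction"] = (DS_MEANING[(out["to_ds"], out["from_ds"])]
                        if ftype == 2 else None)
    return out

# Constructed Frame Control bytes (not captured traffic)
SAMPLES = {"beacon": bytes.fromhex("8000"),
           "rts": bytes.fromhex("b400"),
           "qos_data_to_ap": bytes.fromhex("8849")}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, parse_frame_control(raw))
```

In a monitor-mode capture these two bytes follow the RadioTap/Prism header, so the header length has to be skipped before calling the function.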
