In this talk, we will explain the functioning of Wireless LANs in theory and in practice.
We will present the IEEE 802.11 standard in general and MAC protocols in particular, by discussing the functions of MAC sublayer management entity and the MAC layer frames in detail.
We will discuss the changes in the states of a WiFi client as it goes through the process of WiFi communication.
Towards the end, we will briefly talk about various vantage points (at the client side as well as in the air) that allow us to capture network traffic.
3. Wireless Networks - Adhoc vs Infrastructure Mode
● Adhoc -
○ Wireless communication happens without an
Access Point (AP)
○ Nodes talk to each other directly
● Infrastructure -
○ Wireless communication happens via an AP
○ Nodes talk to each other via AP
4. IEEE 802.11 Structure
Figure 4.11 from IEEE Std Draft 2012
● STA (Station)
○ Logical entity, singly addressable by MAC+PHY
● BSS (Basic Service Set)
○ Set of stations synchronized to communicate
● DS (Distribution System)
○ System that connects all BSSs
● SS (Station Services)
○ Set of services that enable transport of MSDUs within a BSS
5. Enterprise WLAN Design - A Cisco Deployment
https://www.cisco.com/c/en/us/td/docs/wireless/wcs/4-0/configuration/guide/wcscfg40/wcsovrv.html
[Figure: Cisco enterprise WLAN deployment - WiFi Protocol (IEEE 802.11), WiFi Clients]
What does controller do?
● Manages a large number of APs
● Load balancing
● Configurations
● Band Selection
● Channel Selection
● Band Steering
● Mobility Management
6. IEEE 802.11 Standards
● Standard: a,b,g,n,ac,ad,ah,ax etc
● Frequency Bands: 2.4 GHz vs 5 GHz
● Data rates: 1 Mbps to 7 Gbps
● Modulations: DSSS, FHSS, OFDM, MIMO-OFDM, MU-MIMO
Summary available here: https://en.wikipedia.org/wiki/IEEE_802.11
8. Functions of MLME
● MLME - MAC subLayer Management Entity
● Decides when to transmit
○ Distributed Coordination Function
○ CSMA/CA
● Scan - Discover nearby Access Points
● Associate and Authenticate
● Connection Management - Rate Control, Retry Management, Acknowledgement Handling
● Beacon Handling
● Power Management
[Figure: OSI layer stack - Application, Presentation, Session, Transport, Network, MLME|MAC, Physical; WiFi (IEEE 802.11) covers the MAC and Physical layers, with Station Management alongside the MLME]
9. WLANs - Collision Avoidance NOT Detection
● Collision detection is hard in WLANs
● Most WLAN radios - Transmitters and Receivers - are half-duplex.
● Senders and Receivers may not be in range of each other
10. IEEE 802.11 MAC Protocol Architecture
Figure 9.1 from IEEE Std Draft 2012
11. Distributed Co-ordination Function
● Fundamental Access method
● Based on Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA)
○ Sense the carrier, transmit if free
○ Carrier Sensing can be Physical or Virtual with RTS and CTS
○ Delivery success measured with Acknowledgements
● IFS (Inter-Frame Space) - Time interval between frames
○ SIFS - Short IFS
○ PIFS - PCF IFS
○ DIFS - DCF IFS
○ AIFS - Arbitration IFS (QoS)
● IFS
○ Reduces collision probability
○ Implements priority
■ Lower IFS, Higher Priority
Figure 9.3 from IEEE Std Draft 2012
13. Carrier Sensing - Physical vs Virtual
● Physical - Sense energy with PHY
● Virtual - RTS (Request-To-Send) / CTS (Clear-To-Send) / NAV (Network Allocation Vector)
Figure 9.4 from IEEE Std Draft 2012
14. Why virtual CS?
● It solves hidden node problem
[Figure: hidden nodes N1 and N2 with receiver R. Without virtual CS their transmissions collide at R; with virtual CS: 1. RTS, 2. CTS, and the hidden node keeps quiet for the NAV duration]
15. Point Co-ordination Function
● Uses a Point Co-ordinator (PC) for deciding who will transmit when
● PC runs at the Access Point
● PC uses a polling mechanism to decide whose turn it is
● Eliminates all contention: PCF has only a contention-free period
● Higher delays than DCF, but higher reliability
● Carrier Sensing is Virtual
16. Hybrid Co-ordination Function
● Implemented for QoS WLANs
● Combines DCF and PCF along with additional QoS guidelines for alternating Contention and Contention-Free Periods (CP and CFP)
● CP - Enhanced Distributed Channel Access (EDCA)
● CFP - Hybrid Coordination Function Controlled Channel Access (HCCA)
● Stations must obtain a transmission opportunity (TxOP) before they can transmit, under both EDCA and HCCA
● Traffic priorities - background, best-effort, video, and voice
● All parameters are announced in beacons and probe response frames
● Refer to Chapter 9, MAC sublayer functional description, of IEEE 802.11 for details
17. Enabling QoS with Frame Priorities and More
[Figure: QoS transmit pipeline - Data from upper layers → Priority → Access Categories → Backoff as per CW and IFS → Transmission Scheduler]
● IFS and Contention Window Sizes
● Block Acknowledgements
● TxOPs
● Direct Link Protocol (DLP)
● No ACK for time critical applications
● Piggyback data
Ref: Deyun Gao, Jianfei Cai and King Ngi Ngan, "Admission control in IEEE 802.11e wireless LANs," IEEE Network, vol. 19, no. 4, pp. 6-13, July-Aug. 2005. doi: 10.1109/MNET.2005.1470677
18. Calculating IFS and CW
● SlotTime = aCCATime + aRxTxTurnaroundTime + aAirPropagationTime + aMACProcessingDelay
○ SlotTime for 802.11a/n/ac (5 GHz) = 9 μs
○ SlotTime for 802.11g/n (2.4 GHz – HT or ERP) = 9 μs with short preamble
○ SlotTime for 802.11g/n (2.4 GHz – HT or ERP) = 20 μs with long preamble
○ SlotTime for 802.11b/g/n (2.4 GHz – DSSS) = 20 μs
● SIFSTime = aRxRFDelay + aRxPLCPDelay + aMACProcessingDelay + aRxTxTurnaroundTime
○ SIFS for 802.11b/g/n (2.4 GHz) = 10 μs
○ SIFS for 802.11a/n/ac (5 GHz) = 16 μs
● RIFS = 2 μs, DIFS = SIFS + 2 × SlotTime, PIFS = SIFS + SlotTime
19. Contd...
● EIFS (in EDCA) = SIFS + AIFS[AC] + ACK_Tx_Time
○ EIFS (in DCF) = SIFS + DIFS + ACK_Tx_Time
○ EIFS for 802.11b/g/n devices using DSSS = 364 μs
○ EIFS for 802.11g/n devices using OFDM = 160 μs
○ EIFS for 802.11a/n devices (5 GHz) = 160 μs
● AIFS[AC] = AIFSN[AC] × SlotTime + SIFSTime
○ Voice and Video = 2 slot times
○ Best Effort = 3 slot times
○ Background = 7 slot times
● Contention Window
○ BE/BK = aCWMin to aCWMax
○ VI = (aCWMin+1)/2 - 1 to aCWMin
○ VO = (aCWMin+1)/4 - 1 to (aCWMin+1)/2 - 1
● Backoff Time = Random() × aSlotTime
○ Random = pseudorandom integer in [0, CW], where aCWMin ≤ CW ≤ aCWMax
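The IFS, AIFS, contention-window and backoff formulas of slides 18 and 19 worked through in code. This is an added example, not from the slides; the aCWmin/aCWmax defaults (15/1023 for OFDM, 31/1023 for DSSS), the CW-doubling-per-retry rule and the 304 μs ACK_Tx_Time for a 1 Mbps DSSS ACK are assumptions taken from the standard's defaults rather than from the slides.

```python
import random

# Per-PHY constants: slot and SIFS from slide 18; aCWmin/aCWmax are the
# standard defaults (assumed here, not stated on the slide).
PHY = {
    "ofdm_5ghz": {"slot": 9, "sifs": 16, "cwmin": 15, "cwmax": 1023},
    "dsss_2_4ghz": {"slot": 20, "sifs": 10, "cwmin": 31, "cwmax": 1023},
}
# AIFSN per access category (slide 19): VO/VI 2, BE 3, BK 7 slot times.
AIFSN = {"VO": 2, "VI": 2, "BE": 3, "BK": 7}

def ifs_table(phy: str) -> dict:
    """PIFS = SIFS + SlotTime, DIFS = SIFS + 2 x SlotTime,
    AIFS[AC] = AIFSN[AC] x SlotTime + SIFSTime (all in microseconds)."""
    sifs, slot = PHY[phy]["sifs"], PHY[phy]["slot"]
    return {"SIFS": sifs, "PIFS": sifs + slot, "DIFS": sifs + 2 * slot,
            "AIFS": {ac: n * slot + sifs for ac, n in AIFSN.items()}}

def eifs_dcf(phy: str, ack_tx_time: int) -> int:
    """EIFS (DCF) = SIFS + DIFS + ACK_Tx_Time; ACK_Tx_Time depends on the
    lowest basic rate, so it is passed in (304 us for a 1 Mbps DSSS ACK)."""
    t = ifs_table(phy)
    return t["SIFS"] + t["DIFS"] + ack_tx_time

def cw_bounds(phy: str, ac: str) -> tuple:
    """(CWmin, CWmax) per access category, as defined on slide 19."""
    cwmin, cwmax = PHY[phy]["cwmin"], PHY[phy]["cwmax"]
    if ac in ("BE", "BK"):
        return cwmin, cwmax
    if ac == "VI":
        return (cwmin + 1) // 2 - 1, cwmin
    if ac == "VO":
        return (cwmin + 1) // 4 - 1, (cwmin + 1) // 2 - 1
    raise ValueError(f"unknown access category {ac}")

def backoff_us(phy: str, ac: str, retries: int = 0) -> tuple:
    """Backoff Time = Random() x aSlotTime with Random drawn from [0, CW].
    CW starts at the AC's CWmin and grows as 2*CW+1 on every retry (binary
    exponential backoff, assumed from the standard), capped at the AC's CWmax.
    Returns (backoff in microseconds, CW used)."""
    cwmin, cwmax = cw_bounds(phy, ac)
    cw = cwmin
    for _ in range(retries):
        cw = min(2 * cw + 1, cwmax)
    return random.randint(0, cw) * PHY[phy]["slot"], cw
```

Note that a voice frame on 5 GHz waits at most AIFS 34 μs plus a backoff drawn from a window of only 3..7 slots, while a background frame waits 79 μs plus up to 15..1023 slots, which is how EDCA realizes the "lower IFS, higher priority" rule.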
20. Fragmentation and Defragmentation
● MAC service data units (MSDUs) are partitioned into smaller units for higher reliability
● The original data unit (MSDU) is divided into smaller MPDUs (MAC Protocol Data Units); each MPDU has its own MAC header and CRC
● Each MPDU should be separately acknowledged
● Burst transmissions are allowed within an obtained TxOP
Figure 9.2 from IEEE Std Draft 2012
21. IEEE 802.11 - Introduction to WiFi Frames
Frame Types
● Management Frames - Scanning/Association/Authentication
● Control Frames - RTS/CTS/ACK/Polling
● Data Frames - QoS/Non-QoS
22. Physical Layer Headers
- RadioTap/Prism Headers - Depending upon the chipset and driver
- MAC Timestamp
- Channel Frequency
- Signal Strength
- MCS Rate
- Antenna Information
- Channel Information
[Frame layout: PHY Header | MAC Header | Frame Body | FCS]
24. Frame Control Field
● Protocol Version - Version of the 802.11 standard followed
● Type - Data, Management or Control Frame
● Subtype - Each type has multiple subtypes of frames. For example, Management frames have the subtypes Association Req/Res, Reassociation Req/Res, etc. [Type/Subtype mapping - Table 8.1 in the standard]
● To DS and From DS - Direction relative to the Distribution System
○ 0,0 => A data frame from one station to another station in the same BSS
○ 1,0 => A data frame for the DS or the Port Access Entity at the AP
○ 0,1 => A data frame from the DS, or in a Mesh network
○ 1,1 => A data frame using the 4-address MAC header. Used in Mesh networks
● More Fragments - Used in case of fragmented frames, set to 1 when more fragments follow
● Retry - Set to 1 if the frame is a retransmission
25. Frame Control Field [Contd…]
● Power Management - 1 indicates that the STA is in Power-Save Mode, 0 indicates active mode [meaning changes for adhoc and mesh networks]
● More Data - Indicates that data is buffered for a STA in power-save mode; 1 = data buffered
● Protected Frame - 1 if cryptographic encapsulation is used
● Order - 1 if strictly ordered service is used
26. Other Fields
● Duration -
○ Control Frame - Association ID
○ Network Allocation Vector
● Addresses
○ DA - Destination Address (Final Recipient)
○ SA - Source Address (Initiator)
○ TA - Transmitter Address
○ RA - Receiver Address
● Sequence Control - Used for fragmentation
● QoS Control Field - Identifies traffic category, TxOP, ACK Policy, Queue Size etc. [See Table 8.4 in IEEE Std Draft for details]
27. Capturing Network Traffic
● Tools
a. Wireshark/tshark/TCPDump etc
b. System Logs
● Collection Points
a. Client Side Capture
i. Data Path - Wireshark captures all application layer traffic
ii. Control Path - Debug Device Driver Logs, system logs, kernel logs
b. AP Side Capture
i. Example - Enabled with OpenWRT
c. In the Air - Sniffing the IEEE 802.11 frames in the air
28. In the Air Sniffing Process
- Monitor Mode
- Multiple Channel Sniffing - Round Robin
- sudo iw dev wlan0 interface add mon0 type monitor
- Single Channel Sniffing - Specify the channel
- sudo iw dev mon0 set freq 2437
- Checking if monitor mode is supported
- Hardware Support
- Driver Support
- sudo iw list - search for “monitor”
- For details refer to https://www.slideshare.net/DherytaJaisinghani/tutorial-wifi-driver-code-opening-nuts-and-bolts-of-linux-wifi-subsystem
29. Wireshark Filters
1. Management Frames - wlan.fc.type == 0
a. Probe Requests - wlan.fc.type_subtype == 0x04
b. Probe Responses - wlan.fc.type_subtype == 0x05
c. Beacons - wlan.fc.type_subtype == 0x08
2. Control Frames - wlan.fc.type == 1
a. RTS - wlan.fc.type_subtype == 0x1b
b. CTS - wlan.fc.type_subtype == 0x1c
c. ACK - wlan.fc.type_subtype == 0x1d
3. Data Frames - wlan.fc.type == 2
a. QoS Data - wlan.fc.type_subtype == 0x28
b. Non-QoS Data - wlan.fc.type_subtype == 0x20
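How the Frame Control field of slides 24 to 26 turns into the `wlan.fc.type_subtype` values used in the Wireshark filters above, as an added example that is not part of the slides. The Frame Control bit layout and the address-role table keyed on the To DS/From DS bits follow the standard; the sample byte values are constructed.

```python
# Added example (not from the slides): decode the 802.11 Frame Control field.
from dataclasses import dataclass

# Roles of Addr1..Addr3 (and Addr4) selected by the (To DS, From DS) bits (slide 26).
ADDRESS_ROLES = {
    (0, 0): ("RA=DA", "TA=SA", "BSSID"),
    (1, 0): ("RA=BSSID", "TA=SA", "DA"),
    (0, 1): ("RA=DA", "TA=BSSID", "SA"),
    (1, 1): ("RA", "TA", "DA", "SA"),  # 4-address header (mesh)
}

@dataclass
class FrameControl:
    version: int
    ftype: int
    subtype: int
    to_ds: int
    from_ds: int
    more_frag: int
    retry: int
    power_mgmt: int
    more_data: int
    protected: int
    order: int

    @property
    def type_subtype(self) -> int:
        # Wireshark's wlan.fc.type_subtype is type << 4 | subtype (0x08 beacon, 0x1b RTS).
        return (self.ftype << 4) | self.subtype

    def wireshark_filter(self) -> str:
        return f"wlan.fc.type_subtype == 0x{self.type_subtype:02x}"

    def address_roles(self) -> tuple:
        return ADDRESS_ROLES[(self.to_ds, self.from_ds)]

def parse_frame_control(raw: bytes) -> FrameControl:
    """Decode the Frame Control field from the first 2 bytes of the MAC header."""
    b0, b1 = raw[0], raw[1]  # bit 0 is the least-significant bit of each byte
    return FrameControl(
        version=b0 & 0x03, ftype=(b0 >> 2) & 0x03, subtype=(b0 >> 4) & 0x0F,
        to_ds=b1 & 1, from_ds=(b1 >> 1) & 1, more_frag=(b1 >> 2) & 1,
        retry=(b1 >> 3) & 1, power_mgmt=(b1 >> 4) & 1, more_data=(b1 >> 5) & 1,
        protected=(b1 >> 6) & 1, order=(b1 >> 7) & 1)

# Constructed sample Frame Control bytes as seen right after the PHY (radiotap) header.
SAMPLES = {"beacon": b"\x80\x00", "rts": b"\xb4\x00", "ack": b"\xd4\x00",
           "protected_qos_data_from_ap": b"\x88\x42"}
```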
31. Client Side WiFi State Machine
● Class 1 Frames
○ Control Frames - RTS/CTS/ACK/CF-End/CF-End+ACK
○ Management Frames - Probe Requests/Probe Responses/Beacons/Authentication/Deauthentication
○ Data Frames - Only allowed in IBSS/Peer Mode
● Class 2 Frames
○ Management Frames - Association Request/Association Response/Reassociation Request/Response/Disassociation
● Class 3 Frames
○ Data Frames
○ Management Frames
○ Control Frames
Details from IEEE Std Draft 2012
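The three-state client state machine that the frame classes above gate, as an added example that is not part of the slides. It models an infrastructure BSS (so data frames are class 3); the state names, the transitions on Authentication/Association/Disassociation/Deauthentication and the PS-Poll classification are taken from the standard, and the frame names are this example's own labels.

```python
# Added example (not from the slides): infrastructure-mode STA state machine
# that gates frame classes 1-3 (IEEE 802.11 Clause 10).
from enum import IntEnum

class State(IntEnum):
    UNAUTH_UNASSOC = 1  # State 1: only class 1 frames
    AUTH_UNASSOC = 2    # State 2: class 1 and 2 frames
    AUTH_ASSOC = 3      # State 3: class 1, 2 and 3 frames

# Frame class per subtype, following slide 31 (infrastructure BSS; data is class 3).
FRAME_CLASS = {
    "rts": 1, "cts": 1, "ack": 1, "cf_end": 1, "probe_req": 1, "probe_resp": 1,
    "beacon": 1, "auth": 1, "deauth": 1,
    "assoc_req": 2, "assoc_resp": 2, "reassoc_req": 2, "reassoc_resp": 2, "disassoc": 2,
    "data": 3, "qos_data": 3, "ps_poll": 3,
}

class ClientStation:
    def __init__(self):
        self.state = State.UNAUTH_UNASSOC
        self.rejected = []  # frames seen in a state that does not permit their class

    def permitted(self, frame: str) -> bool:
        return FRAME_CLASS[frame] <= int(self.state)

    def handle(self, frame: str, success: bool = True) -> State:
        """Apply a sent or received frame; returns the resulting state.
        A class 2/3 frame in too low a state is dropped (an AP would answer it
        with Deauthentication/Disassociation) and leaves the state unchanged."""
        if not self.permitted(frame):
            self.rejected.append((frame, self.state))
            return self.state
        if frame == "auth" and success and self.state == State.UNAUTH_UNASSOC:
            self.state = State.AUTH_UNASSOC
        elif frame in ("assoc_resp", "reassoc_resp") and success:
            self.state = State.AUTH_ASSOC
        elif frame == "disassoc" and self.state == State.AUTH_ASSOC:
            self.state = State.AUTH_UNASSOC
        elif frame == "deauth":  # class 1, so accepted in every state
            self.state = State.UNAUTH_UNASSOC
        return self.state
```

Because Deauthentication is a class 1 frame, it is accepted in every state and drops the station straight back to State 1, which is the transition to watch for in client-side driver or system logs when a connection is lost.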
33. Data Path vs Control Path
[Figure: Data Path (Application Programming): Data Application → System Call → Sockets → Network Protocols → Net_dev core → Driver. Control Path (Driver Programming): Network Application → nl80211 → cfg80211 → mac80211 → Driver]