Wireless Media Access - Learning Guide
You also need to learn the technologies that the creators of Wi-Fi protocols chose to help prevent the problems of
sharing a common media, and interference. When troubleshooting a WLAN, you can use a packet analyzer to
observe the communication between devices. The following describes tools for understanding the types of frames
that are encountered, their role, and their speed. With this information, you can quickly detect errors in a portion of
a dialog.
Wi-Fi client devices are half duplex. They can send and receive, but they cannot do both at the same time. Client
adapters and APs are also half duplex. Only one device can transmit at a time on a channel in a given area. If two
frames are sent at the same time, a collision occurs and both frames must be discarded. Therefore, each device
must send in turn.
No central device decides which frame is transmitted first. The most commonly used Wi-Fi media access method is
DCF. With DCF, the coordination is distributed, allowing each device to take care of itself. In an alternate method,
an AP can perform the coordination. This method is called PCF; it is mentioned in the IEEE 802.11 protocol but has
not been implemented.
In DCF, when a station is ready to send a frame, the station must wait before sending the frame. Each transmitting
station picks a random number from a range. The idea is to stop stations from trying to transmit at the same time.
The priority of the frame can determine the range: a voice frame, for example, has a higher priority and thus picks
from a smaller range.
To avoid collisions, the devices in the cell use Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA)
as opposed to the IEEE 802.3 Ethernet method CSMA/CD. When a device needs to send a data frame, it first waits
a DIFS time (mandatory silence time) after the medium becomes clear. Next, the station picks a random number
(for example, between 0 and 15). The device then counts down from this number. The speed at which the
countdown occurs depends on the network type; this speed rhythm is called the slot time. The total number of
microseconds in the selected countdown value is called the backoff timer.
While counting down, the station listens to the media. When the station hears Wi-Fi traffic, it adjusts its countdown
timer for the expected duration of this traffic. Every station announces how long it is going to talk and tries to
reserve the medium for enough time for the receiving station to be able to acknowledge the transmission. The
diagram shows the NAV, which represents a countdown timer. In this simple model, as the station hears someone
announce that it is transmitting for 24 slot times, it simply adds 24 to the countdown timer setting. The station then
continues counting from the new total.
Some explanations refer to the countdown timer as the NAV, others regard the NAV as a separate timer
for which you pause the countdown timer. It does not actually matter. Whether you pause a separate
counter for a NAV time of 24 slots, or add 24 to a slot timer you refer to as the NAV, it has the same effect.
When the counter reaches zero, the station sends its frame if the media is free. Wi-Fi devices have two ways to
determine whether the media is free:
• The first method is logical and is based on the NAV. This method recalculates the time to wait, based on the
signal of the other station. This method allows the station to avoid being ready to send when another device
occupies the medium.
• The second method is physical. When a station is ready to send, it listens to the media to verify that nothing
else is sending. This method is called CCA. If the media is free, then the station transmits.
If the transmission fails, then the device picks a new random number. DCF uses a contention window to control
the size of the random backoff. Two parameters define the contention window:
• aCWmin
• aCWmax
The random number that is used in the random backoff is initially a number between 0 and aCWmin. If the initial
random backoff expires without successfully sending the frame, then the station or AP increments the retry counter
and doubles the value of the random backoff window size. This doubling in size continues until the size equals
aCWmax.
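The backoff procedure described above, as an added example that is not part of the original guide. The values aCWmin = 15, aCWmax = 1023 and a 9-microsecond slot time are assumptions for illustration, and the slot-based model is a simplification (DIFS and frame airtime are not modeled).

```python
import random


def contention_window(retries, cw_min=15, cw_max=1023):
    """Upper bound of the random backoff range after `retries` failed attempts.

    The window size (cw + 1 slots) doubles on every retry until it reaches aCWmax.
    """
    size = (cw_min + 1) << retries
    return min(size - 1, cw_max)


def backoff_timer_us(slots, slot_time_us=9):
    """Backoff timer in microseconds for a countdown of `slots` slot times."""
    return slots * slot_time_us


def simulate(n_stations, seed=1, cw_min=15, cw_max=1023):
    """Let every station deliver one frame on a shared channel.

    Stations count down together. A lone station reaching zero transmits; the
    others keep their remaining count (their countdown is paused for the
    duration of the transmission, which is the effect of the NAV). Stations
    reaching zero in the same slot collide, widen their window and redraw.
    """
    rng = random.Random(seed)
    retries = [0] * n_stations
    counters = [rng.randint(0, contention_window(0, cw_min, cw_max))
                for _ in range(n_stations)]
    pending = set(range(n_stations))
    order, collisions, idle_slots = [], 0, 0
    while pending:
        step = min(counters[s] for s in pending)
        idle_slots += step
        for s in pending:
            counters[s] -= step
        ready = [s for s in sorted(pending) if counters[s] == 0]
        if len(ready) == 1:
            order.append(ready[0])
            pending.remove(ready[0])
        else:
            collisions += 1
            for s in ready:
                retries[s] += 1
                cw = contention_window(retries[s], cw_min, cw_max)
                counters[s] = rng.randint(0, cw)
    return {"order": order, "collisions": collisions,
            "idle_slots": idle_slots, "retries": retries}


if __name__ == "__main__":
    for r in range(8):
        print(f"retry {r}: backoff drawn from 0..{contention_window(r)} slots")
    print(simulate(5, seed=7))
```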
Wi-Fi devices cannot send and receive at the same time. While sending, the station does not know if another
machine is sending at the same time, so there is no way to know if the message reached the recipient in good
condition. Wi-Fi networks rely on a system of acknowledgments that confirm that the frame was received; for each
unicast frame that is sent, the recipient returns an acknowledgment, usually an acknowledgment (ACK) frame.
To DS  From DS  Address 1  Address 2  Address 3  Address 4
0      1        RA/DA      TA/BSSID   SA         NA
1      0        RA/BSSID   TA/SA      DA         NA
1      1        RA         TA         DA         SA
802.11 frames have two parts: a PHY (Layer 1) header and a data link (Layer 2 or MAC) header. The physical
header depends on the technology that the frame uses (802.11, a/b/g/n/ac). The MAC header may have different
optional fields, depending on the technology that you use (quality of service [QoS] or no QoS, encryption or not,
and so on). However, all 802.11 frames have a structure similar to the one shown in the diagram. The 802.11
header is longer than an Ethernet header. It starts with a PHY preamble and physical header (Layer 1), followed by
these parts (Layer 2):
• The Frame Control field (2 B long [16 b])
• A Duration field, expressing how long the medium is reserved (2 B long [16 b])
• Three of the four possible MAC addresses (18 B total)
• A Sequence Control field (2 B long [16 b])
• An optional fourth MAC address (6 B [48 b])
• The frame body (2304 B or octets)
• A 4-B (32-b) FCS
The Sequence Control field has an incremental counter, which is incremented for every frame, and is used to show
whether the frame is a fragment or a complete frame.
The Frame Control field helps define the purpose of the frame and where it is sent. The first subfield contains
information about the protocol version. The second subfield contains information about the type (2 bits) and
indicates whether the frame type is data, control, or management. The final subfield contains information about the
subtype (4 bits).
The next part of the Frame Control field is 2 bits and indicates whether the frame is coming from or going toward
the DS (Ethernet side of the AP).
• If the frame is between the AP and client, both To DS and From DS are set to 0.
• If the frame is destined for the DS, To DS is set to 1, and From DS is set to 0.
• If the frame is coming from the DS, To DS is set to 0, and From DS is set to 1.
• If the frame is transitioning between two BSSIDs (for example, in a repeater or bridge context), both To DS and
From DS are set to 1.
Several MAC addresses appear in the frame because the transmission is likely to occur in infrastructure mode,
in which the AP is the relay between the sender and the receiver (maybe one on Ethernet, and one on wireless).
You may be surprised to see that more addresses appear in wireless than in Ethernet. The reason is that wireless
must manage a source and destination address pair (just like Ethernet), plus a transmitter and receiver address,
plus a BSSID (the AP to which you belong) address. It is not always the case that the source is the transmitter,
and the destination is the receiver.
Now consider the response coming back from the server on Ethernet to the wireless client:
• Source: Server MAC address
• Destination: Wireless client MAC address
• Transmitter: AP MAC address
• Receiver: Wireless client MAC address
• BSSID: AP MAC address
As you can see, addresses can vary depending on the direction of traffic. Depending on where the frame is
captured and in which context, one to four addresses are used.
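A header decoder for the Frame Control and address fields described above, as an added example that is not part of the original guide. The sample frame and its MAC addresses are constructed, and the 0/0 row of the address map comes from the 802.11 standard rather than from the table on this page.

```python
import struct

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}

# (To DS, From DS) -> meaning of Address 1..4. The 0/0 row is taken from the
# 802.11 standard; the other three rows match the address table on this page.
ADDRESS_ROLES = {
    (0, 0): ("RA/DA", "TA/SA", "BSSID", None),
    (0, 1): ("RA/DA", "TA/BSSID", "SA", None),
    (1, 0): ("RA/BSSID", "TA/SA", "DA", None),
    (1, 1): ("RA", "TA", "DA", "SA"),
}


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_mac_header(frame):
    """Decode the MAC header of a management or data frame.

    `frame` must start at the Frame Control field (no PHY or capture header).
    """
    if len(frame) < 24:
        raise ValueError("truncated header: need at least 24 bytes")
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype = (fc >> 2) & 0x3
    if ftype not in (0, 2):
        raise ValueError("only management and data frames use this header")
    to_ds, from_ds = (fc >> 8) & 1, (fc >> 9) & 1
    (seq_ctl,) = struct.unpack_from("<H", frame, 22)
    raw = [frame[4:10], frame[10:16], frame[16:22]]
    if to_ds and from_ds:
        if len(frame) < 30:
            raise ValueError("truncated header: Address 4 missing")
        raw.append(frame[24:30])
    roles = {}
    for label, addr in zip(ADDRESS_ROLES[(to_ds, from_ds)], raw):
        for role in label.split("/"):
            roles[role] = fmt_mac(addr)
    return {
        "version": fc & 0x3,
        "type": FRAME_TYPES[ftype],
        "subtype": (fc >> 4) & 0xF,
        "to_ds": to_ds,
        "from_ds": from_ds,
        "duration": duration,
        "fragment": seq_ctl & 0xF,   # low 4 bits of Sequence Control
        "sequence": seq_ctl >> 4,    # upper 12 bits: per-frame counter
        "roles": roles,
    }


# Constructed sample: the server's reply relayed by the AP to the wireless
# client (data frame, To DS = 0, From DS = 1). Addresses are made up.
CLIENT = bytes.fromhex("020000000001")
AP = bytes.fromhex("020000000002")
SERVER = bytes.fromhex("020000000003")
SAMPLE = (struct.pack("<HH", 0x0208, 44) + CLIENT + AP + SERVER
          + struct.pack("<H", 100 << 4))

if __name__ == "__main__":
    for key, value in parse_mac_header(SAMPLE).items():
        print(key, value)
```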
transmission. ACKs only have to wait an SIFS before they can be sent. The SIFS timer is shorter than the DIFS
timer, which ensures that ACKs always wait a shorter amount of time than any other frame. Therefore, a station
wanting to send an ACK always gets in first.
This frame space process is also included in the NAV timer algorithm. When a station transmits, it announces how
long the frame will take in its physical header. The duration field value of the frame includes the amount of time the
transmitting station is requesting that all other stations wait after the end of the transmission. This time will be set to
SIFS(time) + ACK(time).
When a receiver receives the frame, it waits an SIFS, and sends back the ACK to indicate the end of the
transaction (the ACK frame duration will be set to zero).
When the medium is freed, any other station that wants to send waits a DIFS as normal, then counts down its timer.
When the backoff timer reaches zero, it can transmit.
Frame Types
Management frames:
• Beacon, probe request, and probe response
• Authentication request and authentication response
• Association request and association response
• Deauthentication, reassociation request, and reassociation response
Control frames:
• RTS, CTS, and ACK
• PS-Poll
Data frames:
• Simple data
• Null function (empty frame)
These types of frames have the same header form but with different indicators. The main difference is in the body
of each frame. The frame might contain specific information, such as the allowed speeds in a beacon frame, which
is a management frame type. Or the frame might contain nothing, as is the case in an ACK frame. In this case, the
body is empty, and all the information that is needed is in the header.
Before sending a signal, each station tries to determine the optimal data rate. This data rate depends on the RSSI
and loss rate, or SNR. The SNR can be determined from packets that were previously exchanged with the
recipient.
The protocol must also ensure that the other stations understand what is happening. These stations might be too
far away to understand the speed that some of the senders use. To make the problem even more complex, the
sender and receiver might see each other differently and decide to use a different speed to transmit.
To help organize the different data rates, the AP (in infrastructure mode) sends the supported rates in its beacons.
Rates can be mandatory, supported, or disabled.
To connect to this AP, a station must be able to send frames at 9 and 24 Mbps.
The AP always sends its management frames at the lowest mandatory data rate (9 Mbps), which becomes the
lowest common data rate (arrow 1 in the figure).
To send a data frame, a client chooses the best data rate, depending on how it sees the recipient (arrow 2 in the
figure).
The recipient acknowledges using the mandatory data rate that is at or below the data rate that the sender used.
For example, if the frame was sent at 48 Mbps, then the first mandatory data rate that is lower would be 24 Mbps
(arrow 2). If the frame was sent at 12 Mbps, then the ACK would come back at 9 Mbps.
The situation is more complex for the unicast frame itself. Part of it, typically the physical header, is always sent at
the lowest possible supported data rate, even if that rate is disabled (in this example, 6 Mbps) to make sure that all
stations in the cell hear the physical header. This physical header announces the size, speed, and format of the
following Layer 2 information. The Layer 2 frame is sent at the optimal data rate, which is selected by the
transmitter (usually the best or fastest possible). Depending on the protocol that is used (802.11b/g/n or 802.11a/n/
ac), this rule varies slightly, but the general principle remains valid (arrow 2).
All of this communication occurs in the half-duplex environment. All frames must be acknowledged. If an ACK is not
received, then the sender assumes that a collision occurred and tries to resend.
Time stamp 8 8
Beacon interval 2 2
Capability information 2 2
SSID 2 to 34 2 to 34 2 to 34
Supported rates 3 to 10 2 to 10 3 to 10
DS parameter set 3 3
ERP information 3 3
• Six fields, called parameter sets—frame header, DS, control frame, IBSS, enterprise resource planning (ERP),
and external supported rates—that indicate whether the AP uses FHSS or DSSS, if it is an AP or a client in ad
hoc mode, and so on: 28 B or more
• The Traffic Indication Map (TIM), which is used to tell whether the AP has traffic that is buffered for some
stations in power-save mode: 7 to 256 B
Probes
When a client station hears a beacon, it should have enough information to know whether it can connect to the AP
and should then display to the user a screen that acknowledges that a connection is possible. Upon startup, a Wi-Fi
client can listen to each channel, one after the other, to detect these beacons. This process is called passive
scanning. The Wi-Fi client can also actively send discovery messages to locate a specific SSID or to discover all
the APs on each channel. This proactive behavior is called active scanning. Some vendors consider active
scanning to be more efficient than passive scanning because the client gathers the information faster than if it waits
on each channel long enough to gather all the possible beacons.
The client sends a discovery message, called a probe request, which contains these information elements:
• The SSID that the client is looking for (2 to 34 B): This SSID field is sometimes left empty (set to null value) to
scan for any SSID.
• The rates that the client supports, usually all the IEEE 802.11a/b/g/n/ac rates (3 to 260 B)
If the SSID name is specifically mentioned in the request, then the AP answers only if it has the relevant SSID. If
null is mentioned instead, then the AP should answer with the SSIDs that it has.
The answer is called a probe response, and it is similar to the beacon in that it contains all that a client needs to
know to connect to the Wi-Fi network. The only differences are that probe responses do not contain the TIM and
are sent only when the AP receives a probe request (unlike the beacon, which is sent regularly).
Authentication can be password-based (such as WEP, which is obsolete) or open. With open authentication, the name
authentication is inappropriate, because no authentication takes place. This step remains from a WEP form of
authentication that was found to be insecure, and therefore is no longer used. However, you still have to go through
the process, so this simple step is almost always successful. It is effectively a simple way to ascertain that the
client has the physical ability to connect; in other words, that the client is an 802.11 Wi-Fi device that can send and
receive frames in a correct format. With open authentication, the client first sends a message that is called an
authentication request. This message contains all the fields of an authentication frame, but the algorithm number is
0, the transaction number is 1, the status code is 0 (successful), and the challenge text is not present.
Authentication (Bytes)
Status code 2
Capability information 2 2
Listen interval 2 2
SSID 2 to 34 2 to 34
Supported rates 3 to 10 3 to 10
The AP answers with an authentication response frame; in the case of open authentication, this frame contains a
zero algorithm number, has a transaction number of 2, has a status code of 0 (success), and the challenge text is
not present. This response validates that the client has the required capability to connect. A WEP password-based
shared authentication would contain a challenge phrase. WEP is deprecated, and shared authentication has been
found to be very insecure, so neither of these authentications should be used in a wireless network today.
After being authenticated, the client asks the AP to join the cell. The client sends an association request message,
which contains this information:
• The client capabilities (2 B): The Capability Information field is the same type of field as the one in the AP
beacon frame.
• A listen interval (2 B): The Listen Interval field specifies how often (in beacons) the client will listen to AP
messages if it must turn to power-save mode. In power-save mode, the client turns its radio down to save
power, then wakes up to listen and determine whether the AP has traffic for it.
• The SSID that the client is trying to join (2 to 34 B): Unlike in probe frames, the name must be mentioned.
• The rates that the client supports (3 to 257 B): The Supported Rates field provides this information.
The AP answers with an association response frame, which contains the same Capability Information field.
However, this frame replaces the Listen Interval field with a Status Code field (2 B), which is usually Success, and
then adds an Association ID field (2 B). The AP then adds its own rates to the Supported Rates field. Note that the
AP is not required to send the SSID in the Association Response.
The answer that the AP gives is a message such as, "Association succeeded. You are client number 5 in my cell."
The rates appear again because the system does not know whether the client went through the probe process or
tried to associate directly. The Supported Rates field is important because this information indicates how the
devices will be able to talk to each other.
At any time, either the client or the AP can end the connection by sending a deauthentication message, which
contains a Reason Code field (2 B) in its body, or a disassociation message, which is built on the same
structure. With a disassociation message, the station is still authenticated but is disassociated.
Deauthentication (Bytes) Disassociation (Bytes)
Reason code 2 2
Capability information 2 2
Listen interval 2
SSID 2 to 34
Current AP address 6
Supported rates 3 to 10 3 to 10
Status code 2
Association ID 2
The client can send a reassociation request message. This message contains the same fields as the association
message, plus a 6-B Current AP Address field that is added to the Fixed Parameters. This 6-B field indicates the
MAC address of the AP to which the client is currently associated.
The AP answers with a reassociation response, which has the same format as an association response.
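A decoder for the fixed fields of the authentication, association response, deauthentication and disassociation bodies described above, with a check that flags any exchange that is not plain open authentication. This is an added example, not part of the original guide; the frame bodies are constructed, and the subtype numbers and the challenge text element ID (16) come from the 802.11 standard, not from this page.

```python
import struct

# Management subtype numbers from the Frame Control subtype field.
ASSOC_RESP, DISASSOC, AUTH, DEAUTH = 1, 10, 11, 12
CHALLENGE_TEXT_ID = 16  # element carrying the shared-key (WEP) challenge
MIN_BODY = {AUTH: 6, ASSOC_RESP: 6, DEAUTH: 2, DISASSOC: 2}


def elements(data):
    """Yield (element_id, value) pairs from the tagged part of a frame body."""
    pos = 0
    while pos + 2 <= len(data):
        eid, length = data[pos], data[pos + 1]
        if pos + 2 + length > len(data):
            raise ValueError("truncated information element")
        yield eid, data[pos + 2:pos + 2 + length]
        pos += 2 + length


def parse_mgmt_body(subtype, body):
    """Decode the fixed fields of a management frame body (after the header)."""
    if subtype not in MIN_BODY:
        raise ValueError(f"subtype {subtype} is not handled here")
    if len(body) < MIN_BODY[subtype]:
        raise ValueError("frame body too short for its fixed fields")
    if subtype == AUTH:
        alg, seq, status = struct.unpack_from("<HHH", body)
        challenge = any(eid == CHALLENGE_TEXT_ID
                        for eid, _ in elements(body[6:]))
        return {"algorithm": alg, "transaction": seq,
                "status": status, "challenge": challenge}
    if subtype == ASSOC_RESP:
        cap, status, aid = struct.unpack_from("<HHH", body)
        # The two top bits of the Association ID field are always set.
        return {"capability": cap, "status": status, "aid": aid & 0x3FFF}
    (reason,) = struct.unpack_from("<H", body)
    return {"reason": reason}


def audit_open_auth(request, response):
    """Return findings for anything that deviates from open authentication."""
    findings = []
    for name, body, seq in (("request", request, 1), ("response", response, 2)):
        f = parse_mgmt_body(AUTH, body)
        if f["algorithm"] != 0:
            findings.append(f"{name}: algorithm {f['algorithm']}, not open (0)")
        if f["transaction"] != seq:
            findings.append(f"{name}: transaction {f['transaction']}, expected {seq}")
        if f["status"] != 0:
            findings.append(f"{name}: status code {f['status']}")
        if f["challenge"]:
            findings.append(f"{name}: challenge text present")
    return findings


# Constructed frame bodies (not taken from a real capture).
OPEN_REQ = struct.pack("<HHH", 0, 1, 0)
OPEN_RESP = struct.pack("<HHH", 0, 2, 0)
SHARED_REQ = struct.pack("<HHH", 1, 1, 0)
SHARED_RESP = struct.pack("<HHH", 1, 2, 0) + bytes([16, 4]) + b"abcd"
ASSOC_OK = struct.pack("<HHH", 0x0421, 0, 0xC005)  # "client number 5"
DEAUTH_BODY = struct.pack("<H", 3)

if __name__ == "__main__":
    print(audit_open_auth(OPEN_REQ, OPEN_RESP))
    print(audit_open_auth(SHARED_REQ, SHARED_RESP))
    print(parse_mgmt_body(ASSOC_RESP, ASSOC_OK))
```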
Control Frames: Controlling the Wireless Network
Control frames are special messages that are used in the cell to improve the efficiency of the connection. Although
there are multiple frame types, some are reserved for PCF mode, which is not implemented in most networks.
In normal DCF mode, a common control frame is the ACK message. The destination station sends this message as
a response to any frame that it receives in good condition. The ACK message is a 14-B-long empty frame.
When the original frame sender receives the ACK, it assumes that the message matches the frame that was just
sent and deduces that the station that sent the ACK is the station to which it just transmitted. Because the
sender is implied, even the SA is not necessary. In addition, ACKs do not need to be numbered. This frame
is built to be as efficient and as light as possible, because it was expected to be transmitted after every unicast
frame. Its job is to confirm that the original frame was received.
The RTS and CTS control frames are similar in format to the ACK. These frames are used when a station wants to
send an RTS query before sending the frame. The receiver answers with a CTS message if the transmission is
possible.
• 802.11n and 802.11ac use a method that is similar to the first scenario to maintain compatibility in mixed
protocol environments. RTS frames for bonded channels are sent across the multiple channels that are used.
The bandwidth that is used (also known as a bandwidth indicator) is also sent in the RTS frame. CTS frames
are sent in a similar fashion (multiples with a bandwidth indicator). When the client receives the CTS frame, it
knows how many channels are free in the bond. 802.11n tends to wait for a 40-MHz bond to become free.
However, 802.11ac, on seeing an 80-MHz bond only having the first 40 MHz free, will transmit at 40 MHz.
(Similarly, if 802.11ac only sees the lower 20-MHz channel free on a 40- or 80-MHz bond, it will send at 20
MHz.)
The RTS frame contains the same fields as the ACK along with a TA. The RTS has these fields:
• The Frame Control field (2 B, shown as FC in the figure).
• The Duration field (2 B, shown as D in the figure): This field is set to show the time that is required for the whole
transmission exchange, which includes an SIFS, the CTS, an SIFS, the data frame, an SIFS, and the ACK.
• The RA to which the frame is transmitted.
• The TA.
• An FCS.
An SIFS, not a DIFS, is used in the RTS-CTS-DATA-ACK exchange. From the moment that an RTS query starts,
the station assumes that the conversation has begun and that it has priority over other stations. This method
ensures that someone does not interrupt the conversation by trying to send before the transaction is complete.
The CTS that is received in response to the RTS has the same format as an ACK. The CTS has these fields:
• The Frame Control field (2 B, shown as FC in the figure).
• The Duration field (2 B, shown as D in the figure): This field is set to show the time that is required for the
remaining transmission exchange; an SIFS, the data frame, an SIFS, and the ACK.
• The RA to which the frame is returned.
• An FCS.
There is no TA or SA because only the RA can answer an RTS. Therefore, the sender of the frame is implied.
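The Duration values for a full RTS-CTS-DATA-ACK exchange, with a consistency check for a captured exchange, as an added example that is not part of the original guide. The SIFS length and all frame airtimes are assumed values in microseconds, chosen only to make the arithmetic visible.

```python
def exchange_durations(sifs, cts, data, ack):
    """Duration field of each frame, given SIFS and frame airtimes (microseconds).

    Each frame reserves the medium for everything that follows it.
    """
    return {
        "RTS": 3 * sifs + cts + data + ack,
        "CTS": 2 * sifs + data + ack,
        "DATA": sifs + ack,
        "ACK": 0,
    }


def check_exchange(frames, sifs):
    """Check the Duration values of one captured exchange.

    `frames` is a list of (name, airtime_us, duration_us) in on-air order.
    After a frame ends, what remains of the reservation is the previous
    Duration minus one SIFS minus the airtime of the frame just sent.
    """
    findings = []
    for (_, _, prev_dur), (name, airtime, dur) in zip(frames, frames[1:]):
        expected = prev_dur - sifs - airtime
        if dur != expected:
            findings.append(f"{name}: Duration {dur}, expected {expected}")
    if frames and frames[-1][2] != 0:
        findings.append(f"{frames[-1][0]}: last frame should have Duration 0")
    return findings


# Assumed timing values for illustration (microseconds).
SIFS, RTS_T, CTS_T, DATA_T, ACK_T = 16, 52, 44, 300, 44
D = exchange_durations(SIFS, CTS_T, DATA_T, ACK_T)

# Constructed captures: one consistent, one where the CTS reserves too long.
GOOD = [("RTS", RTS_T, D["RTS"]), ("CTS", CTS_T, D["CTS"]),
        ("DATA", DATA_T, D["DATA"]), ("ACK", ACK_T, D["ACK"])]
BAD = [("RTS", RTS_T, D["RTS"]), ("CTS", CTS_T, 500),
       ("DATA", DATA_T, D["DATA"]), ("ACK", ACK_T, D["ACK"])]

if __name__ == "__main__":
    print(D)
    print(check_exchange(GOOD, SIFS))
    print(check_exchange(BAD, SIFS))
```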
A client can send a null data frame (empty frame body) to indicate to the AP that it is going to sleep (power-save
mode). The AP will buffer packets for the client and send them when the client "wakes up."
© 2024 Cisco and/or its affiliates. All rights reserved. Content printed from 00u3u2gd2roHta8UC5d7