IEEE 802.11 Frames
Physical Layer / Data Link Layer

Introduction
• Wireless LAN standard 802.11 defines layer 2 in great detail, specifying numerous frames that have applications in different situations
• This presentation is intended to explain the fundamental frames in WLAN 802.11
IEEE 802.11 Standard Regarding Layer 2
• The 802.11 standard is written by IEEE committees
• IEEE splits the Layer 2 functions into two sub-layers:
  • Logical Link Control (LLC)
  • Medium Access Control (MAC)
IEEE Jargon
• Actually this is inherited from OSI/ISO
• PDU: Protocol Data Unit
  • A protocol header with encapsulated data
• SDU: Service Data Unit
  • The encapsulated data or payload

Data Link Layer
• Upper layer queries L2
• Upper layer passes PDU down
(Figure: Upper Layer -> LLC sub-layer -> MAC sub-layer, the two IEEE Layer 2 sub-layers; the MAC sub-layer produces the MAC Protocol Data Unit, MPDU)
• MPDU has a 2,304 bytes MTU
IEEE 802.11 Layer 2 Medium Access Control
IEEE 802.11 General Layer 2 Frame
• What do we need in the frame?

IEEE 802.11 General Frame
• What do we need in the frame?
• A payload that carries upper layer data
(Frame so far: Payload, 2,304 Bytes)

IEEE 802.11 General Frame
• What do we need in the frame?
• A payload that carries upper layer data
• Payload MTU is 2,304 Bytes
• Larger than Ethernet MTU
• Why would we need that larger payload?
(Frame so far: Payload, 2,304 Bytes)

IEEE 802.11 General Frame
• What do we need in the frame?
• A payload that carries upper layer data
• Payload MTU is 2,304 Bytes
• Larger than Ethernet MTU
• Payload is larger to support additional encapsulating headers like LLC headers, tunnelling, security, QoS, etc.
(Frame so far: Payload, 2,304 Bytes)

IEEE 802.11 General Frame
• What else do we need in the frame?
(Frame so far: Payload)

IEEE 802.11 General Frame
• What do we need in the frame?
• L2 MAC addresses: destinations and sources
• Different situations require more than 2 addresses
(Frame so far: Address 1 | Address 2 | Address 3 | Address 4 | Payload)
IEEE 802.11 MAC Addresses
• 802.11 frames have four address fields
• These four address fields will contain either three or four MAC addresses, depending on the network infrastructure
• The MAC addresses are:
  • Destination Address
  • Source Address
  • Receiver Address: different cases

IEEE 802.11 Addresses
• Case: from wireless station A to wireless station B via AP
(Figure: Destination Address = MAC of Station B; Source Address = MAC Address of Station A; BSSID)

IEEE 802.11 Addresses
• Case: from wireless station A to a destination "in the wired infrastructure"
(Figure: Destination Address = MAC of Station C; Source Address = MAC Address of Station A; BSSID)
IEEE 802.11 General Frame
• What do we need in the frame?
• Stations require a confirmation that a Data Frame has been received successfully
• Data frames have to be acknowledged back to the sender
• There are two ways to implement this scheme:
  • Send part of the original frame back to the sender (more bytes to implement)
  • Identify each frame with a number (cheaper, fewer bytes to implement)
• Wireless 802.11 uses identification numbers

IEEE 802.11 General Frame
• What do we need in the frame?
• Data frames have to be acknowledged back to the sender
• Each frame needs a number to identify it
(Frame so far: Address 1 | Address 2 | Address 3 | Sequence Control | Address 4 | Payload)

IEEE 802.11 General Frame
• What do we need in the frame?
• The Station occupies the medium for a certain time
(Frame so far: Address 1 | Address 2 | Address 3 | Sequence Control | Address 4 | Payload)

IEEE 802.11 General Frame
• What do we need in the frame?
• The Station occupies the medium for a certain time
• The station advertises that time to avoid collisions
(Frame so far: Duration ID | Address 1 | Address 2 | Address 3 | Sequence Control | Address 4 | Payload)
IEEE 802.11 General Frame
• What else do we need in the frame?
• There are different types of frames in 802.11:
Frame Control | Duration ID | Address 1 | Address 2 | Address 3 | Sequence Control | Address 4 | Body
2 Bytes       | 2 Bytes     | 6 Bytes   | 6 Bytes   | 6 Bytes   | 2 Bytes          | 6 Bytes   | 2,312 Bytes

IEEE 802.11 General Frame
• What else do we need in the frame?
• There are three (3) types of frames in 802.11:
  • Management
  • Control
  • Data
Frame Control | Duration ID | Address 1 | Address 2 | Address 3 | Sequence Control | Address 4 | Body
2 Bytes       | 2 Bytes     | 6 Bytes   | 6 Bytes   | 6 Bytes   | 2 Bytes          | 6 Bytes   | 2,312 Bytes

IEEE 802.11 General Frame
• What do we need in the frame?
• Correct frames are ACKed
• Damaged frames must be discarded
Frame Control | Duration ID | Address 1 | Address 2 | Address 3 | Sequence Control | Address 4 | Body
2 Bytes       | 2 Bytes     | 6 Bytes   | 6 Bytes   | 6 Bytes   | 2 Bytes          | 6 Bytes   | 2,312 Bytes

IEEE 802.11 General Frame
• What do we need in the frame?
• Damaged frames must be discarded
• A checksum calculated on the whole frame is used to verify that the data has not been corrupted
Frame Control | Duration ID | Address 1 | Address 2 | Address 3 | Sequence Control | Address 4 | Body        | FCS
2 Bytes       | 2 Bytes     | 6 Bytes   | 6 Bytes   | 6 Bytes   | 2 Bytes          | 6 Bytes   | 2,312 Bytes |

IEEE 802.11 General Frame
• This is the IEEE 802.11 General Frame
Frame Control | Duration ID | Address 1 | Address 2 | Address 3 | Sequence Control | Address 4 | Body        | FCS
2 Bytes       | 2 Bytes     | 6 Bytes   | 6 Bytes   | 6 Bytes   | 2 Bytes          | 6 Bytes   | 2,312 Bytes |
IEEE 802.11 Frame: The Fields in more detail

Frame Control Field
• The frame control indicates the type of the frame
• It also indicates the specific purpose of the frame
• Also, it points out if certain properties are being used
Frame Control
• 2 Bytes long
• 2 bits for VERSION = 00
• 2 bits for TYPE = 00, 01, 10, 11
• 4 bits for SUB-TYPE = from 0000 to 1111
Frame Control Field
• TYPE sub-field
  • 00 Management Frames
  • 01 Control Frames
  • 10 Data Frames
  • 11 unused, reserved

Frame Control Field
• SUB-TYPE sub-field (4 bits)
• 00 Management Frames
  • Association
  • Re-association
  • Probe
  • Beacon (1000)
  • Authentication

Frame Control Field
• SUB-TYPE sub-field (4 bits)
• 01 Control Frames
  • Power Save Poll
  • RTS
  • CTS
  • ACK
  • Contention Free
  • CF-end + CF-ACK

Frame Control Field
• SUB-TYPE sub-field (4 bits)
• 10 Data Frames
  • Data (0000)
  • Data + ACK + CF
  • Null Data
  • QoS Data
  • etc.
Frame Control Field
• Power management bit
  • Battery conservation mode
  • Buffering of data by the Access Point
• More Data bit
  • Data is buffered by the AP
  • The AP sends data to stations that are awake
  • Meaning: more data to come, do not go to sleep again
• Protected data bit
  • The L2 frame is protected by security (WEP)

Duration / ID Field
• Network Allocation Vector (NAV)
• Contention free period
• PS-Poll (power save poll)

Sequence Control Field
• Twelve (12) bit sequence number to identify the frames
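The header fields described on the Frame Control, Duration/ID, address and Sequence Control slides, decoded from a constructed frame. This is an added example, not code from the slides; the To DS / From DS address mapping and the subtype code points not named above are taken from the 802.11 standard, and the sample frame bytes are constructed.

```python
import struct

# Type/subtype code points named on the slides (Beacon 0/8, Data 2/0) plus a few
# other standard ones; the full tables are in the 802.11 standard.
SUBTYPE_NAMES = {(0, 4): "Probe Request", (0, 5): "Probe Response", (0, 8): "Beacon",
                 (0, 11): "Authentication", (1, 10): "PS-Poll", (1, 11): "RTS",
                 (1, 12): "CTS", (1, 13): "ACK", (2, 0): "Data", (2, 4): "Null Data",
                 (2, 8): "QoS Data"}

def parse_frame_control(fc: int) -> dict:
    """Split the 16-bit Frame Control field (read little-endian) into its sub-fields."""
    return {"version": fc & 0x3, "type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "to_ds": bool(fc & 0x0100), "from_ds": bool(fc & 0x0200),
            "retry": bool(fc & 0x0800), "power_mgmt": bool(fc & 0x1000),
            "more_data": bool(fc & 0x2000), "protected": bool(fc & 0x4000)}

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_header(frame: bytes) -> dict:
    """Decode the general MAC header; QoS Control / HT Control fields are not handled."""
    fc, duration = struct.unpack_from("<HH", frame, 0)
    info = parse_frame_control(fc)
    info["duration_id"] = duration
    key = (info["type"], info["subtype"])
    info["name"] = SUBTYPE_NAMES.get(key, f"type {key[0]} subtype {key[1]}")
    if info["type"] == 1:                  # control frames carry only Address 1 (RTS: also 2)
        info["RA"] = mac(frame[4:10])
        return info
    seq = struct.unpack_from("<H", frame, 22)[0]
    info["fragment"], info["sequence"] = seq & 0xF, seq >> 4   # 4-bit fragment, 12-bit seq
    # Which MAC address sits in Address 1..3 depends on the To DS / From DS bits.
    roles = {(False, False): ("DA", "SA", "BSSID"), (True, False): ("BSSID", "SA", "DA"),
             (False, True): ("DA", "BSSID", "SA"), (True, True): ("RA", "TA", "DA")}
    addrs = (mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]))
    info.update(zip(roles[(info["to_ds"], info["from_ds"])], addrs))
    hdr_len = 24
    if info["to_ds"] and info["from_ds"]:  # both bits set: Address 4 carries the SA
        info["SA"], hdr_len = mac(frame[24:30]), 30
    info["body"] = frame[hdr_len:]
    return info

# Constructed sample: data frame from station A to its AP (To DS = 1), seq 100, fragment 0.
SAMPLE_DATA_FRAME = (bytes.fromhex("0801" "2c00")              # Frame Control, Duration = 44
                     + bytes.fromhex("001122334455")           # Address 1 = BSSID
                     + bytes.fromhex("66778899aabb")           # Address 2 = SA (station A)
                     + bytes.fromhex("ccddeeff0011")           # Address 3 = DA
                     + bytes.fromhex("4006") + b"payload")     # Sequence Control, body
```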
Payload
• The IEEE 802.11 header has no Type field to indicate what is inside the payload
• The payload might contain several modes of encapsulation
• These modes are described in two documents: RFC 1042 and IEEE 802.1H (Ethernet Tunnel)
• The payload can use encapsulated:
  • LLC Sub-network Access Protocol (SNAP)
  • Ethernet standard
  • Ethernet tunnel

Standard Ethernet Payload
(Figure: 802.11 Header | Payload = [Ethernet-header-derived Type | Encapsulated PDU]; example: Type 0800 -> Encapsulated IP Packet)

802.3 LLC Payload
(Figure: 802.11 Header | Payload = [SNAP DSAP AA hex | SNAP SSAP AA hex | Control UI | Ethernet Tunnel | Type | Encapsulated PDU]; MAC addresses derived from the 802.11 header)

802.3 RFC-1042 Payload
(Figure: 802.11 Header | Payload = [SNAP DSAP AA hex | SNAP SSAP AA hex | Control UI | RFC 1042 encapsulation | Type | Encapsulated PDU]; MAC addresses derived from the 802.11 header)

Checksum
• Calculated over the whole frame
• Calculated at both ends
• If the checksum matches at the destination, accept the frame and ACK back
• Otherwise, discard and do not ACK
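The receive-side steps from the Payload and Checksum slides, as an added example that is not from the slides: verify the FCS (a 32-bit CRC with the Ethernet polynomial, carried least-significant byte first), then read the LLC/SNAP bytes to tell RFC 1042 encapsulation (OUI 00-00-00) from the 802.1H Ethernet tunnel (OUI 00-00-F8). The sample header and body bytes are constructed, and the 24-byte header length is assumed.

```python
import struct
import zlib

FCS_LEN = 4   # the 802.11 FCS is a 32-bit CRC (same polynomial as Ethernet), sent LSB first

def append_fcs(frame_without_fcs: bytes) -> bytes:
    """Sender side: compute the CRC over the whole header + body and append it."""
    return frame_without_fcs + struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)

def fcs_ok(frame: bytes) -> bool:
    """Receiver side: recompute the CRC over everything before the FCS and compare."""
    if len(frame) <= FCS_LEN:
        return False
    data, fcs = frame[:-FCS_LEN], struct.unpack("<I", frame[-FCS_LEN:])[0]
    return (zlib.crc32(data) & 0xFFFFFFFF) == fcs

def classify_payload(body: bytes) -> dict:
    """Read the start of the frame body to tell which encapsulation mode is in use."""
    if len(body) >= 8 and body[:3] == b"\xaa\xaa\x03":   # LLC: DSAP AA, SSAP AA, Control UI
        oui, ethertype = body[3:6], struct.unpack("!H", body[6:8])[0]
        if oui == b"\x00\x00\x00":
            mode = "RFC 1042 (SNAP)"
        elif oui == b"\x00\x00\xf8":
            mode = "802.1H Ethernet tunnel"
        else:
            mode = f"SNAP with OUI {oui.hex()}"
        return {"mode": mode, "ethertype": ethertype, "pdu": body[8:]}
    if len(body) >= 2:   # heuristic: bare Type field as on the 'Standard Ethernet Payload' slide
        return {"mode": "Ethernet type", "ethertype": struct.unpack("!H", body[:2])[0],
                "pdu": body[2:]}
    return {"mode": "unknown", "ethertype": None, "pdu": body}

def receive(frame: bytes, header_len: int = 24) -> dict:
    """The slide's rule: FCS mismatch -> discard and do not ACK; otherwise accept and ACK."""
    if not fcs_ok(frame):
        return {"accept": False, "ack": False}
    result = classify_payload(frame[header_len:-FCS_LEN])
    result.update(accept=True, ack=True)
    return result

# Constructed sample: 24-byte header (zeros, contents irrelevant here) + RFC 1042 SNAP + IPv4.
HEADER = bytes(24)
SNAP_IPV4 = bytes.fromhex("aaaa03" "000000" "0800") + b"\x45\x00"   # Type 0800 -> IP packet
GOOD_FRAME = append_fcs(HEADER + SNAP_IPV4)
BAD_FRAME = GOOD_FRAME[:-1] + bytes([GOOD_FRAME[-1] ^ 0x01])          # one bit flipped
```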
802.11 Frames: Management, Important frames

Acknowledgement
• All Unicast data frames need to be ACKed
(Figure, ACK frame: Frame Control (2 bytes) | Duration (2 bytes) | MAC Address of the original data frame sender (6 bytes) | Checksum (2 bytes))

Management Frames
• Information elements are inside the payload, in fixed fields
Frame Control | Duration ID | Address 1 | Address 2 | Address 3 | Sequence Control | Body        | FCS
2 Bytes       | 2 Bytes     | 6 Bytes   | 6 Bytes   | 6 Bytes   | 2 Bytes          | 2,312 Bytes |
(Body carries: Authentication data, Beacon, Association, etc.)
Management Type, Sub-type Beacon
• Beacons announce the existence of an 802.11 BSS at regular intervals
• All stations must listen to beacons
• Ad-hoc networks (IBSS) send Beacons as well
• In an infrastructure WLAN (ESS) only the AP sends Beacons
• In short, client stations learn the wireless network profile from beacons
• Among other things, the beacon announces:
  • AP capabilities
  • BSSID
  • Supported data bit rates
  • Supported encoding: DSSS or OFDM

Beacon Announces
• SSID or logical name
• Timestamp: for synchronization
• Spread spectrum parameter set: FHSS, DSSS, ERP, OFDM
• Channel information: channel being used by the AP
• Data rates: basic and supported rates
• Traffic indication map (TIM)
• QoS
• Security capabilities
How some of the different frames are used
• Scanning
• Roaming
• Association / Reassociation
• Protection Mechanism
• Power Management

Scanning: Passive
• The client station listens for BEACON frames
• BEACON frames are sent by the AP periodically
• BEACON frames advertise the network SSID (among other things)
(Figure: BEACON frame from the AP to the client station)

Beacon Frame
• The Beacon also advertises the Basic and Supported Data bit Rates
• These rates are needed to allow 802.11b and 802.11g in Mixed Mode
• 802.11b supports DSSS rates of 1 Mbps, 2 Mbps, 5.5 Mbps, and 11 Mbps
• 802.11g supports OFDM rates of 6 Mbps, 9 Mbps, 12 Mbps, 18 Mbps, 24 Mbps, 36 Mbps, 48 Mbps, and 54 Mbps
• When 11b and 11g coexist, these rates have to be advertised
(Figure: BEACON frame)
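How a client station reads the network profile out of a beacon body, covering the Beacon Announces and Beacon Frame slides above. This is an added example, not code from the slides: the fixed-field layout, element tags and rate encoding (units of 500 kbps, top bit marking a basic rate) are from the 802.11 standard, and the sample beacon body is constructed to carry a mixed 11b/11g rate set.

```python
import struct

# Beacon (and probe response) body: fixed fields, then tag/length/value information elements.
FIXED_LEN = 12   # timestamp (8) + beacon interval (2) + capability info (2)
TAG_SSID, TAG_RATES, TAG_DS_PARAMS, TAG_TIM, TAG_RSN = 0, 1, 3, 5, 48

def parse_elements(data: bytes) -> list:
    """Walk the element list; a truncated element ends the walk instead of over-reading."""
    elements, i = [], 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        if i + 2 + length > len(data):
            break
        elements.append((tag, data[i + 2:i + 2 + length]))
        i += 2 + length
    return elements

def decode_rates(value: bytes) -> dict:
    """Rate bytes are in units of 500 kbps; the top bit marks a basic (mandatory) rate."""
    return {"basic": [(b & 0x7F) / 2 for b in value if b & 0x80],
            "supported": [(b & 0x7F) / 2 for b in value]}

def parse_beacon_body(body: bytes) -> dict:
    timestamp, interval, cap = struct.unpack_from("<QHH", body, 0)
    profile = {"timestamp": timestamp, "beacon_interval_tu": interval,
               "privacy": bool(cap & 0x0010),      # capability bit 4: encryption required
               "ssid": None, "channel": None, "rsn_present": False, "tim_present": False}
    for tag, value in parse_elements(body[FIXED_LEN:]):
        if tag == TAG_SSID:
            profile["ssid"] = value.decode("utf-8", "replace")   # "" when the SSID is hidden
        elif tag == TAG_RATES:
            profile.update(decode_rates(value))
        elif tag == TAG_DS_PARAMS and value:
            profile["channel"] = value[0]
        elif tag == TAG_TIM:
            profile["tim_present"] = True
        elif tag == TAG_RSN:
            profile["rsn_present"] = True
    return profile

# Constructed sample: mixed-mode 11b/11g rate set, channel 6, ESS + Privacy capability bits.
SAMPLE_BEACON_BODY = (
    struct.pack("<QHH", 0x1234, 100, 0x0011)            # timestamp, interval 100 TU, ESS|Privacy
    + bytes([TAG_SSID, 7]) + b"CampusX"
    + bytes([TAG_RATES, 8, 0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24])
    + bytes([TAG_DS_PARAMS, 1, 6])
    + bytes([TAG_TIM, 4, 0, 2, 0, 0]))
```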
Scanning: Active
• The user initiates the action
• The user clicks on "view wireless networks"
• The wireless station sends a MANAGEMENT frame, PROBE REQUEST, to any AP listening
• The SSID field of the probe request frame is empty
(Figure: Probe request sent after "View wireless networks")

Scanning: Active, Probe Response
• The AP answers with a PROBE RESPONSE
• The SSID field has the SSID name
• Network scanners such as NetStumbler and AnalyzeAir use this same principle
• When the administrator disables this mechanism, scanning the network is not "very revealing"
• Scanning software like Kismet or Aircrack-ng does not use this principle; it just listens quietly to the traffic without probing
(Figure: "View wireless networks")