Frame Types

For the most part, all frames are going to have the same type of header. The difference is in the body of the frame. The body is more specific and indicates what the frame is all about. Table 7-2 shows some frame types.

Table 7-2 Frame Types Table





Request to Send (RTS)

Simple data

Probe Request

Clear to Send (CTS)

Null function

Probe Response



Association Request

Power-Save-Poll (PS-Poll)


Association Response

Contention Free End (CF-End)


Authentication Request

Contention Free End + Acknowledgment (CF-End +ACK)


Authentication Response




Reassociation request

Reassociation response

Announcement traffic indication message (ATIM)

Each frame type merits its own discussion to follow.

Management Frames

Management frames, as their name indicates, are used to manage the connection. In looking at a frame capture, the Type field indicates Management, and the subtype tells what kind of management frame it is. As Table 7-2 listed, there are 11 Management frame types. There are some more-often seen frames that you should be familiar with. These frame types are discussed in the following sections.

Beacons and Probes

Figure 7-4 shows a management frame with a subtype of 8. This indicates that it is a beacon frame, which is used to help clients find the network.

t—ranr _u ijj Liyl^ un r.± e Liy lh. Lc|jhj i cj v IEEE 802.11 Beacon frame, Flags:

TYpe^Subtype: Beacon frame (0x03) ^ Frame Central: 0*0080 (NarmalJ Vers Inn; 0

Type: Management frame (3) j V Flags: 0*0

Key Topic

Figure 7-4 Management Frame Capture

Figure 7-5 shows a sample network where the AP is sending a beacon frame.


Wireless Client


Wireless Client

Figure 7-5 Sample Network Using Beacon Frames

When the client hears the beacon frame, it can learn a great deal of information about the cell. In Figure 7-6, you can see that the beacon frame includes a timestamp that gives a reference time for the cell, the beacon interval, and a field called Capability Information, which provides specifics for this cell. The Capability Information field includes information regarding power save mode, authentication, and preamble information.

A beacon frame also includes the SSIDs that the AP supports, the rates that are supported, and six fields called Parameter Set that indicate modulation methods and such.

Another field you will find is Traffic Indication Map (TIM), which indicates whether the AP is buffering traffic for clients in power-save mode.

When a client sees a beacon frame, it should be able to use that information to determine if it is able to connect to the wireless Cell. Chapter 16, "Wireless Clients," covers the

IEEE 502,11 wireless LAN management frame v Fixed parameters (12 bytes)

Timestamp: OI0OOOOOHA7341A1BA

Beacon Interval: O.1024OG [Seconds]

v Capability information : 0x0401

1 = ESS capabilities: fransmitter is an AP

0 00. . CFP participation capabilities; No point coordinator at AP (0x0000)

0 = Short Preamble: Short preamble not allcwed

0 = PBCC: PBCC modulation not aL Lowed

0 = Channel Agility: Channel agility not in use

0 = Spectrum Management: dotllSpectrumManagementRequired FALSE

1 = Short Slot Time: 5hort slot time in use

... 0 = Automatic Pcwer Save Delivery: apsd not implemented

.0 - D5SS-0FDH: O5SS-OF0M modulation not allrned

0 = Delayed Block Ack: delayed block ack not implemented

0 = Immediate Block Ack: immediate bldck ack not implemented

Tagged parameters (52 bytes) t> 55ID parameter set: "Carroll"

(p Supported Rates: 1.0|B) 2.0(B) 5.5(B) 11.0(B) IB.0 24.0(B) 36.0 54.0 t> OS Parameter set: Current Channel: 6

Tr.-iffir rnrjjrgtlan M^n I1 TlM'i HTIM n nf 1 hi-m.-,n Pmnf,_

Figure 7-6 Beacon Frame Details process of how a client searches channels and displays connection capability information. For now, just understand that the beacon frame allows a client to passively scan a network.

Sometimes, however, you do not want to passively scan a network. Perhaps you know exactly what cell you want to connect to. In this situation, you can actively scan a network to determine if the cell you are looking for is accessible. When a client actively scans a network, it uses probe request and probe response messages. Figure 7-7 shows a client actively scanning.

Probe request "Is SSID CARROLL out there?"


Probe request "Is SSID CARROLL out there?"


To Distribution


Probe response "Here I am!"

Figure 7-7 Active Scanning

As you can tell in the figure, the client is looking for a wireless cell with the SSID of "Carroll." This client sends a probe request and the AP, upon receiving the probe request, issues a probe response. The probe response is similar to the beacon frame, including capability information, authentication information, and so on. The difference is that a beacon frame is sent frequently and a probe response is sent only in response to a probe request.

Connecting After a Probe or Beacon

After a client has located an AP and understands the capabilities, it tries to connect using an authentication frame. This frame has information about the algorithm used to authenticate, a number for the authentication transaction, and information on whether authentication has succeeded or failed.

One thing to note is that authentication can be Open, meaning that no authentication algorithm such as WEP is being used. The only reason an authentication message is used is to indicate that the client has the capability to connect. In Figure 7-8, the client is sending an authentication request, and the AP is sending an authentication response. Upon authentication, the client sends an association request, and the AP responds with an association response.

Was this article helpful?

+1 0

Post a comment