06 Understanding 802.11 Frame Types
What type of countdown mechanism is used by DCF to avoid collisions between stations that need to transmit frames?
A binary exponential countdown mechanism
What is the value of the first backoff timer?
A random number of timeslots between 0 and 31
What optional information can be contained in a probe request?
A specific SSID
When are beacons broadcast by the AP in a BSS?
About 10 times per second (every 102.4 ms)
What management frame is used in the 802.11k amendment to request radio measurement information, as well as a report of neighbouring APs to make more efficient roaming decisions?
Action
What management frame is used in the 802.11v amendment to allow for network-assisted client power savings?
Action
What management frame is used in the 802.11y amendment to allow an AP to announce an impending channel change?
Action
What is the term for when the wireless device broadcasts a probe request frame to ask any APs within range to identify themselves?
Active scan
What is contained in the association response frame to uniquely identify the client within the cell?
Association Identifier (AID)
What management frame is sent when a client asks to join a cell after the authentication phase is completed?
Association request
What management frame is sent when a client decides to join a cell?
Authentication request
What are the eight most common types of wireless management frames?
Beacon, probe, authentication, deauthentication, association, disassociation, reassociation and action
What control frame is used to acknowledge that a burst of unicast frames has been received?
Block ACK
How does a station inform an AP that it is going into doze mode to save battery power?
By sending an empty data frame with the Pwr Mgmt bit set to 1
What is the term used for the physical carrier sense process in wireless networks?
CCA
What is the name of the fundamental technique used by DCF to determine if the media is available before transmitting?
CSMA/CA
What is contained in the Address3 field of an 802.11 frame?
DA when the RA is not the final recipient; SA when the TA is not the originator
What is the name of the function in the 802.11 standard that decides which frame is transmitted first onto a shared wireless network?
DCF
What is the name of the default waiting period used after sending a standard priority frame?
DIFS
What is the term for when wireless clients coordinate with the AP for direct client-to-client communication?
DLS
What management frame is sent when a client wants to leave the authenticated state or when the AP wants to force a device out of the authenticated state?
Deauthentication
What is DA?
Destination Address of the final destination to receive the frame
What is DLS?
Direct Link Setup
What information is contained in an authentication response when using Open System authentication?
Direct authentication success
What states can be configured for each data rate on an AP?
Disabled, supported and mandatory
What management frame is sent when a client decides to leave a cell or when the AP decides to disconnect the client?
Disassociation
What is DCF?
Distributed Coordination Function
What is DIFS?
Distributed Interframe Space
What is the name of the waiting period used after collisions before retransmitting frames?
EIFS
What is EIFS?
Extended Interframe Space
What is the basic format of an 802.11 MAC frame?
Frame Control [2 bytes]; Duration/ID [2 bytes]; Address1 [6 bytes]; Address2 [6 bytes]; Address3 [6 bytes]; Sequence Control [2 bytes]; Address4 [6 bytes]; Data [0-2304 bytes]; FCS [4 bytes]
What are the four steps that a host takes to join a network offered by an AP?
Host sends authentication request to BSSID; AP sends authentication response if satisfied with host's identity; Host sends an association request to BSSID; AP sends an association response with AID
What is the name of the timer used to provide a safety cushion between frames and give the channel enough time for multipath signals to dampen out?
Interframe space
What happens to the contention window after each failed transmission attempt?
It is doubled from the previous range
What are the names of the two methods defined in the 802.11 standard to deliver power savings by putting the radio to sleep when it is not needed?
Legacy PSM and U-APSD
What five types of information are contained in an association request?
List of 802.11 capabilities; SSID; Supported channels; Supported data rates; Security parameters
What are the three different types of 802.11 frames?
Management, control and data
What information is contained in a probe response?
Most of the beacon information
What timer is maintained by wireless clients to predict when the channel will become free?
NAV
What is NAV?
Network Allocation Vector
What control frame is used by a station to request the next frame that was buffered while its radio was powered down?
PS-Poll
What is the term for when the wireless device simply listens for any beacon frame broadcast from nearby APs?
Passive scan
What are the two ways a wireless device can scan its surroundings to look for any live APs that might offer network service?
Passive scan or active scan
What is the name of the process where the client listens to the channel to overhear any other transmissions that might be occurring?
Physical carrier sense
What is the two-fold process that wireless devices can use to detect if a channel is available before transmitting?
Physical carrier sense and virtual carrier sense
What is PS?
Power Save
What is PSM?
Power Save Mode
What management frame is sent from a client to a BSSID to ask for WLAN characteristics?
Probe request
What management frame is sent from a client to the broadcast address to discover APs within signal range?
Probe request
What is the format of the 802.11 Frame Control field (16 bits)?
Protocol Version [2 bits]; Type [2 bits]; Subtype [4 bits]; To DS [1 bit]; From DS [1 bit]; More Frag [1 bit]; Retry [1 bit]; Pwr Mgmt [1 bit]; More Data [1 bit]; WEP [1 bit]; Order [1 bit]
What is contained in the Address1 field of an 802.11 frame?
RA
What is the name of the waiting period used by an 802.11n station between each segment of a burst?
RIFS
What are the names of the four different interframe space periods used from the shortest to the longest?
RIFS, SIFS, DIFS and EIFS
What control frame is used in 802.11ac to reserve channel space?
RTS/CTS
What control frame is used to reserve channel airtime and avoid collisions when 802.11b clients are present in an 802.11g cell?
RTS/CTS
What management frame is sent to the new AP when a client wants to roam from one BSS to another, while staying within the same SSID?
Reassociation request
What is RA?
Receiver Address of the next immediate station on the wireless medium to receive the frame
What is RIFS?
Reduced Interframe Space
What is the name of the process where a client can move seamlessly from one BSS to another within the ESS?
Roaming
What is contained in the Address4 field of an 802.11 frame?
SA when a frame is being transported from one AP to another AP in a mesh network
What is the name of the waiting period used between data frames and frame acknowledgments, or between 802.11g protection mode control frames?
SIFS
What is SIFS?
Short Interframe Space
What are the six basic steps of the roaming process?
Signal from AP-1 is degrading; Client sends a broadcast probe request with SSID; APs send probe responses; Client sends reassociation request to AP-2; AP-1 performs client handoff to AP-2; AP-2 sends a reassociation response to client
What is SA?
Source Address of the original source that initially created and transmitted the frame
What types of data rates are implemented by the 802.11 protocol?
Supported and mandatory
What is contained in the Address2 field of an 802.11 frame?
TA
What field in each beacon lists AIDs of stations for which the AP has buffered unicast traffic?
TIM
What does mandatory data rate mean?
The AP can use the data rate and expects every client to support it
What does supported data rate mean?
The AP can use the data rate if a client also supports its use, but the client is not required to support it
What does a disabled data rate mean?
The AP will not use the data rate for any client communication
What are the two drawbacks of passive scanning?
The device must wait until beacons are broadcast at the next interval; Beacons don't always contain specific SSIDs
What type of data rate is used by acknowledgement frames?
The first mandatory data rate below the current optimal data rate
What type of data rate is used by broadcast management frames and RTS/CTS by default?
The lowest mandatory data rate supported by the cell
What is a contention window?
The range of random backoff timer values
What is the term for the waiting time between numbers during countdown?
Timeslot
What are the values of the DS flags in an 802.11 frame sent directly from a wireless client to another wireless client via DLS?
To DS = 0; From DS = 0
What are the values of the DS flags in an 802.11 management frame sent from a wireless client to an AP?
To DS = 0; From DS = 0
What are the values of the DS flags in an 802.11 management or control frame that is broadcast from an AP to all wireless clients in the BSS?
To DS = 0; From DS = 0
What are the values of the DS flags in an 802.11 frame sent through an AP to a wireless client?
To DS = 0; From DS = 1
What are the values of the DS flags in an 802.11 frame sent from a wireless client through an AP?
To DS = 1; From DS = 0
What are the values of the DS flags in an 802.11 frame relayed from an AP to another AP in a mesh network?
To DS = 1; From DS = 1
What is a backoff timer?
Total waiting time during countdown before a station transmits a frame
What is TA?
Transmitter Address of the station that transmitted the frame onto the wireless medium
What is the name of the process where the client overhears the Duration/ID field in the frame header of other transmissions and predicts how long it should wait before it can transmit?
Virtual carrier sense
What are the four steps that a client must go through before it can transmit a frame?
Wait for at least a DIFS period; Determine that no other devices are transmitting; Wait and listen during countdown of its backoff timer; Transmit if the channel is still clear
How does a station know that a frame has been transmitted successfully?
When it receives a frame acknowledgement
How many MAC addresses are contained in an 802.11 header?
3 or 4
How long do Cisco APs take to age out and send a deauthentication request to an unresponsive client?
5 minutes
What are the default mandatory data rates of 802.11a/n?
6, 12 and 24 Mbps
What 802.11 amendment defines DLS?
802.11z
What is the size of the maximum payload that can be carried in an 802.11 frame?
2304 bytes
What are the default mandatory data rates of 802.11b/g/n?
1, 2, 5.5 and 11 Mbps
What is the maximum number of timeslots in a contention window?
1023
What control frame is used to acknowledge that a unicast frame has been received?
ACK
What are the four most common control frames?
ACK, Block ACK, PS-Poll and RTS/CTS
What management frame contains information about the WLAN, including the SSID, mandatory and supported data rates, and sometimes vendor-specific information?
Beacon
What is CSMA/CA?
Carrier Sense Multiple Access/Collision Avoidance
What information is contained in an authentication response when using WEP authentication?
Challenge phrase
What is CCA?
Clear Channel Assessment
What are the seven steps performed by the legacy PSM method?
Client sends frame with Pwr Mgmt bit set; Client shifts radio into sleep mode; AP buffers unicast frames; Client wakes up about every three beacon frames; Beacon contains a TIM with client's AID; Client sends PS-Poll to retrieve buffered frames; AP sends buffered frames
