802.11 frame types

In the IEEE 802.11 wireless LAN protocols (such as Wi-Fi), a MAC frame is constructed of common fields (which are present in all types of frames) and specific fields (present in certain cases, depending on the type and subtype specified in the first octet of the frame).

Generic 802.11 Frame

The very first two octets transmitted by a station are the Frame Control. The first three subfields within the frame control and the last field (FCS) are always present in all types of 802.11 frames. These three subfields consist of two bits Protocol Version subfield, two bits Type subfield, and four bits Subtype subfield.

Frame control

802.11 Frame Control Field

The first three fields (Protocol Version, Type and Subtype) in the Frame Control field are always present. The fields, in their order of appearance in transmission, are:

1. Protocol Version
2. Type
3. Subtype
4. To-DS
5. From-DS
6. More-Fragments
7. Retry
8. Power Management
9. More Data
10. Protected frame
11. +HTC/order

Protocol version subfield

The two-bit protocol version subfield is set to 0 for WLAN (PV0) and 1 for IEEE 802.11ah (PV1). The revision level is incremented only when there is a fundamental incompatibility between two versions of the standard. ^{[1] [2]} PV1 description is incorporated in the latest 802.11-2020 standard.

Types and subtypes

Various 802.11 frame types and subtypes

Type value (bits 3–2)	Type description	Subtype value (bits 7–4)	Subtype description
00	Management	0000	Association Request
00	Management	0001	Association Response
00	Management	0010	Reassociation Request
00	Management	0011	Reassociation Response
00	Management	0100	Probe Request
00	Management	0101	Probe Response
00	Management	0110	Timing Advertisement
00	Management	0111	Reserved
00	Management	1000	Beacon
00	Management	1001	ATIM
00	Management	1010	Disassociation
00	Management	1011	Authentication
00	Management	1100	Deauthentication
00	Management	1101	Action
00	Management	1110	Action No Ack (NACK)
00	Management	1111	Reserved
01	Control	0000–0001	Reserved
01	Control	0010	Trigger [3]
01	Control	0011	TACK
01	Control	0100	Beamforming Report Poll
01	Control	0101	VHT/HE NDP Announcement
01	Control	0110	Control Frame Extension
01	Control	0111	Control Wrapper
01	Control	1000	Block Ack Request (BAR)
01	Control	1001	Block Ack (BA)
01	Control	1010	PS-Poll
01	Control	1011	RTS
01	Control	1100	CTS
01	Control	1101	ACK
01	Control	1110	CF-End
01	Control	1111	CF-End + CF-ACK
10	Data	0000	Data
10	Data	0001–0011	Reserved
10	Data	0100	Null (no data)
10	Data	0101–0111	Reserved
10	Data	1000	QoS Data
10	Data	1001	QoS Data + CF-ACK
10	Data	1010	QoS Data + CF-Poll
10	Data	1011	QoS Data + CF-ACK + CF-Poll
10	Data	1100	QoS Null (no data)
10	Data	1101	Reserved
10	Data	1110	QoS CF-Poll (no data)
10	Data	1111	QoS CF-ACK + CF-Poll (no data)
11	Extension	0000	DMG Beacon
11	Extension	0001	S1G Beacon
11	Extension	0010–1111	Reserved

Action frames

Action frames extend management frames to control a certain action. Some of the action categories are QoS, Block Ack, Public, Radio Measurement, Fast BSS Transition, Mesh Peering Management, etc. These frames are sent by a station when it needs to tell its peer for a certain action to be taken.

For example, a station can tell another station to set up a block acknowledgement by sending an ADDBA Request action frame. The other station would then respond with an ADDBA Response action frame.

Wi-Fi Neighbor Awareness Networking (NAN), also known as Wi-Fi Aware, service discovery frames are NAN-specific public action frames. ^[4] They are used in Remote ID for example. ^[5]

ToDS and FromDS

ToDS is one bit in length and set to 1 if destined to Distribution System, ^[6] while FromDS is a one-bit length that is set to 1 if originated from Distribution System. ^[6]

Retry

Set to 1 if the Data or Management frame is part retransmission of the earlier frame. This bit is reused for different purpose in Control frame.

Protected frame

Set to 1 if the Management Frame is protected by encryption as described in IEEE_802.11w-2009.

+HTC/order

It is one bit in length and is used for two purposes:

• It is set to 1 in a non-QoS data frame transmitted by a non-QoS WLAN station to indicate the frame being transmitted is using Strictly-Ordered service class (this use is obsolete and will be removed from the future 802.11 Standard).
• It is set to 1 in a QoS data or management frame transmitting at HT or higher rate to indicate that the frame contains HT Control field (see above)

References

1. "802.11 frames : A starter guide to learn wireless sniffer traces". community.cisco.com. October 25, 2010. Retrieved February 20, 2019.
2. 802.11 Working Group. Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. 2016. New York, NY: IEEE. p. 638.
3. LAN/MAN Standards Committee (February 9, 2021). IEEE Standard for Information Technology--Telecommunications and Information Exchange between Systems Local and Metropolitan Area Networks--Specific Requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications Amendment 1: Enhancements for High-Efficiency WLAN. New York, NY: IEEE Standards Association. p. 76. doi:10.1109/IEEESTD.2021.9442429. ISBN   978-1-5044-7390-3.
4. EPpatent 3369083B1  
5. Kais Belwafi; Ruba Alkadi; Sultan A. Alameri; Hussam Al-Hamadi; Abdulhadi Shoufan (2022). "Unmanned Aerial Vehicles' Remote Identification: A Tutorial and Survey". IEEE Access . 10: 87577–87601. doi:10.1109/ACCESS.2022.3199909. ISSN   2169-3536. Wikidata   Q125618419.
6. Rapp, Dale (May 17, 2014). "THE TO DS AND FROM DS FIELDS". DALESWIFISEC. Retrieved August 13, 2019.