Our Blog

We are passionate about modern day security

Jul 22

In our previous post, we started exploring wireless packets by introducing MAC frames and Management Frames. In this article, we’ll dive deeper into Control and Data frames, essential components in 802.11 Wi-Fi networks.

What Are Control Frames?

Control frames in Wi-Fi (802.11) networks are crucial for managing the flow of traffic and ensuring the successful delivery of data frames. Think of them as the traffic controllers of Wi-Fi, regulating who can transmit data and when.

Types of Control Frames in Wi-Fi Networks

Control frames are identified by a type value of 0x01 and a 4-bit subtype, allowing for 16 possible subtypes (0x0000-0x1111). Here are the 14 utilized subtypes in 802.11 networks:

  • Reserved (0x0000-0x0010)
  • TACK (0x0011)
  • Beamforming Report Poll (0x0100)
  • VHT HE NDP Announcement (0x0101)
  • Control Frame Extension (0x0110)
  • Control Wrapper (0x0111)
  • Block ACK Request (0x1000)
  • Block ACK (0x1001)
  • PS-Poll (0x1010)
  • Request To Send (0x1011)
  • Clear To Send (0x1100)
  • Acknowledgement (0x1101)
  • Contention Free End (0x1110)
  • Contention Free End and Acknowledgement (0x1111)

Control Wrapper Frame

The Control Wrapper frame, defined in the 802.11n standard, carries other control frames and incorporates the High Throughput (HT) control field. This ensures all control frame fields are moved into corresponding fields within the control wrapper frame.

Control Wrapper Frame Diagram

Block Acknowledgement Request (BlockAckReq) and Block Acknowledgement (BlockAck)

Introduced in the 802.11e standard in 2007, the Block Acknowledgement (Block ACK) mechanism improves channel efficiency by allowing multiple QoS data frames to be acknowledged with a single Block ACK frame, rather than acknowledging each frame individually.

To use Block ACK, the requesting device must ensure that the recipient supports this capability. This is done by sending a series of QoS data frames with the NAV reservation set and the Ack Policy subfield in the QoS Control Field set to Block ACK. A Block Acknowledgement Request frame is then sent to acknowledge the outstanding QoS data frames.

Block ACK Frame Diagram

PS-Poll Frame

The Power Save Poll (PS-Poll) frame, part of the 802.11e standard’s Automatic Power Save Delivery (APSD), allows devices to conserve power by periodically waking up to check for pending data from the access point and retrieving it if available. This balances energy efficiency with timely data reception.

PS-Poll Frame Diagram

RTS/CTS Frames

Request To Send (RTS) and Clear To Send (CTS) frames manage the initiation of data transmission. An RTS frame, 20 bytes long, is sent before data transmission, with the Duration field specifying a microsecond value. Listening devices use this to set their NAV timers and avoid transmitting until the timer reaches zero.

RTS Frame

An RTS frame is crucial for initiating communication in busy networks. It serves as a signal to clear the channel for the upcoming data transmission. When a device wants to send data, it first sends an RTS frame to the receiving device, indicating the duration for which the channel will be used.

RTS Frame Diagram

CTS Frame

Upon processing the RTS frame, the responding device sends a 14-byte CTS control frame, specifying the time available for transmission in the Duration field. This frame serves to acknowledge the RTS frame and inform other devices in the network that they should hold off on transmitting data for the specified duration, thus preventing collisions and ensuring smooth communication.

CTS Frame Diagram

ACK Frame

Acknowledgement frames (ACK) confirm the receipt of previous packets. If an ACK is not received, the frame will be retransmitted due to a failed CRC checksum (FCS). Broadcast and multicast frames do not require an acknowledgment.

A generic ACK frame is 14 bytes long and looks like this:

ACK Frame Diagram

What Are Data Frames?

Data frames in Wi-Fi (802.11) networks are used to transmit information across the network.

Types of Data Frames in Wi-Fi Networks

Data frames are identified by a type value of 0x02 and have 15 possible subtypes (0x0000-0x1111). Here are the key subtypes of data frames in 802.11 networks:

  • Data: A standard data frame without QoS support.
  • Data + CF-Ack: A data frame that includes an acknowledgment of previously received frames.
  • Data + CF-Poll: A data frame that requests the recipient to send data.
  • Data + CF-Ack + CF-Poll: A data frame that acknowledges previously received frames and requests the recipient to send data.
  • Null (no data): A frame with no data payload, often used for maintaining association with the access point.
  • QoS Data: A data frame with QoS support.
  • QoS Data + CF-Ack: A QoS data frame that includes an acknowledgment of previously received frames.
  • QoS Data + CF-Poll: A QoS data frame that requests the recipient to send data.
  • QoS Data + CF-Ack + CF-Poll: A QoS data frame that acknowledges previously received frames and requests the recipient to send data.
  • QoS Null (no data): A QoS frame with no data payload, indicating a change in QoS parameters or power management state.
  • Reserved: Subtypes reserved for future use.

Data Frame Subtypes

Understanding the different subtypes of data frames helps in optimizing the performance and reliability of Wi-Fi networks. Here are some critical data frame subtypes:

Data + CF-Ack

This frame subtype combines standard data transmission with an acknowledgment of previously received frames, ensuring that the communication is confirmed and reliable.

Data + CF-Ack Frame Diagram

Data + CF-Poll

In addition to carrying data, this frame subtype requests the recipient to send data, facilitating bidirectional communication.

Data + CF-Poll Frame Diagram

Data + CF-Ack + CF-Poll

This subtype not only transmits data and acknowledges previously received frames but also requests the recipient to send data, ensuring efficient two-way communication.

Data + CF-Ack + CF-Poll Frame Diagram

Null (no data)

A Null data frame contains no payload and is primarily used to maintain an active association with the access point, especially during periods of inactivity.

Null Data Frame Diagram

QoS Data

Quality of Service (QoS) data frames include additional fields to prioritize traffic, ensuring that high-priority applications like voice and video receive the necessary bandwidth and low latency.

QoS Data Frame Diagram

QoS Data + CF-Ack

This frame subtype combines QoS data transmission with an acknowledgment of previously received frames, maintaining high-priority communication with confirmation.

QoS Data + CF-Ack Frame Diagram

QoS Data + CF-Poll

In addition to QoS data transmission, this frame subtype requests the recipient to send data, ensuring efficient use of network resources for high-priority traffic.

QoS Data + CF-Poll Frame Diagram

QoS Data + CF-Ack + CF-Poll

This subtype not only transmits QoS data and acknowledges previously received frames but also requests the recipient to send data, optimizing bidirectional communication for high-priority traffic.

QoS Data + CF-Ack + CF-Poll Frame Diagram

QoS Null (no data)

A QoS Null frame contains no payload but indicates a change in QoS parameters or power management state, helping to manage network resources efficiently.

QoS Null Frame Diagram

Conclusion

In this post, we have explored the critical functions and types of Control and Data frames within 802.11 Wi-Fi networks. By understanding these frames, networking professionals can better manage and troubleshoot wireless communications, ensuring more efficient and reliable network performance. Stay tuned for more in-depth tutorials on wireless networking and other cybersecurity topics.

For more detailed discussions and updates, follow our blog and join the conversation on our Discord. If you have any questions or topics you’d like us to cover, feel free to leave a comment below.




You May Also Enjoy