This chapter is a rather short one. It serves as an overview (and refresher) of how 802.11 MAC Operations work in relation to Data Frame Exchanges. These Data Frames are what the users are interested in; the management and control frames exist to support them. Additionally, we’ll talk about some functionalities on the MAC layer and what to keep an eye on.
Data vs QoS Data
As we learned earlier in the CWNA class and in Chapter 4 of this CWAP series, we can distinguish two major types of data frames: “regular” Data and QoS Data frames. Both can be separated from each other in a capture file by filtering on their subtypes (100000 or 32 for Data, 101000 or 40 for QoS Data). François from SemFio Networks has made a very handy reference sheet for these filters, which I use all the time. It is definitely worth bookmarking.
When capturing Data frames, it’s best to stand close to the client to ensure you can capture and demodulate the traffic. Being too far away from the client, such as on the other side of the AP, might cause you to miss data frames sent by a distant client.
Regarding QoS Data frames, the key differentiator is the QoS Control field, which shows the QoS priority the transmitter assigned to the frame. In end-to-end QoS analysis, look at frames in both directions between the station and the AP to verify that they are tagged correctly. For a complete QoS picture, don’t forget to check the wired side of the network, but that’s outside the scope of this book, right?
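To make those subtype numbers concrete, here is a small added example (my own Python, not code from the CWAP book or from François’ sheet) that decodes the Frame Control field of a constructed 802.11 header, reports the same type/subtype value Wireshark shows in wlan.fc.type_subtype, and for QoS Data pulls the priority (TID) out of the QoS Control field. The sample headers and addresses are constructed, not taken from a real capture.

```python
import struct

# Wireshark's wlan.fc.type_subtype is (type << 4) | subtype: 0x20 (32) for Data,
# 0x28 (40) for QoS Data.  TID -> WMM access category mapping (802.1D priorities).
TID_TO_AC = {0: "AC_BE", 3: "AC_BE", 1: "AC_BK", 2: "AC_BK",
             4: "AC_VI", 5: "AC_VI", 6: "AC_VO", 7: "AC_VO"}

def parse_data_frame(frame: bytes) -> dict:
    """Decode the Frame Control field and, for QoS Data, the QoS Control
    field of an 802.11 MAC header (no HT Control field, FCS not included)."""
    fc, = struct.unpack_from("<H", frame, 0)
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    info = {
        "type_subtype": (ftype << 4) | subtype,        # same value Wireshark shows
        "is_data": ftype == 2,
        "is_qos": ftype == 2 and bool(subtype & 0x8),  # data subtypes 8-15 carry QoS
        "to_ds": bool(flags & 0x01), "from_ds": bool(flags & 0x02),
        "retry": bool(flags & 0x08), "pwr_mgt": bool(flags & 0x10),
        "more_data": bool(flags & 0x20),
    }
    if info["is_qos"]:
        # FC(2) Dur(2) A1(6) A2(6) A3(6) SeqCtl(2) [A4(6) if ToDS+FromDS] QoSCtl(2)
        off = 24 + (6 if info["to_ds"] and info["from_ds"] else 0)
        qos, = struct.unpack_from("<H", frame, off)
        info["tid"] = qos & 0xF                        # priority set by the transmitter
        info["ac"] = TID_TO_AC.get(info["tid"], "reserved")
    return info

def wireshark_filter(info: dict) -> str:
    """Display filter that selects frames of the same type/subtype."""
    return f"wlan.fc.type_subtype == 0x{info['type_subtype']:02x}"

def build(fc: int, qos=None) -> bytes:
    """Constructed header with dummy addresses (not taken from a capture)."""
    hdr = struct.pack("<H", fc) + b"\x00\x00" + b"\x02" * 18 + b"\x10\x00"
    return hdr + (struct.pack("<H", qos) if qos is not None else b"")

if __name__ == "__main__":
    # constructed samples: a plain Data frame (ToDS) and a retried QoS Data
    # frame (FromDS, More Data set) carrying TID 6 (voice)
    for frame in (build(0x0108), build(0x2A88, 6)):
        info = parse_data_frame(frame)
        print(wireshark_filter(info), info)
```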

(Block) Acknowledgements
Data frames should always be acknowledged by the receiver. If no acknowledgement arrives, the Retry bit is set to 1 and the frame is retransmitted. To make data transfer more efficient and faster, multiple data frames can be acknowledged by a single ACK, called a Block Acknowledgement.
First, the transmitting device sends a special Action frame (Add Block Ack Request), to which the receiver has to respond with a similar Action frame (Add Block Ack Response). These frames have to be acknowledged with an ACK themselves. After this negotiation, the transmitter can send multiple data frames followed by the infamous Block Ack frame. Thereafter, another Action frame (Delete Block Ack Request) is sent out and acknowledged, ending the whole Block Ack exchange.
In the Add Block Ack Request Action frame, the important parameters being requested are the Block Ack Policy (immediate or delayed Block Ack; immediate is commonly used), the Timeout value (the Block Ack time window) and the maximum number of frames that can be buffered and acknowledged by a single Block Ack.

The Add Block Ack Response Action Frame includes the same parameters in its response and adds a status code indicating whether the request is accepted or not.
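As an added example (my own Python, not code from the book), here is a decoder for the three Block Ack action frame bodies described above (ADDBA Request, ADDBA Response and DELBA in the standard’s terms), plus a small check that compares what was requested with what the responder accepted. The frame bodies are constructed for the example; the field layout follows 802.11’s Block Ack Parameter Set (A-MSDU, policy, TID, buffer size).

```python
import struct

BLOCK_ACK_CATEGORY = 3
ACTIONS = {0: "ADDBA Request", 1: "ADDBA Response", 2: "DELBA"}

def parse_ba_params(raw: int) -> dict:
    """Block Ack Parameter Set: B0 A-MSDU, B1 policy, B2-B5 TID, B6-B15 buffer size."""
    return {"amsdu": bool(raw & 1),
            "policy": "immediate" if raw & 2 else "delayed",
            "tid": (raw >> 2) & 0xF,
            "buffer_size": (raw >> 6) & 0x3FF}

def parse_block_ack_action(body: bytes) -> dict:
    """Decode the body of an ADDBA Request / ADDBA Response / DELBA action frame."""
    category, action = body[0], body[1]
    if category != BLOCK_ACK_CATEGORY or action not in ACTIONS:
        raise ValueError("not a Block Ack action frame")
    out = {"action": ACTIONS[action]}
    if action == 0:    # token, parameter set, timeout (TU), starting sequence control
        token, params, timeout, ssc = struct.unpack_from("<BHHH", body, 2)
        out.update(dialog_token=token, timeout_tu=timeout, start_seq=ssc >> 4,
                   **parse_ba_params(params))
    elif action == 1:  # token, status code, parameter set, timeout (TU)
        token, status, params, timeout = struct.unpack_from("<BHHH", body, 2)
        out.update(dialog_token=token, status=status, accepted=status == 0,
                   timeout_tu=timeout, **parse_ba_params(params))
    else:              # DELBA parameter set (B11 initiator, B12-B15 TID), reason code
        params, reason = struct.unpack_from("<HH", body, 2)
        out.update(initiator=bool(params & 0x0800), tid=(params >> 12) & 0xF, reason=reason)
    return out

def check_session(request: dict, response: dict) -> list:
    """Things worth noting when the two halves of the negotiation disagree."""
    issues = []
    if request["dialog_token"] != response["dialog_token"]:
        issues.append("dialog token mismatch")
    if not response["accepted"]:
        issues.append(f"ADDBA rejected, status code {response['status']}")
    if response["tid"] != request["tid"]:
        issues.append("TID changed in response")
    if response["buffer_size"] < request["buffer_size"]:
        issues.append(f"buffer size reduced to {response['buffer_size']}")
    return issues

# constructed sample bodies: request TID 0, immediate policy, 64-frame window,
# starting sequence 100; the response accepts but only offers a 32-frame window
SAMPLE_ADDBA_REQ = bytes([3, 0, 5, 0x02, 0x10, 0, 0, 0x40, 0x06])
SAMPLE_ADDBA_RESP = bytes([3, 1, 5, 0, 0, 0x02, 0x08, 0, 0])
SAMPLE_DELBA = bytes([3, 2, 0x00, 0x08, 0x25, 0x00])   # initiator-side, TID 0, reason 37
```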

Common issues with MAC Operations
You and I already know a bit more about how all of this works, but sometimes things don’t work as expected. Some of these functionalities, and what can go wrong with them, deserve a place in this chapter as well.
Power Save Operations
There are three ways in which stations can perform power saving. The first method is the legacy variant that uses PS-Poll frames. If the station sees its AID in the beacon frame, the client knows the AP has buffered frames waiting for it and sends a PS-Poll frame to request the data, which also tells the AP it is awake. Even if the More Data bit is set to 1, a separate PS-Poll frame has to be sent to request each further frame.
This is very inefficient, which is why another method was introduced: Unscheduled Automatic Power Save Delivery (U-APSD). Instead of sending multiple PS-Poll frames, one (QoS) Null Data frame is sent with the Power Management bit set to 0 (the STA will stay awake), after which all buffered frames can be sent. When a frame is received with the More Data bit set to 0, the power-saving STA knows it was the last buffered frame and sends out another (QoS) Null Data frame with the PM bit set to 1 (the STA will go to sleep). Clearly, two Null frames are far more efficient than X PS-Poll frames, resulting in less overhead.
The third method covered in this book is WMM-PS, which works basically the same as U-APSD, but the STA can request buffered frames from a specific Access Category (AC). A great example is a smartphone that first requests VoIP packets before the data of an incoming email message.
CWAP-404 does not go any further than this, but you should know that 802.11ax introduced a new power-saving method: Target Wake Time (TWT). It works by negotiating a wake-up schedule between the AP and the STA. Outside the TWT interval (“awake time”), the STA can sleep. Because of this, there is no need to send PS-Poll frames or Null Data frames: the AP knows when the STA can and cannot receive frames. This is yet another step towards more efficient Wi-Fi and conserves more battery (less wake time), which is especially great for IoT and low-power devices.
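To see what the PS-Poll and U-APSD exchanges look like when you walk through a capture, here is an added Python example (mine, not from the book) that tracks each station’s power state from PS-Poll frames, Null Data frames and the PM bit as described above, counts the power-save frames each method needs for the same three buffered frames, and flags a frame the AP sends after the station announced it went to sleep. The frame records, the station names and the “ap” label are constructed for this example, not taken from a capture.

```python
PS_POLL, NULL, QOS_NULL = 0x1A, 0x24, 0x2C     # wlan.fc.type_subtype values
DATA, QOS_DATA, AP = 0x20, 0x28, "ap"

def _new_station():
    return {"method": None, "awake": False, "one_shot": False, "pending": False,
            "ps_frames": 0, "delivered": 0, "issues": []}

def track_power_save(frames):
    """Walk simplified frames (dict with ts=type_subtype, src, dst, pm, more)
    and keep per-station power-save state the way the chapter describes it."""
    stations = {}
    for f in frames:
        if f["src"] != AP:                               # uplink from a station
            s = stations.setdefault(f["src"], _new_station())
            if f["ts"] == PS_POLL:                       # legacy: one frame per poll
                s.update(method="PS-Poll", awake=True, one_shot=True)
                s["ps_frames"] += 1
            elif f["ts"] in (NULL, QOS_NULL):            # U-APSD: PM=0 wake, PM=1 doze
                s.update(method="U-APSD", awake=not f["pm"], one_shot=False)
                s["ps_frames"] += 1
            else:                                        # any other frame: PM bit rules
                s["awake"] = not f["pm"]
        elif f["dst"] in stations:                       # downlink to a known station
            s = stations[f["dst"]]
            s["delivered"] += 1
            if not s["awake"]:
                s["issues"].append(f"frame {s['delivered']} sent while STA is dozing")
            if s["one_shot"]:                            # a PS-Poll buys exactly one frame
                s["awake"] = False
                s["pending"] = bool(f["more"])           # More Data=1: another poll needed
    return stations

# constructed exchange: sta1 uses legacy PS-Poll and sta2 uses U-APSD, both with
# three buffered frames; the AP then sends one more frame to sta2 after it dozed
SAMPLE_FRAMES = [
    dict(ts=PS_POLL, src="sta1", dst=AP, pm=1, more=0),
    dict(ts=DATA, src=AP, dst="sta1", pm=0, more=1),
    dict(ts=PS_POLL, src="sta1", dst=AP, pm=1, more=0),
    dict(ts=DATA, src=AP, dst="sta1", pm=0, more=1),
    dict(ts=PS_POLL, src="sta1", dst=AP, pm=1, more=0),
    dict(ts=DATA, src=AP, dst="sta1", pm=0, more=0),
    dict(ts=QOS_NULL, src="sta2", dst=AP, pm=0, more=0),   # trigger, stay awake
    dict(ts=QOS_DATA, src=AP, dst="sta2", pm=0, more=1),
    dict(ts=QOS_DATA, src=AP, dst="sta2", pm=0, more=1),
    dict(ts=QOS_DATA, src=AP, dst="sta2", pm=0, more=0),   # last buffered frame
    dict(ts=QOS_NULL, src="sta2", dst=AP, pm=1, more=0),   # back to sleep
    dict(ts=QOS_DATA, src=AP, dst="sta2", pm=0, more=0),   # should not happen
]
```

Running track_power_save(SAMPLE_FRAMES) shows sta1 needing three PS-Poll frames and sta2 only two Null frames for the same three buffered frames, and lists the fourth frame to sta2 as sent while it was dozing.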
Protection Mechanisms
In environments where devices with different 802.11 capabilities coexist, protection mechanisms are crucial to keep things running smoothly and avoid unnecessary collisions. These mechanisms, like ERP and HT protection modes, help ensure older legacy devices can play nice with modern Wi-Fi gear.
ERP protection, introduced with 802.11g, is all about handling coexistence with 802.11b devices in the 2.4 GHz band. When this kicks in, the ERP Information Element in Beacon and management frames signals the use of RTS/CTS or CTS-to-Self. This way, legacy devices, which can’t understand newer ERP frames, know when to back off from the medium.
HT protection takes it a step further with 802.11n, offering modes to manage coexistence with non-HT devices. These modes determine whether RTS/CTS or CTS-to-Self is required to shield HT transmissions in mixed environments. I’ve already gone into detail on these modes in my Chapter 3 post, so I’ll skip that here.
If protection mechanisms aren’t working correctly, legacy devices can end up stepping on advanced transmissions they can’t decode, causing collisions, reduced throughput, and overall chaos. When troubleshooting, it’s worth checking Beacon or Probe Response frames for the ERP or HT elements, looking for RTS/CTS or CTS-to-Self activity, and identifying any legacy devices operating in the BSS.
Getting this right ensures your network stays efficient and stable, even with a mix of devices from multiple Wi-Fi generations.
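The troubleshooting step above (checking Beacon or Probe Response frames for the ERP and HT elements) as an added Python example, not code from the book: it walks the tagged parameters of a management frame body, decodes the flags of the ERP Information element and the HT Protection mode from the HT Operation element, and reports what a mixed-mode BSS would show. The tagged-parameter bytes are constructed for the example.

```python
import struct

ERP_ID, HT_OPERATION_ID = 42, 61
HT_PROTECTION = {0: "none", 1: "nonmember", 2: "20 MHz", 3: "non-HT mixed"}

def iter_ies(tagged: bytes):
    """Yield (element_id, payload) from the tagged parameters of a Beacon or
    Probe Response body (the fixed fields before them already stripped)."""
    i = 0
    while i + 2 <= len(tagged):
        eid, ln = tagged[i], tagged[i + 1]
        yield eid, tagged[i + 2:i + 2 + ln]
        i += 2 + ln

def protection_status(tagged: bytes) -> dict:
    """Pull the protection-related bits out of the ERP and HT Operation elements."""
    out = {}
    for eid, val in iter_ies(tagged):
        if eid == ERP_ID and len(val) >= 1:            # one byte of flags
            out["erp"] = {"non_erp_present": bool(val[0] & 0x01),
                          "use_protection": bool(val[0] & 0x02),
                          "barker_preamble": bool(val[0] & 0x04)}
        elif eid == HT_OPERATION_ID and len(val) >= 6:
            # val[0] primary channel, val[1] info subset 1, val[2:4] info subset 2
            info2, = struct.unpack_from("<H", val, 2)
            out["ht"] = {"primary_channel": val[0],
                         "protection": HT_PROTECTION[info2 & 0x3],
                         "non_greenfield_present": bool(info2 & 0x4),
                         "obss_non_ht_present": bool(info2 & 0x10)}
    return out

def warnings(status: dict) -> list:
    """What to look at first when a mixed BSS underperforms."""
    w = []
    erp = status.get("erp")
    if erp and erp["non_erp_present"] and not erp["use_protection"]:
        w.append("non-ERP STA present but Use_Protection not set")
    ht = status.get("ht")
    if ht and ht["protection"] != "none":
        w.append(f"HT protection mode '{ht['protection']}' active")
    return w

# constructed tagged parameters: SSID, ERP (non-ERP present + use protection),
# HT Operation on channel 6 with non-HT mixed protection and non-greenfield STAs
SAMPLE_TAGGED = (bytes([0, 4]) + b"demo"
                 + bytes([ERP_ID, 1, 0x03])
                 + bytes([HT_OPERATION_ID, 22, 6, 0x05, 0x07, 0x00, 0x00, 0x00]) + bytes(16))
```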
Load Balancing
Load Balancing is about spreading clients across multiple APs to prevent overloading a single one and to keep the network running smoothly. APs use factors like client count or channel utilization to decide when to steer a client elsewhere. This can be done by rejecting authentication frames, ignoring probe requests, or even disassociating a client, nudging it toward a less busy AP. However, the ultimate decision to roam lies with the client, which may result in sticky connections or poor performance. Troubleshooting often means looking at disassociation or rejection frames and checking for reason codes tied to load balancing. If it’s set too aggressively, clients might get kicked off repeatedly or fail to connect.
Band Steering
Band Steering is about steering dual-band clients to use a specific band (mainly 5 GHz), which offers better performance and capacity. APs commonly delay or ignore probe requests on 2.4 GHz, hoping to push clients toward 5 GHz. In some cases, they’ll flat-out reject authentication attempts on 2.4 GHz. This usually works well with modern devices, but older or simpler clients can struggle to connect or experience delays. Troubleshooting this involves looking at how clients are trying to connect and checking captures or AP logs for signs of steering. You might need to tweak settings to keep things working for legacy devices.
Both load balancing and band steering can do wonders for performance, but if misconfigured, they’ll leave clients frustrated. The trick is finding the sweet spot between optimization and compatibility. And if you can, create separate SSIDs (with different names) for the different bands, which prevents a ping-pong between 2.4 GHz and 5 GHz that can end in a hard disconnect. But I might have to reconsider this last piece of advice with the latest generation of Wi-Fi introduced by the Wi-Fi Alliance: Wi-Fi 7. This standard specifies the use of Multi-Link Operation, where a client is simultaneously connected over multiple radios (across different bands). More on that in CWAP-405 or other recent books/blogs.
That’s about it for MAC Operations! It’s a short chapter, but the topics covered here form the foundation of how Wi-Fi devices communicate – from managing data frames to power save operations and protection mechanisms. Load balancing and band steering might look simple on paper, but as we’ve seen, there’s quite a bit going on behind the scenes.
Thanks for reading, and if you have questions, feel free to drop them below or reach out on LinkedIn!
Source(s):
Carpenter, T., et al. (2021). CWAP-404: Certified Wireless Analysis Professional Study Guide (2nd ed.). Durham, NC, USA: Certitrek Publishing.