"The 802.11 MAC is one of the most complicated in existence. There is simply no other protocol that attempts to do so much in a shared medium." — 802.11 Wireless Networks: The Definitive Guide, Matthew Gast
Lecture (50 min)
2.1 The 802.11 Frame Structure
Every 802.11 frame has three parts: MAC header, frame body (payload), and FCS (Frame Check Sequence, a 32-bit CRC).
The MAC header contains:
- Frame Control (2 bytes): protocol version, type (management/control/data), subtype, flags (ToDS, FromDS, More Frag, Retry, Power Mgmt, More Data, Protected, Order)
- Duration/ID (2 bytes): NAV (network allocation vector) for CSMA/CA arbitration
- Address fields (6 bytes each, up to 4): Source, Destination, BSSID, and (in WDS mode) a fourth address
The Wireshark field wlan.fc.type_subtype packs type and subtype into one value ((type << 4) | subtype), so a display filter such as wlan.fc.type_subtype == 0x08 selects one frame kind. Common values:
- 0x00 = Association Request
- 0x01 = Association Response
- 0x02 = Reassociation Request
- 0x08 = Beacon
- 0x0b = Authentication
- 0x0c = Deauthentication
- 0x20 = Data
- 0x28 = QoS Data (802.11e)
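The header layout above, worked through in code. This is an added example for the course notes, not code from the page or from the aircrack-ng/Wireshark projects: it decodes Frame Control into Wireshark's type_subtype value, reads Duration and the address fields (whose meaning depends on the ToDS/FromDS pair), verifies the CRC-32 FCS, and, for a Beacon, walks the information elements the homework asks you to annotate (SSID, channel, rates, RSN). The sample Beacon, its AP address 02:00:00:00:aa:01 and SSID "LabNet" are constructed for the example.

```python
import struct
import zlib

# Wireshark's wlan.fc.type_subtype packs (type << 4) | subtype into one value.
TYPE_SUBTYPE_NAMES = {
    0x00: "Association Request", 0x01: "Association Response", 0x02: "Reassociation Request",
    0x04: "Probe Request", 0x05: "Probe Response", 0x08: "Beacon", 0x0b: "Authentication",
    0x0c: "Deauthentication", 0x20: "Data", 0x28: "QoS Data",
}
# Frame Control byte 1, flag bits 0..7 in the order listed in section 2.1.
FLAG_NAMES = ["ToDS", "FromDS", "MoreFrag", "Retry", "PwrMgmt", "MoreData", "Protected", "Order"]
# Meaning of Address 1..4 as a function of the (ToDS, FromDS) flag pair; (1, 1) is WDS.
ADDR_ROLES = {(0, 0): ("DA", "SA", "BSSID"), (1, 0): ("BSSID", "SA", "DA"),
              (0, 1): ("DA", "BSSID", "SA"), (1, 1): ("RA", "TA", "DA", "SA")}
# RSN suite selectors under OUI 00-0f-ac (cipher suites and AKM suites are numbered separately).
CIPHER_NAMES = {2: "TKIP", 4: "CCMP-128"}
AKM_NAMES = {1: "802.1X", 2: "PSK", 8: "SAE"}

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def fcs_ok(frame):
    """The FCS is CRC-32 over header and body, appended little-endian."""
    return zlib.crc32(frame[:-4]) == int.from_bytes(frame[-4:], "little")

def parse_mac_header(frame):
    """Decode the MAC header of a management or data frame (control frames use shorter headers)."""
    fc0, fc1, duration = struct.unpack_from("<BBH", frame, 0)
    ftype, subtype = (fc0 >> 2) & 0x03, fc0 >> 4
    if ftype == 1:
        raise ValueError("control frames are not handled by this parser")
    ds = (fc1 & 1, (fc1 >> 1) & 1)
    addrs = [frame[4:10], frame[10:16], frame[16:22]]
    seq_ctrl, = struct.unpack_from("<H", frame, 22)
    hdr_len = 24
    if ds == (1, 1):                      # WDS: Address 4 follows Sequence Control
        addrs.append(frame[24:30])
        hdr_len = 30
    if ftype == 2 and subtype & 0x08:     # QoS Data: 2-byte QoS Control field follows
        hdr_len += 2
    type_subtype = (ftype << 4) | subtype
    return {
        "version": fc0 & 0x03, "type_subtype": type_subtype,
        "name": TYPE_SUBTYPE_NAMES.get(type_subtype, "other"),
        "flags": [n for i, n in enumerate(FLAG_NAMES) if fc1 & (1 << i)],
        "duration": duration,
        "addresses": dict(zip(ADDR_ROLES[ds], map(mac_str, addrs))),
        "seq": seq_ctrl >> 4, "frag": seq_ctrl & 0x0f, "header_len": hdr_len,
    }

def parse_rsn(val):
    """RSN IE (ID 48): version, group cipher, pairwise cipher list, AKM list."""
    version, = struct.unpack_from("<H", val, 0)
    out = {"version": version, "group_cipher": CIPHER_NAMES.get(val[5], "?")}
    off = 6
    for key, names in (("pairwise", CIPHER_NAMES), ("akm", AKM_NAMES)):
        count, = struct.unpack_from("<H", val, off)
        off += 2
        out[key] = [names.get(val[off + 4 * i + 3], "?") for i in range(count)]
        off += 4 * count
    return out

def parse_beacon_body(body):
    """Fixed fields, then tagged information elements (the fields the homework asks for)."""
    timestamp, interval, cap = struct.unpack_from("<QHH", body, 0)
    info = {"timestamp": timestamp, "beacon_interval_tu": interval, "privacy": bool(cap & 0x0010)}
    off = 12
    while off + 2 <= len(body):
        eid, elen = body[off], body[off + 1]
        val = body[off + 2:off + 2 + elen]
        if len(val) < elen:               # truncated IE: stop instead of misparsing
            break
        if eid == 0:
            info["ssid"] = val.decode("utf-8", "replace")
        elif eid == 1:
            info["rates_mbps"] = [(r & 0x7f) / 2 for r in val]   # top bit marks a basic rate
        elif eid == 3:
            info["channel"] = val[0]
        elif eid == 48:
            info["rsn"] = parse_rsn(val)
        off += 2 + elen
    return info

def parse_frame(frame, has_fcs=True):
    hdr = parse_mac_header(frame)
    hdr["fcs_ok"] = fcs_ok(frame) if has_fcs else None
    end = len(frame) - 4 if has_fcs else len(frame)
    if hdr["type_subtype"] == 0x08:
        hdr["beacon"] = parse_beacon_body(frame[hdr["header_len"]:end])
    return hdr

# Constructed sample: a Beacon from a made-up AP 02:00:00:00:aa:01, SSID "LabNet", channel 6, WPA2-PSK/CCMP.
_BODY = (
    bytes([0x80, 0x00, 0x00, 0x00])                 # Frame Control = Beacon, Duration = 0
    + b"\xff" * 6                                   # Address 1: broadcast DA
    + bytes.fromhex("02000000aa01") * 2             # Address 2 (SA) and Address 3 (BSSID)
    + bytes([0x10, 0x00])                           # Sequence Control: seq 1, frag 0
    + struct.pack("<QHH", 1_000_000, 100, 0x0411)   # timestamp, interval 100 TU, capabilities ESS|Privacy|ShortSlot
    + bytes([0, 6]) + b"LabNet"                     # SSID IE
    + bytes([1, 4, 0x82, 0x84, 0x8b, 0x96])         # Supported Rates: 1, 2, 5.5, 11 Mbps (basic)
    + bytes([3, 1, 6])                              # DS Parameter Set: channel 6
    + bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")  # RSN IE
)
SAMPLE_BEACON = _BODY + zlib.crc32(_BODY).to_bytes(4, "little")
```

Run parse_frame(SAMPLE_BEACON) and compare the result with Wireshark's decode of a real Beacon: the address roles, the seq/frag split, and the RSN suite list should line up field for field. Control frames (ACK, RTS/CTS) are rejected deliberately; their headers are 10 or 16 bytes and would be misread by the 24-byte layout.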
2.2 Management Frame Sequence: Association
The association sequence establishes a station's relationship with an AP:
Station                                 AP
   |--- Probe Request ----------------->|   (optional; passive scan uses Beacons)
   |<-- Probe Response -----------------|
   |--- Authentication (Open) --------->|
   |<-- Authentication Response --------|
   |--- Association Request ----------->|
   |<-- Association Response -----------|
   |=== Data Frames ====================|
Authentication vs. Association: 802.11 "Authentication" at this level is a holdover from WEP-era open-system and shared-key modes. Modern WPA2/WPA3 networks use open-system 802.11 authentication (effectively no authentication), then rely on the 4-way handshake (WPA2) or SAE (WPA3) for actual key derivation.
2.3 CSMA/CA: How Stations Share the Medium
Ethernet uses CSMA/CD (collision detection). 802.11 uses CSMA/CA (collision avoidance) because detecting collisions on a wireless medium is impractical -- a transmitting station cannot hear other transmissions while it is transmitting.
CSMA/CA process:
- Carrier Sense: station listens. If medium is idle for DIFS (Distributed Inter-Frame Space), proceed.
- Backoff: draw a random backoff counter from [0, CW]. Decrement while medium is idle. Transmit when counter reaches 0.
- ACK: receiver sends ACK after SIFS (Short IFS). If ACK not received, double the CW (binary exponential backoff) and retry.
Security implication: the NAV field in frame headers is taken on trust. A malicious station can set an artificially high NAV, telling all other stations the medium is busy, causing a virtual carrier-sense denial of service without actually transmitting data. This is a MAC-layer DoS, not a physical-layer jam.
2.4 Management Frame Injection: The Deauthentication Attack
In 802.11 prior to 802.11w (Management Frame Protection), management frames are unprotected -- they are not covered by the session's encryption keys. Any station that knows the BSSID and a connected client's MAC address can forge a Deauthentication frame.
The deauth attack:
- Attacker puts their NIC in monitor mode
- Captures a Beacon from the target AP (learns BSSID)
- Observes a connected client (learns STA MAC)
- Crafts and injects a Deauth frame with: src=BSSID, dst=STA MAC, reason code=7 (Class 3 frame from non-associated STA)
- Client disconnects, attempts re-association
- During re-association, a 4-way handshake occurs -- which the attacker captures
Tool: aireplay-ng -0 1 -a BSSID -c CLIENT_MAC wlan0mon
Defense: 802.11w (Management Frame Protection, MFP) encrypts Deauth frames for associated clients using the PTK. WPA3-SAE mandates MFP. WPA2 networks can optionally enable it.
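Detection logic for the two MAC-layer abuses described in sections 2.3 and 2.4, as an added example (not code from the course or from any tool mentioned here). It runs over already-decoded frame records and flags, on the NAV side, single Duration values that are implausibly large and transmitters whose reservations add up to most of a window, and, on the deauth side, broadcast deauths and bursts aimed at one client. The thresholds, the trace, and the addresses (AP 02:00:00:00:aa:01, client 02:00:00:00:bb:02, rogue 02:00:00:00:ee:0e) are constructed for the example.

```python
from collections import Counter, defaultdict, deque

DEAUTH, DISASSOC = 0x0c, 0x0a
BCAST = "ff:ff:ff:ff:ff:ff"
# Assumed thresholds for this example; baseline them against your own network before relying on them.
NAV_SINGLE_US = 5000      # one reservation longer than this is suspect (max encodable NAV is 32767)
NAV_DUTY_FRAC = 0.5       # one transmitter reserving more than half of the window
DEAUTH_BURST = 5          # this many deauth/disassoc to one STA within DEAUTH_WINDOW_S
DEAUTH_WINDOW_S = 2.0

def detect_nav_abuse(frames, window_s=1.0):
    """Flag frames whose Duration field reserves an implausible NAV, and transmitters
    whose reservations inside a sliding window exceed NAV_DUTY_FRAC of it."""
    alerts, reserved, last_alert = [], defaultdict(deque), {}
    for f in frames:
        dur = f["duration"]
        if dur & 0x8000:              # bit 15 set: PS-Poll AID or CFP marker, not a NAV value
            continue
        if dur > NAV_SINGLE_US:
            alerts.append(("nav_single", f["t"], f["src"], dur))
        q = reserved[f["src"]]
        q.append((f["t"], dur))
        while q and q[0][0] < f["t"] - window_s:
            q.popleft()
        total_s = sum(d for _, d in q) / 1e6
        if total_s > NAV_DUTY_FRAC * window_s and f["t"] - last_alert.get(f["src"], -1e9) >= window_s:
            last_alert[f["src"]] = f["t"]      # one alert per transmitter per window
            alerts.append(("nav_duty", f["t"], f["src"], round(total_s, 3)))
    return alerts

def detect_deauth_flood(frames):
    """Flag broadcast deauth/disassoc and bursts of them aimed at one (BSSID, STA) pair."""
    alerts, seen, reasons, last_alert = [], defaultdict(deque), defaultdict(Counter), {}
    for f in frames:
        if f["type_subtype"] not in (DEAUTH, DISASSOC):
            continue
        if f["dst"] == BCAST:
            alerts.append(("deauth_broadcast", f["t"], f["bssid"], f["reason"]))
        sta = f["dst"] if f["src"] == f["bssid"] else f["src"]   # the non-AP side of the frame
        key = (f["bssid"], sta)
        q = seen[key]
        q.append(f["t"])
        while q and q[0] < f["t"] - DEAUTH_WINDOW_S:
            q.popleft()
        reasons[key][f["reason"]] += 1
        if len(q) >= DEAUTH_BURST and f["t"] - last_alert.get(key, -1e9) >= DEAUTH_WINDOW_S:
            last_alert[key] = f["t"]
            alerts.append(("deauth_burst", f["t"], key, dict(reasons[key])))
    return alerts

# Constructed trace of already-decoded frames (one dict per frame, times in seconds).
AP, STA, ROGUE = "02:00:00:00:aa:01", "02:00:00:00:bb:02", "02:00:00:00:ee:0e"

def rec(t, type_subtype, src, dst, duration=44, reason=None):
    return {"t": t, "type_subtype": type_subtype, "src": src, "dst": dst,
            "bssid": AP, "duration": duration, "reason": reason}

SAMPLE_TRACE = (
    [rec(i * 0.1, 0x20, STA, AP) for i in range(10)]                               # normal data, NAV covers SIFS + ACK
    + [rec(1.0 + i * 0.05, 0x20, ROGUE, AP, duration=32767) for i in range(20)]    # virtual carrier-sense DoS
    + [rec(3.0 + i * 0.02, DEAUTH, AP, STA, reason=7) for i in range(8)]           # deauth burst, reason code 7
)
```

Feeding this from a live capture means mapping the parsed header fields (type_subtype, Duration, the address roles) into the record shape rec() produces. The reason-code histogram in the burst alert is the useful bit for triage: a flood of reason 7 from the BSSID toward one client, with no preceding traffic that would justify it, is the signature the lecture describes, and on an MFP-enabled network the same frames would simply be dropped by the client.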
2.5 Monitor Mode vs. Managed Mode
In managed mode (normal operation), the NIC only processes frames destined for its MAC address or broadcast. The OS never sees other stations' traffic.
In monitor mode, the NIC passes all captured frames to the OS, regardless of destination address. This is the prerequisite for all passive Wi-Fi analysis and injection attacks.
Not all NICs support monitor mode. The Alfa AWUS036ACM does. Intel integrated NICs in most laptops do not. The Linux iw command confirms support: iw phy phy0 info | grep -A5 "Supported interface modes" (look for "monitor" in the list).
Radiotap header: when a NIC captures in monitor mode, Linux prepends a Radiotap header to each frame containing: RSSI (dBm signal), noise, data rate, channel frequency, antenna. This is the metadata visible in Wireshark's "Radiotap Header" expansion.
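A parser for the Radiotap header just described, as an added example (not from the course, the Linux kernel or Wireshark). It shows the part that trips people up when they write their own capture tooling: the present bitmap selects which fields follow, each field is naturally aligned relative to the start of the header, and an unknown field makes every later offset unknowable, so the parser refuses rather than guesses. The capture record, the AP address 02:00:00:00:aa:01 and the trailing placeholder FCS are constructed for the example.

```python
import struct

# Radiotap fields selected by present-bit: (name, struct format, required alignment).
# Subset covering bits 0..14; bit 31 signals that a further present word follows.
RADIOTAP_FIELDS = {
    0: ("tsft", "<Q", 8), 1: ("flags", "<B", 1), 2: ("rate_500kbps", "<B", 1),
    3: ("channel", "<HH", 2), 4: ("fhss", "<BB", 1), 5: ("dbm_antsignal", "<b", 1),
    6: ("dbm_antnoise", "<b", 1), 7: ("lock_quality", "<H", 2), 8: ("tx_attenuation", "<H", 2),
    9: ("db_tx_attenuation", "<H", 2), 10: ("dbm_tx_power", "<b", 1), 11: ("antenna", "<B", 1),
    12: ("db_antsignal", "<B", 1), 13: ("db_antnoise", "<B", 1), 14: ("rx_flags", "<H", 2),
}
FLAG_FCS_AT_END = 0x10   # radiotap Flags bit: the captured frame includes its FCS
FLAG_BAD_FCS = 0x40      # radiotap Flags bit: the driver reports an FCS error

def freq_to_channel(mhz):
    """IEEE channel number from centre frequency (2.4 GHz and 5 GHz bands)."""
    if mhz == 2484:
        return 14
    if 2412 <= mhz <= 2472:
        return (mhz - 2407) // 5
    if 5000 <= mhz <= 5900:
        return (mhz - 5000) // 5
    raise ValueError(f"unmapped frequency {mhz}")

def parse_radiotap(buf):
    """Return (metadata dict, 802.11 frame bytes) from one monitor-mode capture record."""
    version, _pad, length = struct.unpack_from("<BBH", buf, 0)
    if version != 0 or length < 8 or length > len(buf):
        raise ValueError("bad radiotap header")
    off, present = 4, []
    while True:                       # present bitmap chain: bit 31 = another word follows
        word, = struct.unpack_from("<I", buf, off)
        off += 4
        present.append(word)
        if not word & (1 << 31):
            break
    fields = {}
    for bit in range(29):             # bits 29/30 are namespace switches, not data fields
        if not present[0] & (1 << bit):
            continue
        if bit not in RADIOTAP_FIELDS:
            raise ValueError(f"unsupported radiotap field bit {bit}; later offsets unknown")
        name, fmt, align = RADIOTAP_FIELDS[bit]
        off = (off + align - 1) & ~(align - 1)   # natural alignment, measured from header start
        vals = struct.unpack_from(fmt, buf, off)
        fields[name] = vals[0] if len(vals) == 1 else vals
        off += struct.calcsize(fmt)
    info = {"length": length, "fields": fields}
    flags = fields.get("flags", 0)
    info["has_fcs"] = bool(flags & FLAG_FCS_AT_END)
    info["bad_fcs"] = bool(flags & FLAG_BAD_FCS)
    if "rate_500kbps" in fields:
        info["rate_mbps"] = fields["rate_500kbps"] / 2
    if "channel" in fields:
        info["freq_mhz"], info["channel_flags"] = fields["channel"]
        info["channel"] = freq_to_channel(info["freq_mhz"])
    return info, buf[length:]

# Constructed capture record: radiotap with TSFT, Flags, Rate, Channel, dBm signal, Antenna
# (present = 0x0000082f), followed by a minimal management header and a placeholder FCS.
SAMPLE_RECORD = (
    bytes.fromhex("0000" "1800" "2f080000")          # version 0, pad, length 24, present bitmap
    + struct.pack("<Q", 1_000_000)                   # TSFT, 8-byte aligned at offset 8
    + bytes([0x10, 0x16])                            # Flags: FCS at end; Rate 22 * 500 kbps = 11 Mbps
    + struct.pack("<HH", 2437, 0x00a0)               # Channel: 2437 MHz, flags 2 GHz | CCK
    + bytes([0xc0, 0x00])                            # dBm antenna signal -64; antenna 0
    + bytes([0x80, 0x00, 0x00, 0x00]) + b"\xff" * 6 + bytes.fromhex("02000000aa01") * 2 + b"\x10\x00"
    + b"\x00" * 4                                    # placeholder FCS, not computed
)
```

The values parse_radiotap returns are the ones Wireshark shows under the "Radiotap Header" expansion; has_fcs tells you whether the last four bytes of the frame that follows are an FCS to verify or already stripped by the driver, which matters before you hand the frame to an 802.11 parser.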
Lab Preview
Lab 2 puts you in monitor mode with airodump-ng and Wireshark. You will capture Beacon frames, identify the radiotap header fields, then drill into an Association Request + Response sequence in a provided PCAP file.
Homework
Reading (45 min): Skim the first two chapters of the Wireshark 802.11 wiki (link in the course portal). Focus on: frame types, the Association sequence diagram, and the Deauth frame reason codes.
Hands-on (60 min): Using airodump-ng against the authorized lab AP, capture 30 seconds of beacon traffic. In Wireshark, apply the filter wlan.fc.type_subtype == 0x08 and expand one Beacon frame completely. Screenshot and annotate: SSID, BSSID, channel, supported rates, RSN (security) information element. Hand in the annotated screenshot.
Toolchain Diary Entry
First introduced this week: airmon-ng, airodump-ng, aireplay-ng, Wireshark 802.11 mode
airmon-ng check kill: kills NetworkManager, wpa_supplicant, and dhclient before enabling monitor mode. Must be run first or monitor mode may not persist.
airmon-ng start wlan0: enables monitor mode, typically renames interface to wlan0mon.
airodump-ng wlan0mon: live 802.11 frame capture with summary table (BSSID, ESSID, channel, encryption, connected clients).
airodump-ng -w capture --output-format pcap,csv wlan0mon: write capture to PCAP + CSV for offline analysis.
aireplay-ng -0 N -a BSSID -c CLIENT wlan0mon: send N deauthentication frames. Use only against authorized targets.
Key Terms
- BSSID: Basic Service Set Identifier; the AP's MAC address on the wireless interface
- SSID: Service Set Identifier; the human-readable network name in Beacon and Probe frames
- Beacon frame: management frame broadcast by the AP every ~100 ms advertising network presence and capabilities
- CSMA/CA: Carrier Sense Multiple Access with Collision Avoidance; 802.11's MAC arbitration protocol
- NAV: Network Allocation Vector; virtual reservation of the medium via the Duration field
- Monitor mode: NIC mode that passes all captured frames to the OS, regardless of destination address
- Radiotap header: OS-inserted metadata prepended to each captured 802.11 frame in monitor mode
- MFP / 802.11w: Management Frame Protection; encrypts unicast Deauth/Disassoc frames; mandatory in WPA3