Saturday, September 21, 2013

Understanding the Address Fields in 802.11 frames

Address fields are present in the MAC header of 802.11 frames. A frame may contain up to 4 address fields.


Address fields are 6 octets in length. Address fields are used to indicate Source, Transmitter, Destination, Receiver and BSSID. The address could be a unicast, multicast or broadcast address.

Isn't "Source" the same as "Transmitter"? Isn't "Destination" the same as "Receiver"?
It depends on the type of frame. They could be the same (e.g. in Management frames) or different (in Data frames).


The above diagram illustrates the difference between various addresses.
  • SA (Source Address): Source of the data (MSDU) --> STA1
  • TA (Transmitter Address): STA that transmitted the frame --> STA1, AP1, AP2
  • RA (Receiver Address): Immediate recipient of the frame --> AP1, AP2, STA2
  • DA (Destination Address): Final recipient of the data (MSDU) --> STA2
  • BSSID (Basic Service Set IDentifier): Unique identifier of the BSS, e.g., the MAC address of the AP in an infrastructure network --> AP1, AP2
Are all the 4 address fields always used?
No, they are not. Only Address1 is mandatory. For example, a CTS frame only has Address1. The remaining fields are filled based on the frame.

How is each field used?
Address fields are used based on the type of frame: Control, Management or Data.

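| Field    | Control Frames | Management Frames | Data Frames       |
|----------|----------------|-------------------|-------------------|
| Address1 | RA             | RA                | RA                |
| Address2 | TA (not all)   | TA                | TA                |
| Address3 | Not used       | BSSID             | BSSID or SA or DA |
| Address4 | Not used       | Not used          | BSSID or SA       |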

The Address fields in Data frames are based on the direction of the frame:  "To DS" or "From DS".

  • "To DS": Set to 1 in all data frames sent from STA to AP
  • "From DS": Set to 1 in all data frames sent from AP to STA
  • Both "To DS" and "From DS" may be set to 1 if the frame is being relayed between APs.

| To DS | From DS | Address 3 | Address 4 |
|-------|---------|-----------|-----------|
| 0     | 0       | BSSID     | Not used  |
| 0     | 1       | SA        | Not used  |
| 1     | 0       | DA        | Not used  |
| 1     | 1       | DA        | SA        |

Note: In case of A-MSDU, SA and DA are part of A-MSDU sub-headers. BSSID is filled in Address3 and Address4 instead of SA and DA.
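The To DS / From DS mapping above can be applied directly to raw header bytes. The following is an added example, not code from the original post: it decodes a data frame's Frame Control field and labels each address field using only the table above. It assumes the buffer starts at the 802.11 MAC header (no radiotap header) and is not an A-MSDU; the helper names and the sample MAC addresses are constructed for illustration.

```python
import struct

# Roles of Address 3 / Address 4 per (To DS, From DS), taken from the table above.
# Address 1 is always RA and Address 2 is always TA in data frames.
ADDR34_ROLES = {(0, 0): ("BSSID", None), (0, 1): ("SA", None),
                (1, 0): ("DA", None), (1, 1): ("DA", "SA")}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def data_frame_addresses(frame):
    """Label the address fields of an 802.11 data frame (non A-MSDU)."""
    if len(frame) < 24:
        raise ValueError("truncated: data frame MAC header is at least 24 octets")
    fc, = struct.unpack_from("<H", frame, 0)      # Frame Control, little-endian
    ftype = (fc >> 2) & 0x3                       # 0=Mgmt, 1=Control, 2=Data
    if ftype != 2:
        raise ValueError(f"not a data frame (type={ftype})")
    to_ds, from_ds = (fc >> 8) & 1, (fc >> 9) & 1
    roles = {"to_ds": to_ds, "from_ds": from_ds,
             "RA": mac(frame[4:10]), "TA": mac(frame[10:16])}
    a3_role, a4_role = ADDR34_ROLES[(to_ds, from_ds)]
    roles[a3_role] = mac(frame[16:22])
    if a4_role:
        # Address 4 sits after the 2-octet Sequence Control field.
        if len(frame) < 30:
            raise ValueError("truncated: To DS=1/From DS=1 requires Address 4")
        roles[a4_role] = mac(frame[24:30])
    return roles

def build(fc, *addrs):
    """Constructed header: FC, Duration=0, A1..A3, SeqCtl=0, optional A4."""
    a = [bytes.fromhex(x.replace(":", "")) for x in addrs]
    hdr = struct.pack("<HH", fc, 0) + b"".join(a[:3]) + b"\x00\x00"
    return hdr + (a[3] if len(a) > 3 else b"")

# Constructed sample addresses (locally administered, not from a real capture).
STA1, STA2 = "02:00:00:00:00:01", "02:00:00:00:00:02"
AP1, AP2 = "02:00:00:00:aa:01", "02:00:00:00:aa:02"

if __name__ == "__main__":
    # Same path as the roles listed earlier: STA1 -> AP1 -> AP2 -> STA2
    for f in (build(0x0108, AP1, STA1, STA2),          # To DS
              build(0x0308, AP2, AP1, STA2, STA1),     # To DS + From DS
              build(0x0208, STA2, AP2, STA1)):         # From DS
        print(data_frame_addresses(f))
```

Across the three hops the RA and TA change at every step while SA (STA1) and DA (STA2) stay fixed, which is the distinction the address roles above describe.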

Address Fields in Sniffer logs
Let's look at some sniffer traces and examine the address fields.