Saturday, September 21, 2013

Understanding the Address Fields in 802.11 frames

Address fields are present in the MAC header of 802.11 frames. A frame may contain 4 address fields.


Address fields are 6 octets in length. Address fields are used to indicate Source, Transmitter, Destination, Receiver and BSSID. The address could be a unicast, multicast or broadcast address.

Isn't "Source" the same as "Transmitter"? Isn't "Destination" the same as "Receiver"?
It depends on the type of frame. They could be the same (e.g. in Management frames) or different (in Data frames).


The above diagram illustrates the difference between various addresses.
  • SA (Source Address): Source of the data (MSDU) --> STA1
  • TA (Transmitter Address): STA that transmitted the frame --> STA1, AP1, AP2
  • RA (Receiver Address): Immediate recipient of the frame --> AP1, AP2, STA2
  • DA (Destination Address): Final recipient of the data (MSDU) --> STA2
  • BSSID (Basic Service Set IDentifier): Unique identifier of the BSS, e.g., the MAC address of the AP in an infrastructure network --> AP1, AP2
Are all the 4 address fields always used?
No, they are not. Only Address1 is mandatory. For example, a CTS frame only has Address1. The remaining fields are filled based on the frame.

How is each field used?
Address fields are used based on the type of frame: Control, Management or Data.

| Field    | Control Frames | Management Frames | Data Frames       |
|----------|----------------|-------------------|-------------------|
| Address1 | RA             | RA                | RA                |
| Address2 | TA (not all)   | TA                | TA                |
| Address3 | Not used       | BSSID             | BSSID or SA or DA |
| Address4 | Not used       | Not used          | BSSID or SA       |

The Address fields in Data frames are based on the direction of the frame: "To DS" or "From DS".

  • "To DS": Set to 1 in all data frames sent from STA to AP
  • "From DS": Set to 1 in all data frames sent from AP to STA
  • Both "To DS" and "From DS" may be set to 1 if the frame is being relayed between APs.

| To DS | From DS | Address 3 | Address 4 |
|-------|---------|-----------|-----------|
| 0     | 0       | BSSID     | Not used  |
| 0     | 1       | SA        | Not used  |
| 1     | 0       | DA        | Not used  |
| 1     | 1       | DA        | SA        |

Note: In case of A-MSDU, SA and DA are part of A-MSDU sub-headers. BSSID is filled in Address3 and Address4 instead of SA and DA.
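
The following is an added example, not code from the original post: a small Python resolver that reads the "To DS"/"From DS" bits of a data frame header and names each address field according to the table above. It assumes a bare 802.11 MAC header (no radiotap header, no A-MSDU), and the MAC addresses and sample frames are constructed for illustration; the Address1/Address2 roles follow from RA and TA being the immediate hop.

```python
import struct

# Constructed sample addresses (locally administered), not from a real capture.
STA1, STA2 = "020000000001", "020000000002"
AP1, AP2 = "0200000000a1", "0200000000a2"

# Constructed headers: Frame Control, Duration, Address1-3, Sequence Control[, Address4]
TO_AP = bytes.fromhex("0801" + "0000" + AP1 + STA1 + STA2 + "0000")         # To DS=1
RELAY = bytes.fromhex("0803" + "0000" + AP2 + AP1 + STA2 + "0000" + STA1)  # both=1
FROM_AP = bytes.fromhex("0802" + "0000" + STA2 + AP2 + STA1 + "0000")       # From DS=1


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def resolve_addresses(frame: bytes) -> dict:
    """Name Address1..4 of a non-A-MSDU data frame by role (RA/TA/SA/DA/BSSID)."""
    if len(frame) < 24:
        raise ValueError("truncated MAC header")
    (fc,) = struct.unpack_from("<H", frame, 0)   # Frame Control is little-endian
    if (fc >> 2) & 0x3 != 2:                     # type bits: 2 = Data
        raise ValueError("not a data frame")
    to_ds, from_ds = (fc >> 8) & 1, (fc >> 9) & 1
    a1, a2, a3 = (mac(frame[o:o + 6]) for o in (4, 10, 16))
    roles = {"to_ds": to_ds, "from_ds": from_ds, "RA": a1, "TA": a2}
    if not to_ds and not from_ds:                # Address3 = BSSID
        roles.update(DA=a1, SA=a2, BSSID=a3)
    elif from_ds and not to_ds:                  # AP -> STA, Address3 = SA
        roles.update(DA=a1, BSSID=a2, SA=a3)
    elif to_ds and not from_ds:                  # STA -> AP, Address3 = DA
        roles.update(BSSID=a1, SA=a2, DA=a3)
    else:                                        # AP -> AP relay, Address4 = SA
        if len(frame) < 30:
            raise ValueError("truncated 4-address header")
        roles.update(DA=a3, SA=mac(frame[24:30]), BSSID=None)  # no BSSID field here
    return roles


if __name__ == "__main__":
    for name, frame in (("STA1->AP1", TO_AP), ("AP1->AP2", RELAY), ("AP2->STA2", FROM_AP)):
        print(name, resolve_addresses(frame))
```

Across all three hops SA and DA stay STA1 and STA2 while RA and TA change per hop, so capture filters or detection rules that track an endpoint should match on the resolved SA/DA rather than on a fixed address position.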

Address Fields in Sniffer logs
Let's look at some sniffer traces and examine the address fields.









4 comments:

  1. You can find more information on the website http://wlan-wifi.com/bssid

  2. Hi Sumanth,

    Very nice article. Thank you for providing detailed information about addressing mechanism in 802.11.

    I have a scenario where I am not able to understand the addressing mechanism. The scenario is like
    "An access point is connected to a switch with an Ethernet connection; to the same switch a station called STA2 is connected. Now one more station, STA1, is connected to the AP via the wireless interface. Now if I ping from STA1 to STA2, how will the packet reach STA2?" And what are the address fields that src, dst, transmitter and BSSID will change.

    In the same scenario, if I ping google.com from STA1, what will the address fields contain?

    Please provide me a detailed explanation.

  3. Thank you very much for a set of wonderful and useful articles on basics of Wi-Fi. The explanations presented along with sequence diagrams and packet captures are totally helpful. Once again, thank you very much. Hope to see more detailed articles on 802.11ac/ad/ax

  4. It's useful information, thank you very much for the 3-address and 4-address format verification
