Is this which frame in 802.11 data?

Question

I got this data from my WiFi driver.

48:01:3A:01:11:1A:FF:3F:
9B:67:FF:1A:E2:F4:09:34:
11:1A:FF:3F:9B:67:80:1E:
21:00:0A:00:00:12:43:6F:
72:65:6C:6F:67:69:63:5F:
72:74:6C:5F:77:6C:61:6E:
01:04:82:84:0B:16:21:02:
00:00:00:00:00:00:00:00:

I know the "frame control" field is "0x48 0x01", but I'm confused if this is data frame or control frame.

I suppose as follows:

[protocol version] bit0 bit1 - 0 0
[type] bit2 bit3 - 0 1
[subtype] bit4 bit5 bit6 bit7 - 0 0 1 0
[to ds] bit0 - 1
[from ds] bit1 - 0
[more flag] bit2 - 0
[retry] bit3 - 0
[pwr mgmt] bit4 - 0
[more data] bit5 - 0
[protected frame] bit6 - 0
[order] bit7 - 0

So... the type is "data frame", subtype is "null" and STA to AP.

Is it right?

Can you please add how you acquired this data? What command(s) were used to collect it? — slm, Jul 31 '18 at 02:34
I used the "printk" from the frame pointer. This pointer exists in the "issue_probersp" function in the rtl8192 driver. The frame pointer value is "pframe". — Kim Gwanyoung, Jul 31 '18 at 04:26
What you're showing w/ this doesn't make sense to me either - https://witestlab.poly.edu/blog/802-11-wireless-lan-2/. — slm, Jul 31 '18 at 04:30
As I look your link, my data is correct. But, I mistaked the loop size of printk. Thanks a lot. — Kim Gwanyoung, Jul 31 '18 at 05:22

score 1 · Accepted Answer · answered Jul 31 '18 at 05:39

Background

The frame control field looks like this:

For a frame control of "0x48 0x01":

0x48 = 0100_1000b
0x01 = 0000_0001b

NOTE: But you have to realize that the bytes are in reverse order because they're transmitted in LSB. Therefore 0x01 is actually the bytes for version and type.

Protocol Version field

0000 0001
     ^^^^--- Subtype
  ^^-------- Type
^^---------- Protocol Version

Type field

With respect to the 'Type' field, the bits represent the type of frames:

Type (2-bits) There are 3 types (Management, Control, Data) of wireless frames defined in the standard. Below shows the bit value of “Type” field respect to each different type of frames.

00– Management Frame

01– Control Frame

10– Data Frame

11– Reserved

Subtype field

And the 'Subtype':

Subtype (4-bits)

There are many different kinds of management, control & data frames. Therefore > 4-bit Subtype field is required to differentiate them. Here are few examples of different subtypes (CWAP Official Study Guide – Page 79)

For the 2nd byte, 0x48, the rest of the control fields would be like this:

0100 1000
     ^------ Power Mgmt
 ^---------- From DS

From DS field

For the 'From DS':

From DS (1-bit)

When it set to “1” that indicate data frame is going from Distribution System (DS) to client station (STA)

Also this To DS & From DS field combination (00, 01,10 & 11) indication different scenarios

To DS=0, From DS=0

– It can be management or control frames where it does not go to DS

– Station to Station communication in IBSS

– STSL: Station to Station Link where data frame exchange direct client to client.

To DS=0, From DS=1

– Downstream traffic from AP to a client station.

To DS=1, From DS=0

– Upstream traffic from a client station to an AP.

To DS=1, From DS=1

Data frames uses four address format.Usually occurs when Wireless Distribution System (WDS) in use, like Wireless Bridge or Mesh Network.

Power Mgmt

Power Management (1-bit)

When a client station in “Power Save mode” it will shutdown some of the transceivers components for a period of time to conserve power.The station indicates that it is using Power Save mode by changing the value of Power Save mode bit to 1. As you can see below “Null ” data frames used to inform AP about client in Power Save mode.

This tutorial explains in full details how to decipher the rest of the bits, titled: CWAP – MAC Header : Frame Control.

References

I read the data in 1byte unit not 2bytes. So, I think the byte order must not be changed. — Kim Gwanyoung, Jul 31 '18 at 05:52
I'm pretty sure that it's ordered the way that I'm explaining it. — slm, Jul 31 '18 at 05:57
@KimGwanyoung - what are you showing me here? I know that's the order that you're seeing them but that's not the order that they get encoded as bits into the frame. Look at this screenshot from wireshark - https://i.stack.imgur.com/SEPyr.png — slm, Jul 31 '18 at 06:14
In your screenshot, please see two highlighted parts. The first line is "0x2208", the other is "08 22". I read "08 22" in the memroy by one byte. So, in my case, type and subtype will be "0x48" in the frame control field. — Kim Gwanyoung, Jul 31 '18 at 07:40
@KimGwanyoung - my hunch about the order is driven from the 0x48, a (0100b) = 4 doesn't make sense for the protocol version, according to docs has to be (0000b). - https://mrncciew.com/2014/09/27/cwap-mac-header-frame-control/ — slm, Jul 31 '18 at 13:53
This is the section: "1. Protocol Version (2-bits) This field is simply used to indicate which protocol version of 802.11 is being used by the frame. This is always set to “0” as currently one version of 802.11 technology exist." — slm, Jul 31 '18 at 13:53
The 0x48 is 01001000.It is right. But the bit order is b7 b6 b5 b4 b3 b2 b1 b0. And the frame control field bit order is b0 b1 b2 b3 b4 b5 b6 b7. — Kim Gwanyoung, Aug 01 '18 at 05:42
@KimGwanyoung - I found this Q - https://stackoverflow.com/questions/11562036/order-of-sending-frame-control-fielddata-of-an-802-11-frame as well as this - http://www.cas.mcmaster.ca/~rzheng/course/CAS765fa13/hw3.pdf. The order would seem to be in little endian for 802.11, not network byte order. So the 0x48 = 0100_1000b when read from WiFi driver would be 0x12, right? — slm, Aug 01 '18 at 08:07
Yes it is. My confusion due to endian. And do you agree with my idea that the "0x48 0x01" is data frame/null data? — Kim Gwanyoung, Aug 02 '18 at 02:06