So I've been doing a lot of wireless related stuff lately. Mainly audits of wireless environments. Lots of passive sniffing and packet analysis, so it's necessary to have a solid understanding of 802.11 Framing and the various packet types. By simply looking at the packets you can determine a great deal about the network in question.
A typical packet is made up of the following:
Frame Control [2 bytes] – This defines the options in the header fields and specifies the type of frame (management, data or control) in use. The frames format changes depending on the options specified in this Frame Control field.
Duration/ID [2 bytes] – This defines the amount time that the transmission medium is expected to be busy for the duration of the data transmission.
Address 1 [6 bytes] – This is the destination/receiving address.
Address 2 [6 bytes] - This is the source address. The address of the device that sent the frame.
Address 3 [6 bytes] – This is a filtering address. It is used to filter traffic on the same frequency as other BSS networks.
Sequence Control [2 bytes] – This is used for fragmentation in management and data frames and contains the sequence number and fragment number fields. Frames with payloads larger than 2312 bytes will be fragmented. Fragmentation is seldom used, as the maximum size of an Ethernet frame is 1500 bytes.
Address 4 [6 bytes] – This address is only used in WDS (Wireless Distribution Systems) to specify the source address. This is the station that sent the packet over the WDS.
Data Frame [variable] – This contains the payload. In management frames the structure is strictly ordered and contains fixed length parameters followed by variable length parameters in any order.
Frame Check Sequence [4 bytes] – This is a CRC32 checksum and is used to provide message integrity against accidental corruption of the frame in transit.
Obviously this is a very simple breakdown of an 802.11 frame.
In the Frame Control header field, which defines the options for the remainder of the header fields, there are two bits called the ‘To DS’ and ‘From DS’ bits. These are the 8th and 9th bits respectively. The To Distribution System and From Distribution bits are important for analysis as, depending on the combination of these flags, they identify the type of network the packet originated from.
The distribution system can have various definitions but it’s easiest to define the distribution system as that which connects the wireless network to other networks. In most cases this will be the wired network. By looking at which bit is set we can determine the source and destination MAC addresses in use.
To DS bit is set – The packet is coming from a wireless station to the wired network
From DS bit is set – The packet is coming from the wired network, or possibly the AP itself and is destined for a wireless station.
From DS and To DS are cleared – The packet is from an Ad-hoc network.
From DS and To DS are set – The packet is from a WDS network. Most often a WDS network is used to connect networks together. An example would be a bridge between buildings.
WDS networks are the only ones that will have a value set for all four address fields. When analyzing a packet from a WDS network it is important that you don’t mix up the Receiver Address (address 1), the Transmitter Address (Address 2), the Destination Address (Address 3) and the Source Address (Address 4).
The Receiver Address is the MAC address of the device at one end of a WDS network (I.e.: a bridge) that bridges the wireless connection to the wired network.
The Transmitter Address is the MAC address of the device at the other end of the WDS network that bridges the traffic from the wired network to the wireless network.
Node ←→Wired Network ←→ AP/bridge ←→ AP/bridge ←→ Wireless Network ←→ Node
The Transmitter and Receiver neither create the frame or are the intended recipient of the frame, they merely receive and forward the frame on. The frame is created by the device identified by the MAC address in the source address field. The destination address field identifies the final recipient of the frame.
Hopefully this has clarified how addressing works in a 802.11 frame.