
Frame Structure - 802.11

This document discusses 802.11 frame types and formats. It covers the three main frame types - management, control, and data frames. Management frames are used to manage the basic service set (BSS), control frames control medium access, and data frames contain higher layer payloads. The document then provides details on specific frame formats, fields within frames like the header and trailer, and objectives for different certification exams regarding frame analysis.

Uploaded by

ArjunAslekar

802.11 Frame Types and Formats

There are three types of 802.11 frames: management, control, and data. Management frames are used to manage the BSS, control frames control access to the medium, and data frames contain payloads that are the layer 3-7 information. We will focus on the contents of each frame rather than understanding the context of the frame in the frame exchange process. A separate post will follow that covers the various frame exchanges. As a consumer of all my own blog posts, I’ll be formatting this post in a way that it can be easily used as a reference and be as searchable as possible.

This post covers the information you will be expected to know for the CWNA-107 and CWAP-403 exams about frame types, formatting, and values. As you can see below, the level of knowledge expected for the CWNA exam is much simpler. In the CWAP exam, it is expected that you can identify the frame type, which information elements (IE) contain which values, and understand what each value represents.

CWNA-107 Objectives covered:

• 3.2 Identify and explain the basic frame types defined in the 802.11-2016 standard
  o 3.2.1 General frame format
  o 3.2.2 MAC addressing
  o 3.2.3 Beacon frame
  o 3.2.4 Association frames
  o 3.2.5 Authentication frames
  o 3.2.6 Data frames
  o 3.2.7 Acknowledgement (ACK) frames
  o 3.2.8 Block ACK frames

CWAP-403 Objectives covered:

• 4.2 Identify and use MAC information in captured data for analysis
  o 4.2.1 Management, control, and data frames
  o 4.2.2 MAC Frame Format
    ▪ Frame Control Field
    ▪ To DS and From DS
    ▪ Address Fields
    ▪ Frame Check Sequence (FCS)
  o 4.2.3 802.11 Management Frame Formats
    ▪ Information Elements
    ▪ Authentication
    ▪ Association and Reassociation
    ▪ Beacon
    ▪ Probe Request and Probe Response
  o 4.2.4 Data and QoS Data Frame Formats
  o 4.2.5 802.11 Control Frame Formats
    ▪ Acknowledgement
    ▪ RTS/CTS
    ▪ Block Acknowledgement and related frames
• 4.3 Validate BSS configuration through protocol analysis
  o 4.3.1 Country code
  o 4.3.2 Minimum basic rate
  o 4.3.3 Supported rates
  o 4.3.4 Beacon intervals
  o 4.3.5 WMM settings
  o 4.3.6 RSN settings
  o 4.3.7 HT and VHT operations
  o 4.3.8 Channel width
  o 4.3.9 Primary channel
  o 4.3.10 Hidden or non-broadcast SSIDs
• 4.4 Identify and analyze CRC error frames and retransmitted frames
• 5.2 Analyze QoS configuration and operations
  o 5.2.1 Verify QoS parameters in capture files

General Frame Format


802.11 frames consist of three major parts: header, body, and trailer. The CWNA objectives include an understanding of the general frame format. The CWAP exam is all about understanding each frame type, which fields are used, and what each information element (IE) contains information about. We’ll cover the basics for now.

[Figure: Frame Format]

[Figure: Detailed Frame Format]

Header

The frame header contains information about where the frame is going, the data rate, cipher suite used to encrypt data frames, and more! It is important to understand each field in the header. The four address fields are source, destination, transmitter, and receiver. The header contents are different for each frame type; the image below shows that some fields may be 0 bytes when not in use or X bytes. For example, the header of an acknowledgement (ACK) frame only uses one of four address fields, the receiver address (RA). The other values found in the frame control field of the header that are frequently referenced include:

• DS Status – Indicates the directionality of the frame. Refer to the table below from the 802.11-2016 standard for the possible values and their meaning.
• More Fragments – If set to 1, the frame has been fragmented and has more fragments to transmit.
• Retry – If set to 1, the previous attempt to transmit this frame failed.

[Table: To DS / From DS]

The example below is from a QoS Data frame; therefore, it includes a QoS Control field as well.

[Figure: QoS Data Frame]

Body

The body of an 802.11 frame contains the layer 3-7 information that is encapsulated and, hopefully, protected (encrypted) as well. The body of a frame varies in size depending on the transmission. For example, voice traffic frames will be smaller than a file download that will increase the TCP window based on the speed/reliability of the connection end-to-end.

Trailer

The trailer contains the frame check sequence (FCS). This is a 32-bit cyclic redundancy check (CRC) used to validate that the contents of the entire frame have not been tampered with or become corrupted while being transferred over the wireless medium. All values of the frame header and body are run through a calculation; the result is held in the FCS field. If the receiver runs the frame through the same calculation but the result is not the same, the frame is corrupt/damaged. The receiver will discard the frame and not send an ACK frame. The sender knows to retransmit the frame because it did not receive acknowledgement. This is typically a result of high interference/collisions. Typically, the station that receives a bad CRC will discard the frame instead of forwarding it onto the operating system so you will not be able to see “bad” frames within protocol analyzers such as Wireshark.

[Figure: FCS]
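The FCS check and the retry count behind objective 4.4, as an added example that is not part of the original post. It assumes the capture kept the 4-byte FCS on each frame; the frames are constructed, and the function names are illustrative. The FCS is an unkeyed CRC-32, so it catches transmission errors only; protection against deliberate modification comes from the cipher suite's integrity check, not from this field.

```python
import struct
import zlib

FCS_LEN = 4
MIN_FRAME_LEN = 10 + FCS_LEN   # shortest frame is an ACK/CTS: 10-byte header + FCS
RETRY_BIT = 0x08               # Retry flag, second byte of the Frame Control field


def compute_fcs(mpdu: bytes) -> bytes:
    """CRC-32 over header + body, stored least-significant byte first."""
    return struct.pack("<I", zlib.crc32(mpdu) & 0xFFFFFFFF)


def fcs_ok(frame: bytes) -> bool:
    """True when the trailing 4 bytes match the CRC-32 of everything before them."""
    if len(frame) < MIN_FRAME_LEN:
        return False
    return compute_fcs(frame[:-FCS_LEN]) == frame[-FCS_LEN:]


def summarize(frames) -> dict:
    """Count CRC-error frames and retransmissions in a list of captured frames."""
    good = [f for f in frames if fcs_ok(f)]
    # The Retry bit is only trustworthy on frames whose FCS verified.
    retries = sum(1 for f in good if f[1] & RETRY_BIT)
    return {
        "total": len(frames),
        "bad_fcs": len(frames) - len(good),
        "retries": retries,
        "retry_pct": round(100 * retries / len(good), 1) if good else 0.0,
    }


# --- constructed sample frames (STA/AP addresses as listed for the example PCAP) ---
STA = bytes.fromhex("0020a6fcb036")
AP = bytes.fromhex("2cf89bdd06a0")


def qos_data(flags: int, payload: bytes) -> bytes:
    """QoS Data header (26 bytes) plus payload, without FCS."""
    header = bytes([0x88, flags]) + struct.pack("<H", 44) + AP + STA + AP
    header += struct.pack("<H", 0x0010) + struct.pack("<H", 0)   # Seq Ctl, QoS Ctl
    return header + payload


def sample_capture():
    ack = bytes([0xD4, 0x00]) + struct.pack("<H", 0) + STA
    first = qos_data(0x01, b"constructed payload")               # To DS
    retry = qos_data(0x01 | RETRY_BIT, b"constructed payload")   # same frame, resent
    sealed = [f + compute_fcs(f) for f in (ack, first, retry)]
    damaged = bytearray(sealed[1])
    damaged[30] ^= 0x04                                          # one bit flipped in transit
    return sealed + [bytes(damaged)]


if __name__ == "__main__":
    print(summarize(sample_capture()))
```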

Frame Types

All 802.11 frames fall under one of the three types: management, control, or data. The 802.11ac-2013 standard states that all data frames be sent as QoS data frames. In the header there is a frame control field that contains the values for type and subtype of the frame. The image below shows the three types of frames. Protocol version will always be 00 to indicate that 802.11 is in use. The type field indicates 0-management, 1-control, or 2-data.

The subtype field indicates the type of management, control, or data frame. In our example here we see 8, 11, and 8 in the subtype fields. The management frame is a beacon, the control frame is a request-to-send (RTS), and the data frame is a QoS Data frame.

[Figure: Type and Subtype]
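A decoder for the two-byte Frame Control field covering both the header flags (To DS / From DS, More Fragments, Retry) and the type/subtype values described above; this is an added example, not code from the original post. Subtype names come from the tables on this page, the DS status wording is a paraphrase, and `wireshark_type_subtype` shows how the `wlan.fc.type_subtype` filter values used later on the page are formed.

```python
import struct

TYPES = {0: "Management", 1: "Control", 2: "Data"}
# Subtype names as listed in the subtype tables on this page.
SUBTYPES = {
    0: {0: "Association request", 1: "Association response",
        2: "Reassociation request", 3: "Reassociation response",
        4: "Probe request", 5: "Probe response", 6: "Timing advertisement",
        8: "Beacon", 10: "Disassociation", 11: "Authentication",
        12: "Deauthentication", 14: "Action"},
    1: {4: "Beamforming Report Poll", 5: "VHT/HE NDP Announcement",
        6: "Control Frame Extension", 7: "Control wrapper",
        8: "Block ACK Request", 9: "Block ACK", 10: "PS-Poll", 11: "RTS",
        12: "CTS", 13: "ACK", 14: "CF-End", 15: "CF-End+CF-ACK"},
    2: {0: "Data", 4: "Null (no data)", 8: "QoS Data", 12: "QoS Null (no data)"},
}
# (To DS, From DS) -> direction of the frame (wording is this example's own).
DS_STATUS = {
    (0, 0): "within an IBSS, or a management/control frame",
    (1, 0): "station to AP (toward the DS)",
    (0, 1): "AP to station (from the DS)",
    (1, 1): "four-address frame (AP to AP / mesh)",
}
# Bit positions B8..B15 of the Frame Control field.
FLAG_BITS = {"to_ds": 8, "from_ds": 9, "more_fragments": 10, "retry": 11,
             "power_mgmt": 12, "more_data": 13, "protected": 14, "order": 15}


def parse_frame_control(frame: bytes) -> dict:
    """Decode the first two bytes of an 802.11 MAC header."""
    if len(frame) < 2:
        raise ValueError("need at least the 2-byte Frame Control field")
    (fc,) = struct.unpack_from("<H", frame)      # sent least-significant byte first
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    out = {
        "version": fc & 0x3,
        "type": ftype,
        "type_name": TYPES.get(ftype, "Type 3"),
        "subtype": subtype,
        "name": SUBTYPES.get(ftype, {}).get(subtype, "Reserved/other"),
        # Wireshark's wlan.fc.type_subtype packs type and subtype into one value.
        "wireshark_type_subtype": (ftype << 4) | subtype,
    }
    for flag, bit in FLAG_BITS.items():
        out[flag] = bool((fc >> bit) & 1)
    out["ds_status"] = DS_STATUS[(int(out["to_ds"]), int(out["from_ds"]))]
    return out


if __name__ == "__main__":
    # Constructed Frame Control values: beacon, RTS, protected QoS Data to the AP,
    # and a Null data frame with the Power Management bit set.
    for raw in (b"\x80\x00", b"\xb4\x00", b"\x88\x41", b"\x48\x11"):
        fc = parse_frame_control(raw)
        print(raw.hex(), fc["type_name"], fc["name"],
              hex(fc["wireshark_type_subtype"]), fc["ds_status"])
```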

Management Frames

Management frames are used to manage the BSS. This includes probing, associating, roaming, and disconnecting clients from the BSS. As shown above, management frames use a type of 0 in the frame control field within the frame header.

Subtype Field    Description
0000             Association request
0001             Association response
0010             Reassociation request
0011             Reassociation response
0100             Probe request
0101             Probe response
0110             Timing advertisement
0111             Reserved
1000             Beacon
1010             Disassociation
1011             Authentication
1100             Deauthentication
1110             Action

Association Request/Response

Stations send association requests to access points (APs) requesting to join the BSS. In this frame, the station sends all its capabilities to the AP; it will only include capabilities that the AP has also advertised in the beacon or probe response frame. The AP responds to the station using an association response frame that includes an association ID (AID). Each station within the BSS has a unique AID.

[Figure: Association Request]

Reassociation Request/Response

Stations send reassociation requests to APs that they wish to roam to. The AP responds to the station the same way it does in the association request/response. The primary difference between reassociation and association requests is that the station will indicate the current AP it is connected to in reassociation requests. If the station does not receive a reassociation response for reasons such as load balancing, it will remain connected to the original AP and search for other APs to roam to. There are also cases where, after leaving a BSS for a short period of time, a station will send a reassociation request to an AP it was recently connected to.

[Figure: Partial Reassociation Request frame body]

Probe Request/Response

As part of the active and passive scanning processes, stations send probe requests with a specific SSID, wildcard, or no value (null) in the “SSID Parameter Set” field to search for wireless networks. When the field is wildcard/null, the client is requesting any AP nearby to respond with all SSIDs using a probe response frame. When the probe request contains a specific SSID, the client is requesting any AP nearby to respond if they support that SSID.

The probe response frame is a targeted beacon that is sent to the station that is “probing”. As you can see below, the probe response frame contains all but 3 of the same fields as beacon frames. The three differences are: the probe response frame does not contain a TIM, a QoS capabilities information element, and any information elements requested by the station. Be sure to understand the differences between active and passive scanning for both exams.

[Figure: Probe Request with Wildcard SSID]

[Figure: Probe Response]

Beacon

APs send beacons at a regular interval called the target beacon transmit time (TBTT) to advertise the SSIDs they service. Beacons contain the configuration of the WLAN including whether it supports standards such as 802.11k, 802.11r, the required cipher suites and authentication key management (AKM) methods, whether protection mechanisms are required, etc. The presence of certain information elements (IE) indicates whether the related configuration is present. The figure below shows which fields are mandatory in a beacon frame. Note that this information is in the body of the management frame.

[Figure: Beacon Frame Format]

Below is a beacon frame in Wireshark. We can see a timestamp of 316618342401, which is used to keep time synchronized among stations in a BSS. Our beacon interval, also known as target beacon transmit time (TBTT), is the default of 102.4ms. The required “Capability Info” field is expanded below. The SSID being advertised by the beacon is “Taynouse” and the supported data rates are listed after it. It is important to capture your own beacons and start poking around; the number of optional fields is much longer than the required fields. It is important to know the names and purpose of all the beacon fields for the CWAP exam. I highly recommend downloading a copy of the 802.11-2016 standard for free here and searching for each of these fields yourself.

[Figure: Beacon Header and Body]

[Figure: Required Capabilities Information in Beacons]

The CWAP objectives state that you should be able to determine the configuration of a BSS from looking at a decoded BSS frame. I have highlighted the areas of importance below.

[Figure: BSS Configuration]
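One way to read a BSS configuration out of a beacon body without a GUI, as an added example that is not part of the original post. It decodes the fixed fields and the elements behind objectives 4.3.1 to 4.3.10 (SSID and hidden SSID, rates and minimum basic rate, channel, country code, RSN cipher and AKM suites). The sample beacon is constructed: it reuses the SSID, timestamp and interval quoted above, and every other value in it is made up.

```python
import struct

TU_US = 1024                       # one time unit (TU) is 1024 microseconds
RSN_OUI = b"\x00\x0f\xac"
CIPHERS = {2: "TKIP", 4: "CCMP-128"}
AKMS = {1: "802.1X", 2: "PSK"}


def parse_rsn(val: bytes) -> dict:
    """Decode group cipher, pairwise ciphers and AKM suites from an RSN element."""
    def suite(off, names):
        oui, kind = val[off:off + 3], val[off + 3]
        return names.get(kind, f"type {kind}") if oui == RSN_OUI else f"vendor {oui.hex()}"
    (n_pairwise,) = struct.unpack_from("<H", val, 6)
    akm_off = 8 + 4 * n_pairwise
    (n_akm,) = struct.unpack_from("<H", val, akm_off)
    return {
        "group": suite(2, CIPHERS),
        "pairwise": [suite(8 + 4 * i, CIPHERS) for i in range(n_pairwise)],
        "akm": [suite(akm_off + 2 + 4 * i, AKMS) for i in range(n_akm)],
    }


def parse_beacon_body(body: bytes) -> dict:
    """Decode the fixed fields and the elements used to validate a BSS configuration."""
    timestamp, interval_tu, cap = struct.unpack_from("<QHH", body, 0)
    cfg = {
        "timestamp": timestamp,
        "beacon_interval_ms": interval_tu * TU_US / 1000,
        "privacy": bool(cap & 0x0010),          # Capability Info: Privacy bit
        "ssid": None, "hidden_ssid": False, "rates": [], "basic_rates": [],
        "channel": None, "country": None, "rsn": None, "ht": False, "vht": False,
    }
    pos = 12                                     # elements follow the 12 fixed bytes
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        val = body[pos + 2:pos + 2 + length]
        if len(val) != length:
            raise ValueError(f"element {eid} is truncated")
        if eid == 0:                             # SSID: empty or all-NUL means hidden
            cfg["hidden_ssid"] = length == 0 or not any(val)
            cfg["ssid"] = None if cfg["hidden_ssid"] else val.decode("utf-8", "replace")
        elif eid in (1, 50):                     # Supported / Extended Supported Rates
            for r in val:
                mbps = (r & 0x7F) * 0.5          # units of 500 kb/s
                cfg["rates"].append(mbps)
                if r & 0x80:                     # top bit marks a basic (mandatory) rate
                    cfg["basic_rates"].append(mbps)
        elif eid == 3 and val:                   # DS Parameter Set: current channel
            cfg["channel"] = val[0]
        elif eid == 7:                           # Country: first two bytes are the code
            cfg["country"] = val[:2].decode("ascii", "replace")
        elif eid == 48:                          # RSN
            cfg["rsn"] = parse_rsn(val)
        elif eid in (45, 61):                    # HT Capabilities / HT Operation
            cfg["ht"] = True
        elif eid in (191, 192):                  # VHT Capabilities / VHT Operation
            cfg["vht"] = True
        pos += 2 + length
    cfg["min_basic_rate"] = min(cfg["basic_rates"], default=None)
    return cfg


def ie(eid: int, val: bytes) -> bytes:
    return bytes([eid, len(val)]) + val


def sample_beacon(ssid: bytes = b"Taynouse") -> bytes:
    """Constructed beacon body: WPA2-PSK/CCMP network on channel 6, country US."""
    rsn = (struct.pack("<H", 1) + RSN_OUI + b"\x04"
           + struct.pack("<H", 1) + RSN_OUI + b"\x04"
           + struct.pack("<H", 1) + RSN_OUI + b"\x02" + struct.pack("<H", 0))
    return (struct.pack("<QHH", 316618342401, 100, 0x0431)
            + ie(0, ssid)
            + ie(1, bytes([0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24]))
            + ie(3, bytes([6])) + ie(7, b"US " + bytes([1, 11, 30])) + ie(48, rsn))


if __name__ == "__main__":
    for key, value in parse_beacon_body(sample_beacon()).items():
        print(f"{key:20} {value}")
```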

Authentication

Authentication frames are used to join the BSS as part of the open system authentication process. Open system authentication is a simple process used to verify that the station attempting to join the BSS has the capabilities to do so. The station sends an authentication request and the AP sends an authentication response. The body of the authentication frame includes the algorithm number, transaction sequence number, and status code. With open system authentication, the authentication algorithm number is 0. The sequence number will either be 1 or 2 to indicate which frame of the two-frame transaction you are viewing. The authentication response frame is always sequence number 2 and will include a status code indicating success or failure.

[Figure: Authentication Frame Format]

[Figure: Authentication Frame]

The PCAP below shows deauthentication, disassociation, reassociation, authentication, and the 4-way handshake!

[Figure: From Deauth to Reassociation PCAP]

Disassociation

A type of management frame sent from either the station or the AP. Disassociation frames are used to terminate the station’s association; it is a notification and does not expect a response. Clients may disassociate prior to powering off. APs may disassociate clients for various reasons including failure to properly authenticate, for load balancing or timeout reasons, entering a state of maintenance, etc. The 802.11-2016 standard includes a list of disassociation reasons. When a station is disassociated it still maintains its authentication. This makes it easier for the client to associate again in the future. The table below is part of Table 9-45 showing reason codes for disassociation from the 802.11-2016 standard.

[Table: Reason Code Table]

In the example below, we can see reason code 8 (LEAVING_NETWORK_DISASSOC): Disassociated because sending STA is leaving (or has left) BSS.

[Figure: Disassociate Frame]

Deauthentication

Deauthentication frames are used to reset the state machine for an associated client. The authentication process takes place prior to association; therefore, if a station is deauthenticated, it is also disassociated. Deauthentication frames also include a reason code in the body of the frame from the table mentioned above. Know that deauthenticating a client resets their process in the 802.11 state machine back to step 1.

[Figure: Deauthentication Frame]
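The state changes described in the Authentication, Disassociation and Deauthentication sections, replayed over a constructed frame sequence; this is an added example, not code from the original post. It reads the fixed body fields named above (algorithm, transaction sequence, status code, reason code, AID), uses the 802.11 state numbering 1 to 3 (State 4, RSNA established, is left out), and flags data frames seen outside State 3, the condition behind the “Class 3 frame received from nonassociated STA” reason code. Frames are passed without FCS and with a zeroed header apart from the Frame Control byte.

```python
import struct

MGMT, DATA = 0, 2
# Management subtypes (type 0) from the subtype table above.
ASSOC_REQ, ASSOC_RESP, REASSOC_RESP = 0b0000, 0b0001, 0b0011
DISASSOC, AUTH, DEAUTH = 0b1010, 0b1011, 0b1100
QOS_DATA = 0b1000
HDR_LEN = 24     # management header: Frame Control, Duration, 3 addresses, Seq Ctl
STATES = {1: "unauthenticated, unassociated",
          2: "authenticated, unassociated",
          3: "authenticated, associated"}


def parse(frame: bytes) -> dict:
    """Decode type/subtype and the fixed body fields this example needs."""
    info = {"type": (frame[0] >> 2) & 0x3, "subtype": (frame[0] >> 4) & 0xF}
    body = frame[HDR_LEN:]
    if info["type"] != MGMT:
        return info
    if info["subtype"] in (DEAUTH, DISASSOC):
        (info["reason"],) = struct.unpack_from("<H", body)
    elif info["subtype"] == AUTH:
        info["algorithm"], info["seq"], info["status"] = struct.unpack_from("<HHH", body)
    elif info["subtype"] in (ASSOC_RESP, REASSOC_RESP):
        _capability, info["status"], aid = struct.unpack_from("<HHH", body)
        info["aid"] = aid & 0x3FFF       # the two top bits of the AID field are set on air
    return info


def next_state(state: int, f: dict) -> int:
    """Apply one frame to the station's current state."""
    if f["type"] != MGMT:
        return state
    if f["subtype"] == DEAUTH:
        return 1                         # deauthentication also ends the association
    if f["subtype"] == DISASSOC:
        return min(state, 2)             # authentication is kept
    if f["subtype"] == AUTH and f["seq"] == 2 and f["status"] == 0:
        return max(state, 2)
    if f["subtype"] in (ASSOC_RESP, REASSOC_RESP) and f["status"] == 0 and state >= 2:
        return 3
    return state


def replay(frames, state: int = 3):
    """Return (state after each frame, indexes of data frames sent outside State 3)."""
    states, class3_violations = [], []
    for index, raw in enumerate(frames):
        f = parse(raw)
        if f["type"] == DATA and state != 3:
            class3_violations.append(index)
        state = next_state(state, f)
        states.append(state)
    return states, class3_violations


def mk(ftype: int, subtype: int, body: bytes = b"") -> bytes:
    """Constructed frame: real Frame Control byte, zeroed remainder of the header."""
    return bytes([(subtype << 4) | (ftype << 2), 0]) + bytes(HDR_LEN - 2) + body


SAMPLE = [                                           # constructed sequence
    mk(DATA, QOS_DATA),                              # 0: data while associated
    mk(MGMT, DISASSOC, struct.pack("<H", 8)),        # 1: reason 8, STA leaving BSS
    mk(MGMT, DEAUTH, struct.pack("<H", 1)),          # 2: reason 1
    mk(DATA, QOS_DATA),                              # 3: data while in State 1
    mk(MGMT, AUTH, struct.pack("<HHH", 0, 1, 0)),    # 4: open system, sequence 1
    mk(MGMT, AUTH, struct.pack("<HHH", 0, 2, 0)),    # 5: sequence 2, status 0
    mk(MGMT, ASSOC_REQ),                             # 6: association request
    mk(MGMT, ASSOC_RESP, struct.pack("<HHH", 0x0431, 0, 0xC001)),  # 7: success, AID 1
    mk(DATA, QOS_DATA),                              # 8: data while associated
]

if __name__ == "__main__":
    states, violations = replay(SAMPLE)
    for index, state in enumerate(states):
        note = "  <- class 3 frame outside State 3" if index in violations else ""
        print(index, f"State {state} ({STATES[state]})" + note)
```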

Action
Action frames are management frames that trigger an action to happen. The list of management frame subtypes had become exhausted, so instead of creating new management frames as new technologies required them, the action frame can be used. Action frames do not expect an ACK. They were first introduced in the 802.11h-2003 standard which also introduced transmit power control (TPC) and dynamic frequency selection (DFS). The 802.11-2016 standard includes action frames for many categories such as spectrum management, QoS, HT, VHT, radio measurements, and many more. The table below from 9.6.2.1 of the 802.11-2016 standard shows the spectrum management action frames.

[Table: Spectrum Management Action Frames]

Below we can see the action frame type of “Action No Ack” and an example frame used to communicate a compressed beamforming report.

[Figure: Action No ACK]

[Figure: Action No Ack Frame]

This action frame is an “add block ack response” (ADDBA) action frame. It is used to set up the block ack policy for the exchange of blocks of QoS data frames.

[Figure: Action ADDBA]

Timing Advertisement

Timing advertisement frames were introduced in 802.11p-2010; this standard describes how Wi-Fi can be used in vehicular environments. This type of management frame is not in use today and is expected to be used to communicate time values to devices that cannot maintain their own timing.

Control Frames

Control frames are used to control access to the medium and are used for frame acknowledgement. Control frames only contain a header and trailer, no body. The control frame types bolded in the table below are only used in point coordination function (PCF) based wireless networks. These were never implemented in the real world.

Subtype Field    Description
0100             Beamforming Report Poll
0101             VHT/HE NDP Announcement
0110             Control Frame Extension
0111             Control wrapper
1000             Block ACK Request
1001             Block ACK
1010             PS-Poll
1011             RTS
1100             CTS
1101             ACK
1110             CF-End
1111             CF-END+CF-ACK

Request to Send – RTS

Stations send RTS frames to reserve the medium for the amount of time, in microseconds, found in the duration field in the frame header. RTS and CTS frames are very simple. The medium will not be reserved for the station until it receives a clear to send frame response from the access point. I explain the RTS/CTS process in detail in my Wireless Contention Mechanisms post. RTS/CTS are used as a NAV distribution method as part of the virtual carrier sense process.

[Figure: RTS Frame Format]

[Figure: RTS Frame]

Clear to Send – CTS

Frame sent by an AP in response to an RTS frame sent by a station. CTS messages are sent at the lowest mandatory data rate, allowing them to reach all stations in the BSS. They only use the receiver address (RA) field in the header. The station in the receiver address field is the one that will be transmitting frames.

[Figure: CTS Frame Format]

[Figure: CTS Frame]

Acknowledgement – ACK

ACK frames create a delivery verification method; they are expected after the transmission of data frames to confirm receipt of the frame. If the CRC check fails, the receiver will not send an ACK. If the sender does not receive an ACK, it will retransmit the frame.

[Figure: ACK Frame Format]

[Figure: ACK Frame]

PS-Poll

PS-Poll frames are used in the legacy 802.11-1997 power save method to request frames buffered on the AP while the client was sleeping. Clients include their AID in the Duration/ID field when sending PS-Poll frames. The process is covered in greater detail in my Power Save Methods post.

[Figure: PS-Poll Frame Format]

Block ACK / Block ACK Request

Introduced in 802.11e-2005, block acknowledgements are used to confirm receipt of a block of QoS data frames. A station will send multiple QoS data frames followed by a block ack request (BAR). The AP will send a block ack frame back that includes a bitmap that indicates which frames were received. With this method, only the frames indicated by the bitmap that weren’t received are retransmitted. This increases the overall network efficiency by reducing the number of ACK frames that need to be sent.

[Figure: BAR Frame Format]

The block ack below shows a BA Ack Policy of 0, meaning immediate acknowledgement of the transmitted frames is required.

[Figure: Block ACK Frame Format]

[Figure: Block ACK Frame]

[Figure: BAR Frame]
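How the bitmap maps back to the frames that need retransmitting, as an added example that is not part of the original post. It assumes the compressed Block Ack variant (8-byte bitmap, one bit per sequence number starting at the Starting Sequence Number) and a frame passed from the start of the MAC header; the sample frame and function names are constructed for illustration.

```python
import struct

SEQ_MODULO = 4096        # sequence numbers are 12 bits and wrap around
BA_HDR_LEN = 16          # Frame Control, Duration, RA, TA
BITMAP_LEN = 8           # compressed Block Ack bitmap: 64 bits


def parse_block_ack(frame: bytes) -> dict:
    """Decode BA Control, Starting Sequence Control and the bitmap."""
    ba_control, ssc = struct.unpack_from("<HH", frame, BA_HDR_LEN)
    bitmap = frame[BA_HDR_LEN + 4:BA_HDR_LEN + 4 + BITMAP_LEN]
    if len(bitmap) != BITMAP_LEN:
        raise ValueError("expected an 8-byte compressed Block Ack bitmap")
    return {
        "ack_policy": ba_control & 0x1,          # 0 = immediate acknowledgement
        "tid": ba_control >> 12,                 # traffic identifier being acknowledged
        "ssn": ssc >> 4,                         # low 4 bits are the fragment number
        "bitmap": int.from_bytes(bitmap, "little"),
    }


def unacked(ba: dict, sent_seqs) -> list:
    """Sequence numbers from sent_seqs that the bitmap does not acknowledge."""
    missing = []
    for seq in sent_seqs:
        offset = (seq - ba["ssn"]) % SEQ_MODULO  # position in the bitmap, wrap-safe
        if offset >= BITMAP_LEN * 8 or not (ba["bitmap"] >> offset) & 1:
            missing.append(seq)
    return missing


def sample_block_ack() -> bytes:
    """Constructed Block ACK: TID 5, SSN 4094, frames 4094, 4095, 1 and 2 received."""
    ra = bytes.fromhex("0020a6fcb036")
    ta = bytes.fromhex("2cf89bdd06a0")
    header = bytes([0x94, 0x00]) + struct.pack("<H", 0) + ra + ta
    ba_control = 0x5004                          # TID 5, compressed bitmap, policy 0
    return (header + struct.pack("<HH", ba_control, 4094 << 4)
            + (0b11011).to_bytes(BITMAP_LEN, "little"))


if __name__ == "__main__":
    ba = parse_block_ack(sample_block_ack())
    print(ba, "retransmit:", unacked(ba, [4094, 4095, 0, 1, 2]))
```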

Beamforming Report Poll

Beamforming report poll frames are sent from the beamformer (the AP) to beamformees (STAs) to request additional feedback about the RF conditions. This frame is sent to the second and subsequent beamformees; it allows the AP to update its steering matrix for sending in MU-MIMO environments.

[Figure: Beamforming Report Poll Frame Format]

VHT/HE NDP Announcement

Null data packet (NDP) announcement frames notify the recipient that an NDP will follow. The figure below shows the frame exchange process. The beamformer (AP) will request that the station send an NDP sounding frame by setting the training request (TRQ) value in the Link Adaptation Control subfield of the HT Control Field. The information gathered from the sounding frame can be used to calculate a steering matrix for the purpose of using beamforming for future transmissions to the same station.

[Figure: NDP Announcement Frame Exchange]

[Figure: Link Adaptation Control Subfield Format]

[Figure: NDP Announcement Frame Format]

[Figure: NDP Announcement Frame]


Control Wrapper

Per the IEEE 802.11-2016 standard, the control wrapper control frame is used to add the HT control field to other control frames. This is accomplished by “wrapping” (or encapsulating) the original control frame, minus duration/ID, Address 1, and the FCS, in a control wrapper frame. We can see below a “Carried Frame Control” value that indicates the subtype value of the control frame being carried. This is how 802.11n HT capability information is added to control frames.

[Figure: Control Wrapper Frame Format]

Control Frame Extension

Added in 802.11ad – Directional Multigigabit (DMG), which defines the use of Wi-Fi in the 60 GHz frequency range, control frame extension frames reuse 4 bits of the frame control field (B8-B11) for additional control frames that are used with DMG. The list of additional control frames for DMG can be found in the table below from the 802.11-2016 standard.

[Table: Control Frame Extension Table]

Data Frames

Data frames are used to transfer information or trigger an event. Not all data frames contain a payload; some are “null data frames” and only contain a header and trailer. The data frame types bolded in the table below are only used in HCF controlled channel access (HCCA) or point coordination function (PCF) based wireless networks. These were never implemented in the real world. This leaves only 4 to pay attention to.

Subtype Field    Description
0000             Data
0001             Data + CF-ACK
0010             Data + CF-Poll
0011             Data + CF-ACK + CF-Poll
0100             Null (no data)
0101             CF-ACK (no data)
0110             CF-Poll (no data)
0111             CF-ACK + CF-Poll (no data)
1000             QoS Data
1001             QoS Data + CF-ACK
1010             QoS Data + CF-Poll
1011             QoS Data + CF-ACK + CF-Poll
1100             QoS Null (no data)
1101             Reserved
1110             QoS CF-Poll (no data)
1111             QoS CF-ACK + CF-Poll (no data)

Data

Used when communicating to a non-QoS station. Broadcast/Multicast traffic is typically sent as a simple data frame unless the station knows that all stations within the BSS are QoS capable.

[Figure: Data Frame Format]

QoS Data

Used when a QoS station transmits to another QoS station. The header in QoS data frames contains a QoS control field that will indicate the access category (AC), policy type, and payload type.

[Figure: QoS Control Field]

Null Data / QoS Null Data

Used to transmit control information without carrying any data. Some stations may use null data frames to indicate that they are entering power save mode or that they are waking up.

[Figure: QoS Null Data Frame]

Example PCAP

Attached is a PCAP file that you can use to apply filters to view the frames for yourself to better understand the frame format and values. The frames that can be found include: association request/response, authentication request/response, probe request/response, 4-way handshake, RTS/CTS, QoS and simple data frames, and more! It also includes captures of the data frames for inspection of layer 3-7.

HowIWiFi PCAP

Basic information:

SSID: HowIWiFi
PSK: CWAPnotes123
STA: 00:20:A6:FC:B0:36
AP: 2C:F8:9B:DD:06:A0

To decrypt the data frames in this capture, open preferences, select IEEE 802.11, select “Edit…” next to Decryption keys, and enter the PSK and SSID as shown below.

[Figure: Enable Decryption]

Below is a list of filters you can apply and the types of frames or frame exchange that will be shown.

Filter: frame.number >= 9250 && frame.number <= 9274
Frames: Disassociation, Deauthentication, Authentication, Association Request/Response, 4-way handshake (EAPOL), ACKs

Filter: frame.number == 4505 || frame.number == 4507
Frames: Station using action frame to request 802.11k neighbor report and AP responding with report.

Filter: (wlan.fc.pwrmgt == 1) && (wlan.fc.type_subtype == 0x0024)
Frames: Station using null data frame to notify the AP that it is going to sleep.

Filter: wlan.fc.type_subtype == 0x000a
Frames: Station sends disassociation frame to AP with “STA is leaving BSS” reason code. AP sends disassociation frame to STA with “Unknown” reason code.

Filter: wlan.fc.retry == 1
Frames: Shows number of times a frame had to be retransmitted. 2.4% of frames in capture.

Filter: wlan.fc.type_subtype == 0x000c
Frames: AP sends deauthentication frames to STA with reason codes “Unknown” and “Class 3 frame received from nonassociated STA” meaning that the STA transmitted frames prior to association.

Filter: wlan.fc.type_subtype == 0x0005 || wlan.fc.type_subtype == 0x0004
Frames: Shows all probe requests and probe responses.

Filter: frame.number >= 15946 && frame.number <= 15949
Frames: AP sends RTS to STA, AP sends CTS with RA as itself to indicate that it is clear to transmit frames, AP sends QoS data frame to STA, and STA sends a Block ACK to confirm receipt.

Conclusion

Conclusion
It is very satisfying once you understand how to perform the detective work to troubleshoot a wireless issue that requires protocol analysis. The sheer number of frames and their unique elements may seem overwhelming when studying for the CWAP exam, especially the frames that only show up every so often and aren’t obvious in their intent, such as action and null data frames. Practice makes perfect. Real-world experience with over-the-air packet captures and performing protocol analysis goes a long way. For some of the more complex processes, such as NDP sounding, I found it best to focus on the basics. Many of these frame types have multiple levels of understanding. The next step is to understand the frame exchanges in which these frames are used.

I hope these short explanations, visuals, and attached PCAPs help you better understand the purpose of each frame type by showing the format and a decoded frame within Wireshark. I don’t believe there is such a thing as “too much practice” for the CWAP exam; perform as many packet captures as you can and try to picture the stations communicating with the AP.

References

IEEE 802.11-2016 Standard

CWNA-107 Study Guide

CWAP PW0-270 Study Guide


CWAP-403 Study Guide

IEEE 802 Privacy Threat Analysis

Transmission of IPv6 Packets over IEEE 802.11p Networks

Overview of DCF and HCF


DCF (Distributed Coordination Function) and HCF (Hybrid Coordination Function) are QoS methods for gaining access to the wireless medium.

The 802.11-2012 standard defines:

• DCF (default / mandatory)
• PCF (optional)
• HCF

QoS in original 802.11 standard

• The original 802.11 standard defined two methods in which an 802.11 radio card may gain control of the half-duplex medium:
  1. Distributed Coordination Function (DCF)
     - DCF is the default and mandatory method for 802.11 access
     - DCF is a contention-based method for determining who gets to transmit on the wireless medium next
     - Utilizes multiple checks and balances to try to minimize collisions
     - DCF medium contention mechanisms discussed earlier allow for an 802.11 radio to transmit a single frame. After transmitting a frame, the 802.11 station must contend for the medium again before transmitting another frame.
  2. Point Coordination Function (PCF)
     - PCF was never adopted by WLAN vendors
     - In PCF, the access point briefly takes control of the medium and polls the clients
     - PCF medium contention mechanisms discussed earlier allow for an 802.11 radio to transmit a single frame. After transmitting a frame, the 802.11 station must contend for the medium again before transmitting another frame.

802.11e (QoS for Wireless)

• 802.11e (QoS for Wireless) is the new standard that defines enhanced medium access methods: Hybrid Coordination Function (HCF). HCF combines capabilities from both DCF and PCF and adds enhancements to them to create two channel-access methods, Enhanced Distributed Channel Access (EDCA) and HCF Controlled Channel Access (HCCA):
  1. Enhanced Distributed Channel Access (EDCA)
     - EDCA is an extension to DCF
     - The EDCA medium access method will provide for the “prioritization of frames” based on upper-layer protocols, i.e. application traffic such as voice or video
  2. Hybrid Coordination Function Controlled Channel Access (HCCA)
     - HCCA has never been adopted by WLAN vendors
     - HCCA is an extension of PCF
     - HCCA gives the access point the ability to provide for “prioritization of stations.” In other words, certain client stations will be given a chance to transmit before others

Specifics of DCF and HCF

DCF (Distributed Coordination Function)

DCF has four components that act as checks and balances to ensure that only one 802.11 radio is transmitting on the half-duplex medium. These four checks all function at the same time:

• Interframe space
  - IFS is a period of time that exists between transmissions of wireless frames.
  - 6 types of interframe spaces (listed shortest to longest):
    1. Reduced interframe space (RIFS), highest priority
    2. Short interframe space (SIFS), second highest priority
    3. PCF interframe space (PIFS), middle priority
    4. DCF interframe space (DIFS), lowest priority
    5. Arbitration interframe space (AIFS), used by QoS stations
    6. Extended interframe space (EIFS), used after receipt of corrupted frames
  - The length of time of each IFS varies depending on the transmission speed of the network
  - Interframe spaces are one line of defense used by CSMA/CA to ensure that only certain types of 802.11 frames are transmitted following certain interframe spaces. For example, only ACK frames, block ACK frames, data frames, and clear-to-send (CTS) frames may follow a SIFS.
  - Two most common IFS are the SIFS and the DIFS
  - Interframe spacing also acts as a backup mechanism to virtual carrier sense
• Duration/ID field
  - One of the fields in the MAC header of an 802.11 frame is the Duration/ID field.
  - The value of the Duration/ID field indicates how long the RF medium will be busy before another station can contend for the medium.
  - When a client transmits a unicast frame, the Duration/ID field contains a value from 0 to 32,767
  - The Duration/ID value represents the time, in microseconds, that is required to transmit an active frame exchange process so that other radios do not interrupt the process.
  - A client that is transmitting the data frame calculates how long it will take to receive an ACK frame and includes that length of time in the Duration/ID field in the MAC header of the transmitted unicast data frame.
  - The value of the Duration/ID field in the MAC header of the ACK frame that follows is 0 (zero).
  - In the rare case of a PS-Poll frame, the Duration/ID is used as an ID value of a client station using legacy power management.
• Carrier sense
  - The first step that an 802.11 CSMA/CA device needs to do to begin transmitting is to perform a carrier sense. This is a check to see whether the medium is busy.
  - Two types of carrier sense:
    1. Virtual Carrier Sense
       - Virtual carrier sense is a layer 2 carrier sense mechanism.
       - Virtual carrier sense uses a timer mechanism known as the network allocation vector (NAV)
       - The NAV timer maintains a prediction of future traffic on the medium based on Duration value information seen in a previous frame transmission.
       - A listening radio hears a frame transmission from another station
       - It looks at the header of the frame and determines whether the Duration/ID field contains a Duration value or an ID value.
       - If the field contains a Duration value, the listening station will set its NAV timer to this value.
       - The listening station will then use the NAV as a countdown timer, knowing that the RF medium should be busy until the countdown reaches 0.
    2. Physical Carrier Sense
       - Physical carrier sense is a layer 1 line of defense.
       - It is possible that a station did not hear the other radio transmitting and was therefore unable to read the Duration/ID field and set its NAV timer.
       - Physical carrier sensing is performed constantly by all stations that are not transmitting or receiving.
       - When a station performs a physical carrier sense, it is actually listening to the channel to see whether any other transmitters are taking up the channel.
       - Physical carrier sense has two purposes:
         1. To determine whether a frame transmission is inbound for a station to receive. If the medium is busy, the radio will attempt to synchronize with the transmission.
         2. To determine whether the medium is busy before transmitting. This is known as the clear channel assessment (CCA). The CCA involves listening for RF transmissions at the Physical layer. The medium must be clear before a station can transmit.
• Random backoff timer
  - An 802.11 station may contend for the medium during a window of time known as the backoff timer
  - The station selects a random backoff value using a pseudorandom backoff algorithm.
  - The station chooses a random number from a range called a contention window (CW) value.
  - After the random number is chosen, the number is multiplied by the slot time value. Slot time sizes are dependent on the physical layer specification (PHY) in use (DSSS, OFDM, etc.).
  - The random backoff timer is the final timer used by a station before it transmits.
  - When the backoff time is equal to 0, the client can reassess the channel and, if it is clear, begin transmitting.
  - If no medium activity occurs during a particular slot time, then the backoff timer is decremented by a slot time.
  - If the physical or virtual carrier sense mechanisms sense a busy medium, the backoff timer decrement is suspended, and the backoff timer value is maintained.
  - When the medium is idle for a duration of a DIFS, AIFS, or EIFS period, the backoff process resumes and continues the countdown from where it left off.
  - When the backoff timer reaches 0, transmission commences.
  - Unsuccessful transmissions cause the CW size to increase exponentially up to a maximum value as shown below:
The following example is a simple review of the process:

• An OFDM station selects a random number from a contention window of 0–15. For this example, the number chosen is 4.
• The station multiplies the random number of 4 by a slot time of 9μs.
• The random backoff timer has a value of 36μs (4 slots).
• For every slot time during which there is no medium activity, the backoff time is decremented by a slot time.
• The station decrements the backoff timer until the timer is zero.
• The station transmits if the medium is clear.

The random backoff timer is another line of defense and helps minimize the
likelihood of two stations trying to communicate at the same time, although it does
not fully prevent this from occurring. If a station does not receive an ACK, it starts the
carrier sense process over again.
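The backoff countdown from the review above, extended to show the timer being suspended while the medium is busy and the contention window growing after failures; this is an added example, not taken from the original document. The 9 µs slot time and the 0–15 window come from the text; the DIFS of 34 µs and the window ceiling of 1023 are the OFDM values assumed here, and the overheard frames are constructed.

```python
SLOT_US = 9                    # OFDM slot time, as in the review above
DIFS_US = 34                   # assumption: OFDM DIFS = SIFS (16 us) + 2 slots
CW_MIN, CW_MAX = 15, 1023      # assumption: OFDM contention window limits


def decode_duration_id(raw: int):
    """Split the 16-bit Duration/ID field into a NAV duration or a PS-Poll AID."""
    if (raw & 0x8000) == 0:
        return "duration_us", raw              # 0..32767 microseconds
    if (raw & 0xC000) == 0xC000:
        return "aid", raw & 0x3FFF             # PS-Poll: association ID, no NAV update
    return "other", raw


def contention_window(failed_attempts: int) -> int:
    """Window size after a number of unsuccessful transmissions: 15, 31, 63, ..."""
    cw = CW_MIN
    for _ in range(failed_attempts):
        cw = min(2 * (cw + 1) - 1, CW_MAX)
    return cw


def busy_intervals(overheard):
    """Turn overheard frames (start_us, airtime_us, raw Duration/ID) into busy spans.

    Physical carrier sense covers the airtime; the NAV set from a Duration value
    keeps the medium reserved for that many microseconds after the frame ends.
    """
    spans = []
    for start, airtime, raw in overheard:
        kind, value = decode_duration_id(raw)
        nav = value if kind == "duration_us" else 0
        spans.append((start, start + airtime + nav))
    return sorted(spans)


def transmit_time_us(backoff_slots: int, overheard=()) -> int:
    """Time at which the station transmits, starting to contend at t = 0."""
    busy = busy_intervals(overheard)
    t, remaining = 0, backoff_slots
    while True:
        ends = [end for start, end in busy if start <= t < end]
        if ends:                               # medium busy: wait it out, timer frozen
            t = max(ends)
            continue
        starts = [start for start, _ in busy if start > t]
        next_busy = min(starts) if starts else None
        if next_busy is not None and t + DIFS_US > next_busy:
            t = next_busy                      # DIFS interrupted before it completed
            continue
        t += DIFS_US                           # medium idle for a full DIFS
        if next_busy is None:
            return t + remaining * SLOT_US
        idle_slots = (next_busy - t) // SLOT_US
        if idle_slots >= remaining:
            return t + remaining * SLOT_US
        remaining -= idle_slots                # keep the leftover slots for later
        t = next_busy


if __name__ == "__main__":
    print("idle medium:", transmit_time_us(4), "us")
    # Constructed: another station's 100 us data frame starts at t = 52 us and
    # carries Duration = 44 us to protect its ACK.
    print("interrupted:", transmit_time_us(4, [(52, 100, 44)]), "us")
    print("CW after failures:", [contention_window(n) for n in range(8)])
```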

HCF (Hybrid Coordination Function)

• HCF defines the ability for an 802.11 radio to send multiple frames when transmitting on the RF medium.
• When an HCF-compliant radio contends for the medium, it receives an allotted amount of time to send frames.
• This period of time is called a transmit opportunity (TXOP).
• During this TXOP, an 802.11 radio may send multiple frames in what is called a frame burst.
• A short interframe space (SIFS) is used between each frame to ensure that no other radios transmit during the frame burst.
