802.11 PROTOCOL INTELLIGENCE

MAC Frame Format - Field Reference

Every 802.11 frame starts with the same MAC header structure. Understanding each field - what it contains, when it is present, and what it controls - is the core of CWAP certification and PCAP-level protocol analysis.

IEEE 802.11-2020 §9.3 | CWAP Core Domain

Three categories of 802.11 PCAP mistakes appear consistently: wrong BSSID in the filter, wrong address field for the traffic direction, and misreading the ToDS/FromDS bits. All three trace back to one thing - not having the MAC header fields memorised.

// quick wireshark filters - MAC header analysis
wlan.fc.type == 0
    Management frames only. Start here for any association or auth failure.
wlan.fc.type == 2
    Data frames only. Check ToDS/FromDS bits to determine traffic direction.
wlan.fc.tods == 1 && wlan.fc.fromds == 1
    4-address frames (WDS / 802.11s mesh). Both bits set.
wlan.fc.retry == 1
    Retransmissions. High count = RF problem, driver issue, or hidden node.
wlan.fc.protected == 1
    Encrypted frames (CCMP/GCMP active). If data frames show protected=0, encryption failed.
wlan.seq == 1234
    Specific sequence number. Substitute the actual value to track duplicate detection.
Full filter reference → /wireshark-filters

General MAC Frame Structure

FC          2B
Duration    2B
Addr 1      6B
Addr 2      6B
Addr 3      6B
Seq Ctrl    2B
[Addr 4]    6B    optional - present only when ToDS=1 and FromDS=1
[QoS]       2B    optional - present in QoS Data subtypes
[HTC]       4B    optional - present when the +HTC bit is set
Body        var
FCS         4B

Minimum frame: FC(2) + Duration(2) + Addr1(6) + FCS(4) = 14 bytes (CTS and ACK control frames). Typical management frame: FC + Duration + Addr1 + Addr2 + Addr3 + SeqCtrl = 24 B header, followed by a variable body and the 4 B FCS. Maximum: 4-address QoS Data frame with HT Control (30 + 2 + 4 = 36 B header) carrying an A-MSDU body.

Frame Control - 16-bit Breakdown

Field              Width   Bits
Protocol Version   2b      B0–B1
Type               2b      B2–B3
Subtype            4b      B4–B7
To DS              1b      B8
From DS            1b      B9
More Frags         1b      B10
Retry              1b      B11
Pwr Mgmt           1b      B12
More Data          1b      B13
Protected          1b      B14
+HTC/Order         1b      B15
On the wire the field is little-endian: the first octet carries B0–B7 (version, type, subtype), the second octet carries B8–B15 (the flags). A QoS Data frame with ToDS=1 and Protected=1 therefore appears in a hex dump as 88 41.
Protocol Version (2b)
Always 0b00 for all current 802.11 frames. Non-zero values reserved for future protocol versions. A receiver that sees non-zero discards the frame.
Type (2b)
00=Management, 01=Control, 10=Data, 11=Extension (802.11ad/ay DMG frames). Combined with Subtype gives the complete frame function.
Subtype (4b)
Management subtypes: 0=Association Req, 1=Association Resp, 2=Reassociation Req, 3=Reassociation Resp, 4=Probe Req, 5=Probe Resp, 8=Beacon, 10=Disassoc, 11=Authentication, 12=Deauth, 13=Action. Control: 8=Block Ack Req, 9=Block Ack, 10=PS-Poll, 11=RTS, 12=CTS, 13=ACK. Data: 0=Data, 4=Null, 8=QoS Data, 12=QoS Null. Bit 3 of a Data subtype (subtypes 8–15) means a QoS Control field is present.
To DS (1b)
Set (1) when a non-AP STA sends a frame to the AP destined for the DS. ToDS=1, FromDS=0 → STA→AP. Combined with FromDS determines which of the four Address fields are DA/SA/BSSID/TA.
From DS (1b)
Set (1) when the AP forwards a frame from the DS to a STA. ToDS=0, FromDS=1 → AP→STA. Both bits=1 → WDS/Mesh 4-address frame. Both=0 → IBSS data frames, all management frames and all control frames.
More Frags (1b)
Set in all but the last fragment of a fragmented MSDU. Receiver buffers fragments until this bit is 0. Fragment number + Sequence number in Sequence Control field used for reassembly.
Retry (1b)
Set when this frame is a retransmission of a previous unacknowledged frame. Receiver uses Retry bit + Sequence number to detect and discard duplicates. Required for reliable delivery.
Pwr Mgmt (1b)
Power Management. Only meaningful in frames sent by a non-AP STA (an AP always transmits it as 0). The value announces the power mode the STA will be in once the current frame exchange completes: PM=1 → the STA enters PS mode and the AP starts buffering frames for it; PM=0 → the STA is in active mode. A sleeping STA signals that it is awake again by sending any frame with PM=0.
More Data (1b)
Set by AP when it has additional buffered frames for a power-saving STA. STA should not go back to sleep yet - more frames are waiting. Used in conjunction with PS-Poll frames.
Protected (1b)
Protected Frame bit (formerly the WEP bit). Set when the frame body is encrypted: CCMP, GCMP, TKIP or WEP. With PMF (802.11w) negotiated it is also set on unicast robust management frames (Deauth, Disassoc, most Action frames), which are CCMP/GCMP-encrypted under the PTK. Group-addressed robust management frames are protected differently: BIP with the IGTK appends a Management MIC element (tag number 76) in the clear and leaves the Protected bit at 0, so a broadcast Deauth with protected=0 is not by itself evidence that PMF failed - check for the MMIE instead.
+HTC/ Order (1b)
In QoS Data frames and in management frames: +HTC, meaning a 4 B HT Control field is present, placed after QoS Control (QoS Data) or after Sequence Control (management), immediately before the frame body. Which variant it is (HT, VHT or HE) is signalled inside the HT Control field itself, not by this bit. In non-QoS data frames the bit is the legacy Order flag for the StrictlyOrdered service class - rarely used.

All MAC Header Fields

Frame Control
2
@0
16 bits. Protocol Version (2), Type (2), Subtype (4), To DS (1), From DS (1), More Fragments (1), Retry (1), Power Management (1), More Data (1), Protected (1), +HTC/Order (1). Present in every 802.11 frame.
Duration/ID
2
@2
Context-dependent. Most frames: bit 15=0, bits 14-0 = NAV duration in µs (0–32,767). PS-Poll: bits 15 and 14 both 1, bits 13-0 = the sending STA's AID (1–2007), so a PS-Poll for AID 1 carries 0xC001. Bit 15=1 with bits 14-0 all 0 is the fixed value 32,768 used within a contention-free period. CF-End: Duration=0. See IEEE 802.11-2020 §9.2.4.2 (Duration/ID field).
Address 1
6
@4
Receiver Address (RA) - the immediate next-hop recipient. For unicast: a specific MAC. For broadcast: FF:FF:FF:FF:FF:FF. For multicast: the group bit (LSB of the first octet) is set, e.g. 01:00:5E:xx:xx:xx for IPv4 and 33:33:xx:xx:xx:xx for IPv6 groups. Which logical role it carries (DA, BSSID or RA) depends on the ToDS/FromDS bits.
Address 2
6
@10
Transmitter Address (TA) - the device that placed this frame on the medium. Always the MAC of the transmitting radio. Absent in CTS and ACK control frames (which are only 14B).
Address 3
6
@16
BSSID, SA, or DA depending on ToDS/FromDS. In most management frames: BSSID of the BSS. In uplink (ToDS=1): Destination Address. In downlink (FromDS=1): Source Address. See Address field mode table.
Sequence Control
2
@22
Fragment Number (bits 3-0): which fragment of the MSDU this is (0 for unfragmented). Sequence Number (bits 15-4): 12-bit counter, wraps 4095 → 0. Non-QoS data and management frames share one counter per transmitting STA; QoS Data frames keep a separate counter per TID (per receiver address and TID), so sequence numbers seen on different TIDs from the same STA are independent. Used together with the Retry bit for duplicate detection.
Address 4
6
@24
Present ONLY when both ToDS=1 and FromDS=1 (WDS/Mesh 4-address frames). In WDS: the Source Address (SA). In 802.11s mesh: the mesh Source Address; when the end points are proxied, the Mesh Control field in the frame body can carry two further addresses (Address 5 and Address 6). Absent in all other frames.
QoS Control
2
@varies
Present in every QoS Data subtype (subtypes 8–15, i.e. subtype bit 3 set: QoS Data, QoS Null, QoS Data+CF-Ack, ...). Management frames never carry a QoS Control field. TID (bits 3-0): Traffic Identifier; values 0–7 are user priorities that map to the WMM Access Categories. EOSP (bit 4): End of Service Period. ACK Policy (bits 6-5): 00=Normal ACK, 01=No ACK, 10=No explicit ACK / PSMP ACK, 11=Block ACK. A-MSDU Present (bit 7): the body is an aggregate of MSDUs. Bits 15-8: TXOP Limit, TXOP Duration Requested, Queue Size or AP PS Buffer State, depending on the sender and frame.
HT Control
4
@varies
Present when the +HTC bit is set in Frame Control. The variant is selected by the low-order bits of the field: B0=0 → HT variant (Link Adaptation Control, calibration, CSI/feedback request); B0=1, B1=0 → VHT variant (MFB/MRQ link adaptation); B0=1, B1=1 → HE variant, carrying a list of A-Control subfields such as OM (operating mode), BSR (buffer status), UPH (UL power headroom) and BQR (bandwidth query). Always the last field before the Frame Body.
Frame Body
variable
@varies
Type-specific payload. Management frames: IEs (Information Elements). Data frames: MSDU (IP/ARP/DHCP payload). Control frames: type-specific fixed fields (e.g., Block ACK bitmap). Maximum MSDU: 2304 bytes. A-MSDU extends to 7935B (n) or 11426B (ac+).
FCS
4
@last
Frame Check Sequence. CRC-32 over all fields except FCS itself. Computed by transmitter, verified by receiver. Failed FCS → frame discarded, no ACK, retransmission triggered. Adapter drivers typically strip FCS before delivery to OS - Wireshark can be configured to show it.

Address Field Modes - ToDS + FromDS

The meaning of each Address field changes based on the ToDS and FromDS bits. This is one of the most commonly misunderstood aspects of the 802.11 MAC header.

ToDS  FromDS  Addr 1             Addr 2             Addr 3             Addr 4        Use case
0     0       DA (Destination)   SA (Source)        BSSID              -             IBSS (ad-hoc) data frames; management frames in infrastructure mode
0     1       DA (Destination)   BSSID              SA (Source)        -             AP → STA (downlink). AP is distributing from DS to STA.
1     0       BSSID              SA (Source)        DA (Destination)   -             STA → AP (uplink). STA sends to AP for forwarding into DS.
1     1       RA (Receiver)      TA (Transmitter)   DA (Destination)   SA (Source)   WDS bridge / 802.11s Mesh. 4-address frame for inter-AP or inter-mesh-node forwarding.
CWAP EXAM NOTE

In a typical infrastructure BSS, most frames are ToDS=1/FromDS=0 (uplink) or ToDS=0/FromDS=1 (downlink). Management frames use ToDS=0/FromDS=0 - the BSSID goes in Addr3, regardless of which device sends them. Mesh and WDS frames are the only frames with Addr4 present.
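The header layout above, the Frame Control bit positions and the ToDS/FromDS address-role table in runnable form. This is an added example written for this page, not code from the original or from any capture tool: it decodes Frame Control (read little-endian), Duration/ID including the PS-Poll AID case, the three or four address fields with their role names, Sequence Control, the optional QoS Control and HT Control fields, and verifies the CRC-32 FCS. The three frames it builds (a protected QoS Data uplink, a 14-byte ACK and a PS-Poll) and every MAC address in them are constructed for illustration, not captured traffic; the dictionary keys it returns are the example's own names.

```python
import struct
import zlib

# Added example, not code from the original page. Sample frames are constructed.
SUBTYPE_NAMES = {
    (0, 0): "Association Request", (0, 1): "Association Response",
    (0, 4): "Probe Request", (0, 5): "Probe Response", (0, 8): "Beacon",
    (0, 10): "Disassociation", (0, 11): "Authentication",
    (0, 12): "Deauthentication", (0, 13): "Action",
    (1, 10): "PS-Poll", (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK",
    (2, 0): "Data", (2, 4): "Null", (2, 8): "QoS Data", (2, 12): "QoS Null",
}
# Address roles by (ToDS, FromDS), as in the mode table above.
ADDR_ROLES = {
    (0, 0): ("DA", "SA", "BSSID"),
    (0, 1): ("DA", "BSSID", "SA"),
    (1, 0): ("BSSID", "SA", "DA"),
    (1, 1): ("RA", "TA", "DA", "SA"),
}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame_control(fc):
    """Split the 16-bit Frame Control value (read little-endian) into subfields."""
    return {
        "version": fc & 0x3, "type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
        "to_ds": (fc >> 8) & 1, "from_ds": (fc >> 9) & 1, "more_frag": (fc >> 10) & 1,
        "retry": (fc >> 11) & 1, "pwr_mgmt": (fc >> 12) & 1, "more_data": (fc >> 13) & 1,
        "protected": (fc >> 14) & 1, "htc_order": (fc >> 15) & 1,
    }


def decode_duration_id(value, is_ps_poll):
    """NAV in microseconds, or the AID when a PS-Poll has bits 15 and 14 set."""
    if is_ps_poll and (value >> 14) == 0b11:
        return {"aid": value & 0x3FFF}
    return {"nav_us": value} if not value & 0x8000 else {"reserved": value}


def parse_mac_header(frame, fcs_present=True):
    """Decode one MPDU: Frame Control, Duration/ID, addresses with their roles,
    Sequence Control, optional Addr4/QoS/HT Control, body offset and FCS status."""
    if fcs_present:
        mpdu, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
        fcs_ok = zlib.crc32(mpdu) == fcs     # CRC-32 over every field except the FCS
    else:
        mpdu, fcs_ok = frame, None
    fc_raw, dur = struct.unpack_from("<HH", mpdu, 0)
    fc = parse_frame_control(fc_raw)
    if fc["version"] != 0:
        raise ValueError("non-zero Protocol Version: a receiver discards this frame")
    name = SUBTYPE_NAMES.get((fc["type"], fc["subtype"]), "unknown")
    hdr = {"fc": fc, "name": name, "fcs_ok": fcs_ok,
           "type_subtype": (fc["type"] << 4) | fc["subtype"],   # Wireshark's wlan.fc.type_subtype
           "duration_id": decode_duration_id(dur, name == "PS-Poll"),
           "addrs": {"RA": mac_str(mpdu[4:10])}}                # Address 1 is always the RA
    if fc["type"] == 1:                                   # control frames: no Addr3, no SeqCtrl
        hdr["body_offset"] = 10
        if name not in ("CTS", "ACK"):                    # CTS/ACK are the 14-byte minimum
            hdr["addrs"]["TA"] = mac_str(mpdu[10:16])
            hdr["body_offset"] = 16
        return hdr
    roles = ADDR_ROLES[(fc["to_ds"], fc["from_ds"])]
    for i, role in enumerate(roles[:3]):
        hdr["addrs"][role] = mac_str(mpdu[4 + 6 * i:10 + 6 * i])
    seq_ctrl = struct.unpack_from("<H", mpdu, 22)[0]
    hdr["frag"], hdr["seq"] = seq_ctrl & 0xF, seq_ctrl >> 4
    offset = 24
    if len(roles) == 4:                                   # Addr4 only when ToDS=FromDS=1
        hdr["addrs"]["SA"] = mac_str(mpdu[24:30])
        offset = 30
    if fc["type"] == 2 and fc["subtype"] & 0x8:           # QoS Data subtypes carry QoS Control
        qos = struct.unpack_from("<H", mpdu, offset)[0]
        hdr["qos"] = {"tid": qos & 0xF, "eosp": (qos >> 4) & 1,
                      "ack_policy": (qos >> 5) & 0x3, "amsdu": (qos >> 7) & 1}
        offset += 2
    if fc["htc_order"] and (fc["type"] == 0 or "qos" in hdr):   # +HTC: HT Control present
        hdr["ht_control"] = struct.unpack_from("<I", mpdu, offset)[0]
        offset += 4
    hdr["body_offset"] = offset
    return hdr


def build_sample_frames():
    """Constructed frames (not captures); each gets a valid little-endian FCS appended."""
    ap, sta = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    server = bytes.fromhex("ccddeeff0011")
    qos_uplink = (bytes.fromhex("8841") + struct.pack("<H", 44)      # QoS Data, ToDS=1, Protected
                  + ap + sta + server + struct.pack("<H", 1234 << 4)  # seq 1234, fragment 0
                  + struct.pack("<H", 6) + bytes(16))                 # TID 6 + placeholder body
    ack = bytes.fromhex("d400") + struct.pack("<H", 0) + sta           # 14 bytes once FCS is added
    ps_poll = bytes.fromhex("a400") + struct.pack("<H", 0xC001) + ap + sta   # AID 1
    frames = {"qos_uplink": qos_uplink, "ack": ack, "ps_poll": ps_poll}
    return {k: f + struct.pack("<I", zlib.crc32(f)) for k, f in frames.items()}


if __name__ == "__main__":
    for label, frame in build_sample_frames().items():
        print(label, parse_mac_header(frame))
```

Pass fcs_present=False for captures in which the driver stripped the FCS (the radiotap Flags field tells you). The type_subtype value is the one wlan.fc.type_subtype matches on, so the constructed QoS Data frame decodes to 0x28, and flipping any byte of the ACK makes fcs_ok False, which is what Wireshark reports as a bad FCS.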

Sequence Control - Duplicate Detection

Sequence Control (16 bits): Fragment Number in bits 3-0, Sequence Number in bits 15-4.
Fragment Number (4 bits): which fragment this is (0 for unfragmented, 1-15 for subsequent fragments). Sequence Number (12 bits, 0-4095): incremented once per MSDU or MMPDU; non-QoS data and management frames share one counter per transmitting STA, QoS Data frames use one counter per receiver address and TID. Wraps at 4095 → 0.
DUPLICATE DETECTION

The receiver keeps a cache of the <Address 2, TID, Sequence Number, Fragment Number> tuple of the frames it most recently accepted. An incoming frame is discarded as a duplicate only if its Retry bit is set AND the tuple matches a cached entry. The Retry bit is essential: a matching sequence number on its own could be a new frame after the 12-bit counter wrapped, so a frame with Retry=0 is always treated as new.
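The receiver cache in code, as an added example that is not the page's own: it remembers the <seq, frag> pair of the last frame accepted from each <TA, TID> and drops a frame only when Retry=1 and the pair matches. The frame sequence fed through it is a constructed list of already-decoded header fields (the transmitter addresses are made up), not a capture; it covers a plain retransmission, the same sequence number on a different TID, a fragmented MSDU, the 4095 → 0 wrap and a Retry=1 frame whose first copy was never seen.

```python
# Added example, not code from the original page.
class DuplicateDetector:
    """Receiver-side duplicate cache keyed on <TA, TID>, storing <seq, frag>."""

    def __init__(self):
        self.last = {}   # (TA, TID) -> (seq, frag) of the last accepted frame

    def accept(self, ta, seq, frag, retry, tid=None):
        """Return True if the frame is delivered, False if dropped as a duplicate."""
        key = (ta, tid)              # non-QoS frames share one counter (tid=None)
        seq_ctrl = (seq, frag)
        if retry and self.last.get(key) == seq_ctrl:
            return False             # retransmission of a frame already delivered
        # Retry=0 with an identical tuple is a fresh MSDU after the counter wrapped.
        self.last[key] = seq_ctrl
        return True


def run_constructed_sequence():
    """Feed a hand-built (not captured) frame list through the detector.
    Returns (seq, frag, retry, accepted) per frame."""
    sta, other = "66:77:88:99:aa:bb", "de:ad:be:ef:00:01"
    frames = [                 # (TA, seq, frag, retry, TID)
        (sta, 1234, 0, 0, 6),  # first transmission on TID 6 -> accepted
        (sta, 1234, 0, 1, 6),  # ACK lost, STA retransmits: Retry=1, same tuple -> dropped
        (sta, 1234, 0, 1, 0),  # same seq on TID 0: separate counter, nothing cached -> accepted
        (sta, 1235, 0, 0, 6),  # fragmented MSDU, fragment 0
        (sta, 1235, 1, 0, 6),  # fragment 1
        (sta, 1235, 1, 1, 6),  # fragment 1 retransmitted -> dropped
        (sta, 1235, 2, 0, 6),  # last fragment (More Frags = 0 on the wire)
        (sta, 4095, 0, 0, 6),  # counter about to wrap
        (sta, 0, 0, 0, 6),     # wrapped to 0 -> accepted, it is a new MSDU
        (sta, 0, 0, 1, 6),     # retransmission after the wrap -> dropped
        (other, 0, 0, 1, 6),   # Retry=1 but first copy never seen from this TA -> accepted
    ]
    det = DuplicateDetector()
    return [(seq, frag, retry, det.accept(ta, seq, frag, retry, tid))
            for ta, seq, frag, retry, tid in frames]


if __name__ == "__main__":
    for row in run_constructed_sequence():
        print(row)
```

The per-TID key is why a Wireshark filter on wlan.seq alone can show the same number twice from one STA without either frame being a retransmission: a QoS STA runs one counter per TID, and only the wlan.fc.retry bit distinguishes a duplicate from a reuse.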

Wireshark Filters

Management frames only
wlan.fc.type == 0
Control frames only
wlan.fc.type == 1
Data frames only
wlan.fc.type == 2
Protected (encrypted) frames
wlan.fc.protected == 1
Retry frames
wlan.fc.retry == 1
Power-save frames (from sleeping STA)
wlan.fc.pwrmgt == 1
4-address frames (WDS/Mesh)
wlan.fc.tods == 1 && wlan.fc.fromds == 1
Uplink STA → AP
wlan.fc.tods == 1 && wlan.fc.fromds == 0
Downlink AP → STA
wlan.fc.tods == 0 && wlan.fc.fromds == 1
QoS Data frames
wlan.fc.type_subtype == 0x28
Specific sequence number
wlan.seq == 1234
FCS errors
wlan.fcs.status == "Bad"
// related reference
Frame Types Reference →
Frame Control Decoder →
IE Catalog →
Frame Sequences →
NAV & RTS/CTS →