802.11 PROTOCOL INTELLIGENCE

NAV & Hidden Node - Virtual Carrier Sense

Physical carrier sense (CCA) detects energy on the channel. But it only works if you can hear the transmitter. NAV (Network Allocation Vector) extends carrier sense to devices that cannot physically detect an ongoing transmission - the foundation for solving the hidden node problem via RTS/CTS.

IEEE 802.11-2020 §10.23 | MAC Layer - DCF | CWNA / CWAP Domain

The hidden node problem does not show up in the AP's association table. It shows up as retransmission counts that do not correlate with RSSI - devices far enough apart that physical carrier sense fails, but both in range of the same AP.

// quick wireshark filters - NAV, RTS/CTS, virtual carrier sense
wlan.fc.type_subtype == 0x1b // RTS frames. Frame size that triggered it visible in Duration field.
wlan.fc.type_subtype == 0x1c // CTS frames. Duration = RTS Duration minus SIFS minus CTS time. Sets NAV on all listeners.
wlan.duration > 1000 // Duration field > 1 ms. Large TXOP or RTS protection in progress.
wlan.fc.type_subtype == 0x1b || wlan.fc.type_subtype == 0x1c // Full RTS/CTS exchange. Sequence: RTS → CTS → DATA → ACK with SIFS spacing.
wlan.fc.retry == 1 && wlan.fc.type == 2 // Retransmitted data frames. Persistent retries with no RTS/CTS = possible hidden node.
Full filter reference → /wireshark-filters

Virtual Carrier Sense - How NAV Works

Every 802.11 MAC frame carries a Duration/ID field (2 bytes, bytes 3–4 of the MAC header). In most frame types this field encodes the number of microseconds the medium will be busy - including the current frame plus any expected response frames (SIFS + ACK, or SIFS + CTS + SIFS + DATA + SIFS + ACK for RTS). Any STA that receives and decodes this frame updates its NAV timer to the Duration value if it is larger than the current NAV.

PHYSICAL CARRIER SENSE (CCA)

Detect RF energy above the CCA threshold on the channel. If energy detected → channel busy → defer. Range-limited: only works if you can physically hear the transmission (~100–200 m outdoors).

Limitation: hidden nodes are out of range

VIRTUAL CARRIER SENSE (NAV)

When a STA receives any frame addressed to another STA, it reads the Duration field and sets its NAV countdown timer. Even if it cannot hear the transmitter, it heard the receiver and now knows the channel is reserved for Duration µs.

Result: effective medium reservation across hidden nodes

NAV TIMER LIFECYCLE
1. Frame received
STA receives any 802.11 frame (addressed to AP, to another STA, or broadcast)
2. Duration field read
MAC extracts Duration/ID field bytes. Duration = time medium is reserved in µs.
3. NAV update
If Duration > current NAV → set NAV = Duration. If Duration ≤ current NAV → no update (NAV already covers it).
4. NAV countdown
NAV decrements at 1 µs per µs of real time while channel is (virtually) busy.
5. Medium available
When NAV = 0 AND physical CCA clear → STA may begin DIFS + backoff procedure.
DURATION FIELD ENCODING - IEEE 802.11-2020 §9.3.1.3
Bit 15 = 0, bits 14–0: Duration in µs (0–32767). Used in most data and management frames.
Bit 15 = 1, bit 14 = 0: Association ID (AID) in PS-Poll frames (bits 13–0 = AID). Not a duration.
Duration = 0: Set in DTIM Beacon, Broadcast/Multicast frames - no NAV reservation needed.
DATA frame Duration: SIFS + ACK time. e.g., 5 GHz OFDM: 16 + 28 = 44 µs.
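The Duration/ID decoding and the NAV update rule above, worked through in code. This is an added example, not code from the page: the frames, MAC addresses and Duration values are constructed, only the 4-byte Frame Control + Duration/ID prefix of each header is built, and the replay treats each timestamp as the end of the received frame.

```python
import struct

# Constructed frames, not taken from a capture. MAC addresses are hypothetical;
# the FCS is omitted because only the FC + Duration/ID prefix is decoded here.
STA_A = bytes.fromhex("020000000001")
STA_B = bytes.fromhex("020000000003")
AP = bytes.fromhex("020000000002")

def build_frame(fc_byte0, dur_id, *addrs):
    """Minimal 802.11 header: Frame Control (2B, LE), Duration/ID (2B, LE), addresses."""
    return bytes([fc_byte0, 0x00]) + struct.pack("<H", dur_id) + b"".join(addrs)

def parse_header(frame):
    """Return (Wireshark-style type_subtype, duration in us or None)."""
    fc, dur_id = struct.unpack_from("<HH", frame, 0)
    type_subtype = (((fc >> 2) & 0x3) << 4) | ((fc >> 4) & 0xF)
    # Bit 15 clear: bits 14-0 are microseconds. Bit 15 set: the field carries an
    # AID or another non-duration encoding and must not update the NAV.
    duration = None if dur_id & 0x8000 else dur_id & 0x7FFF
    return type_subtype, duration

def update_nav(nav_end_us, now_us, duration):
    """Lifecycle step 3: adopt the new reservation only if it outlasts the current NAV."""
    if duration is None:
        return nav_end_us
    return max(nav_end_us, now_us + duration)

def nav_trace(overheard):
    """Replay (end-of-frame time in us, frame) pairs through one STA's NAV and
    return (time, type_subtype, duration, NAV remaining) after each frame."""
    nav_end, log = 0, []
    for t, frame in overheard:
        ts, dur = parse_header(frame)
        nav_end = update_nav(nav_end, t, dur)
        log.append((t, ts, dur, max(0, nav_end - t)))
    return log

# What hidden STA C overhears: it cannot hear STA A's RTS, only the AP's CTS.
# FC byte 0 = subtype<<4 | type<<2: CTS 0xC4 (0x1c), data 0x08 (0x20), ACK 0xD4 (0x1d).
# Duration values are illustrative 5 GHz OFDM numbers (CTS 288 us = DATA+SIFS+ACK).
OVERHEARD_BY_C = [
    (0, build_frame(0xC4, 288, STA_A)),           # CTS: NAV := 288 us
    (100, build_frame(0x08, 44, AP, STA_B, AP)),  # 100+44 < 288: NAV unchanged
    (300, build_frame(0xD4, 0, STA_B)),           # NAV already expired; ACK carries 0
]

if __name__ == "__main__":
    for row in nav_trace(OVERHEARD_BY_C):
        print("t=%4d us  type_subtype=0x%02x  duration=%s  NAV remaining=%d us" % row)
```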

The Hidden Node Problem

The hidden node problem occurs when two STAs are both within range of the AP but out of range of each other. Physical CCA tells each STA the channel is clear - but when both transmit simultaneously, their signals collide at the AP.

[Figure: STA A (Device A) and STA C (Device C) are out of range of each other but both in range of the AP. COLLISION at AP → FCS fail → no ACK → retry → CW doubles]
Why CCA fails here

STA A performs CCA - channel appears idle (C is out of range, A cannot hear C). STA C performs CCA - channel appears idle (A is out of range). Both proceed independently to DIFS + backoff. Both backoff timers may expire at similar times → both transmit → collision at AP.

AP FCS failure

AP receives overlapping signals from A and C simultaneously. The combined waveform cannot be decoded, the FCS check fails, and the AP discards the frame(s) and sends no ACK. Both A and C time out waiting for the ACK (SIFS + ACK timeout, at least DIFS + one ACK slot).

Exponential backoff consequence

Both A and C interpret no-ACK as collision → double their CW (Contention Window). Next backoff drawn from doubled CW. If this keeps happening → CW grows to CWmax (1023 slots) → throughput collapse. Hidden node can reduce AP throughput by 40-60% in dense deployments.

RTS/CTS - The Solution

RTS/CTS (Request to Send / Clear to Send) adds a two-frame handshake before the data exchange. The CTS frame - transmitted by the AP and heard by both A and C - carries a Duration field that sets NAV on all nearby STAs, preventing them from transmitting during the upcoming data exchange.

PROTECTED EXCHANGE SEQUENCE
DIFS + Backoff → RTS (20B) → SIFS → CTS (14B) → SIFS → DATA → SIFS → ACK
RTS: STA A transmits. CTS: AP responds (heard by ALL). STA C sets NAV from the CTS and stays silent through DATA and ACK.
RTS FRAME (20 bytes)
Frame Control 2B - Type=01 (Control), Subtype=1011 (RTS)
Duration 2B - time for CTS+SIFS+DATA+SIFS+ACK in µs
RA (Receiver) 6B - destination AP MAC
TA (Transmitter) 6B - STA A MAC
FCS 4B
CTS FRAME (14 bytes)
Frame Control 2B - Type=01, Subtype=1100 (CTS)
Duration 2B - time for DATA+SIFS+ACK in µs (RTS duration minus SIFS minus CTS)
RA (Receiver) 6B - STA A MAC (copied from RTS TA)
FCS 4B
STA C receives CTS → reads Duration → sets NAV → stays silent for DATA+ACK
CTS-TO-SELF - THE LIGHTWEIGHT ALTERNATIVE

An AP operating in mixed b/g mode uses CTS-to-self instead of RTS/CTS when non-ERP STAs are present. The AP sends a CTS addressed to itself using a legacy OFDM rate. All legacy STAs decode the CTS (they understand legacy rates) and set NAV. This protects the subsequent HT/VHT/HE transmission from interference by legacy STAs. Half the overhead of RTS/CTS - only one protection frame instead of two.

dot11RTSThreshold - WHEN TO USE RTS/CTS

RTS/CTS adds roughly 110 µs of overhead (RTS + SIFS + CTS + SIFS). For small frames, this overhead exceeds the benefit. IEEE 802.11 defines dot11RTSThreshold - RTS/CTS is only used when MPDU length exceeds this value. Default: 2,347 bytes (effectively disabled). Optimal in high-density deployments: 500–750 bytes. Never set to 0 (sends RTS for every frame including small ones - massive overhead).
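An added example (not from the page) that computes the Duration values the RTS, CTS, DATA and ACK frames above carry, the protection overhead, and the dot11RTSThreshold check. It assumes 5 GHz legacy OFDM timing (SIFS 16 µs, 20 µs preamble, 4 µs symbols, 16 SERVICE + 6 tail bits), control frames at 24 Mbps and a 1500-byte data frame at 54 Mbps; those rates and sizes are assumptions, not values from the text.

```python
import math

# 5 GHz legacy OFDM PHY timing (802.11a numbers, reused as the legacy preamble by
# n/ac/ax). Times in microseconds; frame lengths in bytes including the FCS.
SIFS_US = 16
PREAMBLE_US = 20          # 16 us training sequences + 4 us SIGNAL symbol
SYMBOL_US = 4
RTS_LEN, CTS_LEN, ACK_LEN = 20, 14, 14
RTS_THRESHOLD_DEFAULT = 2347   # dot11RTSThreshold default quoted in the text

def ofdm_tx_time(mpdu_bytes, rate_mbps):
    """Airtime of one legacy OFDM PPDU: preamble + ceil((8*len + 22) / bits per symbol) symbols."""
    bits_per_symbol = rate_mbps * SYMBOL_US
    return PREAMBLE_US + SYMBOL_US * math.ceil((8 * mpdu_bytes + 22) / bits_per_symbol)

def rts_required(mpdu_bytes, threshold=RTS_THRESHOLD_DEFAULT):
    """RTS/CTS is used only when the MPDU length exceeds dot11RTSThreshold."""
    return mpdu_bytes > threshold

def protected_exchange(data_bytes, data_rate_mbps, ctrl_rate_mbps=24):
    """Duration/ID value each frame of RTS -> CTS -> DATA -> ACK carries, plus the
    protection overhead (RTS + SIFS + CTS + SIFS) the handshake adds."""
    rts = ofdm_tx_time(RTS_LEN, ctrl_rate_mbps)
    cts = ofdm_tx_time(CTS_LEN, ctrl_rate_mbps)
    data = ofdm_tx_time(data_bytes, data_rate_mbps)
    ack = ofdm_tx_time(ACK_LEN, ctrl_rate_mbps)
    rts_dur = cts + SIFS_US + data + SIFS_US + ack   # medium time after the RTS ends
    cts_dur = rts_dur - SIFS_US - cts                 # = DATA + SIFS + ACK
    data_dur = SIFS_US + ack                          # same value an unprotected data frame carries
    return {
        "rts_duration": rts_dur, "cts_duration": cts_dur,
        "data_duration": data_dur, "ack_duration": 0,
        "overhead_us": rts + SIFS_US + cts + SIFS_US,
    }

if __name__ == "__main__":
    for size in (200, 1500):
        print(size, "bytes, RTS at threshold 500:", rts_required(size, 500), protected_exchange(size, 54))
```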

The Exposed Node Problem - The Other Side

The exposed node problem is the inverse of hidden node. STA B can hear STA A transmitting to AP1. B defers - even though B could safely transmit to AP2 (which is out of A's range). B is unnecessarily prevented from transmitting by carrier sense it doesn't need to obey. This reduces overall network efficiency.

TOPOLOGY
AP1 ←→ STA A ←→ STA B ←→ AP2
STA A is transmitting to AP1. STA B can hear A → B defers.
But B's transmission to AP2 would not interfere with A→AP1 (AP2 is out of A's range).
B is unnecessarily deferring - this is the exposed node inefficiency.

RTS/CTS partially mitigates the exposed node problem in some topologies. 802.11ax OFDMA-based spatial reuse (OBSS_PD) addresses it more broadly by allowing non-OBSS STAs to transmit simultaneously at reduced power when BSS Color indicates a different BSS.

Identifying NAV and RTS/CTS in PCAP

FC Type=01 Subtype=1011 (0xB)
RTS frame - look for RA (AP), TA (STA), Duration field (covers CTS+SIFS+DATA+SIFS+ACK)
FC Type=01 Subtype=1100 (0xC)
CTS frame - RA = STA that sent RTS. Duration = RTS Duration − SIFS − CTS time.
Duration field in DATA frame
Read the Duration field (bytes 3-4). Should equal SIFS + ACK transmission time (~44 µs at 5 GHz OFDM 6 Mbps).
Frames back-to-back with SIFS spacing
RTS → (SIFS) → CTS → (SIFS) → DATA → (SIFS) → ACK. SIFS = 16 µs at 5 GHz. Look for this 4-frame burst pattern.
Repeated frames with growing inter-frame gaps
Exponential backoff in progress - likely hidden node or heavy contention. CW doubling visible as increasing time between retries.
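A detection heuristic for the retransmission symptom described above and in the filter list near the top (retries that do not track RSSI, with no RTS/CTS on the air), as an added example rather than tooling from the page. The records are constructed, not a real capture; their fields mirror what a tshark export of wlan.ta, wlan.fc.type_subtype, wlan.fc.retry and radiotap.dbm_antsignal would contain, and the 30 % retry ratio and -65 dBm cut-off are assumed thresholds to tune per site.

```python
from statistics import median

def rec(ta, retry, rssi, ts=0x20):
    """One per-frame record: transmitter, type_subtype, retry bit, signal in dBm."""
    return {"ta": ta, "ts": ts, "retry": retry, "rssi": rssi}

# Constructed sample, not a real capture (MAC addresses replaced by labels).
FRAMES = (
    [rec("STA_A", 0, -55)] * 3 + [rec("STA_A", 1, -56)] * 3            # strong signal, 50% retries, no RTS
    + [rec("STA_B", 0, -60)] * 5                                       # healthy client
    + [rec("STA_D", 0, -82)] * 2 + [rec("STA_D", 1, -83)] * 2          # retries explained by weak signal
    + [rec("STA_E", 0, -50, ts=0x1B)] * 2 + [rec("STA_E", 1, -50)] * 2  # retries, but RTS protection in use
    + [rec("STA_E", 0, -50)] * 2
)

def summarize(frames):
    """Per transmitter: data frame count, retried data frames, RTS count, data-frame RSSI samples."""
    per_ta = {}
    for f in frames:
        s = per_ta.setdefault(f["ta"], {"data": 0, "retries": 0, "rts": 0, "rssi": []})
        if f["ts"] == 0x1B:                 # wlan.fc.type_subtype == 0x1b, RTS
            s["rts"] += 1
        elif (f["ts"] >> 4) == 2:           # wlan.fc.type == 2, data
            s["data"] += 1
            s["retries"] += f["retry"]
            s["rssi"].append(f["rssi"])
    return per_ta

def hidden_node_suspects(frames, retry_ratio=0.3, good_rssi_dbm=-65):
    """Flag STAs retried often despite a good signal and with no RTS/CTS in use:
    returns sorted (ta, retry ratio, median RSSI) tuples."""
    out = []
    for ta, s in summarize(frames).items():
        if not s["data"]:
            continue
        ratio = s["retries"] / s["data"]
        rssi = median(s["rssi"])
        if ratio >= retry_ratio and rssi >= good_rssi_dbm and s["rts"] == 0:
            out.append((ta, round(ratio, 2), rssi))
    return sorted(out)

if __name__ == "__main__":
    for ta, ratio, rssi in hidden_node_suspects(FRAMES):
        print(f"{ta}: retry ratio {ratio:.2f} at median {rssi} dBm, no RTS seen -> possible hidden node")
```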
WIRESHARK FILTERS
wlan.fc.type_subtype == 0x1b // RTS frames
wlan.fc.type_subtype == 0x1c // CTS frames
wlan.duration > 1000 // Duration > 1ms - may indicate large TXOP or RTS protection