Frame Format
Wireless frames are a little different from Ethernet frames. The Ethernet frame starts with a “preamble” and a “Start-of-Frame Delimiter (SFD).” This is the PHY frame—the wireless frame has this as well, but it is more complex. In this blog, I want to explain the MAC frame. The MAC frame in the Ethernet frame is also less complex than the one in a wireless frame. All MAC frames have a Destination Address, a Source Address, Length/Type, and a Frame Check Sequence (FCS). If you look into the wireless frames, as said, they are a little more complex, as you can see in the screenshot. The Frame Body and FCS are part of the MAC frame, but they are not part of the MAC header.
There are differences between the different amendments in frames as well. In 802.11-2007 the Frame Body field changed from 2312 octets to 2304 octets. Another change was adding 2 octets for the QoS field. With the amendment of 802.11n we got a new change in the Frame Body. Last time it was reduced, but thanks to aggregated frames (A-MSDU), the Frame Body can be 0-7951 octets. A second change is a new field, named the HT Control (4 Octets). The last change was in 2013 when the Frame Body became variable.
802.11-2007
802.11-2012, 802.11n
802.11-2013, 802.11ac
MAC header
If we unravel the MAC header in the trace above, first you see the Frame Control. After the Frame Control come 2 octets of Duration/ID (this is the NAV, which is used in CSMA). The Frame Control field will be discussed later.
In this blog, I want to dive into the 3 addresses that a frame—mostly—has. I was expecting to see 3 addresses in Wireshark as well. Wireshark showed me 6 addresses, so I was confused. When you examine the addresses more closely, you see only 3 unique addresses. In a To DS (1) From DS (0) situation, the Receiver Address is the same as the BSSID, the Transmitter Address is the same as the Source Address, and the third address is the Destination Address. So Wireshark shows all the possible addresses, and the last address that Wireshark shows is the STA address. In this situation, client to an Access Point, the STA address is the same as the TA, which is the same as the SA.
Below the addresses you see the sequence number. The sequence number is a 16-bit (2 octets) field that consists of 4 bits for the Fragment Number and 12 bits for the Sequence Number. The Fragment Number starts with 0 for the first (or only) fragment and is incremented for all the other fragments that come after the first fragment.
After the sequence number, you have the Frame Check Sequence (FCS) and the QoS Control.
If you check other frames, you see different headers. Focus on the change in the addresses.
RTS
An RTS frame has a Receiver Address and a Transmitter address.
CTS
A CTS frame has only a Receiver Address. This is always to the client. With a CTS-to-Self the Receiver Address is the same as the Transmitter Address, but you don’t use the Transmitter Address in a CTS frame.
ACK
The same goes for an ACK, which is always from the Access Point to the client. Here too, you see only the Receiver Address.
Okay, back to the MAC header. As already stated, there are 4 different address fields. Most of the time only the first 3 are used, and that is probably the reason why the 4th address comes not after the third but after the Sequence Control. In the Frame Control there are two bits, named To DS and From DS. If To DS or From DS is set to ‘1’, it means the frame is going to or coming from the Distribution System. Those two fields are each 1 bit, so the possibilities are 00, 01, 10, and 11.
00 means communication between two clients without a Distribution System; in most cases this is an IBSS (Ad-Hoc).
01 means communication from the AP to a Client
10 means communication from a client to an AP
11 means communication between two Distribution Systems. Mesh networks or wireless bridge networks don’t use any clients in their communication. This is the only situation where the frame header has 4 addresses.
If you go back to the first part of this blog, you see in the Wireshark trace the 6 different addresses. This is a “To DS 1 and a From DS 0” situation, so if you go back to the addresses you can see that the RA is the same as the BSSID, the TA is the same as the SA, and the third address is the DA. So, the conclusion is that Wireshark shows all the addresses (RA, TA, DA, SA, BSSID and STA) and not just 3 unique addresses for the fields Address 1, 2, and 3. It was different than I assumed, but it makes sense when you look into it.
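The mapping described above can be reproduced with a small header parser. This is an added example, not code from the original blog: the function and table names are hypothetical, the sample frame is constructed rather than captured, and it goes beyond the To DS 1 / From DS 0 case by applying the standard 802.11 data-frame address roles for all four bit combinations. It does not model the STA label that Wireshark derives.

```python
import struct

# Roles of Address 1..4 in a data frame, keyed by (To DS, From DS).
ROLES = {
    (0, 0): ("RA=DA", "TA=SA", "BSSID"),       # client to client (IBSS)
    (0, 1): ("RA=DA", "TA=BSSID", "SA"),       # AP to client
    (1, 0): ("RA=BSSID", "TA=SA", "DA"),       # client to AP
    (1, 1): ("RA", "TA", "DA", "SA"),          # DS to DS, 4 addresses
}

def mac(raw: bytes) -> str:
    return ":".join(f"{octet:02x}" for octet in raw)

def parse_data_header(frame: bytes) -> dict:
    """Decode the address and sequence fields of an 802.11 data frame header."""
    if len(frame) < 24:
        raise ValueError("truncated: a 3-address MAC header is 24 octets")
    fc, duration = struct.unpack_from("<HH", frame, 0)   # both little-endian
    if (fc >> 2) & 0x3 != 2:
        raise ValueError("not a data frame (RTS/CTS/ACK use shorter headers)")
    to_ds, from_ds = (fc >> 8) & 1, (fc >> 9) & 1
    addrs = [mac(frame[4 + 6 * i:10 + 6 * i]) for i in range(3)]
    (seq_ctl,) = struct.unpack_from("<H", frame, 22)
    if to_ds and from_ds:                      # Address 4 follows Sequence Control
        if len(frame) < 30:
            raise ValueError("truncated: a 4-address MAC header is 30 octets")
        addrs.append(mac(frame[24:30]))
    roles = {}
    for label, addr in zip(ROLES[(to_ds, from_ds)], addrs):
        for name in label.split("="):          # "RA=BSSID": two names, one address
            roles[name] = addr
    return {"to_ds": to_ds, "from_ds": from_ds, "duration": duration,
            "addresses": addrs, "roles": roles,
            "fragment": seq_ctl & 0x000F,      # low 4 bits
            "sequence": seq_ctl >> 4}          # high 12 bits

# Constructed sample (not a capture): data frame, To DS 1 / From DS 0,
# locally administered addresses, sequence number 0x123, fragment 0.
SAMPLE = bytes.fromhex(
    "0801" "2c00"            # Frame Control, Duration/ID
    "020000000001"           # Address 1
    "020000000002"           # Address 2
    "020000000003"           # Address 3
    "3012")                  # Sequence Control

if __name__ == "__main__":
    for name, addr in parse_data_header(SAMPLE)["roles"].items():
        print(f"{name:5} {addr}")
```

For the sample frame the parser returns five role names that resolve to only three distinct addresses, which is the same effect seen in the Wireshark trace.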