The MAC header contains a Frame Control field that is 2 bytes long, so it has 16 bits in total. Those bits are defined as follows:
Protocol Version is the version of 802.11. In the wired network, there are two different versions at this moment: version 4 and 6 (IPv4 and IPv6). In the wireless network there is only one version, so the Protocol Version is always 00. The values 01, 10 and 11 are not used at this moment.
Type is the frame type. This field is also 2 bits. Again, the possible values are 00, 01, 10 and 11. 11 is not used at this moment. 00 are Management Frames, 01 are Control Frames and 10 are Data Frames. If we look at a Wireshark trace, we see those values in the Frame Control field.
A Management Frame (type 00)
A Control Frame (type 01)
A Data Frame (type 10)
The next field is the subtype. This is a 4-bit field with several options. Remember that a frame is identified by the combination of type and subtype. For example, in the Management Frame you see a subtype of 1000, and you see the same subtype in the Data Frame. Those 2 frames are not the same. The 1000 in the Management Frame represents a beacon; the 1000 in the Data Frame represents a QoS Data frame. You can see the subtype fields in the previous screenshots.
The last 8 bits are the flags.
In this situation, the “To DS” and the “From DS” bits are 0 and 1. There are 4 different situations. You can have 00, 01, 10, and 11. When it is set to ‘1’ it means it is the Distribution System (Access Point). When it is set to ‘0’ it means it is not a Distribution System (Client).
00 means communication between two clients without a Distribution System; this is in most cases an IBSS (Ad-Hoc).
01 means communication from the AP to a Client.
10 means communication from a client to an AP.
11 means communication between two Distribution Systems. Mesh networks or wireless bridge networks don’t use any clients in their communication. This is also the situation where the MAC header has 4 addresses.
More Fragments is the bit that is set to ‘1’ when more data packets are coming, and set to ‘0’ when no more data packets are coming. In this situation, the bit is set to ‘0’ and in the description, you see that “this is the last fragment.”
Retry is the retransmission bit. If it is set to ‘1’, this packet is a retransmission. This occurs when the last packet didn’t receive an ACK.
Power Management is the bit that shows whether the client is in Power Save (PS) mode. PS mode is indicated by a NULL frame. As you can see in the previous screenshot, the type is 10 (Data Frame) and the subtype is 0100 (Null Data). The Power Management bit is set to ‘1’, so the client is going to sleep.
More Data is used for buffered data. When the client wakes up out of PS mode and there are several packets buffered for the client, the More Data bit is set to ‘1.’ When the More Data bit is set to ‘0’, as in our example, there is no data buffered for the client.
Protected Frame shows whether the data frame is encrypted or not. In this example my iPhone is connected to an SSID with open authentication and no encryption enabled, so the bit is set to ‘0.’
Order Flag is for the order of the frame. It is only set to ‘1’ when the frame is a non-QoS data frame. In all other situations, the Order Flag bit is set to ‘0.’
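The field layout described above can be decoded directly from the first two bytes of a captured MAC header. The following is an added example, not part of the original article; the function name, the sample byte strings and the small subtype table (limited to the three subtypes named in the text) are assumptions made for illustration.

```python
import struct

TYPES = {0: "Management", 1: "Control", 2: "Data"}
# Only the (type, subtype) pairs named in the text; others are reported as raw bits.
SUBTYPES = {(0, 0b1000): "Beacon", (2, 0b1000): "QoS Data", (2, 0b0100): "Null Data"}
# Keyed as (To DS, From DS), matching the 00/01/10/11 cases in the text.
DS = {
    (0, 0): "client to client, no DS (IBSS/ad hoc)",
    (0, 1): "AP to client",
    (1, 0): "client to AP",
    (1, 1): "DS to DS (mesh/bridge, 4 addresses)",
}
FLAGS = ["to_ds", "from_ds", "more_fragments", "retry",
         "power_mgmt", "more_data", "protected", "order"]


def parse_frame_control(mac_header: bytes) -> dict:
    """Decode the 2-byte Frame Control field at the start of an 802.11 MAC header."""
    if len(mac_header) < 2:
        raise ValueError("need at least 2 bytes for Frame Control")
    # Little-endian on the air: the first byte carries version/type/subtype,
    # the second byte carries the eight flags.
    (fc,) = struct.unpack_from("<H", mac_header)
    ftype = (fc >> 2) & 0b11
    subtype = (fc >> 4) & 0b1111
    out = {
        "version": fc & 0b11,
        "type": TYPES.get(ftype, "unused (11)"),
        "subtype_bits": format(subtype, "04b"),
        "subtype": SUBTYPES.get((ftype, subtype), "not in this table"),
    }
    for i, name in enumerate(FLAGS):
        out[name] = (fc >> (8 + i)) & 1
    # The To DS/From DS reading applies to data frames; management and
    # control frames carry 00 in both bits, so no direction is derived.
    out["direction"] = DS[(out["to_ds"], out["from_ds"])] if ftype == 2 else None
    return out


# Constructed sample headers (not taken from the article's captures).
SAMPLES = {
    "beacon": bytes.fromhex("8000"),
    "qos_data_from_ap": bytes.fromhex("8802"),
    "null_data_sleep": bytes.fromhex("4811"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, parse_frame_control(raw))
```

Note that the same subtype bits 1000 decode to Beacon or QoS Data depending on the type bits, which is why the lookup is keyed on the pair.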
The table below shows the frame types and frame subtypes. There are more subtypes than shown in this table.