Management frames are the frames that are used for managing the wireless LAN. In this blog, I want to write out which frames there are and what their purposes are.

Beacon Frames
Beacon frames carry the information about the wireless network and are sent by the access point. One beacon frame is transmitted per SSID every 100 Time Units (TU), so an access point with multiple SSIDs sends multiple beacon frames every 100 TU. 1 TU is not exactly 1 millisecond; it is 1.024 milliseconds. Many references say that beacon frames are transmitted every 100 milliseconds, but this is not true. It is every 102.4 milliseconds, and it also depends on how busy the network is.

Beacon frames announce the existence of the BSS with the information that is required for the client to connect. The frame body has 67 fields that give information about the wireless network; the first five are mandatory.

Timestamp (8 bytes)
This represents how long the access point is active. The timestamp is in microseconds.

Beacon interval (2 bytes)
This is the interval in Time Units. As said it is not always 100 TU.

Capability information (2 bytes)
Information about the capabilities of the access point (QoS, Short or Long preamble, IBSS, and so forth).

SSID (variable)
The SSID of the network and the SSID element ID.

Supported Rates (variable)
This tells which data rates are supported. Each data rate takes 8 bits. The first bit indicates whether the data rate is mandatory or only supported; the other 7 bits represent the data rate in units of 500 kbps. For example, data rate 12 is mandatory and it looks like this: 10011000. The first 1 shows that it is mandatory, and the 0011000 represents 24. 24 is 24 * 500 kbps (12 Mbps).

In the screenshot below, you see the 5 mandatory fields. Wireshark presents them a little differently from how the fields are described here. For example, the beacon interval is in seconds and not in TU.

You can filter in Wireshark with wlan.fc.type_subtype == 0x08
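
The five mandatory fields described above, decoded from a raw beacon frame body in Python. This is an added example, not code from the original post: the function names and the sample bytes are constructed for illustration, and the element IDs (0 for SSID, 1 for Supported Rates) and capability bit positions are taken from the 802.11 frame format rather than from the post.

```python
import struct

TU_US = 1024  # one Time Unit is 1024 microseconds (1.024 ms)

def decode_rate(byte):
    """Top bit: mandatory flag; low 7 bits: rate in units of 500 kbps."""
    return {"mbps": (byte & 0x7F) * 0.5, "mandatory": bool(byte & 0x80)}

def parse_beacon_body(body):
    """Parse the five mandatory fields from a beacon frame body (bytes)."""
    if len(body) < 12:
        raise ValueError("body shorter than the 12 bytes of fixed fields")
    # Fixed fields are little-endian: timestamp (8), interval (2), capability (2).
    timestamp_us, interval_tu, capability = struct.unpack_from("<QHH", body, 0)
    result = {
        "uptime_s": timestamp_us / 1_000_000,
        "interval_tu": interval_tu,
        "interval_ms": interval_tu * TU_US / 1000,
        "ibss": bool(capability & 0x0002),
        "short_preamble": bool(capability & 0x0020),
        "ssid": None,
        "rates": [],
    }
    offset = 12
    # Each element that follows is: element ID (1 byte), length (1 byte), value.
    while offset + 2 <= len(body):
        element_id, length = body[offset], body[offset + 1]
        value = body[offset + 2 : offset + 2 + length]
        if len(value) < length:
            raise ValueError(f"element {element_id} is truncated")
        if element_id == 0:      # SSID
            result["ssid"] = value.decode("utf-8", errors="replace")
        elif element_id == 1:    # Supported Rates
            result["rates"] = [decode_rate(b) for b in value]
        offset += 2 + length
    return result

# Constructed sample body (not a real capture): uptime 3600 s, interval 100 TU,
# capability 0x0021 (ESS + short preamble), SSID "lab-wlan", four rates.
SAMPLE_BODY = (
    struct.pack("<QHH", 3_600_000_000, 100, 0x0021)
    + bytes([0, 8]) + b"lab-wlan"
    + bytes([1, 4, 0x8C, 0x12, 0x98, 0x24])
)

if __name__ == "__main__":
    for key, value in parse_beacon_body(SAMPLE_BODY).items():
        print(key, value)
```

The third rate byte in the sample, 0x98, is the 10011000 pattern from the Supported Rates description and decodes to a mandatory 12 Mbps rate; a beacon interval of 100 TU comes out as 102.4 ms.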

Probe Request/Response Frames
These frames are used by the client for active scanning. The client transmits a Probe Request to the broadcast address and all the access points on that channel will reply with a Probe Response. It is possible that a client sends a Probe Request with a specific SSID. In this case, only the access point with that SSID on that channel will reply with a Probe Response. After the Probe Response, the client replies with an acknowledgement.

In the Probe Request you see information from the client: the data rates and the capabilities that it supports.

The response of the access point is almost the same as a beacon frame. There are a couple of differences between those frames. The beacon has a TIM field and the Probe Response does not. The TIM field tells the client whether there is any buffered data for the client. A Probe Response has information that the client requests.

The acknowledgement frame is not a management frame, so I will not discuss that here. 

You can filter in Wireshark with wlan.fc.type_subtype == 0x04 (for Probe Request)

You can filter in Wireshark with wlan.fc.type_subtype == 0x05 (for Probe Response)
