802.11 MAC Layer Defined
By Jim Geier
June 4, 2002
The 802.11 standard specifies a common medium access control (MAC) Layer, which
provides a variety of functions that support the operation of 802.11-based wireless LANs.
In general, the MAC Layer manages and maintains communications between 802.11
stations (radio network cards and access points) by coordinating access to a shared radio
channel and utilizing protocols that enhance communications over a wireless medium.
Often viewed as the "brains" of the network, the 802.11 MAC Layer uses an 802.11
Physical (PHY) Layer, such as 802.11b or 802.11a, to perform the tasks of carrier
sensing, transmission, and receiving of 802.11 frames.
Medium access basics
Before transmitting frames, a station must first gain access to the medium, which is a
radio channel that stations share. The 802.11 standard defines two forms of medium
access, distributed coordination function (DCF) and point coordination function (PCF).
DCF is mandatory and based on the CSMA/CA (carrier sense multiple access with
collision avoidance) protocol. With DCF, 802.11 stations contend for access and attempt
to send frames when there is no other station transmitting. If another station is sending a
frame, stations are polite and wait until the channel is free.
As a condition to accessing the medium, the MAC Layer checks the value of its network
allocation vector (NAV), which is a counter resident at each station that represents the
amount of time the medium is still reserved by the previously transmitted frame. The NAV must be zero
before a station can attempt to send a frame. Prior to transmitting a frame, a station
calculates the amount of time necessary to send the frame based on the frame's length and
data rate. The station places a value representing this time in the duration field in the
header of the frame. When stations receive the frame, they examine this duration field
value and use it as the basis for setting their corresponding NAVs. This process reserves
the medium for the sending station.
An important aspect of the DCF is a random back off timer that a station uses if it detects
a busy medium. If the channel is in use, the station must wait a random period of time
before attempting to access the medium again. This ensures that multiple stations wanting
to send data don't transmit at the same time. The random delay causes stations to wait
different periods of time and avoids all of them sensing the medium at exactly the same
time, finding the channel idle, transmitting, and colliding with each other. The back off
timer significantly reduces the number of collisions and corresponding retransmissions,
especially when the number of active users increases.
With radio-based LANs, a transmitting station can't listen for collisions while sending
data, mainly because the station can't have its receiver on while transmitting the frame.
As a result, the receiving station needs to send an acknowledgement (ACK) if it detects
no errors in the received frame. If the sending station doesn't receive an ACK after a
specified period of time, the sending station will assume that there was a collision (or RF
interference) and retransmit the frame.
For supporting time-bounded delivery of data frames, the 802.11 standard defines the
optional point coordination function (PCF) where the access point grants access to an
individual station to the medium by polling the station during the contention free period.
Stations can't transmit frames unless the access point polls them first. The period of time
for PCF-based data traffic (if enabled) occurs alternately between contention (DCF)
The access point polls stations according to a polling list, then switches to a contention
period when stations use DCF. This process enables support for both synchronous (e.g.,
video applications) and asynchronous (e.g., e-mail and Web browsing applications)
modes of operation.
No known wireless NICs or access points on the market today, however, implement PCF.
802.11 MAC Layer Functions
The following summarizes primary 802.11 MAC functions, especially as they relate to
infrastructure wireless LANs:
Scanning: The 802.11 standard defines both passive and active scanning,
whereby a radio NIC searches for access points. Passive scanning is mandatory
where each NIC scans individual channels to find the best access point signal.
Periodically, access points broadcast a beacon, and the radio NIC receives these
beacons while scanning and takes note of the corresponding signal strengths. The
beacons contain information about the access point, including service set
identifier (SSID), supported data rates, etc. The radio NIC can use this
information along with the signal strength to compare access points and decide
upon which one to use.
Optional active scanning is similar, except the radio NIC initiates the process by
broadcasting a probe frame, and all access points within range respond with a
probe response. Active scanning enables a radio NIC to receive immediate
response from access points, without waiting for a beacon transmission. The
issue, however, is that active scanning imposes additional overhead on the
network because of the transmission of probe and corresponding response frames.
Authentication: Authentication is the process of proving identity, and the 802.11
standard specifies two forms: Open system authentication and shared key
authentication. Open system authentication is mandatory, and it's a two-step
process. A radio NIC first initiates the process by sending an authentication
request frame to the access point. The access point replies with an authentication
response frame containing approval or disapproval of authentication indicated in
the Status Code field in the frame body.
Shared key authentication is an optional four-step process that bases
authentication on whether the authenticating device has the correct WEP (wired
equivalent privacy) key. The radio NIC starts by sending an authentication request
frame to the access point. The access point then places challenge text into the
frame body of a response frame and sends it to the radio NIC. The radio NIC uses
its WEP key to encrypt the challenge text and then sends it back to the access
point in another authentication frame. The access point decrypts the challenge text
and compares it to the initial text. If the text is equivalent, then the access point
assumes that the radio NIC has the correct key. The access point finishes the
sequence by sending an authentication frame to the radio NIC with the approval
Association: Once authenticated, the radio NIC must associate with the access
point before sending data frames. Association is necessary to synchronize the
radio NIC and access point with important information, such as supported data
rates. The radio NIC initiates the association by sending an association request
frame containing elements such as SSID and supported data rates. The access
point responds by sending an association response frame containing an
association ID along with other information regarding the access point. Once the
radio NIC and access point complete the association process, they can send data
frames to each other.
WEP: With the optional WEP enabled, the wireless NIC will encrypt the body
(not header) of each frame before transmission using a common key, and the
receiving station will decrypt the frame upon receipt using the common key. The
802.11 standard specifies a 40-bit key and no key distribution method, which
makes 802.11 wireless LANs vulnerable to eavesdroppers. The 802.11i
committee, however, is improving 802.11 security by incorporating 802.1X and
stronger encryption into the standard.
RTS/CTS: The optional request-to-send and clear-to-send (RTS/CTS) function
allows the access point to control use of the medium for stations activating
RTS/CTS. With most radio NICs, users can set a maximum frame length
threshold whereby the radio NIC will activate RTS/CTS. For example, a frame
length of 1,000 bytes will trigger RTS/CTS for all frames larger than 1,000 bytes.
The use of RTS/CTS alleviates hidden node problems, that is, where two or more
radio NICs can't hear each other and they are associated with the same access
If the radio NIC activates RTS/CTS, it will first send an RTS frame to the access point
before sending a data frame. The access point will then respond with a CTS
frame, indicating that the radio NIC can send the data frame. With the CTS frame,
the access point will provide a value in the duration field of the frame header that
holds off other stations from transmitting until after the radio NIC initiating the
RTS can send its data frame. This avoids collisions between hidden nodes. The
RTS/CTS handshake continues for each frame, as long as the frame size exceeds
the threshold set in the corresponding radio NIC.
Power Save Mode: The optional power save mode that a user can turn on or off
enables the radio NIC to conserve battery power when there is no need to send
data. With power save mode on, the radio NIC indicates its desire to enter "sleep"
state to the access point via a status bit located in the header of each frame. The
access point takes note of each radio NIC wishing to enter power save mode, and
buffers packets corresponding to the sleeping station.
In order to still receive data frames, the sleeping NIC must wake up periodically
(at the right time) to receive regular beacon transmissions coming from the access
point. These beacons identify whether sleeping stations have frames buffered at
the access point and waiting for delivery to their respective destinations. The
radio NICs having awaiting frames will request them from the access point. After
receiving the frames, the radio NIC can go back to sleep.
Fragmentation: The optional fragmentation function enables an 802.11 station to
divide data packets into smaller frames. This is done to avoid needing to
retransmit large frames in the presence of RF interference. The bit errors
resulting from RF interference are likely to affect a single frame, and it requires
less overhead to retransmit a smaller frame rather than a larger one. As with
RTS/CTS, users can generally set a maximum frame length threshold whereby the
radio NIC will activate fragmentation. If the frame size is larger than the
threshold, the radio NIC will break the packet into multiple frames, with each
frame no larger than the threshold value.
This tutorial is meant to provide an overview of the 802.11 MAC functions. In future
articles, we'll discuss each function in more detail and show practical configuration
Jim Geier provides independent consulting services to companies developing and
deploying wireless network solutions. He is the author of the book, Wireless LANs
(SAMs, 2001), and regularly instructs workshops on wireless LANs.
Don't miss Jim Geier as one of the featured speakers at the 802.11 Planet Conference
and Expo next week. He'll be giving a workshop on RF Site Survey Basics, and
speaking on panels discussing wireless data and home networking.
802.11 Beacons Revealed
By Jim Geier
October 31, 2002
In a previous tutorial, I provided an overview of the various frame types that 802.11
stations (network cards and access points) use to support wireless data communications.
In addition to data frames that carry information from higher layers, 802.11 includes
management and control frames that support data transfer. The beacon frame, which is a
type of management frame, provides the "heartbeat" of a wireless LAN, enabling stations
to establish and maintain communications in an orderly fashion.
A typical beacon frame is approximately fifty bytes long, with about half of that being a
common frame header and cyclic redundancy checking (CRC) field. As with other
frames, the header includes source and destination MAC addresses as well as other
information regarding the communications process. The destination address is always set
to all ones, which is the broadcast Medium Access Control (MAC) address. This forces
all other stations on the applicable channel to receive and process each beacon frame. The
CRC field provides error detection capability.
The beacon's frame body resides between the header and the CRC field and constitutes
the other half of the beacon frame. Each beacon frame carries the following information
in the frame body:
Beacon interval. This represents the amount of time between beacon
transmissions. Before a station enters power save mode, the station needs the
beacon interval to know when to wake up to receive the beacon (and learn
whether there are buffered frames at the access point).
Timestamp. After receiving a beacon frame, a station uses the timestamp value to
update its local clock. This process enables synchronization among all stations
that are associated with the same access point.
Service Set Identifier (SSID). The SSID identifies a specific wireless LAN.
Before associating with a particular wireless LAN, a station must have the same
SSID as the access point. By default, access points include the SSID in the beacon
frame to enable sniffing functions (such as that provided by Windows XP) to
identify the SSID and automatically configure the wireless network interface card
(NIC) with the proper SSID. Some access point vendors have an option to disable
the SSID from being broadcast in beacon frames to reduce security issues.
Supported rates. Each beacon carries information that describes the rates that the
particular wireless LAN supports. For example, a beacon may indicate that only
1, 2, and 5.5 Mbps data rates are available. As a result, an 802.11b station would
stay within limits and not use 11 Mbps. With this information, stations can use
performance metrics to decide which access point to associate with.
Parameter Sets. The beacon includes information about the specific signaling
methods (such as frequency hopping spread spectrum, direct sequence spread
spectrum, etc.). For example, a beacon would include in the appropriate parameter
set the channel number that an 802.11b access point is using. Likewise, a beacon
belonging to frequency hopping network would indicate hopping pattern and
Capability Information. This signifies requirements of stations that wish to
belong to the wireless LAN that the beacon represents. For example, this
information may indicate that all stations must use wired equivalent privacy
(WEP) in order to participate on the network.
Traffic Indication Map (TIM). An access point periodically sends the TIM
within a beacon to identify which stations using power saving mode have data
frames waiting for them in the access point's buffer. The TIM identifies a station
by the association ID that the access point assigned during the association
An 802.11 probe response frame is very similar to a beacon frame, except that probe
responses don't carry the TIM info and are only sent in response to a probe request. A
station may send a probe request frame to trigger a probe response when the station needs
to obtain information from another station. A radio NIC, for instance, will broadcast a
probe request when using active scanning to determine which access points are within
range for possible association. Some sniffing software (e.g., NetStumbler) tools send
probe requests so that access points will respond with desired info.
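As an added example (not code from the article), the following parses the beacon frame body fields listed above from a constructed sample. The element IDs (0 = SSID, 1 = supported rates, 3 = DS parameter set, 5 = TIM), the 1024 µs time unit and the capability bits are taken from the 802.11 standard; the SSID, channel and buffered association IDs in the sample are made up.

```python
import struct

# 802.11 information element IDs used here (values from the standard)
IE_SSID, IE_RATES, IE_DS_PARAMS, IE_TIM = 0, 1, 3, 5
TU_US = 1024                      # one 802.11 time unit is 1024 microseconds


def parse_elements(body):
    """Split the tagged part of a beacon body into (id, value) pairs; stops at a truncated element."""
    elems, i = [], 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        if i + 2 + length > len(body):
            break                                   # truncated element: ignore the rest
        elems.append((eid, body[i + 2:i + 2 + length]))
        i += 2 + length
    return elems


def decode_tim(value):
    """Traffic Indication Map: which association IDs have frames buffered at the access point."""
    dtim_count, dtim_period, control = value[0], value[1], value[2]
    n1 = (control >> 1) * 2                         # first octet of the virtual bitmap carried here
    aids = [(n1 + i) * 8 + bit
            for i, octet in enumerate(value[3:]) for bit in range(8)
            if octet >> bit & 1 and (n1 + i) * 8 + bit > 0]   # AID 0 is not a station
    return {"dtim_count": dtim_count, "dtim_period": dtim_period,
            "multicast_pending": bool(control & 1), "buffered_aids": aids}


def parse_beacon_body(body):
    """Fixed fields (timestamp, beacon interval, capability) followed by the information elements."""
    timestamp, interval_tu, cap = struct.unpack_from("<QHH", body, 0)
    info = {"timestamp": timestamp, "beacon_interval_tu": interval_tu,
            "beacon_interval_ms": interval_tu * TU_US / 1000,
            "infrastructure": bool(cap & 0x0001),      # ESS bit: sent by an access point
            "ad_hoc": bool(cap & 0x0002),              # IBSS bit
            "privacy_required": bool(cap & 0x0010),    # Privacy bit: stations must use WEP
            "ssid": None, "ssid_hidden": False, "rates_mbps": [], "channel": None, "tim": None}
    for eid, value in parse_elements(body[12:]):
        if eid == IE_SSID:
            info["ssid_hidden"] = not value.strip(b"\x00")   # empty or zeroed: broadcast disabled
            info["ssid"] = value.decode("utf-8", "replace")
        elif eid == IE_RATES:
            # each octet is a rate in 500 kbps units; the high bit marks a basic (mandatory) rate
            info["rates_mbps"] = [((b & 0x7F) / 2, bool(b & 0x80)) for b in value]
        elif eid == IE_DS_PARAMS and value:
            info["channel"] = value[0]
        elif eid == IE_TIM and len(value) >= 4:
            info["tim"] = decode_tim(value)
    return info


def max_usable_rate(info):
    """Highest rate a station may use with this network, per the supported-rates element."""
    return max((r for r, _ in info["rates_mbps"]), default=None)


# Constructed sample: AP on channel 6, SSID "lab-wlan", 100 TU interval, WEP required,
# rates 1/2/5.5 Mbps (all basic), TIM with DTIM count 1 of period 3, multicast pending,
# and frames buffered for association IDs 16, 18 and 30.
SAMPLE_BODY = (struct.pack("<QHH", 0x0000000123456789, 100, 0x0011)
               + bytes([IE_SSID, 8]) + b"lab-wlan"
               + bytes([IE_RATES, 3, 0x82, 0x84, 0x8B])
               + bytes([IE_DS_PARAMS, 1, 6])
               + bytes([IE_TIM, 5, 1, 3, 0x03, 0x05, 0x40]))
```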
Beacons in action
In infrastructure networks, access points (not radio NICs) periodically send beacons. You
can set the beacon interval through the access point configuration screen. In general, the
beacon interval is set to 100 ms, which provides good performance for most applications.
In ad hoc networks, there are no access points. As a result, one of the peer stations
assumes the responsibility for sending the beacon. After receiving a beacon frame, each
station waits for the beacon interval and then sends a beacon if no other station does so
after a random time delay. This ensures that at least one station will send a beacon, and
the random delay rotates the responsibility for sending beacons.
By increasing the beacon interval, you can reduce the number of beacons and associated
overhead, but that will likely delay the association and roaming process because stations
scanning for available access points may miss the beacons. You can decrease the beacon
interval, which increases the rate of beacons. This will make the association and roaming
process very responsive; however, the network will incur additional overhead and
throughput will go down. In addition, stations using power save mode will need to
consume more power because they'll need to awaken more often, which reduces power
saving mode benefits.
In an idle network, beacons dominate all other traffic. A packet-monitoring tool, such as
AirMagnet or AiroPeek, would display a continuous stream of beacon frames. With no
user-generated traffic, an occasional data frame carrying protocols used for non-802.11
purposes, such as dynamic host configuration protocol (DHCP), will appear. Of course on
networks with active users, a variety of other frames, such as association
requests/responses, data frames carrying Internet traffic, acknowledgements, etc.,
intermix between the beacons.
There are no reservations for sending beacons, and they must be sent using the mandatory
802.11 carrier sense multiple access with collision avoidance (CSMA/CA) algorithm. If
another station is sending a frame when the beacon is to be sent, then the access point (or
NIC in an ad hoc network) must wait. As a result, the actual time between beacons may
be longer than the beacon interval. Stations, however, compensate for this inaccuracy by
utilizing the timestamp found within the beacon.
The amount of overhead that the transmissions of beacon frames generate is substantial;
however, the beacon serves a variety of functions. For example, each beacon
transmission identifies the presence of an access point. By default, radio NICs passively
scan all RF channels and listen for beacons coming from access points in order to find a
suitable access point.
When a beacon is found, the radio NIC learns a great deal about that particular network.
This enables a ranking of access points based on the received signal strength of the
beacon, along with capability information regarding the network. The radio NIC can then
associate with the most preferable access point.
After association, the station continues to scan for other beacons in case the signal from
the currently-associated access point becomes too weak to maintain communications. As
the radio NIC receives beacons from the associated access point, the radio NIC updates
its local clock to maintain timing synchronization with the access point and other stations.
In addition, the radio NIC will abide by any other changes, such as data rate, that the
frame body of the beacon indicates.
The beacons also support stations implementing power saving mode. With infrastructure
networks, the access point will buffer frames destined for sleeping stations and announce
which radio NICs have frames waiting through the TIM that's part of the beacon. On the
other hand, the beacon in ad hoc network marks the beginning of a period where stations
buffering frames can alert sleeping stations that frames are waiting for delivery.
802.11 Medium Access Methods
By Jim Geier
November 26, 2002
The 802.11 standard ensures that all stations, both radio-based network interface cards
(NICs) and access points, implement access methods for sharing the air medium. When
installing wireless LANs (WLAN), most people don't give much thought to these
mechanisms. A solid understanding of 802.11's medium access methods, however, will
enable you to deal more effectively with issues such as radio frequency interference,
denial of service attacks and throughput issues.
Distributed Coordination Function (DCF)
The 802.11 standard makes it mandatory that all stations implement the DCF, a form of
carrier sense multiple access with collision avoidance (CSMA/CA). CSMA is a
contention-based protocol making certain that all stations first sense the medium before
transmitting. The main goal is to avoid having stations transmit at the same time, which
results in collisions and corresponding retransmissions.
If a station wanting to send a frame senses energy above a specific threshold on the
medium (which could mean the transmission of another station), the station wanting
access will wait until the medium is idle before transmitting the frame. The collision
avoidance aspect of the protocol pertains to the use of acknowledgements that a receiving
station sends to the sending station to verify error-free reception. Think of this process of
accessing the medium as a meeting where everyone is polite and each person only speaks
when no one else is talking. In addition, everyone who understands what the person is
saying nods their head in agreement.
The DCF protocol is somewhat more complex than this, though. For example, an 802.11
station utilizes information it gains from other frames that stations are sending over the
wireless network. In the control field of each frame, there is a duration field that a
sending station places a value in, to indicate how long the station will require the
medium. As part of making a decision on whether to transmit a frame, a station must see
that the time associated with the duration value of the last frame sent has expired, as well
as sense that no physical transmission is taking place. The duration field enables stations
to reserve the medium for subsequent frames of some specific 802.11-defined frame
exchanges (e.g., RTS/CTS).
Because of its nature, DCF supports the transmission of asynchronous signals. A
distinguishing factor of asynchronous signaling is that there are no timing requirements
between data carrying frames. For example, the DCF protocol doesn't make any attempt
to deliver a series of data frames within any timeframe or at any instant in time. As a
result, there is a random amount of delay between each data frame transmission. This
form of signaling is effective for network applications, such as e-mail, Web
browsing and VPN access to corporate applications.
DCF Protocol Issues
The DCF protocol is the heart of many WLAN troubles. RF interference is probably the
biggest problem. If a source of RF interference (e.g., cordless phone or other WLAN) is
present, the DCF can block stations from transmitting for as long as the interfering signal
is present. The stations sense enough energy on the medium and wait patiently, in most
cases for just a few seconds or minutes. Of course this causes the throughput of the
network to drop significantly. That's why you should perform an RF site survey in the
facility before installing a WLAN.
Similar to the impact of typical RF interference, someone could implement a denial of
service attack, which is a deliberate action to instill RF interference at a level high
enough to block a majority of the stations from transmitting. Again, all of the stations
will not transmit because they respectfully follow the DCF protocol.
Instead of lasting for only a few seconds, however, a denial of service attack could be
planned in a way to corrupt the network for hours or days until the jamming source is
found. This type of attack will generally cause the network to be useless (i.e., throughput
equal to zero). In order to reduce this impact, maximize the use of directional antennas to
minimize the reception of RF signals from outside the facility where someone could
conceal themselves with a high-powered jamming device.
Point Coordination Function (PCF)
As an optional access method, the 802.11 standard defines the PCF, which enables the
transmission of time-sensitive information. With PCF, a point coordinator within the
access point controls which stations can transmit during any given period of time. Within a
time period called the contention free period, the point coordinator will step through all
stations operating in PCF mode and poll them one at a time. For example, the point
coordinator may first poll station A, and during a specific period of time station A can
transmit data frames (and no other station can send anything). The point coordinator will
then poll the next station and continue down the polling list, giving each station a
chance to send data.
Thus, PCF is a contention-free protocol and enables stations to transmit data frames
synchronously, with regular time delays between data frame transmissions. This makes it
possible to more effectively support information flows, such as video and control
mechanisms, having stiffer synchronization requirements.
Timing mechanisms within the 802.11 protocol ensure that stations on the WLAN
alternate between the use of DCF and PCF. As a result, the WLAN can support both
asynchronous and synchronous information flows. For a period of time, stations will fend
for themselves by using CSMA. For the following time period, the stations will wait for a
poll from the point coordinator before sending data frames.
Don't run to your access point, though, and expect to find a switch that enables PCF. The
only access point that I know of on the market supporting PCF is AOpen's WarpLink
AOI-706. The big name vendors, such as Cisco, Proxim, and Symbol, don't include PCF
Some chipsets have PCF functionality embedded somewhere in the firmware, but access
point vendors seem to be reluctant to activate it, even though PCF has been part of the
802.11 standard since its inception in 1997. The problem is that the 802.11 standard is
fairly vague in defining portions of the PCF protocol. As a result, you'd probably need to
use the same vendor for the access points and radio cards to make it work properly. The
Wi-Fi Alliance does not include PCF functionality in their interoperability standard.
802.11 MAC (Media Access Control)
The following section describes the common Media Access Control layer used by the
802.11 family of standards.
The 802.11 family uses a MAC layer known as CSMA/CA (Carrier Sense Multiple
Access/Collision Avoidance). (NOTE: Classic Ethernet uses CSMA/CD, collision
detection.) CSMA/CA is, like all Ethernet protocols, peer-to-peer (there is no
requirement for a master station).
In CSMA/CA a wireless node that wants to transmit performs the following steps:
1. Listen on the desired channel.
2. If channel is idle (no active transmitters) it sends a packet.
3. If channel is busy (an active transmitter) node waits until transmission stops
then a further CONTENTION period. (The Contention period is a random
period after every transmit on every node and statistically allows every node
equal access to the media. To allow tx to rx turn around the contention time
is slotted 50 micro sec for FH and 20 micro sec for DS systems).
4. If the channel is still idle at the end of the CONTENTION period the node
transmits its packet otherwise it repeats the process defined in 3 above until
it gets a free channel.
[Figure: CSMA/CA timing diagram. Legend: D = DCF Inter Frame Space (DIFS), S = Short Inter Frame Space (SIFS), CW = Contention Window, MPDU = MAC Protocol Data Unit, A = Ack]
802.11 also offers a polling mode (known as PCF - Point Co-ordination Function)
which is a fairly classic polling scheme, e.g. 3270 bi-sync! As with all polling protocols
a single master (Base Station) is required.
To improve efficiency additional features are employed:
1. Positive Acknowledgement (ACK)
2. MAC level retransmission
At the end of every packet the receiver, if it has successfully received the packet, will
return an ACK packet (if not received or received with errors the receiver will NOT
respond i.e. there is no NACK). The transmit window allows for the ACK i.e.
CONTENTION period starts after the ACK should have been sent.
MAC level retransmission
If no ACK is received the sender will retry the transmit (using the normal CSMA/CA
procedures) until either successful or the operation is abandoned with exhausted
Bit error rates on wireless systems (10**-5, 10**-6) are substantially higher than on
wire-line systems (10**-12). Large blocks may approach a length at which the probability
of an error occurring approaches 1, i.e. every block could fail, including the
re-transmission. To reduce the possibility of this happening, large blocks may be
fragmented by the transmitter and reassembled by the receiver node e.g. a 1500
byte block (12,000 bits) may be fragmented into 5 blocks of 300 bytes (2,400 bits).
While there is some overhead in doing this - both the probability of an error
occurring is reduced and, in the event of an error, the re-transmission time is also
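An added worked calculation (not part of the original text) of the trade-off just described, using the article's figures: a frame fails if any one of its bits is corrupted, so its error rate is 1 - (1 - BER)^bits, and a frame that is retransmitted until it gets through costs on average 1/(1 - FER) attempts. The per-fragment overhead parameter is an assumption, included to show the point at which fragmenting stops paying off.

```python
def frame_error_rate(ber, bits):
    """Probability that a frame of `bits` bits arrives with at least one corrupted bit."""
    return 1.0 - (1.0 - ber) ** bits


def expected_airtime_bits(ber, payload_bits, fragments=1, overhead_bits=0):
    """Average number of bits put on the air to deliver the payload when every fragment is
    retransmitted on its own until it succeeds (a geometric number of attempts per fragment)."""
    size = payload_bits / fragments + overhead_bits         # bits per transmitted frame
    return fragments * size / (1.0 - frame_error_rate(ber, size))


def compare(ber, payload_bits=12_000, fragments=5, overhead_bits=0):
    """The text's case: a 1,500-byte block (12,000 bits) sent whole or as 5 fragments of 300 bytes."""
    return {"fer_whole": frame_error_rate(ber, payload_bits + overhead_bits),
            "fer_fragment": frame_error_rate(ber, payload_bits / fragments + overhead_bits),
            "bits_whole": expected_airtime_bits(ber, payload_bits, 1, overhead_bits),
            "bits_fragmented": expected_airtime_bits(ber, payload_bits, fragments, overhead_bits)}
```

At a BER of 10**-5 the whole block fails about 11% of the time while a 300-byte fragment fails about 2.4% of the time; with a per-frame overhead (assumed here as 300 bits) and a very low BER such as 10**-7, fragmenting costs more airtime than it saves.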
The Hidden Node Problem
The hidden node problem occurs in a point to multi-point network and is defined as
one in which three (or more) nodes are present: Node A, Node B and Node C.
It is possible that in this case Node B can hear Node A (and vice versa) and Node B
can hear Node C (and vice versa) BUT Node C cannot hear Node A. In a CSMA/CA
environment Nodes A and C would both properly transmit (they cannot hear each
other on the 'listen' phase so could both simultaneously and properly transmit a
packet) but Node B would get corrupted data. Nodes A and C are said to be 'hidden'
from each other.
Use of RTS and CTS
Hidden Nodes are solved by the use of a RTS (request to send)/CTS (clear to send)
protocol prior to packet transmission. In our three node network above, Node A sends
a small RTS packet which is heard by Node B, which sends a small CTS packet that is
heard by both Node A and Node C. Node C will not transmit in this case.
[Figure: CSMA/CA with RTS/CTS timing diagram. Legend: D = DCF Inter Frame Space (DIFS), S = Short Inter Frame Space (SIFS), CW = Contention Window, MPDU = MAC Protocol Data Unit, A = Ack]
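The following is an added simulation (example code, not from the original text) of the four-step CSMA/CA procedure above, with NAV, random backoff and binary exponential contention-window growth, run on the three-node hidden-node case with and without the RTS/CTS exchange. Slot, SIFS and DIFS are the 802.11b DSSS values (20, 10 and 50 µs), the control-frame airtimes are rounded assumptions, the access point's CTS and ACK are modelled as instantaneous NAV updates at the stations that hear it, and every station backs off before each attempt.

```python
import random
from dataclasses import dataclass

# Timing assumed for 802.11b DSSS, in microseconds: 20 us slot (as in the text), SIFS 10, DIFS 50.
SLOT, SIFS, DIFS_SLOTS = 20, 10, 3                # DIFS rounded up to whole 20 us slots
CW_MIN, CW_MAX, RETRY_LIMIT = 31, 1023, 7
RTS_US, CTS_US, ACK_US = 360, 300, 300            # control-frame airtimes: rounded assumptions


@dataclass
class Station:
    name: str
    queue: list                  # airtime in us of each pending data frame
    cw: int = CW_MIN
    backoff: int = -1            # backoff slots still to count down; -1 = not yet drawn
    idle: int = 0                # consecutive slots sensed idle (DIFS check)
    retries: int = 0
    nav: int = 0                 # medium reserved until this time by duration fields heard
    busy_until: int = 0          # own (or scheduled) transmission lasts until this time
    sent: int = 0
    dropped: int = 0


def next_cw(cw):
    """Binary exponential backoff: widen the contention window after a failed attempt."""
    return min(2 * cw + 1, CW_MAX)


def senses_busy(s, t, active, hears):
    # virtual (NAV) or physical carrier sense, limited to transmitters s can actually hear
    return t < s.nav or any(x["start"] <= t < x["end"] and x["src"] is not s
                            and hears[s.name][x["src"].name] for x in active)


def reserve(stations, hears, heard_from, until):
    # every station that hears `heard_from` sets its NAV from the duration field it carried
    for o in stations:
        if o is not heard_from and hears[o.name][heard_from.name]:
            o.nav = max(o.nav, until)


def simulate(stations, hears, ap, rts_threshold=None, seed=1):
    """Slot-stepped DCF model; hears[x][y] is True when station x can sense station y.
    `ap` receives every data frame. Returns (elapsed_us, {kind: frames corrupted at the AP})."""
    rng = random.Random(seed)
    active, t, corrupted = [], 0, {"rts": 0, "data": 0}
    while any(s.queue for s in stations) or active:
        for x in [x for x in active if x["end"] <= t]:           # transmissions ending now
            active.remove(x)
            s, dur = x["src"], x["src"].queue[0]
            if x["corrupt"]:                                       # no CTS/ACK: back off harder
                corrupted[x["kind"]] += 1
                s.retries, s.cw = s.retries + 1, next_cw(s.cw)
                if s.retries > RETRY_LIMIT:
                    s.queue.pop(0); s.dropped += 1; s.retries, s.cw = 0, CW_MIN
            elif x["kind"] == "rts":                               # AP answers with CTS
                start = t + SIFS + CTS_US + SIFS
                reserve(stations, hears, ap, start + dur + SIFS + ACK_US)
                active.append({"src": s, "start": start, "end": start + dur,
                               "kind": "data", "corrupt": False})
                s.busy_until = start + dur
                continue
            else:                                                  # AP sends ACK: delivered
                reserve(stations, hears, ap, t + SIFS + ACK_US)
                s.queue.pop(0); s.sent += 1; s.retries, s.cw = 0, CW_MIN
            s.backoff, s.idle = -1, 0
        for s in stations:                                        # CSMA/CA countdown
            if not s.queue or t < s.busy_until or senses_busy(s, t, active, hears):
                s.idle = 0; continue                               # busy: the backoff is frozen
            s.idle += 1
            if s.idle < DIFS_SLOTS:
                continue
            if s.backoff < 0:
                s.backoff = rng.randint(0, s.cw)                   # random backoff in slots
            if s.backoff > 0:
                s.backoff -= 1
                continue
            use_rts = rts_threshold is not None and s.queue[0] > rts_threshold
            dur = RTS_US if use_rts else s.queue[0]
            active.append({"src": s, "start": t, "end": t + dur,
                           "kind": "rts" if use_rts else "data", "corrupt": False})
            s.busy_until = t + dur
        for x in [x for x in active if x["start"] == t]:         # transmissions starting now
            if x["kind"] == "data":                                # duration field covers SIFS + ACK
                reserve(stations, hears, x["src"], x["end"] + SIFS + ACK_US)
            for y in active:                                       # overlap at the AP = collision
                if y is not x and y["start"] <= t < y["end"] and \
                        hears[ap.name][x["src"].name] and hears[ap.name][y["src"].name]:
                    x["corrupt"] = y["corrupt"] = True
        t += SLOT
    return t, corrupted


def hidden_node_demo(rts_threshold, frames=4, airtime=1280):
    """A and C both reach the access point B but cannot hear each other (the case above)."""
    ap, a, c = Station("B", []), Station("A", [airtime] * frames), Station("C", [airtime] * frames)
    hears = {"A": {"A": True, "B": True, "C": False}, "B": {"A": True, "B": True, "C": True},
             "C": {"A": False, "B": True, "C": True}}
    elapsed, corrupted = simulate([ap, a, c], hears, ap, rts_threshold)
    return elapsed, corrupted, a.sent + c.sent, a.dropped + c.dropped
```

Without RTS/CTS the first data frames of A and C always overlap at B, because neither station's carrier sense or NAV ever sees the other; with RTS/CTS on every frame only the short RTS frames can collide, since B's CTS reserves the medium at both stations before any data frame is sent.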
Each node in an 802.11 network is identified by its MAC address (exactly the same as
Ethernet: a 6-byte, 48-bit value). Receiving nodes recognize their MAC address.
MAC Packet Format
The following defines the format of an 802.11 packet (for 802.3 packet format see
Field   Frame    Duration  Address1  Address2       Address3   Sequence  Address4   Data       FCS
        Control  ID        (source)  (destination)  (rx node)  Control   (tx node)
Bytes   2        2         6         6              6          2         6          0 - 2,312  4
NOTE: Bits are numbered right to left (i.e. bit number is same as 2**n)

Field             Bits     Values / Notes / Description
Frame Control     15 - 14  Protocol version. Currently 0
                  13 - 12  Type
                  11 - 8   Subtype
                  7        To DS. 1 = to the distribution system.
                  6        From DS. 1 = exit from the Distribution System.
                  5        More Frag. 1 = more fragment frames to follow (last or unfragmented frame = 0)
                  4        Retry. 1 = this is a re-transmission.
                  3        Power Mgt. 1 = station in power save mode.
                  2        More Data. 1 = additional frames buffered for the destination address (address x).
                  1        WEP. 1 = data processed with WEP algorithm. 0 = no
                  0        Order. 1 = frames must be strictly ordered.
Duration ID       15 - 0   For data frames = duration of frame. For Control Frames the associated identity of the transmitting
Address 1         47 - 0   Source address (6 bytes).
Address 2         47 - 0   Destination address (6 bytes).
Address 3         47 - 0   Receiving station address (destination wireless
Sequence Control  15 - 0
Address 4         47 - 0   Transmitting wireless station.
Frame Body                 0 - 2312 octets (bytes).
FCS               31 - 0   Frame Check Sequence (32 bit CRC). defined in