Show Menu
Cheatography

802.11 Cheat Sheet (DRAFT) by

802.11 Association Process

This is a draft cheat sheet. It is a work in progress and is not finished yet.

802.11 Connection Basics

Connection Status

State 1
Unauth­ent­icated and Unasso­ciated
State 2
Authen­tic­ated, Unasso­ciated
State 3
Authen­tic­ated, Associated
STA must be in State 3 before connection is establ­ished.

Control Frames

ACK: After receiving a data frame, the receiver will send and ACK frame if no errors were found. If the transm­itter doesn't receive an ACK within a predet­ermined period, it will retransmit the frame
RTS: The transm­itter sends an optional RTS frame before sending any data frames.
CTS: The receiver responds to the RTS with a CTS frame, clearing the transm­itter to send its data frame. The CTS provides collision control management by including a time value were all other devices are to hold off transm­ission while the RTS transm­itter sends its data
 

Management Frames

1000
Beac­on: Sent period­ically from an AP to announce its presence and relay inform­ation that is required by the STAs to connect to the wireless network.
0100
Probe Request: Sent from a STA to discover 802.11 networks within its proximity. Probe requests advertise the STAs supported data rates and 802.11 capabi­lities such as 802.11n.
0101
Probe Respon­se: Sent from an AP after receiving a Probe Request and having at least one common supported data rate. Advertises the SSID, supported data rates, encryption types, and other 802.11 capabi­lities.
1011
Auth­ent­ication Request: The STA chooses a SSID/n­etwork from the probe responses it receives. It also checks the compat­ibility on encryption type. Once compatible networks are discovered the STA will attempt low-level 802.11 authen­tic­ation with compatible APs. The STA sends a low-level 802.11 authen­tic­ation frame to an AP, setting the authen­tic­ation to open and the sequence to 0x0001.
1011
Auth­ent­ication Respon­se: The AP receives the authen­tic­ation frame and responds to the STA with authen­tic­ation frame set to open indicating a sequence. If an AP receives any frame other than an authen­tic­ation or probe request from a STA that is not authen­ticated it will respond with a deauth­ent­ication frame placing the mobile into an unauth­ent­icated and unasso­ciated state. The STA will have to begin the associ­ation process from the low level authen­tic­ation step. At this point the STA is authen­ticated but not yet associ­ated.
1100
Deau­the­nti­cat­ion
0000
Asso­ciation Request: Once the STA determines which AP it would like to associate to, it will send an associ­ation request to that AP. The associ­ation request contains chosen encryption types and other compatible 802.11 capabi­lities.
0001
Asso­ciation Respon­se: If the elements of associ­ation request match the capabi­lities of the AP, it will create an Associ­ation ID for the STA and respond with an associ­ation response, with a success message granting network access to the STA.
0010
Reas­soc­iation Request
0011
Reas­soc­iation Response
1010
Disa­sso­cia­tion

Beacon Frame

The AP broadcasts a Beacon frame at regular intervals, typically every 100ms. This is called the Target Beacon Transmit Time (TBTT)
The Beacon carries regula­tory, capability and BSS management inform­ation such as Supp­orted Data Rates, SSID and Time­sta­mp.
A Beacon is also used to advertise the AP capabi­lities. This is used by clients doing a passive scan to make a decision to connect to the AP. This is necessary to keep all clients synchr­onized with the AP in order for the clients to perform functions like power save.