Chapter 9. Flashcards Preview


Flashcards in Chapter 9. Deck (89):

How many sublayers is the 802.11 data-link layer divided into? What are they?

2 sublayers.

The upper portion is the IEEE 802.2 Logical Link Control (LLC).
The bottom portion of the data-link layer is the media access control (MAC) sublayer.


What is the MSDU? What kind of 802.11 frame carries the MSDU payload?

The MSDU contains data from the LLC and layers 3-7. A simple definition of the MSDU is that it is the data payload that contains the IP packet plus some LLC data.

Only 802.11 data frames carry an MSDU payload in the frame body.


What is the max size for an MSDU payload?

2,304 bytes plus an overhead for encryption.


What is an MPDU?

When an MSDU (MAC Service Data Unit) is sent to the MAC sublayer of the OSI model, the MAC header information is added to the MSDU to identify it. The MSDU is now encapsulated in a MAC Protocol Data Unit (MPDU).


What are the 3 basic components of an MPDU? What do they do?

A MAC Header, Frame Body, Frame Check Sequence.

A MAC Header : Frame control information, duration information, MAC addressing, and sequence control information are all found in the MAC header. Furthermore, QoS data frames contain specific QoS control information.

A Frame Body : The frame body component can be variable in size and contains information that is different depending on the frame type and frame subtype. The MSDU upper layer payload is encapsulated in the frame body. The MSDU layer 3–7 payload is protected when using encryption.

Frame Check Sequence (FCS) : The FCS comprises a 32-bit cyclic-redundancy check (CRC) that is used to validate the integrity of received frames.


What are the 2 layers of the Physical layer?

The upper portion is known as the physical convergence procedure sublayer (PLCP), and the lower portion is known as the physical medium dependent (PMD) sublayer


What does the Physical Layer Convergence Procedure (PLCP) do?

The PLCP prepares the frame for transmission by taking the frame from the MAC sublayer and creating the PLCP Protocol Data Unit (PPDU).


What does the PMD sublayer do?

Modulates and transmits, as bits, the data that it has just received from the PLCP sublayer above it.


What is the only difference between the PLCP and a MPDU?

They are the exact same thing, except which layer of the OSI model they are on. The PLCP is located on the physical layer and the MPDU is located on the data layer.


What does the PLCP do to the PSDU to prepare it for transmission?

The PLCP adds a preamble and PHY header to the PSDU.


What do preambles do?

The preamble is used for synchronization between transmitting and receiving 802.11 radios.


What is the purpose of an integration service?

This transports the MSDU payload in the data frame from an 802.11 wireless frame format into an 802.3 frame to ride on the Ethernet medium.


What is the max size for 802.3 Ethernet frames with a payload? What is the max size for VLAN payload?

802.3 frame size is 1,518 with a max payload of 1,500.

1522 with a data payload of 1504 bytes.


What is an individual MAC address located in the 802.11 frame?

Individual addresses are assigned to unique stations on the network (also known as a unicast address).


What is a Group Address MAC address located in the 802.11 frame?

A multiple destination address (group address) could be used by one or more stations on a network. There are two kinds of group addresses.


What are the 2 kinds of group addresses located in an 802.11 frame header?

Multicast-group address : An address used by an upper-layer entity to define a logical group of stations is known as a multicast-group address.

Broadcast address : A group address that indicates all stations that belong to the network is known as a broadcast address. A broadcast address, all bits with a value of one, defines all stations on a local area network.


How many MAC addresses can an 802.11 frame have? How many are typically used?

4 max.
3 typically used.


What is the source address (SA) used for in an 802.11 frame header?

The MAC address of the original sending station is known as the SA. The source address can originate from either a wireless station or the wired network.


What is the destination address (DA) used for in an 802.11 frame header?

The MAC address that is the final destination of the layer 2 frame is known as the DA. The final destination may be a wireless station or could be a destination on the wired network such as a server or a router.


What is the transmitter address (TA) used for in an 802.11 frame header?

The MAC address of an 802.11 radio that is transmitting the frame onto the half-duplex 802.11 medium is known as the TA.


What is the receiver address (RA) used for in an 802.11 frame header?

The MAC address of the 802.11 radio that is intended to receive the incoming transmission from the transmitting station is known as the RA.


What is the Basic Service Set Identifier (BSSID) used for in an 802.11 frame header?

This is the MAC address that is the layer 2 identifier of the basic service set (BSS). The BSSID is the MAC address of the AP’s radio or is derived from the MAC address of the AP’s radio if multiple basic service sets exist.


What are management frames for?

Management frames are used by wireless stations to join and leave the basic service set (BSS).


What OSI layer information does an 802.11 management frame carry?

Only layer 2 information, in a frame with an important field called the information elements.


What are 802.11 control frames? What is the only thing that they contain?

They assist with the delivery of the data frames, and are transmitted at one of the basic rates. Control frames are also used to clear the channel, acquire the channel, and provide unicast frame acknowledgements. They contain only header information.


What are 802.11 data frames?

They carry the actual data that is passed down from the higher protocols. The layer 3 – 7 MSDU payload is normally encrypted for data privacy reasons.


What are beacons and their purpose?

The AP of a basic service set sends the beacons while the clients listen for the beacon frames. Each beacon contains a timestamp, which client stations use to keep their clocks synchronized with the AP. Because so much of successful wireless communications is based on timing, it is imperative that all stations be in sync with each other.


What is a time stamp in a beacon frame?

Synchronization information


What are some things that are included in a beacon frame?

1. Time stamp
2. Spread spectrum information
3. Channel information
4. Data rates
5. Service set capabilities
6. Traffic indication map
7. QoS capabilities
8. Robust Security Network capabilities (TKIP or CCMP)
9. Vendor proprietary info


What is located in the QoS capabilities section in a beacon frame?

Quality of service and Enhanced Distributed Channel Access (EDCA) information


How many times a second is a beacon frame transmitted?

10 times per second.


What is passive scanning?

The client station listens for the beacon frames that are continuously being sent by the APs.


What does a client station do when it hears the same SSID from multiple stations?

If the client station hears beacons from multiple APs with the same SSID, it will determine which AP has the best signal, and it will attempt to connect to that AP.


How does active scanning work? (DETAILED)

In active scanning, the client station transmits management frames known as probe requests. These probe requests either can contain the SSID of the specific WLAN that the client station is looking for or can look for any SSID.

If a directed probe request is sent, all APs that support that specific SSID and hear the request should reply by sending a probe response.

The information that is contained inside the body of a probe response frame is the same information that can be found in a beacon frame, with the exception of the traffic indication map (TIM). Just like the beacon frame, the probe response frame contains all of the necessary information for a client station to learn about the parameters of the basic service set before joining the BSS.


What is a directed probe request?

A probe request with the specific SSID information.


What is a null probe request?

A probe request without the SSID information.


What does it mean when a station goes off channel?

It is common for a client station that is already associated to an AP and transmitting data to go off-channel and continue to send probe requests every few seconds across other channels. By continuing to actively scan, a client station can maintain and update a list of known APs, and if the client station needs to roam, it can typically do so faster and more efficiently.


What's one drawback from passive scanning and active scanning?

In contrast, active scanning uses probe request frames that are sent out across all available channels by the client station. If a client station receives probe responses from multiple APs, signal strength and quality characteristics are typically used by the client station to determine which AP has the best signal and thus which AP to connect to.


What is Authentication? How does it work?

Authentication is the first of two steps required to connect to the 802.11 basic service set. Both authentication and association must occur, in that order, before an 802.11 client can pass traffic through the AP to another device on the network.

The 802.11 authentication merely establishes an initial connection between the client and the AP. Think of this as authenticating that both of the devices are valid 802.11 devices.


What is open system authentication?

A legacy Security Model. This means that clients can associate with the AP without any formal authentication first.


What is Shared Key Authentication?

A legacy Security Model. Uses WEP when authenticating client stations and requires that a static WEP key be configured on both the station and the AP. Can be easily hacked.


What does association mean? What are the steps after authentication?

After the station has authenticated with the AP, the next step is for it to associate with the AP. When a client station associates, it becomes a member of a basic service set (BSS). Association means that the client station can send data through the AP and on to the distribution system medium.

1. The client station sends an association request to the AP, seeking permission to join the BSS.
2. The AP sends an association response to the client, either granting or denying permission to join the BSS. In the body of the association response frame is an association identifier (AID), a unique association number given to every associated client.


Does association occur before or after Shared Key or Open System authentication?

After. After a client station becomes a member of the BSS by completing association, the client will begin communications at upper layers and establish IP connectivity.


What is critical regarding association and data rates?

If the station cannot support the required data rates, it will fail association.


What is roaming and who makes the decision?

As wireless LANs grew to multiple APs, the 802.11 standard provided the ability for the client stations to transition from one AP to another while maintaining network connectivity for the upper-layer applications. The decision to roam is currently made by the client station.


Can a station be authenticated to multiple APs?

Yes. When you put in your wireless password, you are authenticating for the SSID and the extended service set it's supplied with. Only one association is possible.


How does roaming work in technical detail? What is the ultimate goal, a process called what? How does this process work?

The client station sends a reassociation request frame to the new AP. This happens because you are reassociating to the SSID of the wireless network.

1. A reassociation request is sent to the new AP the station wants to associate with, including the old AP's MAC address.
2. The new AP sends an ACK to the station, at the same time using the station's old MAC to identify the old AP on the network. During the time the client is reassociating, the network is still trying to send it data, so the data is buffering at the old AP.
3. The new AP asks the client to join its BSS.
4. The station responds with an ACK.
5. The new AP asks the old AP for the client's buffered data and sends it to the station.


What is a disassociation?

A notification, not a request. If a station wants to disassociate from an AP, or an AP from a station, either device can send a message and the connection is terminated. This always happens when you power down a system, for example.


What is a deauthentication?

A deauthentication frame is a notification and not a request. If a station wants to deauthenticate from an AP, or an AP wants to deauthenticate from stations, either device can send a deauthentication frame. Because authentication is a prerequisite for association, a deauthentication frame will automatically cause a disassociation to occur.


What is an ACK Frame? Why is it important?

The ACK frame is one of the nine control frames and one of the key components of the 802.11 CSMA/CA medium access control method.

Since 802.11 is a wireless medium that cannot guarantee successful data transmission, the only way for a station to know that a frame it transmitted was properly received is for the receiving station to notify the transmitting station. This notification is performed using an ACK.


How much is an octet of data?

8 bits.


How large is an ACK frame?

14 octets.


What is a short interframe space (SIFS)?

When a station receives data, it waits for a short period of time.


What is a fragmentation? How is a fragmentation structured? What are some pros and cons?

The 802.11-2012 standard allows for fragmentation of frames. Fragmentation breaks an 802.11 frame into smaller pieces known as fragments, adds header information to each fragment, and transmits each fragment individually.

Although the same amount of actual data is being transmitted, each fragment requires its own header, and the transmission of each fragment is followed by a SIFS and an ACK.

A pro : Large frames are broken down into multiple smaller fragments and sent 1 at a time. If an RF interference wave hits and knocks out one of the frames, then a small amount of data would need to be retransmitted. If a larger frame got knocked out, more air time would be needed to retransmit.

A con : Lots of fragments could actually eat up air time because each fragment also needs to be given headers and frame information and participate in medium transmission rules such as CSMA/CA and ACKs.


What is 802.11b-Only Mode?

The AP will operate in B mode only and support legacy modulation DSSS, HR-DSSS, and ERP-DSSS with rates of 1, 2, 5.5, and 11 Mbps.


What is 802.11g-Only Mode?

APs configured for g-only mode communicate with only 802.11g clients, using ERP-OFDM tech only. a and n devices Modulation rates up to 54 Mbps will be supported.


What modulation scheme can 802.11 b/g mode handle?

DSSS, HR-DSSS, OFDM. Legacy clients will be able to communicate using this method.


What is the major reason for G clients going into protection mode?

Because a legacy device is transmitting on the network. The legacy device will not be able to interpret the Duration/ID value on newer frames and not be able to set a value on a NAV timer. So the legacy device will think the medium is free and transmit data.


What does an 802.11g device do when it wants to send data in a mixed mode environment?

What is the reason for this?

What does this do to the slower legacy devices?

In a mixed-mode environment, when an 802.11g device wants to transmit data, it will first perform a NAV distribution by transmitting a request to send/clear to send (RTS/CTS) exchange with the AP or by transmitting a CTS-to-Self using a data rate and modulation method that the 802.11b HR-DSSS stations can understand.

The RTS/CTS or CTS-to-Self will hopefully be heard and understood by all of the 802.11b and 802.11g stations. The RTS/CTS or CTS-to-Self will contain a Duration/ID value that will be used by all of the listening stations to set their NAV timers.

To put it simply, using a slow transmission that all stations can understand, the ERP (802.11g) device notifies all the stations to reset their NAV values. After the RTS/CTS or CTS-to-Self has been used to reserve the medium, the 802.11g station can transmit a data frame by using OFDM modulation without worrying about collisions with 802.11b HR-DSSS or legacy 802.11 DSSS stations.


How is protection mode triggered on a b/g network?

When an ERP (802.11g) AP decides to enable the use of a protection mechanism, it needs to notify all of the ERP (802.11g) stations in the BSS that protection is required. It accomplishes this by setting the NonERP Present bit, and the ERP stations will know that Protected mode is required.


What are 3 reasons that protection mode is enabled?

1. If a non-ERP STA associates with an ERP AP, the ERP AP will enable the NonERP_Present bit in its own beacons, enabling protection mechanisms in its BSS. In other words, an HR-DSSS (802.11b) client association will trigger protection.

2. If an ERP AP hears a beacon from an AP where the supported data rates contain only 802.11b or 802.11 DSSS rates, it will enable the NonERP_Present bit in its own beacons, enabling protection mechanisms in its BSS. In simpler terms, if an 802.11g AP hears a beacon frame from an 802.11 or 802.11b AP or ad hoc client, the protection mechanism will be triggered.

3. If an ERP AP hears a management frame (other than a probe request) where the supported rate includes only 802.11 or 802.11b rates, the NonERP_Present bit may be set to 1.


What is the loss of throughput caused by when a network is in protection mode?

A large amount of RTS/CTS or CTS-to-Self overhead is added prior to every ERP-OFDM data transmission. Aggregate throughput on a 54 Mbps network is around 18-24; however, with protection mode on it could drop to 13-9.


Is protection mode existent on 802.11n and ac networks? Why is throughput degradation not noticed as much on these modulation rates?

Yes, because it needs to be backward compatible with all other wireless modulation schemes.

Not noticed as much due to high throughput speeds.


How does a station perform collision avoidance?

A station performs collision avoidance by setting its NAV when it hears another station transmitting (virtual carrier sense) and by listening for RF (physical carrier sense).


What does request to send/clear to send (RTS/CTS) do?

Request to send/clear to send (RTS/CTS) is a mechanism that performs a NAV distribution and helps prevent collisions from occurring. This NAV distribution reserves the medium prior to the transmission of the data frame.


What is the first thing a station must do before it sends data if configured for RTS/CTS?

When RTS/CTS is enabled on a station, every time the station wants to transmit a frame it must perform an RTS/CTS exchange prior to the normal data transmissions.


Explain the process that uses RTS/CTS.

1. When RTS/CTS is enabled on a station, every time the station wants to transmit a frame it must perform an RTS/CTS exchange prior to the normal data transmissions.
2. When the transmitting station goes to transmit data, it first sends an RTS frame. The duration value of the RTS frame resets the NAV timers of all listening stations so that they must wait until the CTS, DATA, and ACK have been transmitted.
3. The receiving station, the AP, then sends a CTS, which is also used for NAV distribution. The duration value of the CTS frame resets the NAV timer of all listening stations so that they must wait until the DATA and ACK have been transmitted.


What are two reasons behind RTS/CTS?

It can be used when a hidden node exists.
It can be used automatically as a protection mechanism when different technologies such as 802.11 b/g/n coexist in the same basic service set.


What a RTS/CTS exchange between a client station and an AP.



What is CTS-to-Self?
What are the benefits?

Used strictly as a protection mechanism for mixed-mode environments. One of the benefits of using CTS-to-Self over RTS/CTS as a protection mechanism is that the throughput will be higher because fewer frames are being sent.


How does CTS-to-Self work?
How is this performed?

When a station using CTS-to-Self wants to transmit data, it performs a NAV distribution by sending a CTS frame. This CTS notifies all other stations that they must wait until the DATA and ACK have been transmitted. Any station that hears the CTS will set its NAV to the value provided.

Since CTS-to-Self is used as a protection mechanism for mixed-mode environments, the ERP (802.11g) station will transmit the CTS by using DSSS technology that all stations can understand. Then the DATA and the ACK will be transmitted at a faster 802.11g speed by using ERP-OFDM data rates.


Draw a RTS/CTS frame exchange having a modern client + an ancient client + modern AP.

Chapter 9.11


Draw up a normal RTS/CTS exchange.

Diagram 9.11


Which type of protection mode is most commonly used in an environment?



What is the most common type of data frame?

A simple data frame, which has MSDU upper-layer information encapsulated in the frame body. The integration service that resides in APs and WLAN controllers takes the MSDU payload for a simple data frame and transfers the MSDU into 802.3 Ethernet frames.


Describe Active Mode power-management.

Active mode is a legacy power-management mode used by very old 802.11 stations. When a station is set for Active mode, the wireless station is always ready to transmit or receive data. Active mode allows higher throughput than power-save mode.


What is power save mode?

An optional mode. Clients will shut down some of the transceiver components for a period of time to conserve power. The wireless radio takes a short nap.


How does power save mode work?

If a station is part of a basic service set, it will notify the AP that it is enabling Power Save mode by changing the Power Management field to 1. When the AP receives a frame from a station with this bit set to 1, the AP knows that the station is in Power Save mode. If the AP then receives any data that is destined for the station in Power Save mode, the AP will store the information in a buffer. The buffered data is then sent to the client when it awakes.


What is an association identifier?

Any time a station associates to an AP, the station receives an association identifier (AID). The AP uses this AID to keep track of the stations that are associated and the members of the BSS.


What is a traffic indication map?

A field of the beacon frame. The TIM field is a list of all stations that have undelivered data buffered on the AP, waiting to be delivered. Every beacon will include the AID of the station until the data is delivered.


How do beacons work with power save? How does a station know when to go back to sleep?

Beacon frames are transmitted at an interval frequency. Each beacon has an AID. So the stations know when the next beacon frame will be. The stations can stay asleep for longer. When the station listens for beacons and it sees that its identifier is in the AID, it awakens to get the buffered data by sending a PS-POLL frame to the AP.

The client station knows to stay awake because each buffered unicast frame that it is sent has a 1-bit field called the "More Data" field that, if set to 1, means that more data is coming.


What is a delivery traffic indication map (DTIM)?
What is its purpose?
How are they transmitted?

A delivery traffic indication map (DTIM) is used to ensure that all stations using power management are awake when multicast or broadcast traffic is sent.

The purpose is so that the client stations are awake when broadcasts or multicasts are sent out.

A TIM or DTIM is transmitted as part of every beacon.


What is the 802.11e amendment?

Introduced WMM Power Save and U-APSD.


What is automatic power save delivery?

APSD is an enhanced power-management method.


What are the 2 methods used for APSD? Which one is based on the Wi-Fi Alliance's WMM Power Save certification?

Scheduled Power Save Delivery and unscheduled automatic power save delivery.

Unscheduled automatic power save delivery.


What is WMM-PS and what are its goals?

The goal of WMM-PS is to have client devices spend more time in a doze state and consume less power. WMM-PS is also designed to minimize latency for time-sensitive applications such as voice during the power-management process.


How does WMM-PS work?

1. Uses 802.1D priority queries.
2. The client station sends a trigger frame related to a WMM access category to inform the AP that the client is awake and ready to download any frames that the AP may have buffered for that access category.
3. The AP will then send an ACK to the client and proceed to send a frame burst of buffered application traffic during a transmit opportunity (TXOP).


What are 4 advantages to enhanced power-management?

1. Applications now control power-save behavior by setting doze state periods and sending trigger frames.
2. The trigger and delivery method eliminates the need for PS-Poll frames.
3. The client can request to download buffered traffic and doesn't have to wait for a beacon.
4. All the downlink application traffic is sent in a faster frame burst during the AP's TXOP.


What are the conditions that have to be met for a Wi-Fi client to use enhanced WMM-PS?

The client needs to be certified for WMM-PS.
The AP needs to be certified for WMM-PS.