12.2 802.11 MAC Header
Each MAC frame consists of a MAC header, a frame body of variable length, and an FCS (Frame Check Sequence), a 32-bit CRC. Figure 12-1 shows the 802.11 header.

Figure 12-1. IEEE 802.11 header. Note that not all members are always used, as this section will shortly explain
Chapter 12 ■ Wireless in Linux
The 802.11 header is represented in mac80211 by the ieee80211_hdr structure:
struct ieee80211_hdr {
    __le16 frame_control;
    __le16 duration_id;
    u8 addr1[6];
    u8 addr2[6];
    u8 addr3[6];
    __le16 seq_ctrl;
    u8 addr4[6];
} __packed;
(include/linux/ieee80211.h)
If you're used to Ethernet (struct ethhdr), this structure might feel a bit "heavy" — an Ethernet header has only three fields: source MAC, destination MAC, and EtherType. The 802.11 header, on the other hand, can contain up to 4 or even 6 addresses (counting the two in the Mesh extension header), plus a bunch of control bits.
Don't let this "luxury lineup" intimidate you. In a typical data frame (like a phone talking to a router), only 3 addresses are actually used. For a simple ACK frame, only a single address is used. Figure 12-1 shows only 4 addresses, because Mesh networks use a special extension header to squeeze in two more.
Let's break down this header. We'll start with the first field — frame control. These 16 bits are very important; in many cases, they determine how the subsequent fields (especially those addresses) should be interpreted.
The Frame Control
The frame control field is 16 bits long, structured as shown in Figure 12-2.
Figure 12-2. Frame control fields
Think of it as a master switch panel, where each bit has a specific meaning. Let's look at each member:
- Protocol Version: Identifies the 802.11 MAC version. Currently there is only one version, so this field is always 0. You can think of it as a "legacy placeholder," or space reserved for possible major protocol revisions in the future.
- Type: 802.11 divides frames into three major categories: management, control, and data.
  - Management frames (IEEE80211_FTYPE_MGMT): These are "management signaling." For example, to connect to WiFi you must first authenticate and then associate, and scanning for nearby APs is another case; all of these are management frames. Without them, you can't even connect to the network, let alone transmit data.
  - Control frames (IEEE80211_FTYPE_CTL): These typically assist data transmission. The most classic example is PS-Poll, used by a sleeping station to request data from an AP. Another well-known combination is RTS/CTS: before sending data, you first send an RTS (Request to Send); if the channel is free, the receiver sends back a CTS (Clear to Send), and then you send the data. This is designed to solve the "hidden node" problem by reserving the channel upfront to avoid collisions.
  - Data frames (IEEE80211_FTYPE_DATA): This is the actual data we want to transmit. There is a special case here called Null packets. Although they are of data frame type, they carry no payload. They are mainly used to notify the AP: "I'm going to sleep" or "I'm awake." We'll cover this in detail in the "Power Save Mode" section later.
- Subtype: Each of the three categories above has finer subdivisions, and that's what the Subtype field does. It's the "specific identity" of the frame.
  - For management frames, if the Subtype is 0100, it's a Probe Request (IEEE80211_STYPE_PROBE_REQ) — the "who's out there?" shout your phone makes when scanning for networks.
  - For control frames, Subtype 1011 represents RTS (IEEE80211_STYPE_RTS).
  - For data frames, Subtype 0100 represents Null Data (IEEE80211_STYPE_NULLFUNC).
  - Another key value is 1000 (IEEE80211_STYPE_QOS_DATA), representing a QoS data frame. This was added by the 802.11e amendment, primarily to support latency-sensitive applications like voice and video — what we commonly call "high-priority queues."
- ToDS / FromDS (To Distribution System / From DS): These two bits indicate the direction of data flow, especially in infrastructure mode with an AP (Access Point).
  - ToDS = 1: Indicates the packet is destined for the Distribution System (DS). Simply put, it's a client sending to the AP, asking the AP to forward it into the LAN.
  - FromDS = 1: Indicates the packet is coming from the Distribution System. Simply put, it's the AP sending to the client.
  There's an interesting combination here: if both bits are 1, it represents a frame being transmitted in a Wireless Distribution System (WDS), meaning two APs are backhauling data over wireless. In this case, you'll use all 4 addresses (covered in detail below).
- More Frag: When fragmentation is enabled, this bit is set to 1. If a packet is too large and gets chopped into several fragments, all but the last one have this bit set to 1, telling the receiver "I'm not done yet, don't rush."
- Retry: If this packet is a retransmission, this bit is 1. 802.11 runs over an unreliable wireless link, so packet loss is normal. If a sent packet doesn't receive an ACK, the sender must retransmit. This bit tells the receiver: "Don't mind the repetition — the previous one was probably lost, this is a resend."
- Pwr Mgmt: When this bit is set to 1, it means the station is about to enter power save mode. When the AP sees this bit, it understands: "Don't drop data destined for this station — buffer it for me, and they'll request it when they wake up." We'll cover this complex "sleep-wake" mechanism in detail later.
- More Data: This is the AP's response to a sleeping station. When the AP sends packets to a sleeping station, if its buffer still has data left to send, it sets this bit to 1. When the station sees this bit, it knows: even though it just received one packet, it needs to stay awake or quickly send a PS-Poll to get another batch, because there's more coming. When the buffer is empty, this bit goes back to 0.
- Protected Frame: If this bit is 1, it means the frame body is encrypted. Only data frames and authentication frames can be encrypted.
- Order: If the "strict ordering" MAC service is in use, this bit is set to 1. It's a mechanism to guarantee frames arrive in order, but it's rarely used nowadays.

⚠️ Note: The Action Frame (IEEE80211_STYPE_ACTION) was originally introduced by 802.11h, mainly for spectrum management and transmit power control. But later, because the management frame subtype space ran out, many newer standards (like HT operations in 802.11n) repurposed Action Frames to carry information. It's like a universal envelope — what's inside depends on the specific protocol amendment.
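As an added example (not code from the book or from mac80211), here is a small userspace decoder for the frame control word and the header layout it implies. It follows the bit positions of Figure 12-2 and the address rules given in this section; the constant names are our own, chosen to mirror the kernel's IEEE80211_FCTL_*, FTYPE_* and STYPE_* values in include/linux/ieee80211.h, the frame control is read little-endian from the first two header bytes, and the frame-control bytes in main() are constructed. It accounts only for the fields discussed so far and ignores the HT Control field that the Order bit can add.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame control bit masks (same values as include/linux/ieee80211.h). */
#define FC_FTYPE 0x000c
#define FC_STYPE 0x00f0
#define FC_TODS 0x0100
#define FC_FROMDS 0x0200
#define FC_MOREFRAGS 0x0400
#define FC_RETRY 0x0800
#define FC_PM 0x1000
#define FC_MOREDATA 0x2000
#define FC_PROTECTED 0x4000
#define FC_ORDER 0x8000
#define FTYPE_MGMT 0x0000
#define FTYPE_CTL 0x0004
#define FTYPE_DATA 0x0008
#define STYPE_CTS 0x00c0
#define STYPE_ACK 0x00d0
#define STYPE_QOS_DATA 0x0080   /* data subtype 1000; bit 7 marks every QoS data subtype */

static uint16_t fc_load(const uint8_t *hdr)
{
    return (uint16_t)(hdr[0] | (hdr[1] << 8));
}

static const char *fc_type_name(uint16_t fc)
{
    switch (fc & FC_FTYPE) {
    case FTYPE_MGMT: return "management";
    case FTYPE_CTL:  return "control";
    case FTYPE_DATA: return "data";
    default:         return "reserved";
    }
}

/* Every data subtype with bit 7 set is a QoS data frame. */
static int fc_is_qos_data(uint16_t fc)
{
    return (fc & FC_FTYPE) == FTYPE_DATA && (fc & STYPE_QOS_DATA) != 0;
}

/* Address count per the text: ACK and CTS carry RA only, other control frames
 * RA and TA, management and data frames three, WDS data (ToDS and FromDS) four. */
static int fc_num_addrs(uint16_t fc)
{
    uint16_t ftype = fc & FC_FTYPE, stype = fc & FC_STYPE;
    if (ftype == FTYPE_CTL)
        return (stype == STYPE_ACK || stype == STYPE_CTS) ? 1 : 2;
    if (ftype == FTYPE_DATA && (fc & (FC_TODS | FC_FROMDS)) == (FC_TODS | FC_FROMDS))
        return 4;
    return 3;
}

/* Header length: fc (2) + Duration/ID (2) + addresses + Sequence Control (2, not in
 * control frames) + QoS Control (2, QoS data only). HT Control is not handled. */
static size_t fc_hdrlen(uint16_t fc)
{
    size_t len = 4 + 6 * (size_t)fc_num_addrs(fc);
    if ((fc & FC_FTYPE) != FTYPE_CTL)
        len += 2;
    if (fc_is_qos_data(fc))
        len += 2;
    return len;
}

/* Writes the flag bits that are set, in Figure 12-2 order, as space-separated names. */
static void fc_flag_names(uint16_t fc, char *out, size_t n)
{
    static const struct { uint16_t bit; const char *name; } flags[] = {
        { FC_TODS, "ToDS" }, { FC_FROMDS, "FromDS" }, { FC_MOREFRAGS, "MoreFrag" },
        { FC_RETRY, "Retry" }, { FC_PM, "PwrMgmt" }, { FC_MOREDATA, "MoreData" },
        { FC_PROTECTED, "Protected" }, { FC_ORDER, "Order" },
    };
    size_t i;
    out[0] = '\0';
    for (i = 0; i < sizeof flags / sizeof flags[0]; i++)
        if (fc & flags[i].bit)
            snprintf(out + strlen(out), n - strlen(out), "%s%s", out[0] ? " " : "", flags[i].name);
}

int main(void)
{
    /* Constructed frame-control bytes: a QoS data frame from a station to its AP
     * with Protected set, an ACK, and a four-address WDS data frame. */
    const uint8_t samples[3][2] = { { 0x88, 0x41 }, { 0xd4, 0x00 }, { 0x08, 0x03 } };
    char flags[96]; int i;
    for (i = 0; i < 3; i++) {
        uint16_t fc = fc_load(samples[i]);
        fc_flag_names(fc, flags, sizeof flags);
        printf("fc=0x%04x %s subtype=%u addrs=%d hdrlen=%zu flags=[%s]\n", fc,
               fc_type_name(fc), (unsigned)((fc & FC_STYPE) >> 4), fc_num_addrs(fc),
               fc_hdrlen(fc), flags);
    }
    return 0;
}
```

The three constructed headers come out as the lengths you will see in captures: 26 bytes for a QoS data frame to the AP, 10 for an ACK, 30 for a WDS data frame with Address 4. Note how the same subtype value (0100) means Probe Request under the management type and Null Data under the data type, which is why the decoder never looks at the subtype without the type.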
The Other 802.11 MAC Header Members
Besides frame control, the 802.11 header has several other key players:
- Duration/ID: This field is typically used to set the NAV (Network Allocation Vector), a virtual carrier sensing mechanism. Simply put, it tells everyone nearby: "I'm going to occupy the channel for this long — stay quiet and count it down." It consists of 15 bits, with the most significant bit (the 16th) being 0.
  But in power save mode, this field has a special purpose: for PS-Poll frames, it carries the station's AID (Association ID). The AID is a number assigned by the AP to each connected device, and it's crucial in the sleep-wake mechanism.
- Sequence Control: This is a 2-byte field consisting of two parts:
  - Fragment Number (4 bits): The fragment number.
  - Sequence Number (12 bits): The sequence number.
  Out-of-order delivery and packet loss are common in wireless environments. The sender generates the sequence number in the ieee80211_tx_h_sequence() function. If the receiver gets a frame with exactly the same sequence number as a previous one (usually because the ACK was lost and the sender retransmitted), mac80211's ieee80211_rx_h_check() function treats it as a duplicate frame, drops it, and increments the dot11FrameDuplicateCount counter. Note: Control frames typically do not have this field.
- Address 1 – Address 4: This is the most confusing part. Why does a packet need 4 addresses?
  - Address 1 (RA, Receiver Address): The receiver address. All packets have this, telling the NIC "who this is for."
  - Address 2 (TA, Transmitter Address): The transmitter address. Most packets have this (except for ultra-short control frames like ACK and CTS), telling the NIC "who sent this."
  - Address 3: Used mainly for management and data frames. In infrastructure mode (with an AP), it's typically the source or destination address (depending on the ToDS/FromDS settings). For example, in a data packet from your phone to your computer, even though it's forwarded through the AP, Address 3 is still the computer's MAC address.
  - Address 4: This only appears in special cases — when both ToDS and FromDS are set to 1. This usually happens in WDS (Wireless Distribution System) or Mesh networks, representing the ultimate source or destination of a packet that has traversed multiple wireless hops.
- QoS Control: This was added by the 802.11e amendment and is only present in QoS data packets. Because it wasn't part of the original 802.11 spec, it's not a member of the standard ieee80211_hdr structure. If you look for it in the code, it's actually appended after the header. mac80211 provides the ieee80211_get_qos_ctl() function to access it. This field contains the TID (Traffic Identifier), ACK Policy (e.g., whether to use Block Ack), and the A-MSDU present flag (telling you if this is an aggregated frame). We'll dive into A-MSDU in the "High Throughput (802.11n)" section later.
- HT Control Field: This was added by the 802.11n amendment for High Throughput operations. See section 7.1.3.5(a) of the 802.11n-2009 spec.
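The members in the list above, as an added example (again our own userspace code, not the book's or mac80211's): sequence control is split into fragment and sequence numbers, a one-entry per-transmitter cache reproduces the duplicate check described under Sequence Control, the QoS control word is decoded into TID, ACK policy and A-MSDU flag, and Duration/ID is read as a NAV value or, for a PS-Poll, as an AID. Field offsets follow Figure 12-1; the constant names, the PS-Poll AID bit layout (AID in bits 0-13, bits 14 and 15 set, as in the 802.11 standard) and the 26-byte sample header are our own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FC_FTYPE 0x000c
#define FC_STYPE 0x00f0
#define FC_DS_BITS 0x0300        /* ToDS | FromDS */
#define FC_RETRY 0x0800
#define FTYPE_CTL 0x0004
#define FTYPE_DATA 0x0008
#define STYPE_PSPOLL 0x00a0
#define STYPE_QOS 0x0080         /* QoS bit of the data subtype */
#define QOS_AMSDU 0x0080         /* A-MSDU present bit of the QoS control word */

static uint16_t le16_load(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void le16_store(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
/* Sequence control: 4-bit fragment number in the low bits, 12-bit sequence number above it. */
static unsigned seq_number(uint16_t sc) { return (sc >> 4) & 0x0fff; }
static unsigned frag_number(uint16_t sc) { return sc & 0x000f; }

/* QoS control follows Address 3 (offset 24), or Address 4 (offset 30) in a WDS frame; 0 = none. */
static size_t qos_ctl_offset(uint16_t fc)
{
    if ((fc & FC_FTYPE) != FTYPE_DATA || !(fc & STYPE_QOS))
        return 0;
    return ((fc & FC_DS_BITS) == FC_DS_BITS) ? 30 : 24;
}

struct qos_ctl { unsigned tid, ack_policy, amsdu; };
static int parse_qos_ctl(const uint8_t *hdr, struct qos_ctl *q)
{
    size_t off = qos_ctl_offset(le16_load(hdr));
    uint16_t v = off ? le16_load(hdr + off) : 0;
    q->tid = v & 0x000f;                 /* TID: bits 0-3 */
    q->ack_policy = (v & 0x0060) >> 5;   /* ACK policy: bits 5-6 */
    q->amsdu = (v & QOS_AMSDU) != 0;     /* A-MSDU present: bit 7 */
    return off != 0;
}

/* Duration/ID is a 15-bit NAV duration (bit 15 clear), except in a PS-Poll, where
 * bits 0-13 carry the station's AID (bits 14 and 15 set). Returns 1 if *out is an AID. */
static int duration_or_aid(const uint8_t *hdr, uint16_t *out)
{
    uint16_t fc = le16_load(hdr), dur = le16_load(hdr + 2);
    int pspoll = (fc & FC_FTYPE) == FTYPE_CTL && (fc & FC_STYPE) == STYPE_PSPOLL;
    *out = pspoll ? (dur & 0x3fff) : (dur & 0x7fff);
    return pspoll;
}

/* Last sequence control seen from one transmitter (Address 2). */
struct dup_cache { uint8_t ta[6]; uint16_t last_seq_ctrl; int valid; };

/* The duplicate test the text describes: a retransmission (Retry set) whose seq_ctrl equals
 * the previous frame from the same TA is dropped and counted in dot11FrameDuplicateCount. */
static int rx_check_duplicate(struct dup_cache *c, const uint8_t *hdr, unsigned long *dup_count)
{
    uint16_t fc = le16_load(hdr), sc;
    if ((fc & FC_FTYPE) == FTYPE_CTL)
        return 0;                 /* control frames carry no seq_ctrl */
    sc = le16_load(hdr + 22);     /* after fc, Duration/ID and three addresses */
    if (c->valid && (fc & FC_RETRY) && c->last_seq_ctrl == sc &&
        memcmp(c->ta, hdr + 10, 6) == 0) {
        (*dup_count)++;
        return 1;
    }
    memcpy(c->ta, hdr + 10, 6);   /* accept and remember this transmitter's seq_ctrl */
    c->last_seq_ctrl = sc;
    c->valid = 1;
    return 0;
}

/* Constructed 26-byte QoS data header: station -> AP (ToDS), NAV 44 us,
 * sequence number 0x123, fragment 0, TID 5 with the A-MSDU flag set. */
static size_t build_sample_frame(uint8_t *buf, int retry)
{
    le16_store(buf, 0x0188 | (retry ? FC_RETRY : 0));
    le16_store(buf + 2, 44);
    memcpy(buf + 4, "\x02\x00\x00\x00\x00\x01", 6);    /* Address 1: RA = AP */
    memcpy(buf + 10, "\x02\x00\x00\x00\x00\x02", 6);   /* Address 2: TA = station */
    memcpy(buf + 16, "\x02\x00\x00\x00\x00\x03", 6);   /* Address 3: destination */
    le16_store(buf + 22, 0x123 << 4);
    le16_store(buf + 24, 5 | QOS_AMSDU);
    return 26;
}

/* Feeds the frame and then its retransmission through the duplicate check; returns 1. */
static unsigned long demo_duplicate_count(void)
{
    uint8_t first[26], resend[26];
    struct dup_cache cache = { {0}, 0, 0 };
    unsigned long dups = 0;
    build_sample_frame(first, 0);
    build_sample_frame(resend, 1);
    rx_check_duplicate(&cache, first, &dups);
    rx_check_duplicate(&cache, resend, &dups);
    return dups;
}

int main(void) { printf("duplicates=%lu\n", demo_duplicate_count()); return 0; }
```

mac80211 keeps the last sequence control per station and per TID; the single-entry cache here is the minimum needed to show the rule, and it deliberately requires the Retry bit, so a fresh frame that happens to reuse a sequence number after wraparound is not mistaken for a duplicate.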
This section broke down the 802.11 MAC header and examined every one of its members. Becoming familiar with this structure is fundamental to understanding the mac80211 stack, because nearly every byte your driver handles has its logic defined right here.
Now that we know what frames look like, we need to consider: how do these frames flow between different devices? This brings us to network topologies and the MAC Layer Management Entity (MLME).