Blogs

802.11 - Action Frames

By gstefanick posted Jan 19, 2016 09:00 AM

  

The 802.11 standard section 8.5 comments on action frames. Action frames are interesting. Action frames can be triggered by access points or client stations. The action frame provides information and direction as in what to do. The 802.11 standard comments about action frames in 17 different sections of subsection 8.5. While many of these aren't used by vendors today some important ones are. Lets review some comments about action frames and then head to the frame captures.

802.11 Standard Overview

8.5.1 Introduction

  • Sub clause 8.5 describes the Action field formats allowed in each of the action categories defined in Table 8- 38 in 8.4.1.11.

 

8.5.2 Spectrum management Action frames

  • 8.5.2.1 General
  • Five Action frame formats are defined for spectrum management. A Spectrum Management Action field, in the octet field immediately after the Category field, differentiates the five formats. The Spectrum Management Action field values associated with each frame format are defined in Table 8-191.

 

8.5.3 QoS Action frame details

  • 8.5.3.1 General
  • Several Action frame formats are defined for QoS purposes. These frames are identified by the single octet QoS Action field, which follows immediately after the Category field. The values of the QoS Action field are defined in Table 8-192.

 

8.5.4 DLS Action frame details

  • 8.5.4.1 General
  • Several Action frame formats are defined for DLS management purposes. A DLS Action field, in the octet field immediately after the Category field, differentiates the formats. The DLS Action field values associated with each frame format are defined in Table 8-198.

 

8.5.5 Block Ack Action frame details

  • 8.5.5.1 General
  • The ADDBA frames are used to set up or, if PBAC is used, to modify Block Ack for a specific TC or TS. A Block Ack Action field, in the octet immediately after the Category field, differentiates the Block Ack Action frame formats. The Block Ack Action field values associated with each frame format within the Block Ack category are defined in Table 8-202.

 

8.5.6 Vendor-specific action details

  • The Vendor Specific Action frame is defined for vendor-specific signaling. The format of the Action field of the Vendor Specific Action frame is shown in Figure 8-437. An Organization Identifier, in the octet field immediately after the Category field, differentiates the vendors (see 8.4.1.31).

 

 

8.5.7.1 General

  • Several Action frame formats are defined for Radio Measurement purposes. A Radio Measurement Action field, in the octet field immediately after the Category field, differentiates the formats. The Radio Measurement Action field values associated with each frame format are defined in Table 8-206.

 

8.5.8 Public Action details

  • 8.5.8.1 Public Action frames
  • The Public Action frame is defined to allow the following:
    • Inter-BSS and AP to unassociated-STA communications 
    • Intra-BSS communication — GAS

 

 

8.5.9 FT Action frame details

  • 8.5.9.1 General
  • Four Action frame formats are defined to support fast BSS transitions over the DS, which are initiated through the currently associated AP. The FT Action frames are sent over the air between the STA and the current AP. The Action frame is used as a transport mechanism for data that are destined for the target AP. An FT Action field, in the octet immediately after the Category field, differentiates the FT Action frame formats. The FT Action field values associated with each FT Action frame format are defined in Table 8-222.

 

 

8.5.10 SA Query Action frame details

  • 8.5.10.1 General
  • Two Action frame formats are defined for the SA Query procedure. A SA Query Action field, in the octet field immediately after the Category field, differentiates the formats. The Action field values associated with each frame format are defined in Table 8-227.

 

8.5.11 Protected Dual of Public Action frames

  • The Protected Dual of Public Action frame is defined to allow robust STA-STA communications of the same information that is conveyed in Action frames that are not robust (see 8.4.1.11). A Public Action field, in the octet immediately after the Category field, differentiates the Protected Dual of Public Action frame formats. The defined Protected Dual of Public Action frames are listed in Table 8-228.
  • The Protected Dual of Public Action frames have the same format as the corresponding nonprotected Public Action frame.

 

8.5.12 HT Action frame details

  • 8.5.12.1 HT Action field
  • Several Action frame formats are defined to support HT features. An HT Action field, in the octet immediately after the Category field, differentiates the HT Action frame formats. The HT Action field values associated with each frame format within the HT category are defined in Table 8-229. The frame formats are defined in 8.5.12.2 through 8.5.12.9.

 

8.5.13 TDLS Action field formats

  • 8.5.13.1 General
  • Several Action field formats are defined to support TDLS. A TDLS Action field, in the octet immediately after the Category field, differentiates the TDLS Action field formats. The TDLS Action field values associated with each Action field format within the TDLS category are defined in Table 8-238.

 

8.5.14 WNM Action details

  • 8.5.14.1 WNM Action fields
  • Several Action frame formats are defined for wireless network management (WNM) purposes. An Action field, in the octet field immediately after the Category field, differentiates the formats. The Action field values associated with each frame format are defined in Table 8-250.

 

8.5.15 Unprotected WNM Action details

  • 8.5.15.1 Unprotected WNM Action fields
  • Unprotected WNM Action frames are not encapsulated using mechanisms defined for robust management frames. An Action field, in the octet field immediately after the Category field, differentiates the formats. The Action field values associated with each frame format is defined in Table 8-260.

 

8.5.16 Self-protected Action frame details

  • 8.5.16.1 Self-protected Action fields
  • The Self-protected Action frame is defined to allow robust STA-STA communications of the Action frames that are not robust (see 8.4.1.11). The protocols that use these Action frames are responsible for deciding whether to protect these frames and supporting protection mechanisms for these frames as needed.

 

8.5.17 Mesh Action frame details

  • 8.5.17.1 Mesh Action fields
  • Several Mesh Action frame formats are defined for mesh BSS operation. A Mesh Action field, in the octet field immediately after the Category field, differentiates the formats. The Mesh Action field values associated with each frame format are defined in Table 8-267.

 

8.5.18 Multihop Action frame details

  • 8.5.18.1 Multihop Action fields
  • Several Multihop Action frame formats are defined for mesh BSS operation. A Multihop Action field, in the octet field immediately after the Category field, differentiates the formats. The Multihop Action field values associated with each frame format are defined in Table 8-279. The Mesh Control field is present immediately after the Multihop Action field in all Multihop Action frames.

Action Frames

 

The action frame is pretty consistent across the different action frame types. You have the typical MAC header information and action details.

 

Category - This describes the action frame type. If we follow what the 802.11 standard shares we would assume there are 17 different categories. However only of few of these are actually used in the real world. These categories do not follow 1 thru 17 either. Spectrum is 0, QoS is 1, Block ACK is 3, Public is 4, Radio Measurement is 5, FT is 6, and so on.

 

Action - Pretty simple. What is being asked. What action you shall do. This is typically followed by a number which translates to a action. You’re frame analyzer might fill this in for you like Omnipeek has for me here in the examples.

 

Element - This field allows for more information pertaining to the action. Not all frames will have a element field from my experience. But you will see some comments related to the action.

Untitled.png

Example: DFS event is under way. The access point is sending an action frame to the cell to announce a channel change.

 

Category - 0 Spectrum Management

Action - 4 Channel Switch Announcement

Element - New Channel 64

Untitled.png

Example: Here is a radio asking to allow a block ack request. In other words a radio is asking to send a series of frames without having to ACK each and every frame. Note this is on MPDU frames not MSDU. You can tell this by MSDU no permitted.

 

Category - 3 Block Ack

Action - 0 ADDBA Request

Untitled.png

Example: This action frame shows a client responding and approving a block ack request on MPDU frames with a block ack response frame.

 

Category - 3 Block Ack

Action - 1 ADDBA Response

Status Code: 0 Successful

Untitled.png

Example: In this example there it is a block ack tear down. In other words the sender is ending the block ack agreement. This could be because he has already sent all of his frames.

 

Category - 3 Block Ack

Action - 2 DELBA

Status Code: 39

Untitled.png'

Example: In this example TSPEC. Where a client is requesting a TS <traffic stream>.

 

Category - 17 WNM

Action - 0 ADDTS Reuquest

Status Code: 0 Admission Accepted

 

* Note I believe Omnipeek is decoding this wrong in the category code where you see WMM, it think it would read WNM.

Untitled.png

Example: In this example TSPEC. The access point is refusing the TS.

 

Category - 17 WNM

Action - 1 ADDTS Response

Status Code: 3 Refused

Untitled.png

 

I hope you enjoyed my brief overview of action frames.

0 comments
6 views