Wired Stuff
WiFi Tablet Corner
My80211 White Papers (Coming Soon!)

Cisco Wireless Compatibility Matrix (Nov. 2011)

Social Links
Anchor / Office Extends Ports

 

Peek Inside Cisco's Gear

See inside Cisco's latest wireless gear!

2.4 GHz Channel Overlap

EXAMPLE 1  

EXAMPLE 2

EXAMPLE 3  

CWSP RELEASE DATE 2/08/2010
  • CWSP Certified Wireless Security Professional Official Study Guide: Exam PW0-204
    CWSP Certified Wireless Security Professional Official Study Guide: Exam PW0-204
    by David D. Coleman, David A. Westcott, Bryan E. Harkins, Shawn M. Jackman

    Shawn Jackman (Jack) CWNE#54 is a personal friend and has been a mentor to me for many years.  I've had the pleasure and opportunity to work with Jack for 4 years. Jack is a great teacher who takes complex 802.11 standards and breaks them down so almost anyone can understand the concept at hand. I'm excited for you brother. Great job and job well done! Put another notch in the belt!

Interference Types

BLUETOOTH
 

Microwave Oven
 

Cordless Phone

JAMMER!
 

LWAPP QoS Packet Tagging

 

 

IEEE 802.11a/g/n Reference Sheet

 

« Wireless Sniffing in Windows 7 with Netmon 3.4 | Main | 802.11 BEACON Discussions »
Saturday
Dec052009

802.11: Null Data Frames

I was speaking to a friend last evening on the topic of client troubleshooting. The discussion came up about roaming and roaming aggressiveness. We talked about the different aspects of client behavior and the discussion turned into an 802.11 frame discussion. More specifically the NULL frame.

The Null Data Frame is a very interesting frame. In fact, most folks overlook these frames, perhaps because they don’t know their importance. Just a few months ago I was troubleshooting a client issue and the NULL frame confirmed by idea and backed my findings as it pertained to a wireless issue I was troubleshooting

Lets look at the NULL frame and it's importance. 

The Null Data Frame is a control frame. It is only transmitted by a STA (wireless client). Access points do not transmit these frames. It carry’s no data payload. In fact, the only purpose of this frame (by standard) is to carry the power management bit in the frame controlled field. The power management bit will be either "0" zero or "1" one. 

When the STA sends a power management bit of "0" to the access point in which it is associated to, it is the STAs way of informing the access point that the STA is in an active power state (awake) and transmission of frames from access point to STA should be normal.  

When the STA sends a power management bit of "1" to the access point in which it is associated to. This is informing the access point that the STA is going offline and any frames that come into the access point for this STA should be buffered at the access point till the STA returns and sends a NULL frame of "0", active state. 

A text example of the exchange: 

STA ---NULL FRAME "0"----->  AP "Client says to the AP: Hey AP I’m online send me data"

 

STA ---NULL FRAME "1"----->  AP "Client says to the AP: Hey AP buffer any transmissions coming in for me. Ill be back in a bit (no pun intended)"

 

So why would a client go offline and what is the importance !?!?! Its very important. Lets talk through a few examples. 

There are two main reasons why a STA will go offline, or send a power man bit of "1" to an access point.

Power Save Mode: PSM allows a STA to go into "sleep or doze" mode. PSM essentially turns off the NIC radio for short burst to conserve battery power for a device. You will notice significant power conservation and longer battery life when PSM is enabled. VoIP phones, PDAs and other small battery form factor devices benefits from PSM. A word of *caution*, be aware that some applications can suffer from aggressive power save mode options. 

Active/Passive Scanning: The other reason why a STA will inform an access point to buffer its frames by sending a power man bit of "1" is when it’s ready to roam. Suppose a client has hit its roaming threshold and is seeking out another access point to associate to. In order to seek out other access points in the area it has to go off channel. By doing so, the STA tells the AP, buffer the frames man, ill be back for them in a bit!

Example:

The STA is on AP TEST, AP test is on channel 1

The client will send a NULL FRAME to the access point with the man bit of 1. The STA goes offline and floods channels 2,3,4,5,6,7,8,9,10,11 (depending on configuration of the client of course) with probe request looking for other APs.

Lets look at a packet capture:

Note frame 75 - This is my STA sending the AP a Data Null Frame. If you open the packet and drill down into the frame control you will see the power management bit is set 1.

 

Note frame 78 - This is my STA sending the AP a Data Null Frame. Note that the power bit is set to 0. Indicating to the STA is back on channel and any data that was buffered and future date should be sent to the client until its next doze state. 

Note frame 82 - STA is going back to bed!

 

What is also interesting to note is the TIME stamp. Look at the time delta between frames 75 - 78. This is the period of time the STA was off line, generally speaking.

You might ask when does the client come back online to the AP. Well that is dependent on how the STA is configured. For example, Intel has what I call the "slide bar" for PSM. The more aggressive the mode the longer the STA will be in sleep or doze mode. 

Now that you know what a NULL frame is and its purpose. If you are troubleshooting a STA issue pay attention to what the STA is telling the access point! If a client is sending NULL frames there is a reason why!

Reader Comments

There are no comments for this journal entry. To create a new comment, use the form below.

PostPost a New Comment

Enter your information below to add a new comment.

My response is on my own website »
Author Email (optional):
Author URL (optional):
Post:
 
Some HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>