SO – Why do 802.11 Acknowledgement Frames have no source MAC?

Ah… now that’s a legitimate good question that deserves a bit of background.

To its to its fullest extent, the question was this:

“Anyone know why 802.11 Acknowledgement Frames have no source MAC address? I don’t see it when I capture the packets from TCPDUMP or Wireshark from Linux with a monitor-mode and promiscuous-mode driver. How does the Access Point distinguish ACK frames from different 802.11 clients if there is no source MAC addresses in the frame?

I can see from all the captures that the ACK comes immediately after the frame is sent (around 10 to 30 microseconds) but that alone can’t be enough to distinguish the source can it? Maybe each frame has some kind of unique identifier and the ACK frame has this ID inside it? Maybe there is identifying information in the encrypted payload since the WLAN uses WPA-PSK mode?”

From George Ou, here.

And my answer is this:

ACK frames, like all 802.11 management frames, have a DA (Destination Address) and SA (Source Address) in their MAC header (both not to be exactly confused with just “MAC address, see below), and that’s all what’s needed in this context.

TLD;DR: In 802.11 context, “MAC address”, SA (Source addr), TA (Transmitter addr), DA (Destination addr), BSSID or whatnot all look alike a 6 byte “MAC address” that we’re familiar with from other technologies, yet they should not be confused.

And now for the demolition of “MAC address” concept in 802.11 context.

802.11 Acknowledgement Frames are parts of 802.11 managements frames, and 802.11 is “a set of media access control (MAC) and physical layer (PHY) specifications” (source).

What this mean – and this is a very important concept to grasp when working with Wi-Fi – is that 802.11 in itself, including its management frames, have nothing to do with “traditional” (say 802.3, aka Ethernet) PHY (layer 1) nor MAC (layer 2) layers – they are a kind of their own.

802.3/Ethernet, to continue with this analogy – or rather counter example – have no such thing as ACK frames, beacons, probe request, RTS/CTS, auth/deauth, association etc, which are all types of 802.11 management frames. These are simply not needed with 802.3, for the most part because wired Ethernet is not a shared media (that’s IEEE terminology), that may lead to unreliability/collision as is air with 802.11/Wi-Fi.

The important consequence of this is that you should not expect a priori to meet other, more familiar concept nor data from other layer 1/2 technologies. Forget this, once for all.

Sure, Wi-Fi looks like it carry on some MAC and IP and TCP and or UDP or whatnot, and they do most of the time, but regarding management frames such as ACK, that’s a different world – its own world. As it is, 802.11 could perfectly be used – and maybe is used in some niche use cases – to carry other higher level protocols than TCP/IP. And its MAC concept, though looking familiar with its 6 bytes, should not be confused in its form nor use to the MAC of 802.3/Ethernet. To take another example, 802.15 aka Bluetooth also have a 6 bytes MAC, yet that is again another thing.

And to take the 802.11 a contrario example, 802.11 layer 1/2 beacon frames for instance carry some info about SSID, supported rates, Frequency-hopping (FH), parameter set etc etc that have no counterparts in other L1/2 technologies.

Now, embrace the complexity of what is/are “MAC addresses” in 802.11…

And this is why, to take an example in day to day use, pcap/tcpdump have such weird filters such as wlan ra, wlan ta, wlan addr1, wlan addr2, wlan addr3, wlan addr4 – and the like for wireshark capture and display filter.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s