802.11, commonly known as WiFi, is a family of wireless protocols standardized by IEEE [1, P. 277].

Table of contents

  1. The 802.11 architecture and protocol stack
  2. The 802.11 physical layer
    1. 802.11b
    2. 802.11a
    3. 802.11g
    4. 802.11n
  3. The MAC sublayer protocol
  4. 802.11 frame structure
  5. Services
  6. References

The 802.11 architecture and protocol stack

802.11 networks can be used in two modes: infrastructure mode and ad-hoc mode [1, P. 299].

Infrastructure mode uses an AP (Access Point) that is connected to the network. Clients send and receive packets via the AP. Several APs can be connected to form an extended network [1, P. 299].

Figure: 802.11 architecture in infrastructure mode [1, P. 300]

Ad-hoc mode is a collection of computers connected to each other so that they can send frames to each other. There’s no AP [1, P. 299].

Figure: 802.11 architecture in ad-hoc mode [1, P. 300]

The 802.11 physical layer corresponds to the OSI physical layer, but the data link layer is split into multiple sublayers.

Figure: Part of 802.11 protocol stack [1, P. 300]

In 802.11 the MAC sublayer determines which channel gets to transmit next. The sublayer above, the LLC (Logical Link Layer), hides the differences between the varying 802.11 versions for the network layer [1, P. 300].

The 802.11 physical layer

“All 802.11 techniques use short-range radios to transmit signals in either 2.4-GHz or 5-GHz ISM frequency bands”. These bands are unlicensed, and so are shared by many other devices such as garage door openers, or microwave ovens. Fewer applications tend to use the 5-GHz band, so 5-GHz can be better for some applications despite shorter range due to higher frequency [1, P. 301].

All 802.11 transmission methods define multiple rates. Different rates can be used depending on the current conditions. If the signal is weak, a low rate is used. If the signal is clear, the highest rate is used. The process of adjustment is called rate adaption.


802.11b is a spread-spectrum method. It supports rates of 1, 2, 5.5, and 11Mb/s [1, P. 301].

802.11b is similar to the CDMA system, except that one spreading code is shared between all users. 802.11b uses a spreading sequence called the Barker Sequence. The autocorrelation of the Barker Sequence is low except when sequences are aligned. This allows a receiver to lock onto the start of a transmission. The Barker sequence is “used with BPSK modulation to send 1 bit per 11 chips” [1, P. 302].

Higher rates use CCK (Complementary Code Keying) to construct codes, rather than the Barker Sequence [1, P. 302].


802.11a was standardized after 802.11b, despite the group being formed first (hence the name). It supports rates up to 54Mb/s in the 5-GHz ISM band [1, P. 302].

802.11a is based on OFDM (Orthogonal Frequency Division Multiplexing).

Bits are sent over 52 subcarriers in parallel. 48 carry data, and 4 are used for synchronization. A symbol lasts 4μs, and sends either 1, 2, 4, or 6 bits. “The bits are coded for error correction with a binary convolutional code first so only 1/2, 2/3, or 3/4 of the bits are not redundant” [1, P. 302].

802.11a can run at different rates using the different combinations . The rates range from 5 to 55Mb/s.


802.11g uses the OFDM modulation methods of 802.11a, but operates in 2.4GHz ISM band [1, P. 302].

It has the same rates as 802.11a, as well as compatibility with 802.11b devices [1, P. 302].


802.11n was ratified in 2009. The aim of 802.11n was throughput of 100Mb/s after transmission overheads were removed [1, P. 302].

To meet the goal:

  • Channels were doubled from 20MHz to 40MHz.
  • Frame overhead was reduced by allowing a group of frames to be sent together.
  • Up to four streams could be transmitted at a time using four antennas.

[1, P. 303]

In 802.11, the stream signals interfere at the receiver, but they can be separated using MIMO (Multiple Input Multiple Output) techniques [1, P. 303].

The MAC sublayer protocol

The 802.11 MAC sublayer is different from the Ethernet MAC sublayer for two reasons:

  • Radios are almost always half duplex
  • Transmission ranges of different stations might be different

    802.11 uses the CSMA/CA (CSMA with Collision Avoidance) protocol. CSMA/CA is similar to ethernet CSMA/CD. It uses channel sensing and exponential backoff after collisions, but instead of entering backoff once a collision has been detected, CSMA/CA uses backoff immediately (unless the sender has not used the channel recently and the channel is idle) [1, P. 303].

The algorithm will backoff for a number of slots, for example 0 to 15 in the case of the of the OFDM physical layer. The station waits until the channel is idle by sensing that there is no signal for a short period of time. It counts down idle slots, pausing when frames are sent. When its counter reaches 0, it sends its frames [1, P. 303].

Acknowledgements “are used to infer collisions because collisions cannot be detected” [1, P. 303].

This way of operating is called DCF (Distributed Coordination Function). in DCF each station is acting independently, without a central control.

The other problem facing 802.11 protocols is transmission ranges differing between stations. It’s possible for transmissions in one part of a cell to not be received in another part of the cell, which can make it impossible for a sender to sense a busy channel, resulting in collisions [1, P. 304].

Figure: The hidden terminal problem [1, P. 305]

802.11 defines channel sensing to consist of physical and virtual sensing. Physical sensing “checks the medium to see if there is a valid signal” [1, P. 305].

With virtual sensing, each station keeps a record of what channel is in use. It does this with the NAV (Network Allocation Vector). Each frame includes a NAV field that contains information on how long the sequence that the frame is part of will take to complete [1, P. 305].

802.11 is designed to:

  • Be reliable.
  • Be power-saving.
  • Provide quality of service.

The main strategy for reliability is to lower the transmission rate if too many frames are unsuccessful. Lower transmission rates use more robust modulations. If too many frames are lost, a station can lower its rate. If frames are successfully delivered, a station can test a higher rate to see if should upgrade [1, P. 307].

Another strategy for successful transmissions is to send shorter frames. 802.11 allows frames to be split into fragments, with their own checksum. The fragment size can be adjusted by the AP. Fragments are numbered and sent using a stop-and-wait protocol [1, P. 307].

802.11 uses beacon frames. Beacon frames are broadcast periodically by the AP. The frames advertise the presence of the AP to clients and carry system parameters, such as the identifier of the AP, the time, how long until the next beacon, and security settings” [1, P. 307].

Clients can set a power-management bit in frames that are sent to the AP to alert it that the client is entering power-save mode. In power-save mode, the client rests and the AP buffers traffic intended for it. The client wakes up for every beacon, and checks a traffic map that’s sent with the beacon. The traffic map tells the client whether there is buffered traffic. If there is, the client sends a poll to the AP, and the AP sends the buffered traffic [1, P. 307].

802.11 provides quality of service by extending CSMA/CA with defined intervals between frames. Different kinds of frames have different time intervals. The interval between regular data frame is called the DIFS (DCF InterFrame Spacing). Any station can attempt to acquire a channel after the channel has been idle for DIFS [1, P. 308].

The shortest interval is SIFS (Short InterFrame Spacing). SIFS is used to send an ACK, other control frames like RTS, or for sending another fragment (which prevents another station from transmitting during the middle of a frame) [1, P. 308].

Different priorities of traffic are determined with different AIFS (Arbitration InterFrame Space) intervals. A short AIF can allow the AP to send higher priority traffic. An AIF that is longer than DIFS means the traffic will be sent after regular traffic [1, Pp. 308-9].

Another quality of service mechanism is transmission opportunity. Previously, CSMA/CA allowed only one frame to be sent at a time. This slowed down stations with significantly faster rates. Transmission opportunities make it so each station has equal airtime, not an equal number of sent frames [1, P. 309].

802.11 frame structure

There are three different classes of frames used in the air:

  • Data
  • Control
  • Management

Figure: Format of the 802.11 data frame [1, P. 310]

The first part of frame is the Frame Control field, made up of 11 subfields:

  • Protocol Version: set to 00 for current versions of 802.11.
  • Type: can be one of data, control, or management, and the Subtype (e.g RTS or CTS). These are set to 10 and 0000 in binary for a normal data field.
  • To DS and From DS: these bits indicate whether frames are coming or going from a network connected to the AP (the network is called the distribution system).
  • More Fragments: this bit means that more fragments will follow.
  • Retry: this bit “marks a retransmission of a frame sent earlier”.
  • Power Management: this bit indicates that the sender is going into power-save mode.
  • More Data: this bit indicates that the sender has additional frames for the receiver.
  • Protected Frame: this bit indicates that the frame body has been encrypted for security.
  • Order: this “bit tells the receiver that the higher layer expects the sequence of frames to arrive strictly in order”.

[1, Pp. 309-10].

The second field in the data frame is the Duration field. This describes how long the frame and its acknowledgements will occupy the channel (measured in microseconds). It’s included in all frames, including control frames [1, P. 310].

The addresses to and from an AP follow the standard IEEE 802 format. The Address 1 is the receiver, Address 2 is the transmitter, Address 3 is the address of the endpoint that originally sent the frame via the AP [1, P. 310].

The Sequence 16-bit field numbers frames so that duplicates can be detected. The first 4 bits identify the fragment, the last 12 contain a number that’s incremented on each transmission [1, P. 310].

The Data field contains the payload. It can be up to 2312 bytes. The first bytes of the payload are for the LLC layer to identify the higher-layer protocol that the data is a part of [1, P. 310].

The final part of the frame is the Frame Check Sequence field, containing a 32-bit CRC for validating the frame [1, P. 310].

“Management frames have the same format as data frames, plus a format for the data portion that varies with the subtype (e.g. parameters in beacon frames)” [1, P. 310].

Control frames contain Frame Control, Duration, and Frame Check Sequence fields, but they might only have one address and no Data section.


802.11 defines a number of services that must be provided by conformant wireless LANs.

Mobile stations use the association service to connect to APs. Usually, the service is used just after a station has moved within range of an AP. When the station is within range, it learns the identity and capabilities of the AP through either beacon frames, or by asking the AP directly. The station sends a request to associate with the AP, which the AP can either accept or reject [1, P. 311].

The reassociation service is used to let a station change its preferred AP. If correctly used, there should be no data loss between the handover. The station or the AP can also disassociate. The station should use this before shutting down [1, P. 311].

Stations should authenticate before sending frames via the AP. Authentication is handled differently depending on the security scheme. If the network is open, anyone can use it. Otherwise credentials are required. WPA2 (WiFi Protected Access 2) is the recommended approach that implements security defined in the 802.11i standard. With WPA2, the AP communicates with an authentication server that “has a username and password database to determine if the station is allowed to access the network”. A password can also be configured (known as a pre-shared key) [1, P. 311].

The distribution service determines how to route frames from the AP. If the destination is local, the frames are sent over the air. If they are not, they are forwarded over the wired network. [1, P. 311]

The integration service handles translation for frames to be sent outside the 802.11 LAN [1, P. 312].

The data delivery service lets stations transmit and receive data using the protocols outlined in this section [1, P. 312].

A privacy service manages encryption and decryption. The encryption algorithm for WPA2 is based on AES (Advanced Encryption Standard). The encryption keys are determined during authentication [1, P. 312].

The QOS traffic scheduling is used to handle traffic with different priorities. It uses the protocols described in The MAC sublayer protocol section [1, P. 312].

“The transmit power control service gives stations the information they need to meet regulatory limits on transmit power that vary from region to region” [1, P. 312].

“The dynamic frequency selection service give stations the information they need to avoid transmitting on frequencies in the 5-GHz band that are being used for radar in the proximity” [1, P. 312].


  1. [1] A. Tanenbaum and D. Wetherall, Computer Networks, 5th ed. 2011.