Address fields are present in the MAC header of 802.11 frames. A frame may contain 4 address fields.
Address fields are 6 octets in length. Address fields are used to indicate Source, Transmitter, Destination, Receiver and BSSID. The address could be a unicast, multicast or broadcast address.
Isn't "Source" same as "Transmitter"? Isn't "Destination" same as "Receiver"?.
It depends on the type of frames. They could be same (e.g. in Management frames) or different (in Data frames).
The above diagram illustrates the difference between various addresses.
No, they are not. Only Address1 is mandatory. For e.g, CTS frame only has Address1. The remaining fields are filled based on the the frame.
How is each field used?
Address fields are used based on the type of frames: Control, Management and Data.
The Address fields in Data frames are based on the direction of the frame: "To DS" or "From DS".
Note: In case of A-MSDU, SA and DA are part of A-MSDU sub-headers. BSSID is filled in Address3 and Address4 instead of SA and DA.
Address Fields in Sniffer logs
Lets looks at some sniffer traces and examine the address fields.
Address fields are 6 octets in length. Address fields are used to indicate Source, Transmitter, Destination, Receiver and BSSID. The address could be a unicast, multicast or broadcast address.
Isn't "Source" same as "Transmitter"? Isn't "Destination" same as "Receiver"?.
It depends on the type of frames. They could be same (e.g. in Management frames) or different (in Data frames).
The above diagram illustrates the difference between various addresses.
- SA(Source Address): Source of the data (MSDU) --> STA1
- TA(Transmitter Address) : STA that transmitted the frame --> STA1, AP1, AP2
- RA(Receiver Address) : Immediate recipient of the frame --> AP1, AP2, STA2
- DA(Destination Address) : Final recipient of the data (MSDU) --> STA2
- BSSID (Basic Service Set IDentifier) : Unique identifier of the BSS, e.g, the MAC address of the AP in an infrastructure network --> AP1, AP2
No, they are not. Only Address1 is mandatory. For e.g, CTS frame only has Address1. The remaining fields are filled based on the the frame.
How is each field used?
Address fields are used based on the type of frames: Control, Management and Data.
Control Frames
|
Management Frames
|
Data Frames
|
|
Address1
|
RA
|
RA
|
RA
|
Address2
|
TA(not all)
|
TA
|
TA
|
Address3
|
Not used
|
BSSID
|
BSSID or SA or DA
|
Address4
|
Not used
|
Not used
|
BSSID or SA
|
The Address fields in Data frames are based on the direction of the frame: "To DS" or "From DS".
- "To DS": Set to 1 in all data frames sent from STA to AP
- "From DS": Set to 1 in call data frames sent from AP to STA
- Both "To DS" and "From DS" may be set to 1 if the frame is being relayed between APs.
To DS
|
From DS
|
Address 3
|
Address 4
|
0
|
0
|
BSSID
|
Not used
|
0
|
1
|
SA
|
Not used
|
1
|
0
|
DA
|
Not used
|
1
|
1
|
DA
|
SA
|
Note: In case of A-MSDU, SA and DA are part of A-MSDU sub-headers. BSSID is filled in Address3 and Address4 instead of SA and DA.
Address Fields in Sniffer logs
