Beacon Frame Analysis
♣ What is Beacon?
Beacon is an 802.11 broadcast frame sent by AP in a periodic manner.
♣ Who can send Beacon?
As per 802.11 protocol standard only AP is allowed to send Beacon frame. Station cannot send Beacon.
Note: In IBSS network all involved wireless device can send Beacon. But in case of BSS or ESS, only AP is allowed to transmit Beacon.
♣ Why do we need Beacon?
In simple logic, beacon is transmitted to advertise about AP capabilities. Recent Beacon frame also proves that transmitted AP is active at that particular time. Below are other purposes for Beacon
♦ BSS time synchronization.
♦ Update BSS features.
♦ Power save management.
♣ What is Beacon Interval? What is the unit of it?
Beacon Interval (BI) is “At what time interval Beacon frame is sent from AP”.
This unit of BI is TU (Time Units). 1TU = 1024㎲ = 1.024㎳.
In general BI is set to 100TU = 102.4㎳ [We generally call it as 100㎳ but logically it’s not same. Remember it]
♣ Beacon frame field explanation with screenshot:
♦
Note that: There are many fields can be added to Beacon depending on the capabilities of AP. We will try to see the meaning of common important fields for a basic Beacon.
♦
In sniffer generally we can see 3 sections for any 802.11 frame.
A. PHY information [Mainly collected by Wireshark from captured hardware]
B. 802.11 Frame Header.
C. 802.11 Frame Body.
A. PHY information:
Let’s follow the screenshot for understating.
a. Overall Fields:
b. Get BI from MAC timestamp:
c. More on PHY:
B. 802.11 Frame Header:
For more details on each field of 802.11 MAC header, please follow MAC header related post. Here we will point out any specific meaning for Beacon frame.
C. 802.11 Frame Body.
a. Fixed Parameter:
b. Tagged Parameter:
This is just a simple beacon with above information. When AP supports some features that IE gets added in Beacon.
Example:
♦ If AP supports 11n then HT IE elements are added in Beacon.
♦ If AP supports 11ac then VHT IE elements are added in Beacon.
♦ If AP supports 11ax then HE IE elements are added in Beacon.
♦ If AP supports WMM then WMM IE elements are added in Beacon.
♦ If AP supports WMM then WMM IE elements are added in Beacon.
♦ If AP supports security then corresponding security IE elements are added in Beacon.
There are many more.
♣ What is our conclusion from above Beacon?
From above frame analysis we can get one complete picture about AP. Let’s put one line statement and the reason(s) behind that conclusion.
♦ AP supports only 2.4Ghz ::: 2.4GHz spectrum was true/Frequency 2412MHz falls in 2.4Ghz band/Channel was 1/ ERP IE can be added for 2.4GHz AP/Beacon transmitted rate was 1Mbps not 6Mbps (11a).
♦ AP is configured in Channel 1 ::: Channel 1 or Frequency 2412MHz is advertised.
♦ AP is configured in 11bg ::: Supported rates [Including Basic rate] are 1, 2, 5.5 , 11 Mbps [11b Rate]
+
6 to 54 Mbps [11g Rate]
/ Not seen any 11n HT IEs.
♦ AP is in open security ::: …. …. …0 …. = Privacy: AP/STA cannot support WEP
♦ AP is not configured with hidden SSID ::: We can see SSID as ‘b58’
♦ AP’s every beacon is DTIM beacon as DTIM period is 1.
For more details on DTIM.
So, this AP is configured in 2.4GHz 11bg mode Channel 1 with open security.
♥♥ If you have any doubts or query please let me know in comment section or send mail at feedback@wifisharks.com. ♥♥