MAC Frame Resolution and PHY Protocol Type Detection of IEEE 802 . 11

Frame resolution and physical layer (PHY) protocol type detection are the basis of research and development of intrusion prevention systems for IEEE 802.11 wireless network. Aiming at the problems which cannot be solved by the specifications export, this paper proposed a MAC frame analytical method and a PHY protocol type detection algorithm based on parsing the IEEE 802.11packets captured by the library Libpcap. The packet structure and the length of the frame preamble (18 or 26 bytes) are presented. Then the methods of transforming byte-order and resolving sub-fields are given. A detection algorithm of PHY protocol type is proposed based on the experiments and examples are given to verify these methods. This work can be a reference for the R & D related to link layer frame analysis.


Introduction
IEEE 802.11Wireless LAN (WLAN) plays an important role in personal Internet access as well as industrial applications [1] [2] [3] [4], because of its convenient deployment, lower cost and mobility.Compared to the wired network, WLAN is more vulnerable [5] [6] [7].It is very easy to capture and analyze the transmitting message, because the medium of WLAN is shared.Therefore, it is particularly important to research the security technologies for WLAN.
The research on the technology for WLAN security mostly focused on intrusion detection systems [6] [7] [8] [9] [10] in the past, but is still at an initial stage.Mature commercial products are also inadequate.
Real-time monitoring and analysis of the WLAN environment is an effective way to find potential risks, such as vulnerabilities, suspicious devices or behavior.At a WLAN-forbidden location, unauthorized APs and STAs can be detected by the real-time monitoring system to avoid an exposure of the private network.
Capturing and resolving the MAC frames are the technical basis of a real-time monitoring and analysis system, vulnerability scanning system and intrusion detection system for WLAN [6] [7] [8] [9] [10].IEEE 802.11MAC frames are categorized into three types: control frames, management frames, and data frames.Control frames and management frames contain a lot of useful information and are transmitted in plain text.Although the body of data frame is encrypted when a security measure is enabled, the frame header is still in plaintext.Therefore, we can parse the captured MAC frames to get the information and use the appropriate detection algorithm to identify the potential risks in a WLAN.
However, there are some practical problems, for which no literature presents solutions about frame capture and analysis.For example, the length of frame preamble is not the same when different STAs capture MAC frames from a same AP or STA.There are bytes and bits order converting problems when analyzing the captured data.The research of packet capture and analysis focused on the PDU (protocol data unit) encapsulated in TCP or UDP rather than that in link layer frame in the past.
Detection of PHY protocol types is basic content of the WLAN environment analysis and further development.Network managers can analyze the behaviors of APs or STAs on the basis of their real-time PHY protocol type and other information to identify suspicious devices in a WLAN.
However, the specification of some information elements in the standard is not detailed enough, so the detection algorithm of PHY protocol types cannot be designed based on the standard.And, no literature proposes the detection algorithm.
Aiming at the problems above, this paper proposes a MAC frame resolution method and a PHY protocol type detection algorithm of IEEE 802.11, on the basis of a large number of experiments for frame capturing and analyzing.The packet capturing is based on the library of Linux Libpcap.

Structure of Captured Data and Length of Frame Preamble
The length of frame preamble is not the same when different STAs capture MAC frames from a same AP or STA.The captured data are represented by the structure shown in Figure 1.The MAC frame consists of a header, a body and the FCS.The frame preamble is related to network interface card.
There are two kinds of length of the frame preamble.One is 26 bytes and the other is 18 bytes.The length can be calculated from the value of third byte of the captured data.An example of the captured binary data of a beacon frame is shown in Figure 2. The third byte of the example shown in Figure 2 is 0x1A, which indicates that the frame preamble is 26 bytes.If the third byte of the captured data is 0 × 12, it represents that the frame preamble is 18 bytes (shown in Figures 9-13).

Method of Frame Resolution
To analyze the information contained in the frame, we need to identify the value         in each field.The frame resolution must be corresponding to the frame format.
The information for security detection comes mainly from management frames.This section will illustrate an analytical method of IEEE 802.11MAC Frame in three examples, which are adopting this method in analyzing1) a management frame's header, 2) Control Frame field of the management frame and 3) Control Sequence field of the management frame.Their structures are shown in Figures 3-5 respectively [11].The information contained in these fields is the most basic information for analyzing 802.11 wireless network environment.This informa-     A multi byte numeric field needs to be converted from the network order to host order when parsing a captured packet.The sub-fields of a numeric field need to be reversely picked up from the binary value after the order converting, i.e. the last sub-field is picked up at first from the highest bit of the binary value.A non-numeric field, such as address, and its sub-fields, if existing, can be sequentially obtained from the captured data.This solution is illustrated with the data shown in Figure 2.
The 24-byte data, which starts from 27th byte of the data shown in Figure 2, is the header of the beacon frame.Value of the fields in the beacon frame header after parsing the captured data is shown in Table 1.The host byte order of a multi byte numeric field is different from its network byte order in Linux, so that the byte order of Frame Control, Duration and Sequence Control is reversed if compared to that of captured data.
The value of Frame Control filed in above example is 0x0080, which is 0000000010000000 in binary.According to resolving method for sub-field in the Frame Control shown in Figure 4, the results are drawn in Table 2.
According to the standard [11], this is a management frame (Type = 00), of which the body is a beacon frame body (Subtype = 1000).
Applying the same method, we can get two subfields' value for Sequence Control shown in Table 3.

The Information Elements and Detection Algorithm for PHY Protocols
The commonly used WLAN PHY protocols are IEEE 802.11a, b, g and n.In order to analyze the type of protocol from the captured data, the information ele- ments in the frame body need to be analyzed after parsing the content of beacon frame as described in previous sections.
The format of beacon frame body is shown in Figure 6  The information elements used by the PHY protocol type have not been explicitly defined in the standard.This can lead to confusion when designing a de-tecting algorithm.So first list several possible information elements, such as ERP element and HT Capability element, based on the standard.Then during the experiments, use the aforementioned analytical method to analyse the captured beacon frame.
The results of information elements contained in the beacon frame body received from different PHY protocol APs are shown in Table 4. Notice that the structure of the captured frame header is consistent with the format defined in IEEE Std802.11-2007.Information element of HT Capabilities is fully defined in IEEE Std802.11-2012while its element ID is reserved in IEEE Std802.11-2007.According to Table 4, the detection algorithm of the PHY protocol types is shown in Figure 8.

NIC Working Frequency Acquisition Method
The algorithm shown in Figure 8 needs to obtain working frequency of NIC (Network Interface Card).During the experiment, we find that if the length of frame preamble in captured data is 26 bytes, the frequency value of NIC is located in 19th and 20th byte of data.If the length of frame preamble in captured data is 18bytes, the frequency value of NIC is located in 11th and 12th byte of data.Using the analytical method in Section 2.2, we can get the working frequency of NIC.The specific examples are shown in Section 4.

Case Study
The effectiveness of the proposed methods can be verified through the following examples.Testing environment consists of a dual-band supported AP and a STA which are installed with the frame capturing program.The operating system of STA is Linux.The experiment AP is set to different PHY protocols.Launch the frame capturing program on STA and let it last for 5 minutes to get a certain number of frames.When obtaining a sufficient number of frames, stop the frame capturing program.Analyze the captured beacon frames according to the analysis method in section 2.2 and algorithm shown in Figure 8.

IEEE 802.11b
Set the PHY protocol of AP to IEEE 802.11b.The captured data of a beacon frame are shown in Figure 9.We find that HT Capabilities information element and ERP information element do not exist.The octets containing the working frequency are 6C 09.Shaded area in the figure shows the location of the working frequency octets.According to the previous frame resolution method, the frequency value is 0x096C, which is 2412 MHz in decimal, that is, the working frequency of AP is on the 2.4 GHz band.According to the algorithm shown in Figure 8, the PHY protocol of the AP is IEEE 802.11b, consistent with the preset.

IEEE 802.11a
Set the PHY protocol of AP to IEEE 802.11a.The captured data of a beacon

Conclusions
Capturing and resolving the MAC frames are the technical basis of kinds of security systems for IEEE 802.11 wireless network.Real-time detection of PHY protocol types of APs or STAs can help network manager to analyse the WLAN environment to identify suspicious devices.However, their solutions cannot be exported by the specifications due to different implementations and specifications not detailed enough.Also, no literature presents the related solutions, which might be due the research of packet capture and analysis focused on the PDU encapsulated in TCP or UDP rather than that in link layer frame in the past.
This paper proposed an analytical method for IEEE 802.11MAC frame and an algorithm for detecting PHY protocol types.The proposed method is based on analysing a large amount of captured MAC frames, and proved in an intrusion prevention system for WLAN.The detection algorithm of PHY protocols is easy to implement.The proposed ideas can not only be a reference for the research and development based on IEEE 802.11Link Layer frame analysis, but also for capture and analysis of industrial protocol frames which are directly encapsulated in link layer frames, such as SV or GOOSE message in Smart Substation communications according to IEC 61850.That is, this work is also helpful for the research and development of testing and analysis systems for industrial devices, of which application PDUs are encapsulated in link layer frames.
We will research the relationship between the length of frame preamble and NIC.The data structure of frame preamble could also be further analysed.The detection method of the newest PHY standard IEEE 802.11ac, single mode and mixed mode of PHY protocol could be further explored etc.

Figure 1 .
Figure 1.Structure of the captured data.

Figure 2 .
Figure 2. A captured beacon frame data.

Figure 7 .
Figure 7. Common general format of information element.

Figure 9 .
Figure 9.The captured data of a beacon frame from an AP set into IEEE 802.11b.

Figure 10 .
Figure 10.The captured data of a beacon frame from an AP set into IEEE 802.11a.

Figure 11 .
Figure 11.The captured data of a beacon frame from an AP set into IEEE 802.11b/g.

Figure 12 .
Figure 12.The captured data of a beacon frame from an AP set into IEEE802.11a/n.

Figure 13 .
Figure 13.The captured data of a beacon frame from an AP set into IEEE 802.11b/g/n.
[13].There are two types of components in management frame body: 1) Fixed-length field, such as Timestamp; 2) Variable-length field, called Information Element (IE), such as SSID.The common general format of an information element is shown in Figure 7 [11].Each element is assigned to a unique Element ID as defined in IEEE 802.11 standard to indicate its function.The Length field specifies the number of octets in the Information field.The Information field is variable-length and element-specific [11] [12].

Table 1 .
Value of each field in beacon frame header.

Table 2 .
Value of each subfield in Frame Control.

Table 3 .
Value of each subfield in Sequence Control.