Introduction

If you have purchased this book or if you are thinking about purchasing this book, you probably have some interest in taking the Certified Wireless Analysis Professional (CWAP) certification exam or in learning more about what the CWAP certification exam is about. We would like to congratulate you on this next step in the wireless certification process, and we hope that this book can help you on your journey. Wireless networking is one of the hottest technologies on the market. As with many fast-growing technologies, the demand for knowledgeable people is often greater than the supply. The CWAP certification is one way to prove that you have the knowledge and skills to support this growing industry. This Study Guide was written with that goal in mind.

This book was written to help teach you about analyzing wireless networking so that you have the knowledge needed not only to pass the CWAP certification test but also to support and troubleshoot wireless networks. We have included review questions at the end of each chapter to help you test your knowledge and prepare for the test. We have also included labs, white papers, videos, and presentations on the CD to further facilitate your learning.

Before we tell you about the certification process and requirements, we must mention that this information may have changed by the time you are taking your test. We recommend you visit www.cwnp.com as you prepare to study for your test to determine what the current objectives and requirements are.

Do not just study the questions and answers! The practice questions in this book are designed to test your knowledge of a concept or objective that is likely to be on the CWAP exam. The practice questions will be different from the actual certification questions. If you learn and understand the topics and objectives, you will be better prepared for the test.

About CWAP and CWNP

If you have ever prepared to take a certification test for a technology that you are unfamiliar with, you know that you are not only studying to learn a different technology but probably also learning about an industry that you are unfamiliar with. Read on, and we will tell you about CWNP.

CWNP is an abbreviation for Certified Wireless Network Professional. There is no CWNP test. The CWNP program develops courseware and certification exams for wireless LAN technologies in the computer networking industry. The CWNP certification program is a vendor-neutral program.

The objective of CWNP is to certify people on wireless networking, not on a specific vendor’s product. Yes, at times the authors of this book and the creators of the certification will talk about, demonstrate, or even teach how to use a specific product; however, the goal is the overall understanding of wireless, not the product itself. If you learned to drive a car, you had to physically sit and practice in one. When you think back and reminisce, you probably do not tell someone you learned to drive a Ford; you probably say you learned to drive using a Ford.

There are seven wireless certifications offered by the CWNP program:

CWTS: Certified Wireless Technology Specialist. The CWTS certification is an entry-level enterprise WLAN certification and a recommended prerequisite for the CWNA certification. This certification is geared specifically toward WLAN sales professionals, project managers, networkers, and support staff who are new to enterprise Wi-Fi.

CWNA: Certified Wireless Network Administrator. The CWNA certification is a foundation-level Wi-Fi certification; however, it is not considered an entry-level technology certification. Individuals taking this exam (exam PW0-104) typically have a solid grasp on network basics such as the OSI model, IP addressing, PC hardware, and network operating systems. Many candidates already hold other industry-recognized certifications, such as the CompTIA Network+ or Cisco CCNA, and are looking for the CWNA certification to enhance or complement existing skills.

CWSP: Certified Wireless Security Professional. The CWSP certification exam (PW0-200) is focused on standards-based wireless security protocols, security policy, and secure wireless network design. This certification introduces candidates to many of the technologies and techniques that intruders use to compromise wireless networks and that administrators use to protect wireless networks. With recent advances in wireless security, WLANs can be secured beyond their wired counterparts.

CWDP: Certified Wireless Design Professional. The CWDP certification exam (PW0-250) is a professional-level career certification for networkers who are already CWNA certified and have a thorough understanding of RF technologies and applications of 802.11 networks. This certification prepares WLAN professionals to properly design wireless LANs for different applications to perform optimally in different environments.

CWAP: Certified Wireless Analysis Professional. The CWAP certification exam (PW0-270) is a professional-level career certification for networkers who are already CWNA certified and have a thorough understanding of RF technologies and applications of 802.11 networks. This certification prepares WLAN professionals to be able to perform, interpret, and understand wireless packet and spectrum analysis.

CWNE: Certified Wireless Network Expert. The CWNE certification is the highest-level certification in the CWNP program. By successfully completing the CWNE requirements, you will have demonstrated that you have the most advanced skills available in today’s wireless LAN market. The CWNE exam (PW0-300) focuses on advanced WLAN analysis, design, troubleshooting, QoS mechanisms, spectrum management, and extensive knowledge of the IEEE 802.11 standard as amended.

CWNT: Certified Wireless Network Trainer. Certified Wireless Network Trainers are qualified instructors certified by the CWNP program to deliver CWNP training courses to IT professionals. CWNTs are technical and instructional experts in wireless technologies, products, and solutions. To ensure a superior learning experience for customers, CWNP Education Partners are required to use CWNTs when delivering training using official CWNP courseware.

How to Become a CWAP

To become a CWAP, you must do the following three things: agree that you have read and will abide by the terms and conditions of the CWNP confidentiality agreement, pass the CWNA certification test, and pass the CWAP certification test.

You can find a copy of the CWNP confidentiality agreement online at the CWNP website.

When you sit to take the test, you will be required to accept this confidentiality agreement before you can continue with the test. After you have agreed, you will be able to continue with the test, and if you pass the test, you are then a CWAP.

The information for the exam is as follows:

  • Exam name: Wireless Analysis Professional
  • Exam number: PW0-270
  • Cost: $225 (in U.S. dollars)
  • Duration: 120 minutes
  • Questions: 60
  • Question types: Multiple choice/multiple answer
  • Passing score: 70 percent (80 percent for instructors)
  • Available languages: English
  • Availability: Register at Pearson VUE (www.vue.com/cwnp)

When you schedule the exam, you will receive instructions regarding appointment and cancellation procedures, ID requirements, and information about the testing center location. In addition, you will receive a registration and payment confirmation letter. Exams can be scheduled weeks in advance or, in some cases, even as late as the same day.

After you have successfully passed the CWNA and CWAP exams, the CWNP program will award you a certification that is good for three years. To recertify, you will need to pass the current PW0-270 exam. If the information you provided the testing center is correct, you will receive an email from CWNP recognizing your accomplishment and providing you with a CWNP certification number. After you earn any CWNP certification, you can request a certification kit. The kit includes a congratulatory letter, a certificate, and a wallet-sized personalized ID card. You will need to log in to the CWNP tracking system, verify your contact information, and request your certification kit.

Who Should Buy This Book?

If you want to acquire a solid foundation in wireless analysis and your goal is to prepare for the exam, this book is for you. You will find clear explanations of the concepts you need to grasp and plenty of help to achieve the high level of professional competency you need in order to succeed.

If you want to become certified as a CWAP, this book is definitely what you need. However, if you just want to attempt to pass the exam without really understanding wireless, this Study Guide is not for you. It is written for people who want to acquire hands-on skills and in-depth knowledge of wireless networking.

How to Use This Book and the CD

We have included several testing features in the book and on the CD-ROM. These tools will help you retain vital exam content as well as prepare you to sit for the actual exam.

Before You Begin. At the beginning of the book (right after this introduction) is an assessment test that you can use to check your readiness for the exam. Take this test before you start reading the book; it will help you determine the areas you may need to brush up on. The answers to the assessment test appear on a separate page after the last question of the test. Each answer includes an explanation and a note telling you the chapter in which the material appears.

Chapter Review Questions. To test your knowledge as you progress through the book, there are review questions at the end of each chapter. As you finish each chapter, answer the review questions and then check your answers; the correct answers appear on the page following the last review question. You can go back and reread the section that deals with each question you answered wrong to ensure that you answer correctly the next time you are tested on the material.

Electronic Flashcards. You will find flashcard questions on the CD for on-the-go review. These are short questions and answers, just like the flashcards you probably used in school. You can answer them on your PC or download them onto a handheld device for quick and convenient reviewing.

Test Engine. The CD also contains the Sybex Test Engine. With this custom test engine, you can identify weak areas up front and then develop a solid studying strategy that includes each of the robust testing features described previously. The thorough readme file will walk you through the quick, easy installation process.

In addition to the assessment test and the chapter review questions, you will find three bonus exams. Use the test engine to take these practice exams just as if you were taking the actual exam (without any reference material). When you have finished the first exam, move on to the next one to solidify your test-taking skills. If you get more than 95 percent of the answers correct, you are ready to take the certification exam.

Labs and Exercises. Several chapters in this book have labs that use software, spreadsheets, and videos that are also provided on the CD-ROM that is included with this book. These labs and exercises will provide you with a broader learning experience by providing hands-on experience and step-by-step problem solving.

Exam Objectives

The CWAP exam measures your understanding of the fundamentals of RF behavior, your ability to describe the features and functions of wireless LAN components, and your knowledge of the skills needed to install, configure, and troubleshoot wireless LAN hardware peripherals and protocols.

The skills and knowledge measured by this examination were derived from a survey of wireless networking experts and professionals. The results of this survey were used in weighing the subject areas and ensuring that the weighting is representative of the relative importance of the content.

The following chart provides the breakdown of the exam, showing you the weight of each section:

Subject Area                                                  % of Exam
802.11 Physical (PHY) Layer Frame Formats and Technologies    5%
802.11 MAC Layer Frame Formats and Technologies               20%
802.11 Operation and Frame Exchanges                          40%
Spectrum Analysis and Troubleshooting                         15%
Protocol Analysis and Troubleshooting                         20%
Total                                                         100%

802.11 Physical (PHY) Layer Frame Formats and Technologies: 5%

1.1 Understand the importance of each sublayer of the PHY Layer and differentiate between their functions:

1.1.1. PMD

1.1.2. PLCP

1.2 Describe PHY Layer terminology and understand PHY concepts found in the 802.11-2007 standard (as amended):

1.2.1. PSDU

1.2.2. PPDU

1.2.3. Header

1.2.4. Preambles

1.2.5. Frame Formatting

1.2.6. Frame Transmission

1.2.7. CCA

1.2.8. Subcarriers

1.2.9. Guard Intervals

1.2.10. Operating channels and channel widths

1.2.11. Modulation and Coding

1.2.12. Training Fields

1.3 Identify the frame format(s) of the PPDU for each PHY specification and specify the meaning of and purpose for its contents:

1.3.1. PLCP Preamble

1.3.2. PLCP Header

1.3.3. DATA Field

1.4 Describe PHY-specific operations and parameters for each of the following 802.11 PHY specifications:

1.4.1. Clause 15 – DSSS

1.4.2. Clause 17 – OFDM

1.4.3. Clause 18 – HR/DSSS

1.4.4. Clause 19 – ERP

1.4.5. Clause 20 – HT

1.5 Understand the function of the primitives used for communication between the PMD and PLCP as well as the PLCP and MAC.

1.6 Demonstrate a detailed knowledge of PHY enhancements introduced by 802.11n:

1.6.1. 40 MHz channels

1.6.2. Additional subcarriers

1.6.3. Short Guard Intervals

1.6.4. Modulation rates

1.6.5. Antenna Selection

802.11 MAC Layer Frame Formats and Technologies: 20%

2.1 Describe MAC Layer terminology and concepts found in the 802.11-2007 standard (as amended):

2.1.1. MSDU

2.1.2. MPDU

2.1.3. A-MSDU

2.1.4. A-MPDU

2.1.5. Header

2.1.6. Trailer

2.1.7. Frame Formatting

2.1.8. Fixed Fields

2.1.9. Subfields

2.1.10. Information Element

2.1.11. Information Field

2.2 Compare and contrast the intended purposes of each 802.11 MAC layer frame type:

2.2.1. Control frame types and subtypes

2.2.2. Management frame types and subtypes, including Action frames

2.2.3. Data frame types and subtypes

2.3 Illustrate the general frame format structure for all frame types.

2.4 Understand and identify the specific frame format structure for each 802.11 MAC layer frame type and subtype:

2.4.1. Header fields and subfields

2.4.2. Information elements (IEs) and Information fields

2.4.3. Frame sizes and data rates

2.4.4. Frame body (payload) contents and sizes

802.11 Operation and Frame Exchanges: 40%

3.1 Identify and explain operational methods, modes, and technologies specific to each PHY, including a considerable emphasis on 802.11n enhancements:

3.1.1. SISO and MIMO

3.1.2. Transmit Beamforming

3.1.3. Spatial Multiplexing

3.1.4. Frame Aggregation

3.1.5. Block Acknowledgements

3.1.6. Space-Time Block Coding (STBC)

3.1.7. Cyclic Shift Diversity

3.2 Explain basic transmit and receive PHY operations.

3.3 Understand and illustrate the technologies related to 802.11 contention:

3.3.1. Demonstrate the use of CSMA/CA operations in 802.11 WLANs.

3.3.2. Explain the processes used for arbitration by DCF and HCF (i.e. EDCA) access methods.

3.3.3. Define Physical Carrier Sense (CCA), understand how it works, and differentiate between its two functional methods:

  • Energy Detect
  • Carrier Sense

3.3.4. Explain the purpose and detailed functionality of Virtual Carrier Sense (NAV).

3.3.5. Explain how Interframe Spacing (IFS) works, why it is used, and when each of the following IFS are used:

  • SIFS
  • PIFS
  • DIFS
  • EIFS
  • AIFS
  • RIFS

3.3.6. Describe the purpose, functionality, and selection of Contention Windows.

3.3.7. Describe how the Backoff Timer works and why it is used.

3.3.8. Define a Slot Time, calculate its value for each PHY specification, and understand how it is used.

3.3.9. Identify standards-based and non-standard methods used to manipulate 802.11 contention using EDCA Parameter Sets.

3.4 Illustrate the frame exchange processes involved in the following for both a QoS BSS and non-QoS BSS:

3.4.1. Active and Passive Scanning

3.4.2. Authentication, Association, and Reassociation

3.4.3. Disassociation and Deauthentication

3.4.4. Roaming within an ESS

3.4.5. Acknowledgements and Block Acknowledgements

3.4.6. Data frame forwarding

3.4.7. Data frame aggregation

3.4.8. Rate Selection

  • Multirate support
  • Basic rates
  • Dynamic rate switching
  • Modulation and Coding Schemes (MCSs)

3.5 Identify and illustrate the operation and frame exchange processes involved in 802.11 security:

3.5.1. 802.11 Authentication and Association

3.5.2. WEP

3.5.3. Shared Key Authentication

3.5.4. WPA-Personal and WPA2-Personal as described in 802.11-2007, Clause 8

3.5.5. 802.1X/EAP

3.5.6. 4-Way Handshake

3.5.7. Group Key Handshake

3.5.8. Robust Security Networks

3.5.9. 802.11n security requirements

3.5.10. 802.11w Protected Management Frames

3.5.11. WIPS rogue containment

3.6 Describe the methods and frame exchange processes used in 802.11 Fast/Secure Roaming within an RSN ESS:

3.6.1. Preauthentication

3.6.2. PMK Caching

3.6.3. Opportunistic Key Caching (OKC)

3.6.4. 802.11r Fast BSS Transition (FT)

  • FT Initial Mobility Domain Association
  • Over-the-Air Fast BSS Transition
  • Over-the-DS Fast BSS Transition

3.6.5. Understand the basic functionality of common proprietary roaming mechanisms.

3.7 Understand and illustrate the following, related to 802.11 power management:

3.7.1. Understand how Active mode works as a basic 802.11 process.

3.7.2. Describe the processes and features of Legacy Power Save mode.

3.7.3. Illustrate a detailed knowledge of WMM Power Save and Unscheduled-Automatic Power Save Delivery (U-APSD), including:

  • Effect on mobile device battery life and user experience
  • Relationship with WMM QoS
  • Power save behavior negotiation during association
  • WMM AC transmit queue configuration using WMM-PS and legacy power save
  • WMM-PS client initiation of queued data retrieval from QoS APs
  • Downlink data frame transmission during an EDCA TXOP
  • Application layer time sync functionality
  • U-APSD/WMM operation
  • The role of applications in specifying power save behavior

3.7.4. Identify and define the following terms and concepts related to 802.11 power management:

  • APSD
  • U-APSD
  • S-APSD
  • TIM
  • DTIM
  • ATIM
  • AID

3.7.5. Demonstrate a thorough knowledge of 802.11n power save mechanisms, including:

  • Power Save Multi-Poll (PSMP)
  • Spatial Multiplexing Power Save (SMPS)

3.7.6. Compare and contrast each power save method, demonstrating a detailed knowledge of the following:

  • Benefits and/or drawbacks of each, including efficiency and flexibility
  • Operational differences between each process
  • WMM-PS and Legacy Power-Save client compatibility and coexistence in a QoS BSS

3.8 Understand and explain the following, as related to 802.11 protection mechanisms:

3.8.1. Explain the frames and frame exchange processes included in mixed mode PHY environments.

3.8.2. Illustrate the operation of RTS/CTS and CTS-to-Self protection.

3.8.3. Describe the operation and uses for HT protection modes including:

  • Mode 0 – Pure HT
  • Mode 1 – HT non-Member Protection
  • Mode 2 – HT 20 MHz Protection
  • Mode 3 – non-HT Mixed Mode

3.8.4. Demonstrate an understanding of the functionality of HT protection/coexistence mechanisms and modes including:

  • Dual-CTS
  • L-Sig TXOP Protection
  • Phased Coexistence Operation (PCO)
  • 40 MHz Intolerant

3.8.5. Compare and contrast each type of protection mechanism and understand the benefits, drawbacks, and purpose for each.

3.9 Demonstrate a detailed understanding of the Wi-Fi Multimedia® (WMM®) certifications and QoS concepts, including the following:

3.9.1. Explain the terminology, purpose, and functionality of the WMM® certifications and how they relate to 802.11 QoS features:

  • Use of Access Categories and User Priorities
  • IEEE 802.1Q priority and DSCP tagging
  • Relationship to 802.11 QoS features

3.9.2. Define QoS terminology and describe functionality relating to entities and coordination functions of QoS-enabled 802.11 networks:

  • Quality of Service Station (QoS STA) and non-QoS STA
  • Quality of Service Basic Service Set (QoS BSS) and non-QoS BSS
  • Quality of Service Access Point (QoS AP) and non-QoS AP
  • Service Period (SP), Scheduled Service Period, Unscheduled Service Period, and Service Interval (SI)
  • Enhanced Distributed Channel Access (EDCA)
  • Block Ack Procedures
  • Controlled Access Phase (CAP)

3.9.3. Define 802.11 terminology relating to QoS features of QoS-enabled 802.11 networks:

  • Access Category (AC)
  • Traffic Specification (TSPEC)
  • Traffic Classification (TCLAS)
  • Differentiated Services Code Point (DSCP)
  • Admission Control
  • Automatic Power Save Delivery (APSD)
  • Traffic Category (TC)
  • User Priority (UP)
  • Traffic Stream (TS)
  • Traffic Identifier (TID)
  • Traffic Stream Identifier (TSID)
  • Transmission Opportunity (TXOP)
  • TXOP Holder

3.9.4. Illustrate the use of end-to-end QoS in an enterprise network.

3.10 Describe mechanisms related to spectrum and transmit power management:

  • Transmit Power Control (TPC) procedures and frame exchanges
  • Dynamic Frequency Selection (DFS) procedures and frame exchanges

3.11 Define terms and concepts and illustrate procedures related to 802.11s mesh networks:

3.11.1. Mesh BSS

3.11.2. Mesh Coordination Function (MCF)

3.11.3. Simultaneous Authentication of Equals (SAE)

3.11.4. Abbreviated Handshake

3.12 Understand the basic differences between the frame exchange processes in a BSS and an IBSS.

Spectrum Analysis and Troubleshooting: 15%

4.1 Demonstrate appropriate use, features, and configuration of professional spectrum analysis tools, including the following:

4.1.1. Locate and identify RF sources

4.1.2. Interpret and quantify the results of a spectrum analyzer trace

4.1.3. Analyzer bandwidth resolution

4.1.4. Comparison of spectrum analyzer types

  • Purpose-built spectrum analyzer chipsets
  • Wi-Fi chipsets with spectrum capabilities

4.2 Identify common RF device signatures, their operating frequencies, behaviors, and impact on WLAN operations:

4.2.1. 802.11 PHYs

4.2.2. Microwave ovens

4.2.3. Analog transmitters (video, voice, etc.)

4.2.4. Cordless phones

4.2.5. Bluetooth and other frequency hopping devices

4.2.6. Baby monitors

4.2.7. Signal generators and antenna test tools

4.2.8. Telemetry and other healthcare RF devices

4.2.9. Radar

4.2.10. RF-producing lighting systems

4.3 Define and describe common terms and concepts related to RF spectrum analysis:

4.3.1. Signal strength

4.3.2. SNR

4.3.3. Channel utilization

4.3.4. Duty cycle

4.3.5. Sweep cycles

4.3.6. Narrow band interference

4.3.7. Wide band interference

4.3.8. Resolution Bandwidth

4.4 Identify the purpose and illustrate proper interpretation of common types of spectrum measurement:

4.4.1. Swept Spectrograph

4.4.2. Real Time FFT

4.4.3. Utilization

4.4.4. Duty Cycle

4.5 Describe the features, purpose, and deployment strategies of distributed spectrum analyzers.

4.6 Demonstrate effective use of spectrum analyzers for network troubleshooting.

Protocol Analysis and Troubleshooting: 20%

5.1 Demonstrate appropriate application, configuration, and basic use of an 802.11 protocol analyzer:

5.1.1. Install and configure an 802.11 protocol analyzer:

  • Channel selection, scanning, or multichannel support
  • Define and enable appropriate filters

5.1.2. Performance optimization

5.1.3. Advanced troubleshooting

5.1.4. Security protocol and intrusion analysis

5.2 Describe features common to most 802.11 protocol analyzers:

5.2.1. Protocol decodes

5.2.2. Peer map functions

5.2.3. Conversation analysis

5.2.4. Filtering: capture and display

5.2.5. Expert functions

5.3 Demonstrate expert-level network troubleshooting using an 802.11 protocol analyzer:

5.3.1. Understand the sequence of events for expected network behavior and identify aberrations.

5.3.2. Understand the 802.11 WLAN frame structure and fields, and apply this knowledge to protocol analysis.

5.3.3. Perform event correlation.

5.3.4. Interpret and identify frame exchange processes.

5.3.5. Interpret and understand data presented by a protocol analyzer and apply this knowledge to network troubleshooting.

5.4 Explain the benefits and interpret the results of multiple-channel protocol analysis using multiple adapters and aggregation software.

5.5 Perform roaming and VoWiFi analysis using a protocol analyzer.

5.6 Describe the features, purpose, and deployment strategies of distributed protocol analyzers.

5.7 Demonstrate appropriate use, configuration, and features of wired protocol analyzers for WLAN troubleshooting.

5.8 Perform end-to-end QoS troubleshooting and analysis for WLAN optimization.

5.9 Identify common challenges related to protocol analysis:

5.9.1. PHY compatibility

5.9.2. Roaming analysis

5.9.3. Time synchronization with distributed analysis

5.9.4. Location limitations with laptop-based tools

5.10 Describe the use of syslog messages in troubleshooting network problems.

5.11 Identify common client problems and use client logs and statistics to resolve connectivity problems.

CWAP Exam Terminology

The CWNP program uses specific terminology when phrasing the questions on any of the CWNP exams. The terminology used most often mirrors the same language that is used in the IEEE 802.11-2007 standard. Although technically correct, the terminology used in the exam questions often is not the same as the marketing terminology that is used by the Wi-Fi Alliance. The most current IEEE version of the 802.11 standard is the IEEE 802.11-2007 document, which includes all the amendments that have been ratified prior to the document’s publication. Standards bodies such as the IEEE often create several amendments to a standard before “rolling up” the ratified amendments (finalized or approved versions) into a new standard.

For example, you might already be familiar with the term 802.11g, which is a ratified amendment that has now been integrated into the IEEE 802.11-2007 standard. The technology that was originally defined by the 802.11g amendment is called Extended Rate Physical (ERP). Although the name 802.11g effectively remains the more commonly used marketing terminology, any exam questions will use the technical term ERP instead of 802.11g.

To properly prepare for the CWAP exam, any test candidate should become 100 percent familiar with the terminology used by the CWNP program. This book defines and covers all terminology; however, the CWNP program maintains a current list of exam terms that can be downloaded from www.cwnp.com/exams/cwnp_exam_terms.pdf.

Tips for Taking the CWAP Exam

Here are some general tips for taking your exam successfully:

  • Bring two forms of ID with you. One must be a photo ID, such as a driver’s license. The other can be a major credit card or a passport. Both forms must include a signature.
  • Arrive early at the exam center so you can relax and review your study materials, particularly tables and lists of exam-related information.
  • Read the questions carefully. Do not be tempted to jump to an early conclusion. Make sure you know exactly what the question is asking.
  • There will be questions with multiple correct responses. When there is more than one correct answer, a message at the bottom of the screen will prompt you to either “choose two” or “choose all that apply.” Be sure to read the messages displayed to know how many correct answers you must choose.
  • When answering multiple-choice questions you are not sure about, use a process of elimination to get rid of the obviously incorrect answers first. Doing so will improve your odds if you need to make an educated guess.
  • Do not spend too much time on one question. This is a form-based test; however, you cannot move backward through the exam. You must answer the current question before you can move to the next question, and after you have moved to the next question, you cannot go back and change your answer on a previous question.
  • Keep track of your time. Because this is a 120-minute test consisting of 60 questions, you have an average of 2 minutes to answer each question. You can spend as much or as little time on any one question, but when 120 minutes is up, the test is over. Check your progress. After 60 minutes, you should have answered at least 30 questions. If you have not, do not panic. You will simply need to answer the remaining questions at a faster pace. If on average you can answer each of the remaining 30 questions 4 seconds quicker, you will recover 2 minutes. Again, do not panic; just pace yourself.
  • For the latest pricing on the exams and updates to the registration procedures, visit CWNP’s website at www.cwnp.com.

Assessment Test

1. Which of the following are two terms that effectively describe the same item? (Choose two.)

A. PPDU

B. PSDU

C. PLCP

D. MPDU

E. MSDU

2. When a packet is passed down from the Network layer to the Data-Link layer for transmission, what is the default maximum size of the MSDU?

A. 2,308 bytes

B. 1,500 bytes

C. 1,518 bytes

D. 2,304 bytes

E. 2,346 bytes

3. A client STA is part of a BSS and is building an 802.11 frame to be transmitted to another client STA in the same BSS. When this frame is created and transmitted to the AP, how many address fields will it contain?

A. 2

B. 3

C. 4

D. The number of address fields cannot be determined. The number of fields will depend upon the network address of the final destination.

4. What data rate and modulation can be used to transmit the Short PLCP Header?

A. 6 Mbps, BPSK

B. 12 Mbps, QPSK

C. 1 Mbps, DBPSK

D. 2 Mbps, DQPSK

E. 24 Mbps, 16-QAM

5. Although clause 19 devices support data rates of 6, 9, 12, 18, 24, 36, 48, and 54 Mbps, the standard requires them to support only three data rates. What are those three rates? (Choose three.)

A. 6

B. 9

C. 12

D. 18

E. 24

F. 36

6. Layer 2 retransmissions occur when frames become corrupted. What are some of the causes of layer 2 retries? (Choose all that apply.)

A. Multipath

B. Low SNR

C. Co-channel interference

D. RF interference

E. Adjacent cell interference

7. How many different protocol versions of 802.11 technology are currently defined by the IEEE?

A. One

B. Two

C. Three

D. Four

E. Many different protocols

8. Name the process by which 802.11 stations dynamically adjust their power level.

A. DFS

B. TPC

C. BSS

D. CFB

9. What is the name given to the period during which station traffic benefits from a negotiated QoS level with the AP?

A. Service period

B. Service interval

C. TCLAS service

D. TSPEC service

10. What is the name given to the information element that specifies the details of the type of encryption and authentication in use in a WPA/WPA2-compatible cell?

A. RSN

B. Privacy

C. Cipher

D. Security

11. What is the name of the field that provides information on the number of stations and current load on the AP?

A. BSS Load Element

B. Duty Cycle Element

C. Station Count Element

D. ERP Element

12. What is the name of the element used by APs to order stations to stop sending signals?

A. Quiet

B. Deauthentication

C. Power Save

D. DELTS

13. When an RTS frame is transmitted, the Duration value is set to include the duration of which of the following?

A. 3 SIFS, CTS frame, Data frame, ACK frame

B. 2 SIFS, Data frame, ACK frame

C. 3 SIFS, RTS frame, CTS frame, Data frame, ACK frame

D. 2 SIFS, Data frame, ACK frame

14. In which of the following frames does the Duration/ID field contain an AID as opposed to a Duration value?

A. RTS

B. CTS

C. Block ACK Request

D. PS-Poll

E. ACK

15. When an ACK frame is generated, the receiver address (RA) field is copied from which address field of the frame that is being acknowledged?

A. Address1

B. Address2

C. Address3

D. Address4

16. In which of the following unicast scenarios would a non-QoS frame be transmitted instead of a QoS frame? (Choose all that apply.)

A. A non-QoS station transmits a frame to a QoS station.

B. A non-QoS station transmits a frame to a non-QoS station.

C. A QoS station transmits a frame to a QoS station.

D. A QoS station transmits a frame to a non-QoS station.

17. When capturing a packet with the TO DS field set to 1 and the FROM DS field set to 0, what address information does the Address1 field contain? (Choose all that apply.)

A. RA

B. DA

C. TA

D. SA

E. BSSID

18. When A-MPDU is implemented, which of the following is true? (Choose all that apply.)

A. The individual MPDUs within an A-MPDU must all have the same receiver address.

B. The individual MPDUs must all be of the same 802.11e QoS category.

C. A-MPDU requires the use of block acknowledgments.

D. If encryption is enabled, all the MPDUs are encrypted together.

E. The individual MPDUs within an A-MPDU must all have the same receiver address.

19. Name the interframe space that comes from the 802.11e amendment.

A. AIFS

B. DIFS

C. EIFS

D. PIFS

20. What is the name given to the quiet periods that make up the random backoff timer?

A. Slot times

B. Interframe spaces

C. CCA idle periods

D. NAV times

21. What is the name given to the series of frames sent by a QoS AP or station that has won arbitration?

A. CFB

B. MSDU

C. NAV

D. TXOP

22. Which of the following are power management methods specified in 802.11 amendments? (Choose three.)

A. 802.11b Power Save Polling

B. 802.11e Automatic Power Save Delivery

C. 802.11n Power Save Multi-Poll

D. 802.11n Spatial Multiplexing Power Save

23. When a station goes into Power Save mode, which of the following states may a station enter into? (Choose all that apply.)

A. Doze

B. Idle

C. Receive

D. Transmit

24. Which power management method involves the station notifying the AP of its changes from active mode to Power Save mode in order to retrieve buffered unicast frames?

A. Power Save Polling

B. APSD

C. Scheduled PSMP

D. SMPS

25. When Jane visits Aunt Marg’s house and connects to her WEP-encrypted network, what is the maximum size of the MSDU frame?

A. 1500

B. 1512

C. 2304

D. 2312

E. 2320

F. 2324

26. At her office, Rita uses WPA-PSK with TKIP to connect to her corporate network. What is the maximum size of the MSDU frame?

A. 1500

B. 1512

C. 2304

D. 2312

E. 2320

F. 2324

27. WLAN protocol analyzers often display CCMP-encrypted data frames as a TKIP-encrypted data packet because the format of the 8-byte CCMP header is basically identical to the format of the 8-byte TKIP header. The RSN information element will identify which cipher is used. The RSN information element is not found in which of the following frames?

A. Beacon frames

B. Probe response frames

C. Data frames

D. Association request frames

E. Reassociation request frames

28. What is the name of the additional MAC header field defined by the 802.11n amendment?

A. HT Information field

B. HT Control field

C. HT Capabilities field

D. HT Operations field

29. Which of the following is true regarding A-MSDUs?

A. All MSDUs must be of the same QoS access category.

B. The maximum size of an A-MSDU is greater than an A-MPDU.

C. Encryption is applied to each MSDU separately.

D. Only non-AP STAs can use A-MSDUs.

30. The Transmit Beamforming Capabilities field is part of which information element?

A. HT information element

B. HT 20/40 BSS Coexistence element

C. HT Operation element

D. HT Capabilities element

31. When purchasing a spectrum analyzer, which of the following are options or features that you would evaluate to differentiate between models? (Choose all that apply.)

A. Frequency

B. Form factor

C. Resolution

D. DFS/TPC support

E. Supporting software

32. What is the name of the information that is added to the 802.11 frame that is taken from the RF to bit transition process, which includes date and time stamps, a channel stamp, a signal stamp, and a noise stamp?

A. Receiver data

B. Radio Header

C. Radio Data field

D. Radiotap Header

E. RF Header

33. In RF monitor mode, how will a wireless network adapter operate?

A. Can capture traffic from only the BSS to which it is associated

B. Can capture traffic from all BSSs without affecting normal network operation

C. Becomes a completely passive listening device, and normal network operation is disabled

D. Uses time division multiplexing to split its time between listening and transmitting; network operation will be slower

34. What is the purpose of a network analyzer’s expert system?

A. Automatic detection of network events, errors, and problems

B. Automatic configuration of access points’ channel and power levels

C. Packet replay for network testing and baselines

D. Rogue device location

35. Which of the following metrics indicate the quality of a VoIP call? (Choose all that apply.)

A. RTP response time

B. MOS

C. TTL

D. R-Factor

Answers to Assessment Test

1. B, D. The PLCP Service Data Unit (PSDU) is a view of the MPDU from the other side. The MAC layer refers to an 802.11 frame as the MPDU, while the Physical layer refers to this same 802.11 frame as the PSDU. For more information, see Chapter 1.

2. D. 802.11 frames can carry an MSDU payload of up to 2,304 bytes of upper-layer data as per the 802.11 standard. This maximum size is configurable and can be reduced. For more information, see Chapter 1.

3. B. An 802.11 frame has up to four address fields. In most instances, only three address fields are actually needed. The fourth field is used when the frame is being transmitted across a wireless distribution system (WDS). For more information, see Chapter 1.

4. D. Like the Long PLCP Preamble, the Short PLCP Preamble is transmitted using DBPSK; however, the Short PLCP Header is transmitted using 2 Mbps Differential Quadrature Phase Shift Keying (DQPSK). For more information, see Chapter 2.

5. A, C, E. The mandatory PHYs are ERP-OFDM and ERP-DSSS/CCK. To achieve the higher data rates, a PHY technology called Extended Rate Physical OFDM (ERP-OFDM) is mandated. Data rates of 6, 9, 12, 18, 24, 36, 48, and 54 Mbps are possible using this technology, although the IEEE requires only the data rates of 6, 12, and 24 Mbps. For more information, see Chapter 2.

6. A, B, D, E. If any portion of a unicast frame is corrupted, the cyclic redundancy check (CRC) will fail, and the receiving 802.11 radio will not return an ACK frame to the transmitting 802.11 radio. If an ACK frame is not received by the original transmitting radio, the unicast frame is not acknowledged and will have to be retransmitted. The MAC header of 802.11 frames contains a Retry field. If the Retry field is set to a value of 1 in either a management or data frame, the transmitting radio is indicating that the frame being sent is a retransmission. Multipath, RF interference, low SNR, hidden nodes, mismatched power settings, near/far problems, and adjacent cell interference may all cause layer 2 retransmissions. Co-channel interference usually does not cause retries but does add unnecessary medium contention overhead. For more information, see Chapter 3.

7. A. The MAC headers of all 802.11 frames contain a Protocol Version field. This field is simply used to indicate which protocol version of 802.11 technology is being used by the frame. Currently, all 802.11 frames have the value always set to 0 in the Protocol Version field. All other values are reserved. In other words, there is currently only one version of 802.11 technology. In the future, the IEEE could define another version of 802.11 technology that would not be backward compatible with the current version 0. For more information, see Chapter 3.

8. B. Transmit Power Control (TPC) allows stations to reduce their power level so as not to disturb neighboring radars. For more information, see Chapter 4.

9. A. Stations requesting a QoS level for their traffic send an ADDTS request frame describing the traffic stream with TSPEC and optional TCLAS fields. When the QoS level is granted, the station traffic benefits from the negotiated QoS level for a given service period (SP). The SP can be repeated at regular intervals, called service intervals (SIs). For more information, see Chapter 4.

10. A. The RSN information element specifies the details of the encryption (WEP, TKIP, or CCMP) and authentication (PSK or 802.1X/EAP) in use in the WPA/WPA2-compatible cell. For more information, see Chapter 4.

11. A. The BSS Load Element, often called QBSS Load Element, provides information on the cell load from the AP point of view: station count and AP utilization (in %). For more information, see Chapter 4.

12. A. In an 802.11h-compliant deployment, APs can use the Quiet element in action frames or beacons to stop stations from sending signals on the current channel. For more information, see Chapter 4.

13. A. When an RTS frame is transmitted, the Duration value is set to include the following in order: SIFS CTS SIFS DATA SIFS ACK. For more information, see Chapter 5.

14. D. When a PS-Poll frame is transmitted, the Duration/ID field contains the station’s AID, which is used by the AP to identify the station. For more information, see Chapter 5.

15. B. The Address2 field that contains the transmitter address is used by the acknowledging station to populate the receiver address (RA) field. For more information, see Chapter 5.

16. A, B, D. The only time when a QoS frame would be transmitted is when a QoS station is sending a frame to another QoS station. For more information, see Chapter 6.

17. A, E. Address1 always represents the receiver address. In this instance, the frame is being transmitted from a station to an access point, in which case Address1 also represents the BSSID. For more information, see Chapter 6.

18. A, B, C, E. If encryption is enabled, then each MPDU is encrypted individually. The MPDUs are then passed down to the PLCP sublayer where two or more MPDUs are placed in a single PPDU. The individual MPDUs within an A-MPDU must all have the same receiver address. Also, the individual MPDUs must all be of the same 802.11e QoS access category. A-MPDU also requires the use of block acknowledgments. For more information, see Chapter 6.

19. A. AIFS was introduced with the 802.11e amendment. DIFS, EIFS, and PIFS come from the 802.11 standard. For more information, see Chapter 7.

20. A. Slot times make up the random backoff timer. Interframe spaces precede the random backoff timer. CCA idle periods and NAV times are not quiet periods. For more information, see Chapter 7.

21. A. A contention-free burst (CFB) is a series of frames sent by a QoS AP or station that has won arbitration. The MSDU is a single frame of data. The NAV is the virtual carrier sense. The TXOP is a window of time where a CFB may be transmitted. For more information, see Chapter 7.

22. B, C, D. 802.11e APSD, 802.11n PSMP, and 802.11n SMPS are all power management methods from 802.11 amendments. There is no such thing as 802.11b PSP. For more information, see Chapter 8.

23. A, B, C, D. When a station is in Power Save mode, it can be in any power state. For more information, see Chapter 8.

24. B. APSD (specifically U-APSD) involves the station notifying the AP of changes in power management mode in order to retrieve buffered unicast frames.

Power save polling is not a power management method, but 802.11 power management does use PS-Poll frames to retrieve buffered data. 802.11 power management would not be a correct answer here because PS-Poll frames do not involve the changing of mode.

Scheduled PSMP is defined only for contention-free periods where APs control station activity.

SMPS involves stations not using spatial multiplexing as a way to limit power consumption. Power management modes are not affected. For more information, see Chapter 8.

25. D. Remember that WEP encrypts the MSDU upper-layer payload that is encapsulated in the frame body of an MPDU. The MSDU payload has a maximum size of 2,304 bytes. Because the IV adds 4 octets and the ICV also adds 4 octets, when WEP is enabled, the entire size of the body inside an 802.11 data frame is expanded by 8 bytes to a maximum of 2,312 bytes. In other words, WEP encryption adds 8 bytes of overhead to an 802.11 MPDU. For more information, see Chapter 9.

26. F. Because of the extra overhead from the IV (4 bytes), Extended IV (4 bytes), MIC (8 bytes), and ICV (4 bytes), a total of 20 bytes of overhead is added to the frame body of a TKIP-encrypted 802.11 data frame. When TKIP is enabled, the entire size of the frame body inside an MPDU is expanded by 20 bytes to a maximum of 2,324 bytes. In other words, TKIP encryption adds 20 bytes of overhead to an 802.11 MPDU. For more information, see Chapter 9.

27. C. The format of the 8-byte CCMP header is basically identical to the format of the 8-byte TKIP header (IV/Extended IV) used by TKIP. Therefore, most protocol analyzers cannot distinguish between TKIP-encrypted data frames and CCMP-encrypted data frames. However, you can always determine which cipher is being used by looking at a field called the RSN information element. The RSN information element is found in four different 802.11 management frames: beacon management frames, probe response frames, association request frames, and reassociation request frames. For more information, see Chapter 9.

28. B. The 802.11n amendment adds a new field to the 802.11 MAC header, called the HT Control field. The HT Control field is 4 octets long and follows the QoS Control field in the 802.11 MAC header. For more information, see Chapter 10.

29. A. An 802.11n access point using A-MSDU aggregation would receive multiple 802.3 frames, remove the 802.3 headers and trailers, and then wrap the multiple MSDU payloads into a single 802.11 frame for transmission. The size of an A-MSDU must not exceed a maximum length of 7935 bytes, which is much lower than the maximum length of an A-MPDU, which is 64 KB. The entire aggregated frame can be encrypted by using either TKIP or CCMP. It should be noted, however, that the individual MSDUs must all be of the same 802.11e QoS access category. For more information, see Chapter 10.

30. D. The HT Capabilities element has a Transmit Beamforming Capabilities field 4 octets in length that is used to advertise the beamforming capabilities of an HT STA. For more information, see Chapter 10.

31. A, B, C, E. In addition to these, other factors are price, hardware platform, and Wi-Fi integration. For more information, see Chapter 11.

32. D. The wireless NIC will use some of the specific information gleaned from the RF to bit transition process to actually add information to the wireless frame. This additional information is added at the receiving station and is in addition to the bits sent from the source. This added information is called the Radiotap Header. It includes date and time stamps, a channel stamp, a signal stamp, and a noise stamp. For more information, see Chapter 11.

33. C. A wireless network adapter is placed into a special mode called RF monitor mode by custom drivers written by network analyzer vendors. The wireless network adapter is placed into RF monitor mode during a packet capture, and the adapter becomes completely passive, allowing it to spend all its time capturing packets and thus ensuring it does not miss any. While in RF monitor mode, normal network operation is disabled. The custom driver should enable network operation once the analyzer has finished capturing packets. For more information, see Chapter 12.

34. A. Expert analysis is the automatic detection of network events, errors, and problems by the analyzer. The detected events can produce trigger notifications to alert the network administrator to a problem. For more information, see Chapter 12.

35. B, D. The mean opinion score (MOS) is a value from 1 to 5 that indicates the perceived quality of a call. The MOS scores displayed by your protocol analyzer are calculated from another quality metric, also displayed in your protocol analyzer, called R-Factor. R-Factor is calculated from measurable information such as jitter, packet loss, and latency. For more information, see Chapter 12.
