Glossary

Numbers

4-Way Handshake Under the 802.11i amendment, the authenticator (normally the access point) and the supplicant (the client station) exchange four EAPOL-Key frames after association. The exchange proves that both sides hold the same pairwise master key (PMK), derives the pairwise transient key (PTK) from the PMK, the ANonce, the SNonce, and the two MAC addresses, and delivers the group temporal key (GTK) to the supplicant. Only when the handshake completes are the dynamic encryption keys installed and the 802.1X controlled port unblocked.

802.11-2007 standard On March 8, 2007, IEEE Std. 802.11-2007 was approved as a revision of IEEE Std. 802.11-1999 and was the most current iteration of the standard at the time of writing. It rolls all the amendments published to date into a single document, so users no longer have to read the base standard and each amendment separately. This revision incorporates the following:

IEEE Std. 802.11-1999 (R2003)

IEEE Std. 802.11a-1999

IEEE Std. 802.11b-1999

IEEE Std. 802.11d-2001

IEEE Std. 802.11g-2003

IEEE Std. 802.11h-2003

IEEE Std. 802.11i-2004

IEEE Std. 802.11j-2004

IEEE Std. 802.11e-2005

802.11g protected mode See protection mechanism.

802.11e An approved 802.11 amendment that defines QoS enhancements.

802.11n The 802.11n-2009 amendment defines high throughput (HT) clause 20 radios that use multiple-input multiple-output (MIMO) technology in unison with Orthogonal Frequency Division Multiplexing (OFDM) technology.

802.1p A protocol that defines eight levels of priority for 802.3 wired networks.

802.1X The 802.1X standard is a port-based access control standard. 802.1X provides an authorization framework that allows or disallows traffic to pass through a port and thereby access network resources. An 802.1X framework may be implemented in either a wireless or wired environment. The three main components of an 802.1X framework are the supplicant, the authenticator, and the authentication server.

A

access point The CWNP definition is a half-duplex wireless device with switch-like intelligence. In reality, an access point is simply a hub with a radio card and an antenna. Access point radios must contend for the half-duplex medium in the same fashion as the client station radio cards.

acknowledgment (ACK) The ACK frame is one of the six control frames and one of the key components of the 802.11 CSMA/CA media access control method. Because 802.11 is a wireless medium that cannot guarantee successful data transmission, the only way for a station to know that a frame it transmitted was properly received is for the receiving station to notify the transmitting station. This notification is performed using an ACK. The ACK frame is a very simple frame consisting of 14 octets of information.

Active mode Active mode is the default power management mode for most 802.11 stations. When a station is set for Active mode, the wireless station is always ready to transmit or receive data. Active mode is sometimes referred to as Continuous Aware mode, and it provides no battery conservation. In the MAC header of an 802.11 frame, the Power Management field is 1 bit in length and is used to indicate the power-management mode of the station. A value of 0 indicates that the station is in Active mode. Stations running in Active mode will achieve higher throughput than stations running in Power Save mode, but the battery life will typically be much shorter.

add traffic stream (ADDTS) frames This is used to carry TSPEC and optionally TCLAS elements to set up and maintain traffic streams.

adjacent channel This is the next or previous numbered channel.

adaptive rate selection This is also known as dynamic rate shifting, dynamic rate selection, or automatic rate selection. It is a process that client stations use to shift to lower-bandwidth capabilities as they move away from an access point and to higher-bandwidth capabilities as they move toward an access point. The objective is upshifting and downshifting for rate optimization and improved performance.

Advanced Encryption Standard (AES) The AES algorithm, originally named Rijndael, is a block cipher that offers much stronger protection than the RC4 stream cipher used by WEP and TKIP. AES encrypts data in fixed 128-bit blocks with a choice of 128-, 192-, or 256-bit keys. 802.11 uses AES with a 128-bit key inside the encryption method known as counter mode with Cipher Block Chaining Message Authentication Code (CCMP) to both encrypt and authenticate wireless data.

Aggregate MAC Protocol Data Unit (A-MPDU) This is a frame aggregation technique that combines multiple 802.11 frames (MPDUs) into a single PHY transmission. All MPDUs in an A-MPDU must be addressed to the same receiver address, but they do not need to share the same final destination address. Each MPDU keeps its own MAC header and is encrypted separately, with its own CCMP header and packet number, using the dynamic encryption key that is unique to the access point and that client.

Aggregate MAC Service Data Unit (A-MSDU) A frame aggregation technique that combines multiple MSDU payloads into a single MPDU. The aggregated MSDUs must have a single destination because they share one MAC header, and the whole A-MSDU is encrypted as one payload with a single dynamic encryption key.

all-band interference All-band interference is RF interference that occurs across the entire frequency range that is being used. The term all-band interference is typically associated with frequency-hopping spread spectrum (FHSS) communications that disrupt HR-DSSS and/or ERP-OFDM channel communications.

amplitude This is the height, force, or power of a wave; it is often referred to as signal strength.

amplitude modulation See amplitude shift keying (ASK).

amplitude shift keying (ASK) ASK varies the amplitude, or height, of a signal to represent the binary data. ASK is a current state technique, where one level of amplitude can represent a 0 bit and another level of amplitude can represent a 1 bit.

announcement traffic indication message (ATIM) This is a unicast frame that is used in an IBSS network when Power Save mode is enabled. If a station has buffered data for another station, it will send an ATIM frame to the other station, informing it that it must stay awake until the next ATIM window so that it can receive the buffered data. Any station that either has buffered data for another station or has received an ATIM will stay awake so that the buffered data can be exchanged.

antenna selection (ASEL) This is a method to increase signal diversity by dynamically selecting which antennas to use when an STA has more antennas than radio chains.

arbitration interframe space (AIFS) The interframe space used by QoS stations under the 802.11e EDCA medium access method in place of DIFS. Its duration varies by access category (AIFS equals SIFS plus AIFSN slot times, where AIFSN is configured per access category), so higher-priority traffic waits less before it may begin contending for the medium.

ARC4 This is a stream cipher that was designed by Ron Rivest of RSA Security in 1987 as RC4. RSA never officially published the algorithm; after its source code was anonymously posted in 1994, unofficial implementations came to be called Arcfour or ARC4, which stands for “Alleged RC4.” ARC4 is the cipher underlying both WEP and TKIP.

Arcfour See ARC4.

associated After a station has authenticated with the access point, the next step is for it to associate with the access point. When a client station associates, it becomes a member of a basic service set (BSS). Association means that the client station can send data through the access point and on to the distribution system medium.

association request This is the first frame of the association phase, sent from the requesting station to the AP. Association exists only in a BSS or ESS; stations in an IBSS do not associate.

association response After receiving the Association Request frame, the AP replies with an Association Response frame that carries a status code. If the AP grants access to the cell, the status code is 0 (successful) and the frame also carries the association identifier (AID) assigned to the station; otherwise the status code gives the reason for refusal.

association identifier (AID) Any time a station associates to an access point, the station receives an association identifier (AID). The access point uses this AID to keep track of the stations that are associated and the members of the BSS.

authentication Authentication is the verification of user identity and credentials. Users must identify themselves and present credentials, such as usernames and passwords or digital certificates. More secure authentication systems exist that require multifactor authentication where at least two sets of different credentials must be presented.

authentication algorithm number This 2-byte field in the authentication frame identifies which authentication system is used: 0 for Open System, 1 for Shared Key, and 2 for Fast BSS Transition (802.11r).

authentication frame This is the first management exchange between a station and an AP; it validates that the requesting station has the proper 802.11 capabilities to join the cell. With Open System authentication the exchange is effectively a null authentication that proves no identity, so the real proof of identity happens afterwards, through 802.1X/EAP or the 4-Way Handshake with a preshared key. Shared Key authentication, which relies on the WEP key, is deprecated.

authentication server (AS) When an 802.1X/EAP solution is deployed, an authentication server validates the credentials of the supplicant that is requesting access and notifies the authenticator that the supplicant has been authorized. The authentication server will maintain a user database or may proxy with an external user database to authenticate user credentials.

Authentication Transaction Sequence Number A 2-byte field that indicates the current state of progress through the multistep authentication transaction.

authenticator When an 802.1X/EAP solution is deployed, a device that blocks or allows traffic to pass through its port entity is known as the authenticator. Authentication traffic is normally allowed to pass through the authenticator while all other traffic is blocked until the identity of the supplicant has been verified.

authenticator nonce (ANonce) A random value generated by the authenticator for use in a single 4-Way Handshake. It is sent to the supplicant in message 1 and, together with the SNonce, the PMK, and both MAC addresses, is used to derive the PTK. A fresh ANonce is generated for every handshake so that a new PTK results each time.
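The derivation the 4-Way Handshake and ANonce entries describe, as an added example that is not part of the original glossary: the 802.11i PRF built on HMAC-SHA1 expands the PMK, both nonces and both MAC addresses into the PTK (for CCMP, 384 bits split into KCK, KEK and TK), and the KCK then authenticates each EAPOL-Key message with a MIC (HMAC-SHA1 truncated to 16 bytes for key descriptor version 2). The PMK, MAC addresses, nonces and the message 2 frame below are constructed sample values, not captured material, and the message omits the RSN element a real message 2 carries in its key data.

```python
"""WPA2 4-Way Handshake key derivation and EAPOL-Key MIC (added example, stdlib only)."""
import hashlib
import hmac
import struct

# Constructed sample values (not real keys or captures).
PMK = bytes.fromhex("0123456789abcdef" * 4)      # 256-bit pairwise master key
AA = bytes.fromhex("001122334455")                # authenticator (AP) MAC address
SPA = bytes.fromhex("66778899aabb")               # supplicant (client) MAC address
ANONCE = bytes(range(32))                         # nonce from message 1
SNONCE = bytes(range(32, 64))                     # nonce from message 2

MIC_OFFSET = 81  # EAPOL header (4) + Key Descriptor fields preceding the Key MIC (77)


def prf(key: bytes, label: bytes, data: bytes, out_len: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < out_len:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:out_len]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(AN,SN)||max(AN,SN)).
    Min/Max ordering makes the result independent of which side computes it.
    For CCMP the 48-byte PTK is KCK (16) || KEK (16) || TK (16)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def build_msg2(snonce: bytes, replay_counter: int) -> bytes:
    """Constructed EAPOL-Key message 2 (supplicant -> authenticator) with a zeroed MIC field."""
    key_info = 0x010A  # descriptor version 2 (HMAC-SHA1 MIC), pairwise key, MIC bit set
    body = struct.pack(">BHH", 2, key_info, 16)            # descriptor type RSN, Key Info, Key Length
    body += replay_counter.to_bytes(8, "big") + snonce     # Replay Counter, Key Nonce
    body += b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8       # Key IV, Key RSC, reserved
    body += b"\x00" * 16                                   # Key MIC placeholder
    body += struct.pack(">H", 0)                           # Key Data Length (RSN IE omitted here)
    return struct.pack(">BBH", 2, 3, len(body)) + body     # 802.1X version 2, type EAPOL-Key


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key descriptor version 2 MIC: HMAC-SHA1 over the frame with the MIC field zeroed, truncated to 16."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def verify_eapol_mic(kck: bytes, eapol_frame: bytes) -> bool:
    """Constant-time comparison of the carried MIC with the recomputed one."""
    carried = eapol_frame[MIC_OFFSET:MIC_OFFSET + 16]
    return hmac.compare_digest(eapol_mic(kck, eapol_frame), carried)


def run_example() -> dict:
    keys = derive_ptk(PMK, AA, SPA, ANONCE, SNONCE)
    msg2 = build_msg2(SNONCE, replay_counter=1)
    signed = msg2[:MIC_OFFSET] + eapol_mic(keys["kck"], msg2) + msg2[MIC_OFFSET + 16:]
    tampered = signed[:10] + bytes([signed[10] ^ 0x01]) + signed[11:]   # flip a replay counter bit
    return {
        **keys,
        "mic_ok": verify_eapol_mic(keys["kck"], signed),
        "tampered_ok": verify_eapol_mic(keys["kck"], tampered),
        # Both sides derive the same PTK even though they order the inputs differently.
        "order_independent": derive_ptk(PMK, SPA, AA, SNONCE, ANONCE) == keys,
        # Any change of nonce yields a different PTK, which is why nonces must be fresh.
        "fresh_nonce_changes_ptk": derive_ptk(PMK, AA, SPA, bytes(32), SNONCE) != keys,
    }


if __name__ == "__main__":
    for name, value in run_example().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

The MIC covers the whole EAPOL-Key frame, including the replay counter, so a replayed or modified message fails verification; the authenticator learns the supplicant holds the PMK only because the MIC on message 2 verifies under the KCK that it derived itself from the same inputs.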

automatic rate selection A process that client stations use to shift to lower-bandwidth capabilities as they move away from an access point and to higher-bandwidth capabilities as they move toward an access point. The objective of ARS is upshifting and downshifting for rate optimization and improved performance.

B

basic rates This is the set of data rates that a client station must be capable of communicating with in order to associate with an access point successfully. Basic rates are the required rates within a basic service set (BSS); they are advertised in the Supported Rates element with the high-order bit of the rate octet set.

basic service set (BSS) The 802.11 standard defines three topologies known as service sets. One topology, known as the basic service set (BSS), involves communications between a single access point and client stations that are associated with the access point.

basic service set identifier (BSSID) The BSSID address is a 48-bit (6-octet) MAC address used as a unique identifier of a basic service set. In either a BSS or ESS topology, the BSSID address is simply the MAC address of a single access point radio. In an IBSS topology, the BSSID is a randomly generated virtual address, with the individual/group bit set to 0 and the universal/local bit set to 1.

basic service set (BSS) load element This provides information on the cell load, from the AP point of view. It is typically sent by the AP (although the 802.11 standard does not restrict it to APs only) and used by the receiving stations to decide how to roam.

beacon interval This field in the beacon management frame represents the number of time units (TUs) between target beacon transmission times (TBTTs).

beacon management frame This is one of the most important 802.11 frame types, commonly referred to as the beacon. Beacons are essentially the heartbeat of the wireless network: they advertise the SSID, supported rates, channel, capabilities and security parameters of the BSS and carry the TIM that power-saving stations rely on. In a BSS they are sent only by the access point; client stations transmit beacons only when participating in an IBSS, also known as ad hoc mode.

best effort This is the third highest priority access category used with 802.11 QoS.

bit A bit is a basic unit of information storage and communication.

bit error rate (BER) This is a measure of transmission errors. Although BER can be modeled with detailed mathematics, in its simplest form it is the number of bits received in error divided by the total number of bits sent.

Bitmap Control This is one of the TIM information element fields. The Bitmap Control field is 1 byte that serves two purposes. Bit 0, the Traffic Indicator bit, is meaningful only in a DTIM beacon, where it indicates whether broadcast/multicast frames are buffered at the AP. The remaining seven bits hold the Bitmap Offset.

Bitmap Offset The remaining seven bits of the Bitmap Control field, which may have any value between 0 and 127, are used as a space saver. The value is half the index of the first octet of the full 251-octet traffic indication virtual bitmap that is actually carried in the beacon's partial virtual bitmap, so the AP can omit leading octets that contain no set bits.

block acknowledgment (BA) Introduced in the 802.11e amendment, the block acknowledgment mechanism improves channel efficiency by aggregating several acknowledgments into one single acknowledgment.

block acknowledgment request (BlockAckReq) frame The originator requests acknowledgment of all the outstanding QoS data frames by sending a BlockAckReq frame.

broadcast address This group address indicates all stations that belong to the network.

buffer This is temporary memory on the AP used for storing data that could not be delivered because of Power Save mode.

buffer size This is also referred to as the capture buffer size. It is an allocation of memory (RAM) that will be reserved for the packet capture.

byte This is a unit of digital information comprised of 8 bits.

C

Capability Information field This is a 2-octet field contained in many management frames that contains a number of subfields that are used to indicate requested or advertised optional capabilities.

calculation fields These are all the fields of the MAC header and frame body that the frame check sequence is calculated over.

capture filters These are filters applied to the packet stream before the packets enter the capture buffer. Anything filtered out at capture time is not stored and therefore cannot be recovered later.

carrier frequency This is the nominal frequency of a carrier wave.

carrier sense This check is performed by an STA to see whether the medium is busy.

Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) This is the media access control method used by 802.11 networks. Four mechanisms are used together to ensure that only one station is transmitting at any given time on the half-duplex RF medium. The four mechanisms are physical carrier-sense, virtual carrier-sense, interframe spaces, and the random back-off algorithm.

CBC See cipher-block chaining.

CBC-MAC See cipher-block chaining message authentication code.

CCM See counter mode with Cipher Block Chaining Message Authentication Code (CCMP).

CF-End frame This is a 20-octet frame that is used to indicate the end of a contention-free period.

CF-End+CF-Ack frame This is a 20-octet frame that is used to indicate the end of a contention-free period and acknowledge receipt of a frame.

channel scanning This is analysis that captures traffic on all selected channels, spending a short amount of time on each channel before moving to the next one.

channel switch announcement This is an element (and the corresponding Action frame) used by the AP to inform the stations in the cell that the BSS is moving to another channel, typically because radar was detected on the current frequency under dynamic frequency selection (DFS).

chips This is a series of bits that represent a single bit of data. To prevent confusion, the data is referred to as a bit, and the series of bits are referred to as chips instead of bits.

chipping This process of converting a single data bit into a sequence of bits known as chips is often called spreading or chipping.

cipher-block chaining This is a mode of operation for a block cipher in which each plaintext block is XORed with the previous ciphertext block before it is encrypted, so that identical plaintext blocks do not produce identical ciphertext. The first block is XORed with an initialization vector (IV).

cipher-block chaining message authentication code This is a message authentication code computed by running a block cipher in CBC mode over the message, starting from a zero IV, and keeping (part of) the final ciphertext block as the tag. In CCMP it provides the layer 2 integrity check (MIC) for the frame.

clear channel assessment (CCA) This is a layer 1 process that determines whether the RF medium is busy. 802.11 radios cannot transmit if the RF medium is busy.

clear to send (CTS) See request to send/clear to send (RTS/CTS).

complementary code keying (CCK) This is a spreading/coding technique used by 802.11b cards to provide higher data rates (HR-DSSS).

contention free (CF) This is an optional 802.11 operating mode when PCF medium access method is implemented and operating. Although defined by the standard, CF and PCF medium access method have not been implemented.

contention-free period (CFP) This occurs when the access point is functioning in PCF mode. During the contention-free period, the access point polls only clients in PCF mode about their intention to send data. This is a method of prioritizing clients.

contention-free burst The data frame transmissions within a TXOP are called a contention-free burst (CFB).

contention window After a station has waited while performing both virtual and physical carrier senses, the station may contend for the medium during a window of time known as the contention window.

control frames Control frames help with the delivery of the data frames. Control frames must be able to be heard by all stations; therefore, they must be transmitted at one of the basic rates. Control frames are also used to clear the channel, acquire the channel, and provide unicast frame acknowledgments. They contain only layer 2 header information.

controlled port This is a virtual port used during 802.1X/EAP authentication. The authenticator maintains two virtual ports: an uncontrolled port and a controlled port. The uncontrolled port allows EAP authentication traffic to pass through, while the controlled port blocks all other traffic until the supplicant has been authenticated.

Control Wrapper frame The Control Wrapper frame is a new control frame introduced by the 802.11n amendment. Its purpose is to carry other control frames along with an HT Control field.

convolutional coding This is a form of error correction. Convolutional coding is not inherent to OFDM modulation itself, but the 802.11a and 802.11g OFDM PHYs mandate it. It is a forward error correction (FEC) that allows the receiving system to detect and repair corrupted bits. Several coding rates (1/2, 2/3, and 3/4) are defined; the lower the rate, the more redundancy is added and the fewer user bits each symbol carries.

counter mode with Cipher Block Chaining Message Authentication Code (CCMP) This is the default encryption method defined under the 802.11i amendment and the default encryption method of WPA2. CCMP uses the Advanced Encryption Standard (AES) cipher with a 128-bit key and 128-bit blocks: AES in counter mode provides confidentiality, and CBC-MAC provides integrity over the frame body and selected header fields. An 8-byte message integrity check (MIC) is used that is considered much stronger than the Michael MIC used in TKIP. CCMP adds 16 octets to each frame: an 8-octet CCMP header carrying the 48-bit packet number (PN) and key ID, and the 8-octet MIC. The PN must never be reused with the same temporal key, and a receiver discards frames whose PN does not increase, which provides replay detection.

CTR See counter mode with Cipher Block Chaining Message Authentication Code (CCMP).

CTS-to-self A protection mechanism for mixed-mode environments. One of the benefits of using CTS-to-self over RTS/CTS as a protection mechanism is that the throughput will be higher, because fewer frames are sent. The trade-off is that only stations within range of the transmitter hear the CTS, so CTS-to-self gives less protection against hidden nodes than a full RTS/CTS exchange.

cycle This wave form starts at the center; climbs in energy to the highest point, called the peak; returns to the center; then drops to the weakest point, called the trough; and finally returns to the center point.

cyclic redundancy check (CRC) This is an error-detecting code computed by polynomial division over the protected data. 802.11 uses a 32-bit CRC as the frame check sequence. A CRC detects accidental corruption only; it is linear and keyless, so it offers no protection against deliberate modification, which is why encrypted frames additionally carry a cryptographic MIC.

D

Data-Link layer This is the second layer of the OSI model. The Data-Link layer is subdivided into two sublayers: the upper LLC sublayer and the lower MAC sublayer.

data encoding This is the process of spreading data across a channel.

data frames 802.11 data frames carry the layer 3–7 MSDU payload. The MSDU is usually encrypted for data privacy purposes.

deauthentication frame This is a notification frame used to terminate an authentication. Because authentication is a prerequisite for association, disassociation will also occur. Deauthentication cannot be refused by either party. Unless management frame protection (802.11w) is in use, deauthentication frames are neither encrypted nor authenticated.

decibel (dB) Decibel is derived from the term bel. It is a measurement of the ratio between two powers: decibels = 10 × log10(P1/P2).

delivery traffic indication message (DTIM) This is a special type of TIM that is used to ensure that all stations are awake when multicast or broadcast traffic is sent.

delete traffic stream (DELTS) frame This is a traffic stream deletion frame sent from the station or the AP.

delta time This is the time difference between transmitted frames.

destination address (DA) The MAC address that is the final destination of the frame.

de-spreads This means converting a chip sequence back into a single data bit.

differential binary phase shift keying (DBPSK) This is a modulation technique used to transmit 802.11 DSSS data at 1 Mbps.

differential quadrature phase shift keying (DQPSK) This is a modulation technique used to transmit 802.11 DSSS data at 2 Mbps.

differentiated services code point (DSCP) This is a 6-bit field in the IP header used to mark QoS. The upper 3 bits map to the eight class selector (IP precedence) priority levels used as the main markers, and the lower 3 bits define subpriorities called drop precedences.

direct sequence parameter set element An element used by both DSSS and OFDM systems on both 2.4 GHz and 5 GHz spectrums that indicates the current channel.

direct sequence spread spectrum (DSSS) This is a spread spectrum technology originally specified in the 802.11 standard. Provides 1 Mbps and 2 Mbps RF communications using the 2.4 GHz ISM band. DSSS 802.11 radio cards are often known as clause 15 devices.

direct sequence spread spectrum-OFDM (DSSS-OFDM) This is an optional PHY defined by the 802.11g ratified amendment.

disassociation frame This is an 802.11 notification frame used to terminate an association. Disassociation is considered a polite way of terminating the association. Disassociation cannot be refused by either party. Like deauthentication frames, disassociation frames are unprotected unless 802.11w management frame protection is in use.

display filters Also known as postcapture filters, these filters are applied to the stored packets, hiding the unwanted packets from view, while retaining them for future use.

distributed analysis This is analysis using wireless sensors or remote capture devices to monitor the wireless environment and report their statistics/packets to an analyzer or server.

distributed coordination function (DCF) CSMA/CA is provided by DCF, which is the mandatory access method of the 802.11 standard.

distributed coordination function (DCF) interframe space The DCF interframe space (DIFS) is a period of time used with DCF clear channel assessment. During a contention period, a station may begin its random backoff, and then transmit, only after it has sensed the medium continuously idle for a DIFS.

delivery traffic indication map (DTIM) count One of the TIM information element fields, this count indicates the number of incremental beacon frames until the next DTIM beacon.

delivery traffic indication map (DTIM) period This is the number of beacon frames between DTIM beacons.

distribution system (DS) The DS is a system used to interconnect a set of basic service sets (BSSs) and integrated local area networks (LANs) to create an extended service set (ESS). The DS consists of a medium used for transporting traffic as well as services used for transporting traffic.

distribution system medium (DSM) The DSM is a logical physical medium used to connect access points. Normally, the DSM is an 802.3 Ethernet backbone; however, the medium can also be wireless or some other type of medium.

distribution system service (DSS) This is a system service built inside an autonomous access point or WLAN controller usually in the form of software. The distribution system service is used to transport 802.11 traffic.

doze The low-power state a station enters when Power Save is enabled: the radio receiver is switched off to conserve energy, and the station wakes at the appropriate beacon (or DTIM beacon) to learn from the TIM whether the AP has buffered frames for it.

driver This is software that tells the operating system or a program how to communicate with a hardware device.

Dual CTS Dual CTS sets the Network Allocation Vector (NAV) both in STAs that do not support STBC and in STAs that can only associate and communicate using STBC because of their physical distance from the AP.

Duration/ID field This is a field in an 802.11 frame header that is typically used to set the NAV timer in other stations. This is used with virtual carrier sense.

dwell time This is a defined amount of time that the FHSS system transmits on a specific frequency before it switches to the next frequency in the hop set. The local regulatory body typically limits the amount of dwell time.

dynamic frequency selection (DFS) This is used for spectrum management of 5 GHz channels for 802.11a radio cards. The European Radiocommunications Committee (ERC) originally mandated that radio cards operating in the 5 GHz band implement a mechanism to avoid interference with radar systems as well as provide equitable use of the channels. The DFS service is used to meet the ERC regulatory requirements. This has since become a requirement of other regulatory bodies, such as the FCC in the United States.

dynamic rate shifting See automatic rate selection.

dynamic rate switching (DRS) See automatic rate selection.

E

end-of-service period (EOSP) This is a 1-bit subfield of the QoS Control field that is used by the hybrid coordinator (HC) to indicate the end of the current service period (SP).

Enhanced Distributed Channel Access (EDCA) As defined by the 802.11e amendment, Enhanced Distributed Channel Access (EDCA) is an extension to DCF. The EDCA medium access method provides for the prioritization of traffic via the use of 802.1d priority tags.

energy detection This is a power-level measurement that varies between devices. If modulated bits are detected at this level, the CCA will go busy for 15 microseconds.

Exclusive-OR (XOR) A logical operation on two operands that yields true (1) if exactly one of the operands is true. Stream ciphers such as RC4, and the counter mode inside CCMP, combine keystream with plaintext by XOR; because XOR is its own inverse, decryption is the same operation, and reusing keystream for two different plaintexts leaks the XOR of those plaintexts.

expert analysis This is the automatic detection of network events, errors, and problems by an analyzer.

ExpressCard This hardware standard is replacing PCMCIA cards.

extended interframe space (EIFS) If a previously received frame contains an error, then the transmitting station must wait an EIFS duration instead of DIFS before transmitting.

Extended Rate Physical (ERP) This is a Physical layer specification (PHY) defined for clause 19 radios. This PHY operates in the 2.4 GHz ISM band and uses ERP-OFDM to support data rates of 6 Mbps to 54 Mbps. ERP/DSSS/CCK technology is used to maintain backward compatibility with HR-DSSS (clause 18) radios and DSSS (clause 15) radios.

Extended Rate Physical DSSS/CCK 802.11g clause 19 radios must maintain backward compatibility with 802.11 (DSSS only) and 802.11b (HR-DSSS) radios. A Physical layer (PHY) technology called Extended Rate Physical DSSS (ERP-DSSS/CCK) is used for backward compatibility and for supporting the data rates of 1, 2, 5.5, and 11 Mbps. This PHY layer operates in the 2.4 GHz ISM band.

Extended Rate Physical OFDM (ERP-OFDM) This is a Physical layer (PHY) technology used by 802.11g clause 19 radios to achieve greater bandwidth. This uses OFDM as defined in the 802.11a amendment. Therefore, data rates of 6, 9, 12, 18, 24, 36, 48, and 54 Mbps are possible using OFDM technology. This PHY layer operates in the 2.4 GHz ISM band.

Extended Rate Physical PBCC (ERP-PBCC) This is an optional PHY defined by the 802.11g ratified amendment for clause 19 radios.

extended service set (ESS) The 802.11 standard defines three topologies known as service sets. One topology, known as the extended service set (ESS), involves communications between multiple access points that share a network infrastructure. An ESS is one or more basic service sets that share a distribution system medium.

extended service set identifier (ESSID) This is the logical network name of an extended service set, also known as a service set identifier (SSID).

extended supported rates element This is used in conjunction with the supported rates element to identify the supported rates.
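A parser for the beacon frame body, as an added example that is not part of the original glossary, tying together the Capability Information field, beacon interval, supported and extended supported rates (basic rates flagged by the high-order bit), direct sequence parameter set, BSS load element, and the TIM with its DTIM count, DTIM period, Bitmap Control and Bitmap Offset entries. The beacon body below is constructed, not captured; the element IDs (0, 1, 3, 5, 11, 50) are the standard ones. Every element is bounds-checked against its declared length before use, which is the check an analyzer must make on untrusted over-the-air data.

```python
"""Beacon frame body and TIM element parser (added example; the sample body is constructed)."""
import struct

CAPABILITY_BITS = {0: "ESS", 1: "IBSS", 4: "privacy", 5: "short_preamble", 10: "short_slot_time"}


def parse_rates(data: bytes) -> dict:
    """Each octet is a rate in 500 kbps units; bit 7 flags a basic (required) rate."""
    rates = {"basic": [], "supported": []}
    for r in data:
        mbps = (r & 0x7F) / 2
        rates["supported"].append(mbps)
        if r & 0x80:
            rates["basic"].append(mbps)
    return rates


def parse_tim(data: bytes) -> dict:
    """TIM = DTIM Count (1) | DTIM Period (1) | Bitmap Control (1) | Partial Virtual Bitmap (1..251).

    Bitmap Control bit 0 is the traffic indicator for buffered broadcast/multicast (meaningful
    only when DTIM Count is 0, i.e. a DTIM beacon).  Bits 1-7 are the Bitmap Offset N1/2: the
    partial bitmap starts at octet 2*offset of the full 251-octet virtual bitmap, in which
    AID k is bit (k mod 8) of octet (k div 8).
    """
    if len(data) < 4:
        raise ValueError("TIM element too short")
    dtim_count, dtim_period, bitmap_control = data[0], data[1], data[2]
    first_octet = (bitmap_control >> 1) * 2
    aids = []
    for i, octet in enumerate(data[3:]):
        for bit in range(8):
            if octet & (1 << bit):
                aids.append((first_octet + i) * 8 + bit)
    return {
        "dtim_count": dtim_count,
        "dtim_period": dtim_period,
        "is_dtim": dtim_count == 0,
        "multicast_buffered": bool(bitmap_control & 0x01),
        "bitmap_offset": bitmap_control >> 1,
        "buffered_aids": [a for a in aids if a != 0],  # AID 0 is never assigned to a station
    }


def parse_beacon_body(body: bytes) -> dict:
    """Parse the frame body that follows the 24-octet MAC header of a beacon."""
    if len(body) < 12:
        raise ValueError("beacon body shorter than its fixed fields")
    timestamp, interval, cap = struct.unpack_from("<QHH", body, 0)
    info = {
        "timestamp": timestamp,
        "beacon_interval_tu": interval,  # time units of 1024 microseconds
        "capabilities": [name for bit, name in CAPABILITY_BITS.items() if cap & (1 << bit)],
    }
    pos = 12
    while pos + 2 <= len(body):
        eid, elen = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + elen]
        if len(data) != elen:  # never trust the length octet of a received element
            raise ValueError(f"element {eid} truncated")
        pos += 2 + elen
        if eid == 0:
            info["ssid"] = data.decode("utf-8", "replace")
        elif eid in (1, 50):  # Supported Rates and Extended Supported Rates
            rates = info.setdefault("rates", {"basic": [], "supported": []})
            for key, values in parse_rates(data).items():
                rates[key].extend(values)
        elif eid == 3 and elen >= 1:  # DS Parameter Set: current channel
            info["channel"] = data[0]
        elif eid == 5:
            info["tim"] = parse_tim(data)
        elif eid == 11 and elen >= 5:  # BSS Load
            count, util, capacity = struct.unpack_from("<HBH", data, 0)
            info["bss_load"] = {"station_count": count,
                                "channel_utilization_pct": round(util * 100 / 255),
                                "admission_capacity": capacity}
    return info


# Constructed beacon body: timestamp, interval 100 TU, capabilities ESS|privacy|short slot time,
# SSID "CorpNet", 802.11b/g rates, channel 6, a DTIM-beacon TIM with multicast buffered and
# unicast buffered for AIDs 16 and 18, BSS Load with 10 stations at 50% utilization, and
# extended rates 24-54 Mbps.
SAMPLE_BEACON_BODY = (
    struct.pack("<QHH", 0x123456, 100, 0x0411)
    + bytes.fromhex("0007") + b"CorpNet"
    + bytes.fromhex("0108" "82848b960c121824")
    + bytes.fromhex("030106")
    + bytes.fromhex("0504" "00030305")
    + bytes.fromhex("0b05" "0a00800000")
    + bytes.fromhex("3204" "3048606c")
)

if __name__ == "__main__":
    print(parse_beacon_body(SAMPLE_BEACON_BODY))
```

With Bitmap Control 0x03 the offset is 1, so the single partial-bitmap octet 0x05 describes octet 2 of the full virtual bitmap and its set bits resolve to AIDs 16 and 18; a station in doze state compares its own AID against this list to decide whether to stay awake and poll for buffered frames.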

Extensible Authentication Protocol (EAP) The Extensible Authentication Protocol (EAP), defined in RFC 3748, is used to provide user authentication for an 802.1X port-based access control solution. EAP is a flexible layer 2 authentication framework originally defined as an extension of the Point-to-Point Protocol (PPP); on a WLAN the EAP messages are carried in EAP over LAN (EAPOL) frames between the supplicant and the authenticator, and usually inside RADIUS between the authenticator and the authentication server.

Extensible Authentication Protocol (EAP) – PEAPv0 (EAP-MSCHAPv2) Microsoft’s EAP-PEAPv0 (EAP-MSCHAPv2) is the most common form of PEAP. The protocol used for user authentication inside the tunnel is EAP-MSCHAPv2. The credentials used for this version of PEAP are usernames and passwords. Client-side certificates are not used and are not supported.

Extensible Authentication Protocol (EAP) PEAPv0 (EAP-TLS) A type of PEAP from Microsoft, EAP-PEAPv0 (EAP-TLS) uses the EAP-TLS protocol for the inner tunnel authentication method. EAP-TLS requires the use of a client-side certificate. The client-side certificate is validated inside the TLS tunnel. No username is used for validation because the client-side certificate serves as the user credentials.

Extensible Authentication Protocol (EAP) PEAPv1 (EAP-GTC) This is Cisco’s implementation of PEAP authentication. EAP-PEAPv1 (EAP-GTC) uses EAP-Generic Token Card (EAP-GTC) for the inner-tunnel authentication.

Extensible Authentication Protocol (EAP) Transport Layer Security (EAP-TLS) Defined in RFC 5216, this is a widely used security protocol, largely considered one of the most secure EAP methods used in WLANs today. It requires the use of client-side certificates in addition to a server certificate.

F

FT 4-way handshake This occurs during the initial mobility domain association. The PTK and GTK encryption keys are created during the FT 4-Way Handshake, and the 802.1X controlled port is unblocked.

FT action frame This is sent over the air between the STA and the current AP. The action frame is used as a transport mechanism for data that is destined for the target AP.

FT initial mobility domain association The first association a station makes with an access point in a mobility domain. It uses the normal 802.11 authentication and association exchange with FT elements added, followed by the FT 4-Way Handshake, which establishes the key material that later fast BSS transitions reuse instead of repeating a full 802.1X/EAP exchange.

fast basic service set transition (FT) This is a set of fast secure roaming mechanisms defined by the 802.11r-2008 amendment.

Fast basic service set transition information element (FTIE) This includes information needed to perform the FT authentication sequence during a fast BSS transition.

fast Fourier transform (FFT) This is a more efficient algorithm for calculating a Fourier transform.

fast Fourier transform (FFT)-Duty Cycle This view displays the percentage of the time the ambient RF signal is higher than the noise floor.

Forty MHz intolerant When the Forty MHz Intolerant subfield is set to 1, it prohibits the use of 40MHz channels. An access point that receives frames with the Forty MHz Intolerant bit set, or reports it, is not allowed to operate a 20/40 MHz BSS.

Fourier transform (FT) This is a process of taking a known curve and performing a calculation to derive its equation.

fixed channel analysis This is analysis that locks the wireless NIC on to one channel, enabling it to capture all 802.11-encoded traffic on the selected channel.

forward error correction (FEC) This is a technology that allows a receiving system to detect and repair corrupted bits.

fragment burst This is a burst of fragments in which the transmitting station takes control of the medium and does not release it until all fragments are transmitted.

Fragment Number subfield This is a field that is part of a fragmented frame that contains a 4-bit number assigned to each fragment of an MSDU.

fragmentation threshold This is the threshold value at which an MSDU will be fragmented.

frame This is a unit of data at the Data-Link layer.

frame aggregation Frame aggregation allows multiple smaller MSDUs or MPDUs to be grouped together into a single frame, reducing the amount of overhead that would have been necessary for each individual frame.

frame body This is part of the MPDU that is considered the unit of data of the frame.

frame check sequence (FCS) This is a 32-bit cyclic redundancy check appended to every 802.11 frame, computed over the MAC header and frame body. It is used for error detection only, not correction: a frame that fails the FCS check is discarded and never acknowledged, which is what triggers the retransmission.

frame control field This is a 16-bit field that includes information about the frame being sent and specific protocol operations.

frame subtypes Each of the frame types is divided into multiple subtypes, with each subtype providing a different function and having a different frame structure.

frame types 802.11 defines three different frame types: control frames, data frames, and management frames.

free space path loss (FSPL) This is the loss of signal energy caused by the natural broadening of the waves, often referred to as beam divergence.

frequency This is a term describing a behavior of waves. How fast the waves travel—or more specifically, how many waves are generated over a one-second period of time—is known as frequency.

frequency domain This is the representation of a graph where the horizontal axis is calibrated by frequency.

frequency hopping spread spectrum (FHSS) This is a spread spectrum technology that was first patented during World War II. FHSS was used in the original 802.11 standard and provided 1 Mbps and 2 Mbps RF communications using the 2.4 GHz ISM band. FHSS works by using a small frequency carrier space to transmit data and then hopping to another small frequency carrier space and transmitting data and then to another frequency, and so on.

From DS field This 1-bit field is part of the Frame Control field, indicating whether the frame is originating from the distribution system (DS).

G

gain Also known as amplification, gain is the increase of amplitude or signal strength. The two types of gain are active gain and passive gain.

group address This is a multiple destination address, which could be used by one or more stations on a network.

group key handshake This is used only to issue a new group temporal key (GTK) to stations that have already formed security associations. Effectively, the Group Key Handshake is identical to the last two frames of the 4-Way Handshake. The purpose of the Group Key Handshake is to deliver a new GTK to all client stations that already have an original GTK generated by an earlier 4-Way Handshake.

group master key (GMK) This is part of the 4-Way Handshake that is randomly created on the access point/authenticator and is used to create the group temporal key (GTK).

group temporal key (GTK) This is used to encrypt all broadcast and multicast transmissions between the access point and multiple client stations.

guard interval The guard interval (GI) is the time that a transmitter waits between sending symbols. Short GI is 400 nanoseconds vs. the traditional GI of 800 nanoseconds.

H

hertz (Hz) This is a standard measurement of frequency, which was named after the German physicist Heinrich Rudolf Hertz. An event that occurs once in 1 second is equal to 1 Hz. An event that occurs 325 times in 1 second is measured as 325 Hz.

heuristic-based expert analysis This is analysis that looks for patterns in the traffic flow and compares them to a set of rules. Traffic that does not conform to these rules is reported.

high throughput (HT) High throughput (HT) provides PHY and MAC enhancements to support wireless throughput of 100 Mbps and greater. HT is defined by the 802.11n amendment for clause 20 radios.

high throughput (HT) protection modes There are four protection modes used by 802.11n to ensure backward compatibility with older 802.11a/b/g radios.

high-rate DSSS (HR-DSSS) The 802.11b 5.5 and 11 Mbps speeds are known as high-rate DSSS (HR-DSSS).

honeypot This is a trap set for potential hackers to detect and possibly counteract unauthorized access of a computer network.

hop time In a frequency-hopping spread spectrum network, this is the amount of time it takes for the transmitter to change from one frequency to another.

hopping sequence This is a predefined hopping pattern or set used in frequency hopping spread spectrum. The hopping sequence comprises a series of small carrier frequencies, or hops. Instead of transmitting on one set channel or finite frequency space, an FHSS radio card transmits on a sequence of subchannels called hops. Each time the hop sequence is completed, it is repeated.

hops These consist of a series of small carrier frequencies used by frequency hopping spread spectrum radios.

HT capabilities element This contains a number of fields that are used to advertise optional HT capabilities of an HT STA. It is present in beacon, association request, association response, reassociation request, reassociation response, probe request, and probe response frames.

HT Control field The HT Control field carries important PHY and MAC information regarding link adaptation, antenna selection, and calibration among other information.

HT-Greenfield This is one of the new PPDU formats defined by the 802.11n amendment.

HT-mixed This is one of the new PPDU formats defined by the 802.11n amendment.

Hybrid Coordination Function (HCF) The 802.11e amendment defines enhanced medium access methods to support QoS requirements. Hybrid Coordination Function (HCF) is an additional coordination function that is applied in an 802.11e QoS wireless network. HCF has two access mechanisms to provide QoS: Enhanced Distributed Channel Access (EDCA) and Hybrid Coordination Function Controlled Channel Access (HCCA).

Hybrid Coordination Function Controlled Channel Access (HCCA) As defined by the 802.11e amendment, Hybrid Coordination Function Controlled Channel Access (HCCA) is similar to PCF. HCCA gives the access point the ability to provide for prioritization of stations via a polling mechanism. Certain client stations are given a chance to transmit before others.

HT operation element The HT Operation Element is found in beacon, (re)association response, and probe response frames transmitted by an AP. The operation of HT STAs in the BSS is controlled by the HT Operation element.

I

idle This is one of the three awake states that a station can operate in when Power Save mode is enabled.

independent basic service set (IBSS) The 802.11 standard defines three topologies known as service sets. One topology, known as an independent basic service set (IBSS), involves direct communications between 802.11 client stations without the use of an access point. An 802.11 IBSS network is also known as a peer-to-peer network or an ad hoc network.

individual address This is an address assigned to a unique station on the network (also known as a unicast address).

industrial, scientific, and medical (ISM) The ISM bands are defined by the ITU-T in S5.138 and S5.150 of the radio regulations. Although the FCC ISM bands are the same as defined by the ITU-T, the usage of these bands in other countries may be different because of local regulations. The 900 MHz band is known as the industrial band, the 2.4 GHz band is known as the scientific band, and the 5.8 GHz band is known as the medical band. It should be noted that all three of these bands are license-free bands, and there are no restrictions on what types of equipment can be used in any of the three ISM bands.

The ISM bands are as follows:

902–928 MHz (26 MHz wide)

2.4000–2.4835 GHz (83.5 MHz wide)

5.725–5.875 GHz (150 MHz wide)

information elements These variable-length fields are optional in the body of a management frame.

information fields These are fixed-length mandatory fields in the body of a management frame.

initialization vector (IV) The IV is utilized by the RC4 streaming cipher that WEP encryption uses. The IV is a block of 24 bits that is combined with a static key. It is sent in clear text and is different on every frame. The effective key strength of combining the IV with the 40-bit static key is 64-bit encryption. TKIP uses an extended IV.

inner identity EAP methods that use tunneled authentication have two supplicant identities. These two supplicant identities are often called the outer identity and inner identity. The outer identity is effectively a bogus username, and the inner identity is the true identity of the supplicant.

interframe space (IFS) This is a period of time that exists between transmissions of wireless frames.

integrity check value (ICV) This is a data integrity checksum that is computed on data before encryption. The ICV is used to prevent data from being modified.

International Organization for Standardization (ISO) The ISO is a global, nongovernmental organization that identifies business, government, and societal needs and develops standards in partnership with the sectors that will put them to use. The ISO is responsible for the creation of the Open Systems Interconnection (OSI) model, which has been a standard reference for data communications between computers since the late 1970s. The OSI model is the cornerstone of data communications, and understanding it is one of the most important and fundamental tasks a person in the networking industry can undertake. The layers of the OSI model are as follows:

Layer 1—Physical

Layer 2—Data-Link

Layer 3—Network

Layer 4—Transport

Layer 5—Session

Layer 6—Presentation

Layer 7—Application

J

jammer This is a device that generates nonmodulated signals into the air with the intent of disrupting legitimate modulated signals.

jitter This is a variation of latency.

L

L-SIG TXOP protection This is an optional Physical layer protection mechanism, which uses the L-SIG (Legacy Signal) field in the HT-mixed PPDU Header.

latency Latency is the time it takes to deliver a packet from the source device to the destination device.

Lightweight Directory Access Protocol (LDAP) This is an application protocol for querying and modifying directory services running over TCP/IP. LDAP-compliant databases are often used with RADIUS solutions during proxy authentication.

listen interval This is a field in association and reassociation requests used to indicate to the AP how often a station in Power Save mode wakes to listen to beacon management frames.

Logical Link Control (LLC) This is the upper portion of the Data-Link layer, defined by IEEE 802.2 as the Logical Link Control (LLC) sublayer. It is identical for all 802-based networks, although not all IEEE 802 networks use it.

Long PPDU This is a PPDU consisting of a 144-bit PLCP Preamble, which consists of a 128-bit Sync field and a 16-bit Start of Frame Delimiter (SFD).

M

MAC header This is part of the MPDU that contains frame control information, duration information, addressing, and sequence control information.

MAC Protocol Data Unit (MPDU) This is an 802.11 frame. The components include a MAC header, an MSDU (data payload), and a trailer.

MAC Service Data Unit (MSDU) The MSDU contains data from the LLC and layers 3–7. A simple definition of the MSDU is the data payload that contains the IP packet plus some LLC data.

management frame protection (MFP) These are techniques used to deliver management frames in a secure manner with the hope of preventing many layer 2 denial-of-service attacks.

management frame protection capable (MFPC) This is a bit that an STA uses to advertise that it is capable of using protected management frames but does not require them.

management frame protection required (MFPR) This is a bit that an STA uses to advertise that it requires the use of protected management frames.

management frames Most of the frame subtypes defined in 802.11 belong to this frame type. Management frames are used by wireless stations to join and leave the network. Another name for an 802.11 management frame is a Management MAC Protocol Data Unit (MMPDU). Management frames do not carry any upper-layer information. There is no MSDU encapsulated in the MMPDU frame body, which carries only layer 2 information fields and information elements.

Management MAC Protocol Data Unit (MMPDU) This is another name for an 802.11 management frame.

maximum transmission unit (MTU) This is the largest-size packet or frame that can be transmitted across the network. The size varies depending on the protocol.

mean opinion score (MOS) This is a type of VoIP analysis that uses a value from 1 to 5, which indicates the perceived quality of a call.

Media Access Control (MAC) This is the bottom portion of the Data-Link layer, which is identical for all 802.11-based networks.

Message Integrity Check Code (MIC) TKIP uses a data integrity check known as the Message Integrity Code (MIC) to mitigate known bit-flipping attacks against WEP. The MIC is sometimes referred to by the nickname Michael. This is also sometimes referred to as a message integrity check.

Microsoft Point-to-Point Encryption (MPPE) MPPE is a 128-bit encryption method that uses the RC4 algorithm. MPPE is used with Point-to-Point Tunneling Protocol (PPTP) VPN technology.

milliwatt (mW) This is a unit of power equal to 1/1000 of a watt.

mixed mode This is the default operational mode of most 802.11g access points. Support for both DSSS/HR-DSSS and ERP is enabled; therefore, both 802.11b and 802.11g clients can communicate with the access point. See protection mechanism.

mobility domain This is a set of basic service sets (BSSs), within the same extended service set (ESS), that support fast BSS transitions between themselves.

mobility domain controller (MDC) Some WLAN vendors refer to their WLAN controllers as MDCs.

mobility domain information element (MDIE) This is used to indicate the existence of a mobility domain as well as the method of fast BSS transition.

mobility domain identifier (MDID) field This is a unique identifier of the group of APs that constitute a mobility domain.

modulation Modulation is manipulating a signal so that the receiving station has a way of distinguishing 0s and 1s.

modulation and coding schemes (MCS) As mandated by the 802.11n-2009 amendment, data rates for clause 20 HT radios are defined by multiple variables known as modulation coding schemes (MCSs). Non-HT radios that used OFDM technology (802.11a/g) defined data rates of 6 Mbps to 54 Mbps based on the modulation that was used. HT radios, however, define data rates based on numerous factors, including modulation, the number of spatial streams, channel size, and guard interval.

More Data field This is a 1-bit field used with Power Save mode to indicate whether the access point has more buffered data for the station.

More Data flag See More Data field.

More Fragments field This is a 1-bit field used with fragmentation to indicate whether there are more fragmented frames waiting to be transmitted.

multicast-group address This is an address used by an upper-layer entity to define a logical group of stations.

multichannel aggregation This is analysis that takes capture streams from multiple adapters and aggregates them into one capture. Typically each adapter is configured for a different channel.

multipath This is a propagation phenomenon that results in two or more paths of a signal arriving at a receiving antenna at the same time or within nanoseconds of each other.

multiple-input multiple-output (MIMO) This is any RF communications system that uses multiple antennas at both the transmitter and receiver to improve communication performance. MIMO communications are used by 802.11n radios.

N

narrow-band This is a small band, or range, of RF energy grouped tightly around a defined frequency.

near/far This occurs when a low-powered client station that is a great distance from the access point becomes an unheard client because other high-powered stations are very close to the access point. The transmissions of the high-powered stations can raise the noise floor to a level at which the lower-powered station cannot be heard. This scenario is referred to as the near/far problem.

Network Allocation Vector (NAV) This timer mechanism maintains a prediction of future traffic on the medium based on the Duration value information seen in a previous frame transmission. When an 802.11 radio is not transmitting, it is listening. When the listening radio hears a frame transmission from another station, it looks at the header of the frame and determines whether the Duration/ID field contains a Duration value or an ID value. If the field contains a Duration value, the listening station will set its NAV timer to this value. The listening station will then use the NAV as a countdown timer, knowing that the RF medium should be busy until the countdown reaches 0.

network interface card (NIC) This is a computer hardware adapter that interfaces the computer to a network.

noise floor This is a measurable level of background noise. This is often compared to received signal amplitudes. See signal-to-noise ratio (SNR).

nonce This is a random or pseudorandom value issued in an authentication protocol to ensure that previous communications cannot be reused in replay attacks.

nonadjacent channel This is any channel after an adjacent channel.

non-HT PPDU This is a PPDU defined by the 802.11n amendment, often referred to as a legacy format because it was originally defined by clause 17 of the 802.11-2007 standard for OFDM transmissions.

nonoverlapping channels When defined by DSSS, these are channels that have at least 30 MHz of spacing between the center frequencies. When defined by HR-DSSS, these are channels that have at least 25 MHz of spacing between the center frequencies.

null data frame Client stations sometimes use null data frames to enable or disable Power Save mode, which is indicated by a bit in the frame control field. The use of the null data frame allows a station to communicate with another device without requiring it to transmit data.

O

octet This is a series of 8 bits used to form a single byte.

Open System authentication Open System authentication is the simpler of the two 802.11 authentication methods. It provides authentication without performing any type of client verification. It is essentially an exchange of hellos between the client and the access point.

Order field This is a single bit set to 1 in any non-QoS data frame when a higher layer has requested that the data be sent using a strictly ordered class of service, which tells the receiving station that frames must be processed in order. The field is set to 0 in all other frames.

organizationally unique identifier (OUI) This is a 24-bit number that is purchased from and registered with the Institute of Electrical and Electronics Engineers (IEEE). It is intended to be an identifier uniquely given to a vendor, manufacturer, or other organization that reserves a block of each possible type of derivative identifier (such as MAC addresses) for the exclusive use of the assignee.

Orthogonal Frequency Division Multiplexing (OFDM) Orthogonal Frequency Division Multiplexing is one of the most popular communications technologies used in both wired and wireless communications. As part of 802.11 technologies, OFDM is specified in the 802.11a and 802.11g amendments and can transmit at speeds of up to 54 Mbps. OFDM technology is also used by 802.11n HT radios. OFDM transmits across separate, closely and precisely spaced frequencies, often referred to as subcarriers.

over-the-air fast BSS transition The client station communicates directly with the target AP using standard 802.11 authentication with the FT authentication algorithm. The PMK-R1 key is the seeding material for the over-the-air fast BSS transition process that creates the final pairwise transient key (PTK).

over-the-DS fast BSS transition The client station sends an FT Action request frame to the original AP. The FT Action request frame is forwarded over the distribution system (DS), which is the wired infrastructure. The target AP responds to the client station over the DS with an FT Action response frame.

outer identity See inner identity.

P

packet This is a unit of data at the network layer.

packet analysis This means decoding frames to determine content, frame type, origin, and destination.

packet slicing This feature allows you to capture a selected amount or piece of a packet, not the entire packet. This is often used with packet streams that are encrypted, since the encrypted data is often unusable and therefore extraneous.

packet spoofing This means creating and transmitting fake traffic with the intent of masquerading as a different device, disrupting service, or compromising a device or network.

pairwise master key (PMK) This is a cryptographic key that is used to derive lower-level keys.

pairwise transient key (PTK) Used to encrypt all unicast transmissions between a client station and an access point, each PTK is unique between each individual client station and the access point. Every client station possesses a unique PTK for unicast transmissions between the client STA and the AP. PTKs are used between a single supplicant and a single authenticator.

partial virtual bitmap This is one of the TIM information element fields. It is a series of flags (bits set to either a 1 or a 0) indicating whether each associated station has unicast frames buffered at the AP.

PC Card The PC Card standard specifies three types of PC Cards. The three card types are the same length and width and use the same 68-pin connector. The thicknesses of the cards are as follows: Type I = 3.3 mm, Type II = 5.0 mm, and Type III = 10.5 mm.

PCMCIA See Personal Computer Memory Card International Association.

peer map This is a visual representation of which STAs are communicating with each other. Lines between peers indicate communication.

Personal Computer Memory Card International Association (PCMCIA) PCMCIA is an international standards body and trade association. The PCMCIA has more than 100 member companies and was founded in 1989 to establish standards for peripheral cards and to promote interchangeability with mobile computers. A PCMCIA adapter is also known as a PC Card. A radio card can be used in any laptop or handheld device that has a PC Card slot. Most PC Cards have integrated antennas. Some cards have only external antenna connectors, while others have external antennas and external connectors.

phased coexistence operation (PCO) This is an optional 802.11n mode of operation that divides time and alternates between 20 MHz and 40 MHz transmissions.

physical carrier sense This is performed constantly by all stations that are not transmitting or receiving data. It determines whether a frame transmission is inbound for a station to receive or whether the medium is busy before transmitting. This is known as the clear channel assessment (CCA).

Physical layer This is the first layer of the OSI model. The Physical layer is divided into two sublayers. The upper portion of the Physical layer is known as the Physical Layer Convergence Procedure (PLCP) sublayer, and the lower portion is known as the Physical Medium Dependent (PMD) sublayer.

Physical Layer Convergence Procedure (PLCP) This is the upper portion of the Physical layer. PLCP prepares the frame for transmission by taking the frame from the MAC sublayer and creating the PLCP Protocol Data Unit (PPDU).

Physical Medium Dependent (PMD) This is the lower portion of the Physical layer. The PMD sublayer modulates and transmits the data as bits.

pilot carriers These are OFDM subcarriers used as references for phase and amplitude by the demodulator, allowing the receiver to compensate for distortion of the OFDM signal.

plain text This is unencrypted information or data.

PLCP header Part of the PLCP Protocol Data Unit (PPDU), this header is 48 bits long and contains the Signal (8 bits), Service (8 bits), Length (16 bits), and CRC (16 bits).

PLCP Preamble This is a string of 0 and 1 bits that are used to synchronize incoming transmissions.

PLCP Protocol Data Unit (PPDU) When the PLCP receives the PSDU, it prepares the PSDU to be transmitted and creates the PLCP Protocol Data Unit (PPDU). The PLCP adds a preamble and PHY header to the PSDU.

PLCP Service Data Unit (PSDU) This is equivalent to the MPDU. The MAC layer refers to the frame as the MPDU, whereas the Physical layer refers to this same frame as the PSDU.

Point Coordination Function (PCF) This is an optional 802.11 medium access method that uses a form of polling. Although defined by the standard, the medium access method has not been implemented.

point coordinator (PC) This is the polling device in an 802.11 PCF network.

port spanning This is also known as port mirroring. A network switch is configured to send a copy of all traffic traveling on the access point’s port on the switch to another port that has an analyzer connected to it.

power management field This is a single-bit field in the 802.11 MAC header that is used by a client station to notify the AP that the station is going into Power Save mode.

power management flag See power management field.

Power Save mode This is an optional mode for 802.11 stations. A wireless station can shut down some of the transceiver components for a period of time to conserve power. The station indicates that it is using Power Save mode by changing the value of the Power Management field to 1.

Power save multi-poll (PSMP) This power management method builds on scheduled automatic power save delivery (S-APSD). S-APSD comes from the 802.11e amendment. It is the power management method primarily defined for networks that use hybrid coordination function (HCF) controlled channel access (HCCA).

Power save poll (PS-Poll) frame When Power Save mode is enabled, if an access point has buffered data for a station when the station wakes up, the station will send a 20-octet frame to the access point, notifying the access point that the station is awake. When the access point receives the PS-Poll frame, it will send the buffered unicast frame to the station.

Pre-robust security network associations (pre-RSNAs) The 802.11-2007 standard defines WEP as a legacy encryption method.

probe request This is an 802.11 management frame that is transmitted during active scanning. A client station that is looking for an SSID sends a probe request. Access points that hear the probe request will send a probe response, notifying the client of the access points’ presence. If a client station receives probe responses from multiple access points, signal strength and quality characteristics are typically used by the client station to determine which access point has the best signal and thus to which access point it should connect.

probe response An 802.11 management frame that is transmitted during active scanning. After a client station sends a probe request, access points that hear the probe request will send a probe response, notifying the client of the access points’ presence. The information that is contained inside the body of a probe response frame is the same information that can be found in a beacon frame, with the exception of the traffic indication map (TIM).

processing gain This is the task of adding additional, redundant information to data. In this day and age of data compression, it seems strange that we would use a technology that adds data to our transmission, but by doing so, the communication is more resistant to data corruption. The system converts 1 bit of data into a series of bits that are referred to as chips.

protocol decodes Network analyzers can decode hundreds of network protocols, and these protocol decodes are used to decode the captured packets.

Protected frame field This is a single-bit field used to indicate whether the MSDU payload is encrypted. Originally the field was called the WEP bit.

protection mechanism For the legacy 802.11 DSSS stations, 802.11b HR-DSSS stations and 802.11g ERP stations to coexist, the ERP stations enable a protection mechanism, also known as protected mode. RTS/CTS or CTS-to-Self is used by the ERP stations to avoid interfering with the DSSS and HR-DSSS stations.

Protocol version field This 2-bit field of the Frame Control field indicates which protocol version of 802.11 is being used by the frame.

pseudo-random function (PRF) This hashes various inputs to derive a pseudorandom value and expands a key and a seed to a pseudorandom output, usually of a variable length.
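The pairwise master key (PMK), pairwise transient key (PTK), nonce, and pseudo-random function (PRF) entries describe one key-derivation step of the 4-Way Handshake. The Python below is an added example, not code from the glossary or from CWNP: it implements the 802.11i PRF-n construction (HMAC-SHA1 with a one-octet counter) and the PTK derivation from the PMK, the two MAC addresses, and the two handshake nonces. All key material and addresses are constructed for the example.

```python
"""802.11i PRF-n and pairwise transient key (PTK) derivation from the PMK and the
ANonce/SNonce exchanged in the 4-Way Handshake. All key material below is
constructed for this example and is not from any real network."""
import hashlib
import hmac


def prf(key: bytes, label: bytes, data: bytes, n_bits: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, 2, ... and truncate the result to n_bits."""
    n_bytes = n_bits // 8
    out = b""
    counter = 0
    while len(out) < n_bytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:n_bytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               n_bits: int = 384) -> bytes:
    """PTK = PRF-n(PMK, "Pairwise key expansion",
                   Min(AA, SPA) || Max(AA, SPA) || Min(ANonce, SNonce) || Max(ANonce, SNonce))

    AA is the authenticator (AP) address and SPA the supplicant address.
    Ordering the inputs by value lets both sides derive the same PTK no matter
    which side they are. n_bits is 384 for CCMP and 512 for TKIP."""
    if n_bits not in (384, 512):
        raise ValueError("PTK length must be 384 (CCMP) or 512 (TKIP) bits")
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, n_bits)


def split_ptk(ptk: bytes) -> dict:
    """Portions of the PTK: KCK (EAPOL-Key MIC key), KEK (wraps the GTK delivered
    in message 3), TK (temporal key that encrypts unicast data), and for TKIP
    the two additional 64-bit Michael MIC keys."""
    parts = {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}
    if len(ptk) == 64:
        parts["mic_key_1"] = ptk[48:56]
        parts["mic_key_2"] = ptk[56:64]
    return parts


# Constructed inputs: locally administered MAC addresses and fixed nonces
PMK = hashlib.sha256(b"example pmk, not a real one").digest()   # 256-bit PMK
AA = bytes.fromhex("020000000001")       # authenticator (AP) address
SPA = bytes.fromhex("020000000002")      # supplicant (client) address
ANONCE = bytes([0xAA]) * 32              # nonce chosen by the authenticator
SNONCE = bytes([0x55]) * 32              # nonce chosen by the supplicant

if __name__ == "__main__":
    ptk = derive_ptk(PMK, AA, SPA, ANONCE, SNONCE)
    for name, part in split_ptk(ptk).items():
        print(f"{name}: {part.hex()}")
```

Because the nonces are inputs to the PRF, a fresh ANonce or SNonce yields a different PTK from the same PMK; that is the replay protection the nonce entry refers to, and it is why a captured handshake cannot simply be replayed to re-establish an old session key.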

Q

quadrature amplitude modulation (QAM) This modulation technique is a hybrid of phase and amplitude modulation. It is used for transmission of OFDM 24 Mbps, 36 Mbps, 48 Mbps, and 54 Mbps data by 802.11a and 802.11g radios.

quality of service (QoS) This is an attempt to prioritize and provide certain levels of predictable throughput along a shared access medium.

quality of service data frame This is any Data Type frame where the most significant bit (MSB) of the Subtype field (bit b7) is set to 1. This bit is defined as the quality of service (QoS) subfield, specifying that the frame is a QoS data frame.

QoS control field This 16-bit field identifies the traffic category (TC) or traffic stream (TS) to which the frame belongs and various other QoS-related information about the frame.

quality-of-service basic service set (QBSS) This 802.11 basic service set provides quality of service (QoS). An infrastructure QBSS contains an 802.11e-compliant access point.

Queensland Attack This DoS attack exploits the CCA functionality in a WLAN, making devices believe the medium is busy and not allowing the devices to transmit since they are forced to back off.

R

R-Factor This metric is calculated from measurable information such as jitter, packet loss, and latency. R-Factor is a value in a range from 0 to 100.

Radiotap This is RF information captured by the wireless NIC during the RF-to-bit conversion process and then added to the captured wireless frame. The Radiotap header includes date and time stamps, a channel stamp, a signal stamp, and a noise stamp.

random backoff During the CSMA/CA process, after waiting for a DIFS period of inactivity, a random backoff value is chosen, and the STA proceeds to count down for this period of time.

RC4 The RC4 algorithm is a streaming cipher used in technologies that are often used to protect Internet traffic, such as Secure Sockets Layer (SSL). The RC4 algorithm is used to protect 802.11 wireless data and is incorporated into two encryption methods known as WEP and TKIP.

reason code This field is used to indicate the reason that an unsolicited notification management frame of type Disassociation, Deauthentication, DELTS, DELBA, or DLS Teardown was generated.

reassociation When a client station decides to roam to a new access point, it will send a reassociation request frame to the new access point. It is called a reassociation, not because it is reassociating to the access point but because it is reassociating to the SSID of the wireless network.

reassociation request This frame is sent by a station to an access point (never from an AP to a station or from a station to a station in an IBSS) and is used when the station is already associated to the ESS and wants to associate to another access point connecting to the same ESS.

reassociation response After reception of the reassociation request frame, if the AP is granting access to the cell, the reassociation response frame is sent.

receive This is one of the two core functions of the wireless network. The other is transmit.

receive DTIMS This station setting can enable or prevent the station from receiving DTIM beacons.

receive sensitivity This is the amount of signal a wireless station must receive in order to distinguish between data and noise.

received amplitude The received signal strength is most often referred to as received amplitude. RF signal strength measurements taken during a site survey are an example of received amplitude.

received channel power indicator (RCPI) This 802.11 signal measurement consists of an 8-bit value ranging from 0 to 220, incrementing by 0.5 dB. The RCPI values begin at –110 dBm and increment to 0 dBm.

received signal strength This is a measurement of the amount of signal received.

received signal strength indicator (RSSI) This optional 802.11 parameter has a value from 0 to 255. It is designed to be used by the hardware manufacturer as a relative measurement of the RF power that is received. The RSSI is one of the indicators that is used by a wireless device to determine whether another device is transmitting, also known as a clear channel assessment (CCA).

receiver The receiver is the final component in the wireless medium. The receiver takes the carrier signal that is received from the antenna and translates the modulated signals into 1s and 0s. It then takes this data and passes it to the computer to be processed.

receiver address (RA) This is the MAC address of the 802.11 radio that receives the incoming transmission from the transmitting station.

regulatory domain authority Local regulatory domain authorities of individual countries or regions define the spectrum policies and transmit power rules.

Remote Authentication Dial-In User Service (RADIUS) A networking protocol that provides centralized authentication, authorization, and accounting (AAA) management.

remote engine Remote engines are software services that run on dedicated hardware or existing servers. Packet capture, filtering, decoding, and analysis are all performed on the engine. All packets are stored on the engine or attached storage. The analyst can connect to an engine, configure captures, and perform analysis from a console application. The console application has the same look and feel as a local portable analyzer; however, only small screen updates are sent back across the network and not the packets.

Retry field This is a single-bit field of the Frame Control field indicating whether the frame is being retransmitted (1) or whether it is an original transmission of the frame (0).

Request to send See request to send/clear to send (RTS/CTS).

request to send/clear to send (RTS/CTS) This mechanism performs a NAV distribution and helps prevent collisions from occurring. This NAV distribution reserves the medium prior to the transmission of the data frame. RTS/CTS can be used to discover hidden node problems. RTS/CTS is one of the two protection mechanisms used in mixed-mode environments.

Reverse Direction (RD) protocol This improves the efficiency of data transfer between STAs. Legacy devices must contend for access to the medium before initiating a data transfer. When using the RD protocol, an STA, having obtained a Transmit Opportunity (TXOP), may grant other stations the opportunity to transmit data back within the same TXOP, without requiring the responding STA to contend for the medium before transmission.

RF monitor mode This is a special operating mode in which a wireless card becomes a passive monitoring device and cannot transmit. In this mode, wireless NICs listen to all 802.11 encoded signals on the channel on which they are currently monitoring, and normal wireless network operation is disabled.

reduced interframe space (RIFS) This is a new interframe space that is used in 802.11n and is even shorter in time than an SIFS. A RIFS interval can be used in place of an SIFS interval, resulting in less overhead during a frame burst.

Rijndael algorithm This is the block cipher developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, and selected by NIST as the Advanced Encryption Standard (AES). CCMP uses AES with a 128-bit key.

robust security network (RSN) A robust security network (RSN) is a network that only allows for the creation of robust security network associations (RSNAs). An RSN uses CCMP/AES encryption (TKIP is also permitted within an RSNA for legacy stations) together with either 802.1X/EAP or preshared key (PSK) authentication; pre-RSNA methods such as WEP and Shared Key authentication are not allowed.

robust security network associations (RSNAs) As defined by the 802.11i security amendment, two stations (STAs) must establish a procedure to authenticate and associate with each other as well as create dynamic encryption keys through a process known as the 4-Way Handshake. This association between two stations is referred to as a robust security network association (RSNA).

robust security network information element (RSNIE) Often referred to simply as the RSN information element, an information element is an optional field of variable length that can be found in 802.11 management frames. The RSN information element advertises the group and pairwise cipher suites and the authentication and key management (AKM) suites that a station or access point supports, so it shows whether CCMP or TKIP is in use and whether 802.1X/EAP authentication or preshared key (PSK) authentication is being used. The element travels unprotected in beacons, probe responses, and (re)association requests; the 4-Way Handshake repeats it inside the MIC-protected EAPOL-Key messages 2 and 3 so that each side can detect a downgraded copy.

S

scheduled automatic power save delivery (S-APSD) This is an enhanced power management method introduced by the IEEE 802.11e amendment.

security associations (SA) This is the establishment of shared security information between two network devices to support secure communication.

Sequence number field A 12-bit number assigned sequentially by the sending station to each MSDU and MMPDU. The value range is 0 to 4095.

service set identifier (SSID) The SSID is a logical name used to identify an 802.11 wireless network (WLAN). The SSID can consist of up to 32 octets and is case sensitive. Because the SSID is transmitted in cleartext in beacons, probe frames, and association requests, it is a network name and not an access control.

service set identifier (SSID) element This element is present in all beacons, probe requests, probe responses, association requests, and reassociation requests. The element ID is 0. The length field gives the length of the SSID string in octets, from 0 through 32; a zero-length SSID in a probe request is the wildcard SSID, which asks every access point in range to respond. Each character of the SSID string is coded over one octet, so the string contains as many octets as it has characters, with a maximum of 32.
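The two elements described above, and the RSN information element entry earlier in this section, are easiest to understand by decoding them. The following parser is an added example, not part of the original glossary: it walks the element list of a beacon or probe response body, decodes the SSID element and the RSN element (version, group cipher, pairwise cipher list, AKM list, capabilities, with the defaults the standard assigns to absent trailing fields), and flags whether the BSS is CCMP-only. The beacon body at the bottom is constructed for the example and is not a capture.

```python
import struct

# Element IDs and suite selectors as defined in the 802.11 standard.
EID_SSID = 0
EID_RSN = 48
SUITE_OUI = bytes.fromhex("000fac")          # IEEE suite selector OUI 00-0F-AC
CIPHER_SUITES = {0: "use-group", 1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104"}
AKM_SUITES = {1: "802.1X", 2: "PSK"}


def parse_elements(body):
    """Split the variable part of a management frame body into (element_id, data) pairs."""
    elements = []
    offset = 0
    while offset + 2 <= len(body):
        eid, length = body[offset], body[offset + 1]
        data = body[offset + 2:offset + 2 + length]
        if len(data) != length:
            raise ValueError("truncated element %d at offset %d" % (eid, offset))
        elements.append((eid, data))
        offset += 2 + length
    return elements


def parse_ssid(data):
    """SSID element body: 0..32 octets; zero length is the wildcard SSID of a probe request."""
    if len(data) > 32:
        raise ValueError("SSID longer than 32 octets")
    return data.decode("utf-8", errors="replace")


def suite_name(selector, names):
    """A suite selector is a 3-octet OUI followed by a 1-octet suite type."""
    oui, stype = selector[:3], selector[3]
    if oui != SUITE_OUI:
        return "vendor(%s):%d" % (oui.hex(), stype)
    return names.get(stype, "reserved:%d" % stype)


def _suite_list(data, offset, names):
    count = struct.unpack_from("<H", data, offset)[0]
    offset += 2
    if offset + 4 * count > len(data):
        raise ValueError("suite list runs past the end of the RSN element")
    suites = [suite_name(data[offset + 4 * i:offset + 4 * i + 4], names) for i in range(count)]
    return suites, offset + 4 * count


def parse_rsn(data):
    """RSN element body (little-endian): version, group cipher, pairwise cipher list,
    AKM list, RSN capabilities. Every field after the version is optional and, when
    absent, takes its default (CCMP-128 and 802.1X)."""
    if len(data) < 2:
        raise ValueError("RSN element shorter than its version field")
    version = struct.unpack_from("<H", data, 0)[0]
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    info = {"group": "CCMP-128", "pairwise": ["CCMP-128"], "akm": ["802.1X"], "capabilities": 0}
    offset = 2
    if len(data) >= offset + 4:
        info["group"] = suite_name(data[offset:offset + 4], CIPHER_SUITES)
        offset += 4
    if len(data) >= offset + 2:
        info["pairwise"], offset = _suite_list(data, offset, CIPHER_SUITES)
    if len(data) >= offset + 2:
        info["akm"], offset = _suite_list(data, offset, AKM_SUITES)
    if len(data) >= offset + 2:
        info["capabilities"] = struct.unpack_from("<H", data, offset)[0]
    return info


def summarize_beacon_body(body):
    """Decode the fixed fields (timestamp, beacon interval, capability) followed by the
    SSID and RSN elements of a beacon or probe response body."""
    timestamp, interval, capability = struct.unpack_from("<QHH", body, 0)
    result = {"timestamp_us": timestamp, "beacon_interval_tu": interval,
              "privacy": bool(capability & 0x0010), "ssid": None, "rsn": None}
    for eid, data in parse_elements(body[12:]):
        if eid == EID_SSID:
            result["ssid"] = parse_ssid(data)
        elif eid == EID_RSN:
            result["rsn"] = parse_rsn(data)
    rsn = result["rsn"]
    # CCMP-only means every advertised cipher is CCMP; TKIP anywhere means the BSS
    # still accepts the WPA-era cipher.
    result["ccmp_only"] = bool(rsn) and rsn["group"] == "CCMP-128" and rsn["pairwise"] == ["CCMP-128"]
    return result


# Constructed sample beacon body (not a capture): TSF timestamp 0x1234, interval 100 TU,
# capability ESS|Privacy, SSID "IEEE", RSN: group CCMP, pairwise CCMP and TKIP, AKM PSK.
SAMPLE_BODY = bytes.fromhex(
    "3412000000000000" "6400" "1100"
    "0004" "49454545"
    "3018" "0100" "000fac04" "0200" "000fac04" "000fac02" "0100" "000fac02" "0000"
)
```

Running `summarize_beacon_body(SAMPLE_BODY)` reports the SSID "IEEE", a PSK AKM, and `ccmp_only` false because TKIP is still offered as a pairwise cipher, which is exactly the mixed-mode configuration the RSN element exists to advertise.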

service periods Contiguous periods of time scheduled at regular intervals, during which one or more downlink unicast frames can be sent to the station and/or one or several unicast uplink frames can be polled from the station. This is used to provide expected QoS levels.

Shared Key authentication The more complex of the two 802.11 authentication methods. Shared Key authentication uses WEP to authenticate client stations and requires that a static WEP key be configured on both the station and the access point. In addition to WEP being mandatory, authentication will not work if the static WEP keys do not match. The authentication process is similar to Open System authentication but includes a challenge and response between the AP and client station. Because both the cleartext challenge and its WEP-encrypted response cross the air, an eavesdropper can XOR them to recover the RC4 keystream for that IV, so Shared Key authentication is considered weaker than Open System authentication and is not permitted in an RSN.

short guard interval See guard interval.

short interframe space (SIFS) This is the short gap used between the frames of a single exchange, for example between a data frame and its ACK or between an RTS and the CTS that answers it. Because a SIFS is shorter than the DIFS that other stations must wait, the responding station gains priority access to the medium.

Short PPDU This is a PPDU consisting of a 72-bit PLCP Preamble, which consists of a 56-bit Sync field and a 16-bit Start of Frame Delimiter (SFD).

Signal field This is a field in the PLCP Header that indicates which modulation method will be used to transmit the PSDU portion of the PPDU.

signal strength This is the magnitude of the electric field at a reference point that is a significant distance from the transmitting antenna.

signal-to-noise ratio (SNR) The SNR is the difference in decibels between a received signal and the background noise. The SNR is an important value because if the background noise is too close to the received signal, data can get corrupted and retransmissions will increase.

simple data frame This is an 802.11 data frame whose subtype is data. Simple data frames carry MSDU payloads.

single-input single-output (SISO) This is a system that makes use of a single radio chain.

slot time This is a period of time that differs between the different spread spectrum technologies. It is a large enough time to allow for receive-to-transmit radio turnaround, MAC processing, and clear channel assessment (CCA).

SM power save See spatial multiplexing power save (SMPS).

source address (SA) This is the MAC address of the original sending station.

spatial multiplexing (SM) MIMO radios transmit multiple radio signals at the same time. Each independent signal is known as a spatial stream, and each unique stream can contain different data. SM increases overall throughput.

spatial multiplexing power save (SMPS) High throughput stations are able to transmit multiple data streams at once by using spatial multiplexing in order to increase throughput or extend range, but keeping several radio chains active drains the battery. SMPS involves disabling spatial multiplexing temporarily so that battery life can be extended.

Space-Time Block Coding (STBC) This is a method to improve the reliability of data transfer by transmitting different copies of the data stream from different antennas. This adds a level of redundancy to data communication. By increasing the signal quality, the range is also increased.

spectral mask This is a frequency spectrum template that defines the maximum power a transmitter may emit at each frequency offset from the channel center. See also transmit spectrum mask.

spectrum analysis Locating sources of interference in the 2.4 GHz ISM and 5 GHz UNII bands is considered mandatory when performing an 802.11 wireless site survey. Using a spectrum analyzer to determine the state of the RF environment within a certain frequency range is known as spectrum analysis.

spectrum analyzer Spectrum analyzers are frequency domain measurement devices that can measure the amplitude and frequency space of electromagnetic signals. A spectrum analyzer is a tool that should always be used to locate sources of interference during an 802.11 wireless site survey. Spectrum analyzers are also used for security purposes to locate layer 1 DoS attacks. Most spectrum analyzers are stand-alone devices, but distributed solutions exist that can be used as layer 1 intrusion detection systems.

spread spectrum Spread spectrum transmission uses more bandwidth than is necessary to carry its data. Spread spectrum technology takes the data that is to be transmitted and spreads it across the frequencies that it is using.

spreading This is the process of converting a single data bit into a sequence. It is also known as chipping.

Start of Frame Delimiter (SFD) This is a 16-bit portion of the PPDU that indicates that the information found in the PLCP Header is being transmitted next.

station (STA) The main component of an 802.11 wireless network is the radio card, which is referred to by the 802.11 standard as a station (STA). The radio card can reside inside an access point or be used as a client station.

station service (SS) This is one of two major categories of 802.11 services used by all 802.11 client stations including access points; the other is the distribution system service (DSS).

station-to-station link (STSL) This is a direct link established between two stations.

status code This is a field in the ADDTS response action frame. This accepts or rejects the stream and specifies why. The reasons can range from a lack of bandwidth to wrong parameters.

subcarriers OFDM transmits across separate, closely and precisely spaced frequencies referred to as subcarriers.

Subtype See frame subtypes.

Subtype field This 4-bit field indicates the subtype of the frame.

supplicant When an 802.1X/EAP solution is deployed, a host with software that is requesting authentication and access to network resources is known as the supplicant.

supported rates This is the set of data rates that the access point will use when communicating with an associated station.

Supplicant nonce (SNonce) This is a random numerical value generated by the supplicant for a single 4-Way Handshake and never reused. It is sent to the authenticator in message 2 of the handshake and, together with the ANonce, the PMK, and the two MAC addresses, is used to derive the pairwise transient key (PTK).

swept spectrogram This spectrum analysis plot, also called a waterfall plot, converts the dB values to color and plots a single, 1-pixel-tall line at the bottom of the plot. When the next set of data arrives, the process is repeated, with all the previous data pushed up the stack by one row of pixels. If the sampling interval is one second, to look back at what occurred 10 seconds ago you simply look up 10 pixels from the bottom, where you will see the RF energy information that was received at that time.

Sync field This is part of the PPDU that alerts the receiver that a potentially receivable signal is present.

T

Temporal Key (TK) The temporal encryption key used to encrypt/decrypt the MSDU payload of 802.11 data frames between the supplicant and the authenticator.
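The TK above, the SNonce defined earlier, and the RSNA entry all describe pieces of one computation: the 4-Way Handshake derives the pairwise transient key (PTK) from the PMK, both MAC addresses, and both nonces, and the TK is a slice of that PTK. The following is an added example and not part of the original glossary. It implements the passphrase-to-PMK mapping used by WPA/WPA2-Personal (PBKDF2-HMAC-SHA1, 4096 iterations, 256 bits), the 802.11i PRF, and the PTK split into KCK, KEK, and TK (plus the two Michael keys when TKIP is the pairwise cipher). The MAC addresses and nonces in `demo()` are constructed values, not from a capture.

```python
import hashlib
import hmac


def passphrase_to_pmk(passphrase, ssid):
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, so the same passphrase yields a different PMK on every network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce, tkip=False):
    """Pairwise Transient Key for the 4-Way Handshake. Ordering the inputs by value (min/max)
    makes the result independent of which side is the authenticator, so both compute the
    same PTK. CCMP needs 384 bits; TKIP needs 512 because of the two Michael MIC keys."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64 if tkip else 48)
    keys = {
        "KCK": ptk[0:16],   # key confirmation key: MICs the EAPOL-Key messages
        "KEK": ptk[16:32],  # key encryption key: wraps the GTK in message 3
        "TK": ptk[32:48],   # temporal key: encrypts the data frames
    }
    if tkip:
        keys["TX_MIC"], keys["RX_MIC"] = ptk[48:56], ptk[56:64]
    return keys


def demo():
    """Constructed handshake inputs for illustration (not captured values)."""
    aa = bytes.fromhex("001122334455")       # authenticator (AP) MAC address
    spa = bytes.fromhex("aabbccddeeff")      # supplicant MAC address
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    pmk = passphrase_to_pmk("password", "IEEE")   # the 802.11i Annex H test passphrase/SSID
    return derive_ptk(pmk, aa, spa, anonce, snonce)


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex())
```

Two properties worth noticing: swapping the roles of the two stations leaves the PTK unchanged, and changing a single nonce changes every derived key, which is why a captured handshake can only be replayed against the same PMK and not reused to forge a new session.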

Temporal Key Integrity Protocol (TKIP) TKIP is an enhancement of WEP encryption that addresses many of the known weaknesses of WEP. TKIP starts with a 128-bit temporal key that is combined with a 48-bit initialization vector (IV) and the transmit MAC address in a complicated process known as per-packet key mixing. TKIP also uses sequencing and uses a stronger data integrity check known as the message integrity check (MIC). TKIP is the mandatory encryption method under WPA and is optional under WPA2. TKIP was designed as a stopgap for hardware that could only run RC4; it has since been deprecated, and CCMP/AES should be used wherever the hardware supports it.

Temporal Key Integrity Protocol (TKIP) countermeasures Countermeasures are used to protect against active attacks against the TKIP MIC (Michael), which is a weak integrity check by design. If a station detects two MIC failures within 60 seconds, it disables TKIP communication for 60 seconds and forces a rekey. An attacker who can inject frames with bad MICs can therefore also trigger the countermeasures deliberately as a denial of service.

Temporal Key Integrity Protocol (TKIP) mixed transmit address and key (TTAK) After the 128-bit temporal key is created, the two-phase key mixing process begins. A 48-bit TKIP sequence counter (TSC) is generated and broken into 6 octets labeled TSC0 (least significant octet) through TSC5 (most significant octet). Phase 1 key mixing combines the appropriate temporal key (pairwise or group) with the TSC2 through TSC5 octets of the TKIP sequence counter as well as the transmit address (TA). The TA is the MAC address of the transmitting 802.11 radio. The output of the Phase 1 key mixing is the creation of the TKIP-mixed transmit address and key (TTAK).

threshold-based expert analysis This expert analysis system collects network statistics and compares them to configured threshold values. When the statistics exceed the configured threshold, an expert event is triggered, and a notification is sent.

time domain This is the representation of a graph where the horizontal axis is calibrated by time.

time stamp This is an 8-byte field in the beacon and probe response frames, containing a value representing the time on the access point, which is the number of microseconds the AP has been active. The stations in the cell use the time stamp value to adjust their own clock.

To DS field This 1-bit field is part of the Frame Control field, indicating whether the frame is being sent to the distribution system (DS).

traffic identifier (TID) This is used by QoS to specify differentiated services on a per-MSDU basis.

traffic indication map (TIM) The traffic indication map (TIM) is used when stations have enabled Power Save mode. The TIM is a list of all stations that have undelivered data buffered on the access point waiting to be delivered. Every beacon will include the AID of the station until the data is delivered.

transition security network (TSN) An 802.11 wireless network that allows for the creation of prerobust security network associations (pre-RSNAs) as well as RSNAs is known as a transition security network. A TSN supports 802.11i-defined security as well as legacy security, such as WEP, within the same BSS.

transmit This is one of the two core functions of the wireless network. The other is receive.

transmit address (TA) This is the MAC address of the transmitting 802.11 radio.

transmit beamforming (TxBF) This means multiple antennas are connected to a signal processor. The processor feeds the individual antennas with signals of different relative phases, creating a directed beam of RF signal aimed at the client device. The 802.11n amendment defines this as an optional PHY capability. The technology uses phased-array antenna technology and is often referred to as smart antenna technology.

transmit opportunity (TXOP) This is a limited-duration controlled access phase, providing contention-free transfer of QoS data.

transmit opportunity (TXOP) holder During TXOP operations, the TXOP holder has unfettered access to the channel for data frame transmissions.

transmit opportunity (TXOP) limit This is the maximum duration of the TXOP interval.

transmit power control (TPC) This is part of the 802.11h amendment. TPC is used to regulate the power levels used by 802.11a radio cards. The ERC and the FCC mandate that radio cards operating in the 5 GHz band use TPC to abide by a maximum regulatory transmit power and be able to reduce transmission power to avoid interference. The TPC service is used to meet the ERC and FCC regulatory requirements.

transmit spectrum mask A mask that defines the frequencies and power levels that a transmission signal and its sidebands must operate within.

transmitter address (TA) The MAC address of an 802.11 radio that is transmitting the frame onto the half-duplex 802.11 medium.

Transport Layer Security (TLS) This is a cryptographic protocol normally used to provide secure communications. Like its predecessor SSL, the TLS protocol provides end-to-end encryption and authentication between two endpoints above the transport layer of the OSI model. In 802.11 networks, TLS is used inside EAP methods such as EAP-TLS, PEAP, and EAP-TTLS to authenticate the server and protect the inner credential exchange.

traffic specification (TSPEC) This is a field of the ADDTS request frame that contains the set of parameters that define in detail the characteristics and QoS expectations of a traffic flow, such as packet size, quantity, expected rate, and so on.

type See frame types.

Type field This is a 2-bit field indicating the type of the frame.

U

uncontrolled port This is a virtual port used during 802.1X/EAP authentication. The authenticator maintains two virtual ports: an uncontrolled port and a controlled port. The uncontrolled port allows EAP authentication traffic to pass through, while the controlled port blocks all other traffic until the supplicant has been authenticated.

unicast This is a transmission that is directed to a unique or individual station.

unicast address This is a destination address on a frame assigned to a unique station.

Unlicensed National Information Infrastructure (UNII) The IEEE 802.11a amendment designated OFDM data transmissions within the frequency space of the 5 GHz UNII bands. The 802.11a amendment defined three groupings, or bands, of UNII frequencies, known as UNII-1 (lower), UNII-2 (middle), and UNII-3 (upper). All three of these bands are 100 MHz wide, and each has four channels. The IEEE 802.11h amendment introduced the capability for 802.11 radios to transmit in a new frequency band called UNII-2 Extended with 11 more channels. The 802.11h amendment effectively is an extension of the 802.11a amendment.

The UNII bands are as follows:

UNII-1 (lower) is 5.15–5.25 GHz.

UNII-2 (middle) is 5.25–5.35 GHz.

UNII-2 Extended is 5.47–5.725 GHz.

UNII-3 (upper) is 5.725–5.825 GHz.

unscheduled automatic power save delivery (U-APSD) This is an enhanced power-management method introduced by the IEEE 802.11e amendment. The Wi-Fi Alliance’s WMM Power Save (WMM-PS) certification is based on U-APSD.

V

video This is the second highest access category used with 802.11e QoS.

virtual carrier sense This is a CSMA/CA mechanism used by listening 802.11 stations. When the listening radio hears a frame transmission from another station, it looks at the header of the frame and determines whether the Duration/ID field contains a Duration value or an ID value. If the field contains a Duration value, the listening station will set its NAV timer to this value. The listening station will then use the NAV as a countdown timer, knowing that the RF medium should be busy until the countdown reaches 0.
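The Duration/ID decision described above, together with the Frame Control fields defined elsewhere in this glossary (Type, Subtype, To DS, Retry, Sequence number) and the address roles (RA, TA, SA, DA, BSSID), can be shown in one header decoder. The following is an added example and not part of the original glossary. It parses the fixed MAC header of management, control, and data frames, distinguishes a Duration value from the CFP value and from an association ID, and applies the NAV update rule a listening station uses. The three frames at the bottom are constructed for the example, not captured.

```python
import struct

TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
SUBTYPE_NAMES = {
    (0, 0): "Association Request", (0, 1): "Association Response",
    (0, 2): "Reassociation Request", (0, 3): "Reassociation Response",
    (0, 4): "Probe Request", (0, 5): "Probe Response", (0, 8): "Beacon",
    (0, 10): "Disassociation", (0, 11): "Authentication",
    (0, 12): "Deauthentication", (0, 13): "Action",
    (1, 10): "PS-Poll", (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK",
    (2, 0): "Data", (2, 4): "Null", (2, 8): "QoS Data",
}
RA_ONLY_CONTROL = {12, 13}      # CTS and ACK carry only a receiver address


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def decode_duration_id(value):
    """Bit 15 clear: a NAV duration in microseconds (0..32767).
    Bit 15 set, bit 14 clear: the fixed value 32768 used during the contention-free period.
    Bits 15 and 14 set: an association ID (1..2007) carried in a PS-Poll."""
    if not value & 0x8000:
        return ("duration", value)
    if not value & 0x4000:
        return ("cfp", value) if value == 0x8000 else ("reserved", value)
    aid = value & 0x3FFF
    return ("aid", aid) if 1 <= aid <= 2007 else ("reserved", value)


def parse_header(frame):
    """Decode Frame Control, Duration/ID, the address fields and Sequence Control."""
    fc, duration_id = struct.unpack_from("<HH", frame, 0)
    flags = fc >> 8
    hdr = {
        "version": fc & 0x3, "type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
        "to_ds": bool(flags & 0x01), "from_ds": bool(flags & 0x02),
        "more_frag": bool(flags & 0x04), "retry": bool(flags & 0x08),
        "pwr_mgt": bool(flags & 0x10), "more_data": bool(flags & 0x20),
        "protected": bool(flags & 0x40), "order": bool(flags & 0x80),
        "duration_id": decode_duration_id(duration_id),
    }
    fallback = "%s/%d" % (TYPE_NAMES.get(hdr["type"], "reserved"), hdr["subtype"])
    hdr["name"] = SUBTYPE_NAMES.get((hdr["type"], hdr["subtype"]), fallback)
    hdr["RA"] = mac_str(frame[4:10])                 # Address 1 is always the receiver
    if hdr["type"] == 1:                             # control frames: at most RA and TA
        if hdr["subtype"] not in RA_ONLY_CONTROL:
            hdr["TA"] = mac_str(frame[10:16])
        return hdr
    a2, a3 = mac_str(frame[10:16]), mac_str(frame[16:22])
    hdr["TA"] = a2                                   # Address 2 is always the transmitter
    seq_ctl = struct.unpack_from("<H", frame, 22)[0]
    hdr["fragment"], hdr["sequence"] = seq_ctl & 0xF, seq_ctl >> 4   # 4-bit and 12-bit fields
    # The roles of Address 1..3 (and 4) depend on the To DS / From DS bits.
    if not hdr["to_ds"] and not hdr["from_ds"]:
        hdr.update(DA=hdr["RA"], SA=a2, BSSID=a3)
    elif hdr["to_ds"] and not hdr["from_ds"]:
        hdr.update(BSSID=hdr["RA"], SA=a2, DA=a3)
    elif not hdr["to_ds"] and hdr["from_ds"]:
        hdr.update(DA=hdr["RA"], BSSID=a2, SA=a3)
    else:                                            # WDS four-address format
        hdr.update(DA=a3, SA=mac_str(frame[24:30]))
    return hdr


def update_nav(nav_end_us, now_us, frame, my_mac):
    """Virtual carrier sense: a station that is not the RA sets its NAV from a Duration
    value, and only if the new reservation ends later than the one it already holds."""
    hdr = parse_header(frame)
    kind, value = hdr["duration_id"]
    if kind != "duration" or hdr["RA"] == my_mac:
        return nav_end_us
    return max(nav_end_us, now_us + value)


# Constructed sample frames (not captures).
# Data frame, To DS=1, Retry=1, Protected=1, Duration 44 us, sequence 1234, fragment 0.
DATA_FRAME = bytes.fromhex("0849" "2c00" "001122334455" "aabbccddee01" "001122334466" "204d")
# PS-Poll: Duration/ID carries AID 1 (0xC001), followed by BSSID and TA.
PS_POLL = bytes.fromhex("a400" "01c0" "001122334455" "aabbccddee01")
# ACK addressed to the data frame's sender: Duration 0 and only an RA.
ACK = bytes.fromhex("d400" "0000" "aabbccddee01")
```

Note that a listening station applies the NAV only when the field holds a Duration value; the AID in a PS-Poll and the CFP value are not medium reservations, and the frame's own receiver does not reserve against itself.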

voice This is the highest access category used with 802.11e QoS.

Voice over IP (VoIP) This stands for Voice over Internet Protocol and is the transmission of voice conversations over a data network using TCP/IP protocols.

Voice over Wi-Fi (VoWiFi) Any software or hardware that uses Voice over IP communications over an 802.11 wireless network is known as VoWiFi. Because of latency concerns, VoWiFi requires QoS mechanisms to function properly in an 802.11 BSS.

W

waterfall plot See swept spectrogram.

wavelength This is the distance between similar points on two back-to-back waves. When measuring a wave, the wavelength is typically measured from the peak of a wave to the peak of the next wave.

Wi-Fi Alliance The Wi-Fi Alliance is a global, nonprofit industry trade association with more than 300 member companies. The Wi-Fi Alliance is devoted to promoting the growth of wireless LANs (WLANs). One of the Wi-Fi Alliance’s primary tasks is to ensure the interoperability of WLAN products by providing certification testing. During the early days of the 802.11 standard, the Wi-Fi Alliance further defined the 802.11 standard and provided a set of guidelines to ensure compatibility among vendors. Products that pass the Wi-Fi certification process receive a “Wi-Fi CERTIFIED” certificate.

Wi-Fi Protected Access (WPA) Prior to the ratification of the 802.11i amendment, the Wi-Fi Alliance introduced Wi-Fi Protected Access (WPA) certification as a snapshot of the not-yet-released 802.11i amendment, supporting only the TKIP/RC4 dynamic encryption key management. 802.1X/EAP authentication was required in the enterprise, and passphrase authentication was required in a SOHO environment.

Wi-Fi Protected Access 2 (WPA2) WPA2 is based on the security mechanisms that were originally defined in the IEEE 802.11i amendment defining a robust security network (RSN). Two versions of WPA2 exist: WPA2-Personal defines security for a small-office home-office (SOHO) environment, and WPA2-Enterprise defines stronger security for enterprise corporate networks. Each certified product is required to support WPA2-Personal or WPA2-Enterprise.

Wi-Fi Protected Setup (WPS) Wi-Fi Protected Setup defines simplified and automatic WPA and WPA2 security configurations for home and small-business users.

wildcard BSSID This is an address of all 1s (hex FF:FF:FF:FF:FF:FF), making the address a broadcast address.

Wired Equivalent Privacy (WEP) WEP is a layer 2 encryption method that uses the RC4 stream cipher. The original 802.11 standard defined 64-bit and 128-bit WEP; those figures include a 24-bit initialization vector (IV) sent in the clear, so the secret key is only 40 or 104 bits. The short IV repeats, the CRC-32 integrity check value (ICV) is linear and does not detect deliberate modification, and the way the IV is prepended to the key leaks key material. WEP encryption has been cracked and is not considered a strong encryption method.
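The weaknesses listed above, and the Shared Key authentication entry earlier in this glossary, can be seen directly in a few lines of code. The following is an added example and not part of the original glossary. It implements WEP encapsulation (IV, key ID octet, RC4 over payload plus CRC-32 ICV) and decapsulation with ICV verification, then models the Shared Key challenge/response and shows that an eavesdropper who sees both frames obtains the RC4 keystream for that IV and can answer a later challenge without the key. The key, IV, and challenge values in the usage are constructed for the example.

```python
import struct
import zlib


def rc4(key, length):
    """RC4 keystream of the given length (key scheduling followed by the generator)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data):
    """WEP integrity check value: plain CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key, iv, plaintext, key_id=0):
    """Seed = IV || key (24-bit IV plus a 40- or 104-bit key is '64'- or '128-bit' WEP).
    Output = IV || KeyID octet || RC4(plaintext || ICV)."""
    if len(key) not in (5, 13) or len(iv) != 3:
        raise ValueError("WEP needs a 5- or 13-byte key and a 3-byte IV")
    body = plaintext + icv(plaintext)
    return iv + bytes([key_id << 6]) + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key, frame_body):
    """Return the plaintext, or None when the ICV does not verify."""
    iv, data = frame_body[:3], frame_body[4:]
    body = xor(data, rc4(iv + key, len(data)))
    plaintext, tag = body[:-4], body[-4:]
    return plaintext if icv(plaintext) == tag else None


def shared_key_auth_exchange(key, challenge, iv):
    """Frames 2 and 3 of Shared Key authentication: the AP's cleartext challenge and the
    station's WEP-encrypted copy of it. Both are visible to anyone in range."""
    return challenge, wep_encrypt(key, iv, challenge)


def recover_keystream(challenge, encrypted_response):
    """The eavesdropper XORs the known plaintext (challenge plus its ICV) with the
    encrypted body and obtains the RC4 keystream for that IV without the key."""
    iv = encrypted_response[:3]
    return iv, xor(challenge + icv(challenge), encrypted_response[4:])


def forge_response(iv, keystream, new_challenge):
    """Answer a new challenge of the same length by reusing the recovered keystream and IV."""
    body = new_challenge + icv(new_challenge)
    if len(body) > len(keystream):
        raise ValueError("recovered keystream is too short for this challenge")
    return iv + b"\x00" + xor(body, keystream[:len(body)])


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")          # constructed 40-bit WEP key
    iv = bytes.fromhex("a1b2c3")               # constructed IV
    challenge, response = shared_key_auth_exchange(key, bytes(range(128)), iv)
    _, keystream = recover_keystream(challenge, response)
    forged = forge_response(iv, keystream, bytes(range(128, 256)))
    print("forged response accepted:", wep_decrypt(key, forged) is not None)
```

The forged frame verifies because WEP's ICV is computed over the plaintext the attacker chose, and the AP accepts any IV the station presents; nothing in the exchange ties the response to knowledge of the key beyond the keystream the challenge already revealed.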

wireless distribution system (WDS) Although the distribution system (DS) typically uses a wired Ethernet backbone, it is possible to use a wireless connection instead. A wireless distribution system (WDS) can connect access points together, using what is referred to as a wireless backhaul. WLAN bridges, repeaters, and mesh access points all use WDS connectivity.

wireless intrusion detection system (WIDS) A WIDS is a client/server solution that is used to monitor constantly for 802.11 wireless attacks such as rogue APs, MAC spoofing, layer 2 DoS, and so on. A WIDS usually consists of three components: a server, sensors, and monitoring software. Wireless intrusion detection uses policies and alarms to classify attacks properly and to alert administrators to potential attacks.

wireless intrusion prevention system (WIPS) A WIPS is a wireless intrusion detection system (WIDS) that is capable of mitigating attacks from rogue access points. WIPS use spoofed deauthentication frames, SNMP port shutdown on the wired switch, and proprietary methods to render a rogue access device useless and to protect the network backbone.

wireless local area network (WLAN) The 802.11 standard is defined as a wireless local area network technology. Local area networks provide networking for a building or campus environment. The 802.11 wireless medium is a perfect fit for local area networking simply because of the range and speeds that are defined by the 802.11 standard and its amendments. The majority of 802.11 wireless network deployments are indeed local area networks (LANs) that provide access at businesses and homes.

wireless probes These are remote sensors that typically look like access points and are installed in remote locations. Analysts can use these sensors to remotely capture packets and send them across the network to the network analyzer.

wireless sensor This monitors the wireless environment 24/7 and sends its statistics to a centralized server. A consolidated view of wireless security and performance can be accessed from a console application.
