2024-12-14

In this post, we will take a look at the ‘beacon frames’ of Wi-Fi 7 and explore the additional IEs (Information Elements). Starting from 802.11n, you will notice two key information elements: the “Capability Element” and the “Operations Element”. Typically, both the AP (beacons, Probe Res, Association Res) and clients (Probe Req, Association Req) include the “Capability Element” to advertise their capabilities. However, the “Operations Element” is only advertised by the AP to inform clients about the operational conditions of the BSS.

802.11n – “HT Capabilities” and “HT Operations”

802.11ac – “VHT Capabilities” and “VHT Operations”

802.11ax – “HE Capabilities” and “HE Operations”

802.11be – “EHT Capabilities” and “EHT Operations”

Based on the easiest way to capture all Wi-Fi 7 traffic (you can refer to my Wi-Fi PCAP related posts for more details), I used a Cisco 9178 AP managed by Meraki for this testing. The test setup is very simple, as shown below, and here (mrk-9178-be200-wifi7.pcap) is the PCAP captured for this analysis.

Here is a beacon frame of the “MRK-PSK” SSID operating on CH85@80MHz in the 6GHz band and CH36@40MHz in the 5GHz band. You can filter beacon frames containing the SSID name “MRK-PSK” using the display filter below.
((wlan.fc.type_subtype == 0x0008) && (wlan.fc.type == 0)) && (wlan.ssid == 4d:52:4b:2d:50:53:4b)

You can see that beacon frames on 5GHz include all of the HT/VHT/HE/EHT Capabilities and Operations elements.

If you see a beacon frame on the 6GHz band, you will only see HE and EHT elements, as 6GHz is not backward compatible with OFDM (which is the technology behind HT and VHT). You may notice that on 6GHz, multiple SSID capabilities are advertised in a single beacon frame (as opposed to having separate beacon frames for each SSID), which includes the ‘Multiple BSSID’ element.


The ‘EHT Capabilities’ element is organized into “MAC” and “PHY” capabilities, as in HE. That way, you can easily find the MAC and PHY layer-related information in a PCAP. It also lists the supported EHT-MCS and Nss set. As you can see below, the Cisco 9178 indicates that it supports MCS 0 to 13 with a maximum of 4 spatial streams. If you would like to see the client’s EHT capabilities, you can look at the same information element in the “Association Request” frames (you will see they support 2SS, MCS 0-13 in both 80MHz and 160MHz).

Examples of a few PHY capabilities are highlighted below. You can use these bits to filter and determine if the AP supports 320MHz or if it supports MCS 14 or 15, for example.

In the ‘EHT Operation’ element you will see ‘EHT Operation Parameters’ and ‘Basic EHT-MCS and Nss Set’. In this PCAP, the AP, which operates in CH85@80MHz, indicates (with b0 to b7 set to 11) that all EHT stations in the cell must support MCS 0-9 in 1SS. I have shown the ‘HE Operation’ element to compare the details of EHT and HE elements.

In addition to the above ‘EHT Capabilities’ and ‘EHT Operations’ elements, a few other information elements can be present in beacon frames.

Multi-Link – indicates multi-link capability and control info

Multi-Link Traffic Indication – indicates a list of per-link traffic indication bitmap for clients

TID-To-Link Mapping – indicates links on which frames belonging to each TID can be exchanged

Channel Usage

Quiet element – defines an interval during which no transmission occurs in the channel

In our PCAP, you can see both ‘Multi-Link’ and ‘Multi-Link Traffic Indication’ elements are present. We will look at ‘Multi-Link’ elements in detail in an upcoming blog post using a few examples of Wi-Fi 7 client types.

Another thing to note about EHT beacon frames is that they should be protected. Once beacon protection is enabled, it is indicated in the ‘Extended Capability’ element by setting bit 84 (Octet 11) to 1. So, in EHT stations, the integrity of the EHT beacon frames must be verified, and the required negotiation takes place during the 4-Way Handshake process (BIGTK). Therefore, the client device must enable beacon protection when the AP advertises support for it on the SSID. In Wi-Fi 7, it is mandatory for the AP to support it, and once the AP enables it, the client station must adhere to that.

You can use the ‘Beacon Protection’ bit to filter EHT beacon frames in a given capture (simply drag and drop it into the Wireshark display filter area). You will see all those beacon frames coming from the same MAC address (BSSID), which is not the case for HT/VHT/HE, where each radio typically has a unique BSSID. In Wi-Fi 7, to support MLO, both the AP and clients are required to have a common MAC address (known as the Upper MAC) across all radio bands.
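The same beacon protection check can be run offline against the raw tagged parameters of a beacon. The Python below is an added example, not code from the original post or from any vendor tool: it walks the information elements, lists the HT/VHT/HE/EHT elements present, and flags a beacon that carries EHT Capabilities without bit 84 set in Extended Capabilities. The function names are assumptions, and the element bodies are constructed zero-filled samples rather than bytes from the capture.

```python
# Element IDs per IEEE 802.11; ID 255 is "extension" and the next octet is the real ID.
EXT_CAPS, EXTENSION = 127, 255
NAMED = {45: "HT Capabilities", 61: "HT Operation",
         191: "VHT Capabilities", 192: "VHT Operation"}
NAMED_EXT = {35: "HE Capabilities", 36: "HE Operation",
             106: "EHT Operation", 107: "Multi-Link", 108: "EHT Capabilities"}
BEACON_PROTECTION_BIT = 84  # Extended Capabilities bit 84, i.e. octet 11


def parse_elements(tagged: bytes):
    """Yield (id, ext_id_or_None, body) per element; stop at a truncated one."""
    pos = 0
    while pos + 2 <= len(tagged):
        eid, length = tagged[pos], tagged[pos + 1]
        body = tagged[pos + 2:pos + 2 + length]
        if len(body) < length:  # length field runs past the end of the frame
            return
        if eid == EXTENSION and length >= 1:
            yield eid, body[0], body[1:]
        else:
            yield eid, None, body
        pos += 2 + length


def audit_beacon(tagged: bytes) -> dict:
    """List HT/VHT/HE/EHT elements present and read the beacon protection bit."""
    seen, protected = [], False
    octet, bit = divmod(BEACON_PROTECTION_BIT, 8)  # zero-based octet 10, bit 4
    for eid, ext, body in parse_elements(tagged):
        name = NAMED_EXT.get(ext) if eid == EXTENSION else NAMED.get(eid)
        if name:
            seen.append(name)
        if eid == EXT_CAPS:  # a short element simply does not carry bit 84
            protected = len(body) > octet and bool((body[octet] >> bit) & 1)
    return {"elements": seen, "beacon_protection": protected,
            "eht_without_protection": "EHT Capabilities" in seen and not protected}


def ie(eid: int, body: bytes) -> bytes:  # builds one element (constructed test data)
    return bytes([eid, len(body)]) + body


if __name__ == "__main__":
    # Constructed, zero-filled sample bodies; not bytes from the post's capture.
    six_ghz = (ie(255, b"\x23" + bytes(4)) + ie(255, b"\x6a" + bytes(5))
               + ie(255, b"\x6c" + bytes(9)) + ie(127, bytes(10) + b"\x10"))
    unprotected = ie(255, b"\x6c" + bytes(9)) + ie(127, bytes(8))
    print(audit_beacon(six_ghz))
    print(audit_beacon(unprotected))
```

A beacon reported with `eht_without_protection` set is worth a closer look in the capture, since the post notes that beacon protection is mandatory for Wi-Fi 7 APs.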

We will look at the Multi-Link element in detail in the next post.

Related Posts
1. Wi-Fi PCAP with Meraki
2. Wi-Fi PCAP with UniFi
3. Wi-Fi PCAP with Mist
4. Wi-Fi PCAP with Ekahau
5. Wi-Fi 7 Overview
