802.11 Beacons Revealed
In a previous tutorial, I provided an overview of the various frame types that 802.11 stations (network cards and access points) use to support wireless data communications. In addition to data frames that carry information from higher layers, 802.11 includes management and control frames that support data transfer. The beacon frame, which is a type of management frame, provides the "heartbeat" of a wireless LAN, enabling stations to establish and maintain communications in an orderly fashion.
A typical beacon frame is approximately fifty bytes long, with about half of that being a common frame header and cyclic redundancy checking (CRC) field. As with other frames, the header includes source and destination MAC addresses as well as other information regarding the communications process. The destination address is always set to all ones, which is the broadcast Medium Access Control (MAC) address. This forces all other stations on the applicable channel to receive and process each beacon frame. The CRC field provides error detection capability.
The beacon's frame body resides between the header and the CRC field and constitutes the other half of the beacon frame. Each beacon frame carries the following information in the frame body:
- Beacon interval. This represents the amount of time between beacon transmissions. Before a station enters power save mode, the station needs the beacon interval to know when to wake up to receive the beacon (and learn whether there are buffered frames at the access point).
- Timestamp. After receiving a beacon frame, a station uses the timestamp value to update its local clock. This process enables synchronization among all stations that are associated with the same access point.
- Service Set Identifier (SSID). The SSID identifies a specific wireless LAN. Before associating with a particular wireless LAN, a station must be configured with the same SSID as the access point. By default, access points include the SSID in the beacon frame so that sniffing functions (such as the one built into Windows XP) can identify the SSID and automatically configure the wireless network interface card (NIC) with the proper SSID. Some access point vendors offer an option to stop broadcasting the SSID in beacon frames in order to reduce security issues.
- Supported rates. Each beacon carries information that describes the rates that the particular wireless LAN supports. For example, a beacon may indicate that only the 1, 2, and 5.5 Mbps data rates are available. As a result, an 802.11b station would stay within those limits and not use 11 Mbps. With this information, stations can use performance metrics to decide which access point to associate with.
- Parameter Sets. The beacon includes information about the specific signaling method in use (such as frequency hopping spread spectrum or direct sequence spread spectrum). For example, a beacon includes in the appropriate parameter set the channel number that an 802.11b access point is using. Likewise, a beacon belonging to a frequency hopping network indicates the hopping pattern and dwell time.
- Capability Information. This signifies requirements of stations that wish to belong to the wireless LAN that the beacon represents. For example, this information may indicate that all stations must use wired equivalent privacy (WEP) in order to participate on the network.
- Traffic Indication Map (TIM). An access point periodically sends the TIM within a beacon to identify which stations using power saving mode have data frames waiting for them in the access point's buffer. The TIM identifies a station by the association ID that the access point assigned during the association process.
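As an added example that is not part of the original article, the following Python decodes the fixed fields and the elements listed above from a beacon frame body (the frame header and CRC already stripped). The field layout and element IDs follow the 802.11 standard; the sample beacon bytes are constructed here for illustration.

```python
import struct

IE_SSID, IE_RATES, IE_DS_PARAMS, IE_TIM = 0, 1, 3, 5  # element IDs assigned by the 802.11 standard

def parse_beacon_body(body: bytes) -> dict:
    """Decode the fixed fields and information elements of a beacon frame body (header and CRC stripped)."""
    if len(body) < 12:
        raise ValueError("beacon body shorter than the 12-byte fixed fields")
    # Fixed fields, all little-endian: 8-byte timestamp (us), 2-byte beacon interval (TU), 2-byte capability
    timestamp, interval_tu, cap = struct.unpack_from("<QHH", body, 0)
    info = {
        "timestamp_us": timestamp,
        "beacon_interval_ms": interval_tu * 1024 / 1000,  # one time unit (TU) is 1024 microseconds
        "ess": bool(cap & 0x0001),               # capability bit 0: infrastructure network (access point)
        "privacy_required": bool(cap & 0x0010),  # capability bit 4: stations must use WEP to join
    }
    pos = 12
    while pos + 2 <= len(body):               # elements follow as ID, length, value
        eid, elen = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + elen]
        if len(data) < elen:
            raise ValueError("truncated information element")
        if eid == IE_SSID:
            # A zero-length SSID element is one way a non-broadcast ("hidden") SSID appears on the air
            info["ssid"] = data.decode("utf-8", "replace") if data else None
        elif eid == IE_RATES:
            # One byte per rate in 500 kbps units; the high bit marks a basic (mandatory) rate
            info["rates_mbps"] = [(b & 0x7F) / 2 for b in data]
        elif eid == IE_DS_PARAMS:
            info["channel"] = data[0]         # DS parameter set carries the current channel number
        elif eid == IE_TIM:
            info["buffered_aids"] = decode_tim(data)
        pos += 2 + elen
    return info

def decode_tim(data: bytes) -> list:
    """Return the association IDs whose bit is set in the TIM's partial virtual bitmap."""
    bitmap_ctrl = data[2]                     # data[0] and data[1] are the DTIM count and DTIM period
    offset = (bitmap_ctrl & 0xFE) >> 1        # bitmap offset, in units of two octets
    aids = []
    for i, octet in enumerate(data[3:]):
        for bit in range(8):
            if octet & (1 << bit):
                aids.append((offset * 2 + i) * 8 + bit)
    return aids

# Constructed sample body: ESS with WEP required, 100 TU interval, channel 6, AIDs 1 and 3 have buffered frames
SAMPLE_BODY = (
    struct.pack("<QHH", 0x12345678, 100, 0x0011) + bytes([IE_SSID, 7]) + b"CorpNet"
    + bytes([IE_RATES, 3, 0x82, 0x84, 0x8B])  # basic rates 1, 2 and 5.5 Mbps
    + bytes([IE_DS_PARAMS, 1, 6])
    + bytes([IE_TIM, 4, 0, 1, 0, 0x0A])       # DTIM count 0, period 1, no offset, bitmap 0b00001010
)
```

A hidden SSID shows up as `ssid` being `None`, and a station that is absent from `buffered_aids` has nothing waiting at the access point and can stay asleep.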
An 802.11 probe response frame is very similar to a beacon frame, except that probe responses don't carry the TIM and are only sent in response to a probe request. A station sends a probe request frame to trigger a probe response when it needs to obtain information from another station. A radio NIC, for instance, broadcasts a probe request when using active scanning to determine which access points are within range for possible association. Some sniffing tools (e.g., NetStumbler) send probe requests so that access points respond with the desired information.
Beacons in action
In infrastructure networks, access points (not radio NICs) periodically send beacons. You can set the beacon interval through the access point configuration screen. In general, the beacon interval is set to 100ms, which provides good performance for most applications.
In ad hoc networks, there are no access points. As a result, one of the peer stations assumes the responsibility for sending the beacon. After receiving a beacon frame, each station waits for the beacon interval plus a random time delay and then sends a beacon if no other station has already done so. This ensures that at least one station sends a beacon, and the random delay rotates the responsibility for sending beacons among the stations.
By increasing the beacon interval, you can reduce the number of beacons and associated overhead, but that will likely delay the association and roaming process because stations scanning for available access points may miss the beacons. You can decrease the beacon interval, which increases the rate of beacons. This will make the association and roaming process very responsive; however, the network will incur additional overhead and throughput will go down. In addition, stations using power save mode will need to consume more power because they'll need to awaken more often, which reduces power saving mode benefits.
In an idle network, beacons dominate all other traffic. A packet-monitoring tool, such as AirMagnet or AiroPeek, would display a continuous stream of beacon frames. With no user-generated traffic, only an occasional data frame carrying a protocol used for non-802.11 purposes, such as the dynamic host configuration protocol (DHCP), will appear. Of course, on networks with active users, a variety of other frames, such as association requests/responses, data frames carrying Internet traffic, acknowledgements, etc., intermix with the beacons.
There are no reservations for sending beacons, and they must be sent using the mandatory 802.11 carrier sense multiple access / collision avoidance (CSMA/CA) algorithm. If another station is sending a frame when the beacon is to be sent, then the access point (or NIC in an ad hoc network) must wait. As a result, the actual time between beacons may be longer than the beacon interval. Stations, however, compensate for this inaccuracy by utilizing the timestamp found within the beacon.
The amount of overhead that beacon frame transmissions generate is substantial; however, the beacon serves a variety of functions. For example, each beacon transmission announces the presence of an access point. By default, radio NICs passively scan all RF channels and listen for beacons coming from access points in order to find a suitable access point.
When a beacon is found, the radio NIC learns a great deal about that particular network. This enables a ranking of access points based on the received signal strength of the beacon, along with capability information regarding the network. The radio NIC can then associate with the most preferable access point.
After association, the station continues to scan for other beacons in case the signal from the currently associated access point becomes too weak to maintain communications. As the radio NIC receives beacons from the associated access point, it updates its local clock to maintain timing synchronization with the access point and other stations. In addition, the radio NIC abides by any other changes, such as data rate, that the frame body of the beacon indicates.
The beacons also support stations implementing power saving mode. In infrastructure networks, the access point buffers frames destined for sleeping stations and announces which radio NICs have frames waiting through the TIM that's part of the beacon. In an ad hoc network, on the other hand, the beacon marks the beginning of a period during which stations buffering frames can alert sleeping stations that frames are waiting for delivery.
As you can see, beacons are very important; without them, a wireless LAN simply won't work.
Jim Geier provides independent consulting services to companies developing and deploying wireless network solutions. He is the author of the book, Wireless LANs (SAMs, 2001), and produces computer-based training courses covering wireless LANs topics.