Networking – What speed are Wi-Fi management and control frames sent at


There are a bunch of different 802.11 Wi-Fi standards, e.g. 802.11a, 802.11b, 802.11g, 802.11n etc. that all support different speeds. Wi-Fi frames are generally categorised as one of the following:

  1. Data frames – carry the actual application data
  2. Control frames – coordinate when it's safe to send/reduce collisions
  3. Management frames – handle connection discovery/setup/tear down (e.g. AP discovery, association, disassociation)

My question is about whether all these frames, and specifically management frames, are transmitted at the fastest supported speed available, or whether certain classes of frames are transmitted at some lowest common denominator speed. I have noticed that when I put an 802.11b/g only device into monitor mode and capture traffic over the air, I still see management frames (e.g. association/disassociation) being transmitted between my phone and AP which are both 802.11n, even though 802.11n has a higher transfer rate. So I am imagining one of two possibilities:

  1. My 802.11n phone/AP had to negotiate a slower speed for some reason and that's why I can see their frames on my 802.11b/g monitoring device.
  2. Management frames (and perhaps control frames also?) are sent at a lower speed, and it's only data frames that are transmitted faster with newer 802.11 standards.

The reason I would like to know which one of these two possibilities (or perhaps a third possibility) is the case is that I want to capture management frames, and need to know whether using an 802.11b/g card is going to lead to me missing some frames sent at higher speeds than the monitoring card can observe. If management frames are indeed sent at a slower rate, then it's all good. If I just happen to be seeing the management frames because my phone/AP have negotiated a slower rate though, then I need to reconsider what card I use for packet capture.

Best Answer

The 802.11 standards generally don't dictate which speeds various frames should be sent at. It's left as an implementation detail for the implementors. However, multicast (and thus also broadcast) frames generally have to be sent at a Basic Rate -- that is, one of the rates the AP marked as mandatory for all clients of that AP to support if they want to associate to that AP. That's the only way to be sure those frames are received by all clients, and you have to do that with multicasts because they're not Ack'd at the 802.11 layer.

Since many of the management frames you care about are either multicasts (like Beacons and Probe Requests) or are sent before compliance with the Basic Rate Set has been fully negotiated (such as Auths and Assoc's), it's pretty common to see those go out at low rates.

I commonly see implementations send most Management frames at the lowest Basic Rate: generally 1 Mbps in 2.4GHz where the old 802.11-1997 DSSS rates can be used, and 6 Mbps in 5GHz where the 802.11a rates are the lowest.

However, if you really want to have the best chance at capturing everything, you should be doing your capture on a card whose capabilities meet or exceed the capabilities of the AP and client you want to capture. Some management frames, such as Action frames (including the "Add Block Ack" a.k.a. "ADDBA" frame crucial to proper 802.11n operation) are often unicast, and as such may go at whatever the max speed the client and AP can support.

So if you're buying a card today to capture everything, you should get a 3 spatial stream 802.11n card capable of doing 40MHz channels (HT40) in either band (look for "450mbps" on the box, because that's the top data rate really available on the market today). Also expect to buy an 802.11ac card in the coming months once those really start hitting the market. The few 802.11ac client solutions available now in June of 2012 seem to be a bit on the premature side and probably aren't worth your time. But by this time next year at the latest, there should be some decent 11ac cards available.
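The Basic Rate Set mentioned in the answer is advertised by the AP in every Beacon and Probe Response, so it can be read out of a capture to see which rates are mandatory for that AP. The Python below is an added example, not part of the original answer; the sample beacon bytes are constructed, and the input is assumed to start at the 802.11 MAC header (radiotap header and FCS already stripped, no HT Control field).

```python
import struct

# BSS membership selectors share the rates elements but are not rates
# (127 = HT PHY, 126 = VHT PHY), so they are skipped.
MEMBERSHIP_SELECTORS = {127, 126}

def basic_rate_set(frame: bytes):
    """Return (basic, other) rate lists in Mbps from a Beacon or Probe Response."""
    if len(frame) < 36:
        raise ValueError("frame too short for a beacon")
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in (5, 8):
        raise ValueError("not a Beacon or Probe Response")
    basic, other = set(), set()
    pos = 24 + 12  # MAC header + timestamp, beacon interval, capability
    while pos + 2 <= len(frame):
        elem_id, elem_len = frame[pos], frame[pos + 1]
        body = frame[pos + 2 : pos + 2 + elem_len]
        if len(body) < elem_len:
            break  # truncated capture: stop at the damaged element
        if elem_id in (1, 50):  # Supported Rates, Extended Supported Rates
            for b in body:
                value = b & 0x7F
                if b & 0x80 and value in MEMBERSHIP_SELECTORS:
                    continue
                # High bit marks a Basic Rate; low 7 bits are 500 kb/s units.
                (basic if b & 0x80 else other).add(value / 2)
        pos += 2 + elem_len
    return sorted(basic), sorted(other)

# Constructed sample: a 2.4GHz beacon with the DSSS rates marked basic.
SAMPLE_BEACON = (
    bytes.fromhex("80000000") + b"\xff" * 6        # frame control, duration, DA
    + bytes.fromhex("020000000001") * 2 + bytes(2)  # SA, BSSID, sequence control
    + bytes(8) + struct.pack("<HH", 100, 0x0431)    # timestamp, interval, capability
    + b"\x00\x04test"                               # SSID element
    + bytes([1, 8, 0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24])
    + bytes([50, 5, 0x30, 0x48, 0x60, 0x6C, 0xFF])  # 0xFF = HT PHY selector
)

if __name__ == "__main__":
    basic, other = basic_rate_set(SAMPLE_BEACON)
    print("basic rates (Mbps):", basic)
    print("other rates (Mbps):", other)
```
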
