802.11h — Spectrum Management (5 GHz)
Why it exists: Early 5 GHz Wi-Fi risked interfering with radar and other incumbents. 802.11h added mechanisms so Wi-Fi could legally share 5 GHz.
What it adds
- DFS (Dynamic Frequency Selection):
- AP listens for radar before using a DFS channel (CAC pre-check), and vacates the channel if radar is detected.
- Sends Channel Switch Announcement (CSA) frames to move clients gracefully.
- TPC (Transmit Power Control):
- AP/clients adjust transmit power to meet regional EIRP limits and reduce interference.
- Includes Power Constraint and TPC Report elements in beacons/management frames.
Where you see it (Aruba): DFS enablement and events, channel moves, ARM/Radio profiles managing EIRP, logs that show radar hits/CAC timing. Mandatory on DFS channels.
802.11e — QoS Enhancements
Why it exists: “Old” Wi-Fi treated all frames equally—bad for latency-sensitive voice/video.
What it adds (key pieces)
- WMM (Wi-Fi Multimedia) — Wi-Fi Alliance profile derived from 802.11e; universally deployed.
- EDCA (Enhanced Distributed Channel Access): Four access categories with different contention parameters: Voice (AC_VO), Video (AC_VI), Best-Effort (AC_BE), Background (AC_BK).
- QoS Control field in MAC header; DSCP↔WMM mapping.
- HCCA / TSPEC / Admission Control (less common in the wild): Optional, centrally scheduled access; call admission control (CAC) based on traffic specs.
- Block ACK: Acknowledge many frames at once (efficiency).
- (U-)APSD: Power-save for clients while maintaining QoS.
Where you see it (Aruba): WMM on SSIDs (default on), DSCP↔WMM mapping, optional voice/video admission control with TSPEC, airtime-fairness features, U-APSD toggles.
802.11i — Robust Security (RSN/WPA2)
Why it exists: WEP was broken. 802.11i defined modern Wi-Fi security.
What it adds
- RSN (Robust Security Network): The security architecture visible as the RSN Information Element in beacons/probes.
- Key hierarchy & handshakes:
- 802.1X/EAP (Enterprise) and PSK (Personal) authentication methods (AKM suites).
- 4-Way Handshake to derive PTK/GTK from the PMK; Group Key updates.
- Ciphers: CCMP (AES) is the strong, modern default; TKIP retained only for backward-compatibility.
- (Related but separate later work: 802.11w PMF protects management frames; WPA3/SAE came later—built atop the RSN framework.)
Where you see it (Aruba): SSID security profile selecting WPA2-Enterprise (802.1X) or WPA2-PSK, cipher suites (AES-CCMP), PMK caching/OKC, 4-way handshake/EAPOL exchanges in captures.
How they’re related (big picture)
| Layer | 802.11h | 802.11e | 802.11i |
|---|---|---|---|
| Problem solved | Regulatory coexistence in 5 GHz | Traffic prioritization & latency | Confidentiality, integrity, authentication |
| Main mechanisms | DFS, TPC, CSA | WMM/EDCA, TSPEC/CAC, Block-ACK, (U-)APSD | RSN/AKMs, 4-way handshake, CCMP/TKIP |
| Effect on users | AP may change channels; power levels adapt | Voice/video gets airtime priority | Secure association and encrypted data |
| Typical status today | Required on DFS channels | WMM is ubiquitous; TSPEC optional | WPA2-AES standard; WPA3 increasingly common |
They stack, not replace:
Example: a 5 GHz SSID carrying VoIP calls with WPA2-Enterprise runs DFS/TPC (11h), prioritizes voice via WMM/EDCA (11e), and secures traffic with RSN/CCMP (11i) simultaneously.
Practical Aruba tips
- 11h: Prefer non-DFS channels where radar is common; let ARM manage EIRP and DFS moves; monitor DFS events/CACs.
- 11e: Keep WMM enabled, map DSCP→AC properly, enable voice CAC on dedicated voice SSIDs if you truly need admission control.
- 11i: Use WPA2-Enterprise (AES-CCMP) or WPA3 where possible; avoid TKIP; enable PMF (802.11w)—required for WPA3, recommended for WPA2.
802.11h/11e/11i in Wireshark: A Practical pcap Checklist (DFS/TPC, QoS, RSN)
802.11h — DFS/TPC (5 GHz spectrum management)
Where to look
- Beacons / Probe Responses (AP announces capabilities and constraints)
- Action frames (Spectrum Management) when the AP moves channels or exchanges TPC info
- Association Responses (may repeat constraints/country information)
What to expand in Wireshark (Packet Details)
- IEEE 802.11 wireless LAN management frame → Tagged parameters:
- Country (lists allowed channels & power)
- Power Constraint (11h) — AP tells clients the local EIRP limit offset
- TPC Report (11h) — reported tx power/RSSI (seen in spectrum mgmt exchanges)
- Channel Switch Announcement (CSA) (11h) — shows New channel and Switch count
- Extended CSA (11h, optional) — same idea, extended format
- Quiet (11h) — announces quiet periods (for measurements/radar detection)
(Common element IDs by spec: Power Constraint=32, TPC Report=35, CSA=37, Quiet=40, Extended CSA=60.)
Quick filters
wireshark复制编辑# See channel moves as they happen
wlan_mgt.csa || wlan_mgt.ext_channel_switch
# Show spectrum-management action frames
wlan_mgt.category_code == 0 # "spectrum management" action category
# Beacons only (then inspect tagged parameters for Country/Power Constraint/etc.)
wlan.fc.type_subtype == 0x08
802.11e — QoS / WMM
Where to look
- Beacons / Probe Responses (EDCA parameters via WMM/WME element)
- Association Requests (client advertises QoS support)
- Data frames (QoS Control field present)
- Block ACK / Block ACK Request control frames
What to expand
- Beacon / Probe Response → WMM/WME Information/Parameter Element
- Access categories (AC_VO, AC_VI, AC_BE, AC_BK) with AIFSN/CWmin/CWmax/TXOP
- QoS Data frames → QoS Control field (TID, EOSP, Ack policy)
- Block ACK / Block ACK Request fields (11e efficiency feature)
- (U-)APSD flags (power-save enhancements)
(WMM is a Wi-Fi Alliance profile derived from 11e; it appears as a Vendor-Specific IE with OUI 00:50:F2 and “WME/WMM”.)
Quick filters
wireshark复制编辑# Any QoS data frames (will have the QoS Control field)
wlan.qos == 1
# Beacons that advertise WMM/WME (vendor IE with Microsoft OUI 00:50:f2 type 2)
wlan.tag.oui == 00:50:f2 && wlan.tag.vendor.type == 2
# Block Ack / Block Ack Request control frames
wlan.ba || wlan.bar
802.11i — RSN / WPA2 security
Where to look
- Beacons / Probe Responses (RSN Information Element—cipher suites & AKMs)
- Association Requests/Responses (negotiated RSN params)
- EAPOL (4-Way Handshake after association)
- Group Key Handshake (periodic GTK updates)
What to expand
- RSN Information Element (RSN IE)
- Pairwise ciphers (e.g., CCMP (AES), GCMP on newer gear; avoid TKIP)
- AKM suites (PSK, 802.1X/EAP, SAE, etc.)
- RSN Capabilities (PMF/802.11w capable/required bits)
- EAPOL Key frames (handshake messages 1–4; replay counters, nonces, MIC)
(RSN IE is the standardized element; older WPA-only appears as a vendor IE. The RSN IE is Element ID 48.)
Quick filters
wireshark复制编辑# Show the RSN IE quickly (Element ID 48)
wlan.tag.number == 48
# EAPOL (4-Way Handshake)
eapol
# If you also want to catch older WPA vendor IEs (less common today)
wlan.tag.oui == 00:50:f2 && wlan.tag.vendor.type == 1
Putting it together (fast workflow)
- Filter for a Beacon
wlan.fc.type_subtype == 0x08- Expand Tagged parameters → confirm:
- RSN IE (802.11i): cipher & AKM suites, PMF bits
- WMM/WME Parameter Element (802.11e): EDCA ACs
- Country / Power Constraint / (E)CSA / Quiet (802.11h)
- Expand Tagged parameters → confirm:
- Check association
wlan.fc.type_subtype in {0x00,0x01}(Assoc Req/Resp)- Make sure client and AP negotiated the same RSN settings and QoS.
- Watch the security handshake
eapol- Confirm 4-way completes, ciphers match RSN IE.
- Verify QoS in data path
wlan.qos == 1- Expand QoS Control for TID; check EDCA behavior if needed.
- Look for
wlan.ba || wlan.barfor Block ACK activity.
- Observe DFS/TPC events (if on DFS channels)
wlan_mgt.csa || wlan_mgt.ext_channel_switch- You’ll see new channel and a countdown before the move.
Bonus tips
- In Aruba, you’ll also see CSA/DFS moves in the controller/AP logs; pair those timestamps with your pcap to correlate events.
- For PMF (802.11w), look inside the RSN Capabilities bits in the RSN IE (look for “Management Frame Protection capable/required”).
- When validating DSCP↔WMM mappings, capture both sides (air + wired) and compare the WMM AC/TID in 802.11 vs DSCP/802.1p on the wired egress.