The To DS and From DS Fields

I am currently studying for the Certified Wireless Analysis Professional (CWAP) exam, and while rereading the study guide I found the chapters that examine the different fields and elements present in the MAC header the most interesting. I had a rough idea before, but during my studies I learned a great deal more about the fields and elements unique to wireless that keep the network functioning and help frames get delivered. Two fields of particular interest are To Distribution System (To DS) and From Distribution System (From DS), and how these two bits determine whether a frame is leaving or entering the wireless environment.

Distribution System

A quick definition first: the distribution system (DS) is the infrastructure that connects multiple access points together to form an Extended Service Set (ESS). The DS is typically an 802.3 Ethernet wired network, but it doesn’t have to be; the DS can even be a wireless backhaul.

MAC Header & Frame Control Field

Let’s now look at the MAC header, which can contain up to four address fields. The number of address fields is a major difference between Ethernet frames, which use only two address fields, and wireless frames, which can use as many as four. Each address field is 6 bytes long to hold a standard 48-bit MAC address. Most wireless frames use only three of the address fields; frames transmitted across a wireless distribution system are the only ones that use all four.

The MAC header contains the Frame Control field, which consists of 11 subfields (see the picture below), including the To DS and From DS fields. The To DS and From DS fields are each 1 bit and can hold a 1 or a 0, giving four possible combinations of the two fields.

(Figure: MAC header and the subfields of the Frame Control field)

The To DS and From DS fields are important when assessing a frame, since the combination of these two bits identifies whether the frame is entering or leaving the wireless environment. The fields also show whether the frame is part of an ad hoc network or a wireless distribution system, and whether it is a Management or Control frame that is never intended to leave the wireless environment.

To DS and From DS fields are both 0

The frame is either part of an ad hoc network or is not intended to leave the wireless environment. The screenshot below shows a Beacon Management frame with a status of not leaving the DS or network (see the highlighted line). Management and Control frames always have the To DS and From DS fields set to 0 and are never sent to the distribution system network.

An ad hoc network connects multiple wireless devices directly to each other and typically does not connect to a wired network, so there is no DS involved and no requirement to set either field to 1.

(Figure: Wireshark capture of a Beacon management frame with To DS = 0 and From DS = 0)

To DS field is 1 and From DS field is 0

The frame is leaving the wireless environment and is intended for a device on the distribution system network. For example, after a wireless station authenticates it will need to obtain an IP address, and that DHCP request will be forwarded by the AP to the DHCP server that resides on the distribution system network.

To DS field is 0 and From DS field is 1

The frame is entering the wireless environment from the DS. The screenshot below shows a Data frame (Type/Subtype field) captured in Wireshark; the highlighted line shows the To DS and From DS fields along with the status of the frame coming from the DS to the station via the access point.

(Figure: Wireshark capture of a Data frame with To DS = 0 and From DS = 1)

To DS and From DS fields are both 1

When both To DS and From DS are set to 1, the frame is part of a wireless distribution system (WDS). WDS links are used to connect multiple networks together, typically for building-to-building connectivity, or a WDS can connect access points together to form a wireless mesh network.

Address Fields

As mentioned, the MAC header can contain four addresses, and the meaning of each address changes depending on how the To DS and From DS fields are set. Here is a quick reference for how the address fields are assigned for each To DS and From DS combination.

To DS and From DS are both 0

Address 1 = Destination
Address 2 = Source
Address 3 = BSSID

To DS field is 1 and From DS field is 0

Address 1 = BSSID
Address 2 = Source
Address 3 = Destination

To DS field is 0 and From DS field is 1

Address 1 = Destination
Address 2 = BSSID
Address 3 = Source

To DS and From DS are both 1

Address 1 = Receiver
Address 2 = Transmitter
Address 3 = Destination
Address 4 = Source
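To make the quick-reference table above concrete, here is an added Python example (not code from the original post) that decodes the Frame Control field of a raw 802.11 MAC header, reads the type, subtype, To DS and From DS bits, and labels the address fields using the table above. It also computes the numeric value that Wireshark’s wlan.fc.type_subtype display filter matches. The sample headers, MAC addresses and BSSID are constructed for the example, and control-frame handling is limited to the Receiver and Transmitter addresses of the common subtypes.

```python
import struct

# Frame types encoded in bits 2-3 of the first Frame Control byte
FRAME_TYPES = {0: "Management", 1: "Control", 2: "Data"}

# Address roles for management and data frames, keyed by (To DS, From DS);
# this is the article's quick-reference table in code form.
ADDRESS_ROLES = {
    (0, 0): ("Destination", "Source", "BSSID"),
    (1, 0): ("BSSID", "Source", "Destination"),
    (0, 1): ("Destination", "BSSID", "Source"),
    (1, 1): ("Receiver", "Transmitter", "Destination", "Source"),
}

# Direction of flow for each To DS / From DS combination
DIRECTION = {
    (0, 0): "stays in the wireless environment (management/control frame or ad hoc)",
    (1, 0): "leaving the wireless environment: station -> AP -> DS",
    (0, 1): "entering the wireless environment: DS -> AP -> station",
    (1, 1): "wireless distribution system (AP to AP / mesh)",
}

# Control subtypes that carry a Transmitter address after the Receiver address
CONTROL_WITH_TA = {8, 9, 10, 11}   # Block Ack Request, Block Ack, PS-Poll, RTS


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_mac_header(frame: bytes) -> dict:
    """Decode the Frame Control field and the address fields of an 802.11 MAC header."""
    if len(frame) < 10:
        raise ValueError("frame too short for an 802.11 MAC header")
    fc = struct.unpack_from("<H", frame, 0)[0]   # Frame Control is sent little-endian
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    to_ds = (fc >> 8) & 1                        # first bit of the second FC byte
    from_ds = (fc >> 9) & 1                      # second bit of the second FC byte
    info = {
        "type": FRAME_TYPES.get(ftype, "Reserved"),
        "subtype": subtype,
        "type_subtype": (ftype << 4) | subtype,  # value matched by wlan.fc.type_subtype
        "to_ds": to_ds,
        "from_ds": from_ds,
        "protected": (fc >> 14) & 1,
        "direction": DIRECTION[(to_ds, from_ds)],
        "addresses": {},
    }
    if ftype == 1:
        # Control frames have a shorter header: a Receiver address, sometimes a Transmitter
        info["addresses"]["Receiver"] = mac_str(frame[4:10])
        if subtype in CONTROL_WITH_TA and len(frame) >= 16:
            info["addresses"]["Transmitter"] = mac_str(frame[10:16])
        return info
    roles = ADDRESS_ROLES[(to_ds, from_ds)]
    offsets = (4, 10, 16, 24)                     # Address 4 sits after Sequence Control
    if len(frame) < offsets[len(roles) - 1] + 6:
        raise ValueError("frame too short for the address fields its DS bits require")
    for role, off in zip(roles, offsets):
        info["addresses"][role] = mac_str(frame[off:off + 6])
    return info


# Constructed sample frames (MAC headers only, no frame body or FCS)
AP = bytes.fromhex("001122334455")        # hypothetical access point / BSSID
STA = bytes.fromhex("66778899aabb")       # hypothetical wireless station
PEER_AP = bytes.fromhex("ccddeeff0011")   # hypothetical WDS peer access point
WIRED = bytes.fromhex("0a0b0c0d0e0f")     # hypothetical host on the distribution system
BCAST = b"\xff" * 6
DUR = b"\x2c\x00"                         # Duration/ID field, arbitrary
SEQ = b"\x10\x00"                         # Sequence Control, arbitrary

SAMPLE_FRAMES = {
    "beacon":       b"\x80\x00" + b"\x00\x00" + BCAST + AP + AP + SEQ,      # To DS 0, From DS 0
    "data_to_ds":   b"\x08\x01" + DUR + AP + STA + WIRED + SEQ,             # To DS 1, From DS 0
    "data_from_ds": b"\x08\x02" + DUR + STA + AP + WIRED + SEQ,             # To DS 0, From DS 1
    "qos_wds":      b"\x88\x03" + DUR + PEER_AP + AP + WIRED + SEQ + STA,   # To DS 1, From DS 1
    "ack":          b"\xd4\x00" + b"\x00\x00" + STA,                        # control frame
}


if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        h = parse_mac_header(frame)
        print(f"{name}: {h['type']} subtype {h['subtype']} "
              f"(wlan.fc.type_subtype=={h['type_subtype']}) "
              f"To DS={h['to_ds']} From DS={h['from_ds']}: {h['direction']}")
        for role, mac in h["addresses"].items():
            print(f"    {role:<12}{mac}")
```

Running the script prints one block per sample frame; the data frame with To DS = 1 reports the AP as BSSID in Address 1 and the wired host as Destination in Address 3, while the WDS frame is the only one that yields four labelled addresses.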

Conclusion

When observing packets in a sniffer or pen testing a wireless network, it is important to look at the To DS and From DS fields to verify the direction of flow for the packet and how these fields then relate to the MAC addresses in the header.

Wireshark 802.11 Display Filters

Wireshark 802.11 frame type and subtype display filters to quickly sort packet captures.


Frame type / subtype                   Display filter
Management Frames                      wlan.fc.type==0
Control Frames                         wlan.fc.type==1
Data Frames                            wlan.fc.type==2
Association Request                    wlan.fc.type_subtype==0
Association Response                   wlan.fc.type_subtype==1
Reassociation Request                  wlan.fc.type_subtype==2
Reassociation Response                 wlan.fc.type_subtype==3
Probe Request                          wlan.fc.type_subtype==4
Probe Response                         wlan.fc.type_subtype==5
Beacon                                 wlan.fc.type_subtype==8
ATIM                                   wlan.fc.type_subtype==9
Disassociation                         wlan.fc.type_subtype==10
Authentication                         wlan.fc.type_subtype==11
Deauthentication                       wlan.fc.type_subtype==12
Action Frames                          wlan.fc.type_subtype==13
Block ACK Request                      wlan.fc.type_subtype==24
Block ACK                              wlan.fc.type_subtype==25
Power Save Poll                        wlan.fc.type_subtype==26
Request to Send                        wlan.fc.type_subtype==27
Clear to Send                          wlan.fc.type_subtype==28
ACK                                    wlan.fc.type_subtype==29
CFP End                                wlan.fc.type_subtype==30
CFP End ACK                            wlan.fc.type_subtype==31
Data + CF ACK                          wlan.fc.type_subtype==33
Data + CF Poll                         wlan.fc.type_subtype==34
Data + CF ACK + CF Poll                wlan.fc.type_subtype==35
Null Data                              wlan.fc.type_subtype==36
Null Data + CF ACK                     wlan.fc.type_subtype==37
Null Data + CF Poll                    wlan.fc.type_subtype==38
Null Data + CF ACK + CF Poll           wlan.fc.type_subtype==39
QoS Data                               wlan.fc.type_subtype==40
QoS Data + CF ACK                      wlan.fc.type_subtype==41
QoS Data + CF Poll                     wlan.fc.type_subtype==42
QoS Data + CF ACK + CF Poll            wlan.fc.type_subtype==43
Null QoS Data                          wlan.fc.type_subtype==44
Null QoS Data + CF Poll                wlan.fc.type_subtype==46
Null QoS Data + CF ACK + CF Poll       wlan.fc.type_subtype==47

CWNA CWSP CWAP Study Resources

General Resources

Quick overview of 802 legacy, 802.11a, 802.11b, 802.11g, 802.11n, and the 802.11ac draft standard.

Free Wi-Fi Learning Resources from CWNP

The CWNP Question of the Day (QOTD)

CWNP Exam Terms

CWNP Study Guide CD-ROM Downloads

Packetlife WLAN cheat sheet

Wi-Fi Alliance home page

CWNA

Certified Wireless Network Administrator (CWNA) Overview of the Certification

CWNA Certified Wireless Network Official Study Guide: Exam PW0-105 (CWNP Official Study Guides)

Here is the link to download the updated PW0-105 CWNA exam objectives

(Image: 2.4 GHz channels)

(Image: 5 GHz UNII bands and channels)

Wi-Fi Back to Basics – 2.4 GHz Channel Planning

Wikipedia page on WLAN Channels

802.11 Medium Access

Introduction to Wi-Fi Wireless Antennas

Wi-Fi CERTIFIED™ for WMM®-Power Save

Aerohive’s Medium Contention & Mac Sublayer WiFi 101 video (28:00)

Easy db Math in 5 Minutes

Radio Frequency Measurements (1:13)

Understanding IEEE 802.11n

Memorize 802.11 MCS values and Data rates for CWNA or CWDP (YouTube Video)

CWSP

CWSP Certified Wireless Security Professional Official Study Guide: Exam PW0-204 (CWSP Official Study Guides)

Here is the link to download the updated PW0-204 CWSP exam objectives

EAP Types (Excel file for my own reference)

Marcus Burton, Director of Product Development at CWNP, teaches you the 802.11 4-way handshake. (YouTube Video)

Authentication & Key Management (Marcus Burton, CWNP)

CWSP-802.11r Over-the-Air FT

White Paper (PDF download) Robust Secure Network Fast BSS Transition

White Paper (PDF download) 802.11i Authentication and Key Management

User Guide for the Cisco Secure Access Control System 5.2 (good extra reading on different flavors of EAP)

George Stefanick – CWSP Journey Chapter 5 – RSN

George Stefanick – CWSP Journey Chapter 4 – EAP, EAP, EAP, and EAP

EAP-TLS and PEAP: what they are, part 1 (YouTube Video)

EAP-TLS and PEAP: what they are, part 2 (YouTube Video)

CWAP

CWAP Certified Wireless Analysis Professional Official Study Guide

CWAP Exam Objectives (PDF)

WIRELESS LAN SECURITY MEGAPRIMER PART 5:DISSECTING WLAN HEADERS

802.11 Beacons Revealed

802.11 Beacon Intervals – The Real Story

What is QAM?

CWAP – MAC Header : Frame Control

Understanding Wi-Fi Carrier Sense (Revolution Wi-Fi)

802.11 PPDU Formats

CWAP Study Guide Errata

Extras

My CWNA/CWSP/CWAP YouTube Channel

How I Studied to Pass the CWNA Certification Exam

WiFI Kiwi’s Blog – CWSP Passed!

Keys, Keys, and Even More Keys!

I thought I had a good understanding of how the WPA/WPA2 encryption key generation process worked, that was, until I read Chapter 5 of the CWSP (Certified Wireless Security Professional) Study Guide. I was definitely amazed, and a little confused, by everything that happens in the background when a client authenticates and the encryption keys are created. Dealing mostly with personal or small office wireless environments, I took a special interest in the process used to generate the encryption keys in small office home office (SOHO) networks. I’m a firm believer that a strong passphrase is mandatory when using WPA/WPA2 Personal, and part of writing this blog was not only my way to fully understand the encryption key creation process, but at the same time to stress how important it is to select a completely random WPA/WPA2 passphrase. An easily guessed passphrase or a common dictionary word can expose your wireless network and connected devices to hacking or decryption of the data. The passphrase not only authenticates clients to the access point, but it is also the initial seeding material for the master keys, which are then used to create the transient and temporal keys that encrypt the unicast data frames and the broadcast and multicast frames.

Definitions

Let’s start by defining the alphabet soup of letters and give some quick definitions to the important terms being used in the article.

WPA/WPA2 Passphrase: Selected by the network owner and entered as a simple ASCII character string of 8 to 63 characters. The passphrase is configured on the access point and manually entered on the client devices that will join the AP’s wireless network.

Authenticator: In a SOHO network this will be the access point.

Supplicant: Any device wanting to join an access point’s service set.

Pre-Shared Key (PSK): The result of running the passphrase through the passphrase-to-PSK mapping function.

PMK (Pairwise Master Key): The highest-order key, derived from the pre-shared key (PSK).

GMK (Group Master Key): Generated by the authenticator (access point) and used as the seeding material for the Group Temporal Key.

4-Way Handshake: Uses a pseudo-random function to create and distribute the dynamic encryption keys.

Nonce: A randomly generated value only used once.

PTK (Pairwise Transient Key): Final encryption key used to encrypt unicast data traffic.

GTK (Group Temporal Key): Final encryption key used to encrypt broadcast and multicast traffic.

Selecting the Passphrase

The first step is to choose the passphrase and enter it in the security section of the wireless router’s management interface. Notice I did not say select a password! As mentioned before, avoid common dictionary words, and don’t use your name, address, phone number, pet’s name, favorite sports team, etc. It is recommended to select a completely random passphrase, and using a passphrase generator is the best way to do so. For help on selecting a highly secure passphrase, read my earlier blog post on creating a secure WPA/WPA2 passphrase.

WPA/WPA2 passphrases are static and susceptible to offline dictionary attacks, and it will become very clear why this passphrase must be absolutely random for maximum security of the wireless network.

The graphic below shows the encryption key generation process and can be referenced throughout the article.

WPA/WPA2 Encryption Key Generation

Passphrase to PSK Mapping

Manually enter the passphrase on the client devices that will be joining the wireless network. The passphrase authenticates the device to the AP’s wireless network, and behind the scenes the passphrase goes through the “passphrase to PSK mapping” function, which transforms it into the 256-bit Pre-Shared Key (PSK).

Here is the formula to convert a passphrase to the PSK.

PSK = PBKDF2(PassPhrase, ssid, ssidLength, 4096, 256)

The whole point of the passphrase-to-PSK mapping formula is to simplify configuration for the average home network user: anyone can remember an 8 to 63 character passphrase far more easily than a 256-bit PSK.

Master Keys

The PSK will become the Pairwise Master Key (PMK), so basically the PSK is equal to the PMK.

The authenticator (access point) generates the Group Master Key (GMK). The GMK is derived by the authenticator and used to create the Group Temporal Key (GTK). The GTK will be used by the AP and all the authenticated clients to encrypt multicast and broadcast traffic.

4-Way Handshake

The graphic below is from Chapter 5 of the CWSP Study Guide to further explain the 4-way handshake process.

(Figure: the 4-way handshake, from Chapter 5 of the CWSP Study Guide)

The 4-way handshake is a four-frame exchange (not including acknowledgements) between the supplicant and the authenticator. Using a pseudo-random function (PRF), the 4-way handshake creates the Pairwise Transient Key (PTK) by combining the PMK, an authenticator nonce (ANonce), a supplicant nonce (SNonce), the authenticator’s MAC address (AA), and the supplicant’s MAC address (SPA).

Here is the pseudo-random function formula, followed by a brief description of the four frames exchanged during the 4-way handshake.

PTK = PRF (PMK + ANonce + SNonce + AA + SPA)

Message 1: The authenticator sends its ANonce to the supplicant. The supplicant now has all the information needed to generate the PTK using the pseudo-random function. The PTK protects the unicast data traffic.

Message 2: The supplicant will send its SNonce to the authenticator. The authenticator now has all the information needed to generate a matching PTK using the pseudo-random function.

Message 3: The authenticator generates the GTK from the GMK and transfers it to the supplicant. The GTK is encrypted using the PTK, so the exchange is secure. The GTK protects the broadcast and multicast traffic.

Message 4: An acknowledgement that the client has successfully installed the PTK and GTK.

The client is now authenticated and possesses the dynamic encryption keys and can securely send and receive traffic through the access point.
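As an added example (not from the CWSP Study Guide or this post), the following Python walks the whole derivation described in the Passphrase to PSK Mapping and 4-Way Handshake sections: PBKDF2 turns the passphrase and SSID into the PSK, which becomes the PMK, and each side derives the PTK from the PMK, both MAC addresses and both nonces as soon as the message carrying the nonce it was missing arrives. The PRF, its “Pairwise key expansion” label and the min/max ordering of the inputs follow IEEE 802.11 (HMAC-SHA1 based PRF, 384-bit PTK as used with CCMP), which the PTK = PRF(...) formula above abbreviates; the GTK derivation from the GMK uses the informative method given in the standard. The MAC addresses, nonces and GMK are constructed values, and the wrapping of the GTK under the KEK in message 3 is not implemented.

```python
import hashlib
import hmac
import os


def passphrase_to_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2(PassPhrase, ssid, ssidLength, 4096, 256): PBKDF2-HMAC-SHA1,
    4096 iterations, 256-bit (32-byte) output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11 PRF-n: concatenated HMAC-SHA1 blocks, truncated to nbits."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk, aa, spa, anonce, snonce, nbits=384):
    """PTK from PMK, both MAC addresses and both nonces (min/max ordered so that both
    sides build the same input). 384 bits = KCK (128) || KEK (128) || TK (128) for CCMP."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbits)


def split_ptk(ptk: bytes) -> dict:
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def derive_gtk(gmk, aa, gnonce, nbits=128):
    """GTK = PRF(GMK, "Group key expansion", AA || GNonce), the informative method in 802.11."""
    return prf(gmk, b"Group key expansion", aa + gnonce, nbits)


class Supplicant:
    def __init__(self, pmk, mac, snonce=None):
        self.pmk, self.mac = pmk, mac
        self.snonce = snonce or os.urandom(32)
        self.ptk = self.gtk = None

    def on_message1(self, aa, anonce):
        # Message 1 delivered the ANonce; the supplicant now has everything for the PTK
        self.ptk = derive_ptk(self.pmk, aa, self.mac, anonce, self.snonce)
        return self.snonce                        # Message 2 carries the SNonce

    def on_message3(self, gtk):
        self.gtk = gtk                            # in a real exchange this arrives wrapped under the KEK
        return True                               # Message 4: keys installed


class Authenticator:
    def __init__(self, pmk, mac, gmk, anonce=None, gnonce=None):
        self.pmk, self.mac, self.gmk = pmk, mac, gmk
        self.anonce = anonce or os.urandom(32)
        self.gnonce = gnonce or os.urandom(32)
        self.ptk = None

    def message1(self):
        return self.anonce

    def on_message2(self, spa, snonce):
        # With the SNonce the authenticator derives the matching PTK
        self.ptk = derive_ptk(self.pmk, self.mac, spa, self.anonce, snonce)
        return derive_gtk(self.gmk, self.mac, self.gnonce)   # Message 3 carries the GTK


def run_handshake(passphrase, ssid, aa, spa, anonce=None, snonce=None, gmk=None):
    """Walk the four messages and return what each side ended up with."""
    pmk = passphrase_to_psk(passphrase, ssid)     # in WPA/WPA2-Personal the PSK is the PMK
    ap = Authenticator(pmk, aa, gmk or os.urandom(32), anonce)
    sta = Supplicant(pmk, spa, snonce)
    snonce = sta.on_message1(aa, ap.message1())   # Message 1 -> Message 2
    gtk = ap.on_message2(spa, snonce)             # Message 2 -> Message 3
    sta.on_message3(gtk)                          # Message 3 -> Message 4
    return {"pmk": pmk, "ap_ptk": ap.ptk, "sta_ptk": sta.ptk, "gtk": sta.gtk,
            "match": ap.ptk == sta.ptk}


if __name__ == "__main__":
    # Constructed sample values: hypothetical MAC addresses and fixed nonces
    AA = bytes.fromhex("001122334455")
    SPA = bytes.fromhex("66778899aabb")
    r = run_handshake("password", "IEEE", AA, SPA, anonce=b"\x01" * 32, snonce=b"\x02" * 32)
    print("PSK/PMK:", r["pmk"].hex())
    print("PTK match:", r["match"])
    for name, key in split_ptk(r["sta_ptk"]).items():
        print(f"  {name}: {key.hex()}")
```

The passphrase “password” with SSID “IEEE” is the test vector published in the 802.11 standard’s annex, so the printed PSK can be checked against it. Changing a single character of the passphrase changes the PMK and therefore every PTK derived from it, which is the point of the Conclusion below.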

Conclusion

In a SOHO network the passphrase is not only used for keeping unwanted devices from joining the network, but is also the seeding material used to create the transient and temporal encryption keys. If an attacker obtains the passphrase they could not only join the wireless network, but they could also crack the PTK encryption key. If an attacker captures a 4-way handshake exchange between a client and the access point and possesses the passphrase, the attacker has all the variables needed to duplicate the PTK. With the PTK the attacker can decrypt any encrypted unicast data frames between that individual client and the AP. Passphrase secrecy, and having a passphrase that is not susceptible to dictionary cracking methods, is vital for the security of any network using WPA/WPA2 Personal.

Extra Security Note: Having one person control the passphrase is probably harder to do in a home network, but in a small office environment ideally one person should know the passphrase and enter it on the devices that need to connect to the wireless network. The fewer people who know the passphrase, the more secure the network will be!

Evil Twin Access Point Attack Explained

Anywhere public Wi-Fi is available is an opportunity for an attacker to use that insecure hot spot to attack unsuspecting victims. One specific Wi-Fi hot spot attack, called an “Evil Twin” access point, impersonates a genuine Wi-Fi hot spot. Attackers make sure their evil twin AP looks just like the free hot spot network; users are duped into connecting to it, and the attacker can then execute numerous attacks against the unaware victim.

The graphic below shows a typical client connection at a Wi-Fi hot spot. The user searches for the available wireless networks within range and then connects to the public Wi-Fi network. I’m simplifying the process, but the result is that the user gets connected to the hot spot network, which supplies a gateway to the internet. The user can now surf the web, log in to web sites, check email, watch videos or stream music, etc.

Typical Hot Spot Connection

As the user is enjoying their coffee along with the free Wi-Fi, the attacker is busy setting up the evil twin AP. The attacker is not going to have a bunch of extra hardware; you won’t see someone with a Netgear router or antennas sticking out everywhere drawing attention to themselves. The attacker will more than likely have just a laptop to launch the attack, and could be in the same physical space or launching the attack from a vehicle in the parking lot.

A typical evil twin AP attack is shown in the next graphic, and I will explain the steps in more detail.

Evil Twin AP Attack

I will start with our user, the victim, being connected to the free Wi-Fi hot spot on channel 6. You can refer to the first graphic for the typical hot spot connection.

Step 1: The attacker sets up a software AP on their laptop using free utilities from the internet. This software AP mimics the hot spot network; the only difference is that the attacker sets the software AP up on a different channel. The software AP is a clone, the “evil twin”, of the hot spot network.

Step 2: The attacker jams the hot spot AP’s wireless signal. The graphic shows a hardware jamming device that blocks the physical radio frequency. The attacker could instead use deauthentication frames to attack at the communication layer, but either way the result is to break the user’s connection with the hot spot network.

Step 3: The client’s laptop, which is always scanning for a better connection (a feature of wireless roaming), sees the evil twin AP advertising the same SSID network name as the hot spot network and connects to it.

Step 4: The attacker has software running on their laptop to assign an IP address to the victim that just connected to the evil twin AP. Every device on the internet is assigned a unique IP address so that network traffic is properly routed; an IP address is the equivalent of the street address the postal service uses to deliver mail.

Thrown into the mix, the attacker has a second wireless adapter plugged into the laptop to establish a connection back to the hot spot network, and bridges the software evil twin AP to that second wireless card. Traffic from any victim connected to the evil twin AP routes through the attacker’s machine and back out to the hot spot network. The victim has no idea their traffic is now being routed through the attacker’s laptop. With the network traffic routing through the attacker, they can search for passwords and credit card numbers, read emails, see the web sites being visited, etc. The attacker can also inject themselves into the middle of the conversation by editing the frames in transit.

There are two different scenarios for an evil twin attack. The first, shown in the graphic above, happens when a user is already connected to the legitimate hot spot AP, gets disconnected, and then reconnects to the attacker’s evil twin AP thinking it is the real hot spot network. The second scenario is that the attacker has the evil twin AP set up and the user connects to the fake AP thinking it is a hot spot network provided by a legitimate business. Either way the user ends up connected to the attacker’s evil twin AP.
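From the defender’s side, the two observable artifacts of the attack just described are a beacon advertising the hot spot’s SSID from a BSSID the hot spot does not own (often on a different channel, as in Step 1) and a burst of deauthentication frames aimed at breaking the user’s connection (Step 2). The following added Python example (not part of the original post) is a minimal wireless-IDS style check over such sightings: it compares observed beacons against an inventory of authorized access points and counts deauthentication frames per BSSID. The inventory, the sensor log and the threshold are constructed for the example.

```python
from collections import Counter

# Constructed inventory of the hot spot's legitimate access points: SSID -> {BSSID: channel}
AUTHORIZED = {
    "CoffeeShop-Free": {"00:11:22:33:44:55": 6},
}

# Constructed sensor log, one entry per frame seen: (frame kind, SSID, BSSID, channel).
# It replays the attack from the article: beacons from an unknown BSSID on another channel
# advertising the hot spot's SSID, plus a burst of deauthentication frames "from" the real AP.
OBSERVED = (
    [("beacon", "CoffeeShop-Free", "00:11:22:33:44:55", 6)] * 5
    + [("beacon", "OtherNet", "aa:bb:cc:dd:ee:ff", 1)] * 3
    + [("beacon", "CoffeeShop-Free", "de:ad:be:ef:00:01", 11)] * 4
    + [("deauth", None, "00:11:22:33:44:55", 6)] * 25
)

DEAUTH_THRESHOLD = 10   # deauths per BSSID in the window before we call it a flood (tunable)


def detect(authorized, observed, deauth_threshold=DEAUTH_THRESHOLD):
    """Return a de-duplicated list of (alert, ssid, bssid, channel_or_count) tuples."""
    alerts = []
    deauths = Counter()
    for kind, ssid, bssid, channel in observed:
        if kind == "deauth":
            deauths[bssid] += 1
            continue
        if kind != "beacon" or ssid not in authorized:
            continue                          # SSIDs we do not own are out of scope here
        known = authorized[ssid]
        if bssid not in known:
            alert = ("evil-twin", ssid, bssid, channel)         # our SSID from a BSSID we do not own
        elif known[bssid] != channel:
            alert = ("channel-mismatch", ssid, bssid, channel)  # our BSSID on an unexpected channel
        else:
            continue
        if alert not in alerts:
            alerts.append(alert)
    for bssid, count in deauths.items():
        if count >= deauth_threshold:
            alerts.append(("deauth-flood", None, bssid, count))
    return alerts


if __name__ == "__main__":
    for alert in detect(AUTHORIZED, OBSERVED):
        print(alert)
```

On the constructed log this raises one evil-twin alert for the unknown BSSID on channel 11 and one deauth-flood alert for the spoofed hot spot BSSID; the legitimate beacons and the unrelated network produce nothing. A real sensor would feed this from a monitor-mode capture and apply the deauth count per time window.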

Now for a double dose of bad news! It is difficult to notice whether you’re connecting to an authentic hot spot network or an evil twin AP, and there isn’t a perfect defense against the attack. As mentioned, the attacker will attempt to configure the evil twin as a precise copy of the hot spot network so users will not suspect anything is wrong. The best option when using public Wi-Fi is to have a VPN connection. VPN is short for virtual private network, and a VPN creates an encrypted tunnel between your device and the VPN server. The encrypted tunnel secures the traffic, so anyone eavesdropping on your traffic or sitting in the middle of your conversation cannot interpret or interfere with the wireless transmissions. Plenty of companies offer personal VPN services, and there are a lot of different plans and fees to choose from.

The next time you’re at the local coffee shop be a little extra observant when connecting to the free Wi-Fi network. If something doesn’t feel right you may want to trust your gut and skip connecting to the hot spot network.

Thanks for stopping by my blog and reading the post. If you’re looking for more security tips when using public Wi-Fi please read my earlier blog post Security Is Your Responsibility When Using Free Wi-Fi.

How I Studied to Pass the CWNA Certification Exam

Having recently passed the Certified Wireless Network Administrator (CWNA) certification exam, I wanted to share some of my study experiences and tips with anyone who may be working towards their CWNA cert. If you’re looking for the secret sauce or any insider information on the questions I saw on the exam, I will not be sharing any of that, as it goes against the agreement I signed with CWNP before taking the exam. The best piece of advice I can offer is to master the different 802.11 wireless standards (802.11 prime, 802.11a, 802.11b, 802.11g, 802.11n), the frequencies and channels used by each standard, the different RF behaviors, and which 802.11 standards are compatible. Almost everything else for the CWNA builds on these fundamentals.

There is an entry-level wireless certification from the CWNP called Certified Wireless Technology Specialist (CWTS), and if you’re new to wireless you may want to start with this certification.

Everyone learns differently, and being out of the wired and wireless networking job function for a few years I was more deliberate with my studies. All my studies were self-paced and I did not attend any classes or boot camps. This blog is a rough outline of the steps I used to study and pass the CWNA exam.

Start by downloading the CWNA exam objectives.

Then download the CWNA common terms.

Besides the two links above the CWNP site is a great resource of information. I would definitely recommend signing up for an account and exploring the site. You should find other valuable resources on the site.

Next get a copy of the CWNA study guide and start reading! One of the first items in the study guide will be the initial assessment test. Don’t get too hung up on your score. I found there were terms and ideas presented in those questions that were completely foreign to me, but after reading the study guide I went back and retook the initial assessment test and found I had a better understanding of the material and obviously scored higher.

I actually purchased the Kindle edition of the study guide, and my only complaint with the Kindle version was the end of chapter tests. The tests themselves are great, but when you go to the appendix for the answers it would really be nice if the questions were repeated there. On the Kindle Fire I was constantly tapping to go from the question to the answer in the appendix; it was kind of a pain!

A workaround for the question and answer issue is to download the CD contents for the book, which include electronic versions of the practice tests. The electronic test versions are much easier to use, and there is no going back and forth from the question to the answer. The CD download not only has the end of chapter tests, but three bonus 60 question practice tests, electronic flash cards, the white papers mentioned throughout the study guide, and the software installs mentioned in the study guide.

For every certification I have ever studied for there has always been some memorization involved. Usually it is facts, rules, key terms, calculations, etc., and I like to use flashcards to review and help remember these details. I would also create flash cards for items I got tripped up on. For example, I was always getting the ISM 5 GHz frequency band confused with the UNII-3 frequency band, since there is frequency overlap between the two, so I created a flash card and threw it in my review pile until I had the differences memorized.

Instead of using 3 x 5 index flash cards I use a program called Anki for creating electronic flash cards. The really nice feature of Anki is being able to share my electronic flash card decks with multiple devices including my Kindle Fire.

If you’re on LinkedIn you can join the CWNA Study group. I posted questions to the group related to the exam or technical questions about wireless topics and always received multiple replies. Twitter is another resource where I posted several CWNA exam related questions and was able to receive answers from people who knew wireless and/or have already earned their CWNA certification.

Personal Note: A big thank you to the CWNP/wireless online community! The people I interacted with on the social networks, many of whom had several CWNP certs and whom I would consider the wireless rock stars, were always eager to offer their own advice and tips, and were simply extraordinary in sharing their expertise.

After reading the study guide I then purchased the online practice tests through the CWNP web site. There is a $50 cost to buy a license for the practice tests, but I really liked these tests compared to the end of chapter questions. There are four 60 question tests for a total of 240 questions, and while some of the questions are similar to the questions from the book, most are different. The big positive for the online questions is the answers, which are very detailed.

While working on the online practice tests I started rereading the CWNA study guide. I found that the second time through I noticed details I had missed. I didn’t reread the entire study guide, just the chapters or sections that I struggled with based on my end of chapter test scores. I would then retake the end of chapter review tests, and if there were still areas I was concerned with I would either do some Google searches for more information, make flash cards, or post questions to LinkedIn or Twitter.

Some of the resources I found online or web pages that were shared with me I have collected in a resource study page on my blog.

Hopefully you can find something listed here to help with your studies, and please leave any questions or study tips in the comments section below. Good luck to those planning to take the CWNA exam!