With 802.11ah-2016 being ratified, this is an overview of the similarities and differences of the beacon frame for beacon frames. Below is a capture performed on frequency 864MHz

Figure 1- Short Beacon

The first beacon in this capture is a full beacon with a length of 135 bytes. Just as with beacon frames in 2.4 and 5GHz, the S1G beacons use a beacon interval of 100TU. The beacon that is sent every 100TU is only a short beacon with a length of 65 bytes. However every 1000TU a full beacon is sent over the air. In between the full beacons, a short beacon is sent over the air to notity the STA the network is still available.

  • Timestamp – 4 bytes : Used to synchronize the clock of the associated station on this SSID
  • Change sequence – 1 byte : to notify stations that network information is changed on the AP, the S1G beacon will use the “Change Sequence” field
  • Next TBTT – variable : The full beacon arrival time is displayed here so the stations can wake up at this timestamp to receive the full beacon frame. All short beacons in between the full beacons will contain the same value.
  • Compressed SSID – variable : An STA can use the short beacon to associate with this SSID by using the compressed SSID in the short beacon frame.
  • The short beacon can also carry a TIM element sent every N beacons

After 1000TU a full beacon is sent over the air, below is a capture of a full beacon.

Figure 2 – Full S1G Beacon

The mandatory fields in the S1G beacon are the Timestamp which is 4 bytes and as with the short beacon we have a change sequence field to inform stations if the network configuration has changed.

S1G Beacon Compatibility Element

Below the optional parameters will be discussed for the S1G beacon

  •  S1G Beacon compatibility Information Element (213)

The frame format for this Information Element is below

An actual frame capture of a full S1G beacon looks like the capture below

Figure 3 – S1G Beacon Compatibility
  • Element ID ad length are both 1 byte
  • Compatibility information – 2 byte : Coming straight from 802.11-2020 standard, this field should contain all subfields of the capabilities Information as in a regular beacon frame. However Wireshark is not decoding this for now.

Below screen capture is for a regular beacon frame on 5GHz, the HEX value converted into binary value is 1010100010001. This is then translated in Wireshark for all subfields.

Figure 4 – Capabilities Information of a beacon frame on 5GHz

If I check the HEX value value of my S1G Beacon I see a value of 0x0001, I know now only for the subfield B0 (ESS) this will be a 1 and all other fields will be 0. If I check the S1G Beacon compabilitity field for an SSID with WPA2 security on, I can see a HEX value of 0x0011 which means the transmitter is an AP and we are using Privacy.

Figure 5 – S1G Beacon Compatibility for an SSID with WPA2
  • Beacon Interval – 2 byte : This is the number of TU between each full S1G beacon.
  • TSF Completion field : carries the 4 most significant octets of the TSF timer at the AP at the time of generation of the element carrying the TSF completion field

TIM Information Element

After the S1G Beacon Compatiblity we got the TIM element which is similar as in beacon frames we are used to work with.

Figure 6 – TIM Element

S1G Capabilities Information Element

The S1G Information Element (ID 217) contains all the information that can be advertised to the stations

Figure 7 – S1G Capabilities IE

Below is the frame format for the S1G Capabilities Information Element

  • Element ID and length or both 1 byte long
  • The S1G Capabilities Information field is 10bytes long and contains a lot of additional information that is relevant to the stations. These fields will be discovered more in depth in a later blog post but for now I wanted to share the frame format of the S1G capabilities field.
  • Supported S1G-MCS and NSS set  – 5 bytes : Just as with regular beacon frames this element is giving you the combination S1G-MCS and spatial streams that can be used by stations to transmit and receive. The frame format of this element is shown below

S1G operation Information Element (232)

Right after the S1G Capabilities the S1G Operation Element is mentioned in the S1G Beacon. The operation of S1G stations in the BSS are controlled by the S1G Operation element. Below is a capture of this S1G operation element.

Figure 8 – S1G Operation IE – Europe

The frame format for the S1G Operation element in the standard looks like the format below.

  • First you have the Element ID and the length of both 1 byte
  • S1G Operation Information – 4 bytes
  • Basic S1G-MCS and NSS Set – 2 bytes : in Wireshark this field shows up underneath the S1G Operation element

If we dive more into the S1G Operation Information field we see it is 4 bytes long and can be subdivided into the following frame format

  • Channel width – 1 byte : An S1G Station will declare its channel width capability in the supported channel width subfield of the S1G Capabilities Information field.
    • Value is 0 if the station supports 1MHz and 2MHz operation
    • Value is 1 if the station supports 1MHz, 2MHz and 4Mhz operation
    • Value is 2 if the stations supports 1MHZ, 2MHz, 4MHz and 8MHz operation
    • Value is 3 if the station supports 1MHz, 2MHz, 4Mhz, 8MHz and 16MHz

In Figure 8 – S1G Operation IE you see the channel width is set to 1 in the capture S1G Beacon. The supported channel width can also be found in the S1G capabilities Information Element

Figure 9 – Supported Channel Width of S1G STA
  • Operating Class – 1 byte : The operating class in which the BSS is operating. This operating class is an index of values for radio operation in a regulatory domain.
    • Frequencies responding to channel numbers
    • Chennel center frequencies that can be used
    • Maximum channel width that may be used
    •  Behavioral constraints

In the capture (Figure 8)  the S1G operating class is set to 6 for EUROPE according to 802.11-2020Std. If US domain is set on the S1G AP the operating class changed to a value of 2

Figure 10 – S1G Operation Class for US

Below is a table with S1G Operating Classes that may be used

  • Primary channel number – 1 byte : This indicates the channel number of  a 1 or 2 MHz primary channel
  • Channel center frequency – 1 byte : The channel center frequency can be calculated with values coming from the table of Operating classes. Channel center frequency is defined as fc inMHz

Fc (MHz) = ChannelStartingFrequency + fseparation x ChannelCenterFrequencyIndex

Fseparation is the frequency separation between channels and has the value of 0.5MHz. ChannelStartingFrequency and ChannelCenterFrequencyIndex values are provided in the S1G Operation Class table.

Short Beacon Interval

The short beacon interval was discussed earlier with the full beacon frame, the number of TU between the short beacons are presented here

Figure 11 – Short Beacon Interval Information Element

SSID parameter Set

The SSID parameter set contains the name of the SSID if this is broadcasted by the S1G AP

WMM/WME Parameter Element

The WMM Information Element is almost similar to the WMM Element we are used to when looking at regular Beacon frame.

Figure 12 – WMM Information Element in S1G Beacon

The only exception is the Update EDCA Info field, this is reserved for non-S1G stations.

  • Override field – 1 byte : is used by S1G AP to inform to S1G stations that this element overrides previously stored EDCA parameters
  • PS-Poll ACI – 2 bytes : It is used by S1G AP to inform the S1G station of the access category for sending a PS-Poll frame. The mapping is identical as in the WMM element.
  • RAW ACI – 2 bytes : It is used by S1G AP to inform the S1G station of the access category for access the WM in, it is identical to the AC parameters in the WMM Element.
  • STA type – 2 byte : indicate the type of station for which the information in the element is provided. Possible values are
    • 0 – Valid for stations, both sensor and non-sensor stations
    • 1 – for sensor stations
    • 2 – for non-sensor stations
    • 3 – reserved value for future use

This is the full beacon frame explained, each part separately.

My journey into the S1G frequency range is just beginning, I’m planning some range and performance measurements and see how this works on a frame level. Meanwhile I have been able to capture more frames where an S1G AP and S1G stations perform an association on an open network or on a WPA2 secured SSID. In a later blog we will discuss the process of association in S1G and look at the similarities and differences for the probe request/response challenge, association and 4-way handshake.

For now many thanks, if you see typo or have remarks please let me know and I will update

Similar Posts


  1. Great job on the thorough analysis of the HaLow frame formats! It’s worth noting that while the Linux kernel’s mac80211 stack is already HaLow compatible, wpa_supplicant is not yet ready.

    Linux S1G support:


    We’re currently in an interim state as far as Linux HaLow support is concerned. However, Newracom, one of the few HaLow chip manufacturers, has made things easier by developing their HaLow firmware and drivers to imitate an 802.11a Wi-Fi device. This eliminates the need for any kernel or wpa_supplicant changes. Once the kernel and wpa_supplicant gain 802.11ah support, HaLow’s frame formats and frequencies will be supported natively, opening up new protocol-specific features.

    1. Hi james, once this is possible i will be glad to test more on this.
      Have a few more tests on security and performance to go through and see what it does on a protocol level.

Leave a Reply

Your email address will not be published. Required fields are marked *