HaLow Beacon frame explained

With 802.11ah-2016 ratified, this post is an overview of the similarities and differences between S1G beacon frames and the beacon frames we know from 2.4 and 5GHz. Below is a capture performed on 864MHz.

Figure 1- Short Beacon

The first beacon in this capture is a full beacon with a length of 135 bytes. Just as with beacon frames in 2.4 and 5GHz, S1G beacons use a beacon interval of 100TU. The beacon sent every 100TU is only a short beacon with a length of 65 bytes; every 1000TU, however, a full beacon is sent over the air. In between the full beacons, short beacons are sent to notify the STAs that the network is still available.

  • Timestamp – 4 bytes : Used to synchronize the clock of the stations associated with this SSID
  • Change sequence – 1 byte : The S1G beacon uses the “Change Sequence” field to notify stations that network information on the AP has changed
  • Next TBTT – variable : The arrival time of the next full beacon is given here, so stations can wake up at that time to receive the full beacon frame. All short beacons between two full beacons contain the same value.
  • Compressed SSID – variable : A STA can use the compressed SSID in the short beacon frame to associate with this SSID.
  • The short beacon can also carry a TIM element, sent every N beacons

After 1000TU a full beacon is sent over the air; below is a capture of a full beacon.

Figure 2 – Full S1G Beacon

The mandatory fields in the S1G beacon are the 4-byte Timestamp and, as in the short beacon, a Change Sequence field to inform stations whether the network configuration has changed.

S1G Beacon Compatibility Element

Below, the optional parameters of the S1G beacon are discussed.

  •  S1G Beacon compatibility Information Element (213)

The frame format for this Information Element is below

An actual frame capture of a full S1G beacon looks like the capture below

Figure 3 – S1G Beacon Compatibility
  • Element ID and length are both 1 byte
  • Compatibility information – 2 bytes : Coming straight from the 802.11-2020 standard, this field contains all subfields of the Capability Information field as in a regular beacon frame. However, Wireshark is not decoding this for now.

The screen capture below is for a regular beacon frame on 5GHz; the HEX value converted into binary is 1010100010001, which Wireshark then translates into all subfields.

Figure 4 – Capabilities Information of a beacon frame on 5GHz

If I check the HEX value of my S1G Beacon I see a value of 0x0001, so I know that only the subfield B0 (ESS) will be 1 and all other fields will be 0. If I check the S1G Beacon compatibility field for an SSID with WPA2 security on, I can see a HEX value of 0x0011, which means the transmitter is an AP and we are using Privacy.

Figure 5 – S1G Beacon Compatibility for an SSID with WPA2
  • Beacon Interval – 2 bytes : This is the number of TU between each full S1G beacon.
  • TSF Completion field : carries the 4 most significant octets of the TSF timer at the AP at the time of generation of the element carrying the TSF completion field.
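As an added example (not code from the original post), here is a small parser for the S1G Beacon Compatibility element that also decodes the Compatibility Information bits Wireshark leaves undecoded; the capability bit names follow the 802.11-2020 Capability Information field, and the sample element bytes are constructed, not captured.

```python
# Added example (not from the original post): parse the S1G Beacon
# Compatibility element (ID 213) and decode the 16-bit Compatibility
# Information field that Wireshark currently leaves undecoded.
import struct

S1G_BEACON_COMPAT_ID = 213

# Capability Information subfields from 802.11-2020 (bit -> name);
# bits not listed (B2, B3, B6, B7, B13) are reserved.
CAPABILITY_BITS = {
    0: "ESS", 1: "IBSS", 4: "Privacy", 5: "Short Preamble",
    8: "Spectrum Management", 9: "QoS", 10: "Short Slot Time",
    11: "APSD", 12: "Radio Measurement", 14: "Delayed Block Ack",
    15: "Immediate Block Ack",
}

def decode_capability(value):
    """Return the names of the capability subfields set in a 16-bit value."""
    names = []
    for bit in range(16):
        if value & (1 << bit):
            names.append(CAPABILITY_BITS.get(bit, "Reserved B%d" % bit))
    return names

def parse_s1g_beacon_compat(elem):
    """Parse an element as ID, length, body (fields are little-endian)."""
    if len(elem) < 2 or elem[0] != S1G_BEACON_COMPAT_ID:
        raise ValueError("not an S1G Beacon Compatibility element")
    length = elem[1]
    if length < 8 or len(elem) < 2 + length:
        raise ValueError("element too short or truncated")
    compat, interval, tsf_hi = struct.unpack_from("<HHI", elem, 2)
    return {
        "capability": compat,
        "capability_names": decode_capability(compat),
        "beacon_interval_tu": interval,
        "tsf_completion": tsf_hi,
    }

# Constructed sample, not a capture: 0x0011 (ESS + Privacy, the WPA2 case
# from Figure 5), a 1000 TU full beacon interval and an arbitrary TSF value.
SAMPLE_ELEMENT = bytes([213, 8]) + struct.pack("<HHI", 0x0011, 1000, 0x5)

if __name__ == "__main__":
    print(parse_s1g_beacon_compat(SAMPLE_ELEMENT))
    print(decode_capability(0x1511))  # the 5GHz beacon bits from Figure 4
```

Running it with the Figure 4 value 0x1511 (binary 1010100010001) lists ESS, Privacy, Spectrum Management, Short Slot Time and Radio Measurement, which is what Wireshark shows for that 5GHz beacon.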

TIM Information Element

After the S1G Beacon Compatibility element we get the TIM element, which is similar to the one in the beacon frames we are used to working with.

Figure 6 – TIM Element

S1G Capabilities Information Element

The S1G Capabilities Information Element (ID 217) contains all the capability information that can be advertised to the stations.

Figure 7 – S1G Capabilities IE

Below is the frame format for the S1G Capabilities Information Element

  • Element ID and length are both 1 byte long
  • The S1G Capabilities Information field is 10 bytes long and contains a lot of additional information that is relevant to the stations. These fields will be covered more in depth in a later blog post, but for now I wanted to share the frame format of the S1G Capabilities field.
  • Supported S1G-MCS and NSS set – 5 bytes : Just as with regular beacon frames, this element gives you the combinations of S1G-MCS and spatial streams that stations can use to transmit and receive. The frame format of this element is shown below

S1G operation Information Element (232)

Right after the S1G Capabilities, the S1G Operation element appears in the S1G Beacon. The operation of S1G stations in the BSS is controlled by the S1G Operation element. Below is a capture of this S1G Operation element.

Figure 8 – S1G Operation IE – Europe

The frame format for the S1G Operation element in the standard looks like the format below.

  • First you have the Element ID and the length of both 1 byte
  • S1G Operation Information – 4 bytes
  • Basic S1G-MCS and NSS Set – 2 bytes : in Wireshark this field shows up underneath the S1G Operation element

If we dive deeper into the S1G Operation Information field, we see it is 4 bytes long and can be subdivided into the following frame format

  • Channel width – 1 byte : An S1G station declares its channel width capability in the Supported Channel Width subfield of the S1G Capabilities Information field.
    • Value is 0 if the station supports 1MHz and 2MHz operation
    • Value is 1 if the station supports 1MHz, 2MHz and 4MHz operation
    • Value is 2 if the station supports 1MHz, 2MHz, 4MHz and 8MHz operation
    • Value is 3 if the station supports 1MHz, 2MHz, 4MHz, 8MHz and 16MHz operation

In Figure 8 – S1G Operation IE you see the channel width is set to 1 in the captured S1G Beacon. The supported channel width can also be found in the S1G Capabilities Information Element.

Figure 9 – Supported Channel Width of S1G STA
  • Operating Class – 1 byte : The operating class in which the BSS is operating. An operating class is an index into a set of values for radio operation in a regulatory domain, which defines
    • Frequencies corresponding to channel numbers
    • Channel center frequencies that can be used
    • Maximum channel width that may be used
    • Behavioral constraints

In the capture (Figure 8) the S1G operating class is set to 6 for Europe according to the 802.11-2020 standard. If the US domain is set on the S1G AP, the operating class changes to a value of 2.

Figure 10 – S1G Operation Class for US

Below is a table with S1G Operating Classes that may be used

  • Primary channel number – 1 byte : This indicates the channel number of a 1 or 2 MHz primary channel
  • Channel center frequency – 1 byte : The channel center frequency can be calculated with values coming from the table of operating classes. The channel center frequency fc in MHz is defined as

fc (MHz) = ChannelStartingFrequency + fseparation × ChannelCenterFrequencyIndex

fseparation is the frequency separation between channels and has the value of 0.5MHz. The ChannelStartingFrequency and ChannelCenterFrequencyIndex values are provided in the S1G Operating Class table.
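The following is an added example, not code from the original post: it decodes the 4-byte S1G Operation Information field laid out above and applies the center frequency formula. The ChannelStartingFrequency is passed in as a parameter because it comes from the operating class table; the 863.0 MHz value in the sample and the sample field bytes are assumptions constructed for the example.

```python
# Added example (not from the original post): decode the 4-byte S1G
# Operation Information field described above and derive the channel
# center frequency with the post's formula
#   fc (MHz) = ChannelStartingFrequency + fseparation x ChannelCenterFrequencyIndex
# ChannelStartingFrequency is an input here, because it comes from the
# operating class table, which this script does not embed.
F_SEPARATION_MHZ = 0.5

# Channel Width values as listed in the post (value -> supported widths in MHz).
SUPPORTED_WIDTHS_MHZ = {
    0: (1, 2),
    1: (1, 2, 4),
    2: (1, 2, 4, 8),
    3: (1, 2, 4, 8, 16),
}

def channel_center_frequency(starting_frequency_mhz, center_index):
    """fc = ChannelStartingFrequency + 0.5 MHz * ChannelCenterFrequencyIndex."""
    return starting_frequency_mhz + F_SEPARATION_MHZ * center_index

def parse_s1g_operation_info(field, starting_frequency_mhz):
    """Return the four subfields plus the derived center frequency."""
    if len(field) != 4:
        raise ValueError("S1G Operation Information must be 4 bytes")
    width, op_class, primary_ch, center_idx = field
    if width not in SUPPORTED_WIDTHS_MHZ:
        raise ValueError("unexpected Channel Width value %d" % width)
    return {
        "channel_width_value": width,
        "supported_widths_mhz": SUPPORTED_WIDTHS_MHZ[width],
        "operating_class": op_class,
        "primary_channel": primary_ch,
        "center_frequency_index": center_idx,
        "center_frequency_mhz": channel_center_frequency(
            starting_frequency_mhz, center_idx),
    }

# Constructed sample, not a capture: Channel Width 1, operating class 6
# (Europe in the post's capture), primary channel 1, center index 1.
# 863.0 MHz is an assumed ChannelStartingFrequency for this example; use
# the real value for the operating class from the S1G Operating Class table.
SAMPLE_FIELD = bytes([1, 6, 1, 1])
ASSUMED_START_MHZ = 863.0

if __name__ == "__main__":
    print(parse_s1g_operation_info(SAMPLE_FIELD, ASSUMED_START_MHZ))
```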

Short Beacon Interval

The short beacon interval was discussed earlier together with the full beacon frame; the number of TU between short beacons is presented here.

Figure 11 – Short Beacon Interval Information Element

SSID parameter Set

The SSID parameter set contains the name of the SSID, if it is broadcast by the S1G AP.

WMM/WME Parameter Element

The WMM Information Element is very similar to the WMM Element we are used to seeing in a regular beacon frame.

Figure 12 – WMM Information Element in S1G Beacon

The only exception is the Update EDCA Info field, which is reserved for non-S1G stations.

  • Override field – 1 byte : used by the S1G AP to inform S1G stations that this element overrides previously stored EDCA parameters
  • PS-Poll ACI – 2 bytes : used by the S1G AP to inform the S1G station of the access category for sending a PS-Poll frame. The mapping is identical to the one in the WMM element.
  • RAW ACI – 2 bytes : used by the S1G AP to inform the S1G station of the access category used when accessing the WM; it is identical to the AC parameters in the WMM Element.
  • STA type – 2 bytes : indicates the type of station for which the information in the element is provided. Possible values are
    • 0 – Valid for stations, both sensor and non-sensor stations
    • 1 – for sensor stations
    • 2 – for non-sensor stations
    • 3 – reserved value for future use

This is the full beacon frame explained, part by part.

My journey into the S1G frequency range is just beginning; I’m planning some range and performance measurements to see how this works on a frame level. Meanwhile I have been able to capture more frames where an S1G AP and S1G stations perform an association on an open network or on a WPA2 secured SSID. In a later blog we will discuss the process of association in S1G and look at the similarities and differences for the probe request/response exchange, association and 4-way handshake.

For now, many thanks; if you see a typo or have remarks, please let me know and I will update.

My first 802.11ah frames

While we are all looking up into the 6GHz frequency range, I was wondering what was happening on the other side of the frequency range, more specifically in the Sub-1GHz space. On November 2, 2021 the Wi-Fi Alliance started to certify products for Sub-1GHz operation: https://www.wi-fi.org/news-events/newsroom/wi-fi-certified-halow-delivers-long-range-low-power-wi-fi However, the amendment was already published by IEEE on May 5, 2017.

Because of my interest in the 802.11 standard, I was wondering how similar or how different the frames look if we compare Sub-1GHz frames with frames coming from a 2.4/5GHz access point. In my journey to look for equipment that can perform 802.11ah, or HaLow as it is also called, I was hoping to find some equipment I could get my hands on by checking the Wi-Fi Alliance product finder and looking for certified hardware. The only hardware that I could find was some development boards; after some research I learned that the Newracom equipment was the easiest to get my hands on. I found them at the Alfa Networks website together with Raspberry Pi 3+ and 4. Massive thanks to the people at Newracom for the guidance.

The 3 modules certified by Wi-Fi alliance for 802.11ah / HaLow

After going through the setup process a few times, and with big help from the HaLow support team of Alfa Networks, I got 2 RPis up and running. Peter MacKenzie also pointed me to a set of wireless security cameras working on 802.11ah to perform some real-life testing. Today I finally got everything working and all was up and running, ready to put my HaLow sniffer to work. I scanned the Sub-1GHz spectrum and saw some activity on 925MHz.

Example of Radiotap header and 802.11 radio information of an Action frame

Almost all frames I captured until now are Action frames with a radiotap header, 802.11 radio information and layer 2 MAC info. From the 802.11 radio information we can see the PHY type is 802.11ah or S1G and the frequency it was captured on is 925MHz, although it says 9250. In the 900MHz spectrum we notice S1G is using OFDM-based waveforms to send information through the air. S1G is built upon the 802.11ac standard; all frames captured so far contain A-MPDU information and

In the S1G section of the radiotap header we can see the PPDU format of the S1G frame, it has a channel width of 2MHz and is using a long guard interval.

S1G section from Radiotap header

These are my first observations from my first 802.11ah frame captures; I will be testing a lot more on performance and security of 802.11ah equipment. There is more to come in the coming days or weeks …

If you find errors or have remarks, do not hesitate to contact me and I will update the information.