Use 802.11 BlockAck to Predict the Data Flow in a WiFi Network Without Seeing the Data Frames

The 802.11 Block Acknowledgement frame (BlockAck) is a powerful frame to predict the data flow in a WiFi network, both when the data frames are visible in a frame capture and not.

Let us use Wireshark and the I/O Graph to visualize it

You have a wireless capture from a wireless network. This capture can have the data frames in it or not.
In this blog, I will use a capture from a WiFi6E network (6GHz) where the control and management frames are sent with legacy 802.11a frame format and the data frames are sent with 802.11ax frame format. The capturing NIC is not capable to capture the 802.11ax data frames, so the only frames we have in the capture is the frames sent with legacy frame format, 802.11a. This is mainly managements and control type of frames
This can happen with all types of wireless frame captures where the capturing device is not capable to capture some of the frames.
The frame capture is done by Josh Schmelzie.

Open the pcap the first time
When I open the pcap the first time I will look for frames between the AP and the selected client/station. One of the TXOPs looks like this:

Picture 1: A TXOP without captured Data frames

As we can see, this captured TXOP consists of Request To Send (RTS), Clear To Send (CTS), and 802.11 BlockAck. Not any data frames. But if you look into the left red rectangle showing Time, delta displayed, there is a jump of 140 microseconds between the CTS and the BlockAck. And because of the presence of the BlockAck, there must have been sent some data frames which are not captured.

802.11 BlockAck Packet Detail
If we look at the BlockAck frame in the Wireshark Packet detail window it looks like this:

Picture 2: 802.11 BlockAck Packet Detail

The red rectangles shows this

  • A receiver and a transmitter MAC address. We will late use these to filter for BlockAck for either downlink or uplink data frames
    • If the client is the RA-address it is a BlockAck for uplink data frames
    • If the client is the TA-address it is BlockAck for downlink data frames
  • It is a Compressed BlockAck with Immediate Acknowledgement Required. This means it is an Acknowledgement frame that can Acks several sub-frames from an A-MPDU and that the BlockAck is sent directly after receiving the data frames
  • TID (Traffic Identifier). TID is related to the QoS marking of frames. This is outside the scope of this article. For now, we are interested in the data frames sent with QoS-marking of Best Effort and has TID-value of 0
  • Starting Sequence Number. Dependent on which type of BlockAck type is been used it could have different values. In this example, it describes the first Sequence Number of the received data frame in this TXOP.
  • The BlockAck Bitmap shows in this example that the receiver has correctly received three sequence numbers and it expects the sequence number of 1645 to be the first in the next TXOP
  • I have written a blog article where I describe the two different BlockAck Bitmap types, look here

So now we know, for this TXOP, the receiver has received data frames in an A-MPDU consisting of three sequence numbers (1642-1644). And we know the traffic identifier (TID) is in category 0, which means Best Effort traffic. And the client address is an RA-address, which means it is a BlockAck for uplink data frames

Making a display filter to show only selected frames
If we spin further on these BlockAck and make a display filter that filter on BlockAck in this direction and with TID=0 for this particular client it would look like this:

Picture 3: Filtered on BlockAck with TID=0 for a particular client

The display filter is this one:

wlan.fc.type_subtype==25 and wlan.ra==22:70:a3:04:5d:67 and == 0x0

I have added columns for Starting Sequence number, BlockAck Bitmap, and TID-info.
As we can see, the Starting Sequence number increases for each BlockAck
With this display filter active it is possible to scroll up/down and look at the pattern of Starting Sequence number, but let us use I/O Graphs i Wireshark

Using Wireshark I/O Graph to visualize data flow by looking at BlockAck Starting Sequence number
The selected display filter in Wireshark will follow when you start I/O Graph under Statistics. After starting the I/O Graphs you should do this in the lower window, for the selected graph line

  • Change Graph Name to something meaningful. Since my filter is for BlockAck with the client as receiver address (RA), this is for uplink data frames. Therefore UL Data
  • The display filter is the one from Wireshark
  • I have also changed the color to red
  • In style, the default is Line. In this example, you can change between Line and Dot and see the difference. I use Dot
  • Y Axis. Here you tell what type of number the Y Axis shall show. The default is packet. Since we want to look at starting sequence number we must change it to MAX (Y field)
  • Y Field. Now we must describe which values we want to show on the Y axis. We want to show Starting Sequence number. The easiest way to do this is to go into the Packet detail window and point with the mouse on the line showing Starting Sequence number, left-click and select Copy/Field Name. And paste it in the Y Field.
  • Interval. The default is 1 sec. It is important to change this to 1ms

It should look like this:

Picture 4: I/O Graph Control Window

If we now look at the upper part of the I/O Graph windows it looks like this:

Picture 5: Flow of BlockAck Starting Sequence number for uplink data

What do we see

  • Each red dot is the Starting Sequence number from each BlockAck from the AP to the client for this particular TID-category
  • The Starting Sequence number goes from 0 to 4095 and then restart at 0
  • From approx 6 sec to approx 12 sec it seems like there has been a steady upstream data flow (from client to AP). The dots are pretty close so it indicates a relatively small number of sequence numbers in each TXOP.
  • From approx 12 sec to approx 35 sec there have only been two BlockAcks, and after 35 sec there is some data traffic UL
  • Since the hop in the starting sequence number is small between the last BlockAck at 12 sec and the next at 25 sec there is no BlockAck hidden in other not captured frames. The jump is only 1, from 3254 to 3255.
  • Remember that is only for TID category 0. It can have been traffic in other TID categories.
  • Remark: In this example, there is a small number of sequence numbers in each TXOP. If you test with SpeedTest or file transfer, each TXOP consist usually of a much higher amount of sequence number and the gap between each dot would have increased.

The other direction
In the above example, the BlockAck had the client as the “RA” (receiver address), which means the BlockAck was for uplink data flow. If we in the lower window of I/O Graph makes a copy of the line and only change the RA-address to TA-address we will see the flow in the other direction, the downlink data flow. This one is green. Like this:

Picture 6: Flow of BlockAck Starting Sequence number in both directions

What about the other client in the capture
The capture also consists of another client which is receiving/sending data frames to/from the AP based on the TXOPs we see in the capture. Let us quickly also make some graph of its traffic by only copy line in the I/O Graph and implement the other client’s MAC address. It looks like this:

Picture 7: Flow of BlockAck Starting Sequence number for two clients in both directions

The first client is the red and green ones and the other client’s flow is shown with yellow and blue.
As we can see, the two clients have different traffic pattern

I have in this blog showed how we can use information in the 802.11 BlockAck frames to predict and visualize data flow between the AP and a client only by looking at the BlockAck Starting Sequence number.
And this is done without seeing any data frames in the capture
This can be done independently of the data frames are captured or not.

In later blogs, I will use this knowledge to predict the flow of OFDMA data frames without capturing the actual data frames

2 thoughts on “Use 802.11 BlockAck to Predict the Data Flow in a WiFi Network Without Seeing the Data Frames

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s