Thursday, December 20, 2012

Wi-Fi Probing Behavior and Configured Data Rates

Today, I'd like to highlight what happens under-the-covers when a client tries to connect to an AP after data rates have been manipulated. Specifically, I'm talking about the probing behavior of both the client and the AP. If you've ever wondered how this works, I'm here to tell you about it today!

A standard WLAN best practice to improve performance is to disable low data rates on the APs in an enterprise network. This helps to increase overall network capacity by eliminating overhead caused from management frames sent out at the lowest configured Basic data rate, and to ensure data frames aren't sent at the low data rates which consume large amounts of airtime for application traffic.

First, let's briefly describe how probing works in a legacy WLAN deployment, when the AP supports all 802.11b data rates (1, 2, 5.5, 11 Mbps). In this scenario, the client sends out a Probe Request at the lowest data rate it supports, typically 1 Mbps. The AP will issue a Probe Response back to the client, again at 1 Mbps. They both understand each other, life is happy!

Now let's examine what happens when data rates have been manipulated on an AP, for instance all 802.11b data rates have been disabled and 6 Mbps is now the lowest Basic data rate.

Probe Request and Response Behavior
After Data Rate Manipulation

The client probes at 1 Mbps (as usual) since it doesn't know "what's out there" yet. It's trying to discover all the nearby APs that it could connect to and what their capabilities are. So, it sends out the Probe Request at the lowest data rate it supports to achieve the maximum visibility and trigger all nearby APs to respond.

Probe Request at 1 Mbps

Now, what our AP with manipulated data rates does is the interesting part. Even though it can properly receive and decode the client's Probe Request at 1 Mbps, it is only configured to support 802.11g/n data rates (6 Mbps and higher). So what does it do? It issues a Probe Response at it's configured lowest data rate. After all, the configuration policy now states that all 802.11b data rates are disabled, so let's respond to the client at our lowest Basic data rate of 6 Mbps. If the client is 802.11g capable it will still be able to decode the frame and process the response. We also inform the client in the Probe Response of the supported rates and which ones are mandatory (the meaning of 'Basic' rate).

Probe Response at 6 Mbps

Therefore, the probe response behavior of APs is directly tied to the configured Basic data rates; APs always respond at the lowest Basic data rate, NEVER a disabled data rate. Think about the implications this has on WLAN network operation:

  • Clients that don't support the lowest Basic data rate can't connect to the WLAN. In this example, 802.11b-only clients that don't support 802.11g/n would not be able to connect.
  • Clients that have too low an SNR to decode the lowest Basic data rate won't be able to connect to the WLAN; they won't be able to decode the response frame from the AP. Data rate manipulation can effectively be used to limit the size and "association range" of a Wi-Fi access point (but not the "coverage range" since the signal still travels just as far and can cause interference even though it can't be decoded). Now think about the implications on association range if we made 18 Mbps the lowest Basic data rate.
It's worth noting that 802.11n requires at-least one legacy 802.11a/b/g data rate configured as a Basic data rate. Therefore, WLAN vendors that have the ability to allow only 802.11n clients and reject legacy 802.11a/b/g clients do so through other methods unrelated to data rate manipulation, typically by rejecting association requests by clients that don't advertise support for 802.11n MCS rates.



  1. What are you using for this capture and output? Doesn't look like Wireshark.

  2. Wildpackets Omnipeek, highly recommend!

  3. If I want to correctly disable all legacy b data rates and support g only in my Cisco environment, would I select 12Mbps as 'required', all higher rates as 'supported' and 6Mbps as 'supported' as well?
    Thanks Andrew!

    1. Disable 1, 2, 5.5, and 11 Mbps. Of the remaining data rates between 6 - 54 Mbps you need at least one Mandatory. Which one or more you select needs to be based on your RF design and site survey to ensure adequate coverage without any gaps. Other multicast and capacity factors play a role on this decision as well.

  4. Hi,
    What version of Omnipeek are you using?

  5. Andrew, if a client don't ACK to probe response (because cannot decode it) - will AP retry this frame to client? This is poor behavior, i think...

  6. Andrew, if a client don't ACK to probe response (because cannot decode it) - will AP retry this frame to client? This is poor behavior, i think...