How to verify whether 802.11k and 11r are enabled (via a capture)

I was chatting with my old colleague and friend Vince Folk from Vocera recently when he challenged me to name the Information Elements you would find 802.11k/r settings in.

Immediately my smugness shot to Maximum because this is something I’m very familiar with, you might even have seen my WLPC EU 2019 video analysing 802.11k/r/v. However, as the biotic hamsters in my dusty shell of a skull scurried around trying to find the grey matter holding this information my smugness waned.

When Vince finally put me out of my misery the IE names did not ring a bell with me. Not a single one! So the only reasonable course of action was to blog about it, to cement it into the aforementioned grey matter, and hopefully help someone else out too.

Now, if you’ve ever poked around the 802.11 standard document or got into 802.11 analysis you’ve no doubt noticed the convolution around naming conventions. One of the easiest examples of this is the PHY naming conventions – we all refer to it as 11ac but it is officially referred to as ‘Very High Throughput’ (VHT) in the 802.11 standard document. I won’t go into why that is, if you want to know just tweet or email me.

As a side note, if you were one of those people who thought to yourself “or Wi-Fi 5 now, muhahah” when reading the above then congratulations, people hate you. You know who you are.

Side side note, I have nothing against the new WFA brand names for Wi-Fi, I actually think it is helpful from a consumer point of view.

ANYWAY, enough ramblings! Why did I bring up the naming conventions? Because 802.11k/r are no different, and this can cause confusion when looking for them in a packet capture.

802.11k

The working group was called ‘802.11k’, and last time I checked, both Cisco and Aruba list this feature under that name. However, the feature is actually known as ‘Radio Resource Measurement’ and ‘Radio Measurement’ within the 802.11 standard itself (which makes things even more confusing because of the common industry term ‘Radio Resource Management’, which has nothing to do with it).

This is important because when we look at a Beacon frame we are looking for an Information Element named “RM Enabled Capability”. What do ya think the “RM” part of that stands for…? Radio Measurement.

If there is no RM Enabled Capability IE (Information Element) then 802.11k is NOT enabled on that SSID. If it is there then I think you can safely assume 802.11k is supported, but more specifically you can check whether the Neighbor Report bit is shown as Enabled in the first RM Capabilities octet.

Here is what it looks like in Wireshark

Wireshark example of RM Enabled Capabilities and Neighbor Report elements within a beacon frame

Here is what it looks like in Omnipeek

Omnipeek example of RM Enabled Capabilities and Neighbor Report elements in a Beacon

802.11r

What about 802.11r? Do we have the same naming confusion? Of course we do!!!

Again, the working group was 802.11r but the feature is known as ‘Fast BSS Transition’ or ‘Fast Transition’. Cisco refers to it as ‘Fast Transition’ and Aruba refers to it as ‘802.11r’.

So what about the beacon information element? Consistent? Similar? Nope!

The beacon IE itself is called “Mobility Domain”. This is easily confused with the exact same term Cisco uses for a completely unrelated function (to be clear, I believe Cisco used the term before 802.11 did). Once you dig into the Mobility Domain IE you will then see the terms ‘FT’ and ‘Fast BSS Transition’ being used.

If you do not see the Mobility Domain IE then the SSID does NOT support 802.11r. If it does exist, expand the ‘FT Capability and Policy’ sub-element to identify whether the SSID is using ‘FT Over the Air’ or ‘FT Over the DS’. You won’t find two separate settings, though: this is a binary decision, one or the other must be used. Therefore the single parameter ‘Fast BSS Transition over DS’ indicates which it is; Enabled means Over the DS is used, and Disabled means Over the Air is used.
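To show both checks in code, here is an added example (not the post's own code) that walks a beacon's tagged parameters and reports exactly what you would read by eye: whether the RM Enabled Capabilities IE is present with its Neighbor Report bit set (802.11k), and whether the Mobility Domain IE is present with its ‘Fast BSS Transition over DS’ bit set or clear (802.11r). The element IDs and bit positions are from the 802.11 standard; the beacon bytes are constructed for the example, not taken from a capture.

```python
# Added example (not the post's own code): walk a beacon's tagged parameters and
# report 802.11k / 802.11r support the way you would by eye in Wireshark or Omnipeek.
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

# Element IDs from IEEE 802.11: Mobility Domain = 54, RM Enabled Capabilities = 70
EID_MOBILITY_DOMAIN = 54
EID_RM_ENABLED_CAPABILITIES = 70
BEACON_FIXED_LEN = 12  # timestamp (8) + beacon interval (2) + capability info (2)

@dataclass
class RoamingSupport:
    dot11k: bool                # RM Enabled Capabilities IE present
    neighbor_report: bool       # bit 1 of the first RM capabilities octet
    dot11r: bool                # Mobility Domain IE present
    mdid: Optional[int]         # Mobility Domain Identifier (MDID)
    ft_over_ds: Optional[bool]  # bit 0 of FT Capability and Policy

def iter_elements(body: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (element id, payload) from the tagged-parameter section of a beacon body."""
    i = BEACON_FIXED_LEN
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        payload = body[i + 2:i + 2 + length]
        if len(payload) < length:
            break  # truncated element: stop rather than mis-parse the tail
        yield eid, payload
        i += 2 + length

def check_roaming(body: bytes) -> RoamingSupport:
    r = RoamingSupport(False, False, False, None, None)
    for eid, p in iter_elements(body):
        if eid == EID_RM_ENABLED_CAPABILITIES and len(p) >= 1:
            r.dot11k = True
            r.neighbor_report = bool(p[0] & 0x02)
        elif eid == EID_MOBILITY_DOMAIN and len(p) >= 3:
            r.dot11r = True
            r.mdid = int.from_bytes(p[:2], "little")
            r.ft_over_ds = bool(p[2] & 0x01)
    return r

# Constructed beacon body (not a real capture): fixed fields, SSID "lab", RM Enabled
# Capabilities with Neighbor Report set, Mobility Domain with FT over the DS enabled.
SAMPLE_BEACON = (
    bytes(8) + b"\x64\x00" + b"\x11\x04"                     # timestamp, 100 TU, capability
    + bytes([0, 3]) + b"lab"                                   # SSID element
    + bytes([EID_RM_ENABLED_CAPABILITIES, 5, 0x72, 0, 0, 0, 0])
    + bytes([EID_MOBILITY_DOMAIN, 3, 0x34, 0x12, 0x01])
)
```

The 0x72 first RM octet is a common real-world value (Neighbor Report plus the beacon measurement bits); on a real capture, feed the beacon frame body (from the timestamp onward) to check_roaming.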

Here is what it looks like within Wireshark, including the sub-element identifying that the SSID uses FT ‘Over The DS’.

Here is what it looks like within Wireshark, including the sub-element identifying that the SSID uses FT ‘Over The Air’ (because Over The DS is disabled).

Here is what it looks like within Omnipeek, including the sub-element identifying that the SSID uses FT ‘Over The DS’.

Here is what it looks like within Wireshark, including the sub-element identifying that the SSID uses FT ‘Over The Air’.

Hope that helps someone. As always, any comments welcome. And if you spot anything I’ve got wrong please let me know!

3 Replies to “How to verify whether 802.11k and 11r are enabled (via a capture)”

  1. Well my friend…I am sitting in Louisville looking at a trace, and I needed to verify 802.11k has been enabled…I googled it and whose name pops up but Mac-wifi….so glad you came back home to Vocera

  2. Great article and I really enjoyed your WLPC EU 2019 video analysing 802.11k/r/v.

    Have you had a chance to analyse 802.11k/r/v using Cisco 9800 series controllers?
