Perhaps no aspect of the 802.11 frame structure causes more confusion than the address fields. While Ethernet frames have exactly two addresses (source and destination), 802.11 frames can have up to four addresses, and their interpretation changes based on the To DS and From DS bits in the Frame Control field.
This complexity stems from a fundamental architectural difference: in wireless networks, the access point (AP) serves as a relay between wireless stations and the wired infrastructure. A frame traveling from one wireless station to another must pass through the AP, requiring the frame to encode not just the ultimate source and destination, but also the intermediate relay addresses.
Understanding address fields is essential for anyone analyzing WiFi captures, debugging connectivity issues, or implementing wireless protocols. Let's unravel this complexity systematically.
By the end of this page, you will master the four address field scenarios (To DS/From DS combinations), understand the difference between transmitter/receiver and source/destination addresses, trace frame flow through infrastructure and WDS topologies, and interpret address fields in real packet captures.
Before diving into the four scenarios, we must clearly distinguish the address types used in 802.11. Confusing these terms leads to misunderstanding frame flow.
Physical vs. Logical Addresses:
| Address | Full Name | Description | Scope |
|---|---|---|---|
| RA | Receiver Address | MAC address of the station that should receive and process this over-the-air transmission | Single wireless hop |
| TA | Transmitter Address | MAC address of the station that transmitted this frame over the air | Single wireless hop |
| DA | Destination Address | Final destination of the payload (MAC Service Data Unit - MSDU) | End-to-end |
| SA | Source Address | Original source of the payload (MSDU) | End-to-end |
| BSSID | Basic Service Set ID | Unique identifier for the BSS (typically the AP's MAC address) | BSS identification |
Critical Distinction:
In point-to-point communication (station directly to its AP), RA equals DA and TA equals SA. But when frames traverse multiple hops (through the AP to another station) or bridge through WDS, these addresses diverge.
Address Field Layout:
```
802.11 MAC Header Address Fields:

┌───────────┬─────────┬─────────────────┬───────────────────────┐
│ Field     │ Size    │ Always Present? │ Contents Vary By      │
├───────────┼─────────┼─────────────────┼───────────────────────┤
│ Address 1 │ 6 bytes │ Yes             │ Frame type            │
│ Address 2 │ 6 bytes │ Yes*            │ Frame type            │
│ Address 3 │ 6 bytes │ Yes*            │ To DS / From DS bits  │
│ Address 4 │ 6 bytes │ No**            │ To DS=1 AND From DS=1 │
└───────────┴─────────┴─────────────────┴───────────────────────┘

 * Address 2 and 3 absent in some control frames (ACK, CTS)
** Address 4 only present when both To DS and From DS are set (WDS mode)

Physical Position in Frame (after Duration/ID):
┌───────────┬───────────┬───────────┬──────────┬────────────────────────┐
│ Address 1 │ Address 2 │ Address 3 │ Seq Ctrl │ Address 4 (if present) │
│ 6 bytes   │ 6 bytes   │ 6 bytes   │ 2 bytes  │ 6 bytes                │
└───────────┴───────────┴───────────┴──────────┴────────────────────────┘
```

Regardless of the To DS/From DS combination, Address 1 always contains the address of the station that should receive the frame. This allows hardware to quickly filter frames by checking Address 1 against its own MAC address or the broadcast address.
When both To DS and From DS are zero, the frame is transmitted in an Independent Basic Service Set (IBSS)—also known as ad-hoc mode—or it's a management frame. In this scenario, there is no access point mediating communication.
Address Interpretation:
| Field | Contains | Description |
|---|---|---|
| Address 1 | DA (Destination Address) | MAC address of the receiving station or broadcast |
| Address 2 | SA (Source Address) | MAC address of the transmitting station |
| Address 3 | BSSID | BSS identifier (randomly generated in IBSS) |
| Address 4 | Not present | — |
```
IBSS Topology (Ad-hoc Network):

  IBSS
  BSSID: 02:11:22:33:44:55

  Station A                              Station B
  AA:AA:AA:AA:AA:AA ←──────────────────→ BB:BB:BB:BB:BB:BB
                    Direct Communication
                       (no AP needed)

Station A sends data to Station B:

Frame Control: Type=Data, To DS=0, From DS=0
┌──────────────────────┬──────────────────────────────────────────────────┐
│ Address 1 (DA)       │ BB:BB:BB:BB:BB:BB (Station B - receiver)         │
├──────────────────────┼──────────────────────────────────────────────────┤
│ Address 2 (SA)       │ AA:AA:AA:AA:AA:AA (Station A - sender)           │
├──────────────────────┼──────────────────────────────────────────────────┤
│ Address 3 (BSSID)    │ 02:11:22:33:44:55 (IBSS identifier)              │
└──────────────────────┴──────────────────────────────────────────────────┘

Station B responds with ACK:
┌──────────────────────┬──────────────────────────────────────────────────┐
│ Address 1 (RA)       │ AA:AA:AA:AA:AA:AA (Station A - ACK receiver)     │
└──────────────────────┴──────────────────────────────────────────────────┘
Note: ACK frames only contain Address 1
```

Management Frames and To DS/From DS:
Management frames also use To DS=0, From DS=0 regardless of whether they're in infrastructure or IBSS mode. The address interpretation is:
| Frame Type | Address 1 | Address 2 | Address 3 |
|---|---|---|---|
| Beacon | Broadcast (FF:...:FF) | BSSID (AP MAC) | BSSID |
| Probe Request | Broadcast | Requesting STA | Wildcard or specific BSSID |
| Probe Response | Requesting STA | BSSID | BSSID |
| Authentication | Receiving STA/AP | Sending STA/AP | BSSID |
| Association Req | BSSID (AP) | Client STA | BSSID |
| Association Resp | Client STA | BSSID (AP) | BSSID |
In IBSS mode, the BSSID is randomly generated by the station that initiates the network, with the local bit (bit 1 of byte 0) set to 1 to indicate a locally administered address. Other stations joining the IBSS adopt this BSSID.
When a wireless station sends data toward the Distribution System (DS)—meaning the wired network or another BSS—it sets To DS=1 and From DS=0. This is the most common scenario for upstream traffic from clients to the network.
Address Interpretation:
| Field | Contains | Description |
|---|---|---|
| Address 1 | BSSID (RA) | The AP's MAC address—immediate receiver of the frame |
| Address 2 | SA (TA) | The station's MAC address—source and transmitter |
| Address 3 | DA | Final destination—may be on wired network or same BSS |
| Address 4 | Not present | — |
```
Infrastructure BSS - Station to AP:

  Access Point                            Internet
  BSSID: AP:AP:AP:AP:AP:AP ═══════════════════════►
        ▲
        │ Wireless
        │ Frame
        │
  Station A
  AA:AA:AA:AA:AA:AA

  Destination: Server 55:55:55:55:55:55 (on wired network)

Station A sends HTTP request to server on wired network:

Frame Control: Type=Data, To DS=1, From DS=0
┌──────────────────────┬──────────────────────────────────────────────────┐
│ Address 1 (BSSID/RA) │ AP:AP:AP:AP:AP:AP (AP receives this frame)       │
├──────────────────────┼──────────────────────────────────────────────────┤
│ Address 2 (SA/TA)    │ AA:AA:AA:AA:AA:AA (Station A is source)          │
├──────────────────────┼──────────────────────────────────────────────────┤
│ Address 3 (DA)       │ 55:55:55:55:55:55 (Server is final destination)  │
└──────────────────────┴──────────────────────────────────────────────────┘

The AP processes this frame and:
1. Strips the 802.11 header
2. Creates an Ethernet frame with SA=AA:AA:AA:AA:AA:AA, DA=55:55:55:55:55:55
3. Sends onto the wired network
```

Same-BSS Communication:
When Station A communicates with Station B within the same BSS, the frame still goes through the AP:
This is why the AP must be operational for infrastructure mode communication—even between stations that could theoretically reach each other directly.
Key Insight: In this scenario, the AP's MAC address (BSSID) appears in Address 1, allowing the AP's hardware to quickly identify frames destined for it. The true destination is in Address 3, which the AP reads after accepting the frame.
The To DS bit is part of the unencrypted Frame Control field. An attacker monitoring traffic can identify stations (Address 2) and their traffic destinations (Address 3) even with payload encryption enabled. This metadata exposure is a fundamental limitation of 802.11.
When the Access Point sends data to a wireless station—traffic coming from the Distribution System—it sets To DS=0 and From DS=1. This is the downstream traffic pattern from network to clients.
Address Interpretation:
| Field | Contains | Description |
|---|---|---|
| Address 1 | DA (RA) | Destination station's MAC—immediate receiver |
| Address 2 | BSSID (TA) | AP's MAC address—transmitter of this frame |
| Address 3 | SA | Original source—may be on wired network or another STA |
| Address 4 | Not present | — |
```
Infrastructure BSS - AP to Station:

  Server                          Access Point
  55:55:55:55:55:55 ════════════► BSSID: AP:AP:AP:AP:AP:AP
                                          │
                                          │ Wireless
                                          │ Frame
                                          ▼
                                  Station A
                                  AA:AA:AA:AA:AA:AA

AP sends HTTP response from server to Station A:

Frame Control: Type=Data, To DS=0, From DS=1
┌──────────────────────┬──────────────────────────────────────────────────┐
│ Address 1 (DA/RA)    │ AA:AA:AA:AA:AA:AA (Station A receives this)      │
├──────────────────────┼──────────────────────────────────────────────────┤
│ Address 2 (BSSID/TA) │ AP:AP:AP:AP:AP:AP (AP transmitted this)          │
├──────────────────────┼──────────────────────────────────────────────────┤
│ Address 3 (SA)       │ 55:55:55:55:55:55 (Server was original source)   │
└──────────────────────┴──────────────────────────────────────────────────┘

Station A's wireless NIC:
1. Checks Address 1 matches its MAC ✓
2. Checks Address 2 matches its associated AP's BSSID ✓
3. Passes frame up the stack with SA=55:55:55:55:55:55, DA=AA:AA:AA:AA:AA:AA
```

Station-to-Station via AP (Complete Flow):
Let's trace a complete data exchange between two wireless stations in the same BSS:
Station A (AA:...) wants to send to Station B (BB:...)
AP BSSID: AP:AP:AP:AP:AP:AP
Frame 1: Station A → AP
To DS=1, From DS=0
Addr1=AP:AP:... (RA) Addr2=AA:AA:... (SA/TA) Addr3=BB:BB:... (DA)
Frame 2: AP → Station A (ACK)
Control frame, Addr1=AA:AA:... (RA)
Frame 3: AP → Station B
To DS=0, From DS=1
Addr1=BB:BB:... (DA/RA) Addr2=AP:AP:... (TA) Addr3=AA:AA:... (SA)
Frame 4: Station B → AP (ACK)
Control frame, Addr1=AP:AP:... (RA)
Notice how the addresses shift as the frame transits the AP. Address 3 carries the 'other' address in both directions.
When traffic goes from Station A (BSS1) through AP1, to AP2, and finally to Station B (BSS2), the wired section uses standard Ethernet addressing. Each wireless hop uses the appropriate To DS/From DS configuration for its direction.
The Wireless Distribution System (WDS) enables access points to communicate with each other wirelessly, extending network coverage without wired backhaul. When both To DS and From DS are set, the frame requires all four address fields because we need to track:
Address Interpretation:
| Field | Contains | Description |
|---|---|---|
| Address 1 | RA | Receiving AP's MAC address |
| Address 2 | TA | Transmitting AP's MAC address |
| Address 3 | DA | Final destination station's MAC |
| Address 4 | SA | Original source station's MAC |
```
WDS Topology - Two APs Bridging:

  Station A                WDS Link           Station B
  AA:AA:AA:AA:AA:AA       (Wireless)          BB:BB:BB:BB:BB:BB
        │                                           │
        │                                           │
        ▼                                           ▼
  ┌────────────┐                              ┌────────────┐
  │    AP1     │◄════════════════════════════►│    AP2     │
  │ A1:A1:...  │                              │ A2:A2:...  │
  └────────────┘          WDS Bridge          └────────────┘

Station A sends data to Station B (across WDS):

Step 1: Station A → AP1 (Normal infrastructure frame)
  To DS=1, From DS=0
  Addr1=A1:A1:... (AP1)  Addr2=AA:AA:... (STA A)  Addr3=BB:BB:... (STA B)

Step 2: AP1 → AP2 (WDS frame - ALL FOUR ADDRESSES)
  To DS=1, From DS=1
┌──────────────────────┬──────────────────────────────────────────────────┐
│ Address 1 (RA)       │ A2:A2:A2:A2:A2:A2 (AP2 receives this)            │
├──────────────────────┼──────────────────────────────────────────────────┤
│ Address 2 (TA)       │ A1:A1:A1:A1:A1:A1 (AP1 transmitted this)         │
├──────────────────────┼──────────────────────────────────────────────────┤
│ Address 3 (DA)       │ BB:BB:BB:BB:BB:BB (Station B is destination)     │
├──────────────────────┼──────────────────────────────────────────────────┤
│ Address 4 (SA)       │ AA:AA:AA:AA:AA:AA (Station A was source)         │
└──────────────────────┴──────────────────────────────────────────────────┘

Step 3: AP2 → Station B (Normal infrastructure frame)
  To DS=0, From DS=1
  Addr1=BB:BB:... (STA B)  Addr2=A2:A2:... (AP2)  Addr3=AA:AA:... (STA A)
```

WDS Link Types:
| Configuration | Description | Use Case |
|---|---|---|
| Point-to-Point | Two APs bridged | Building-to-building link |
| Point-to-Multipoint | One AP, multiple remote APs | Hub-and-spoke network extension |
| Bridge with clients | AP serves clients AND bridges | Coverage extension with client service |
| Mesh (802.11s) | Dynamic AP-to-AP paths | Self-healing mesh networks |
WDS Limitations:
IEEE 802.11s mesh networks use the four-address format extensively. Each mesh point (MP) forwards frames toward the destination, with Address 1/2 tracking the current hop and Address 3/4 tracking the end-to-end path. The Mesh Control field (in the frame body) provides additional routing information.
The following comprehensive table summarizes all address field interpretations. This is the authoritative reference for address decoding:
| To DS | From DS | Address 1 | Address 2 | Address 3 | Address 4 | Scenario |
|---|---|---|---|---|---|---|
| 0 | 0 | DA (Destination) | SA (Source) | BSSID | (not present) | IBSS, Management frames |
| 0 | 1 | DA (Destination) | BSSID (Transmitter) | SA (Source) | (not present) | AP to Station |
| 1 | 0 | BSSID (Receiver) | SA (Source/Transmitter) | DA (Destination) | (not present) | Station to AP |
| 1 | 1 | RA (Receiver AP) | TA (Transmitter AP) | DA (Destination) | SA (Source) | WDS (AP to AP) |
Quick Reference Rules:
Control frames use fewer addresses:
- ACK/CTS: Only Address 1 (RA) — the station receiving the acknowledgment
- RTS: Address 1 (RA) and Address 2 (TA)
- PS-Poll: Address 1 (BSSID) and Address 2 (TA)
- Block Ack Request/Block Ack: Address 1 and Address 2
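The summary table and the control-frame rules above, combined into one decoder. This is an added example, not code from the original page: the function and constant names are this example's own, the input is assumed to be a raw 802.11 MAC header with no radiotap header in front, and the sample headers are constructed from addresses used in this page's examples.

```python
# Roles of Address 1..4 in data frames, keyed by (To DS, From DS).
DATA_ROLES = {
    (0, 0): ("DA", "SA", "BSSID"),
    (0, 1): ("DA", "BSSID", "SA"),
    (1, 0): ("BSSID", "SA", "DA"),
    (1, 1): ("RA", "TA", "DA", "SA"),
}
# Control-frame subtypes and the addresses each one carries.
CONTROL_ROLES = {
    8: ("RA", "TA"), 9: ("RA", "TA"),   # Block Ack Request, Block Ack
    10: ("BSSID", "TA"),                # PS-Poll
    11: ("RA", "TA"),                   # RTS
    12: ("RA",), 13: ("RA",),           # CTS, ACK
}
# Byte offsets of Address 1..4; Sequence Control occupies bytes 22-23.
OFFSETS = (4, 10, 16, 24)


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def decode_addresses(frame):
    """Map the addresses in a raw 802.11 MAC header (no radiotap) to roles."""
    if len(frame) < 2:
        raise ValueError("missing Frame Control field")
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    to_ds, from_ds = frame[1] & 0x01, (frame[1] >> 1) & 0x01
    if ftype == 2:                      # data: layout depends on the DS bits
        roles = DATA_ROLES[(to_ds, from_ds)]
    elif ftype == 0:                    # management: DA, SA, BSSID
        roles = DATA_ROLES[(0, 0)]
    elif ftype == 1 and subtype in CONTROL_ROLES:
        roles = CONTROL_ROLES[subtype]
    else:
        raise ValueError(f"unsupported type {ftype}, subtype {subtype}")
    out = {"to_ds": to_ds, "from_ds": from_ds}
    for n, (role, off) in enumerate(zip(roles, OFFSETS)):
        if len(frame) < off + 6:
            raise ValueError(f"truncated before end of Address {n + 1}")
        out[role] = mac(frame[off:off + 6])
        if n < 2:   # Address 1 is always the receiver, Address 2 the transmitter
            out.setdefault(("RA", "TA")[n], out[role])
    return out


# Constructed headers: Frame Control, zero Duration, addresses, Sequence Control.
TO_AP = bytes.fromhex("8841 0000 aabbccddeeff 112233445566 778899aabbcc 0000")
WDS = bytes.fromhex("0803 0000 a2a2a2a2a2a2 a1a1a1a1a1a1 bbbbbbbbbbbb 0000 aaaaaaaaaaaa")
ACK = bytes.fromhex("d400 0000 aaaaaaaaaaaa")

if __name__ == "__main__":
    for name, frame in (("station to AP", TO_AP), ("WDS", WDS), ("ACK", ACK)):
        print(name, decode_addresses(frame))
```

A header cut off inside an address field raises `ValueError` instead of returning a partial mapping, which matters when decoding frames from a capture taken with a short snap length.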
Let's apply our knowledge to real packet capture analysis. In Wireshark, 802.11 frames display address fields with helpful labels, but understanding the underlying structure helps when labels are ambiguous or when analyzing raw hex.
Example 1: QoS Data Frame (Station to AP)
```
Frame 1: QoS Data, Flags=........T.
IEEE 802.11 QoS Data, Flags: ........T.
    Frame Control Field: 0x8841
        .... ..00 = Version: 0
        .... 10.. = Type: Data frame (2)
        1000 .... = Subtype: 8 [QoS Data]
        Flags: 0x41
            .... ...1 = To DS: Frame directed to DS (1)   ◄── Station to AP
            .... ..0. = From DS: Frame not from DS (0)
            ...0 .... = More Fragments: No
            ..0. .... = Retry: No
            .1.. .... = PWR MGT: STA will go to sleep
    .000 0000 0000 0000 = Duration: 0 microseconds
    Receiver address: aa:bb:cc:dd:ee:ff (AP BSSID)        ◄── Address 1
    Transmitter address: 11:22:33:44:55:66 (Client)       ◄── Address 2
    Destination address: 77:88:99:aa:bb:cc (Server)       ◄── Address 3

Interpretation:
  - Client 11:22:33:44:55:66 is sending
  - To AP aa:bb:cc:dd:ee:ff
  - For delivery to server 77:88:99:aa:bb:cc on wired network
```

Example 2: QoS Data Frame (AP to Station)
```
Frame 2: QoS Data, Flags=.......F.
IEEE 802.11 QoS Data, Flags: .......F.
    Frame Control Field: 0x8802
        .... ..00 = Version: 0
        .... 10.. = Type: Data frame (2)
        1000 .... = Subtype: 8 [QoS Data]
        Flags: 0x02
            .... ...0 = To DS: Frame not directed to DS (0)
            .... ..1. = From DS: Frame from DS (1)        ◄── AP to Station
    Receiver address: 11:22:33:44:55:66 (Client)          ◄── Address 1
    Transmitter address: aa:bb:cc:dd:ee:ff (AP BSSID)     ◄── Address 2
    Source address: 77:88:99:aa:bb:cc (Server)            ◄── Address 3

Interpretation:
  - AP aa:bb:cc:dd:ee:ff received from wired network
  - Transmitting to client 11:22:33:44:55:66
  - Original source was server 77:88:99:aa:bb:cc
```

Useful filters:
- wlan.addr == AA:BB:CC:DD:EE:FF — Any address field matches
- wlan.sa == AA:BB:CC:DD:EE:FF — Source address matches
- wlan.da == AA:BB:CC:DD:EE:FF — Destination address matches
- wlan.ta == AA:BB:CC:DD:EE:FF — Transmitter address matches
- wlan.ra == AA:BB:CC:DD:EE:FF — Receiver address matches
- wlan.bssid == AA:BB:CC:DD:EE:FF — BSSID matches
Certain MAC addresses have special meaning in 802.11 networks:
Broadcast Address:
Multicast Addresses:
Locally Administered Addresses:
Null Address:
| Address Pattern | Meaning | Context |
|---|---|---|
| FF:FF:FF:FF:FF:FF | Broadcast | All stations receive |
| 01:xx:xx:xx:xx:xx | Multicast (bit 0 = 1) | Group delivery |
| x2:xx, x6:xx, xA:xx, xE:xx | Locally administered (bit 1 = 1) | Non-OUI assigned |
| 00:00:00:00:00:00 | Null/unspecified | Wildcard in scanning |
| 01:80:C2:00:00:0x | Spanning Tree | Bridge protocol frames |
To prevent tracking, modern devices use randomized MAC addresses when probing for networks. These are locally administered addresses that change periodically. When associating to a known network, the device may use its real MAC or a consistent per-network randomized address. This complicates network management but improves user privacy.
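The special-address table above, expressed as bit tests on the first octet. This is an added example, not code from the original page: the function names and label strings are this example's own, and the addresses in `SEEN` are constructed.

```python
BRIDGE_PREFIX = bytes.fromhex("0180c20000")  # the 01:80:C2:00:00:0x block


def classify_mac(addr):
    """Label a MAC address using the special patterns from the table above."""
    raw = bytes.fromhex(addr.replace(":", ""))
    if len(raw) != 6:
        raise ValueError("a MAC address has exactly 6 octets")
    # Exact matches first: FF:FF:FF:FF:FF:FF has both low bits of byte 0
    # set and would otherwise come out as multicast + locally administered.
    if raw == b"\xff" * 6:
        return {"broadcast"}
    if raw == b"\x00" * 6:
        return {"null"}
    # Bit 0 of byte 0 is the group (multicast) bit.
    labels = {"multicast" if raw[0] & 0x01 else "unicast"}
    if raw[:5] == BRIDGE_PREFIX and raw[5] <= 0x0F:
        labels.add("bridge-protocol")
    # Bit 1 of byte 0 is the locally administered bit.
    labels.add("locally-administered" if raw[0] & 0x02 else "globally-assigned")
    return labels


def randomized_candidates(addrs):
    """Return the unicast, locally administered addresses in addrs.

    A randomized client MAC has this shape, but so does an IBSS BSSID,
    so a match is a hint rather than proof of randomization.
    """
    want = {"unicast", "locally-administered"}
    return [a for a in addrs if classify_mac(a) >= want]


# Constructed transmitter addresses, as might appear in probe requests.
SEEN = ["da:a1:19:3c:5e:07", "3c:5a:b4:00:11:22", "02:11:22:33:44:55"]

if __name__ == "__main__":
    for a in SEEN + ["ff:ff:ff:ff:ff:ff", "01:80:c2:00:00:00"]:
        print(a, sorted(classify_mac(a)))
```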
We've thoroughly explored the four-address architecture of 802.11 frames. Here are the essential takeaways:
What's Next:
The next page explores the Duration Field—the key to virtual carrier sensing and NAV-based medium reservation. We'll examine duration calculations for different frame types, the contention-free period duration values, and how duration attacks work.
You now have comprehensive knowledge of 802.11 address fields across all network topologies. This understanding is essential for packet capture analysis, network troubleshooting, and protocol implementation.