802.11 Packet Capture Skillz To Pay The Bills #2 – Marking All Data Frames UP 7?

By George Stafanick, Blog Contributor
Share Post

A healthcare customer of mine is looking into a Thin OS solution. The solution is intended to be mobile. I was contracted to do a device study. A device study is a series of test conducted on the device to see how it behaves on the WiFi network. Think of it as testing driving a car before buying whereby identifying any issues and partner with the vendors to get said issues fixed.

Particularly challenging is that some thin OS vendors control much of the wireless behavior and in some cases all of it. Conducting our test we find a few items we need to get a better explanation on. One item, which I'm sharing here, is the device marks all data frames with a QoS UP value of 7.

QoS is a way to differentiate priority for particular frames. Whereby giving applications that are sensitive to latency like voice a higher priority over less sensitive applications like regular old data.

In almost all cases the only way to determine and verify if a device is marking QoS is to do a frame capture. Also QoS markings are exclusive to their direction upstream or downstream. In others words just because you mark QoS upstream, meaning coming from the device to access point, doesn't mean QoS will be marked downstream.

QoS is a complicated subject. Wired and wireless QoS are two very different beasts. In a quick overview think of WiFi QoS like this ...

There are 4 buckets where frames can be placed on a wifi radio queue. In most cases where QoS marking is not configured these frames go out at a marking of 0, best effort.



These 4 buckets have 2 QoS categories. Why are there 2 values per category? It allows you to define a priority between frames in the same category. In other words, frames not marked with QoS get marked at 0. Perhaps you want to give a higher priority to a certain data application, because everything else is getting marked at 0, but you don't want to give it voice or video. You could give it a marking of 3 since by default everything goes 0. Here are the QoS groupings.

(1,2) scavenger

(0,3) best effort

(4,5) video

(6,7) voice

You might be wondering why is the QoS values and category numbering off. Why is it not 0,1,2,3,4,5,6, and 7 ?

Think about that for a moment and here is a hint: What if you want to give the lowest prioritization to particular application ? I mentioned if QoS isn't configured all frames go out 0. Say I want an application to have less priority than the default 0 setting. This is where values 1 and 2 come into play. If a radio or traffic was configured with a QoS marking of 1 or 2 it would be given a less priority.

A much more involved discussion about IFS and random backoff timers come into play and how frames get their trigger numbers. I will save that for a future blog post. For now, you know enough to be dangerous.

Where do you find the QoS markings in an 802.11 capture ? Simply open up a data frame and mouse down to the QoS Control field.


In this example the encrypted data frame you see is an ICMP ping packet we are generating from the device. Look at the QoS marking, UP7. In layman terms this ping is on a higher priority than the customers voice phones who are marking at the default UP6. Most vendors reserve UP7. It's rarely used or at least in all the testing I've done you don't see many vendors marking UP7. They use UP6.

You might find my other blogs on frame analysis helpful:

ATM15 Ten Talk "Wifi drivers and devices" by George Stefanick

Packets never lie: An in-depth overview of 802.11 frames

[ATM16] Mobile Device Roaming Behaviors and Client Troubleshooting Best Practices