Networking · 10.01.2025

WiFi Physical Layer - From Electromagnetic Waves To Bytes

The Question Nobody Answers

I was reading the 802.11 spec for the third time (yes, I have problems), and I kept hitting the same wall. Every tutorial, every book, every course starts the same way:

"The MAC layer receives frames..."

Wait. RECEIVES from where? How did those frames get there? What happened before the MAC layer saw anything?

Everyone talks about MAC addresses, frame formats, and collision detection. But nobody explains the actual physics of how your WiFi adapter converts invisible electromagnetic waves oscillating at 2.4 billion times per second into the bytes that your operating system can read.

It took me two weeks to piece this together from RF engineering papers, chipset datasheets, and learning about quadrature demodulation and OFDM symbol timing. Finally, I understood the magic that happens before Layer 2 even exists.

This is that story - the complete journey from antenna to MAC layer.

The Problem: Electromagnetic Waves Aren't Digital

Here's the fundamental challenge: WiFi transmits information as electromagnetic waves - continuously varying electric and magnetic fields propagating through space at the speed of light. But your computer needs discrete bits: 0s and 1s.

The Gap Between Physics And Computation:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

What's Actually In The Air:
 ╱╲ ╱╲ ╱╲ ╱╲ ╱╲
 ╱ ╲ ╱ ╲ ╱ ╲ ╱ ╲ ╱ ╲ Continuous electromagnetic
 ╱ ╲╱ ╲╱ ╲╱ ╲╱ ╲ wave at 2.4 GHz
 
 Amplitude, phase, and frequency varying
 continuously over time...

What Your Computer Needs:
 01001000 01100101 01101100 01101100 01101111
 
 Discrete digital bits representing
 "Hello" in ASCII

HOW do we get from one to the other?

The answer involves multiple stages of signal processing, each solving a specific problem. Let's build this up step by step.

Stage 1: The Antenna - Converting EM Fields To Voltage

Your WiFi antenna is just a piece of metal - usually a wire or printed circuit board trace cut to a specific length. But this simple piece of metal does something remarkable: it converts electromagnetic radiation into voltage.

How Antennas Work

When an electromagnetic wave passes by a conductor, the oscillating electric field causes electrons in the metal to move back and forth. This creates a tiny alternating current - typically in the microvolt range.

Antenna As EM Field Detector:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Electromagnetic Wave Approaching:
 E-field
 ↕
 ╱╲ ↕ ╱╲
 ╱ ╲ ↕ ╱ ╲ Wave traveling →
 ╱ ╲ ↕ ╱ ╲
 ↕
 
Antenna (piece of wire):
 │←─ λ/4 ─→│
 ▓▓▓▓▓▓▓▓▓▓ ← Conductor
 
E-field pushes electrons up and down:
 
 t=0: ↑ e⁻ flow High voltage at top
 │
 ▓
 
 t=T/2: ↓ e⁻ flow High voltage at bottom
 │
 ▓

Result: AC voltage at ~2.4 GHz
Amplitude: ~1-100 microvolts (very weak!)

Why λ/4 length? At 2.4 GHz, the wavelength λ is:

$$\lambda = \frac{c}{f} = \frac{3 \times 10^8\ \text{m/s}}{2.4 \times 10^9\ \text{Hz}} = 0.125\ \text{m} = 12.5\ \text{cm}$$

A quarter-wavelength (λ/4) antenna is about 3.1 cm - this length resonates at the desired frequency, maximizing energy capture.

The Signal Is Incredibly Weak

At this point, we have a problem: the signal from the antenna is tiny. At -70 dBm (a typical WiFi signal strength), the power is:

$$P = 10^{(-70/10)}\ \text{mW} = 0.0000001\ \text{mW} = 100\ \text{picowatts}$$

That's 0.0000000001 watts. To put this in perspective, a single grain of rice falling from your desk to the floor has about 100,000 times more energy.

We need to amplify this signal without adding too much noise.

Stage 2: RF Front-End - Amplification And Frequency Conversion

The RF front-end is the analog circuitry that processes the raw antenna signal. It has three main jobs:

Job 1: Low Noise Amplification (LNA)

The first component the signal hits is the Low Noise Amplifier (LNA). This is a carefully designed amplifier that boosts the signal by 10-20 dB (10x to 100x in power) while adding minimal noise.

Low Noise Amplifier:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Input from Antenna:                    Output to Mixer:
~10 microvolts                         ~500 microvolts

   ╱╲╱╲                                  ╱╲  ╱╲  ╱╲
  ╱    ╲    ──→ [LNA] ──→               ╱  ╲╱  ╲╱  ╲
   Weak                            Stronger, but same frequency

Gain: ~20 dB (100x power, 10x voltage)
Noise Figure: ~2 dB (adds minimal noise)

Why "Low Noise"?
Any noise added here gets amplified by ALL
subsequent stages. The LNA determines the
overall receiver sensitivity.

The LNA's design is critical. If it adds too much noise, the signal-to-noise ratio (SNR) drops, and you lose data. Good LNAs use special low-noise transistors (like GaAs FETs) and careful impedance matching.

Job 2: Bandpass Filtering

After amplification, the signal goes through a bandpass filter that removes frequencies outside the WiFi band:

Bandpass Filter:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

 Filter Response
 │ ┌─────┐
 │ │ │ Pass: 2.4-2.5 GHz
Gain│ │ │
 │ │ │
 │ ───────┘ └───── Reject: everything else
 └─────────────────────→ Frequency
 2.4 GHz 2.5 GHz

Removes:
- Cellular signals (800-2000 MHz)
- Bluetooth (overlaps, but filtered after mixing)
- Harmonics and spurious signals
- Out-of-band interference

This filter is typically implemented with SAW (Surface Acoustic Wave) filters - tiny quartz crystals that mechanically resonate at specific frequencies.

Job 3: Frequency Downconversion (Mixing)

Here's where it gets interesting. We can't digitize a 2.4 GHz signal directly - that would require an ADC sampling at 5+ GHz, which is expensive and power-hungry. Instead, we use mixing to shift the signal down to a lower frequency.

A mixer multiplies the input signal with a locally generated signal (from a Local Oscillator or LO):

Frequency Mixing (Mathematical):
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

RF signal: sin(2π × 2.437 GHz × t) ← Channel 6
LO signal: sin(2π × 2.400 GHz × t) ← Local oscillator

Mixer multiplies them:
sin(A) × sin(B) = ½[cos(A-B) - cos(A+B)]

Result has TWO frequencies:
1. Sum: 2.437 + 2.400 = 4.837 GHz ← Filtered out
2. Difference: 2.437 - 2.400 = 0.037 GHz = 37 MHz ← Keep this!

We've shifted the signal from 2.437 GHz down to 37 MHz!
This is called the Intermediate Frequency (IF).

Visual representation:

Downconversion Process:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

 RF Input Local Oscillator
 2.437 GHz 2.400 GHz
 │ │
 │ │
 └──────►[MIXER]◄───────┘
 │
 ▼
 IF Output: 37 MHz
 (Much easier to digitize!)

Why is this useful? A 37 MHz signal can be digitized with a much cheaper ADC sampling at ~100 MHz, instead of needing a multi-GHz ADC.

Quadrature Downconversion (I/Q Signals)

Modern WiFi receivers use quadrature downconversion - they create two copies of the signal, mixed with local oscillators that are 90° out of phase:

I/Q Downconversion:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

 RF Input (2.437 GHz)
 │
 ┌───────────────┴───────────────┐
 │ │
 ▼ ▼
 [MIXER] [MIXER]
 ▲ ▲
 │ │
 cos(2π×LO×t) sin(2π×LO×t)
 (0° phase) (90° phase)
 │ │
 ▼ ▼
 I channel (In-phase) Q channel (Quadrature)
 
Result: Complex signal representation
I(t) + j×Q(t) captures both amplitude AND phase!

This I/Q representation is crucial because WiFi uses phase modulation - different phases represent different bit patterns. The I/Q signals together give us complete information about both amplitude and phase.
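As an added example (not code from the original post), the following plain-Python model shows why the I/Q pair matters. The numbers are scaled down: a 2437 Hz "carrier" sampled at 10 kHz stands in for 2.437 GHz, because the mixing arithmetic is identical at any frequency, and averaging over the record stands in for the lowpass filter after the mixer. A single real mixer returns only (A/2)·cos(φ), so a carrier at +45° and one at −45° are indistinguishable; the I and Q outputs together recover both amplitude and phase.

```python
import math

# Constructed, scaled-down parameters (assumption for this demo): the real carrier
# is 2.437 GHz, but a 2437 Hz "carrier" sampled at 10 kHz behaves identically and
# keeps the sample count small.
FS = 10_000          # sample rate in Hz
F_C = 2437.0         # carrier frequency in Hz (stands in for channel 6)
N = FS               # one second: an integer number of carrier cycles, so the
                     # 2*f_c mixing product averages to exactly zero

def carrier(amplitude, phase_deg):
    """Received carrier A*cos(2*pi*f_c*t + phi); A and phi carry the data."""
    phi = math.radians(phase_deg)
    return [amplitude * math.cos(2 * math.pi * F_C * n / FS + phi) for n in range(N)]

# Two copies of the local oscillator, 90 degrees apart. The minus sign on the Q
# branch is only a sign convention so that the recovered phase comes out positive.
LO_I = [math.cos(2 * math.pi * F_C * n / FS) for n in range(N)]
LO_Q = [-math.sin(2 * math.pi * F_C * n / FS) for n in range(N)]

def mix_and_lowpass(rf, lo):
    """Mixer (multiply) followed by a crude lowpass (average over the record).
    The product has a term at 2*f_c and a DC term; averaging keeps the DC term."""
    return sum(r * l for r, l in zip(rf, lo)) / N

def real_demod(rf):
    """One mixer only: yields (A/2)*cos(phi). The sign of phi is lost."""
    return mix_and_lowpass(rf, LO_I)

def iq_demod(rf):
    """Quadrature demod: I = A*cos(phi), Q = A*sin(phi) -> (amplitude, phase_deg)."""
    i = 2 * mix_and_lowpass(rf, LO_I)
    q = 2 * mix_and_lowpass(rf, LO_Q)
    return math.hypot(i, q), math.degrees(math.atan2(q, i))

if __name__ == "__main__":
    for phase in (45, -45, 135):
        rf = carrier(0.8, phase)
        amp, ph = iq_demod(rf)
        print(f"sent A=0.8 phi={phase:4d}  real mixer -> {real_demod(rf):+.4f}  "
              f"I/Q -> A={amp:.3f} phi={ph:+.1f}")
```

Running the script prints the same real-mixer value for +45° and −45°, while the I/Q path reports the correct sign; a QPSK or 16-QAM demodulator needs exactly that distinction.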

Stage 3: Analog-to-Digital Conversion (ADC)

Now we have two analog signals (I and Q) at a manageable frequency (~37 MHz). Time to convert them to digital.

How ADCs Work

An Analog-to-Digital Converter samples the continuous voltage at regular intervals and converts each sample to a digital number:

ADC Operation:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Analog I signal:
 ╱╲ ╱╲ ╱╲
 ╱ ╲ ╱ ╲ ╱ ╲ Continuous voltage
 ╱ ╲╱ ╲╱ ╲

ADC samples at intervals:
 ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ← Sample clock

Digital output (8-bit ADC):
 ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓
 192 220 245 255 245 220 192 155

Now we have numbers!
Each sample = 8 bits = 1 byte
Sample rate: ~100 MHz = 100 million samples/sec

Key ADC specifications:

  1. Resolution: Number of bits (typically 8-12 bits for WiFi)
     • 8 bits = 256 levels (0-255)
     • 10 bits = 1024 levels
     • More bits = better signal representation
  2. Sample Rate: How often we sample (Nyquist: ≥2× signal bandwidth)
     • WiFi bandwidth: 20 MHz channel
     • Required sample rate: ≥40 MHz
     • Actual: ~100 MHz (oversampling for better performance)
  3. Dynamic Range: Ratio between largest and smallest signal
     • Limited by ADC resolution and noise
     • Typically 60-80 dB for WiFi receivers

Quantization Noise

ADCs introduce quantization error - the difference between the actual voltage and the nearest digital level:

Quantization Error:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Analog signal: ───╱─── Actual value: 3.7 V
 
ADC levels: 4.0 ───── ← Level 4
 3.5 ───── ← Level 3 (closest)
 3.0 ───── ← Level 2

Output: 3 (level 3 = 3.5V)
Error: 3.7 - 3.5 = 0.2V

This error looks like noise to the system.
More bits = smaller steps = less error.

For an n-bit ADC, the quantization noise power is approximately:

$$\text{Quantization Noise} = \frac{V_{pp}^2}{12 \times 2^{2n}}$$

Where $V_{pp}$ is the peak-to-peak voltage range. More bits mean exponentially less noise.

Stage 4: Digital Baseband Processing - The DSP Magic

Now we have digital I/Q samples streaming in at 100 million samples per second. But they're still just numbers - we need to extract the actual data bits. This is where the Digital Signal Processor (DSP) comes in.

OFDM: The Modulation Scheme

WiFi uses OFDM (Orthogonal Frequency Division Multiplexing). Understanding OFDM is key to understanding how bits become radio waves and back again.

The basic idea: Instead of transmitting on one frequency, split the channel into many narrow subcarriers and transmit data in parallel:

OFDM Subcarriers:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

20 MHz Channel (e.g., Channel 6):
├────────────────────────────────────────────┤
│ │
│ 52 subcarriers (48 data + 4 pilot): │
│ │
│ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │
│ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │
│ └─┴─┴─┴─┴─┴─┴─┴─┴─┴─┴─┴─┴─┴─┴─┴─┴─┴─┴─ │
│ Each subcarrier: 312.5 kHz wide │
└────────────────────────────────────────────┘

Each subcarrier carries data independently!
If one subcarrier has interference, the others
are unaffected.

Each subcarrier uses QAM (Quadrature Amplitude Modulation) to encode bits:

QAM Constellation (16-QAM):
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

 Q (Imaginary)
 ▲
 │
 • • • • Each dot = 4 bits (16 possibilities)
 │
 • • • • Position encodes data:
─────────────────────► I (Real)
 • • • • Amplitude AND phase both matter!
 │
 • • • • Example:
 │ Top-right = "1111"
 Bottom-left = "0000"

The I/Q samples we digitized represent the
position in this constellation!

Higher data rates use denser constellations:

  • BPSK: 1 bit per symbol (2 points)
  • QPSK: 2 bits per symbol (4 points)
  • 16-QAM: 4 bits per symbol (16 points)
  • 64-QAM: 6 bits per symbol (64 points)
  • 256-QAM (802.11ac): 8 bits per symbol (256 points!)

FFT: Separating The Subcarriers

To extract data from all 52 subcarriers, the DSP performs a Fast Fourier Transform (FFT):

FFT Extracts Subcarrier Data:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Time-domain I/Q samples:             Frequency-domain data:
(what the ADC gives us)              (after FFT)

  ╱╲╱╲╱╲╱╲╱╲╱╲╱╲                     Sub0 Sub1 Sub2 ... Sub51
 ╱            ╲      FFT              │    │    │        │
╱              ╲    ────►             ▓    ▓    ▓   ...  ▓
                                      │    │    │        │
80 samples                           Amplitude & phase
(one OFDM symbol)                    for each subcarrier

Each subcarrier's amplitude and phase
tells us the QAM symbol → data bits!

The FFT converts a time-domain signal (voltage varying over time) into a frequency-domain representation (amplitude and phase at each frequency). This is exactly what we need to decode OFDM.

FFT parameters for WiFi:

  • FFT size: 64 points (52 used, 12 guard bands)
  • Symbol duration: 4 microseconds
  • Guard interval: 0.8 microseconds (prevents inter-symbol interference)

Channel Estimation And Equalization

The radio channel isn't perfect - signals bounce off walls, interfere with each other, and suffer from frequency-dependent attenuation. The DSP needs to correct for this.

How channel estimation works:

Channel Estimation Process:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

1. Transmitter sends known pattern (Preamble):
 Pilot subcarriers with known amplitude/phase
 
2. Receiver compares received vs expected:
 
 Expected: │ │ │ │ Known pilot symbols
 ▓ ▓ ▓ ▓
 
 Received: │ │ │ │ Distorted by channel
 ▓ ▓ ▓ ▓
 
3. Calculate channel response:
 H(f) = Received / Expected
 
4. Apply inverse to data symbols:
 Corrected Data = Received Data / H(f)
 
This removes channel distortion!

WiFi frames include pilot tones (4 subcarriers with known values) in every OFDM symbol, allowing continuous channel tracking.
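The two sections above (OFDM demodulation with the FFT, and channel estimation from a known symbol) are easiest to believe with a working transmitter and receiver side by side. The following is an added example, not code from the post: it uses the post's 802.11a numerology (64-point FFT, 48 data plus 4 pilot subcarriers, 16-sample cyclic prefix), a hand-written radix-2 FFT so that it runs with no libraries, Gray-coded QPSK as the per-subcarrier modulation, and a constructed two-tap multipath channel. The known training symbol (+1 on every used subcarrier, in the role of the long training field) gives H(f) = received / expected, and dividing the data symbol by that estimate removes the distortion.

```python
import cmath
import math
import random

# 802.11a/g numerology from the post: 64-point FFT, 52 used subcarriers
# (48 data + 4 pilots), cyclic prefix of 16 samples (0.8 us at 20 MS/s).
N_FFT, CP_LEN = 64, 16
PILOT_SC = (-21, -7, 7, 21)
DATA_SC = [k for k in range(-26, 27) if k != 0 and k not in PILOT_SC]
USED_SC = sorted(DATA_SC + list(PILOT_SC))
# Gray-coded QPSK (2 bits per subcarrier) for the demo; denser QAM only changes this table.
QPSK = {(0, 0): 1 + 1j, (0, 1): -1 + 1j, (1, 1): -1 - 1j, (1, 0): 1 - 1j}

def fft(x):
    """Radix-2 decimation-in-time FFT (len(x) must be a power of two)."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + t, even[k] - t
    return out

def ifft(x):
    return [v.conjugate() / len(x) for v in fft([c.conjugate() for c in x])]

def ofdm_symbol(values):
    """values: {subcarrier index: complex} -> 80 time samples (CP + 64)."""
    freq = [0j] * N_FFT
    for k, v in values.items():
        freq[k % N_FFT] = v              # negative subcarriers wrap to the top bins
    time = ifft(freq)
    return time[-CP_LEN:] + time         # cyclic prefix = copy of the last 16 samples

def modulate(bits):
    """96 bits -> one data symbol: QPSK on the 48 data subcarriers, +1 on pilots."""
    values = {k: 1 + 0j for k in PILOT_SC}
    for i, k in enumerate(DATA_SC):
        values[k] = QPSK[(bits[2 * i], bits[2 * i + 1])]
    return ofdm_symbol(values)

def training_symbol():
    """Known symbol (+1 on every used subcarrier), in the role of the long training field."""
    return ofdm_symbol({k: 1 + 0j for k in USED_SC})

def apply_channel(samples, taps):
    """Multipath as a short FIR filter. Because it is shorter than the CP, the
    linear convolution looks circular over each symbol and the FFT diagonalizes it."""
    return [sum(h * samples[n - d] for d, h in enumerate(taps) if n - d >= 0)
            for n in range(len(samples))]

def demod_symbol(samples):
    """Strip the CP, FFT, return {subcarrier: complex} for the used subcarriers."""
    freq = fft(samples[CP_LEN:CP_LEN + N_FFT])
    return {k: freq[k % N_FFT] for k in USED_SC}

def estimate_channel(rx_training):
    """H(f) = received / expected; the expected training value is 1 everywhere."""
    return {k: v / (1 + 0j) for k, v in rx_training.items()}

def demap(rx_data, h_est=None):
    """QPSK hard decisions, optionally after dividing by the channel estimate."""
    bits = []
    for k in DATA_SC:
        v = rx_data[k] / h_est[k] if h_est else rx_data[k]
        bits += [int(v.imag < 0), int(v.real < 0)]   # inverse of the Gray map above
    return bits

def run_demo(seed=1, taps=(1.0, 0.8j)):
    """Constructed channel: direct path plus a strong delayed echo.
    Returns (bit errors without equalization, bit errors with equalization)."""
    rng = random.Random(seed)
    tx_bits = [rng.randint(0, 1) for _ in range(2 * len(DATA_SC))]
    rx = apply_channel(training_symbol() + modulate(tx_bits), list(taps))
    h_est = estimate_channel(demod_symbol(rx[:N_FFT + CP_LEN]))
    rx_data = demod_symbol(rx[N_FFT + CP_LEN:])
    raw = sum(a != b for a, b in zip(demap(rx_data), tx_bits))
    eq = sum(a != b for a, b in zip(demap(rx_data, h_est), tx_bits))
    return raw, eq
```

With the echo at 0.8 of the direct path, several subcarriers are rotated by more than 45°, so the unequalized QPSK decisions are wrong on those subcarriers while the equalized ones are all correct. Note what the frequency-selective channel does: it hurts some subcarriers badly and leaves others untouched, which is exactly the "each subcarrier carries data independently" property the OFDM section describes.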

Forward Error Correction (FEC)

Even after all this processing, some bits will be wrong due to noise. WiFi uses convolutional coding and Viterbi decoding to fix errors:

Convolutional Encoder (Transmit Side):
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Input: 1 bit Output: 2 bits (rate 1/2 code)
 │
 ▼
 [Shift Register + XOR gates]
 │
 ├──────► Bit 1 ┐
 │ ├─► Transmitted
 └──────► Bit 2 ┘

For every 1 input bit, transmit 2 bits.
This redundancy allows error correction!

Viterbi Decoder (Receive Side):
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Received: 11 00 10 11 ... (with some errors)
 │
 ▼
 [Viterbi Algorithm]
 Finds most likely transmitted sequence
 even if some bits are flipped!
 │
 ▼
Output: 1 0 1 1 ... (corrected data)

The Viterbi algorithm uses the redundancy to correct errors. With rate 1/2 coding, it can fix bursts of several bit errors.
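Here is an added example (not code from the post) of both halves of that picture: the 802.11a/g rate-1/2 convolutional encoder (constraint length 7, generator polynomials 133 and 171 octal, six zero tail bits) and a hard-decision Viterbi decoder that tracks the lowest-Hamming-distance path into each of the 64 encoder states. The error positions flipped in the demo are constructed; the decoder recovers the original bits despite them.

```python
import random

# 802.11a/g convolutional code: rate 1/2, constraint length K = 7, generator
# polynomials 133 and 171 (octal); K-1 = 6 zero tail bits flush the encoder.
K = 7
G0, G1 = 0o133, 0o171
N_STATES = 1 << (K - 1)
TAIL = [0] * (K - 1)

def parity(x):
    return bin(x).count("1") & 1

def conv_encode(bits):
    """Each input bit yields two output bits. The register holds the last 7 bits,
    newest in the top position; the tail bits return it to state 0."""
    state, out = 0, []
    for b in bits + TAIL:
        reg = (b << (K - 1)) | state
        out += [parity(reg & G0), parity(reg & G1)]
        state = reg >> 1
    return out

def viterbi_decode(rx, expected_len):
    """Hard-decision Viterbi: keep the best (lowest Hamming distance) path into
    each state per step, then trace back from state 0, where the tail bits ended."""
    n = len(rx) // 2
    INF = float("inf")
    metric = [INF] * N_STATES
    metric[0] = 0
    survivors = []                  # survivors[t][state] = (previous state, input bit)
    for t in range(n):
        r0, r1 = rx[2 * t], rx[2 * t + 1]
        new_metric, back = [INF] * N_STATES, [None] * N_STATES
        for s in range(N_STATES):
            if metric[s] == INF:
                continue
            for b in (0, 1):
                reg = (b << (K - 1)) | s
                ns = reg >> 1
                dist = (parity(reg & G0) != r0) + (parity(reg & G1) != r1)
                if metric[s] + dist < new_metric[ns]:
                    new_metric[ns] = metric[s] + dist
                    back[ns] = (s, b)
        metric = new_metric
        survivors.append(back)
    state, decoded = 0, []
    for back in reversed(survivors):
        state, b = back[state]
        decoded.append(b)
    decoded.reverse()
    return decoded[:expected_len]    # drop the tail bits

def demo(seed=7, flip_positions=(10, 11, 50)):
    """Encode random bits, flip constructed channel errors (two adjacent bits plus
    one isolated bit), decode. Returns (errors injected, errors left after Viterbi)."""
    rng = random.Random(seed)
    data = [rng.randint(0, 1) for _ in range(40)]
    rx = conv_encode(data)
    for p in flip_positions:
        rx[p] ^= 1
    decoded = viterbi_decode(rx, len(data))
    return len(flip_positions), sum(a != b for a, b in zip(decoded, data))
```

The free distance of this code is 10, so a single error event needs five or more flipped bits within its span before the decoder picks the wrong path; the three errors here, two of them adjacent, are well inside what it corrects.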

Deinterleaving And Descrambling

Finally, the corrected bits go through:

  1. Deinterleaving: Reverses the bit interleaving that spreads burst errors across multiple symbols
  2. Descrambling: Reverses the scrambling that prevents long runs of 0s or 1s

Final Decoding Steps:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Viterbi output → Deinterleave → Descramble → Raw bits!

Example after all processing:
01001000 01100101 01101100 01101100 01101111
 H e l l o

We've gone from electromagnetic waves to ASCII!
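As an added example (not from the post), the two reversing steps in code. The scrambler is the 802.11 7-bit LFSR with polynomial x^7 + x^4 + 1; because scrambling is an XOR with the LFSR sequence, the same routine descrambles, and the seven zero bits 802.11 sends first (in the SERVICE field) let the receiver recover the transmitter's seed. The interleaver is the 802.11a first permutation for BPSK (48 coded bits per symbol; the second permutation is the identity for BPSK), and the demo shows a burst of four adjacent corrupted bits landing far apart after deinterleaving. Seeds and the burst position are constructed.

```python
# 802.11 scrambler: 7-bit LFSR, polynomial x^7 + x^4 + 1. XOR with the same
# sequence twice cancels, so one routine both scrambles and descrambles.
# (An all-zero seed would output the data unchanged; 802.11 never uses it.)
def scramble(bits, seed):
    state, out = seed & 0x7F, []
    for b in bits:
        fb = ((state >> 6) ^ (state >> 3)) & 1      # x7 XOR x4
        out.append(b ^ fb)
        state = ((state << 1) | fb) & 0x7F
    return out

def descramble_with_seed_recovery(scrambled):
    """The first 7 transmitted bits are zeros, so the first 7 received bits are the
    raw LFSR output; shifting them in rebuilds the register state at bit 7."""
    state = 0
    for b in scrambled[:7]:
        state = ((state << 1) | b) & 0x7F
    return scramble(scrambled[7:], state)

N_CBPS = 48   # coded bits per OFDM symbol for BPSK: one bit per data subcarrier

def interleave(bits):
    """802.11a first permutation: adjacent coded bits go to non-adjacent subcarriers."""
    out = [0] * N_CBPS
    for k, b in enumerate(bits):
        i = (N_CBPS // 16) * (k % 16) + k // 16
        out[i] = b
    return out

def deinterleave(bits):
    out = [0] * N_CBPS
    for k in range(N_CBPS):
        i = (N_CBPS // 16) * (k % 16) + k // 16
        out[k] = bits[i]
    return out

def burst_error_demo(burst_start=3, burst_len=4):
    """Corrupt 4 consecutive transmitted bits (an interference burst hitting
    neighbouring subcarriers) and report where the errors sit after deinterleaving."""
    data = [0] * N_CBPS
    tx = interleave(data)
    for p in range(burst_start, burst_start + burst_len):
        tx[p] ^= 1
    rx = deinterleave(tx)
    return [k for k, b in enumerate(rx) if b != data[k]]
```

After deinterleaving, the burst at transmitted positions 3..6 becomes errors at coded-bit positions 1, 2, 17 and 33, which is the spacing the Viterbi decoder is good at, whereas four adjacent errors would strain it.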

Stage 5: MAC Layer - Frame Detection And Validation

Now we have a stream of bits. But how do we know where one frame starts and another ends? This is where Layer 2 (MAC) processing begins.

Preamble Detection

Every WiFi frame starts with a preamble - a known bit pattern used for synchronization:

802.11 Frame Structure:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

┌─────────┬─────────┬──────────────┬─────┐
│Preamble │ Header │ Payload │ FCS │
│(Known) │(MAC info)│ (Data) │(CRC)│
└─────────┴─────────┴──────────────┴─────┘
 ▲
 │
 └─ DSP watches for this pattern in the
 bit stream to detect frame start

Preamble contains:
- Short training symbols (10 repetitions)
- Long training symbols (2 repetitions) 
- SIGNAL field (rate, length)

When DSP sees this pattern → "Frame detected!"

The MAC hardware has a correlator that continuously searches for the preamble pattern:

Correlator Operation:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Incoming bit stream:
...000110110010110110110110110110110010110...
 └──────────┘
 Preamble pattern detected!
 
Correlator output:
 ▲
 │ Peak when pattern matches!
 ─────┼─────
 │
 
 When peak detected:
 1. Lock symbol timing
 2. Start decoding header
 3. Parse frame

Address Filtering (The Part Monitor Mode Bypasses!)

After preamble detection, the MAC hardware decodes the frame header and checks the destination address:

MAC Address Filtering:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Frame Header Decoded:
┌────────────┬────────────┬────────────┐
│ Frame Ctrl │ Duration │ Addr 1 │
├────────────┼────────────┼────────────┤
│ Addr 2 │ Addr 3 │ Seq Ctrl │
└────────────┴────────────┴────────────┘
 │ │ │
 │ └────────────┼─ Destination MAC
 └─────────────────────────┘

MAC Hardware Checks:
┌─────────────────────────────────┐
│ Is Addr1 == My MAC? │
│ OR Addr1 == Broadcast? │
│ OR Addr1 == Multicast I joined? │
└────────┬──────────────┬─────────┘
 │ │
 YES NO
 │ │
 ▼ ▼
 Pass to OS            Drop frame  ← MANAGED MODE
                       Pass anyway ← MONITOR MODE

This is the filter that monitor mode disables! In managed mode, the firmware drops frames not addressed to you. In monitor mode, it passes everything.

How The Chipset Knows What Channel To Use

Now for your specific question: how does the MAC layer tell the radio what channel to use?

The interaction happens through register writes to the chipset:

Channel Selection Process:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Driver (Software):
 │
 │ iw dev wlan0 set channel 6
 │
 ▼
Writes to chipset registers:
 ┌────────────────────────────┐
 │ Channel Register: 0x06 │ ← MAC tells radio
 │ Center Freq: 2437 MHz │
 │ Bandwidth: 20 MHz │
 └────────────────────────────┘
 │
 ▼
RF Synthesizer (PLL):
 ┌────────────────────────────┐
 │ VCO (Voltage Controlled │
 │ Oscillator) tunes to │
 │ 2437 MHz ± 10 MHz │
 └────────────────────────────┘
 │
 ▼
Local Oscillator frequency changes:
 Old: 2400 MHz → New: 2437 MHz
 │
 ▼
Mixer now downconverts 2437 MHz signals
instead of 2412 MHz signals!
 │
 ▼
Different channel received!

Under the hood, the radio has a Phase-Locked Loop (PLL) that generates the Local Oscillator frequency:

PLL Channel Tuning:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

 Reference
 Oscillator
 (Crystal)
 40 MHz
 │
 ▼
 ┌──────────────┐
 │ Phase │
 │ Detector │
 └──────┬───────┘
 │
 ┌──────────────┘
 │
 ▼
 [Loop Filter]
 │
 ▼
┌────────────────┐
│ VCO │
│ Output: 2437MHz│ ← Generates LO signal
└───────┬────────┘
 │
 ├──────────────► To Mixer
 │
 ▼
 [÷ 60.925] ← Divider
 │
 └─────────┐
 │
 ┌────────┴────────┐
 │ Feedback to │
 │ Phase Detector │
 └─────────────────┘

PLL divider ratio sets frequency:
2437 MHz = 40 MHz × 60.925

Different channel = different divider ratio

How the radio filters the channel:

Once tuned to 2437 MHz, the mixer shifts signals near 2437 MHz down to baseband (near 0 Hz). Signals far from 2437 MHz get shifted to very high frequencies and are filtered out:

Channel Filtering By Downconversion:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Channel 1: 2412 MHz ─┐
Channel 6: 2437 MHz ─┼─ Multiple signals present
Channel 11: 2462 MHz ─┘

LO tuned to 2437 MHz (Channel 6):

Ch1: 2412 - 2437 = -25 MHz ← Far from 0 Hz
Ch6: 2437 - 2437 = 0 MHz ← Near 0 Hz (baseband)
Ch11: 2462 - 2437 = +25 MHz ← Far from 0 Hz

After mixing:
 ╱╲ ╱╲
 ─────────╱ ╲╱ ╲───────── Frequency
 -25MHz 0 +25MHz
 │ │
 └───────┬───────┘
 [Lowpass Filter]
 │
 ▼
 ╱╲ ╱╲
 ╱ ╲╱ ╲ Only Ch6 remains!
 0

The lowpass filter removes everything except
signals near 0 Hz (i.e., near our LO frequency).
This IS the channel filter!

So channel selection is just changing the LO frequency. The lowpass filter after the mixer automatically rejects signals from other channels because they end up far from baseband after mixing.
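An added example (not code from the post) that reproduces this picture numerically. Frequencies are scaled down by a factor of a million, so 2412, 2437 and 2462 Hz sampled at 10 kHz stand in for the three channels, and the 25 Hz spacing plays the role of the real 25 MHz; channel amplitudes are constructed. The quadrature mixer multiplies by e^{-j2πf_LO t}, and a 400-sample moving average is the lowpass: its window is exactly one cycle of a 25 Hz tone, so the neighbouring channels average to zero while the channel sitting at 0 Hz passes through. Retuning the LO is the only thing that changes which channel survives.

```python
import cmath
import math

FS = 10_000        # sample rate in Hz (scaled-down stand-in for the RF front-end)
N = FS             # one second of samples
# Scaled channel centres: 2412/2437/2462 Hz stand in for MHz, so the 25 Hz spacing
# here plays the role of the real 25 MHz. Amplitudes are constructed for the demo.
CHANNELS = {1: (2412, 0.3), 6: (2437, 1.0), 11: (2462, 0.6)}
LPF_WINDOW = 400   # moving-average lowpass: 40 ms = exactly one cycle of a 25 Hz
                   # tone, so the neighbouring channels average to zero

def air():
    """Everything present in the air at once: three channels, real-valued."""
    return [sum(a * math.cos(2 * math.pi * f * n / FS) for f, a in CHANNELS.values())
            for n in range(N)]

def iq_mix(rf, lo_hz):
    """Quadrature mixer: multiply by e^{-j 2 pi f_lo t}. The channel at f_lo lands
    at 0 Hz, its neighbours at +/-25 Hz, and the sum-frequency terms near -4.9 kHz."""
    return [v * cmath.exp(-2j * math.pi * lo_hz * n / FS) for n, v in enumerate(rf)]

def moving_average(x, window):
    """Crude lowpass: running mean over `window` samples (full windows only)."""
    out, acc = [], 0j
    for n, v in enumerate(x):
        acc += v
        if n >= window:
            acc -= x[n - window]
        if n >= window - 1:
            out.append(acc / window)
    return out

def tuned_amplitude(lo_hz):
    """What survives mixer + lowpass with the LO at lo_hz: the amplitude of that one
    channel (the factor 2 undoes the 1/2 from the product-to-sum identity)."""
    baseband = moving_average(iq_mix(air(), lo_hz), LPF_WINDOW)
    return 2 * sum(abs(v) for v in baseband) / len(baseband)

def select_channel(channel):
    """Retune the LO to the channel's centre (the register write in the post)
    and report the amplitude the baseband now sees."""
    return tuned_amplitude(CHANNELS[channel][0])

if __name__ == "__main__":
    for ch in (1, 6, 11):
        print(f"LO at channel {ch:2d}: baseband amplitude {select_channel(ch):.3f}")
```

Tuning to channel 6 yields about 1.0 (channel 6's amplitude) with the 0.3 and 0.6 of channels 1 and 11 suppressed; tuning to channel 1 yields about 0.3, and so on. A real baseband filter has a flat passband of ±10 MHz rather than a single null, but the mechanism is the same.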

CRC Validation

Finally, the MAC hardware computes a CRC-32 (Cyclic Redundancy Check) over the frame and compares it to the FCS (Frame Check Sequence) field at the end:

FCS Validation:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Frame received:
┌──────────┬──────────────┬──────────┐
│ Header │ Payload │ FCS │
│ │ │ (4 bytes)│
└──────────┴──────────────┴──────────┘
 │ │ │
 └────────────┴──────────────┘
 │
 Compute CRC-32 over this
 │
 ▼
 Calculated: 0xA3B5C7D9
 Received: 0xA3B5C7D9
 │
 ▼
 Match! 
 │
 ▼
 Frame Valid - pass to driver
 
If CRC doesn't match:
 Frame Corrupted - increment error counter, drop

In monitor mode, you'll often see frames with bad FCS. These are frames that were corrupted by noise or interference. Managed mode would drop them, but monitor mode passes them up so you can see that errors are occurring.
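The address filter and the FCS check together are the last two hardware stages before the driver, so here they are as one added example (not code from the post, and not any chipset's firmware). The CRC-32 is written out bit by bit with the same polynomial and parameters the 802.11 FCS uses (the Ethernet CRC, transmitted least-significant byte first); the frame layout is the 24-byte data-frame header from the diagram above; the MAC addresses and the multicast group are constructed. `receive` returns what managed mode and monitor mode do with a frame addressed to someone else and with a frame whose FCS does not match.

```python
import struct

# Constructed addresses (locally administered; not real devices).
MY_MAC = bytes.fromhex("020000000001")
OTHER_MAC = bytes.fromhex("020000000002")
BROADCAST = b"\xff" * 6
JOINED_MULTICAST = {bytes.fromhex("01005e0000fb")}   # a multicast group this host joined

def crc32(data):
    """Bitwise CRC-32: IEEE 802.3 polynomial 0x04C11DB7 (reflected 0xEDB88320),
    initial value and final XOR 0xFFFFFFFF. This is the CRC behind the 802.11 FCS."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0xEDB88320 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF

def build_frame(addr1, addr2, addr3, payload):
    """Minimal 802.11 data frame: Frame Control (type=data, subtype=0), Duration,
    Addr1..Addr3, Sequence Control, payload, then the FCS in little-endian order."""
    header = b"\x08\x00" + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00"
    body = header + payload
    return body + struct.pack("<I", crc32(body))

def fcs_valid(frame):
    body, fcs = frame[:-4], frame[-4:]
    return struct.unpack("<I", fcs)[0] == crc32(body)

def address_filter_passes(frame, my_mac=MY_MAC):
    """Managed-mode filter on Addr1: unicast to me, broadcast, or a multicast
    group I joined (the group bit is the least significant bit of the first octet)."""
    a1 = frame[4:10]
    if a1 == my_mac or a1 == BROADCAST:
        return True
    return bool(a1[0] & 1) and a1 in JOINED_MULTICAST

def receive(frame, monitor=False):
    """Stages 13-14 of the post's pipeline. Returns (disposition, fcs_ok)."""
    ok = fcs_valid(frame)
    if monitor:
        # Monitor mode: no address filter, and bad-FCS frames are passed up as well
        return "passed to driver", ok
    if not address_filter_passes(frame):
        return "dropped: not addressed to me", ok
    if not ok:
        return "dropped: bad FCS", ok
    return "passed to driver", ok

def corrupt(frame, index):
    """Constructed channel damage: flip every bit of one byte."""
    damaged = bytearray(frame)
    damaged[index] ^= 0xFF
    return bytes(damaged)
```

One caveat worth keeping in mind when reading FCS failures in a capture: the CRC detects noise and interference, not tampering, since anyone can recompute it over modified bytes. Integrity against forgery comes from the cryptographic MIC inside the WPA2 (CCMP) payload, which is a separate check done only after decryption with the session keys.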

Putting It All Together: The Complete Pipeline

Let's trace a single frame through the entire stack:

Complete WiFi Receive Path:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

1. ANTENNA (Physical Layer - Radio)
 EM wave @ 2.437 GHz → ~10 µV AC voltage
 │
 ▼
2. LNA (RF Front-End)
 10 µV → 500 µV (20 dB gain)
 │
 ▼
3. BANDPASS FILTER
 Remove out-of-band interference
 │
 ▼
4. MIXER (Downconversion)
 2.437 GHz → 37 MHz (using 2.400 GHz LO)
 Split into I and Q channels
 │
 ▼
5. ADC (Analog → Digital)
 Continuous voltage → 100 MS/s digital samples
 I samples: [192, 220, 245, 255, ...]
 Q samples: [128, 155, 180, 192, ...]
 │
 ▼
6. FFT (Digital Baseband - DSP)
 Time domain → Frequency domain
 Extract 52 subcarrier amplitudes & phases
 │
 ▼
7. CHANNEL EQUALIZATION
 Correct for channel distortion using pilots
 │
 ▼
8. QAM DEMODULATION
 Constellation points → Bit patterns
 │
 ▼
9. VITERBI DECODING (FEC)
 Correct bit errors using redundancy
 │
 ▼
10. DEINTERLEAVE & DESCRAMBLE
 Reverse transmit-side processing
 │
 ▼
11. FRAME DETECTION (MAC Layer)
 Correlator finds preamble in bit stream
 │
 ▼
12. HEADER DECODE
 Extract frame type, addresses, length
 │
 ▼
13. ADDRESS FILTER ← BYPASSED IN MONITOR MODE
 Check if frame is for us
 │
 ▼
14. FCS VALIDATION
 Verify CRC-32 checksum
 │
 ▼
15. DRIVER
 Add RadioTap header with metadata
 │
 ▼
16. OPERATING SYSTEM
 Frame available to applications!
 │
 ▼
17. WIRESHARK
 You see the packet! 

Why This Matters

Understanding this pipeline explains so many things that seemed mysterious before:

Why Signal Strength Matters

Every stage has noise. The LNA adds noise. The ADC adds quantization noise. If the signal is weak, the SNR is poor, and:

  • The FFT gives inaccurate subcarrier amplitudes
  • QAM demodulation makes wrong decisions
  • Viterbi can't correct all errors
  • FCS validation fails → frames dropped

The first stage (LNA) is most critical - noise added there gets amplified by everything after.

Why Channel Width Matters

Wider channels (40 MHz, 80 MHz, 160 MHz) mean:

  • More subcarriers carrying data in parallel
  • Higher data rates
  • BUT more susceptible to frequency-selective fading
  • AND more chance of interference from other networks

Why Monitor Mode Can't Decrypt WPA2

By the time the MAC layer sees a frame, the encryption has already been removed by... nothing. Decryption happens at Layer 2, and monitor mode bypasses the normal frame handling.

WPA2-encrypted frames are decrypted using keys derived from the 4-way handshake. Without those keys, the payload remains encrypted gibberish. Monitor mode just captures what's in the air - it doesn't magically give you decryption keys.

Why Some Adapters Can't Do Monitor Mode

Monitor mode requires:

  1. Firmware support: The chipset must respond to commands to disable address filtering
  2. Driver support: The OS driver must implement the mode switch
  3. Hardware capabilities: Some cheap chipsets physically can't pass all frames to the host (buffer limitations)

Chipsets like the Atheros AR9271 were designed with these features specifically for research and testing purposes.

The Layer 1/Layer 2 Boundary

So where exactly is the boundary between Layer 1 (Physical) and Layer 2 (Data Link)?

OSI Layer Boundary In WiFi:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

LAYER 1 (Physical):
 - Antenna
 - RF front-end (LNA, mixer, filter)
 - ADC
 - OFDM demodulation (FFT)
 - Channel estimation
 - FEC decoding
 - Bit timing & synchronization
 │
 │ Boundary: Raw bit stream
 │
 ▼
LAYER 2 (Data Link - MAC Sublayer):
 - Frame detection (preamble correlation)
 - Header parsing
 - Address filtering ← Monitor mode affects this!
 - FCS validation
 - Frame buffering
 - Retransmission logic (if needed)
 - Association management

The key insight: Layer 1 delivers a stream of bits. Layer 2 organizes those bits into frames and decides which frames to keep.

Monitor mode is a Layer 2 feature that affects how Layer 2 filters the frames that Layer 1 delivers.

Conclusion: The Magic Is Just Physics And Math

When I started this journey, WiFi seemed like magic. Invisible signals turning into data? How?

Now I see it's just a carefully designed pipeline:

  • Physics (EM waves inducing current in antenna)
  • Analog electronics (amplification, mixing, filtering)
  • Signal processing (ADC, FFT, equalization)
  • Information theory (modulation, FEC)
  • Digital logic (frame detection, address filtering)

Each stage solves a specific problem, and together they bridge the gap between electromagnetic waves and digital bits.

When you enable monitor mode, you're just telling stage 13 (address filtering) to take a break. But you get to see the results of stages 1-12 doing their incredible work - converting invisible 2.4 GHz radiation into structured 802.11 frames.

The next time someone talks about "packets in the air," you'll know exactly what that means: electromagnetic energy at 2.4 GHz, amplitude- and phase-modulated using OFDM, that your adapter's RF front-end, ADC, and DSP are working together to decode into bits, which the MAC layer is organizing into frames for you to capture.

It's not magic. It's just really, really clever engineering.


Questions about quadrature demodulation? Want to know more about the PLL internals? Wondering why I didn't explain interleaving in detail? Leave a comment - this stuff goes deep, and I had to draw the line somewhere!