In a previous post I have given a high level overview of how Wi-Fi direct works. This follow up post now goes one step further and shows how a Wi-Fi direct connection is established between two devices. Unfortunately the Wi-Fi direct specification is not freely available (poor behavior by the Wi-Fi alliance in my opinion). However, for those of you who'd like to dig even deeper I can recommend these pages on the Microsoft developer network. Also, Wireshark comes in handy for tracing the connection establishment process, and my findings below are based on these.
From a protocol point of view a Wi-Fi direct connection is established using already existing mechanisms in a number of steps:
In a first step, the two devices that are to connect directly have to find each other. This is done by sending standard Wi-Fi probe request and response frames that include the Wi-Fi direct specific generic SSID “DIRECT-” and further Wi-Fi direct capability information. A device answering with a probe response frame uses the same SSID and includes vendor specific tagged information elements to also identify itself as a Wi-Fi direct device and gives further information such as its direct mode capabilities, device type and a name in readable format that can be presented to the user.
During the following Service Discovery phase the devices can then optionally exchange higher layer service information via Provision Discovery Request / Response action frames that carry information supplied by UPNP , Bonjour and other higher layer protocols. Action frames are Wi-Fi management messages and are used as no IP connectivity between the devices exists at this point in time. This allows devices to inquire about services offered by other devices before connectivity is established. The procedure is optional, however, and it can be observed in practice that it is not necessarily used.
Once the user of one of the devices has decided to establish a direct connection it is necessary to decide which device should play the role of the Group Owner (GO), i.e. which device should become the access point. This is done during the Group Owner Negotiation procedure: Again, Wi-Fi management messages (action frames) are used to perform this operation that consists of a three way handshake. In practice it can be observed that the device that is contacted by another device sets the negotiation parameters in a way that it becomes the GO.
After the three way handshake the GO device will reconfigure its Wi-Fi chip into access point mode. The other device waits for beacon frames being broadcast that includes an SSID with a Wi-Fi direct identifier and the name of the other device that was also contained in the earlier probe response frame. Once these are found the device performs and Open Authentication and Association Request as per normal Wi-Fi procedures. Next, security parameters are negotiated via EAP and EAPOL messaging. These protocols are also used during ordinary WPS (Wireless Protected Setup) security context negotiation, i.e. existing functionality is re-used for this step of establishing a link as well. Once the security parameters have been exchanged, a standard WPA2 connection is established between the two devices.
In a final step, the client device requests an IP address from the GO access point in the same way as it would request an IP address form a standard access point. Once the IP address has been acquired the Wi-Fi direct link is established and can now be used by higher layer applications. As the connection is based on the IP protocol applications can work over Wi-Fi direct networks and also over traditional Wi-Fi access point based networks without any modifications to this part of the application logic.