Wi-Fi Frame Anatomy

Question 1

Association request

Answer 1

Purpose: Sent by station to associate with a BSS
Wireshark filter: wlan.fc.type==0x00

Question 2

Association Response

Answer 2

Purpose: Sent in response to an associate request
Wireshark filter: wlan.fc.type==0x01

Question 3

Reassociation

Answer 3

Purpose: Request is sent by a station changing association to another AP in the same ESS. I.e. roaming between APs OR reassociating with the same AP

Wireshark: wlan.fc.type==0x02

Question 4

Reassociation Response

Answer 4

Purpose: Response to the reassociation request
Wireshark Filter: *wlan.fc.type==0x03”

Question 5

Probe Request

Answer 5

Purpose: Sent by a station in order to “scan” for an SSID.
Wireshark filter: wlan.fc.type==0x04
Extra: This is how airodump-ng and other tools find the AP even if the SSID is turned off.

Question 6

Probe response

Answer 6

Purpose: sent by each BSS participating to that SSID
Wireshark filter: wlan.fc.type==0x05

Question 7

Beacon

Answer 7

Purpose: Periodic frame sent by the AP (or stations in case of IBSS) and gives information about the BSS

Wireshark filter: wlan.fc.type==0x08

Question 8

ATIM

Answer 8

Purpose: Traffic indication map for IBSS.
In a BSS, the TIM is included in the beacon.

Wireshark filter: wlan.fc.type==0x09

Meaning: Announcement Traffic Indication Message

Question 9

Disassociation

Answer 9

Purpose: Sent to terminate the association of a station
Wireshark filter: wlan.fc.type==0x0B

Question 10

Authentication

Answer 10

Purpose: Frane used to perform the 802.11 authentications.
NOT any other types of authentication.

Wireshark filter: *wlan.fc.type==0x0B”

Question 11

Deauthentication

Answer 11

Purpose: Frame terminating the authentication of a station.

Wireshark filter: wlan.fc.type==0x0C

Extra: Often used in attack tools to “bump” users off the AP using aireplay-ng or perform a Denial of Service on the AP

Question 12

Action

Answer 12

Purpose: Frame meant for sending information elements to other stations.

Wireshark filter: *wlan0.fc.type==0x0D”

Extra: When sending in a beacon it’s not possible or not the best

Question 13

PS-Poll

Answer 13

Purpose: Power-save poll frame for buffed frames after a wake-up from a station

Wireshark: wlan.fc.type==0x1A

Question 14

RTS

Answer 14

Purpose: Used to facilitate the Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) protocol.

Wireshark filter: *wlan.fc.type==0x1B”

Meaning: Request-to-Send

Question 15

CTS

Answer 15

Purpose: Frame response to RTS

Wireshark filter: *wlan.fc.type==0x1C”

Meaning: Clear-to-Send

Question 16

ACK

Answer 16

Purpose: Acknowledge frame sent to confirm receipt of a frame

Wireshark filter: wlan0.fc.type==0x1D

Question 17

Data frame

Answer 17

Purpose: Basic frame containing data

Wireshark filter: *wlan.fc.type==0x20”

Question 18

Null frame

Answer 18

Purpose: Frane meant to contain no data but flag information

Wireshark filter: wlan.fc.type==0x24

Question 19

QoS data

Answer 19

Purpose: QoS version of the data frame

Wireshark filter: wlan.fc.type==0x28

Meaning: Quality of Service data

Question 20

QoS null

Answer 20

Purpose: QoS version of of null frame

Wireshark filter: wlan.fc.type==0x2C

Meaning: Quality of Service null