RSN-IE (Robust Security Network Information Element) is an optional field of variable length that can be found in 802.11 management frames.RSN element has an element ID of 48 & present in below different management frames
1. Beacon frames.(send by AP)
2. Probe Response frames.(send by AP)
3. Association Request frames.(send by Client)
4. Reassociation Request frames (Send by client)
All 802.11 radios will use one cipher (pairwise) suit for unicast encryption & another cipher(group) for encrypting multicast/broadcast traffic. Below are the different cipher suite values.
00-0F-AC-04 (CCMP) is the default
00-0F-AC-02 (TKIP) is optional.
When station supports several ciphers, it always chooses the stronges one first (ie CCMP, TKIP, WEP-104, WEP-40)
RSN-IE also used to indicate what authentication methods are supported. The Authentication Key Management (AKM) suite indicate whether the station support 802.1X or PSK authentication. Below are the 3 different AKM suite values depend on the Authentication method used.
00-0F-AC-03 (FT over 802.1X)
Here is the structure of RSN element.
Here is a beacon frame.You can filter Beacon frames in wireshark using (wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x08) filter. As you can see below both Group & Pairwise cipher is CCM-AES (00-0F-AC-04) & AKM suite is PSK (00-0F-AC-02)
Here is a Reassociation Reuest frame. You can filter these frames using (wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x02) wireshark filter. As you can see it uses AKM suite of 00-0F-AC-01 (802.1X) & CCM-AES (00-0F-AC-04) encryption ciphers.