802.11 management frames have a MAC header with three address fields. An 802.11a/b/g management frame has a 24-byte MAC header, whereas an 802.11n management frame has a 28-byte MAC header (an additional 4-byte HT Control field), as shown below (pages 124-125, CWAP Official Study Guide).

There are 12 management frame subtypes defined by the 802.11-2007 standard, shown below (page 125, CWAP Official Study Guide).

In Wireshark you can use the subtype to filter management traffic. The filters below select each subtype, with a sample management frame for each.

1. Association Request

(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x00)

2. Association Response

(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x01)

3. Reassociation Request

(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x02)

4. Reassociation Response

(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x03)

5. Probe Request

(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x04)

6. Probe Response

(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x05)

7. Beacon

(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x08)

8. Announcement Traffic Indication Message (ATIM)

(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x09)

9. Disassociation

(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0a)

10. Authentication

(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0b)

11. Deauthentication

(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0c)

12. Action

(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0d)

13. Action No ACK

(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0e)
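
The following is an added example, not taken from the study guide or the original post: a small Python parser that reads the Frame Control field of a raw 802.11 MAC header (starting at Frame Control, with no radiotap header), derives the value Wireshark shows as wlan.fc.type_subtype, and reports whether the header is 24 or 28 bytes long. It assumes the Order bit of Frame Control signals the presence of the HT Control field in a management frame; the function names and the sample frames with their MAC addresses are constructed for illustration.

```python
import struct

# Subtype names as listed on this page, keyed by the 4-bit subtype value.
MGMT_SUBTYPES = {
    0x0: "Association Request", 0x1: "Association Response",
    0x2: "Reassociation Request", 0x3: "Reassociation Response",
    0x4: "Probe Request", 0x5: "Probe Response", 0x8: "Beacon",
    0x9: "ATIM", 0xA: "Disassociation", 0xB: "Authentication",
    0xC: "Deauthentication", 0xD: "Action", 0xE: "Action No ACK",
}

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_mgmt_header(frame):
    """Parse a management MAC header; return None for control/data frames."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte management MAC header")
    fc = struct.unpack_from("<H", frame, 0)[0]    # Frame Control, little-endian
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0:                                # same test as wlan.fc.type == 0
        return None
    has_htc = bool(fc & 0x8000)                   # Order bit (assumption: HT Control follows)
    header_len = 28 if has_htc else 24
    if len(frame) < header_len:
        raise ValueError("Order bit set but HT Control field is truncated")
    seq_ctl = struct.unpack_from("<H", frame, 22)[0]
    return {
        "name": MGMT_SUBTYPES.get(subtype, "Reserved"),
        "type_subtype": (ftype << 4) | subtype,   # value used in the filters above
        "addr1": fmt_mac(frame[4:10]),
        "addr2": fmt_mac(frame[10:16]),
        "addr3": fmt_mac(frame[16:22]),
        "seq": seq_ctl >> 4,                      # upper 12 bits: sequence number
        "header_len": header_len,
    }

def wireshark_filter(info):
    return f"(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x{info['type_subtype']:02x})"

# Constructed sample headers (locally administered MAC addresses, not captured traffic).
BEACON = bytes.fromhex("8000 0000 ffffffffffff 020000000001 020000000001 1000")
ACTION_HT = bytes.fromhex("d080 3a01 020000000002 020000000001 020000000001 2000 00000000")
DATA = bytes.fromhex("0801 0000 020000000001 020000000002 020000000001 3000")

if __name__ == "__main__":
    for sample in (BEACON, ACTION_HT, DATA):
        info = parse_mgmt_header(sample)
        print(info and (info["name"], info["header_len"], wireshark_filter(info)))
```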

References
1. CWAP Official Study Guide – Chapter 4