, , ,

Deauthentication Frame
Station or AP can send a Deauthentication Frame when all communications are terminated (When disassociated, still a station can be authenticated to the cell). Deauthentication frame format is as shown below. It is subtype 12 (0x0c) management frame (type 0)  & you can filter it using below wireshark filter.

(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0c)

CWAP - Mgmt-Deauth-05Frame body of  Deauth frame contains following
1. Reason Code (2 byte)
2. Vendor Specific Information (one or more)
3. 802.11w (MFP) info

Here is a capture of a Deauthentication frame. In this case client station specify reason code as 3 – Deauthenticated because sending station is leaving BSS.Once AP receive this, it should send ACK to the client station.

CWAP - Mgmt-Deauth-06Here is another deauthentication frame, where in this instance reason code 4 – Disassoicated due to Inactivity.

CWAP - Mgmt-Deauth-07In the below case due to 1- Unspecified reason client has been deauthenticated.CWAP - Mgmt-Deauth-08Here is another Deauth frame captured. This is triggered when I enable client management frame protection on a SSID. This time AP sending deauth to client with reason code 6 – Class 2 frame received from nonauthenticated station.

CWAP - Mgmt-Deauth-11Here is the complete list of Reason Codes as per IEEE 802.11-2012 standard.(table 8.36)

CWAP - Mgmt-Deauth-01CWAP - Mgmt-Deauth-02CWAP - Mgmt-Deauth-03CWAP - Mgmt-Deauth-04

Disassociation Frame
Once a station associated to an AP, either side can terminate the association at any time by sending a disassociation frame. It has the same frame format as deauthentication frame. A station can send a disassociation frame because it leave the current cell to roam to another cell. An AP could send disassociation frame because station try to use invalid parameters.(above given reason codes applicable to disassociation frames as well). You can filter disassociation frames in wireshark using below filter (subtype 10 management frames)

(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0a)

Disassociation frame’s destination address could be a Unicast MAC address or Broadcast Address. If a single station to be disassociated it can be send to client unicast MAC address. If all stations needs to be disassociated, disassociation frame can be send to broadcast MAC address.

Here is a disassociation frame send by a client station with reason code 8 – Disassociated becaues sending station is leaving.

CWAP - Mgmt-Deauth-09Here is another disassociation frame sent by AP to client station. (This is triggered when I shut down the WLAN from controller). In this case reason code 1- Unspecified Reason.

CWAP - Mgmt-Deauth-10If you are using Cisco products, then from debug outputs you will able to find out Deatuenticaton or Deassociation Reason codes.  Refer this documents to find out the valid codes Cisco has implemented

802.11 Association Status, 802.11 Deauth Reason codes

1. CWAP Official Study Guide – Chapter 4

Related Posts

1. 802.11 Management Frame Types
2. 802.11 Beacon Frame
3. 802.11 Action Frames
4. 802.11 Authentication Frame