Station or AP can send a Deauthentication Frame when all communications are terminated (When disassociated, still a station can be authenticated to the cell). Deauthentication frame format is as shown below. It is subtype 12 (0x0c) management frame (type 0) & you can filter it using below wireshark filter.
(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0c)
Here is a capture of a Deauthentication frame. In this case client station specify reason code as 3 – Deauthenticated because sending station is leaving BSS.Once AP receive this, it should send ACK to the client station.
In the below case due to 1- Unspecified reason client has been deauthenticated.Here is another Deauth frame captured. This is triggered when I enable client management frame protection on a SSID. This time AP sending deauth to client with reason code 6 – Class 2 frame received from nonauthenticated station.
Once a station associated to an AP, either side can terminate the association at any time by sending a disassociation frame. It has the same frame format as deauthentication frame. A station can send a disassociation frame because it leave the current cell to roam to another cell. An AP could send disassociation frame because station try to use invalid parameters.(above given reason codes applicable to disassociation frames as well). You can filter disassociation frames in wireshark using below filter (subtype 10 management frames)
(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0a)
Disassociation frame’s destination address could be a Unicast MAC address or Broadcast Address. If a single station to be disassociated it can be send to client unicast MAC address. If all stations needs to be disassociated, disassociation frame can be send to broadcast MAC address.
Here is a disassociation frame send by a client station with reason code 8 – Disassociated becaues sending station is leaving.
1. CWAP Official Study Guide – Chapter 4