Deauthentication Frame
A station or AP can send a Deauthentication frame when all communications are terminated (a station that has been disassociated can still be authenticated to the cell). The Deauthentication frame format is shown below. It is a subtype 12 (0x0c) management frame (type 0), and you can filter it using the Wireshark filter below.
(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0c)
The frame body of a Deauth frame contains the following:
1. Reason Code (2 byte)
2. Vendor Specific Information (one or more)
3. 802.11w (MFP) info
Here is a capture of a Deauthentication frame. In this case the client station specifies reason code 3 – Deauthenticated because sending station is leaving BSS. Once the AP receives this, it should send an ACK to the client station.
Here is another Deauthentication frame, in this instance with reason code 4 – Disassociated due to Inactivity.
In the case below, the client has been deauthenticated with reason code 1 – Unspecified reason.
Here is another Deauth frame captured. This was triggered when I enabled client management frame protection on an SSID. This time the AP sends the deauth to the client with reason code 6 – Class 2 frame received from nonauthenticated station.
Here is the complete list of Reason Codes as per the IEEE 802.11-2012 standard (table 8.36).
Disassociation Frame
Once a station is associated to an AP, either side can terminate the association at any time by sending a disassociation frame. It has the same frame format as the deauthentication frame. A station can send a disassociation frame because it is leaving the current cell to roam to another cell. An AP could send a disassociation frame because the station tries to use invalid parameters (the reason codes given above apply to disassociation frames as well). You can filter disassociation frames in Wireshark using the filter below (subtype 10 management frames).
(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0a)
A disassociation frame's destination address can be a unicast MAC address or the broadcast address. If a single station is to be disassociated, the frame can be sent to that client's unicast MAC address. If all stations need to be disassociated, the disassociation frame can be sent to the broadcast MAC address.
Here is a disassociation frame sent by a client station with reason code 8 – Disassociated because sending station is leaving.
Here is another disassociation frame, sent by the AP to a client station (this was triggered when I shut down the WLAN from the controller). In this case the reason code is 1 – Unspecified Reason.
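The header fields and reason codes described above, decoded from raw bytes, as an added example that is not part of the original post. It assumes each frame starts at the 802.11 MAC header (no radiotap header, no FCS); the function names and the sample MAC addresses are made up for illustration.

```python
import struct

# Reason codes named on this page (a subset of IEEE 802.11-2012 table 8.36).
REASONS = {1: "Unspecified reason",
           3: "Deauthenticated because sending station is leaving BSS",
           4: "Disassociated due to inactivity",
           6: "Class 2 frame received from nonauthenticated station",
           7: "Class 3 frame received from nonassociated STA",
           8: "Disassociated because sending station is leaving"}
SUBTYPES = {0x0A: "disassociation", 0x0C: "deauthentication"}

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_teardown(frame):
    """Parse a raw 802.11 frame (MAC header first, no radiotap, no FCS).
    Returns None unless it is a deauthentication or disassociation frame."""
    if len(frame) < 24:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPES:
        return None
    flags = frame[1]
    body = 24 + (4 if flags & 0x80 else 0)  # Order bit set: HT Control follows
    info = {"kind": SUBTYPES[subtype], "dst": mac(frame[4:10]),
            "src": mac(frame[10:16]), "bssid": mac(frame[16:22]),
            "protected": bool(flags & 0x40), "reason": None}
    info["broadcast"] = info["dst"] == "ff:ff:ff:ff:ff:ff"
    # With 802.11w (MFP) a unicast frame body is encrypted, so the reason
    # code is only readable when the Protected bit is clear.
    if not info["protected"] and len(frame) >= body + 2:
        code = struct.unpack_from("<H", frame, body)[0]
        info["reason"] = (code, REASONS.get(code, "not named on this page"))
    return info

def sample_frame(subtype, dst, src, bssid, reason, flags=0):
    """Build a constructed frame for the demo (addresses are made up)."""
    addr = lambda s: bytes.fromhex(s.replace(":", ""))
    hdr = bytes([subtype << 4, flags]) + b"\x00\x00"           # FC + duration
    hdr += addr(dst) + addr(src) + addr(bssid) + b"\x00\x00"   # A1 A2 A3 seq
    return hdr + struct.pack("<H", reason)

if __name__ == "__main__":
    AP, STA = "02:00:00:00:00:01", "02:00:00:00:00:02"
    for f in (sample_frame(0x0C, AP, STA, AP, 3),
              sample_frame(0x0A, "ff:ff:ff:ff:ff:ff", AP, AP, 1),
              sample_frame(0x0C, STA, AP, AP, 6, flags=0x40)):
        print(parse_teardown(f))
```

The third sample has the Protected bit set, so the parser reports the frame but leaves the reason as None instead of decoding encrypted bytes.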
If you are using Cisco products, you will be able to find the Deauthentication or Disassociation reason codes in the debug outputs. Refer to these documents to find the valid codes Cisco has implemented:
802.11 Association Status, 802.11 Deauth Reason codes
References
1. CWAP Official Study Guide – Chapter 4
Great Article. I always have some unspecified reason errors on my WLC. On both Association and Authentication area. What is the most generic reason for this?
and of course I didn’t shut down the WLC 🙂
Thanks again for sharing information
Hi, Nice article. In this article in the below sentence you have mistakenly mentioned as authentication frame instead of de-authentication frame.
“Here is a capture of a authentication frame. In this case client station specify reason code as 3 – Deauthenticated because sending station is leaving BSS.Once AP receive this, it should send ACK to the client station.”
Thank you very much Deva for pointing this out. I have corrected that now
Rasika
Nice explanation. I have a confusion:-
1) In case of AP, STA send WLAN_REASON_DEAUTH_LEAVING while in case of WiFi Direct, GC sends WLAN_REASON_DISASSOC_STA_HAS_LEFT.
Why such a difference?
WiFi Direct connection is same as AP connection. Then why at one place, DEAUTH is used and in other place DISASSOC is used.
2) Isn't WiFi Direct same as ESS/IBSS?
Thanks in advance for your replies.
Hi Nayarasi,
I have been following up your blog posts on 802.11, it helps understanding the concepts. Appreciate your efforts.
I have been working on an embedded Wi-Fi client application (drivers are provided by a third party), and came across a few association failures. Would like to hear your inputs.
In the four way handshake, I do see that after receiving EAPOL Message-3, the STA has sent a de-authentication frame with Reason code as “Information element in 4-Way Handshake different from (Re)Association Request/Probe Response/Beacon frame”. My questions are
1. Which information element is differing, is it RSN?
2. I should compare the IEs against which frames?
3. Could it be because of a bug in the driver?
What mostly is the reason for AP sending Deauth to Wireless clients with this reason code.
Reason code: Class 3 frame received from nonassociated STA (0x0007)
Hi Nayarasi,
My client device is connected to the router using 5G wifi and it is working fine, but if I reboot the router and once the router is up and running I can see the client device is trying to connect to the router. But the connection is failing because the router is deauthenticating the connection and reason is given as “class 3 frame received from nonassociated sta”.
From the wireshark log I can see the authentication response and associate response are successful.
If I reboot my client device then everything starts to work fine again.
What could be reason for this authentication.
Thanks
Cijoy
Hi Cijoy Varghese – did you get bottom of this issue?
Thank you a lot, this is great content.
You are welcome Khirou, glad info helped you..
Rasika
could you please help to simulate scenario in order to send deauth with reason code 4.
Hi Divya,
Sorry, I am not sure about that. If you have access to those simulation tools, I think best to check with the vendor of that product
HTH
Rasika
Hi
Can deauth happen before four way handshake?
In State machine point of view, 4 way handshake takes place after state 3
State1 – Unauthenticated/Unassociated
State2 – Authenticated/Unassociated
State3 – Authenticated/Associated (802.1X port closed)
:
V
State4 – Authenticated/Associated (802.1X port Open)
So deauth frames can be seen before 4 way handshake (ie from State 2 or State3 to go back to state 1)
HTH
Rasika