Deauthentication Frame
Station or AP can send a Deauthentication Frame when all communications are terminated (When disassociated, still a station can be authenticated to the cell). Deauthentication frame format is as shown below. It is subtype 12 (0x0c) management frame (type 0) & you can filter it using below wireshark filter.
(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0c)
Frame body of Deauth frame contains following
1. Reason Code (2 byte)
2. Vendor Specific Information (one or more)
3. 802.11w (MFP) info
Here is a capture of a Deauthentication frame. In this case client station specify reason code as 3 – Deauthenticated because sending station is leaving BSS.Once AP receive this, it should send ACK to the client station.
Here is another deauthentication frame, where in this instance reason code 4 – Disassoicated due to Inactivity.
In the below case due to 1- Unspecified reason client has been deauthenticated.
Here is another Deauth frame captured. This is triggered when I enable client management frame protection on a SSID. This time AP sending deauth to client with reason code 6 – Class 2 frame received from nonauthenticated station.
Here is the complete list of Reason Codes as per IEEE 802.11-2012 standard.(table 8.36)
Disassociation Frame
Once a station associated to an AP, either side can terminate the association at any time by sending a disassociation frame. It has the same frame format as deauthentication frame. A station can send a disassociation frame because it leave the current cell to roam to another cell. An AP could send disassociation frame because station try to use invalid parameters.(above given reason codes applicable to disassociation frames as well). You can filter disassociation frames in wireshark using below filter (subtype 10 management frames)
(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0a)
Disassociation frame’s destination address could be a Unicast MAC address or Broadcast Address. If a single station to be disassociated it can be send to client unicast MAC address. If all stations needs to be disassociated, disassociation frame can be send to broadcast MAC address.
Here is a disassociation frame send by a client station with reason code 8 – Disassociated becaues sending station is leaving.
Here is another disassociation frame sent by AP to client station. (This is triggered when I shut down the WLAN from controller). In this case reason code 1- Unspecified Reason.
If you are using Cisco products, then from debug outputs you will able to find out Deatuenticaton or Deassociation Reason codes. Refer this documents to find out the valid codes Cisco has implemented
802.11 Association Status, 802.11 Deauth Reason codes
References
1. CWAP Official Study Guide – Chapter 4
Related Posts
1. 802.11 Management Frame Types
2. 802.11 Beacon Frame
3. 802.11 Action Frames
4. 802.11 Authentication Frame
Great Article. I always have some unspecified reason errors on my WLC. On both Association and Authentication area. what is the most generic reason for this?
and of course I didn’t shut down the WLC 🙂
Thanks again for sharing information
Hi, Nice article. In this article in the below sentence you have mistakenly mentioned as authentication frame instead of de-authentication frame.
“Here is a capture of a authentication frame. In this case client station specify reason code as 3 – Deauthenticated because sending station is leaving BSS.Once AP receive this, it should send ACK to the client station.”
Thank you very much Deva for pointing this out. I have corrected that now
Rasika
Nice explanation. I have a confusion:-
1) In case of AP, STA send WLAN_REASON_DEAUTH_LEAVING while in case of WiFi Direct, GC sends WLAN_REASON_DISASSOC_STA_HAS_LEFT.
Why such a difference?
WiFi Direct connection is same as AP connection. Then why at one place, DEAUTH is used and in other place DISASSOC is used.
2) Isnt WiFi Direct same as ESS/IBSS?
Thanks in advance for your replies.
Hi Nayarasi,
I have been following up your blog posts on 802.11,it helps understanding the concepts. Appreciate your efforts.
I have been working on a embedded Wi-Fi client application (drivers are provided by thirdparty), and came across few association failures. Would like to hear your inputs from you.
In the four way handshake, I do see that after receiving EAPOL Message-3, the STA has sent an de-authentication frame with Reason code as “Information element in 4-Way Handshake different from (Re)Association Request/Probe
Response/Beacon frame”. My questions are
1. Which information element is differing, is it RSN?
2. I should compare the IE’s against which frames
3. Could i be because of bug in driver?
Pingback: Wifi Hacking using ESP8266 – hackelectro
Pingback: ESP8266 Deauther | TheGioiNgam | Hacking & Security
Pingback: Hackaday Prize Entry: Don’t Build This | Hackaday
Pingback: Hackaday Prize Entry: Don’t Build This – High Tech Newz
Pingback: Hackaday Prize Entry: Don't Build This |
What mostly is the reason for AP sending Deauth to Wireless clients with this reason code.
Reason code: Class 3 frame received from nonassociated STA (0x0007)
Pingback: Understanding Evil Twin AP Attacks and How to Prevent Them | Elteni
thank you a lot, this is a great content.
You are welcome Khirou, glad info helped you..
Rasika