• otw

Wi-Fi Hacking: Anatomy of Wi-Fi Frames for Hackers

Welcome back, my aspiring Wi-Fi Hackers!

In previous tutorials here at Hackers-Arise, we have demonstrated how to hack Wi-Fi (IEEE 802.11) access points using multiple techniques, including;

1. WPA2 aircrack-ng Attack

2. WPS Reaver Attack

3. Evil Twin Attack

4. PMKID Attack

5. Continuous Denial of Service (DoS) Attack

6. Evading Wi-Fi Authentication

7. Using wifiphisher to Social Engineer a Wi-Fi Password

In this tutorial, we will be examining the Wi-Fi (802.11) protocol anatomy. It's great to know how to use the tools at our disposal to hack Wi-Fi, but if you want to develop your own tools, you will need to dig deeper into the Wi-Fi protocol in order to better understand it.

The tables below enumerate each of the Wi-Fi frame types, their description, and how you can filter for each type using Wireshark.

A Bit of Background of these Different Frame Types

The tables above are a great reference, but let's take a moment to review what each of those frames do including their specific Wireshark filter (in italics beneath each description). It's important to note that tools such as airodump-ng and Kismet are capable of using these frames to provide you with key information necessary for hacking the AP.

1. An Association request is sent by a station to associate to a BSS.


2. An Association response is sent in response to an association request


3. A Reassociation request is sent by a station changing association to another AP in the same ESS (so roaming between APs, or reassociating with the same AP)


4. Reassociation response is the response to the reassociation request


5. Probe request is sent by a station in order to “scan” for an SSID (this is how airodump-ng and other tools find the AP even if the SSID is turned off).


6. Probe response is sent by each BSS participating to that SSID


7. Beacon is a periodic frame sent by the AP (or stations in case of IBSS) and giving information about the BSS


8. ATIM is the traffic indication map for IBSS (in a BSS, the TIM is included in the beacon)


9. Disassociation is sent to terminate the association of a station


10. Authentication is the frame used to perform the 802.11 authentication (and not any other type of authentication)


11. Deauthentication is the frame terminating the authentication of a station. This frame is often used in our attack tools to "bump" users off the AP using aireplay-ng or perform a Denial of Service on the AP.


12. Action is a frame meant for sending information elements to other stations (when sending in a beacon is not possible/best)


13. PS-Poll is the Power-save poll frame polling for buffered frames after a wake-up from a station


14. RTS is the request-to-send frame


15. CTS is the clear-to-send frame (often response to RTS)


16. ACK is the acknowledge frame sent to confirm receipt of a frame.


17. Data frame is the basic frame containing data


18. Null frame is a frame meant to contain no data but flag information


19. QoS (Quality of Service) data is the QoS version of the data frame


20. QoS (Quality of Service) null is the QoS version of the null frame


Wireshark Display Filters for Wi-Fi Frames

To filter for these frames in Wireshark, click on the "Expressions" tab to the right of the filter window and the following Window will open.

In the Search field near the bottom right, enter "wlan" as seen below.

Now, scroll down to the "wlan.fc.subtype" field and click on it. Select the "==" for relation and then enter the value of the frame type you want to filter for.


When trying to develop your own Wi-Fi hacking tools, it is critical to understand the frames and their purpose in this 802.11 protocol. Bookmark this page for future reference as we use this information to develop our very own Wi-Fi hacking tools!