Author: otw

Wi-Fi Hacking: Anatomy of Wi-Fi Frames for Hackers

Updated: Dec 30, 2022

Welcome back, my aspiring Wi-Fi Hackers!

In previous tutorials here at Hackers-Arise, we have demonstrated how to hack Wi-Fi (IEEE 802.11) access points using multiple techniques, including;

In this tutorial, we will be examining the Wi-Fi (802.11) protocol anatomy. It's great to know how to use the tools at our disposal to hack Wi-Fi, but if you want to develop your own tools, you will need to dig deeper into the Wi-Fi protocol in order to better understand it.

The tables below enumerate each of the Wi-Fi frame types, their description, and how you can filter for each type using Wireshark.

A Bit of Background of these Different Frame Types

The tables above are a great reference, but let's take a moment to review what each of those frames does, including its specific Wireshark filter (in italics beneath each description). It's important to note that tools such as airodump-ng and Kismet are capable of using these frames to provide you with key information necessary for hacking the AP.

1. An Association request is sent by a station to associate to a BSS.

2. An Association response is sent in response to an association request.

3. A Reassociation request is sent by a station changing association to another AP in the same ESS (that is, roaming between APs, or reassociating with the same AP).

4. Reassociation response is the response to the reassociation request.

5. Probe request is sent by a station in order to “scan” for an SSID (this is how airodump-ng and other tools find the AP even if the SSID is turned off).

6. Probe response is sent by each BSS participating in that SSID.

7. Beacon is a periodic frame sent by the AP (or by stations in the case of an IBSS) that gives information about the BSS.

8. ATIM is the traffic indication map for IBSS (in a BSS, the TIM is included in the beacon).

9. Disassociation is sent to terminate the association of a station.

10. Authentication is the frame used to perform the 802.11 authentication (and not any other type of authentication).

11. Deauthentication is the frame terminating the authentication of a station. This frame is often used in our attack tools to "bump" users off the AP using aireplay-ng or to perform a Denial of Service on the AP.

12. Action is a frame meant for sending information elements to other stations (when sending them in a beacon is not possible or not the best option).

13. PS-Poll is the power-save poll frame, which a station sends after waking up to poll for buffered frames.

14. RTS is the request-to-send frame.

15. CTS is the clear-to-send frame (often sent in response to an RTS).

16. ACK is the acknowledge frame sent to confirm receipt of a frame.

17. Data frame is the basic frame containing data.

18. Null frame is a frame meant to carry no data, only flag information.

19. QoS (Quality of Service) data is the QoS version of the data frame.

20. QoS (Quality of Service) null is the QoS version of the null frame.


Wireshark Display Filters for Wi-Fi Frames

To filter for these frames in Wireshark, click on the "Expressions" tab to the right of the filter window, and the following window will open.

In the Search field near the bottom right, enter "wlan" as seen below.

Now, scroll down to the "wlan.fc.subtype" field and click on it. Select the "==" for relation and then enter the value of the frame type you want to filter for.
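The same type/subtype values can be read straight from the first byte of a frame. The sketch below is an added example, not code from the original tutorial: it decodes the Frame Control field, builds the matching Wireshark display filter, and flags stations receiving bursts of deauthentication or disassociation frames. It assumes each frame starts at the 802.11 MAC header (any radiotap header already stripped); the function names, the sample frames, and the threshold of 3 are illustrative.

```python
from collections import Counter

# (type, subtype) -> name for the frames listed above; type 0 = management, 1 = control, 2 = data.
FRAME_NAMES = {
    (0, 0): "Association request", (0, 1): "Association response",
    (0, 2): "Reassociation request", (0, 3): "Reassociation response",
    (0, 4): "Probe request", (0, 5): "Probe response", (0, 8): "Beacon",
    (0, 9): "ATIM", (0, 10): "Disassociation", (0, 11): "Authentication",
    (0, 12): "Deauthentication", (0, 13): "Action",
    (1, 10): "PS-Poll", (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK",
    (2, 0): "Data", (2, 4): "Null", (2, 8): "QoS data", (2, 12): "QoS null",
}

def classify(frame: bytes):
    """Decode the first Frame Control byte: bits 0-1 version, 2-3 type, 4-7 subtype."""
    if len(frame) < 2:
        raise ValueError("shorter than the 2-byte Frame Control field")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    return ftype, subtype, FRAME_NAMES.get((ftype, subtype), "other/reserved")

def display_filter(ftype: int, subtype: int) -> str:
    """Wireshark display filter matching one frame type/subtype pair."""
    return f"wlan.fc.type == {ftype} && wlan.fc.subtype == {subtype}"

def teardown_targets(frames, threshold=3):
    """Receiver MACs (Address 1, bytes 4-9) that got >= threshold
    deauthentication or disassociation frames: a sign of forced disconnects."""
    hits = Counter()
    for f in frames:
        if len(f) < 10:
            continue  # too short to carry Address 1
        ftype, subtype, _ = classify(f)
        if ftype == 0 and subtype in (10, 12):
            hits[f[4:10].hex(":")] += 1
    return sorted(mac for mac, n in hits.items() if n >= threshold)

def make_frame(ftype, subtype, dst):
    """Constructed test frame: Frame Control, Duration, Address 1, zero padding."""
    fc0 = (subtype << 4) | (ftype << 2)
    return bytes([fc0, 0, 0, 0]) + bytes.fromhex(dst.replace(":", "")) + bytes(14)

# Constructed sample capture (not real traffic); MACs are locally administered.
SAMPLE = ([make_frame(0, 8, "ff:ff:ff:ff:ff:ff")] * 2
          + [make_frame(0, 12, "02:00:00:00:00:01")] * 4
          + [make_frame(0, 12, "02:00:00:00:00:02")]
          + [make_frame(2, 8, "02:00:00:00:00:02")] * 5)

if __name__ == "__main__":
    print([display_filter(*classify(f)[:2]) for f in SAMPLE[:3]])
    print("deauth/disassoc bursts against:", teardown_targets(SAMPLE))
```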


When trying to develop your own Wi-Fi hacking tools, it is critical to understand the frames and their purpose in the 802.11 protocol. Bookmark this page for future reference as we use this information to develop our very own Wi-Fi hacking tools!
