Version: 1.1.x

Frame Types

An 802.11 ("WiFi") frame (think of it like a packet in the higher network layers) carries information about its own type. With this information, devices know how to parse it and what content to expect.

The two fields that carry this information are called:

  • type
  • subtype

The type is a high-level category and the subtype further specifies the type of frame. Each type and subtype has a number assigned to it.

The following type values exist:

  • management
    • Unencrypted frames used to, for example, advertise existence of a network or to associate with an access point.
  • control
    • Assisting with the delivery of all frames. For example power saving coordination, request-to-send/clear-to-send, ...
  • data
    • Data delivery
  • extension
    • Reserved for special use-cases and future use.

In practice, nzyme will only record management frames. The other frame types are not relevant for the security mechanisms nzyme deploys.

Let's look at the relevant subtypes of the management frames:

Subtype: beacon

Wireshark query: wlan.fc.type_subtype == 0x08

  • Access points send beacon frames periodically to announce their presence and to help synchronize member stations of the same network.
  • Your “Networks in range” list behind the WiFi icon is built by listening for beacon frames.

Subtype: probe-request

Wireshark query: wlan.fc.type_subtype == 0x04

  • Your devices are sending probe requests for networks they joined at some point in the past to see if they are around. For example, your phone might be checking if a Starbucks WiFi or United_WiFi is in range right now.
  • It’s also used to pick the best access point to connect to if there are several in range.
  • There are more uses that are not relevant for nzyme or WiFi security.

Subtype: probe-response

Wireshark query: wlan.fc.type_subtype == 0x05

  • Answer to probe-request frames. An access point replying, “Yes, I’m here”.

Subtype: authentication

Wireshark query: wlan.fc.type_subtype == 0x0B

  • First step when attempting to join a wireless network.
  • Requiring authentication restricts which stations can send or receive in a network.
  • Different exchange of frames happens depending on the network type (for example WEP or WPA). The exact authentication sequence is well documented and not relevant for our session today.

Subtype: association-request

Wireshark query: wlan.fc.type_subtype == 0x00

  • Sent after successful authentication with an access point. Last step of joining a wireless network.
  • Allocates resources on AP and synchronizes both stations.

Subtype: association-response

Wireshark query: wlan.fc.type_subtype == 0x01

  • Acceptance or rejection of an association request.
  • If successful, it includes the association ID of the requester, together with information about supported data rates etc.
  • Requester can start to use other 802.11 frame types (data and control) if association was successful.

Subtype: deauthentication

Wireshark query: wlan.fc.type_subtype == 0x0C

  • Unidirectional announcement of a station to another station, indicating that it wishes to terminate communications.
  • Must be accepted. Takes effect immediately.
  • Comes with a reason code. Example reasons are “Previous authentication no longer valid” or “Requested from peer STA as the STA is leaving the BSS (or resetting)”.

Subtype: disassociation

Wireshark query: wlan.fc.type_subtype == 0x0A

  • Graceful disconnect from a wireless network / AP.
  • This way resources can be freed immediately and the station can be removed from the association table without waiting for a timeout.
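
The type and subtype numbers used in the Wireshark queries above come from the first byte of the frame's Frame Control field. The following is an added example, not nzyme code: it decodes that byte, names the management subtypes listed on this page, and rebuilds the `wlan.fc.type_subtype` value. The function name, the `is_management` flag and the sample frames are assumptions made for illustration.

```python
# Type values from the 2-bit "type" field of the Frame Control field.
FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}

# Management subtypes covered on this page, keyed by the 4-bit subtype value.
MGMT_SUBTYPES = {
    0x0: "association-request", 0x1: "association-response",
    0x4: "probe-request", 0x5: "probe-response",
    0x8: "beacon", 0xA: "disassociation",
    0xB: "authentication", 0xC: "deauthentication",
}


def classify_frame(frame: bytes) -> dict:
    """Decode type/subtype from a raw 802.11 frame (no radiotap header)."""
    if len(frame) < 2:
        raise ValueError("frame too short to contain a Frame Control field")
    fc0 = frame[0]
    version = fc0 & 0b11            # bits 0-1: protocol version
    ftype = (fc0 >> 2) & 0b11       # bits 2-3: type
    subtype = (fc0 >> 4) & 0b1111   # bits 4-7: subtype
    if version != 0:
        raise ValueError(f"unexpected protocol version {version}")
    subtype_name = None
    if ftype == 0:
        subtype_name = MGMT_SUBTYPES.get(subtype, "other-management")
    # For management, control and data frames Wireshark combines the two
    # fields as (type << 4) | subtype; extension frames are left out here.
    combined = (ftype << 4) | subtype if ftype != 3 else None
    return {
        "type": FRAME_TYPES[ftype],
        "subtype": subtype_name,
        "wireshark_type_subtype": combined,
        # Mirrors the page's statement that only management frames are recorded.
        "is_management": ftype == 0,
    }


# Constructed sample frames: a 2-byte Frame Control field plus zero padding.
SAMPLES = {
    "beacon": bytes([0x80, 0x00]) + bytes(22),
    "deauthentication": bytes([0xC0, 0x00]) + bytes(22),
    "QoS data": bytes([0x88, 0x01]) + bytes(22),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        info = classify_frame(raw)
        print(label, info)
```

A capture taken in monitor mode usually carries a radiotap header in front of the 802.11 frame, which has to be skipped before calling the function.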

Further reading

With these frame types in mind, go read more about common attacks and how to detect them with nzyme.