An 802.11 ("WiFi") frame (think of it like a packet in the higher network layers) carries information about its own type. With this information, devices know how to parse it and what content to expect.
These are called the type and the subtype. The type is a high-level category and the subtype further specifies the type of frame. Each has a number assigned to it.
The following type values exist:
- Unencrypted frames used to, for example, advertise existence of a network or to associate with an access point.
- Assisting with the delivery of all frames. For example power saving coordination, request-to-send/clear-to-send, ...
- Data delivery
- Reserved for special use-cases and future use.
In practice, nzyme will only record management frames. The other frame types are not relevant for the security mechanisms nzyme deploys.
Let's look at the relevant subtypes of the management type:
wlan.fc.type_subtype == 0x08
- Access points send beacon frames periodically to announce their presence and to help synchronize member stations of the same network.
- Your “Networks in range” list behind the WiFi icon is built by listening for beacon frames
wlan.fc.type_subtype == 0x04
- Your devices are sending probe requests for networks they joined at some point in the past to see if they are around. For example, your phone might be checking if a Starbucks WiFi or United_WiFi is in range right now.
- It’s also used to pick the best access point to connect to if there are several in range.
- There are more uses that are not relevant for nzyme or WiFi security.
wlan.fc.type_subtype == 0x05
- Answer to probe-request frames. An access point replying, “Yes, I’m here”.
wlan.fc.type_subtype == 0x0B
- First step when attempting to join a wireless network
- Being authenticated restricts the ability to send or receive in a network.
- Different exchange of frames happens depending on the network type (for example WEP or WPA). The exact authentication sequence is well documented and not relevant for our session today.
wlan.fc.type_subtype == 0x00
- Sent after successful authentication with an access point. Last step of joining a wireless network.
- Allocates resources on AP and synchronizes both stations.
wlan.fc.type_subtype == 0x01
- Acceptance or rejection of association request
- If successful, it includes the association ID of the requester, together with information about supported data rates etc.
- Requester can start to use other 802.11 frame types (data and control) if association was successful.
wlan.fc.type_subtype == 0x0C
- Unidirectional announcement of a station to another station, indicating that it wishes to terminate communications.
- Must be accepted. Takes effect immediately.
- Comes with a reason code. Example reasons are “Previous authentication no longer valid” or “Requested from peer STA as the STA is leaving the BSS (or resetting)”
wlan.fc.type_subtype == 0x0A
- Graceful disconnect from a wireless network / AP.
- This way resources can be freed immediately and station can be removed from the association table without waiting for a timeout.
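The following is an added example, not nzyme's own code: it decodes the type and subtype from the first Frame Control byte of a raw frame and combines them into the value used in the `wlan.fc.type_subtype` filters above (type shifted left by four bits, OR-ed with the subtype). It assumes the frame starts at the 802.11 header (any radiotap header already removed); the subtype names come from the IEEE 802.11 standard and the sample bytes are constructed.

```python
# Added example: decode the 802.11 Frame Control field of a raw frame.
# Assumption: the frame starts at the 802.11 header (radiotap already removed).

# Type 3 is named "extension" in IEEE 802.11; this page lists it as reserved.
TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "extension"}

# Management subtypes covered on this page, keyed by the
# wlan.fc.type_subtype value. Names follow the IEEE 802.11 standard.
MGMT_SUBTYPES = {
    0x00: "association request",
    0x01: "association response",
    0x04: "probe request",
    0x05: "probe response",
    0x08: "beacon",
    0x0A: "disassociation",
    0x0B: "authentication",
    0x0C: "deauthentication",
}


def classify(frame: bytes) -> dict:
    """Return type, subtype and combined type_subtype value of a frame."""
    if len(frame) < 2:
        raise ValueError("frame too short to hold a Frame Control field")
    fc0 = frame[0]                 # first Frame Control byte
    version = fc0 & 0b11           # bits 0-1: protocol version
    ftype = (fc0 >> 2) & 0b11      # bits 2-3: type
    subtype = (fc0 >> 4) & 0b1111  # bits 4-7: subtype
    if version != 0:
        raise ValueError(f"unexpected protocol version {version}")
    type_subtype = (ftype << 4) | subtype
    name = MGMT_SUBTYPES.get(type_subtype) if ftype == 0 else None
    return {"type": TYPE_NAMES[ftype], "subtype": subtype,
            "type_subtype": type_subtype, "name": name}


def is_management(frame: bytes) -> bool:
    """True for the only frame type this page says nzyme records."""
    return classify(frame)["type"] == "management"


# Constructed sample headers (Frame Control bytes only), not captured traffic.
SAMPLES = [bytes([0x80, 0x00]), bytes([0xC0, 0x00]),
           bytes([0x88, 0x01]), bytes([0xD4, 0x00])]

if __name__ == "__main__":
    for raw in SAMPLES:
        info = classify(raw)
        print(f"0x{info['type_subtype']:02X}", info, is_management(raw))
```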
With these frame types in mind, go read more about common attacks and how to detect them with nzyme.