802.11 PROTOCOL INTELLIGENCE

ARP Dead Window

The most common "connected but no internet" failure mode in Wi-Fi networks has nothing to do with RF, authentication, or DHCP. It is a timing gap in the ARP protocol between when a client associates and when the gateway updates its ARP cache. During this window, traffic from the gateway to the client drops silently - and nothing in the IP layer signals why.

ARP RFC 826 IEEE 802.11 MAC Interaction Production Failure Pattern

The most common 'connected but no internet' complaint after a Wi-Fi association has nothing to do with RF, DHCP, or the AP. It is an ARP timing gap at Layer 2 - and it is invisible in every log except the PCAP.

// quick wireshark filters - ARP dead window diagnosis

arp.opcode == 1 && arp.src.proto_ipv4 == arp.dst.proto_ipv4Gratuitous ARP - sender IP = target IP. The GARP a client sends after association.

arp && !arp.isgratuitousNormal ARP requests (not GARP). Standard gateway→client lookups.

dns && !dns.flags.responseDNS queries with no response pair. Unanswered queries during dead window.

http.request.uri contains "connectivitycheck"Android connectivity probe to Google. No response = dead window active at that moment.

eapol || (arp.opcode == 1 && arp.src.proto_ipv4 == arp.dst.proto_ipv4)4-Way Handshake completion + first GARP in sequence. Measure delta between M4 and GARP.

Full filter reference → /wireshark-filters

ARP - Address Resolution Protocol

ARP (RFC 826) maps a known IP address to an unknown MAC address. When a gateway needs to forward a packet to 192.168.1.42, it must know the MAC address to put in the Ethernet frame. It looks in its ARP cache - if not found, it broadcasts an ARP Request. The client responds with its MAC. This MAC is then cached (default TTL: 20 minutes on Linux, 10 minutes on Windows, varies by vendor).

STANDARD ARP EXCHANGE

Gateway (10.0.0.1)

ARP Request → (broadcast)
"Who has 10.0.0.42? Tell 10.0.0.1"

Client (10.0.0.42)

ARP Reply → (unicast)
"10.0.0.42 is at AA:BB:CC:DD:EE:FF"

Gateway caches MAC

In a stable network, this works fine - the ARP cache is warm. The dead window problem occurs specifically during the brief period after a client first associates (or reassociates after roaming), before the gateway has a fresh ARP cache entry for that client's IP+MAC pair.

The Dead Window - Step by Step

1 Client associates

802.11 auth + association completes. EAPOL 4-Way Handshake done. Client has IP (from previous DHCP or fast-reconnect). Wi-Fi icon shows connected.

2 Client sends GARP

Gratuitous ARP broadcast: "10.0.0.42 is at AA:BB:CC". Intent: update the ARP caches of ALL on-link devices, including the gateway.

3 Dead window opens

Between GARP transmission and when GARP reaches/is processed by the gateway. During this window, the gateway ARP cache may still have a stale or missing entry for this IP.

4 Client sends DNS/HTTP

Client immediately tries internet traffic. DNS query goes to gateway. Gateway forwards to upstream. Response arrives back at gateway - needs to deliver to client.

5a GARP processed - OK

Gateway already has fresh ARP entry from GARP or from client's outgoing traffic. Response delivered. "Connected, internet works." Window: 50–500 ms typical.

5b GARP dropped - FAIL

Gateway did not process GARP (rate-limited, dropped, stale cache not updated). Gateway cannot deliver response. Client sees DNS timeout. "Connected, no internet."

WHY THIS IS INVISIBLE ABOVE L2

The client's IP stack reports "connected" because the Wi-Fi association is complete and the client has an IP address. The failure occurs at the gateway's ARP layer - the gateway simply discards the response packet because it has no ARP entry for the destination. No ICMP unreachable is generated. No TCP RST is sent. The client sees only a timeout at the application layer, which may be misdiagnosed as: DNS failure, HTTP server error, Wi-Fi signal problem, or "the internet is down." The only definitive diagnosis is a simultaneous PCAP at the client AND the gateway side.

Gratuitous ARP (GARP) - The Mechanism and Its Failure Modes

A Gratuitous ARP is an ARP Request where the sender IP = target IP. The sender is not asking for a MAC - it is announcing its own IP+MAC mapping to everyone on the link. All devices that receive it should update their ARP cache for that IP.

GARP FRAME STRUCTURE (ARP Request)

Operation

1 (Request)

Sender MAC

AA:BB:CC:DD:EE:FF (client)

Sender IP

10.0.0.42 (client IP)

Target MAC

00:00:00:00:00:00 (zero)

Target IP

10.0.0.42 (same as sender - the "gratuitous" flag)

Destination ETH

FF:FF:FF:FF:FF:FF (broadcast)

When is GARP sent?

▸After DHCP lease confirmed (client gets new IP)

▸After Wi-Fi association/reassociation

▸After device wakes from sleep (some implementations)

▸After NIC driver restart or IP renewal

▸Not all OS implementations send GARP - Android is a known offender

Why does GARP fail?

▸Switch ARP inspection (DAI) may rate-limit or drop GARPs

▸Gateway ARP cache too large - GARP not processed quickly

▸Race condition: GARP arrives before gateway ARP table is ready

▸Client does not send GARP at all (OS-dependent)

▸GARP sent on wrong VLAN after roaming VLAN change

Android No-WAN-Path - The Aggravating Factor

Android devices add a second failure mode that interacts with the ARP dead window. After association, Android sends an HTTP probe to connectivitycheck.gstatic.com to test internet connectivity. If the probe fails (during the ARP dead window), Android marks the Wi-Fi network as "no internet" and may:

Route traffic via LTE/5G instead

Android silently falls back to cellular. User sees "connected" Wi-Fi but all data flows through cellular. Battery drains, data plan consumed.

Show "Connected, no internet" warning

Wi-Fi icon shows exclamation mark (!). User thinks AP/network is broken. Actually: ARP dead window resolved after 500ms, connection fine now.

Disconnect and reconnect

Some Android versions disconnect and retry association, restarting the ARP dead window cycle. Causes visible "connected → disconnected → connected" oscillation.

PCAP SIGNATURE - ANDROID NO-WAN-PATH

In a PCAP: client associates (Auth → Assoc → EAPOL M1-M4), client sends GARP, client immediately sends DNS query for connectivitycheck.gstatic.com, DNS response arrives, client sends HTTP GET to 142.250.x.x, HTTP response never arrives (ARP dead window), client retries the connectivity check 2–3 times, then switches to cellular. The entire sequence takes 1–3 seconds. Without a dual-capture (client + gateway), the gateway-side ARP failure is invisible.

Three-Failure-Mode Pattern in Wi-Fi 7 Deployments

In mixed WPA2/WPA3 Wi-Fi 7 deployments, the ARP dead window is often the third failure in a cascade that starts elsewhere:

1 PMF Compatibility Gap

Android reports MFPC=0 in Assoc Request despite connecting to a WPA3 SSID with MFPR=1. AP rejects with Status Code 30. Client retries on WPA2 SSID.

2 Roaming VLAN Change

On VLAN-per-SSID deployments, the WPA2 fallback SSID is on a different VLAN than WPA3. Client gets a new IP from the WPA2 VLAN DHCP pool.

3 ARP Dead Window

New IP + new VLAN means gateway has no ARP entry. GARP from client may not cross VLAN boundary. Internet works after ARP resolves (~1-3s) but Android has already marked the network as "no internet."

RESEARCH NOTE

This three-failure cascade (PMF compatibility gap + VLAN change + ARP dead window) was first documented through passive PCAP analysis of production Wi-Fi 7 gateway deployments, capturing the exact frame-level interaction between the 802.11 MAC layer and the ARP layer that neither the AP vendor logs nor the client OS logs expose. The ARP dead window and PMF compatibility gap are two of three failure modes analysed in ongoing IEEE 802.11 field research.

PCAP Diagnosis - Detecting the Dead Window

GARP present, immediately followed by unanswered DNS queries

Classic dead window. Client sent GARP but gateway ARP cache update was delayed. DNS query timed out before ARP resolved. Compare GARP timestamp vs first DNS response arrival.

No GARP at all after association

Client OS does not send GARP (Android common, some iOS builds). Gateway must wait for client's outgoing traffic (SYN, DNS query) to learn the MAC from the source address. First 1-2 packets from gateway to client drop.

GARP Opcode = 1 (Request) with Sender IP = Target IP

Gratuitous ARP. This is distinct from a standard ARP Request (Target IP = different host). Wireshark labels this automatically as "Gratuitous ARP".

Multiple GARP frames from same IP within 5 seconds

Client retrying GARP after no response. Some implementations retry 3× with 1-second interval. May indicate persistent gateway ARP failure.

HTTP GET to 142.250.x.x or 216.58.x.x with no response

Android connectivity check to Google's servers. No response = ARP dead window active at the time of the check. Measure delta from association complete to HTTP timeout.

WIRESHARK FILTERS

arp.opcode == 1 && arp.src.proto_ipv4 == arp.dst.proto_ipv4  // Gratuitous ARP
arp && !arp.isgratuitous                                       // Non-GARP ARP (normal requests)
dns && !dns.flags.response                                     // Unanswered DNS queries (no response pair)

Mitigations

Proxy ARP on AP/WLC

AP intercepts ARP Requests on behalf of associated clients and responds from the client's last-known MAC. Eliminates the gateway-side dead window. Defined in 802.11v (WNM). Most enterprise WLCs support this (Cisco: ip proxy-arp, Aruba: proxy-arp).

Medium - requires WLC/AP config

Reduce ARP cache TTL on gateway

Default Linux ARP cache TTL is 20 minutes. Reducing to 60–120 seconds forces more frequent ARP refresh but reduces the dead window's impact. Trade-off: more ARP traffic in dense networks.

Low - kernel parameter change

DHCP renewal triggers ARP

When client renews DHCP lease, AP/WLC can trigger an ARP update on the gateway side. Some controllers do this automatically on re-association.

Automatic in enterprise WLCs

Unsolicited ARP on client side

OS-level fix: client sends GARP 3× with 1-second intervals after every association. Reduces race condition probability. iOS and Windows do this; Android historically does not consistently.

OS-dependent - no config needed if supported

Increase Android CaptivePortal check timeout

Not a fix but a workaround: reducing Android's CaptivePortalCheckTimeout gives the ARP dead window more time to resolve before Android marks the network as "no internet." Not user-configurable on stock Android.

Low - MDM policy on managed devices

// related reference

Frame Sequences →PMF (802.11w) →Connection Failure Guide →Anomaly Taxonomy →Roaming (k/v/r) →