// viz · beamforming sounding

Beamforming Sounding Procedure

Every time a Wi-Fi 5/6/6E/7 access point beamforms toward a client, it runs a sounding sequence to measure the channel. The client's response — the Compressed Beamforming Report — is transmitted in plaintext by design. Step through the full sequence, decode the MIMO Control field, and understand why this matters for privacy.

— Shankar K. · Source: IEEE 802.11be-2024 §9.4.1.51, 802.11ac-2013 §8.5.23 · Wireshark: wlan.fc.type == 0 && wlan.fc.subtype == 14

// start here

Beamforming steers Wi-Fi signals toward a specific client instead of broadcasting in all directions. To steer, the AP needs to know the channel — which walls, objects, and people the signal passes through. It finds out by sending a training packet (the NDP), and the client sends back a compressed measurement matrix (the BFI). That measurement is public. Anyone with a Wi-Fi adapter in monitor mode can read it.

Beamformer

The AP (transmitter)

The device that steers the signal. Needs channel measurements to compute a steering matrix. Initiates sounding.

Beamformee

The client (receiver)

The device being steered toward. Measures the channel from the training packet and sends back quantized feedback.

BFI

Beamforming Feedback Information

The compressed channel measurement in the Compressed Beamforming Report. Quantized Givens rotation angles. Transmitted unencrypted.

 // how to read this
Toggle SU (single user) vs MU (multi-user) to see how the AP polls multiple clients.
    Press ▶ Play for the full animation or Next → to step one frame at a time.
    The red highlighted step is where BFI leaves the client unencrypted — visible to any passive monitor in range.

// mode

Speed

📡

Beamformer

Access Point

AP state

Ready to start

💻

Beamformee

Client

Client state

// compressed beamforming report -- frame decode

The Compressed Beamforming Report (CBR) is an Action No Ack frame (management type 0, subtype 14). It carries a MIMO Control field followed by the compressed steering matrix as quantized Givens rotation angles. Every field below is visible in plaintext to any passive monitor in range.

802.11 MAC Header (24 bytes)
  Frame Control:  type=0 (mgmt), subtype=14 (Action No Ack)
  Duration/ID:    0x0000
  Address 1 (DA): AP BSSID  -- destination is the AP
  Address 2 (SA): Client MAC -- source is the beamformee
  Address 3:      AP BSSID
  Sequence Control: [seq num]

Frame Body:
  Category:       21 (VHT) / 30 (HE) / 36 (EHT)
  Action:         0  (Compressed Beamforming / CQI)
  MIMO Control:   [3 or 6 bytes -- see next accordion]
  CBF Matrix:     [variable -- quantized Givens angles]
  MU Exclusive:   [variable -- MU-MIMO only]

No encryption wrapper. No WPA2/3 CCMP around this frame.
It is transmitted as plaintext by IEEE 802.11 design.

IEEE 802.11be Section 9.4.1.51 -- EHT MIMO Control (6 bytes)

Bit layout (little-endian, B0 = LSB):
  B0-B2   (3 bits): Nc Index   -- number of columns (Nc) = field + 1
  B3-B5   (3 bits): Nr Index   -- number of rows (Nr) = field + 1
  B6-B8   (3 bits): BW         -- 0=20 1=40 2=80 3=160 4=320 MHz
  B9      (1 bit):  Grouping   -- subcarrier grouping (Ng)
  B10-B11 (2 bits): Codebook   -- quantization bits (phi, psi)
  B12     (1 bit):  Feedback Type -- 0=SU, 1=MU
  ...

Live example from AT&T Wi-Fi 7 gateway capture (wintercoming):
  Raw MIMO Control: 31 03 d0 bf 1d 28
  Nc Index = 1  -> Nc = 2 spatial streams
  Nr Index = 6  -> Nr = 7 AP Rx antennas
  BW       = 4  -> 320 MHz channel width

The CBR matrix that follows: 3,126 bytes of Givens angles.
Each angle encodes a rotation in the beamforming matrix space
describing how your physical environment deflects the radio waves.

BFI is unencrypted by IEEE 802.11 design.

Common misconception: "beamforming" implies ray-like directed signals.
CBR does not encode ray-traced paths. The Givens rotation angles (phi, psi)
are a compressed quantisation of V -- the right singular matrix from the
SVD decomposition H = U-Sigma-V* of the full channel matrix H. They encode
the angular geometry of the multipath environment, not geometric ray paths.
BFId trains its RNN directly on the phi/psi time series without any
propagation model. The "beams" in beamforming feedback are a mathematical
abstraction in matrix space, not physical ray-optical beams.

CBR frames are Action No Ack management frames (type=0, subtype=14).
Management frame encryption in 802.11 is provided by PMF (802.11w), which
protects specific unicast management categories -- Deauthentication,
Disassociation, and select Action frame types. Action No Ack frames carrying
CBR are not in the PMF-protected list in any 802.11 revision. Encrypting them
would require a standards amendment adding CCMP coverage to CBR frames --
no such amendment exists as of 802.11be-2024 or 802.11bf-2025.

What this means in practice
---------------------------
Any Wi-Fi adapter in monitor mode that is on the same channel as
your AP can capture every CBR frame from every client associated
to that AP. No association needed. No MITM needed. Purely passive.

The CBR frame carries:
  - The client's MAC address (in the 802.11 header)
  - The MIMO Control field (Nc, Nr, BW)
  - 3,000-4,000 bytes of quantized Givens angles per frame
  - Transmitted at 4-10 Hz continuously while the client is active

BFId (Todt, Morsbach, Strufe; ACM CCS 2025)
---------------------------
Researchers at KIT KASTEL (Karlsruhe Institute of Technology)
demonstrated that BFI alone is sufficient to identify individuals:

  Dataset: 197 participants
  Accuracy: 99.5% +/- 0.38%
  Hardware: standard Wi-Fi (no modified drivers, no CSI extraction)
  Method: recurrent neural network on raw BFI time series
  Advantage over CSI: one passive monitor captures BFI from ALL
    clients simultaneously (multiple perspectives), outperforming
    per-client CSI approaches for large populations

Reference: DOI 10.1145/3719027.3765062 (ACM CCS 2025, Taipei)

// mimo control decoder -- paste your own hex

Paste the 6-byte MIMO Control field from a CBR frame captured in Wireshark and decode it live. Copy from the packet bytes panel after filtering for wlan.fc.type == 0 && wlan.fc.subtype == 14.

MIMO Control hex (6 bytes)

Example: 31 03 d0 bf 1d 28 (AT&T Wi-Fi 7 capture, May 2026)

// privacy implications -- bfid attack (acm ccs 2025)

Every client associated to a Wi-Fi 5, 6, 6E, or 7 access point with beamforming enabled is continuously broadcasting its spatial fingerprint to the AP. This fingerprint encodes the geometry of everything between the antenna and the client — walls, furniture, and the human body. KIT KASTEL researchers demonstrated 99.5% person identification accuracy from BFI alone, without any association, without modified drivers, and without any special hardware.

No association needed

The attacker's adapter captures BFI passively, without connecting to the network.

No device required

The identified person does not need to carry a Wi-Fi device. Other associated devices on the network generate BFI that encodes room occupancy.

Works at 4-10 Hz

BFI arrives multiple times per second. A 60-second capture provides hundreds of data points per client.

Better than CSI

BFI-based identification outperforms CSI (channel state information) at large population sizes because multiple client perspectives are captured simultaneously.

BFId: Identity Inference Attacks Utilizing Beamforming Feedback Information —
      Julian Todt, Felix Morsbach, Thorsten Strufe — KASTEL Security Research Labs, KIT —
      ACM CCS 2025 — DOI: 10.1145/3719027.3765062

// edge cases the standard walkthrough won\'t tell you

NDP is not captured in monitor mode

Null Data Packets have no PSDU. Most monitor mode captures miss them entirely because they have no frame body to decode. You see the NDP Announcement and the CBR response but not the NDP itself. The sounding trigger is inferred.

CBR rate varies by AP firmware

Some APs sound every client every 100ms. Others use traffic-triggered sounding (only when sending data). High-density deployments with many clients reduce per-client sounding frequency to manage airtime.

MU-MIMO polling order is significant

In MU mode, the first client in the NDP Announcement responds immediately after the NDP (no BRP needed). Each subsequent client waits for an explicit Beamforming Report Poll. If a client misses the BRP, the AP cannot beamform to it in that exchange.

EHT vs HE vs VHT category numbers differ

VHT CBR: Category 21, Action 0. HE CBR: Category 30, Action 0. EHT CBR: Category 36, Action 0. The frame shape is similar but the MIMO Control field width and bit layout change. EHT MIMO Control is 6 bytes; VHT is 3 bytes.

Compressed vs uncompressed beamforming

802.11n introduced uncompressed beamforming (rarely implemented, high overhead). 802.11ac switched to explicit compressed beamforming only. The compression uses Givens rotations to represent the precoding matrix compactly. The compression is what makes BFI useful for sensing -- it acts as a noise filter.

// wireshark filters

Filter	What it catches	Standard
wlan.fc.type == 0 && wlan.fc.subtype == 14	All Action No Ack frames including CBR	802.11-2024
wlan.action.category == 21	VHT CBR only (Wi-Fi 5 and above)	802.11ac-2013 Table 8-38
wlan.action.category == 30	HE CBR only (Wi-Fi 6)	802.11ax-2021
wlan.action.category == 36	EHT CBR only (Wi-Fi 7)	802.11be-2024
wlan.vht.action == 0	VHT Compressed Beamforming action	802.11ac-2013 Sec.8.5.23

// learner's guide

from the field "Why is my wireless IDS seeing unexpected action frames?"

// the scenario

An enterprise WLAN admin notices their WIDS flagging a high volume of Action No Ack frames between clients and APs in the 6 GHz band. The frames are large (2,000-4,000 bytes), periodic, and originate from every associated client. No authentication anomaly. No deauth flood. Health score drops on the monitoring system.

// what's actually happening

These are EHT Compressed Beamforming Reports (Category 36, Action 0). The AP is running the sounding procedure to maintain steering matrices for every active client. In a dense deployment with many 6 GHz clients and a high-antenna-count AP (Nr=7 or more), the combined airtime for CBR frames can be significant. Each 3,134-byte CBR at 4 Hz per client occupies real airtime at the lowest MCS available (broadcast/management rate).

// how this visualizer helps

The sounding procedure step shows exactly what the AP sends (NDPA, NDP) and what it receives (CBR). The MIMO Control decoder shows you how many antennas and streams the AP is measuring per client, directly from the captured hex. The privacy risk section explains why this traffic cannot be encrypted at the link layer and what an external observer can infer from it.

// still watch out for

Not all large Action No Ack frames are CBR. 802.11bf Sensing Measurement Report frames (Category 63) have the same frame type and subtype. Check byte 0 of the frame body (the Category field) to distinguish: 36=EHT CBR, 30=HE CBR, 63=Sensing Measurement Report.

basic The AP sends a training packet; the client tells it what the channel looks like

Beamforming means the AP focuses its Wi-Fi signal toward a specific device rather than broadcasting in all directions. To do this, the AP needs to know which way to aim. It finds out by sending a special training packet called a Null Data Packet (NDP) — a frame with no payload, just training symbols that let the client measure the channel.

The client measures how the NDP arrived — what the channel looks like between them — and sends a compressed summary back to the AP. That summary is called the Compressed Beamforming Report (CBR), and the channel information inside it is the Beamforming Feedback Information (BFI).

The AP uses the BFI to compute a steering matrix, then starts sending toward the client using that matrix. This improves throughput, especially over distance. The sounding procedure repeats periodically to track changes in the channel.

intermediate NDPA, NDP, BRP, CBR -- the full sounding sequence

The sounding sequence begins when the AP transmits a VHT/HE/EHT NDP Announcement frame (NDPA). This is a management Action frame (not an Action No Ack) that announces which clients should provide feedback. Each client is listed by AID, along with the number of feedback streams it should report. A SIFS after the NDPA, the AP transmits the actual Null Data Packet (NDP) — a PPDU containing multiple LTF (Long Training Field) symbols per spatial stream, but no PSDU. The NDP is what the client measures.

In SU-MIMO, there is only one client. It responds with a CBR immediately after the NDP (no poll needed). In MU-MIMO, the first client responds immediately; subsequent clients each wait for an explicit Beamforming Report Poll (BRP) from the AP. This polling ensures only one client transmits at a time on the shared channel.

The CBR contains the MIMO Control field (Nc, Nr, BW, Grouping, Codebook) followed by the compressed steering matrix as quantized Givens rotation angles. The compression uses Givens factorization of the precoding matrix; the bit widths of phi and psi angles are determined by the Codebook field. Larger antennas, more spatial streams, and wider bandwidths produce larger CBR frames — a 7-antenna AP with 2 streams at 320 MHz produces approximately 3,134 bytes of Givens data per sounding event.

advanced Givens compression, sensing attack surface, and proposed mitigations

Givens rotation compression. The precoding matrix V is factored into a product of Givens rotation matrices. Each rotation is parameterized by two angles (phi, psi), quantized to b-phi and b-psi bits respectively. b-phi is determined by the Codebook field in MIMO Control (2 or 4 bits); b-psi = b-phi - 2. The quantized angles are packed LSB-first into the CBR body in a specific order defined by the spec (sweeping over subcarrier groups, then antenna pairs). The compression has an important side effect for sensing: it acts as a noise filter, eliminating per-subcarrier noise that contaminates raw CSI measurements. This is why BFId achieves HIGHER accuracy than CSI-based methods at large population sizes.

Why BFI outperforms CSI for sensing. CSI is measured at the receiver side and requires driver-level access (nexmon, PicoScenes) to extract. Each device requires its own hardware-modified driver. BFI is the same information but at the sender side, broadcast in plaintext. One passive monitor captures BFI from every associated client simultaneously, providing multiple spatial perspectives of the same room — effectively a multi-antenna sensing array at zero cost to the attacker. BFId showed that this multi-perspective advantage compensates for the coarser quantization compared to raw CSI.

Proposed mitigations. The BFId researchers call for privacy protections in 802.11bf. The most technically complete proposal (arXiv 2512.18529, Dec 2025) introduces a differential-privacy quantizer applied to Givens angles: instead of deterministic rounding, angles are quantized with calibrated noise (epsilon-DP stochastic quantizer). The mechanism is standards-compatible (same bit-width output as the normal quantizer), admits closed-form sensitivity bounds in angular representation, and degrades beamforming gain by less than 1 dB in simulation. No commercial router firmware had shipped this as of May 2026.

802.11bf and BFI. IEEE 802.11bf (ratified September 2025) defines an explicit sensing framework using dedicated Sensing Measurement Request / Response / Report frames. This is a separate mechanism from beamforming sounding BFI. However, 802.11bf sensing also uses NDPs and can optionally report CSI via Sensing Measurement Report frames. The BFId attack uses beamforming sounding BFI (Category 30/36, present since Wi-Fi 5) — not 802.11bf sensing frames — and works on any Wi-Fi 5/6/7 network regardless of 802.11bf support.

// share this page

// also on this site

← previous

viz

MU-MIMO Beamforming

next →

viz

MLO 4-Way Handshake

SK

— Shankar K., Wi-Fi engineer, Irving TX
 Building WiFi Analyser V2 · CWNA-109 in progress · one post every two weeks 

// leave a comment