// viz · mlo 4-way handshake

MLO 4-Way Handshake Visualizer

One handshake, one PTK at the MLD level, separate group keys per link. Step through M1 to M4 with every MLO-specific KDE rendered byte by byte, toggle MLO vs non-MLO to see exactly what changes, and read the failure signatures Wi-Fi 7 introduces.

— Shankar K. · Source: IEEE 802.11be-2024 §12.7, WPA3 Specification v3.2 · Wireshark: eapol && wlan.eht.multi_link

// start here

A non-MLO 4-way handshake gives you one PTK and one GTK. A Wi-Fi 7 MLO client running across 2.4, 5, and 6 GHz uses ONE 4-way handshake to set up the whole multi-link association — a single PTK at the MLD level protects every unicast frame on every link, but each link gets its own GTK, IGTK, and BIGTK for broadcasts and management. Use the toggle below to flip between MLO and non-MLO and watch every message change.

PMK

Pairwise Master Key

Same as non-MLO. Derived from PSK + SSID, or from 802.1X / RADIUS. Never transmitted. Lives at the MLD level in MLO.

MLD Association

Multi-Link setup

Before the 4-way runs, the client and AP exchange Auth + Assoc carrying the Multi-Link element advertising which links each side supports.

MLD MAC vs Link MAC

Two address namespaces

Each link has its own MAC. The MLD has a separate virtual MAC. PTK derivation in MLO binds to MLD MACs; per-link KDEs carry link MACs.

 // how to read this
Toggle MLO vs Non-MLO below to compare the same M1-to-M4 exchange side by side. Press ▶ Play for the full animation, or Next → to step one message at a time.
    Each step expands the Key Data Elements as Wireshark sees them: byte-level KDEs in MLO mode, classic key-data blocks in non-MLO.
    In Challenge mode, advance with Play or Next until you reach the target step — the challenge auto-completes when you get there.

// mode

Speed

// or play in browser

Tip: Google UK English Male or Microsoft David sound best. Pick from voice selector above.

📡

Authenticator

MLD Access Point

AP state

Ready to start

💻

Supplicant

MLD Client

Client state

// ptk derivation -- ieee 802.11be § 12.7.1.6.2

PTK = PRF(PMK, ANonce || SNonce || Min(A,S) || Max(A,S))

In MLO mode

A = AP MLD MAC
S = Client MLD MAC
Single PTK protects every unicast frame on every link.

In Non-MLO mode

A = AP MAC (single link)
S = Client MAC (single link)
PTK protects unicast on that single link.

AP MLD MAC (A)

Client MLD MAC (S)

ANonce (AP, 32B)

SNonce (Client, 32B)

// derived PTK (384b) -- display-only PRF surrogate, NOT cryptographically valid

Real PTK uses HMAC-SHA-1 (CCMP-128) or HMAC-SHA-384 (GCMP-256, with KCK2 / KEK2). The values above are a deterministic hash for teaching purposes only.

// mlo kde byte-level decoder

Click each KDE below to expand the byte-level view as Wireshark renders it. These KDEs only appear in MLO mode — toggle to MLO above to see them in the animation.

Tag: Vendor Specific: IEEE 802.11: MAC Address KDE
  Tag Number: Vendor Specific (221)
  Tag length: 10
  OUI: 00:0f:ac (IEEE 802.11)
  Vendor Specific OUI Type: 3  (MAC Address KDE)
  Data Type: MAC Address KDE (3)
  MAC Address: aa:bb:cc:dd:ee:00     <-- AP MLD MAC in M1
                                      <-- Client MLD MAC in M2

Tag: Vendor Specific: IEEE 802.11: MLO Link KDE
  Tag Number: Vendor Specific (221)
  Tag length: 14
  OUI: 00:0f:ac (IEEE 802.11)
  Vendor Specific OUI Type: 15  (MLO Link KDE)
  Data Type: MLO Link KDE (15)
  Link ID: 0x0                      <-- link 0 (2.4 GHz)
  RSNE / RSNXE Info: 0x00
  MAC Address: 11:22:33:44:55:60    <-- per-link MAC for this link

  (Same KDE repeats for each active link in M2, one per Link ID.)

Tag: Vendor Specific: IEEE 802.11: MLO GTK KDE
  Tag Number: Vendor Specific (221)
  Tag length: 27
  OUI: 00:0f:ac (IEEE 802.11)
  Vendor Specific OUI Type: 16  (MLO GTK KDE)
  Data Type: MLO GTK KDE (16)
  .... ..01 = Key ID: 0x1
  .... .0.. = Tx: False
  ...0 .... = Reserved: 0x0
  0010 .... = LinkID: 0x2           <-- THIS is the link binding
  PN: 0
  GTK: 1171cb4428937a98f89db07933ad02e4

Tag: Vendor Specific: IEEE 802.11: MLO IGTK KDE
  Tag length: 29
  Vendor Specific OUI Type: 17  (MLO IGTK KDE)
  Key ID: 0x0004
  IPN: 0
  0010 .... = LinkID: 0x2
  IGTK: cb4bbd24283e08d03142 7f0eacd88511

Tag: Vendor Specific: IEEE 802.11: MLO BIGTK KDE
  Vendor Specific OUI Type: 18  (MLO BIGTK KDE)
  (same shape as IGTK, beacon protection key per link)

WPA Key Data Padding: dd000000
[KCK: 11ffa10a569455fe10934577f954fcfd]
[KEK: 035b5cb0b3c3ad7490fd69b1052366f2]

// why per-link GTK?

Reason 1: Legacy clients

An MLO AP also serves non-MLO Wi-Fi 4 / 5 / 6 clients that connect to one link only. Those clients need a GTK valid for that specific link's broadcast domain.

Reason 2: Independent key rotation

A 6 GHz link can rotate its GTK without forcing 2.4 GHz and 5 GHz to roll keys. Reduces broadcast-traffic disruption.

Operational consequence: each link maintains its own GTK + IGTK + BIGTK triplet, each tagged with a Link ID in the KDE. A broadcast frame on Link 0 cannot be decrypted by a device only holding Link 1's GTK, by design.

// edge cases the spec walkthrough won't tell you

EMLMR PN-space sharing

Under Enhanced Multi-Link Multi-Radio operation, the single PTK at MLD level is paired with a SHARED packet-number (PN) space across all simultaneously-active links. If firmware does not synchronize PN updates across the radio chain, replay-counter desync can surface on one link while the others continue normally. Observable in PCAP as PN regression on one link, PN advancing normally on others, both encrypted with the same PTK.

KCK2 / KEK2 with GCMP-256

WPA3 with GCMP-256 + SAE-PT + 256-bit AKM uses 512-bit PTK output instead of 384-bit. The extension introduces KCK2 (24 bytes) and KEK2 (32 bytes) for MIC and key-wrap operations on Management Frame Protection. MLO with this cipher suite uses MIC field length 32 bytes (HMAC-SHA-384) instead of 16 bytes (HMAC-SHA-1).

Link recovery state

When one link of an MLD fails and recovers, the GTK rotation on that link does NOT trigger a full 4-way handshake. The AP unicasts a Group Key Handshake (M5 / M6, 2-way group handshake) delivering the new GTK via MLO GTK KDE for the recovered link only. PTK is untouched.

0x0010 Link ID prefix

The Link ID byte inside MLO GTK / IGTK / BIGTK KDE uses bit positions 4 to 7 (high nibble) for the link ID itself. Bits 0 to 3 are reserved. So a Link ID value of 0x2 renders in Wireshark as bit-field "0010 .... = LinkID: 0x2" -- the 0x0010 prefix is bit-position notation, not an offset.

PMF binding to Link ID

Even when Beacon Protection and Management Frame Protection are negotiated at the MLD level, the actual IGTK and BIGTK are PER LINK. A management frame received on Link 0 is verified against Link 0’s IGTK regardless of which link the handshake completed on. Implementation bugs that conflate "PMF at MLD" with "IGTK shared across links" produce silent MIC verification failures.

Non-MLO legacy client fallback

If a client capable of MLO chooses to associate as non-MLO with an MLO-capable AP (driver decision or capability mismatch), the handshake runs in classic mode with only per-link MAC and per-link keys. The AP must NOT include MLO KDEs in M1 or M2 even though it is MLO-capable. PCAP signature: standard 4-way handshake, no MLO Link KDE, no MLO GTK KDE. This is correct behavior, not a downgrade attack.

// mlo handshake failure analysis -- what to look for in wireshark

EAPOL pattern in PCAP	Root cause	Reason code	Fix
M1 with MAC Address KDE, M2 with only per-link MAC (no MAC Address KDE)	Client driver does not implement MLO 4-way. Falls back to classic.	15 -- 4-way timeout	Update client driver. Verify wpa_supplicant >= 2.11.
M2 missing one or more MLO Link KDEs	Client failed to set up all advertised links. Common with EMLSR on power-constrained devices.	17 -- IE mismatch	Investigate per-link RF condition.
M3 missing MLO GTK KDE for one Link ID	AP per-link GTK generation failure or driver bug.	15 -- 4-way timeout	AP firmware update.
All MLO GTK KDEs have same Link ID	AP firmware bug in KDE assembly. Broadcasts decrypt across wrong link.	(silent)	Vendor escalation. Reproduce with single-link A/B test.
M3 valid MLO KDEs but client sends M4 with classic PTK install	Client treats handshake as non-MLO despite KDE presence.	(silent)	Client driver bug. Affects per-link broadcast reception.
Reason 15 only on 6 GHz link, 2.4 + 5 GHz handshakes succeed	6 GHz mandates PMF. Client does not advertise MFPC=1 in 6 GHz capability.	15	Enable PMF on client for 6 GHz.
M3 received twice, both with Install=1	KRACK variant in MLO context. AP firmware bug.	(silent)	AP firmware update per IEEE 802.11-2020 §12.7.6.6.

Diagnose MLO handshake failures in your PCAP

WiFi Analyser detects missing MLO KDEs, per-link GTK mismatches, MLO PTK derivation anomalies, and the EMLMR PN-space desync pattern automatically.

try it free ↗

// learner's guide

from the field "Wi-Fi 7 client connects but only sees half the broadcasts"

// the scenario

A Wi-Fi 7 phone associates with an MLO AP successfully. Unicast traffic works fine across all three bands. But the phone never receives mDNS advertisements from the printer on the local subnet. Other devices on the same SSID see the printer fine.

// what's actually happening

The MLO handshake completed and the phone installed the unified PTK at the MLD level. Unicast frames work. But the AP firmware bug assembled the same Link ID into both 2.4 GHz and 5 GHz MLO GTK KDEs in M3, so the phone installed only one GTK (overwrite) and only decrypts broadcasts on one link. The printer broadcasts mDNS on the link the phone is not listening on. To the user it looks like an mDNS / Bonjour issue.

// how this feature helps

A packet capture shows the MLO GTK KDEs in M3 with identical Link IDs. The visualizer renders the byte-level KDE so you can spot the duplication immediately. Comparing across vendors, you can see whose firmware assembles MLO GTK KDEs correctly with sequential Link IDs (0, 1, 2) and whose does not.

// still watch out for

Some MLO clients deliberately install the same GTK across links if the AP advertises MLD-level group key (a Wi-Fi 7 extension still in spec draft). Check the AP's RSN extension capabilities before flagging identical Link IDs as a bug. Cloud-managed APs are the most common offenders in 2026 deployments — firmware update lags.

basic One handshake covers all three bands, separate keys for broadcasts

A Wi-Fi 7 device with Multi-Link Operation can be on 2.4 GHz, 5 GHz, and 6 GHz at the same time with the same AP. They run ONE 4-way handshake to set this up, not three. The pairwise key that protects unicast traffic (the PTK) is the same across all three bands.

But each band gets its own group key for broadcast traffic (the GTK). That is the new part. The AP tells the client "here is GTK for Link 0 (2.4 GHz), here is GTK for Link 1 (5 GHz), here is GTK for Link 2 (6 GHz)" all in Message 3 of the handshake, packaged as separate Key Data Elements.

To prove all of this works, the client's MIC in Message 4 is computed using the new PTK. If the AP can verify that MIC, both sides have proven they derived the same PTK from the same PMK, MLD MAC addresses, and nonces.

intermediate MLD MAC addresses, MAC Address KDE, and per-link MLO Link KDE

The PTK in MLO is computed exactly like classic 4-way: PTK = PRF(PMK, ANonce, SNonce, Min(A,S), Max(A,S)). The difference is A and S. In classic 4-way, A is the AP MAC and S is the client MAC. In MLO, A is the AP MLD MAC and S is the client MLD MAC. The MLD MAC is a virtual MAC that identifies the device as a multi-link entity; each link has its own MAC, but the MLD MAC is what the handshake binds to.

The AP MLD MAC is told to the client in Message 1 via the MAC Address KDE (Key Data Element, OUI 00:0f:ac, type 3). This field does not exist in classic 4-way. The client's MLD MAC is told back in Message 2 via the same KDE type.

Message 2 also includes one MLO Link KDE per active link. Each MLO Link KDE has a Link ID (0, 1, 2 for 2.4 / 5 / 6 GHz typically), RSNE / RSNXE info, and the per-link MAC address. This tells the AP "these are the links I want active under this MLD."

After Message 3, where per-link GTK / IGTK / BIGTK arrive, the client installs the single PTK once and the per-link group keys once each. Unicast frames between this AP and client on any link use the same PTK; broadcasts on Link 0 use Link 0's GTK; broadcasts on Link 1 use Link 1's GTK; etc.

advanced EMLMR PN-space, KCK2 / KEK2, link recovery, and Beacon Protection

EMLMR PN-space sharing. Under Enhanced Multi-Link Multi-Radio, the single PTK at MLD level is paired with a SHARED packet-number space across all simultaneously-active links. Firmware must synchronize PN updates across the radio chain. If it does not, replay-counter desync surfaces on one link while the others continue normally, both encrypted with the same PTK. Wireshark exposure: wlan.ccmp.pn across frames on the same TID.

KCK2 / KEK2 with GCMP-256. WPA3 with GCMP-256 + SAE-PT + 256-bit AKM produces a 512-bit PTK split as KCK2 (24 bytes) + KEK2 (32 bytes) + TK. MIC field in EAPOL frames extends to 32 bytes (HMAC-SHA-384) instead of 16 bytes. Many MLO deployments in 2026 still use CCMP-128 with the 384-bit PTK; the GCMP-256 + MLO combination is correct per spec but uncommon in shipped firmware.

Link recovery via Group Key Handshake. When one link fails and recovers, the AP refreshes that link's GTK via the 2-way Group Key Handshake (M5 / M6, also called the EAPOL-Key Group exchange). PTK is untouched. PCAP signature: standalone EAPOL-Key Group message with Key Type = 0, no SNonce, MLO GTK KDE present for the recovered Link ID. Confusingly similar to a re-key but does not regenerate the PTK.

Beacon Protection per link. Each link's BIGTK protects that link's beacons independently. A forged beacon advertising malicious parameters on Link 0 (e.g., a channel-switch to a jammed channel) fails MIC verification at clients holding Link 0's BIGTK and is dropped. The same client on Link 1 continues normally. Wi-Fi 7 mandates Beacon Protection; many Wi-Fi 6E APs already implement it.

R-TWT interaction with EAPOL in MLO. Restricted TWT can be scheduled per link in MLO. EAPOL frames during the MLO 4-way handshake contend for airtime normally on whichever link the handshake runs on. In a heavily R-TWT-scheduled BSS, M3 retries can queue behind R-TWT-protected traffic. Vendor mitigation varies; some firmware maps EAPOL to a high-priority Access Category to bypass R-TWT queuing.

Wireshark MLO handshake forensics. eapol && wlan.eht.multi_link filters MLO handshake traffic, wlan_rsna_eapol.keydes.data.type == 16 finds MLO GTK KDE in M3, wlan_rsna_eapol.keydes.data.type == 15 finds MLO Link KDE in M2, wlan_rsna_eapol.keydes.data.type == 3 finds MAC Address KDE, wlan.eht.multi_link.control.type == 0 identifies Basic Multi-Link element.

// share this page

// also on this site

← previous

viz

MU-MIMO Beamforming

next →

ie

Beacon IE Decoder

SK

— Shankar K., Wi-Fi engineer, Irving TX
 Building WiFi Analyser V2 · CWNA-109 in progress · one post every two weeks 

// leave a comment