// reference · severity model

WiFi Analyser Severity Model

Every anomaly WiFi Analyser detects is assigned a severity level. The model is adapted from nDPI's production risk classification (NDPI_RISK_EMERGENCY through NDPI_RISK_LOW) and collapsed to 5 levels appropriate for 802.11 MAC-layer analysis.

— Shankar K. · Derived from: ntop nDPI NDPI_PROTOCOL_CATEGORY + NDPI_RISK_* constants, field experience

// nDPI 8-level → WiFi Analyser 5-level mapping
nDPI Risk Level         WiFi Analyser Level
NDPI_RISK_EMERGENCY     CRITICAL
NDPI_RISK_CRITICAL      CRITICAL
NDPI_RISK_SEVERE        HIGH
NDPI_RISK_HIGH          HIGH
NDPI_RISK_MEDIUM        MEDIUM
NDPI_RISK_LOW           LOW
NDPI_RISK_INFO          INFO
NDPI_RISK_NOTICE        INFO
// severity levels - definitions and 802.11 examples

CRITICAL
  Active attack confirmed or data confidentiality breach in progress. Requires immediate investigation. Report halted on this finding.
  When assigned: Two or more corroborating indicators across multiple frames. Cannot be a misconfiguration -- attack-specific frame sequence required.

  Finding                              Description                                                               Reference
  SECURITY.EAPOL.KRACK                 M3 retransmission with nonce reuse -- active PTK reinstallation attack    CVE-2017-13077
  SECURITY.ROGUE_AP.EVIL_TWIN          Confirmed BSSID spoofing + client association to attacker AP              4-pillar detection
  SECURITY.DEAUTH.FLOOD                >20 deauth frames/sec from single source MAC                              IEEE 802.11-2020 §11.3.4

HIGH
  SLA failure, confirmed security misconfiguration, or connection-breaking anomaly. Investigate before closing the PCAP.
  When assigned: Single strong indicator is sufficient. SLA FAIL threshold crossed, or clear protocol violation with no benign explanation.

  Finding                              Description                                                               Reference
  CONNECTIVITY.EAPOL.TIMEOUT           4-Way Handshake incomplete -- Reason 15 deauth or M2/M4 missing           SLA: >2000ms = FAIL
  SECURITY.WPS.EXPOSED                 WPS enabled on enterprise SSID -- PIN brute force attack surface          CVE-2011-5053
  CONNECTIVITY.ASSOC.REJECTED          Association rejected with status 23/24 -- RSN IE mismatch                 IEEE 802.11-2020 §12.7.2

MEDIUM
  Performance degradation or configuration issue that impacts user experience but does not break connectivity.
  When assigned: Metric exceeds WARN threshold. Retransmit rate, MCS anomaly, or timing SLA crossed but session completed.

  Finding                              Description                                                               Reference
  PERFORMANCE.RETRY.HIGH_RATE          Retry rate >10% -- RF link marginal or co-channel interference            radiotap.dbm_antsignal
  PERFORMANCE.MCS.LOW_WITH_GOOD_RSSI   MCS 0-2 with RSSI >-65 dBm -- interference, not distance                  IEEE 802.11-2020 §19.5
  NETWORK.BSS.COLOR_COLLISION          Two overlapping BSSes sharing same BSS Color -- spatial reuse degraded    IEEE 802.11ax §26.17.3

LOW
  Advisory finding. Worth noting, does not require immediate action. May indicate suboptimal configuration.
  When assigned: Single weak indicator or known-benign pattern that occasionally causes issues in edge cases.

  Finding                              Description                                                               Reference
  NETWORK.BSS.PMKID_CACHE_MISS         STA not using cached PMKID -- unnecessary full re-auth on roam            IEEE 802.11-2020 §12.7.1.3
  PROTOCOL.BEACON.INTERVAL_DRIFT       Beacon interval varying >5% -- AP clock jitter or load                    IEEE 802.11-2020 §11.1.3
  CONNECTIVITY.DHCP.NAK                DHCP NAK after roam -- IP conflict or subnet mismatch                     RFC 2131 §3.4

INFO
  Observation only. No action required. Provides context for understanding the PCAP environment.
  When assigned: Normal protocol behaviour that is worth surfacing for situational awareness.

  Finding                              Description                                                               Reference
  NETWORK.MAC.RANDOMIZATION            Client using locally-administered MAC -- privacy protection active        IEEE 802.11-2020 §9.4.1
  PROTOCOL.BEACON.LARGE_IE_SET         Beacon >512 bytes -- many SSIDs or vendor IEs present                     IEEE 802.11-2020 §9.3.3.2
  INFO.SESSION.PASSIVE_SCAN            No Probe Requests observed -- client using passive scan (6 GHz)           IEEE 802.11ax §26.5
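The assignment rules above, as an added Python example that is not WiFi Analyser's own code: each detector implements one threshold quoted from the table (deauth flood, EAPOL SLA, retry rate, low MCS with good RSSI, beacon drift) over a constructed set of decoded frame records, and classify() orders the findings so the first one gives the report's severity. The Frame fields, the detector names, the rule that the MCS check fires when at least half of a transmitter's data frames match, and the sample capture itself are this example's assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Optional

# Ordering of the five levels; lower rank sorts first in the report.
RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFO": 4}

# Thresholds quoted from the severity table above.
DEAUTH_FLOOD_PER_SEC = 20   # SECURITY.DEAUTH.FLOOD: >20 deauth frames/sec from one source MAC
EAPOL_FAIL_MS = 2000        # CONNECTIVITY.EAPOL.TIMEOUT: >2000 ms = SLA FAIL
RETRY_WARN = 0.10           # PERFORMANCE.RETRY.HIGH_RATE: retry rate >10%
LOW_MCS_MAX = 2             # PERFORMANCE.MCS.LOW_WITH_GOOD_RSSI: MCS 0-2 ...
GOOD_RSSI_DBM = -65         # ... while RSSI > -65 dBm
BEACON_DRIFT = 0.05         # PROTOCOL.BEACON.INTERVAL_DRIFT: interval varying >5%


@dataclass
class Frame:
    """Minimal decoded 802.11 frame; the field names are this example's own."""
    ts: float                        # capture time, seconds
    src: str                         # transmitter address
    kind: str                        # "deauth", "beacon", "data" or "eapol"
    dst: Optional[str] = None        # receiver address (used to pair EAPOL messages)
    retry: bool = False              # Retry bit in Frame Control
    mcs: Optional[int] = None        # radiotap MCS index
    rssi: Optional[int] = None       # radiotap dbm_antsignal
    eapol_msg: Optional[int] = None  # 4-Way Handshake message number 1..4


def deauth_flood(frames):
    """CRITICAL: more than 20 deauth frames within one second from a single source."""
    per_sec = defaultdict(int)
    for f in frames:
        if f.kind == "deauth":
            per_sec[(f.src, int(f.ts))] += 1
    return [("CRITICAL", "SECURITY.DEAUTH.FLOOD", f"{src}: {n} deauth/sec")
            for (src, _), n in per_sec.items() if n > DEAUTH_FLOOD_PER_SEC]


def eapol_timeout(frames):
    """HIGH: M2 or M4 missing, or M1-to-M4 slower than the 2000 ms SLA.
    M1/M3 are sent by the AP (supplicant is dst); M2/M4 by the supplicant (src)."""
    seen = defaultdict(dict)                       # supplicant -> {msg_no: first ts}
    for f in frames:
        if f.kind == "eapol":
            sta = f.src if f.eapol_msg in (2, 4) else f.dst
            seen[sta].setdefault(f.eapol_msg, f.ts)
    out = []
    for sta, msgs in seen.items():
        if 2 not in msgs or 4 not in msgs:
            out.append(("HIGH", "CONNECTIVITY.EAPOL.TIMEOUT", f"{sta}: M2/M4 missing"))
        elif 1 in msgs and (msgs[4] - msgs[1]) * 1000 > EAPOL_FAIL_MS:
            took = round((msgs[4] - msgs[1]) * 1000)
            out.append(("HIGH", "CONNECTIVITY.EAPOL.TIMEOUT", f"{sta}: 4-Way Handshake took {took} ms"))
    return out


def retry_rate(frames):
    """MEDIUM: per-transmitter data-frame retry rate above the 10% WARN threshold."""
    total, retried = defaultdict(int), defaultdict(int)
    for f in frames:
        if f.kind == "data":
            total[f.src] += 1
            retried[f.src] += f.retry
    return [("MEDIUM", "PERFORMANCE.RETRY.HIGH_RATE", f"{src}: {retried[src] / n:.0%} retries")
            for src, n in total.items() if retried[src] / n > RETRY_WARN]


def low_mcs_good_rssi(frames):
    """MEDIUM: data frames at MCS 0-2 although RSSI is better than -65 dBm.
    Firing when at least half of a transmitter's data frames match is this example's rule."""
    total, low = defaultdict(int), defaultdict(int)
    for f in frames:
        if f.kind == "data" and f.mcs is not None and f.rssi is not None:
            total[f.src] += 1
            low[f.src] += f.mcs <= LOW_MCS_MAX and f.rssi > GOOD_RSSI_DBM
    return [("MEDIUM", "PERFORMANCE.MCS.LOW_WITH_GOOD_RSSI", f"{src}: {low[src]}/{n} frames at MCS<=2, RSSI>-65 dBm")
            for src, n in total.items() if low[src] * 2 >= n]


def beacon_drift(frames):
    """LOW: beacon interval of one BSSID spread over more than 5% of its median."""
    times = defaultdict(list)
    for f in frames:
        if f.kind == "beacon":
            times[f.src].append(f.ts)
    out = []
    for bssid, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(gaps) >= 2 and (max(gaps) - min(gaps)) / median(gaps) > BEACON_DRIFT:
            out.append(("LOW", "PROTOCOL.BEACON.INTERVAL_DRIFT",
                        f"{bssid}: interval {min(gaps) * 1000:.1f}-{max(gaps) * 1000:.1f} ms"))
    return out


def classify(frames):
    """Run every detector and order the findings from most to least severe."""
    findings = []
    for detector in (deauth_flood, eapol_timeout, retry_rate, low_mcs_good_rssi, beacon_drift):
        findings.extend(detector(frames))
    return sorted(findings, key=lambda f: RANK[f[0]])


def worst_severity(findings):
    """Report severity: the top finding, or INFO when nothing fired."""
    return findings[0][0] if findings else "INFO"


# Constructed sample capture (not a real PCAP): one AP, two stations, one deauth source.
AP, STA1, STA2, FLOOD_SRC = "aa:bb:cc:dd:ee:ff", "02:11:22:33:44:55", "02:aa:bb:cc:dd:ee", "aa:bb:cc:00:00:01"
SAMPLE = (
    [Frame(ts=0.1024 * i, src=AP, kind="beacon") for i in range(40)]                                  # steady beacons
    + [Frame(ts=1.00, src=AP, dst=STA1, kind="eapol", eapol_msg=1),
       Frame(ts=1.02, src=STA1, dst=AP, kind="eapol", eapol_msg=2),
       Frame(ts=3.30, src=AP, dst=STA1, kind="eapol", eapol_msg=3),
       Frame(ts=3.35, src=STA1, dst=AP, kind="eapol", eapol_msg=4)]                                   # complete, 2350 ms
    + [Frame(ts=4 + 0.01 * i, src=STA1, kind="data", retry=(i % 7 == 0), mcs=7, rssi=-60) for i in range(20)]  # 3/20 retries
    + [Frame(ts=5 + 0.01 * i, src=STA2, kind="data", mcs=1, rssi=-58) for i in range(4)]             # MCS 1 at -58 dBm
    + [Frame(ts=10 + 0.04 * i, src=FLOOD_SRC, kind="deauth") for i in range(25)]                      # 25 deauths in 1 s
)

if __name__ == "__main__":
    for sev, finding_id, detail in classify(SAMPLE):
        print(f"{sev:<9} {finding_id:<36} {detail}")
    print("report severity:", worst_severity(classify(SAMPLE)))
```

On the sample the report comes back CRITICAL (the deauth flood), followed by the HIGH handshake SLA failure and the two MEDIUM performance findings; the steady beacons produce nothing, matching the table's intent that only a crossed threshold surfaces as a finding.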