The filter reference I wish existed when I started

Catches SA, DA, TA, RA - the safest way to follow a single client. More complete than wlan.sa alone.

Uplink traffic from this device specifically. Use this in Wi-Fi 7 MLO - the L-MAC address you see in frames, not the U-MAC shown in monitoring tools.

Everything associated with one AP radio. Critical for multi-AP captures - isolates a single cell.

Shows beacons, probe responses for a specific SSID. Useful for rogue AP detection - if you see two BSSIDs with the same SSID, investigate.

Start here when troubleshooting association failures. Hides data and control clutter immediately.

Every beacon = 100ms interval. Missing beacons from an AP = RF issue or AP crash. Also where BSS Color, HE/EHT capabilities live.

Shows client scanning behavior. Excessive probe requests = sticky client that won't roam. MAC randomization makes this harder to track by address.

APs answering client scans. Lots of probe responses to one client = client is being courted by multiple APs but refusing to roam.

Open system auth (2 frames) or SAE (multiple). Check the status code in frame 2 - anything non-zero is a rejection. Status 53 = PMKID invalid (802.11r failure).

Client's first formal join request. Contains RSN IE, HT/VHT/HE/EHT capabilities. The RSN IE here tells you exactly what the client actually supports - critical for WPA3 mismatch diagnosis.

Status code 0 = success. Anything else = rejection with a reason. Check wlan_mgt.fixed.status_code in the frame details.

The heartbeat of roaming. Delta time between req and resp = roam latency. Over 50ms = problem. Over 100ms = voice call dropped.

Check the reason code. Reason 3 = client left. Reason 23 = 802.1X auth failed. Reason 15 = 4-way handshake timeout. A flood of deauths from a non-AP BSSID = deauth attack.

Softer disconnect than deauth. Reason 4 = AP kicked client for inactivity. If PMF is disabled, these can be forged - check with WiFi Analyser's evil twin detector.

Where 802.11k neighbor reports, 802.11v BTM requests, and 802.11r FT actions live. High-value frames - if these are missing, your roaming stack is broken at the protocol level.

Should see exactly 4 frames per successful association. Message 1 = AP sends ANonce. Message 2 = client responds with SNonce + MIC. Message 3 = AP sends GTK. Message 4 = client ACKs. Missing frame 2 = PMKID rejected.

Filter all frames containing the RSN IE. Compare beacon RSN IE vs AssocReq RSN IE - if client's cipher list doesn't include what AP advertises, that's your downgrade.

Management Frame Protection Capable. If this bit is 0 in beacons, deauth frames can be forged. CVE-2019-15126 exploits exactly this. Check with WiFi Analyser's security audit.

Mandatory for WPA3. If MFPR=1 in beacon but MFPC=0 in client AssocReq, that client cannot join. This is a common enterprise WPA3 migration failure.

EAP-TLS, EAP-PEAP, EAP-TTLS all show here. Count the exchanges - EAP-TLS has more frames than PEAP. A sudden EAP-Failure frame = cert issue or RADIUS rejection.

AKM suite selector in RSN IE. Type 1=802.1X, 2=PSK, 3=FT-802.1X, 4=FT-PSK, 8=SAE (WPA3), 12=FT-SAE. Compare AKM in beacon vs AssocReq - mismatch means negotiation failed silently.

Must increment M1→M2→M3→M4. If M3 replay counter equals M1 replay counter (same value resent), that is a KRACK retransmission trigger - CVE-2017-13077. Patched clients reject the reinstallation. Unpatched clients reinstall the PTK, resetting the nonce.

AP is advertising 802.11r Fast Transition support. Cross-check that the client's AssocReq also shows FT support - mismatch = full re-auth on every roam.

AP nudging client to roam. If you see these and the client ignores them, that's your sticky client problem. BTM Reject response = client refused the nudge.

Client asking AP for a list of neighbor APs. If this frame is present but response is empty, your 802.11k configuration is broken. Client has to scan blind = slow roaming.

Every unicast data frame should have an ACK. Missing ACKs with retries = RF link quality problem at the receiver end.

Hidden node protection. Lots of RTS/CTS = collision avoidance overhead. In dense Wi-Fi 7 deployments with MRU, seeing more RTS/CTS than expected = OFDMA scheduling issue.

A-MPDU aggregation acknowledgement. High Block ACK count = good, aggregation is working. Absence of Block ACKs on a modern client = aggregation disabled, throughput is degraded.

The single most important health indicator. Over 10% retries = RF problem. Over 20% = critical. Check which client or AP is generating them - that tells you the direction of the problem.

Isolate retry behavior to a specific client or AP. If only one device is retrying while others aren't - it's a driver, NIC, or position issue, not the AP.

Client telling AP it's going to doze. If this flips rapidly, client is in aggressive power save mode. Can cause timing issues with latency-sensitive apps like VoIP.

Corrupted frames at the physical layer. FCS errors with high RSSI = co-channel interference, not signal strength. This is a common misdiagnosis - engineers blame distance when it's actually a neighbour AP on the same channel.

Present only in 802.11be frames. If you're qualifying a Wi-Fi 7 gateway and this IE is missing from beacons, the AP is falling back to HE mode. That's a misconfiguration, not a client issue.

6-bit value (1–63). If two overlapping APs share the same BSS Color, spatial reuse is disabled between them. That's a BSS Color collision - exactly what WiFi Analyser's BSSCOLOR_COLLISION anomaly flags.

AP has turned off BSS Color. This kills 6 GHz spatial reuse completely. Usually happens after a collision detection event. Look for a BSS Color Change Announcement frame shortly before this.

Identifies which link in an MLO setup this frame belongs to. Critical note: always filter MLO traffic by the link-specific MAC (L-MAC), NOT the MLD MAC (U-MAC) that monitoring tools show you. That's the most common MLO PCAP mistake.

First combo I run when a user says "keeps dropping." If you see deauth storms from the AP side, it's kicking the client. From the client side, client is leaving voluntarily (and often immediately re-associating elsewhere).

Probe → Auth → Assoc → EAPOL. Everything a client does to join. This is my go-to for diagnosing "client can't connect" tickets. Step through each stage and find where it stops.

Reassoc req + resp + deauths. This gives you a timeline of every roam event in the capture. Sort by time and look for overlapping deauths and reassocs - that's where roaming latency hides.

-70 dBm or better = healthy signal. Invert with < -80 to isolate weak-signal frames where retries are likely. RadioTap RSSI is the signal at the sniffer adapter - not the client or AP. Note which adapter captured when comparing values.

Frames received below -80 dBm are in the marginal zone. Combine with wlan.fc.retry == 1 to confirm RF is the cause of retries rather than congestion.

Replace 5240 with your channel. 2.4 GHz: 2412-2484. 5 GHz: 5180-5825. 6 GHz: 5945-7125. Use >= 5945 to isolate all 6 GHz traffic in a multi-band capture.

MCS 0 = BPSK 1/2 - the lowest HT/VHT rate. A client falling back to MCS 0 is telling you it's at the edge of coverage or fighting severe interference. Use != 0 to hide legacy fallback frames and see what the healthy traffic looks like.

RadioTap datarate is in 500 Kbps units - divide by 2 for Mbps. Value 12 = 6 Mbps. Management frames often appear at 6 Mbps (mandatory basic rate). Data frames at 6 Mbps = severe rate degradation.

AP scheduling uplink MU-OFDMA transmissions. Presence of Trigger Frames confirms OFDMA is active. Absence on a Wi-Fi 6 network = AP has OFDMA disabled or clients don't support it. In dense deployments this should be common - if you never see it, your AP config needs checking.

FCS errors with strong RSSI = co-channel interference, not weak signal. This is the most common misdiagnosis in RF troubleshooting. Engineers blame coverage when the real cause is an overlapping AP on the same channel destroying frames mid-transmission.

6-bit BSS Color value from the HE PPDU's RadioTap header. If two neighboring APs share the same BSS Color value, spatial reuse is disabled between them - they treat each other as same-BSS and defer unnecessarily. This is a BSS Color collision.