// reference · 802.11 wireshark filters

The filter reference I wish existed when I started

Every filter I've typed more than 10 times in 15 years. Searchable. Copyable. With notes on what each one actually tells you — not just what the spec says it does.

— Shankar K., Wi-Fi engineer, Irving TX

// my daily drivers — filters I open Wireshark with
wlan.fc.retry == 1
First thing I apply. High retry count = RF problem or driver issue. Never roam before checking this.
eapol
Isolates the 4-way handshake immediately. If you see <4 frames, the auth failed. Frame 2 missing = PMKID issue.
wlan.fc.type_subtype == 0x0c || wlan.fc.type_subtype == 0x0a
Deauth OR disassoc. If you see a burst of these for one client — you have a roaming storm or an evil twin.
wlan.fc.type_subtype == 0x02 || wlan.fc.type_subtype == 0x03
Reassoc req + resp. This is what roaming looks like. Count the time between them — that's your roam latency.
addresses
wlan.addr == XX:XX:XX:XX:XX:XXcopy
All frames for a device
Catches SA, DA, TA, RA — the safest way to follow a single client. More complete than wlan.sa alone.
wlan.ta == XX:XX:XX:XX:XX:XXcopy
Transmitter address
Uplink traffic from this device specifically. Use this in Wi-Fi 7 MLO — the L-MAC address you see in frames, not the U-MAC shown in monitoring tools.
wlan.bssid == XX:XX:XX:XX:XX:XXcopy
All traffic on a BSSID
Everything associated with one AP radio. Critical for multi-AP captures — isolates a single cell.
wlan_mgt.ssid == "YourSSID"copy
Filter by SSID name
Shows beacons, probe responses for a specific SSID. Useful for rogue AP detection — if you see two BSSIDs with the same SSID, investigate.
management frames
wlan.fc.type == 0copy
All management frames
Start here when troubleshooting association failures. Hides data and control clutter immediately.
wlan.fc.type_subtype == 0x08copy
Beacon frames
Every beacon = 100ms interval. Missing beacons from an AP = RF issue or AP crash. Also where BSS Color, HE/EHT capabilities live.
wlan.fc.type_subtype == 0x04copy
Probe requests
Shows client scanning behavior. Excessive probe requests = sticky client that won't roam. MAC randomization makes this harder to track by address.
wlan.fc.type_subtype == 0x05copy
Probe responses
APs answering client scans. Lots of probe responses to one client = client is being courted by multiple APs but refusing to roam.
wlan.fc.type_subtype == 0x0bcopy
Authentication frames
Open system auth (2 frames) or SAE (multiple). Check the status code in frame 2 — anything non-zero is a rejection. Status 53 = PMKID invalid (802.11r failure).
wlan.fc.type_subtype == 0x00copy
Association requests
Client's first formal join request. Contains RSN IE, HT/VHT/HE/EHT capabilities. The RSN IE here tells you exactly what the client actually supports — critical for WPA3 mismatch diagnosis.
wlan.fc.type_subtype == 0x01copy
Association responses
Status code 0 = success. Anything else = rejection with a reason. Check wlan_mgt.fixed.status_code in the frame details.
wlan.fc.type_subtype == 0x02 || wlan.fc.type_subtype == 0x03copy
Reassociation req + resp
The heartbeat of roaming. Delta time between req and resp = roam latency. Over 50ms = problem. Over 100ms = voice call dropped.
wlan.fc.type_subtype == 0x0ccopy
Deauthentication
Check the reason code. Reason 3 = client left. Reason 23 = 802.1X auth failed. Reason 15 = 4-way handshake timeout. A flood of deauths from a non-AP BSSID = deauth attack.
wlan.fc.type_subtype == 0x0acopy
Disassociation
Softer disconnect than deauth. Reason 4 = AP kicked client for inactivity. If PMF is disabled, these can be forged — check with WiFi Analyser's evil twin detector.
wlan.fc.type_subtype == 0x0dcopy
Action frames
Where 802.11k neighbor reports, 802.11v BTM requests, and 802.11r FT actions live. High-value frames — if these are missing, your roaming stack is broken at the protocol level.
security / eapol
eapolcopy
All EAPOL frames (4-way handshake)
Should see exactly 4 frames per successful association. Message 1 = AP sends ANonce. Message 2 = client responds with SNonce + MIC. Message 3 = AP sends GTK. Message 4 = client ACKs. Missing frame 2 = PMKID rejected.
wlan.rsn.iecopy
RSN Information Element present
Filter all frames containing the RSN IE. Compare beacon RSN IE vs AssocReq RSN IE — if client's cipher list doesn't include what AP advertises, that's your downgrade.
wlan_mgt.rsn.capabilities.mfpc == 1copy
PMF capable (MFPC bit)
Management Frame Protection Capable. If this bit is 0 in beacons, deauth frames can be forged. CVE-2019-15126 exploits exactly this. Check with WiFi Analyser's security audit.
wlan_mgt.rsn.capabilities.mfpr == 1copy
PMF required (MFPR bit)
Mandatory for WPA3. If MFPR=1 in beacon but MFPC=0 in client AssocReq, that client cannot join. This is a common enterprise WPA3 migration failure.
eapcopy
EAP frames (802.1X enterprise)
EAP-TLS, EAP-PEAP, EAP-TTLS all show here. Count the exchanges — EAP-TLS has more frames than PEAP. A sudden EAP-Failure frame = cert issue or RADIUS rejection.
roaming · 802.11r / k / v
wlan_mgt.fixed.capabilities.spec_man == 1copy
FT capability advertised
AP is advertising 802.11r Fast Transition support. Cross-check that the client's AssocReq also shows FT support — mismatch = full re-auth on every roam.
wlan_mgt.fixed.action_code == 7copy
BTM Request (802.11v)
AP nudging client to roam. If you see these and the client ignores them, that's your sticky client problem. BTM Reject response = client refused the nudge.
wlan_mgt.fixed.action_code == 4copy
Neighbor Report Request (802.11k)
Client asking AP for a list of neighbor APs. If this frame is present but response is empty, your 802.11k configuration is broken. Client has to scan blind = slow roaming.
control frames
wlan.fc.type_subtype == 0x1dcopy
ACK frames
Every unicast data frame should have an ACK. Missing ACKs with retries = RF link quality problem at the receiver end.
wlan.fc.type_subtype == 0x1b || wlan.fc.type_subtype == 0x1ccopy
RTS + CTS frames
Hidden node protection. Lots of RTS/CTS = collision avoidance overhead. In dense Wi-Fi 7 deployments with MRU, seeing more RTS/CTS than expected = OFDMA scheduling issue.
wlan.fc.type_subtype == 0x18 || wlan.fc.type_subtype == 0x19copy
Block ACK Request + Block ACK
A-MPDU aggregation acknowledgement. High Block ACK count = good, aggregation is working. Absence of Block ACKs on a modern client = aggregation disabled, throughput is degraded.
retries / errors
wlan.fc.retry == 1copy
All retry frames
The single most important health indicator. Over 10% retries = RF problem. Over 20% = critical. Check which client or AP is generating them — that tells you the direction of the problem.
wlan.fc.retry == 1 && wlan.addr == XX:XX:XX:XX:XX:XXcopy
Retries for one device
Isolate retry behavior to a specific client or AP. If only one device is retrying while others aren't — it's a driver, NIC, or position issue, not the AP.
wlan.fc.pwrmgt == 1copy
Power management bit set
Client telling AP it's going to doze. If this flips rapidly, client is in aggressive power save mode. Can cause timing issues with latency-sensitive apps like VoIP.
wlan.fcs.status == "Bad"copy
FCS errors (bad frames)
Corrupted frames at the physical layer. FCS errors with high RSSI = co-channel interference, not signal strength. This is a common misdiagnosis — engineers blame distance when it's actually a neighbour AP on the same channel.
wi-fi 7 / 6 ghz / bss color
wlan_mgt.eht_capabilitiescopy
EHT Capabilities IE (Wi-Fi 7)
Present only in 802.11be frames. If you're qualifying a Wi-Fi 7 gateway and this IE is missing from beacons, the AP is falling back to HE mode. That's a misconfiguration, not a client issue.
wlan_mgt.he.operation.bss_colorcopy
BSS Color value
6-bit value (1–63). If two overlapping APs share the same BSS Color, spatial reuse is disabled between them. That's a BSS Color collision — exactly what WiFi Analyser's BSSCOLOR_COLLISION anomaly flags.
wlan_mgt.he.operation.bss_color_disabled == 1copy
BSS Color disabled
AP has turned off BSS Color. This kills 6 GHz spatial reuse completely. Usually happens after a collision detection event. Look for a BSS Color Change Announcement frame shortly before this.
wlan_mgt.mlo.common.link_idcopy
MLO Link ID
Identifies which link in an MLO setup this frame belongs to. Critical note: always filter MLO traffic by the link-specific MAC (L-MAC), NOT the MLD MAC (U-MAC) that monitoring tools show you. That's the most common MLO PCAP mistake.
daily combinations
(wlan.fc.type_subtype == 0x0c || wlan.fc.type_subtype == 0x0a) && wlan.addr == XX:XX:XX:XX:XX:XXcopy
All disconnects for one client
First combo I run when a user says "keeps dropping." If you see deauth storms from the AP side, it's kicking the client. From the client side, client is leaving voluntarily (and often immediately re-associating elsewhere).
wlan.addr == XX && (wlan.fc.type_subtype == 0x04 || wlan.fc.type_subtype == 0x0b || wlan.fc.type_subtype == 0x00 || wlan.fc.type_subtype == 0x01 || eapol)copy
Complete join sequence for one client
Probe → Auth → Assoc → EAPOL. Everything a client does to join. This is my go-to for diagnosing "client can't connect" tickets. Step through each stage and find where it stops.
wlan.fc.type_subtype == 0x02 || wlan.fc.type_subtype == 0x03 || wlan.fc.type_subtype == 0x0ccopy
Roaming events overview
Reassoc req + resp + deauths. This gives you a timeline of every roam event in the capture. Sort by time and look for overlapping deauths and reassocs — that's where roaming latency hides.
Find these automatically in WiFi Analyser
Upload a PCAP and get 212+ protocol checks — no filter typing required. The tool applies all of the above automatically and flags anomalies for you.
try it free ↗
SK
Shankar K., Wi-Fi engineer, Irving TX
Building WiFi Analyser V2 · CWNA-109 in progress · one post every two weeks
// share this page
// also on this site
reference
MCS Rate Calculator
reference
Status & Reason Code Lookup
downloads
Frame Lab — free PCAPs
← previous
reference
MCS Rate Calculator
next →
reference
Status & Reason Code Lookup
SK
Shankar K., Wi-Fi engineer, Irving TX
Building WiFi Analyser V2 · CWNA-109 in progress · one post every two weeks