// writing

Things I've had to figure out myself

Field notes from 15 years of Wi-Fi. No textbook covers what happens when the real world collides with the spec. Every post includes a sample PCAP — open it in WiFi Analyser and reproduce what I found.

802.11be · wi-fi 7
MLO doesn't roam — it negotiates. Here's the difference in the frames.
Your tools are reading the wrong MAC address. The MLD MAC is not the one to filter on.
coming soon
+ pcap included
pcap · eap-tls
EAP-TLS failures in 5 minutes: the three patterns that cover 90% of cases
Cert expiry, handshake abort, silent timeout. They all look like association failure.
coming soon
+ pcap included
security · rogue ap
Evil twin detection beyond SSID name matching
BSSID vendor mismatch, RSSI delta, cipher downgrade, beacon rate. SSID is the last thing I trust.
coming soon
+ pcap included
802.11r · roaming
Why your 802.11r deployment is failing — reading status code 53 in Wireshark
Your controller says roam successful. Your PCAP says status 53. Here is what that means, why controllers miss it, and how to find it in two minutes.
April 2026
read →
6 ghz · bss color
Your 6 GHz is slower than it should be. BSS Color collision is probably why.
Spatial reuse only works if color assignment is correct. In dense deployments it rarely is.
coming soon
+ pcap included
capacity · beacon · 802.11e
QBSS Load: the one IE your engineers never check
Channel utilisation lives in every Beacon. Your engineers are running speed tests while the AP is advertising 87% utilisation in plain sight.
coming soon
rf · legacy phy · 802.11b
Why one 802.11b device cuts your AP throughput in half
One legacy client triggers ERP protection mode. CTS-to-self before every OFDM frame. 30-50% throughput reduction for every other client in the BSS.
coming soon
troubleshooting · retransmissions
The retransmission trap: RF, driver, or congestion
wlan.fc.retry == 1 is always the first filter. It never tells you why. Three-step PCAP workflow to tell the difference.
coming soon
802.11h · dfs · radar
The 30 seconds after a DFS event
Your AP goes silent. Clients disconnect. The dashboard says offline. Here is the exact CAC sequence and what to check when it keeps happening.
coming soon
arp · layer 2 · android
ARP dead window: why the fix is Proxy ARP, not DHCP
Every engineer tries to fix this by tweaking DHCP. DHCP is not the problem. Here is what actually is, and what fixes it.
coming soon
802.11r · roaming · fast transition
8 frames that tell you whether 802.11r actually fired
Your controller says 802.11r is enabled. Your PCAP tells a different story. Eight frames to check in sequence.
coming soon
pcap series · session 1
PCAP Series #1 — Monitor mode on macOS, Linux, WLANPi
Before you can read a single management frame you need monitor mode working. The one channel selection mistake everyone makes.
coming soon
pcap series · session 2
PCAP Series #2 — Reading Beacon IEs
RSN IE cipher suites, HT/HE capabilities, QBSS Load. Comparing Beacon vs AssocReq side by side in Wireshark.
coming soon
pcap series · session 3
PCAP Series #3 — Diagnosing association failure
Five failure points. One filter sequence. How to find exactly which frame failed in under two minutes.
coming soon
pcap series · session 4
PCAP Series #4 — The 4-Way Handshake in PCAP
What each EAPOL message carries, what each field proves, and what its absence means.
coming soon
pcap series · session 5 · 6 ghz
PCAP Series #5 — Why clients won't move to 6 GHz
RNR IE, BTM steering, WPA3 block. Four-step PCAP diagnosis for silent band steering failure.
coming soon
One post, every two weeks. No filler.
Protocol analysis, Wi-Fi 7 field notes, and new PCAPs for the Frame Lab.