Computer Network 📂 Wireless · 2 of 3 26 min read

802.11 Management Frames

Deep-dive into Wi-Fi Management frames — every subtype, the anatomy of Beacons and Probe Requests, how SSID/MAC leak your history, status and reason codes, Information Elements, and MAC randomization. Includes an animated Evil Twin attack diagram, Wireshark filters, and three real cases — the GRU's 2018 OPCW hack, Marriott's $600K deauth fine, and Evil Twin attacks in the wild.

Section 01

The Story That Explains 802.11 Management Frames

The Nightclub Bouncer and Their Clipboard
Imagine a busy nightclub. A bouncer stands at the door with a clipboard. Every few seconds, he shouts the club's name into the street ("The Blue Lounge — open, over-21, £5 cover"). People walking past who like the sound of it come over, show ID, get their names ticked off, and are given a wristband. When they leave, the bouncer notes them out. If a fight breaks out, he grabs someone by the collar and physically throws them out — no discussion.

Every one of those actions — announcing the venue, checking IDs, issuing wristbands, logging exits, ejecting troublemakers — is a Management frame in Wi-Fi. The bouncer never touches the actual conversations happening inside the club (that's Data frames), and never manages the queue physics of who talks when (that's Control frames). His entire job is administering membership.

Understanding this one analogy is 80% of understanding 802.11 Management frames.

Management frames are the category of 802.11 frames identified by Type = 00 in the Frame Control field. They handle everything about the wireless connection itself — discovery, joining, leaving, and identity — but never carry your actual data. They are also the frames most involved in Wi-Fi attacks that have made international headlines, because for most of Wi-Fi's history they were sent in the clear with no authentication whatsoever.

💡
Why Management Frames Matter More Than You Think

A quiet, idle laptop with Wi-Fi turned on will still transmit and receive hundreds of Management frames per minute — asking "are any of my saved networks nearby?", listening for Beacons, refreshing associations. Every one of those frames is a potential leak or attack surface if handled naively.


Section 02

The Complete Management Subtype Map

Management frames all share Type = 00, but the 4-bit Subtype field tells the radio exactly which management job is being done. Here is the complete list you'll actually see in a modern capture.

SubtypeHexFrame NameWho Sends ItPurpose
00000x00Association RequestClient (STA)"I'd like to formally join your network"
00010x01Association ResponseAccess Point"Welcome — here's your AID" (or refused)
00100x02Reassociation RequestClient"I'm roaming — please move me from that AP to you"
00110x03Reassociation ResponseAccess Point"OK, I've picked up your session"
01000x04Probe RequestClient"Is any network within earshot? Answer me directly"
01010x05Probe ResponseAccess Point"Yes I am — here are my details"
10000x08BeaconAccess PointBroadcast advertisement, ~10 per second
10010x09ATIMClient (ad-hoc)Announcement in ad-hoc mode (rarely seen)
10100x0ADisassociationEither side"I'm leaving the network — polite goodbye"
10110x0BAuthenticationEither sideIdentity handshake (host of WPA3's SAE exchange)
11000x0CDeauthenticationEither side"Get off — session terminated immediately"
11010x0DActionEither sideExtended requests — Block ACK setup, radio measurements, etc.

Section 03

Anatomy of a Beacon Frame — Every Byte Explained

The Beacon (subtype 0x08) is the most-transmitted management frame on Earth. Every AP sends one roughly every 100 milliseconds. It is what puts a network name in your Wi-Fi list without you doing anything.

📡 Beacon Frame — Layer by Layer
MAC Hdr
Address 1: ff:ff:ff:ff:ff:ff (broadcast — everyone hears it). Address 2: AP's MAC address (source). Address 3: BSSID (identical to Address 2 in a standard AP).
Timestamp
8-byte counter of the AP's internal clock in microseconds since it powered on. Every client uses this to synchronise its own clock with the AP — critical for sleep timing.
Beacon Interval
2 bytes, expressed in "time units" of 1024 µs. Default 100 TU ≈ 102.4 ms — that's why routers broadcast about ten times a second.
Capability Info
2 bytes of on/off flags: is this an AP or ad-hoc? Is encryption ("Privacy") required? Is short preamble supported? etc.
SSID IE
Tagged element carrying the network name (up to 32 bytes). A "hidden" network sends this with length 0.
Rates IE
Supported data rates in Mbps — 1, 2, 5.5, 11, 6, 9, 12, 18, 24, 36, 48, 54. Rates with the high bit set are mandatory.
DS Param
Which channel this AP is on (1–14 in 2.4 GHz).
TIM
Traffic Indication Map — a bitmap telling sleeping clients whether the AP has buffered data waiting for them to wake up and grab.
RSN IE
Robust Security Network — cipher suites (CCMP/GCMP) and authentication method (PSK / SAE / 802.1X). This is where a beacon actually says "I am WPA2" or "I am WPA3".
Vendor IEs
Optional extensions — WPS info, Apple Airplay hints, Wi-Fi Alliance certifications. Vendor IEs are also a fingerprint attackers use to tell APs apart.

Section 04

Probe Requests — How Your Phone Leaks Its History

When your device is not connected to Wi-Fi, it does not just sit and wait for Beacons. It actively transmits Probe Request frames (subtype 0x04) asking "is anyone I know here?". Older devices did this by literally naming every saved network in the request itself — a passive listener at an airport could reconstruct where you had been by watching your phone shout for "Starbucks_London", "OfficeGuest_Paris", and "Airbnb_Reception_Berlin".

🚫 Old Behaviour (pre-2014)
Probe ContainsLeaks
Directed SSID: "HomeWiFi_Smith"Home network name
Directed SSID: "BA_Lounge_LHR"Recent travel
Real MAC addressUnique device identity
Vendor IE fingerprintDevice manufacturer
✅ Modern Behaviour (iOS 14+, Android 10+)
Probe ContainsLeaks
Wildcard SSID (broadcast)Almost nothing
Locally-administered random MACRotates per network
Randomized sequence numbersHarder to correlate
Fewer distinguishing IEsHarder to fingerprint
🔒
The "Locally-Administered" Bit

A MAC address has 48 bits. The second-least-significant bit of the first byte is the locally-administered flag. If it is 1, the MAC is randomised or manually set — not the factory-burned one. Every randomised MAC generated by iOS or Android has this bit set, which is how you can tell a real MAC from a randomised one at a glance.


Section 05

Authentication & Association — Status Codes

Once a device has found a network via Beacon or Probe Response, it goes through two handshakes: Authentication (proving identity) followed by Association (formally joining). Both request/response pairs carry a Status Code field that tells you whether the step succeeded — and if not, why.

Status CodeMeaningWhen You'd See It
0SuccessfulNormal join — the vast majority of frames
1Unspecified failureVague — often driver-side incompatibility
10Cannot support all capabilitiesClient requested a mode the AP does not offer
12Association denied — other reasonMAC filtering, AP full, etc.
154-Way Handshake timeoutWrong Wi-Fi password (WPA/WPA2/WPA3)
17AP unable to handle additional STAsAccess point is at its client-count limit
37Request declinedEnterprise 802.1X policy refusal

Section 06

Deauthentication & Disassociation — Reason Codes

Deauthentication (subtype 0x0C) is the "you're out, now" frame. Disassociation (subtype 0x0A) is its politer sibling — the authentication state is preserved, only the current session is dropped. Both carry a Reason Code saying why.

ReasonMeaningTypical Trigger
1Unspecified reasonGeneric — often what attack tools send
2Previous authentication no longer validSession key expired or rotated
3Deauth because leavingSent when a client roams away legitimately
4Disassoc due to inactivityIdle timeout — client went silent too long
5AP unable to handle all STAsAP is overloaded, dropping clients
6Class 2 frame from non-authenticated STAProtocol violation
7Class 3 frame from non-associated STAProtocol violation
154-Way Handshake timeoutKey negotiation failed
⚠️
The Forgery Problem

Until 802.11w (2009) added Protected Management Frames, anyone with a Wi-Fi radio in monitor mode could forge a deauthentication frame claiming to be from your AP, and your device would obey it without question. This one design decision is the root cause of every deauth-based attack in the news since 2010.


Section 07

Information Elements — The TLV Payload System

Everything inside a Management frame's body is packed as Information Elements (IEs) in a classic Type-Length-Value structure. This is how Wi-Fi has stayed extensible for 25 years — a new feature just gets a new IE number without breaking old parsers.

📚 IE Structure — Byte by Byte
Tag
1 byte — element ID (0 = SSID, 1 = Rates, 3 = DS, 48 = RSN, 221 = Vendor Specific, etc.)
Length
1 byte — number of bytes in the value that follows (0 to 255)
Value
Variable — the actual content, formatted per that specific tag's spec

Example — Encoding the SSID "HomeWiFi"

# Raw bytes on the air
00   # Tag: SSID (element ID 0)
08   # Length: 8 bytes follow
48 6F 6D 65 57 69 46 69   # 'H' 'o' 'm' 'e' 'W' 'i' 'F' 'i'

Example — Hidden Network (SSID cloaking)

00   # Tag: SSID
00   # Length: 0 — network name deliberately omitted
# No value bytes at all
👁️
"Hidden" Networks Are Not Hidden

A cloaked SSID is only missing from Beacon frames. The moment any client legitimately connects to that network, its own Probe Request contains the real name in cleartext. Anyone in radio range can capture it. Hiding the SSID is a convention, not a security control.


Section 08

Animated Diagram — An Evil Twin Attack Step by Step

This is the attack that ties SSID, MAC address, and deauthentication together. Watch how a rogue access point uses all three Management frame concepts to hijack a victim.

😈 Evil Twin — 4-Phase Attack Timeline
Legitimate AP ("CoffeeShop") Victim laptop Evil twin AP (rogue) Frames in flight
AP LEGIT AP V VICTIM E EVIL TWIN Beacon: SSID="CoffeeShop" BSSID=AA:BB:CC:11:22:33 Phase 1 — normal beacon Clones SSID + spoofs MAC ← Phase 2 — clone identity Forged Deauth Reason=1 claiming to be legit AP Phase 3 — kick victim off Assoc Request → strongest "CoffeeShop" Phase 4 — victim rejoins the wrong network
Loop repeats every 9 seconds. Because SSID and MAC (BSSID) are both trivially cloneable and deauth frames were unauthenticated in WPA2, this whole sequence works with off-the-shelf tools. WPA3's Protected Management Frames (PMF) requirement is designed specifically to block Phase 3.

Section 09

Practical Example — Reading Management Frames in Wireshark

Filters — Catch Only What You Want

# All management frames
wlan.fc.type == 0

# Only Beacons
wlan.fc.type_subtype == 0x08

# Only Probe Requests — see what devices are asking for
wlan.fc.type_subtype == 0x04

# Only Deauth frames — highlight potential attacks
wlan.fc.type_subtype == 0x0c

# Beacons for a specific SSID
wlan.fc.type_subtype == 0x08 and wlan.ssid == "HomeWiFi"

# Any frame claiming to come from a specific AP MAC
wlan.sa == aa:bb:cc:11:22:33
Sample decoded deauthentication frame
IEEE 802.11 Deauthentication, Flags: ........ Type/Subtype: Deauthentication (0x000c) Frame Control Field: 0xc000 Version: 0 Type: Management frame (0) Subtype: 12 <- deauth To DS: False From DS: False Protected flag: False Duration: 314 microseconds Receiver address: 3c:22:fb:47:0b:11 (victim device) Transmitter address: aa:bb:cc:11:22:33 (spoofed AP address) BSS Id: aa:bb:cc:11:22:33 Fixed parameters (2 bytes) Reason code: Unspecified reason (0x0001)
🔍
The Reason-Code-1 Fingerprint

Attack tools like aireplay-ng and Wi-Fi Pineapple firmware almost always emit deauthentication frames with Reason Code 1 ("Unspecified"). Real APs typically send more specific codes (3, 4, 15). A sudden burst of Reason-Code-1 deauths in a capture is the single most reliable signature of an active deauth attack.


Section 10

Real-World Cases — When Management Frames Made the News

Russian GRU Officers Caught Running a Wi-Fi Attack From a Car Boot
On 4 October 2018, the BBC and Dutch authorities revealed that four officers of Russia's GRU military-intelligence Unit 26165 had been intercepted in April 2018 attempting a "close access" cyber operation against the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague. They parked a hired Citroën outside the OPCW headquarters with a high-gain Wi-Fi antenna, a battery bank, and specialised equipment in the boot.

According to the U.S. Department of Justice indictment later filed against the same officers, the same kit had already been used in Rio de Janeiro, Lausanne, and Kuala Lumpur against anti-doping bodies and the MH17 investigation team. The technique relied on exactly what this tutorial covers: capturing Beacons and Probe Requests to map the target's networks, spoofing SSIDs and MAC addresses to impersonate trusted APs, and injecting deauthentication frames to force targeted devices onto rogue networks the attackers controlled.
Marriott Fined $600,000 for Weaponising Deauthentication Frames
The U.S. Federal Communications Commission announced on 3 October 2014 that Marriott International would pay a $600,000 civil penalty for using its Wi-Fi intrusion-detection system's containment feature at the Gaylord Opryland Hotel and Convention Center in Nashville to transmit deauthentication frames at guests' personal mobile hotspots. The frames used the exact subtype 0x0C covered in Section 06.

Guests kicked off their own hotspots by these forged deauth frames were then forced to pay Marriott between $250 and $1,000 per device to use the hotel's Wi-Fi. The FCC Enforcement Bureau later issued a formal advisory stating that Section 333 of the Communications Act prohibits weaponising management frames this way, regardless of whether the equipment was originally sold as a "security" product.
"Evil Twin" Attacks at Airports and Coffee Shops
Security researchers and journalists have repeatedly demonstrated that setting up a fake access point which advertises the same SSID as a nearby public hotspot (an "Evil Twin") reliably attracts hundreds of victim connections within minutes. In one demonstration cited by CovertSwarm, a journalism team's rogue AP tricked 4,499 Wi-Fi clients into associating in a single event.

The reason the attack keeps working is baked into the design of Management frames: SSID strings and MAC addresses in Beacons are cleartext identifiers with no cryptographic binding to the network operator. Any radio can transmit any SSID. Client devices are then trained to auto-associate to whichever AP advertising a saved SSID has the strongest signal — a default that rewards the closer, louder attacker.

Section 11

Defences — What Actually Works

🛡️
Protected Management Frames (802.11w)
Signs Deauth, Disassoc, and Action frames with a Management-frame integrity key. Forged deauths from Section 06 simply fail the check and are dropped.
Mandatory under WPA3
🔒
WPA3 SAE (Dragonfly Handshake)
Replaces the WPA2 4-Way Handshake with a Simultaneous Authentication of Equals — resistant to offline password cracking and Evil Twin credential capture.
Type 0x0B — Authentication
📶
MAC Randomization
iOS 14 and Android 10 rotate the client MAC per SSID. Kills long-term device tracking across shops and cities based on Probe Request MACs.
Locally-administered bit
📡
Wireless IDS / WIPS
Monitors the air for duplicate BSSIDs, sudden channel changes, or Reason-Code-1 deauth floods and alerts the operator or shuts the rogue AP down.
e.g. Cisco WIPS, Aruba AirWave
Hidden SSID
Provides no protection — Probe Requests from associated clients leak the name anyway, and any attacker can capture it in seconds.
security theatre
MAC Address Filtering
Trivially defeated — the attacker sniffs one allowed MAC from an unencrypted header, then clones it. Header addresses are never encrypted.
security theatre

Section 12

Golden Rules

🌟 Management Frame — Non-Negotiable Rules
1
Never trust a MAC address in a Management frame. Every address in the header (Addr 1/2/3/BSSID) is unauthenticated on pre-WPA3 networks. Cloning is trivial — Section 08's Evil Twin depends on it.
2
Hidden SSIDs are a convention, not security. As soon as any client connects, its Probe Requests broadcast the name in the clear.
3
A burst of Deauth frames with Reason Code 1 from your AP's MAC is almost never legitimate — treat it as an active attack until proven otherwise.
4
Enable 802.11w Protected Management Frames on every enterprise SSID. It is mandatory under WPA3 and free defence against every deauth-flood tool since 2010.
5
When reading Beacons, always parse the RSN Information Element — that is where the network's actual security mode lives. The Privacy bit alone tells you almost nothing about which cipher is in use.
6
Assume any Wi-Fi device you carry leaks its history via Probe Requests unless you have explicitly confirmed MAC randomization is enabled. On iOS check Settings > Wi-Fi > [network] > Private Address; on Android look for Randomized MAC.