Understanding Deauthentication Frames in Wi-Fi Captures
Like in a horror movie, "kill kill kill kill" ... "deauth deauth deauth."
If you’ve ever opened a Wi-Fi packet capture in Wireshark and seen endless Deauthentication frames, you might wonder: What do these mean, and should I be worried? Let’s break it down step by step so you can recognize what’s normal and what’s a red flag in your wireless environment.
🛑 What is a Deauthentication Frame?
A Deauthentication (Deauth) frame is a management frame in the 802.11 protocol. It’s used to formally end a connection between a client and an access point (AP).
Think of it like a “goodbye” handshake.
It tells both sides: We’re done with this session.
After receiving one, the client is expected to disconnect and, if needed, start a new authentication process.
In healthy networks, you’ll see a few deauth frames when devices roam (moving from one AP to another) or when a user disconnects (e.g., turning Wi-Fi off on their phone).
🔁 Why Do I See Thousands of Deauth Frames?
If you capture and notice thousands of deauth frames in a short period, it often indicates:
Normal but noisy environment
Many devices connecting/disconnecting (e.g., in a busy office, lecture hall, or café).
Power-saving clients (phones) waking up, dropping, and rejoining.
Misbehaving client or AP
A buggy driver or firmware that can’t hold a stable connection.
An AP with overloaded radios kicking off clients.
Security attack: Deauth Flood
Attackers can spoof deauth frames to knock clients off Wi-Fi.
This is a classic part of WPA/WPA2 cracking (forcing clients to reauthenticate).
That’s why thousands of repeats are worth investigating.
🧰 How to Spot Deauth Frames in Wireshark
Use this Wireshark display filter to find them:
wlan.fc.type_subtype == 12
This shows you only deauthentication frames. You’ll see the Source and Destination MAC addresses, plus optional reason codes.
🧾 Example: What It Looks Like
Here’s a simplified, easier-to-read capture line with made-up MAC addresses:
No. Time Source Destination Protocol Length Info
21991 10.857458 12:34:56:78:9A:BC AB:CD:EF:12:34:56 802.11 74 Deauthentication, SN=1995, FN=0, Flags=....R...
Source: 12:34:56:78:9A:BC (the client)
Destination: AB:CD:EF:12:34:56 (the AP)
Info: Deauthentication frame, including sequence numbers
This shows a deauthentication frame ending the session between the client and the access point. In a real capture, you might see thousands of lines like this, which could indicate roaming activity, a misbehaving device, or, in rare cases, a deauth attack.
📊 Common Wi-Fi Deauth Reason Codes
Reason codes explain why the deauth happened. Here are some you’ll often see:
Code | Reason | Notes
1 | Unspecified | Catch-all. Could be driver bugs or generic disconnects.
2 | Previous authentication no longer valid | Client or AP lost state. May indicate session timeout.
3 | Station is leaving (or has left) | Normal if a user turned Wi-Fi off or roamed away.
4 | Disassociated due to inactivity | Client wasn’t sending traffic, AP dropped it. Normal for idle phones.
5 | Class 2 frame received from non-authenticated station | Usually a client sending data before finishing handshake.
6 | Class 3 frame received from non-associated station |
7 | | Similar to 6, but client tried to send data without being associated.
8 | Disassociated because sending station is leaving BSS | Often normal, but repeated bursts may indicate roaming issues.
9 | Disassociated due to insufficient bandwidth | Can happen if AP is overloaded.
👉 You can add wlan.fixed.reason_code as a column in Wireshark so you don’t have to open each frame individually.
🧪 How to Investigate Further
Check reason codes – They’ll explain why the deauth occurred.
Look for retries – Too many retries (wlan.fc.retry == 1) can show bad RF conditions.
Correlate with RSSI – Use signal strength to see if the client was simply out of range.
Check for patterns –
Many clients affected? Could be AP issue or attack.
One client repeatedly affected? Likely a device driver/firmware or range issue.
🚨 When to Suspect a Deauth Attack
A normal network has some deauth frames, but watch for these red flags:
Burst of hundreds/thousands in a very short time.
Affecting multiple clients simultaneously.
Clients suddenly reauthenticating right after.
If you suspect an attack, check AP logs and consider enabling Management Frame Protection (802.11w) if supported.
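The first two red flags above (a burst in a very short time, hitting multiple clients) can be checked automatically. This is an added example, not code from the original article: it assumes the deauth frames were exported as tab-separated rows of time, source, destination and BSSID (for instance the tshark fields frame.time_relative, wlan.sa, wlan.da and wlan.bssid), and the thresholds and sample rows are constructed for illustration.

```python
from collections import deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

def parse(lines):
    """Yield (time, client) from lines of: time<TAB>source<TAB>destination<TAB>BSSID."""
    for line in lines:
        parts = line.rstrip("\n").lower().split("\t")
        if len(parts) != 4 or not all(parts):
            continue  # skip incomplete rows
        t, sa, da, bssid = parts
        # The affected client is whichever address is not the AP (BSSID).
        yield float(t), (da if sa == bssid else sa)

def find_bursts(frames, window=1.0, min_frames=100, min_clients=3):
    """Return one dict per burst: a run of windows exceeding both thresholds.

    The default thresholds are illustrative assumptions; tune them per site.
    """
    recent, bursts, current = deque(), [], None
    for t, client in frames:
        recent.append((t, client))
        while t - recent[0][0] > window:  # keep only the last `window` seconds
            recent.popleft()
        clients = {c for _, c in recent}
        # A broadcast deauth hits every client of the BSS at once.
        widespread = len(clients) >= min_clients or BROADCAST in clients
        if len(recent) >= min_frames and widespread:
            if current is None:
                current = {"start": recent[0][0], "clients": set()}
                bursts.append(current)
            current["end"] = t
            current["clients"] |= clients
        else:
            current = None
    return bursts

def sample_capture():
    """Constructed data: 6 isolated deauths, then 400 frames in 2 seconds."""
    ap = "ab:cd:ef:12:34:56"
    rows = [f"{i * 10.0}\t02:00:00:00:00:{i:02x}\t{ap}\t{ap}" for i in range(6)]
    rows += [f"{70 + i * 0.005:.3f}\t{ap}\t02:00:00:00:01:{i % 5:02x}\t{ap}"
             for i in range(400)]
    return rows

if __name__ == "__main__":
    for b in find_bursts(parse(sample_capture())):
        print(f"{b['start']:.3f}s-{b['end']:.3f}s: {len(b['clients'])} clients")
```

A single client that is deauthenticated over and over never trips this check, which matches the guidance above that one repeatedly affected client points to a driver, firmware or range issue.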
✅ Key Takeaways
Some deauth is normal — it’s part of how Wi-Fi sessions end.
Thousands of repeats = problem — could be roaming chaos, AP/client bugs, or attacks.
Reason codes are your friend — they explain why a disconnect happened.
Wireshark filters make it easy (wlan.fc.type_subtype == 12).
With practice, you’ll start to distinguish between “normal chatter” and genuine issues in your Wi-Fi captures.


