WLAN Analysis with Wireshark (Frame Section, Part I)
In a generic 802.11 Wireshark capture, we should be able to identify the following sections:
- Frame (number)
- Radiotap Header
- 802.11 radio information
- IEEE 802.11 Frame (could be Beacon, Data, Probe Response…)
- IEEE 802.11 Wireless LAN
Under the Frame (number) section, there are numerous sub-fields giving information about this specific frame.
For example, the encapsulation type in use is IEEE 802.11 (wireless frame).
Epoch time, also known as a Unix timestamp, is the number of seconds (not milliseconds!) that have elapsed since January 1, 1970 at 00:00:00 GMT (1970-01-01 00:00:00 GMT). When this article is written, its Epoch time is
This frame arrived on July 18, 2019 at 11:40 AM Taipei time; we were, of course, in Taipei when this exercise was conducted.
Since this is the first packet, both “Time delta from previous captured frame” and “Time delta from previous displayed frame” should be zero.
The frame length and capture length appear to be the same in each frame, which is as it should be: the two are expected to be identical.
A Wireshark capture file may contain frames of different lengths. Under the menu Statistics --> Packet Lengths, you can see a summary of the packet lengths in this capture file.
They are grouped into length ranges. As you can see, the largest packet length in the collection below is 1686, which falls into the "1,280~2,559" range, a range that accounts for a very small percentage of the frames in this capture file.
The protocol indicated in this frame is WLAN_Radio.
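To show where the Frame section values come from, the following added example (not part of the original article, and not Wireshark's own code) parses a classic pcap file and derives the epoch time, Taipei arrival time, time delta, frame length, capture length and Packet Lengths range for each frame. It goes one step beyond the capture above by including a frame cut short by a snapshot length, the case in which capture length is smaller than frame length. The sample capture, the 1024-byte snaplen, the link-type labels and the function names are all constructed for illustration.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

TAIPEI = timezone(timedelta(hours=8))   # Taipei is UTC+8 with no DST
# Descriptive labels for two pcap link types (not Wireshark's exact strings)
LINKTYPES = {105: "IEEE 802.11", 127: "IEEE 802.11 plus radiotap header"}
BUCKETS = [0, 20, 40, 80, 160, 320, 640, 1280, 2560, 5120]  # Packet Lengths range starts

def bucket(length):
    """Label of the Packet Lengths range that a frame length falls into."""
    i = max(n for n, low in enumerate(BUCKETS) if low <= length)
    if i + 1 == len(BUCKETS):
        return f"{BUCKETS[i]} and greater"
    return f"{BUCKETS[i]}-{BUCKETS[i + 1] - 1}"

def frame_section(pcap):
    """Parse classic pcap bytes into (encapsulation, per-frame rows, length histogram)."""
    order = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", pcap[:4])[0])
    if order is None:
        raise ValueError("not a classic microsecond-resolution pcap file")
    linktype = struct.unpack(order + "IHHiIII", pcap[:24])[6]
    rows, prev_us, off = [], None, 24
    while off + 16 <= len(pcap):
        sec, usec, cap_len, frame_len = struct.unpack(order + "IIII", pcap[off:off + 16])
        now_us = sec * 1_000_000 + usec
        rows.append({
            "number": len(rows) + 1,
            "epoch": now_us / 1e6,                      # seconds since 1970-01-01 GMT
            "arrival": datetime.fromtimestamp(sec, TAIPEI).isoformat(sep=" "),
            "delta": 0.0 if prev_us is None else (now_us - prev_us) / 1e6,
            "frame_len": frame_len,                     # bytes in the original frame
            "cap_len": cap_len,                         # bytes saved in the file
            "truncated": cap_len < frame_len,           # true only if a snaplen cut it
            "bucket": bucket(frame_len),
        })
        prev_us, off = now_us, off + 16 + cap_len
    return LINKTYPES.get(linktype, str(linktype)), rows, Counter(r["bucket"] for r in rows)

def sample_capture():
    """Constructed capture: radiotap link type, snaplen 1024, zero-filled frame bodies."""
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1024, 127)
    for usec, frame_len in ((0, 296), (102400, 1686)):
        cap_len = min(frame_len, 1024)
        data += struct.pack("<IIII", 1563421200, usec, cap_len, frame_len) + bytes(cap_len)
    return data

if __name__ == "__main__":
    encap, rows, hist = frame_section(sample_capture())
    print(encap, dict(hist))
    for row in rows:
        print(row)
```

A frame flagged as truncated carries only part of its 802.11 payload, so anything decoded past the capture length is missing from the file rather than absent from the air.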