Wireshark filters help you drill down to useful information in what can feel like a massive, overwhelming stream. They are especially useful for 802.11 protocol analysis, where the incoming frames can quickly accumulate to many thousands in a very short timeframe.
My favourite Wireshark filter of all time is the WLAN Retry filter. My favourite way to use it is with the I/O Graph. I really like to understand the detected retransmitted frames vs the total number of frames captured. It's really easy to visualise this.
First off - the filter for WLAN Retries is:
wlan.fc.retry == 1
Using this filter as a display filter on an 802.11 frame capture will show only frames that have the Retry bit set in the Frame Control field of the MAC header.
If you have a frame selected you can tell if it is being re-transmitted by checking the flags exposed in the first IEEE 802.11 decode field below the 802.11 Radio Information - this is displayed in the Packet Details view within Wireshark. An example is shown below where the 'R' Flag is set on the currently selected Deauthentication frame.
I've written about the Wireshark I/O Graph before. You can find this in the Statistics menu as I/O Graph. Within the I/O Graph window you are able to add custom filters which will be visualised. The default line graph shows 'All packets' which in this case represent every frame captured. Typically the y-axis of the graph represents Packets per second so the 'All packets' line indicates the number of 802.11 frames captured per second on the captured Wi-Fi channels.
I like to add my WLAN Retries display filter as a new red line so I can see it in high contrast to the default 'All packets' line. See an example below.
In this capture a high proportion of the frames captured had the Retry bit set. They were frames being re-transmitted many times by a Wi-Fi station.
A high retry rate can often indicate that something in the WLAN is unhealthy. This might be a particular station, the medium (the channel and associated frequency), an Access Point or something else.
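The same comparison the I/O Graph draws can be computed directly from frame bytes. This is an added example, not part of the original post: it reads the Retry bit from the Frame Control field, counts all frames against retries per second, and breaks the retry rate down per transmitter to show which station is retransmitting. It assumes each frame starts at the 802.11 MAC header (radiotap header already removed); the function names, addresses and sample frames are constructed for illustration.

```python
from collections import defaultdict

RETRY_MASK = 0x08  # Retry flag: bit 3 of the second Frame Control byte

def is_retry(frame: bytes) -> bool:
    """True when the Retry bit is set, i.e. what wlan.fc.retry == 1 matches."""
    return len(frame) >= 2 and bool(frame[1] & RETRY_MASK)

def transmitter(frame: bytes):
    """Address 2 as text; None for ACK/CTS, which carry only a receiver address."""
    if len(frame) < 16:
        return None
    return ":".join(f"{b:02x}" for b in frame[10:16])

def retry_series(capture):
    """Per-second (all_frames, retry_frames): the two I/O Graph lines."""
    buckets = defaultdict(lambda: [0, 0])
    for ts, frame in capture:
        buckets[int(ts)][0] += 1
        buckets[int(ts)][1] += is_retry(frame)
    return {sec: tuple(v) for sec, v in sorted(buckets.items())}

def retry_rate_by_transmitter(capture):
    """Retry percentage per transmitter address."""
    counts = defaultdict(lambda: [0, 0])
    for _, frame in capture:
        ta = transmitter(frame)
        if ta is not None:
            counts[ta][0] += 1
            counts[ta][1] += is_retry(frame)
    return {ta: round(100.0 * r / n, 1) for ta, (n, r) in counts.items()}

def _frame(fc0, flags, ta):
    # Constructed MAC header: FC, duration, addr1 (broadcast), addr2, addr3, seq
    return bytes([fc0, flags, 0, 0]) + b"\xff" * 6 + ta + ta + b"\x00\x00"

STA = bytes.fromhex("020000000001")    # constructed addresses
AP = bytes.fromhex("020000000002")
ACK = bytes([0xD4, 0x00, 0, 0]) + STA  # control frame, receiver address only

SAMPLE = [  # (timestamp in seconds, frame bytes), all constructed
    (0.10, _frame(0x80, 0x00, AP)),    # beacon
    (0.20, _frame(0x08, 0x01, STA)),   # data, first attempt
    (0.21, _frame(0x08, 0x09, STA)),   # same data, Retry set
    (0.22, _frame(0x08, 0x09, STA)),   # second retry
    (0.30, ACK),
    (1.05, _frame(0xC0, 0x08, STA)),   # deauthentication with Retry set
    (1.50, _frame(0x80, 0x00, AP)),
]
```

Calling `retry_series(SAMPLE)` gives the per-second totals, and `retry_rate_by_transmitter(SAMPLE)` shows that the retries come from a single station rather than the Access Point.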
The retry filter is a useful tool in your Wi-Fi Professional tool-belt. Keep learning! Share your favourite Wireshark display filters below.
Written by Matt Sutherland