Safe Penetration Testing Labs · intermediate · ~12 min

Classify an 802.11 frame from its control byte

Read the 802.11 Frame Control field and classify the frame as management, control, or data.

Overview

Read byte 0, shift right by 2, mask with 0x3, map to 0/1/2/-1.

Why it matters

Every other byte in the frame depends on which type you're looking at. Classification is step 1.

Lesson

Why this matters

Every 802.11 (Wi-Fi) frame starts with a two-byte Frame Control field. Bits 2–3 of the first byte encode the frame type: management, control, or data. Reading that field is what every Wi-Fi forensics tool does before it knows which layout the rest of the frame has.

This exercise is read-only and works on a fixture: a pre-captured frame header bundled into the harness. We do not put any NIC into monitor mode.

What the bits look like

byte 0    7 6 5 4   3 2   1 0
          ^^^^^^^   ^^^   ^^^
          subtype   type  protocol version

So type = (byte0 >> 2) & 0x3:

  • 0 → Management (beacon, probe, association)
  • 1 → Control (RTS, CTS, ACK)
  • 2 → Data
  • 3 → Reserved → return -1

Your job

Implement int classify_frame(const uint8_t *hdr) that returns 0, 1, or 2 for the three valid types, or -1 for reserved or NULL input.

Common mistakes

  • Reading from the wrong bit position. Bits 0–1 are the protocol version, not the type.
  • Forgetting to mask with 0x3 after the shift.
  • Allowing NULL through.
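
A reference solution with the first two mistakes from the list beside it, as an added example that is not part of the original lesson or its harness. The helper names classify_wrong_bits and classify_no_mask and the fixture bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Correct: type is bits 2-3 of byte 0; reserved (3) and NULL return -1. */
int classify_frame(const uint8_t *hdr)
{
    if (hdr == NULL)
        return -1;
    int type = (hdr[0] >> 2) & 0x3;
    return (type == 3) ? -1 : type;
}

/* Mistake 1 (hypothetical helper): reads bits 0-1, the protocol version. */
int classify_wrong_bits(const uint8_t *hdr)
{
    return hdr[0] & 0x3;
}

/* Mistake 2 (hypothetical helper): shift without mask leaks subtype bits. */
int classify_no_mask(const uint8_t *hdr)
{
    return hdr[0] >> 2;
}

/* Constructed fixtures: first Frame Control byte only, no radiotap header. */
static const struct { const char *name; uint8_t fc0; } fixtures[] = {
    { "beacon",        0x80 },  /* subtype 8,  type 0 */
    { "ACK",           0xD4 },  /* subtype 13, type 1 */
    { "data",          0x08 },  /* subtype 0,  type 2 */
    { "QoS data",      0x88 },  /* subtype 8,  type 2 */
    { "reserved type", 0x0C },  /* type 3 */
};

int main(void)
{
    for (size_t i = 0; i < sizeof fixtures / sizeof fixtures[0]; i++) {
        const uint8_t *h = &fixtures[i].fc0;
        printf("%-14s 0x%02X correct=%2d wrong_bits=%d no_mask=%d\n",
               fixtures[i].name, fixtures[i].fc0, classify_frame(h),
               classify_wrong_bits(h), classify_no_mask(h));
    }
    return 0;
}
```

For the beacon byte 0x80 the unmasked variant returns 32, and for the data byte 0x08 the wrong-bits variant returns 0 (management), so each mistake misclassifies a common frame.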

What this is NOT

  • A radiotap parser. Real captures have a radiotap header in front of the 802.11 header; that's a separate module.
  • An attack tool. There's no injection here — we only classify.

Summary

One byte, two bit operations, four possible values, three valid.
