Beacon Explorer — Student Guide (S-Guide)

📶

What Is Beacon Explorer and why does it matter?

Beacon Explorer is an interactive reference for understanding 802.11 Beacon management frames — the heartbeat of every wireless network. Every AP broadcasts beacons up to 10 times per second. Each beacon contains dozens of Information Elements (IEs) that describe the AP's capabilities, security configuration, supported speeds, and much more. This tool maps every IE from fixed header fields through the latest 802.11be (Wi-Fi 7) EHT elements onto a color-coded, clickable grid. Click any element to read its field definitions, spec references, and analysis tips.

💡

Why this matters: Understanding beacon frames is a foundational skill for Wi-Fi analysis, troubleshooting, and design. A beacon tells you almost everything about a BSS before you even associate to it.

2 · The Interface at a Glance

2.1 Frame Structure Bar

At the top of the page is a compact diagram of the full 802.11 Beacon MMPDU — from Frame Control to FCS. It shows how the MAC Header, Frame Body (fixed fields and variable-length IEs), and MAC Trailer fit together. This is the big picture before you drill into individual elements.

2.2 Generation Filter Bar

Directly below the header is a row of colored toggle buttons — one per Wi-Fi generation. Click to hide or show all IEs for that generation. Use All Off then click one generation to isolate only those elements. Fastest way to answer: What did 802.11ax add over 802.11ac?

2.3 IE Grid

The main area displays all Information Elements as a color-coded grid. Each tile shows:

Position number — sequential order in the frame
Short name — abbreviated label
EID — Element ID from the spec

2.4 Detail Panel

Click any IE tile to open the detail panel. The panel contains:

Amendment badge — which 802.11 generation introduced this IE
EID and size — element identifier and typical byte length
Purpose — one-sentence explanation
Fields / Subfields table — every field, its size, and its meaning
Analysis Tips — practical capture analysis guidance

2.5 Search

The search bar filters the grid in real time. Search by name (SSID), Element ID (EID 48), amendment (HE, VHT), or any keyword in field descriptions — including terms like beamforming, OFDMA, or PMF.

2.6 Keyboard Navigation

With the detail panel open, use the ← → arrow keys to step through adjacent IEs. Press Escape to close the panel.

3 · Color Coding by Generation

Every IE tile is color-coded by IEEE amendment. Learning these colors lets you instantly read a beacon's generation profile before reading element names.

Generation	Color	Key Elements
Fixed Fields (1–3)	Yellow	Timestamp, Beacon Interval, Capability Info — always present
Base 802.11	Green	SSID, Rates, TIM, Country, RSN, ERP, BSS Load, EDCA, RNR…
802.11n (HT / Wi-Fi 4)	Blue	HT Capabilities (EID 45), HT Operation (EID 61)
802.11ac (VHT / Wi-Fi 5)	Purple	VHT Capabilities (EID 191), VHT Operation (EID 192)
802.11ax (HE / Wi-Fi 6)	Orange	HE Capabilities, HE Operation, TWT, BSS Color, MU EDCA…
802.11be (EHT / Wi-Fi 7)	Cyan	EHT Capabilities, EHT Operation, Multi-Link Element, T2LM
802.11s (Mesh)	Lt. Green	Mesh ID, Mesh Config, Mesh Awake Window…
802.11u (Hotspot 2.0)	Teal	Interworking, Advertisement Protocol, Roaming Consortium
Vendor Specific	Grey	EID 221 — OUI-prefixed proprietary extensions (WMM, WPS, P2P)

4 · Key Information Elements to Know

Study these first — they are the most commonly analyzed IEs in real-world captures.

4.1 Fixed Fields (Elements 1–3)

#1 · Fixed · 8 bytes

Timestamp

8-byte TSF counter in microseconds. All STAs in a BSS sync their clocks to the AP's timestamp. Used for power-save wake timing and FTM ranging.

#2 · Fixed · 2 bytes

Beacon Interval

Target time between beacons in Time Units (1 TU = 1024 µs). Default 100 TU ≈ 102.4 ms.

#3 · Fixed · 2 bytes

Capability Info

16-bit bitmask. ESS=1 (infrastructure AP), Privacy=1 (encryption required), QoS=1 (WMM active), Short Slot Time=1 (9 µs, modern mode).

4.2 Security Elements

#17 · EID 48 · variable

RSN — Robust Security Network

The most important security IE. Contains cipher suites, AKM methods (PSK=WPA2, SAE=WPA3, 802.1X=Enterprise), and PMF capability bits. Absent = Open network.

#75 · EID ext 5 · variable

RSNXE — RSN Extension

Bit 1 = SAE Hash-to-Element (enhanced WPA3), bit 3 = Transition Disable (no WPA2 downgrade), bit 8 = OCI protection.

#96 · EID 76 · variable

MME — Management MIC Element

Only present when PMF is active (802.11w / WPA3). MIC protects the beacon from injection or tampering.

4.3 Load and QoS Elements

#18 · EID 11 · 5 bytes

BSS Load

Station count, channel utilization (0–255, 255=100% busy), and available admission capacity. The fastest single-IE load check.

#19 · EID 12 · 18 bytes

EDCA Parameters

WMM access category parameters for BK/BE/VI/VO. Controls who gets priority access to the medium.

#15 · EID 42 · 1 byte

ERP Info

2.4 GHz only. Use Protection=1 means a legacy 802.11b device is forcing CTS-to-self on all OFDM frames — a major throughput killer.

4.4 Capability Elements by Generation

#33/#34 · EID 45/61

HT Capabilities / HT Operation (802.11n)

Spatial stream count, 40 MHz secondary channel, HT protection mode (mode 3 = legacy STAs present — highest overhead).

#56/#57 · EID 191/192

VHT Capabilities / VHT Operation (802.11ac)

Channel width (80/160/80+80 MHz), MU Beamformer, MCS 0–9 per spatial stream. VHT Operation gives actual center frequency.

#77/#78 · EID ext 35/36

HE Capabilities / HE Operation (802.11ax / Wi-Fi 6)

TWT, BSS Color, OFDMA, 1024-QAM (MCS 10/11), MU Beamformer, 6 GHz Operation Info. The richest IE in a Wi-Fi 6 beacon.

#97/#98 · EID ext 108/106

EHT Capabilities / EHT Operation (802.11be / Wi-Fi 7)

4096-QAM (MCS 12/13), 320 MHz channels (6 GHz), Disabled Subchannel Bitmap (preamble puncturing). §9.4.2.323 / §9.4.2.321.

4.5 Wi-Fi 7 Multi-Link Elements

#99 · EID ext 107 · §9.4.2.322

Multi-Link Element (MLE)

Cornerstone of MLO. Contains the MLD MAC Address (unified AP identity across all bands), EML capabilities, and Per-STA Profile subelements describing non-beaconing links.

#100 · EID ext 109 · §9.4.2.324

T2LM — TID-to-Link Mapping

Defines which traffic types (voice, video, data) are steered to which links. Default Link Mapping=1 means no explicit restriction — all TIDs use all links.

5 · Guided Exercises

Complete these exercises using Beacon Explorer. Click the relevant IE tile and use the detail panel to answer.

Reading a Security Profile

Filter to show only Base 802.11 elements. Click the RSN tile (#17).

What AKM Suite value indicates WPA3-Personal (SAE)?
What two RSN Capabilities bits together indicate PMF is required (not just optional)?
Which companion IE would you check to confirm SAE Hash-to-Element is supported?
If there is no RSN IE in a beacon, what does that tell you about the network?

Identifying a Congested AP

Search for load. Click through BSS Load, HE BSS Load, and Extended BSS Load.

What field in BSS Load tells you how many clients are connected?
What Channel Utilization value indicates approximately 50% busy?
What does HE BSS Load (EID ext 47) add that BSS Load does not?
If Available Admission Capacity is 0, what does that mean for WMM-AC voice calls?

Mapping 802.11ax Features

Toggle off all generations except 802.11ax (HE). Count the visible tiles.

How many 802.11ax-specific IEs are visible?
Click HE Operation (#78). What field provides the BSS Color value, and how many bits does it use?
Click TWT (#79). What is the difference between Individual TWT and Broadcast TWT?
Click Spatial Reuse (#82). What is OBSS PD, and why does it improve throughput in dense deployments?

Wi-Fi Generation Detection

Use the checklist below to determine an unknown AP's highest supported generation.

IE Present in Beacon	Indicates	Observed?
HT Capabilities (EID 45)	802.11n or later (Wi-Fi 4+)
VHT Capabilities (EID 191)	802.11ac or later (Wi-Fi 5+)
HE Capabilities (EID ext 35)	802.11ax or later (Wi-Fi 6+)
HE Operation w/ 6 GHz Info	802.11ax on 6 GHz (Wi-Fi 6E+)
EHT Capabilities (EID ext 108)	802.11be (Wi-Fi 7)
Multi-Link Element (EID ext 107)	802.11be MLO capable (Wi-Fi 7)

6 · Common Analysis Scenarios

"Why is 2.4 GHz throughput so low?"

Check #15 ERP Info — Use Protection=1 = legacy 802.11b device triggering CTS-to-self on every OFDM frame
Check #35 20/40 Coexistence — Intolerant bit = AP forced to 20 MHz only
Check #34 HT Operation — HT Protection mode 3 (non-HT mixed) = highest-overhead mode

"Is this a WPA3 network?"

Check #17 RSN — AKM Suite 00:0F:AC:8 = SAE (WPA3-Personal)
Check RSN Capabilities — MFPC=1 AND MFPR=1 = PMF required (WPA3)
Check #75 RSNXE — Transition Disable bit = no WPA2 downgrade allowed
Check #96 MME — present = PMF active, protecting management frames

"Does this AP support fast roaming?"

Check #29 Mobility Domain Element — MDID present = 802.11r FT supported
Check #28 RM Enabled Capabilities — Neighbor Report bit = 802.11k supported
Check #37 Extended Capabilities — byte 2 bit 3 = BSS Transition (802.11v)
Check #63 RNR — advertises neighboring APs; required for 6 GHz discovery from 5 GHz beacons

7 · Quick Reference — Element ID Lookup

Frequently referenced Element IDs in the 802.11-2024 specification.

EID	Name	EID	Name
0	SSID	1	Supported Rates
3	DSSS Parameters	5	TIM
7	Country	11	BSS Load
12	EDCA Parameters	32	Power Constraint
35	TPC Report	37	Channel Switch (CSA)
42	ERP Info	45	HT Capabilities
48	RSN	50	Extended Rates
54	Mobility Domain	59	Supported Op Class
61	HT Operation	70	RM Enabled Cap
71	Multiple BSSID	76	MME
127	Extended Capabilities	191	VHT Capabilities
192	VHT Operation	201	RNR
221	Vendor Specific	Ext 5	RSNXE
Ext 35	HE Capabilities	Ext 36	HE Operation
Ext 38	MU EDCA	Ext 39	Spatial Reuse
Ext 42	BSS Color Change	Ext 47	HE BSS Load
Ext 106	EHT Operation	Ext 107	Multi-Link Element
Ext 108	EHT Capabilities	Ext 109	T2LM

All EID ext values verified against IEEE 802.11-2024 Table 9-130 and 802.11be-2024 amendment. Session 15.