
A Look Into 802.11k


802.11k (Radio Resource Measurement)

802.11k was published in 2008 and added to the IEEE 802.11-2012 standard.

Various types of measurements are defined that enable 802.11 stations to request measurements from other stations, that is, the information that needs to be measured to optimize the radio network. For example, with 802.11k, stations are able to assess how occupied or idle a frequency channel is.

The corresponding request and report mechanisms, and the formats of the frames through which the measurement requests and results are communicated among stations, are defined by the 802.11k amendment.

Radio resource measurement is covered in Clause 11.11 of the latest 802.11-2016 standard (p. 1709).

Why did we want to talk about 802.11k?

  • It can help client devices to better roam
  • It has not always been supported on client devices
  • Clients might lie when they advertise their 802.11k capabilities…

What is really happening with 802.11k?

  • Most of the time APs (or WLC) gather client radio information via specific mechanisms
  • The client devices can also request some information from the infrastructure (APs & WLC)

What type of information are we talking about?

  • Neighbor Reports: clients can request a neighbor report and learn valuable information from the infrastructure. The clients will use this information to make better roaming decisions.
  • Client Statistics: SNR, RSSI, Data rates, frame transmission, retries and errors can be communicated back to the AP & controller.
  • Channel Statistics: clients might gather noise-floor and channel-load information and send it to the infrastructure.
  • Transmit Power Control: this can be used to reduce interference in both frequency bands

Validate that an SSID supports 802.11k

  • Capture the Beacon Frame
  • Look for the RM Enabled Capabilities IE
    • Look for the Neighbor Report Enable bit in the first RM Capabilities section

Validate that a client supports 802.11k & Neighbor Reports

  • Capture the Association Request (look at the profiler tool from WLAN Pi)
  • Look for the RM Enabled Capabilities IE
    • RM Capabilities
      • Neighbor Report Enable Bit should be set to 1
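
The two validation checks above can also be run in code over a captured frame. The following Python is an added example, not from the original post: it assumes the input is the tagged parameters of a Beacon or Association Request body (the bytes after the fixed fields), and the function names and sample bytes are constructed for illustration.

```python
# Added example: walk the tagged parameters (information elements) of a
# Beacon or Association Request body and decode RM Enabled Capabilities.
RM_ENABLED_CAPABILITIES = 70   # element ID, same value as wlan.tag.number == 70

# First octet of the RM Enabled Capabilities field (bit 0 = least significant).
RM_BITS_OCTET0 = {
    0: "Link Measurement",
    1: "Neighbor Report",
    2: "Parallel Measurements",
    3: "Repeated Measurements",
    4: "Beacon Passive Measurement",
    5: "Beacon Active Measurement",
    6: "Beacon Table Measurement",
    7: "Beacon Measurement Reporting Conditions",
}

def iter_elements(tagged: bytes):
    """Yield (element_id, value) pairs; stop cleanly on a truncated element."""
    offset = 0
    while offset + 2 <= len(tagged):
        element_id, length = tagged[offset], tagged[offset + 1]
        value = tagged[offset + 2: offset + 2 + length]
        if len(value) < length:      # length field runs past the captured bytes
            return
        yield element_id, value
        offset += 2 + length

def rm_capabilities(tagged: bytes):
    """Return the capability names set in octet 0, or None if IE 70 is absent."""
    for element_id, value in iter_elements(tagged):
        if element_id == RM_ENABLED_CAPABILITIES and len(value) >= 1:
            return {name for bit, name in RM_BITS_OCTET0.items() if value[0] >> bit & 1}
    return None

def supports_neighbor_report(tagged: bytes) -> bool:
    caps = rm_capabilities(tagged)
    return caps is not None and "Neighbor Report" in caps

# Constructed sample bytes (not from a real capture): SSID "lab", then IE 70.
SAMPLE_11K = bytes([0, 3]) + b"lab" + bytes([70, 5, 0x72, 0, 0, 0, 0])
SAMPLE_NO_11K = bytes([0, 3]) + b"lab"
SAMPLE_TRUNCATED = bytes([0, 3]) + b"lab" + bytes([70, 5, 0x72])

if __name__ == "__main__":
    for label, blob in [("11k", SAMPLE_11K), ("no 11k", SAMPLE_NO_11K),
                        ("truncated", SAMPLE_TRUNCATED)]:
        print(label, supports_neighbor_report(blob), rm_capabilities(blob))
```

A truncated element is treated as absent rather than partially decoded, so a cut-off capture never reports a capability the frame did not fully carry.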

802.11k Neighbor Report Operations

The client device sends a Neighbor Report Request specifying the SSID it is currently associated with.

Here is the Neighbor Report Request Frame field format (it is an action frame):

The access point replies with a neighbor report. We have a couple of examples here:

  • The first one is empty since there is only 1 AP in the network
  • The second one shows one candidate

A Few Wireshark Filters

  • Validate if a device or AP supports neighbor reports: wlan.rmcap.b1 == 1
  • Search for all the RM Enabled Information Element: wlan.tag.number == 70
  • Filter for the Neighbor Report Requests: wlan.rm.action_code == 4
  • Filter for the Neighbor Report Responses: wlan.rm.action_code == 5
  • Filter for any Resource Measurement Frames: wlan.fixed.category_code == 5


Wireless Network Engineer and Owner at SemFio Networks. CWNE #180. Living in London ON Canada, born and raised in Dijon, France.
