Terms

These are the wireless terms used throughout this manual, defined the way they actually behave on the air and in the 802.11 standard. Each entry is deliberately short; follow the cross-links for the full protocol or attack page.

AP (Access Point) is the radio that beacons a network and bridges its clients onto a wired or routed segment. In Tala WTE every network you start on the Networks page is a real AP run by hostapd.

Station (STA) is any client device that associates to an AP - a phone, a laptop, or an attacker's adapter. The AP and its associated stations together form a Basic Service Set.

SSID (Service Set Identifier) is the human-readable network name, up to 32 bytes. On the New Network form it is the SSID Name field.

ESSID (Extended SSID) is the same network name viewed across multiple APs that share it; in practice the terms SSID and ESSID are used interchangeably for the broadcast name.

BSSID (Basic SSID) is the AP radio's MAC address, the unique 48-bit identifier that distinguishes one physical AP from another even when several broadcast the same SSID. Attack tools target a network by BSSID, not by name.

Discovery and association

Beacon is the management frame an AP broadcasts roughly ten times a second to advertise its SSID, supported rates, channel, and security parameters (the RSN information element). A Hidden Network beacons an empty SSID instead, which is obscurity, not security.

Probe Request is the frame a station sends to discover networks, either broadcast ("anyone there?") or directed at a named SSID. Directed probes are how a hidden SSID leaks: a client that knows the name puts it on the air for anyone listening.

Monitor mode is a radio mode in which an adapter captures all 802.11 frames in range without associating to any network, passing raw management, control, and data frames up to tools like airodump-ng. It is the prerequisite for nearly every capture-based attack in this manual.

Deauthentication is a management frame that tells a station it has been disconnected. In plain WPA2 these frames are unauthenticated, so an attacker can forge them to knock a client off and force it to reassociate, replaying the four-way handshake for capture. Protected Management Frames close this gap.

Keys and the handshake

EAPOL (Extensible Authentication Protocol over LAN) is the link-layer transport that carries the four-way handshake frames. Captured EAPOL is what offline crackers feed to hashcat -m 22000.

Four-way handshake is the EAPOL exchange in which an AP and a station each prove they hold the same PMK and jointly derive fresh session keys, without ever sending the passphrase. Its weakness is that the captured frames let an attacker test passphrase guesses offline. See WPA2-Personal.

PSK (Pre-Shared Key) is the model where every client uses one shared secret. The Passphrase field on the form (8 to 63 characters for WPA/WPA2) is the input; hostapd emits it as wpa_passphrase with wpa_key_mgmt=WPA-PSK.

PMK (Pairwise Master Key) is the root key for a session. Under PSK it is derived from the passphrase and SSID with PBKDF2; under SAE it is negotiated fresh each time, giving forward secrecy. The PMK is never transmitted.

PTK (Pairwise Transient Key) is the per-session key bundle derived during the four-way handshake from the PMK plus both nonces and both MAC addresses. It splits into keys for encrypting unicast data and for protecting the handshake itself.

GTK (Group Temporal Key) is the shared key the AP distributes to all associated stations to encrypt broadcast and multicast traffic. It is delivered, wrapped, inside the handshake.

Nonce is a number used once: a random value each side contributes so the derived PTK is unique per session. Reuse of a nonce, here the per-packet nonce that a reinstalled key resets, is the root cause of the key reinstallation class of attacks (CVE-2017-13077).

ANonce is the nonce the AP (authenticator) sends in handshake message 1. SNonce is the nonce the station (supplicant) returns in message 2. Both feed the PTK derivation.

MIC (Message Integrity Code) is the keyed checksum on each handshake frame that proves the sender holds the correct PTK. A cracker confirms a guessed passphrase by recomputing the MIC and matching the captured one.

PMKID (PMK Identifier) is a value derived from the PMK that an AP may place in the key data of handshake message 1 (as an RSN PMKID KDE). When present it enables a clientless crack: capture it with hcxdumptool and grind it offline. The PMKID Exposed toggle (WPA2-Personal only) controls whether the lab AP advertises it. See WPA2-Personal.

KDE (Key Data Encapsulation) is the type-length-value container used inside EAPOL key frames to carry items such as the GTK and the RSN PMKID; hostapd emits the PMKID as an RSN PMKID KDE in message 1/4.
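
How the PSK-mode PMK and the PMKID described above are derived, as an added example that is not Tala WTE or hostapd code; the SSID, MAC addresses and passphrases are constructed lab values. The check in pmkid_matches is why a captured PMKID lets a passphrase guess be tested offline with no client present, and why each guess costs one PBKDF2 run, so the defence is passphrase entropy or SAE.

```python
import hashlib
import hmac

# Added example, not Tala WTE code: the WPA2-Personal PMK and PMKID derivations
# as defined in IEEE 802.11 (PBKDF2-HMAC-SHA1 with 4096 rounds for the PMK, then
# HMAC-SHA1 over "PMK Name" || AA || SPA truncated to 128 bits for the PMKID).

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK mode: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA).
    AA is the AP (authenticator) MAC, SPA the station (supplicant) MAC."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]

def pmkid_matches(candidate: str, ssid: str, ap_mac: bytes, sta_mac: bytes,
                  captured_pmkid: bytes) -> bool:
    """One offline test of a candidate passphrase against a PMKID taken from
    message 1/4: derive the PMK (the expensive step), then the PMKID, and compare.
    No frames from a real client are needed, which is what makes the crack clientless."""
    guess = derive_pmkid(derive_pmk(candidate, ssid), ap_mac, sta_mac)
    return hmac.compare_digest(guess, captured_pmkid)

def mac_bytes(text: str) -> bytes:
    """'02:00:00:00:01:00' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

# Constructed lab values, not from a real capture.
LAB_SSID = "TalaLab"
LAB_AP = mac_bytes("02:00:00:00:01:00")
LAB_STA = mac_bytes("02:00:00:00:02:00")

if __name__ == "__main__":
    pmk = derive_pmk("correct horse battery", LAB_SSID)
    captured = derive_pmkid(pmk, LAB_AP, LAB_STA)  # the value an AP with PMKID Exposed puts on the air
    print("PMKID:", captured.hex())
    print("wrong guess matches:", pmkid_matches("password", LAB_SSID, LAB_AP, LAB_STA, captured))
    print("right guess matches:", pmkid_matches("correct horse battery", LAB_SSID, LAB_AP, LAB_STA, captured))
```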

Ciphers

CCMP (Counter Mode with CBC-MAC Protocol) is the mandatory WPA2 cipher: AES-128 providing confidentiality, integrity, and replay protection. hostapd emits it as rsn_pairwise=CCMP. See WPA2-Personal.

GCMP (Galois/Counter Mode Protocol) is the AES-GCM cipher used by WPA3-Enterprise in its 192-bit suite as GCMP-256, paired with the BIP-GMAC-256 management-frame cipher.

TKIP (Temporal Key Integrity Protocol) was the 2003 stopgap that wrapped RC4 with per-packet key mixing and the Michael MIC as a firmware-level fix for WEP. It is legacy and weak; hostapd emits it as wpa_pairwise=TKIP. See WPA.

RC4 is the stream cipher underneath both WEP and TKIP. Its keystream biases are what make WEP recoverable in minutes and weaken TKIP.

IV (Initialization Vector) is the per-frame value mixed into a stream cipher's key. WEP's 24-bit IV is far too small: it repeats, and the statistical relationship between weak IVs and the key (the 2001 FMS attack) is the core WEP break. See WEP.

RSN, robust frames, and SAE

RSN IE (Robust Security Network Information Element) is the block in beacons and association frames that advertises the AKM suites and ciphers an AP supports. Suppressing or rewriting it is the lever behind transition-mode downgrade attacks.

RSNXE (RSN Extension Element) advertises newer capabilities such as SAE Hash-to-Element and protected beacons. In WPA3-Transition the AP carries both the RSN IE and the RSNXE so WPA2 and WPA3 clients can each find their path.

SAE (Simultaneous Authentication of Equals), also called Dragonfly, is the password-authenticated key exchange that replaces PSK in WPA3-Personal. It derives a fresh PMK each session, giving forward secrecy and resistance to offline dictionary attacks; hostapd emits it as wpa_key_mgmt=SAE. The 2019 Dragonblood findings (CVE-2019-9494) targeted early variable-time implementations and are fixed upstream.

PMF (Protected Management Frames), standardized in 802.11w-2009, cryptographically protects management frames so forged deauthentication and disassociation no longer work. hostapd writes it as ieee80211w: 0 disabled, 1 optional, 2 required. WPA3 requires it; WPA2 leaves it optional.
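
A decoder for the RSN IE described above, as an added example that is not Tala WTE or hostapd code: it reads the AKM suites, ciphers and the two PMF capability bits from a beacon's element and flags a WPA3-Transition advertisement, which is what a scanner would check before trusting a network. The two element byte strings are constructed, not captured from a real AP.

```python
import struct

# Added example, not Tala WTE or hostapd code: decode the RSN information element
# (element ID 48) and report what the AP advertises. Suite selectors are the
# OUI 00-0F-AC plus a one-byte type from IEEE 802.11; PMF lives in RSN Capabilities.
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 6: "BIP-CMAC-128",
           8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256", 11: "BIP-GMAC-128",
           12: "BIP-GMAC-256", 13: "BIP-CMAC-256"}
AKMS = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE",
        9: "FT-SAE", 12: "802.1X-Suite-B-192", 18: "OWE"}
MFPR, MFPC = 0x0040, 0x0080  # RSN Capabilities bit 6 (required) and bit 7 (capable)

def _suite(sel: bytes, table: dict) -> str:
    """Map a 4-byte suite selector to a name; keep vendor OUIs visible."""
    oui, typ = sel[:3], sel[3]
    if oui != b"\x00\x0f\xac":
        return f"vendor-{oui.hex()}-{typ}"
    return table.get(typ, f"type-{typ}")

def parse_rsn_ie(ie: bytes) -> dict:
    """Parse an RSN IE (ID, length, body). Raises ValueError on malformed input."""
    if len(ie) < 2 or ie[0] != 48 or len(ie) != 2 + ie[1]:
        raise ValueError("not a complete RSN IE")
    body, pos = ie[2:], 0
    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("RSN IE truncated")
        chunk = body[pos:pos + n]; pos += n
        return chunk
    (version,) = struct.unpack("<H", take(2))
    group = _suite(take(4), CIPHERS)
    (n_pw,) = struct.unpack("<H", take(2))
    pairwise = [_suite(take(4), CIPHERS) for _ in range(n_pw)]
    (n_akm,) = struct.unpack("<H", take(2))
    akms = [_suite(take(4), AKMS) for _ in range(n_akm)]
    caps = struct.unpack("<H", take(2))[0] if pos + 2 <= len(body) else 0  # caps field is optional
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akms,
            "pmf_capable": bool(caps & MFPC), "pmf_required": bool(caps & MFPR),
            "transition_mode": "PSK" in akms and "SAE" in akms}

# Constructed beacon elements (not from a real AP): CCMP group and pairwise cipher,
# then PSK+SAE with PMF optional (hostapd ieee80211w=1) versus SAE-only with PMF required (=2).
TRANSITION_IE = bytes.fromhex("3018" "0100" "000fac04" "0100" "000fac04" "0200" "000fac02" "000fac08" "8000")
SAE_ONLY_IE = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac08" "c000")

if __name__ == "__main__":
    for name, ie in (("transition", TRANSITION_IE), ("sae-only", SAE_ONLY_IE)):
        print(name, parse_rsn_ie(ie))
```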

OWE (Opportunistic Wireless Encryption), defined in RFC 8110, gives open networks per-client encryption with no passphrase by running an unauthenticated Diffie-Hellman exchange. It stops passive eavesdropping but not an active rogue AP, since there is no authentication.

802.1X and EAP

EAP (Extensible Authentication Protocol), RFC 3748, is the authentication framework used by enterprise Wi-Fi. The AP relays EAP between the client and a RADIUS server and never sees the credentials itself; hostapd emits wpa_key_mgmt=WPA-EAP. See WPA2-Enterprise.

RADIUS (Remote Authentication Dial-In User Service), RFC 2865, is the backend AAA protocol the AP queries to authenticate each user. Tala WTE runs FreeRADIUS against an LDAP directory; the form's EAP Identity and EAP Password must be a real directory user. RADIUS over UDP without a Message-Authenticator is forgeable (CVE-2024-3596).

PEAP (Protected EAP) wraps an inner method, usually MSCHAPv2, inside a server-side TLS tunnel. If a client skips server-certificate validation it will hand its MSCHAPv2 exchange to a rogue RADIUS, which is the classic enterprise credential-harvest path. See WPA2-Enterprise.

EAP-TTLS (Tunneled TLS) is similar to PEAP: it builds a TLS tunnel and then carries an inner authentication exchange, supporting a wider range of legacy inner methods. It shares PEAP's dependence on strict server-cert validation.

EAP-TLS authenticates both sides with X.509 certificates inside TLS, with no password to phish. It is the strongest common EAP method and is mandated by WPA3-Enterprise in its 192-bit suite.

Spectrum and regulation

DFS (Dynamic Frequency Selection) is the requirement on certain 5 GHz channels to listen for radar and vacate if detected, per ETSI EN 301 893 and FCC rules. The Channel dropdown marks these channels "DFS"; an AP on one may pause to perform a channel-availability check before beaconing.

Regulatory domain is the country's rule set governing which channels and power levels are legal. hostapd sets country_code with ieee80211d=1; without it the world domain "00" marks 5 GHz channels "no IR" (no beaconing), so the AP cannot start. Tala WTE defaults the domain to US.

ITU-R (International Telecommunication Union, Radiocommunication Sector) is the United Nations body whose Radio Regulations treaty sets the worldwide framework for spectrum, which national regulators then turn into binding domestic rules. See Spectrum and Regulation.

U-NII (Unlicensed National Information Infrastructure) is the set of 5 and 6 GHz unlicensed bands (U-NII-1 through U-NII-8) that Wi-Fi uses outside the 2.4 GHz ISM band. Some U-NII bands require DFS or AFC. See Spectrum and Regulation.

AFC (Automated Frequency Coordination) is the database system that lets a 6 GHz access point use standard power on U-NII-5 and U-NII-7 without interfering with incumbent fixed links, by checking its location against protected receivers. See RF, Density and Tuning.

EIRP (Effective Isotropic Radiated Power) is the total radiated power in the strongest direction, transmitter power plus antenna gain, and the quantity regulatory power limits are written against. See Antennas and MIMO.

FCC ID is the identifier on a device's label (grantee code plus product code) that ties it to its equipment authorization; it can be looked up to find a device's test reports and supported bands. See Spectrum and Regulation.

RF, propagation, and density

FSPL (Free-Space Path Loss) is the signal loss from spreading alone, with no obstacles; it rises with the square of both distance and frequency, which is why higher bands reach less far. See RF, Density and Tuning.

CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance) is the 802.11 rule that radios listen before transmitting and defer while the channel is busy, so a shared channel's airtime is divided among everyone who can hear it. See RF, Density and Tuning.

CCI (Co-Channel Interference) is contention between APs on the same channel that can hear each other: not corruption, but shared airtime. ACI (Adjacent-Channel Interference) is the worse case, where overlapping channels corrupt each other's frames because CSMA/CA cannot arbitrate them. Good channel planning trades ACI for CCI on purpose. See RF, Density and Tuning.

Channel bonding combines adjacent 20 MHz channels into wider 40, 80, 160, or 320 MHz channels for more throughput, at the cost of fewer non-overlapping channels and a higher noise floor. See RF, Density and Tuning.

MCS (Modulation and Coding Scheme) is the index that sets how many bits each radio symbol carries; higher MCS rates need a higher SNR to decode, so distant clients fall back to lower ones. See RF, Density and Tuning.

SNR (Signal-to-Noise Ratio) is the margin of the wanted signal over the noise floor at the receiver; it determines the highest data rate a link can hold. See RF, Density and Tuning.

OFDMA (Orthogonal Frequency-Division Multiple Access), introduced with Wi-Fi 6, lets one transmission serve several clients at once by assigning each a slice of the channel (a resource unit), which improves efficiency in dense areas. See The Future of Wireless.

Antennas and MIMO

dBi is antenna gain relative to an ideal isotropic radiator; an antenna does not create power, it concentrates it, so higher dBi means a narrower beam reaching farther. See Antennas and MIMO.

Omnidirectional antennas radiate evenly around the horizontal plane (low gain, even coverage); directional antennas (patch, yagi, sector) concentrate energy into a forward main lobe (high gain, narrow beam). See Antennas and MIMO.

MIMO (Multiple-Input Multiple-Output) uses several antennas and parallel spatial streams to multiply throughput. MU-MIMO (Multi-User MIMO) serves several clients simultaneously on those streams. See Antennas and MIMO.

Beamforming steers an antenna array's combined signal toward a specific client, raising its received power and rate without raising total transmit power. See Antennas and MIMO.

Standards and generations

MLO (Multi-Link Operation) is the Wi-Fi 7 feature that lets a client use several bands or channels at once for higher throughput and lower latency. See The Future of Wireless.

TWT (Target Wake Time) lets a client and AP schedule when the client must be awake to transmit, saving battery; it arrived with Wi-Fi 6. See Standards and Generations.

QAM (Quadrature Amplitude Modulation) is the modulation that packs bits into each symbol; each generation raises the order (256-QAM, 1024-QAM, 4096-QAM) for more bits per symbol when the SNR allows. See Standards and Generations.

Health, shielding, and privacy

Non-ionizing radiation is electromagnetic radiation, including all Wi-Fi and cellular RF, whose photons cannot break chemical bonds or strip electrons; the ionizing threshold lies up in the ultraviolet range. See Wireless and Health.

SAR (Specific Absorption Rate) is the rate the body absorbs RF energy, in watts per kilogram; it is the quantity exposure limits are written against (the US phone limit is 1.6 W/kg over 1 gram of tissue). See Wireless and Health.

ICNIRP (International Commission on Non-Ionizing Radiation Protection) sets the internationally harmonized RF exposure guidelines that many countries adopt. IARC Group 2B is the "possibly carcinogenic to humans" strength-of-evidence category into which the WHO's cancer agency placed RF fields in 2011. See Wireless and Health.

Faraday cage (and the portable Faraday bag) is a conductive enclosure whose surface currents cancel the field inside, blocking RF in and out; it blocks a frequency only when any openings are far smaller than that frequency's wavelength. See Wireless and Health.

Shielding effectiveness is how much an enclosure attenuates a signal, in decibels; skin depth is the thin surface layer of a conductor that RF currents ride in, which shrinks with frequency and is why thin metal shields at GHz. See Wireless and Health.

IMSI catcher (cell-site simulator, "Stingray") is a device that impersonates a cell tower so nearby phones connect to it and reveal their identity and approximate location. CSLI (Cell-Site Location Information) is the time-stamped record a carrier generates each time a phone talks to a tower. See Wireless and Health.

MAC randomization is the phone feature that presents a different, random Wi-Fi MAC address per network to blunt cross-venue tracking via probe requests; it is a strong default but not a complete guarantee. See Wireless and Health.

BLE (Bluetooth Low Energy) is the low-power Bluetooth variant whose periodic advertisements drive beacons and crowd-sourced finding networks (such as Find My and AirTags), and which can be used for proximity tracking. See Wireless and Health.

(c) 2026 VTEM Labs, Inc. All rights reserved. | vtemlabs.com