My neighbour is actively trying WPS pins on my router - I know because the "WiFi/WPS" LED on my router lit up when I have permanently turned it off! I double checked the setting using the router admin page through ethernet and it confirmed LED's were off (except during WPS negotiation, which overrides the off setting). Note, it's a Tenda AC10 router.
Additionally all my 5Ghz devices got disconnected, I'm not sure if it's because of aggressive WPS packets or a simultaneous deauth flood was issued.
I need to track down the WPS packets and pin-point the MAC address the attempts were issued from. I tried using the "WPS" display filter in Wireshark as well as the "eap.wps.code" filter, no packets were found AS the packets were being recorded!
The same also occurred a couple of days back when I was trying WPS attempts against my own device and couldnt see the same frames with the "WPS" display filter in WiresharkI I dropped the issue since I had - in theory - disabled WPS on my AP's so considered it a smaller problem.
Please let me know the exact display filters to use to detect WPS pin attempts in some kind of a flood attack.