2
APs can’t send Data frames (including QoS-Data and all other Data frame variants) to clients that are not associated. So any FromDS Data frame to a particular unicast MAC address is a sign that that AP considers that client to be associated.
Please note that on typical networks, not all associated clients are really “on the network” and able to send/receive real traffic. That’s because clients associate before doing WPA2 authentication, and the WPA2 authentication is done via Data frames (specifically EAPOL-Key frames at the Ethernet layer). Clients can’t send/receive anything other than EAPOL-Key frames (again, these are Data frames at the 802.11 layer) until the WPA2 handshake completes successfully. Clients that fail authentication get immediately Disassociated (and 802.11-layer Deauthenticated).
So you might want to exclude EAPOL-Key frames if you are really looking for clients that are fully members in good standing on the network.
Thanks, well can i take that that a client first sends a data frame? – Shiri – 2018-03-02T09:07:24.727