Is it possible to read NAS ID and Mobility Domain of third-party router?

This is not a fully OpenWRT-question. I have few routers with OpenWRT installed which are using 802.11r and have same "Mobility Domain" and "NAS ID".

Now there is one more powerful router on which (unfortunately) OpenWRT cannot be installed so far.

There are no settings related to 802.11r in its limited Etisalat interface, but obviously
it has 802.11r enbled.

WiFi analyzer shows this

+FT !!!

I guess if it would be possible to sniff out the "Mobility Domain" i could put the same on all my OpenWRT devices and roaming would work.

1 Like

precisely, how to read WIFI MDID

If you're familiar with Wireshark - the location is explained:

The number is represented as a hexdecimal value.


It seems so.

1 Like

Many thanks, it was it. Here is the captured packet from Arcadyan router

And here is from OpenWRT router

Interesting thing though:

Mobility Domain had to be set as "6400" to become 0x0064 which seems little weird

And "NAS ID": OpenWRT inserts "3"'s before each character, so
"633465353301" became "363333343635333533333031"

just made both routers same length (on Wireshark cap this field is visible as PMK-R0)

Hi, do I understand it right from that Wireshark link that you'd need to have an adapter that is capable of capturing such information?
It does not work for me, even though I could set it to "monitor" mode instead of "managed".
Wireshark does not show me any packets that are related to WiFi.
I tried these filters:
Any clue? Thank!

Update (SOLVED):

I did this:

#Activating monitor mode on WiFi interface:
sudo iwconfig wlp4s0 mode monitor
#Select monitored channel:
sudo iwconfig wlp4s0 channel 100

wlp4s0    IEEE 802.11  ESSID:"something"  
          Mode:Managed  Frequency:5.5 GHz  Access Point: 30:93:BC:BB:5D:xy   
          Bit Rate=520 Mb/s   Tx-Power=22 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
          Link Quality=34/70  Signal level=-76 dBm  
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:104   Missed beacon:0

I also activated the WiFi toolbar under View menu and selected the monitored channel.

It is likely a question byte order of numbers, of "little endian" vs. "big endian" CPUs.
Is 0x0064 stored in two bytes as is "00 64" or as "64 00" ?
That was something that I speculated three years ago at

and like @jow summarized as

Your other part about NASID is similar:

Hexadecimal characters for 0-9 are 30 31 ... 39
So, if one takes ASCII string of "6334..." it is actually hexadecimal values as "36 33 33 34 ..."
Apparently OpenWrt and your other router handle that aspect differently.
Other router want just ASCII numbers as the NASID and then stores it (naturally) as hex character, while OpenWrt directly takes/shows a hexadecimal string in config.

I use a byte-symmetric Mobility ID myself for 802.11r...
something like "0D 0D"