100+ Free CWAP Practice Questions

Pass your CWNP Certified Wireless Analysis Professional (CWAP-404) exam on the first try — instant access, no signup required.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately

CWNP does not publish official pass rates Pass Rate

100+ Questions

100% Free

1 / 10

Question 1

Score: 0/0

In an 802.11 MAC header, which field identifies the type and subtype of a frame (Management, Control, or Data)?

Address 1

Frame Control field

FCS

Duration/ID

to track

2026 Statistics

Key Facts: CWAP Exam

70%

Passing Score

CWNP

Exam Questions

90 minutes

100-150 hrs

Study Time

Recommended

$275

Exam Fee

CWNP

3 years

Certification Valid

CWNP

Professional

Certification Level

CWNP (CWNA prereq)

The CWAP-404 exam has 60 multiple-choice questions in 90 minutes with a 70% passing score. Key topics: 802.11 frame structure and types, Wireshark and Omnipeek packet capture, PHY layer analysis (OFDMA, MCS, trigger frames), MAC layer (CSMA/CA, EDCA, Block ACK, TXOP), troubleshooting (retries, hidden node, CCI, 4-way handshake issues), spectrum analysis (Chanalyzer, CleanAir), roaming captures, and WPA2/WPA3 decryption. CWNA is recommended as prerequisite. The exam costs $275 USD and the certification is valid for 3 years.

Sample CWAP Practice Questions

Try these sample questions to test your CWAP exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1In an 802.11 MAC header, which field identifies the type and subtype of a frame (Management, Control, or Data)?

A.Address 1

B.Frame Control field

C.FCS

D.Duration/ID

Explanation: The Frame Control field is a 16-bit header field containing Protocol Version, Type (00=Management, 01=Control, 10=Data, 11=Extension), Subtype, and flags (ToDS, FromDS, MoreFrag, Retry, PwrMgt, MoreData, Protected, Order). Address 1 is a MAC address. FCS is the 32-bit CRC at the end of the frame. Duration/ID holds the NAV duration or association ID.

2Which frame type does an AP periodically broadcast to advertise its SSID, supported rates, and capabilities?

A.Probe Response

B.Beacon

C.Association Response

D.Authentication

Explanation: Beacon frames (Management type, subtype 8) are transmitted periodically (default every 102.4 ms / 100 TU) by APs to advertise SSID, supported rates, capabilities, country info, DS parameters, TIM, and vendor-specific information elements. Probe Responses are unicast replies to Probe Requests. Association Response follows an Association Request.

3Which Wireshark display filter shows only beacon frames?

A.wlan.fc.type == 0

B.wlan.fc.type_subtype == 8

C.wlan.fc.type == 2

D.wlan.fc.subtype == 11

Explanation: In Wireshark, wlan.fc.type_subtype == 8 matches Beacon frames (Management type, subtype 8). wlan.fc.type == 0 matches all Management frames. wlan.fc.type == 2 matches Data. wlan.fc.subtype == 11 is Authentication. Combining type_subtype filters quickly narrows captures to specific frames.

4Which of the following is a Control frame?

A.Beacon

B.Probe Request

C.Acknowledgment (ACK)

D.Association Request

Explanation: ACK is a Control frame (type 01, subtype 13). Control frames include RTS (subtype 11), CTS (12), ACK (13), PS-Poll (10), BlockAck (9), BlockAckReq (8), Trigger (2 in HE). Beacon, Probe Request, and Association Request are Management frames.

5A Wireshark capture shows many Retry bits set to 1 on Data frames. What does this indicate?

A.Successful transmissions

B.Retransmissions of previously unacknowledged frames

C.Encryption errors only

D.Association in progress

Explanation: The Retry bit in the Frame Control field, when set to 1, indicates this frame is a retransmission of an earlier unacknowledged frame. High retry rates suggest RF problems: low SNR, collisions, hidden nodes, CCI, or interference. Retry rates above 10-15% typically indicate trouble.

6Which protocol analyzer runs on Windows and specializes in Wi-Fi analysis, now owned by LiveAction?

A.Wireshark

B.Omnipeek (formerly Savvius/WildPackets)

C.tcpdump

D.NetMon

Explanation: Omnipeek (originally WildPackets, then Savvius, now LiveAction) is a Windows-based protocol analyzer with strong Wi-Fi support: multi-channel aggregation, peer map, expert analysis. Wireshark is cross-platform open source. tcpdump is CLI. Microsoft NetMon is deprecated.

7Which interface mode on a Linux or macOS wireless adapter captures 802.11 frames with PHY headers and radiotap?

A.Managed mode

B.Monitor mode

C.Master mode

D.Mesh mode

Explanation: Monitor mode (often appears as mon0 on Linux) allows the adapter to capture all 802.11 frames on a channel, including control, management, and data, with radiotap PHY metadata (RSSI, rate, channel). Managed mode is the normal client role. Master mode is AP mode. Kali Linux with airmon-ng and Kismet/Wireshark is the classic toolset.

8During a WPA2-PSK 4-way handshake, which message contains the Group Temporal Key (GTK) encrypted with the Pairwise Transient Key (PTK)?

A.Message 1

B.Message 2

C.Message 3

D.Message 4

Explanation: Message 3 of the 4-way handshake (from AP to client) carries the GTK encrypted by the PTK derived earlier. Message 1 is AP-to-client with ANonce. Message 2 is client-to-AP with SNonce and MIC. Message 4 is the final ACK from client to AP. A failed message 3 or 4 shows up as repeated retries during analysis.

9In Wireshark, which filter decrypts a WPA2-PSK capture given the SSID and passphrase plus the 4-way handshake?

A.Enable the IEEE 802.11 protocol preferences, provide the SSID:passphrase decryption key, and include the 4-way handshake in the capture

B.It cannot be done

C.Only with a proprietary tool

D.Only for open networks

Explanation: Wireshark can decrypt WPA/WPA2-PSK when given the SSID:passphrase as a wpa-pwd key in IEEE 802.11 protocol preferences, and the capture includes all 4 messages of the 4-way handshake for that client. Enterprise (802.1X) decryption requires exporting the per-session PMK from the client or RADIUS. WPA3 is harder due to SAE forward secrecy.

10What does the BSSID field in an 802.11 frame represent?

A.The client MAC address

B.The MAC address of the AP's radio (or Ad-Hoc network ID)

C.The VLAN ID

D.The IP address of the AP

Explanation: The BSSID (Basic Service Set Identifier) is the MAC address of the AP's radio interface. In infrastructure mode, all frames for a BSS carry the same BSSID in Address 3 (or another address field depending on ToDS/FromDS). In an IBSS (ad-hoc), the BSSID is a randomly generated 46-bit value.

About the CWAP Exam

The CWNP Certified Wireless Analysis Professional (CWAP-404) exam validates professional-level WLAN protocol and spectrum analysis skills. It covers 802.11 frame structure (management, control, data; MPDU vs MSDU vs PPDU; AMPDU/AMSDU), protocol tools (Wireshark, Omnipeek, aircrack-ng, Kismet, Ekahau Sidekick), PHY layer (OFDM/OFDMA, MCS, QAM, MIMO/MU-MIMO), MAC layer (CSMA/CA, IFS, EDCA, TXOP, Block ACK), troubleshooting scenarios, spectrum analysis, roaming captures, WPA2/WPA3 decryption, and 802.11ax/be frame specifics.

Questions

60 scored questions

Time Limit

90 minutes

Passing Score

70%

Exam Fee

$275 USD (CWNP / Pearson VUE)

CWAP Exam Content Outline

25%

802.11 Frame Analysis

Frame Control, address fields, management/control/data frames, MPDU/MSDU/PPDU, and AMPDU/AMSDU aggregation

20%

PHY Layer

OFDM, OFDMA, MCS, QAM, MIMO/MU-MIMO, trigger frames, resource units, and preamble structure

20%

MAC Layer and QoS

CSMA/CA, IFS (SIFS/DIFS/AIFS), EDCA access categories, TXOP, NAV, and Block ACK

20%

Capture Tools and Methodology

Wireshark, Omnipeek, aircrack-ng, Kismet, Ekahau Sidekick, multi-channel capture, and radiotap

15%

Troubleshooting and Spectrum

Retries, hidden node, CCI/ACI, 4-way handshake failures, spectrum analysis, and roaming analysis

How to Pass the CWAP Exam

What You Need to Know

Passing score: 70%
Exam length: 60 questions
Time limit: 90 minutes
Exam fee: $275 USD

Keys to Passing

Complete 500+ practice questions
Score 80%+ consistently before scheduling
Focus on highest-weighted sections
Use our AI tutor for tough concepts

CWAP Study Tips from Top Performers

1Learn Wireshark display filters for 802.11: wlan.fc.type_subtype, wlan.bssid, wlan.ra, wlan.sa, wlan.ta — these are core to every capture

2Practice decoding the 4-way handshake byte-by-byte — know Key Info flags, MIC, ANonce/SNonce, and GTK delivery

3Understand radiotap headers and how to read rate, MCS, channel, RSSI, and noise for each frame

4Learn EDCA parameters per access category (AIFSN, CWmin, CWmax) — these explain voice/video priority over data

5Capture Wi-Fi 6 trigger frames and HE TB PPDUs to understand UL OFDMA and UL MU-MIMO scheduling

6Practice spectrum analysis with Chanalyzer or Sidekick to identify non-Wi-Fi interferers (microwave, Bluetooth, analog cameras)

Frequently Asked Questions

What is the CWAP-404 exam?

CWAP-404 is the current CWNP Certified Wireless Analysis Professional exam. It validates deep knowledge of 802.11 frame analysis, protocol captures using Wireshark and Omnipeek, PHY layer details (OFDMA, MCS, trigger frames), MAC layer (EDCA, TXOP, Block ACK), spectrum analysis, and systematic troubleshooting of WLAN issues.

How hard is the CWAP exam?

CWAP is one of the hardest CWNP professional-level exams. It requires hands-on experience capturing and analyzing 802.11 frames in Wireshark, reading radiotap headers, decoding information elements, and decrypting WPA2 with the 4-way handshake. Plan for 100-150 hours of study including lots of hands-on capture practice.

Is CWNA a prerequisite for CWAP?

CWNA is strongly recommended as a prerequisite. You can take the CWAP exam without CWNA, but to earn the full CWAP certification, you must hold a current CWNA. Mastering CWNA's RF and 802.11 fundamentals is essential before tackling frame-level analysis.

What tools should I practice with for CWAP?

Essential tools: Wireshark with macOS or Linux monitor mode (or AirPcap on older Windows), Omnipeek, aircrack-ng suite on Kali Linux, Ekahau Sidekick (for integrated survey + capture + spectrum), Metageek Chanalyzer for spectrum analysis, and practice captures of real WPA2 handshakes and OFDMA flows.

What is the CWAP exam cost and validity?

The CWAP-404 exam fee is $275 USD. The certification is valid for 3 years. Recertification requires passing a current CWAP exam or a higher-level CWNP cert (such as CWNE).