WiFi 5 (802.11ac) Explained
The 5 GHz Leap
802.11ac, branded as WiFi 5 by the Wi-Fi Alliance, was ratified in 2013 and made a deliberate choice: 5 GHz only. Unlike 802.11n, which operated on both 2.4 GHz and 5 GHz, the 802.11ac specification defines operation exclusively on the 5 GHz band.
This was not arbitrary. The 5 GHz band has far more available spectrum than 2.4 GHz. While 2.4 GHz offers only three non-overlapping 20 MHz channels, 5 GHz provides up to 25 non-overlapping 20 MHz channels (depending on regulatory domain). That additional spectrum is what makes 80 MHz and 160 MHz channels possible - features that define 802.11ac's performance.
The trade-off is physics. 5 GHz signals attenuate faster than 2.4 GHz. They penetrate walls and floors less effectively. A 5 GHz network has shorter range than a 2.4 GHz network under the same conditions. This is why most routers labeled "802.11ac" actually run dual-band - 802.11ac on 5 GHz alongside 802.11n on 2.4 GHz for coverage.
MU-MIMO - Serving Multiple Clients
802.11n's MIMO was single-user (SU-MIMO): the access point communicated with one client at a time using multiple spatial streams. Even with four antennas, all four streams went to the same device.
802.11ac introduced MU-MIMO (Multi-User MIMO), which allows the access point to transmit to multiple clients simultaneously. A 4x4 access point can send two streams to one client and two streams to another at the same time, or one stream each to four clients.
Important limitations: MU-MIMO in 802.11ac works on downlink only (access point to clients). Uplink is still single-user. And both the access point and the clients must support MU-MIMO - most consumer devices in the WiFi 5 era were 1x1 or 2x2, limiting the practical benefit. MU-MIMO requires explicit beamforming feedback from each client, which adds overhead.
In practice, MU-MIMO in WiFi 5 provided modest improvements in dense environments. The real benefit of MU-MIMO would come later with WiFi 6, which added uplink MU-MIMO and OFDMA for more efficient multi-user access.
graph TD
subgraph "SU-MIMO - 802.11n"
AP1[Access Point] -->|All 4 streams| C1[Client 1]
C2[Client 2] -.->|Waits| AP1
C3[Client 3] -.->|Waits| AP1
end
subgraph "MU-MIMO - 802.11ac"
AP2[Access Point] -->|2 streams| D1[Client 1]
AP2 -->|1 stream| D2[Client 2]
AP2 -->|1 stream| D3[Client 3]
end
subgraph "Key Difference"
E["SU-MIMO: one client at a time"]
F["MU-MIMO: multiple clients simultaneously"]
G["802.11ac MU-MIMO: downlink only"]
end
SU-MIMO serves one client with all streams while MU-MIMO divides streams across multiple clients
Wider Channels - 80 and 160 MHz
802.11n maxed out at 40 MHz channels. 802.11ac doubled that to 80 MHz as the default and offered 160 MHz as an option. Wider channels mean more bandwidth per transmission.
An 80 MHz channel carries about twice the data of a 40 MHz channel at the same modulation rate. A 160 MHz channel doubles that again. Combined with 256-QAM modulation (which packs more bits per symbol than 802.11n's 64-QAM), a single 160 MHz stream in 802.11ac delivers significantly more throughput than a single 40 MHz stream in 802.11n.
The challenge with wide channels is availability. An 80 MHz channel occupies four contiguous 20 MHz channels. A 160 MHz channel occupies eight. In the 5 GHz band, finding eight contiguous clear channels is difficult in environments with multiple access points or where DFS (Dynamic Frequency Selection) channels are restricted.
802.11ac also introduced 80+80 MHz mode, where two non-contiguous 80 MHz channels are bonded together to form a 160 MHz channel. This is more flexible than contiguous 160 MHz but adds complexity to the radio hardware.
graph LR
subgraph "Channel Width Evolution"
subgraph "802.11a/g"
A["20 MHz"]
end
subgraph "802.11n"
B["20 MHz"] --> C["40 MHz"]
end
subgraph "802.11ac"
D["20 MHz"] --> E["40 MHz"] --> F["80 MHz"] --> G["160 MHz"]
end
end
subgraph "Throughput Impact"
H["20 MHz: ~86 Mbps per stream"]
I["40 MHz: ~200 Mbps per stream"]
J["80 MHz: ~433 Mbps per stream"]
K["160 MHz: ~866 Mbps per stream"]
end
Channel width progression and approximate single-stream throughput at each width
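The per-stream figures above can be derived from the 802.11ac OFDM parameters. The following is an added example, not code from the original article; the subcarrier counts, MCS rows and symbol times are standard 802.11ac values that the article does not list, and the integer check models only the rule that makes MCS 9 unavailable on a single 20 MHz stream (the standard excludes a few other combinations).

```python
from fractions import Fraction

# Data subcarriers per 802.11ac (VHT) channel width in MHz.
DATA_SUBCARRIERS = {20: 52, 40: 108, 80: 234, 160: 468}
# The two 256-QAM rows of the VHT MCS table: index -> (bits per subcarrier, coding rate).
MCS_256QAM = {8: (8, Fraction(3, 4)), 9: (8, Fraction(5, 6))}
# OFDM symbol time in microseconds: 3.2 us of data plus a 0.4 or 0.8 us guard interval.
SYMBOL_US = {"short": Fraction(36, 10), "long": Fraction(4)}


def vht_rate_mbps(width_mhz, mcs, streams=1, gi="short"):
    """PHY rate in Mbit/s: subcarriers * bits * coding rate * streams / symbol time."""
    bits, coding = MCS_256QAM[mcs]
    data_bits = DATA_SUBCARRIERS[width_mhz] * bits * coding * streams
    if data_bits.denominator != 1:
        # A symbol must carry a whole number of data bits, otherwise the MCS is not defined.
        raise ValueError(f"MCS {mcs} is not defined for {width_mhz} MHz x {streams} stream(s)")
    return float(data_bits / SYMBOL_US[gi])


def best_256qam_rate(width_mhz, streams=1):
    """Highest 256-QAM rate for this width, falling back from MCS 9 to MCS 8."""
    for mcs in (9, 8):
        try:
            return round(vht_rate_mbps(width_mhz, mcs, streams), 1)
        except ValueError:
            continue
    raise ValueError("no 256-QAM rate available")


def per_stream_table():
    """Single-stream, short-guard-interval rate for each channel width."""
    return {width: best_256qam_rate(width) for width in DATA_SUBCARRIERS}


if __name__ == "__main__":
    for width, rate in per_stream_table().items():
        print(f"{width:>3} MHz: {rate} Mbit/s per stream")
    print("3 streams at 80 MHz: ", best_256qam_rate(80, streams=3), "Mbit/s")
    print("8 streams at 160 MHz:", best_256qam_rate(160, streams=8), "Mbit/s")
```

The 20 MHz row lands on MCS 8 (about 86.7 Mbit/s) because MCS 9 fails the integer check there, which is why that figure is not simply half of the 40 MHz rate.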
Beamforming - Standard at Last
Beamforming was optional and poorly standardized in 802.11n. Different manufacturers implemented incompatible versions. 802.11ac fixed this by defining a single, mandatory beamforming mechanism: explicit beamforming with compressed feedback.
The process: the access point sends a sounding frame. The client measures the channel and sends back a compressed feedback matrix describing the channel characteristics. The access point uses this matrix to calculate the optimal phase and amplitude for each antenna, focusing the signal toward the client.
The practical effect is improved signal strength at the client. A beamformed signal can be 3-6 dB stronger than an omnidirectional transmission, which translates to better range or higher data rates at the same distance. For WiFi 5 devices, beamforming is one of the reasons real-world performance exceeded expectations despite the shorter range of 5 GHz.
Wave 1 vs Wave 2
WiFi 5 deployed in two waves, each adding capabilities.
Wave 1 (2013): Up to 80 MHz channels, 3 spatial streams, 256-QAM, SU-MIMO only, explicit beamforming. Maximum theoretical rate: 1.3 Gbps. Most consumer routers from 2013-2015 were Wave 1 products.
Wave 2 (2016): Added 160 MHz channels, a fourth spatial stream, and MU-MIMO. Maximum theoretical rate: 6.9 Gbps (eight streams at 160 MHz - though no single client could use all eight). Wave 2 access points began appearing in enterprise networks in 2016 and consumer products in 2017.
The MU-MIMO in Wave 2 was the marquee feature, but the fourth spatial stream and 160 MHz channels often provided more real-world benefit. MU-MIMO requires compatible clients, precise beamforming, and favorable spatial conditions. Wider channels and more streams help every client.
Security Implications
802.11ac did not introduce new security protocols. It used WPA2 with AES-CCMP, the same as late-era 802.11n. The security implications are primarily about visibility and attack surface.
5 GHz invisibility: Any security tool that operates only on 2.4 GHz cannot see 802.11ac traffic. This includes the BLEShark Nano, ESP32-based scanners, and many cheap USB adapters that only support 2.4 GHz. If a network runs exclusively on 5 GHz (which is uncommon but possible), these tools will not detect it at all.
Dual-band scanning requirement: To assess a WiFi 5 network completely, you need to monitor both bands. The access point may appear on a 2.4 GHz scan (because most routers also broadcast on 2.4 GHz), but clients connected on 5 GHz will be invisible to a 2.4 GHz-only scanner.
Wider channels and capture: Capturing traffic on 80 MHz or 160 MHz channels requires a capture adapter that supports those channel widths in monitor mode. Not all adapters do. Ensure your capture hardware supports the channel width of the target network.
MU-MIMO and sniffing: MU-MIMO transmissions are beamformed to specific clients. A sniffer that is not in the beamformed path may receive a weaker signal or miss frames entirely. Positioning the sniffer near the access point helps, but MU-MIMO fundamentally makes passive capture less reliable than SU-MIMO.
graph TD
subgraph "Security Tool Visibility"
A[WiFi 5 Router - Dual Band]
A -->|2.4 GHz 802.11n| B["Visible to:<br/>BLEShark Nano<br/>ESP32 tools<br/>Any 2.4 GHz adapter"]
A -->|5 GHz 802.11ac| C["Visible to:<br/>Dual-band adapters only<br/>Alfa AWUS036ACH<br/>Enterprise analyzers"]
end
subgraph "What You Miss on 2.4 GHz Only"
D["5 GHz clients"]
E["80/160 MHz channel data"]
F["MU-MIMO transmissions"]
end
C --> D
C --> E
C --> F
2.4 GHz-only tools see the router but miss 5 GHz clients and traffic
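A pre-assessment check for the band and channel-width points above, which also shows how few wide channels remain when DFS channels are avoided (the availability problem from the wider-channels section). This is an added example, not code from the original article: the survey entries and adapter profiles are constructed, and the channel plan and DFS range assume the US (FCC) regulatory domain.

```python
# FCC (US) 5 GHz plan, an assumption of this example; other regulatory domains differ.
VHT_CENTERS = {80: (42, 58, 106, 122, 138, 155), 160: (50, 114)}
DFS_20MHZ = set(range(52, 65, 4)) | set(range(100, 145, 4))  # channels 52-64 and 100-144


def occupied_20mhz(center, width):
    """20 MHz channel numbers covered by a 5 GHz channel of the given width."""
    if width in VHT_CENTERS and center not in VHT_CENTERS[width]:
        raise ValueError(f"{center} is not a valid {width} MHz center channel")
    count = width // 20                  # 80 MHz -> 4 channels, 160 MHz -> 8
    first = center - 2 * (count - 1)
    return [first + 4 * i for i in range(count)]


def clear_centers(width, blocked=DFS_20MHZ):
    """Center channels of this width that avoid every blocked 20 MHz channel."""
    return [c for c in VHT_CENTERS[width]
            if not blocked.intersection(occupied_20mhz(c, width))]


def capture_gaps(survey, adapter):
    """Map each BSS the adapter cannot fully capture to the reason why."""
    gaps = {}
    for bss in survey:
        label = f"{bss['ssid']}@{bss['band']}GHz"
        if bss["band"] not in adapter["bands"]:
            gaps[label] = "band not supported"
        elif bss["width"] > adapter["max_monitor_width"]:
            gaps[label] = f"needs {bss['width']} MHz monitor mode"
    return gaps


# Constructed survey: one dual-band router plus a 5 GHz-only network.
SURVEY = [
    {"ssid": "corp", "band": "2.4", "center": 6, "width": 20},
    {"ssid": "corp", "band": "5", "center": 42, "width": 80},
    {"ssid": "lab", "band": "5", "center": 50, "width": 160},
]
# Hypothetical adapter profiles; real capabilities must be read from the driver.
ONLY_2G = {"bands": {"2.4"}, "max_monitor_width": 20}
DUAL_BAND = {"bands": {"2.4", "5"}, "max_monitor_width": 80}

if __name__ == "__main__":
    print("2.4 GHz only:", capture_gaps(SURVEY, ONLY_2G))
    print("dual-band   :", capture_gaps(SURVEY, DUAL_BAND))
    print("non-DFS 80 MHz centers :", clear_centers(80))
    print("non-DFS 160 MHz centers:", clear_centers(160))
```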
The Dual-Band Reality
Despite 802.11ac being a 5 GHz-only specification, nearly every "802.11ac" router sold is dual-band. They run 802.11n on 2.4 GHz and 802.11ac on 5 GHz simultaneously. This means the access point is always visible on 2.4 GHz, even to tools like the BLEShark Nano that only scan that band.
What the Nano will see: the SSID, the 2.4 GHz channel, WPA2 encryption, and signal strength. What it will not see: how many clients are on 5 GHz, the 5 GHz channel width, or any traffic flowing on the 802.11ac radio.
For a basic site survey - "what networks exist here and how strong are they?" - a 2.4 GHz scan catches nearly everything because nearly every access point broadcasts on 2.4 GHz. For a deep security assessment that needs to analyze client behavior, traffic patterns, and 5 GHz-specific vulnerabilities, you need a dual-band capture setup.
WiFi 5 remains the most common standard in enterprise and high-end consumer routers in 2026. It is gradually being replaced by WiFi 6 and 6E, but the installed base is large. Understanding its capabilities and limitations is essential for anyone doing wireless security work.