What I want to understand is how to determine clients that associated/connected to an AP using network traffic.
For clarification: I am not connected to the network. I am using a usb card on monitor mode and capturing traffic using wireshark. I choose some AP I saw on the traffic and filtered all traffic relevant to it. I am trying to understand, using this data, what clients are connected to this AP.
Hope you guys understand what I mean.
You should look for the association request and association response 802.11 packets in your sniffed list. Basically, client sends the association request and AP replies with the response (you can parse the response according to the 802.11 to find out whether association was granted or rejected. The client will normally be connected to the AP until deauthentication packet arrives from the AP.