How to find out encapsulated protocol inside IEEE802.11 Frame?


For 802.11 frames that are encapsulating data, the header type/subtype will be between 0x20 and 0x2F (although the frame is usually 0x20 (Data) or 0x28 (QoS-Data)). There will be a 5-byte SNAP header which will contain the type of payload (as mentioned in this answer). If the OID (first three bytes of the SNAP header) is 0x000000, then the next two bytes are the Ethernet Type.

The Ethernet Type would be 0x888e for EAPoL (source). That is the field you would inspect to know the encapsulated protocol (0x0800 for IP, 0x0806 for ARP, etc.).

Here is a good Cisco doc on Ethernet types and how you can use them to filter certain protocols: http://www.cisco.com/c/en/us/td/docs/ios/12_2/ibm/vol1/command/reference/fibm_r1/br1fethc.pdf.

Here is a good Cisco doc on wireless sniffer traces that include a description of the 802.11 type/subtype fields: https://supportforums.cisco.com/document/52391/80211-frames-starter-guide-learn-wireless-sniffer-traces.


Data of IEEE 802.11 data packets is encapsulated in an LLC header (see here):

An 802.11 frame should contain an LLC header if, and only if, it's a Data frame. The frame type and subtype are part of the Frame Control field in the MAC header; Data is one of the frame type values (the others are Control and Management). The subtype doesn't matter - all Data frames should contain an LLC header, and no other frames should.

There are two kinds of LLC header: 3 bytes and 8 bytes. IEEE 802.11 uses the second one (see here). In that one, the last two bytes of the LLC header are equivalent to the Ether Type field in the Ethernet protocol. So 0x800 for this field means IPv4, for example.
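
An added example, not part of either answer above: a Python sketch of the lookup both answers describe, which checks that the frame is a Data frame, skips the MAC header, and reads the EtherType from the 8-byte LLC/SNAP header. It assumes the buffer starts at the Frame Control field (any radiotap header already stripped) and that the payload is not an A-MSDU; the function names and sample frames are constructed for illustration.

```python
import struct

# EtherTypes named in the answers above, plus IPv6; extend as needed.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x888E: "EAPoL", 0x86DD: "IPv6"}

def encapsulated_protocol(frame):
    """Return (type_subtype, ethertype, name); ethertype is None if unreadable."""
    if len(frame) < 24:
        return None, None, "truncated"
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    type_subtype = (ftype << 4) | subtype   # 0x20 = Data, 0x28 = QoS Data
    if ftype != 2:
        return type_subtype, None, "not a Data frame"
    if subtype & 0x4:                       # Null / QoS Null variants
        return type_subtype, None, "Null subtype, no payload"
    if flags & 0x40:                        # Protected: LLC is inside ciphertext
        return type_subtype, None, "Protected bit set, payload encrypted"
    hdr = 24                                # FC, duration, 3 addresses, seq ctl
    if (flags & 0x03) == 0x03:              # ToDS and FromDS: Address 4 present
        hdr += 6
    if subtype & 0x8:                       # QoS Control field
        hdr += 2
        if flags & 0x80:                    # Order bit on QoS frame: HT Control
            hdr += 4
    llc = frame[hdr:hdr + 8]
    if len(llc) < 8 or llc[:3] != b"\xaa\xaa\x03":
        return type_subtype, None, "no LLC/SNAP header"
    if llc[3:6] != b"\x00\x00\x00":         # OID must be zero for an EtherType
        return type_subtype, None, "non-zero SNAP OID"
    (ethertype,) = struct.unpack("!H", llc[6:8])
    return type_subtype, ethertype, ETHERTYPES.get(ethertype, "unknown")

def mac_header(fc0, flags, qos=False):
    """Constructed MAC header with placeholder addresses (sample data only)."""
    hdr = bytes([fc0, flags]) + b"\x00\x00" + b"\x02" * 18 + b"\x10\x00"
    return hdr + (b"\x00\x00" if qos else b"")

# Constructed sample frames, not taken from a real capture.
SNAP = bytes.fromhex("aaaa03000000")
EAPOL_FRAME = mac_header(0x88, 0x01, qos=True) + SNAP + b"\x88\x8e" + b"\x01\x03\x00\x00"
ARP_FRAME = mac_header(0x08, 0x02) + SNAP + b"\x08\x06" + b"\x00" * 28
BEACON_FRAME = mac_header(0x80, 0x00) + b"\x00" * 12
PROTECTED_FRAME = mac_header(0x88, 0x41, qos=True) + b"\x5a" * 16

if __name__ == "__main__":
    for f in (EAPOL_FRAME, ARP_FRAME, BEACON_FRAME, PROTECTED_FRAME):
        print(encapsulated_protocol(f))
```

On a protected frame the EtherType cannot be read without decrypting first, which is why the function reports the reason instead of guessing from ciphertext bytes.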