Tags
Discovering the network by scanning all possible channels & listening to beacons is not considered to be very efficient (passive scanning). To enhance this discovery process, stations often use what is called active scanning.
In Active scanning, stations still go through each channel in turn, but instead of passively listening to the signals on that frequency, station send a Probe Request management frame asking what network is available on that channel.
Probe Request are sent to the broadcast DA address (ff:ff:ff:ff:ff:ff). Once a Probe sent, STA starts a ProbeTimer countdown & wait for answers. At the end of the timer, STA process the answer it has received. If no answers received, STA moves to next channel & repeats the discovery process.
STA sending Probe Request may specify the SSID they looking (called directed probe request). Then only IBSS STA or AP support that SSID will answer. The SSID value can also be set to 0 (ie SSID field is present, but empty). This is called Wildcard SSID or Null Probe Request.
Here is a frame capture of a client association to a BSS. Highlighted the Probe Request/Response frames.
Below shows the detail of Probe Request frame sent by the client which is a management type with subtype value of 4. As you can see client is sending it 6Mbps (lowest supported rate by the client). Address fields are set like below
Address Field-1 = Receiver Address (= Destination Address) ff:ff:ff:ff:ff:ff
Address Fiedl-2 = Transmitter Address (=Source Address) 84:38:38:58:63:D5
Address Field-3 = BSSID ff:ff:ff:ff:ff:ff
SSID field set to “OPEN” indicating it is a directed probe request. It list all supported rates, HT capabilities, Extended Capabilities, VHT Capabilities & other vendor specific attributes of the client.
Here is the full list of information fields that can be in a Probe Request (source IEEE 802.11-2012). Note that VHT capability element added to this list in 802.11-2013 (802.11ac) amendment.
Here is the Probe Response. As you can see it send 24Mbps (as AP does not support any rates below that) which is lowest common rate supported by both STA & AP. DA field is set to the STA mac from which the probe request was sent. It has lots of other fields to describe the BSS & it is very similar to a Beacon frame fields. But there are 3 noticable differences between Probe Response & Beacon
1. The beacon frame contain a TIM, the probe response does not
2. The beacon frame contain a QoS Capability information Element
3. The probe response contain the Requested Information elements that may have been requested by the probing station.
Here is the complete list of field that can be in the frame body of a Probe Response frame. (source IEEE 802.11-2012)
Once Probe Response received by the STA, it should send an ACK frame to the AP. This frame sent on lowest common rate which is 24Mbps in my case.
Below shows the frame capture of same client sending null probe request & receiving probe responses from all BSSID operating in that channel. (In my case two BSSID responds)
Here is the Probe request detail in this case. Note that SSID field set to 0 & sent in in lowest rate supported by client which is 6Mbps in this case.
Here is the Probe Response came from BSSID (88:38:61:99:1A:AF) which is advertising SSID named “OPEN“
Here is the Probe Response came from BSSID(88:38:61:99:1A:AE) which is advertising SSID named “MRN-EAP“
References
1. CWAP Official Study Guide – Chapter 4
2. IEEE 802.11-2012 Standard
Related Posts
1. 802.11 Mgmt Frame Types
2. 802.11 Mgmt : Beacon
3. 802.11 Mgmt : Association Req/Res
4. 802.11 Mgmt : Authentication Frame
5. 802.11 Deauthentication & Disassociation
6. 802.11 Mgmt : Information Elements
7. 802.11 Mgmt : Action Frames
8. 802.11 Mgmt : Spectrum & TPC
9. 802.11 Mgmt : Admission Control
mrn-cciew 
Dear Rasika,
Shouldn’t the AP answer the PROBE REQUEST with the lowest mandatory (!) rate?
Thx. in advance …
when 2 AP sends a probe response, which one STA connects to and on what basis it makes decision.
It is based on how these end device wifi driver is programmed to work. Below information regarding apple devices, you can get an idea
https://support.apple.com/en-us/HT202831
HTH
Rasika
Woudln’t the STA response be sent to the first AP, and if all packets are faster from that first AP, I would think the first AP would be associated? I think Nayarasi point should be considered, as many settings on client and client behavior can affect the AP chosen.
the apple link on preference , that is interesting!
I’m a a newbie, I need this for my study. How you send the probe request message? Is there any tool for send probe request? Can it be send to specific MAC Address of an access point?
Hi Fahmi,
Probe request sent by any wireless client device looking for an SSID to connect.
AP will respond to that frame
HTH
Rasika
Hello, I would like to discuss a problem with you: we can get ssid which the device has been connected through capture probe req.so,is there any way that you can get the mac address of ssid which the device has been connected ?I hope to receive your reply as soon as possible.
If you look at any response frames coming from AP you will see it as source MAC or under BSSID field
HTH
Rasika
Hello,my question is about the mac address of ssid in the probe req which the device send,but I found that all of the bssid under the probe req request are ff:ff:ff:ff:ff:ff:ff,so iis there any way to get the real mac address of ssid in the probe req ?
Hope to get your reply as soon as possible, you are my idol! ^_^
Hi, Your device is doing active scanning. So, the client will scan all the channels actively and sends probe request on all the channels looking for an SSID.
At this stage you will not be able to see the BSSID/ MAC address of the SSID.
You have to check the probe response frame coming from the AP for the BSSID info.
Regards,
Anusha
Thank you very much for the posts.
I would apprecita if you could briefly explain how Duration fields are calculated in probe request/request. I see on the screenshots that in probe request it is 0 and in probe response it is 44. how 44is calculated here?
Hi,
Is there any way to extract this IE’s information through some commands like iw or uci in linux?
Will WPA2PSK/WPA2 Enterprise securities work with passive scanning?
It should work. Only thing is passive scan is slow as it has to scan all available channel prior to association.
HTH
Rasika
Hi,
What is the use case of Null Probe Request in wlan?
Ideally when you send null probe request, you expect prob responses on all SSIDs advertise by AP. Due to security reason, certain vendors AP will not respond to Null Probe Request.
HTH
Rasika
Hello, I have a question about sending probe signals. I know ‘beacon’ signals transmitted like Non-HT format which means it has preamble before it.I wonder same thing applies for probe request/response?
All management and control frames are send on legacy data rates & only primary channel (no channel bonding or no MCS rates)
HTH
Rasika
Hi Rasika,
what is the actual requirement of directed probe request ?
Since after active scanning anyways STA client will send a authentication request , why does STA send directed probe request to AP before connection trigger
Even in the active scanning you discover SSID, prior to connection client want to reconfirm settings. hence sending probe req (AP respond with probe response)
HTH
Rasika
Hi Rasika,
What happens if SSID is hidden and client sends a wildcard probe request? Is the AP obligated to send SSID info in probe response?
It is depend on different vendor, certain vendors AP may not respond, some may do respond
HTH
Rasika
Question: If an AP has chosen to hide its SSID, thus the beacon frame is sending out NULL as the network name, then if a device sends a probe request to NULL, does the AP typically respond to a request? Does it *have* to respond to the request?
It depends on AP vendor, Cisco normally respond to such null probe request
HTH
Rasika
Hi Can You update this article for 2023 with new version of wireshark?
The Wireshark version should not make any difference to those packets. The only thing is if you got WiFi6 or WiFi6E APs, you will have additional information elements compared to WiFi4 or WiFi5 AP models.
HTH
Rasika