Discovering networks by scanning every possible channel and listening for Beacons (passive scanning) is not very efficient. To speed up the discovery process, stations often use what is called active scanning.
In active scanning, stations still go through each channel in turn, but instead of passively listening to the signals on that frequency, the station sends a Probe Request management frame asking what networks are available on that channel.
Probe Requests are sent to the broadcast DA (ff:ff:ff:ff:ff:ff). Once a Probe Request is sent, the STA starts a ProbeTimer countdown and waits for answers. When the timer expires, the STA processes the answers it has received. If no answer was received, the STA moves to the next channel and repeats the discovery process.
A STA sending a Probe Request may specify the SSID it is looking for (called a directed probe request). Then only IBSS STAs or APs that support that SSID will answer. The SSID length can also be set to 0 (i.e. the SSID field is present but empty). This is called a Wildcard SSID or Null Probe Request.
Here is a frame capture of a client association to a BSS, with the Probe Request/Response frames highlighted.
Below is the detail of the Probe Request frame sent by the client. It is a management type frame with subtype value 4. As you can see, the client sends it at 6 Mbps (the lowest rate supported by the client). The address fields are set as below:
Address Field-1 = Receiver Address (= Destination Address) ff:ff:ff:ff:ff:ff
Address Field-2 = Transmitter Address (= Source Address) 84:38:38:58:63:D5
Address Field-3 = BSSID ff:ff:ff:ff:ff:ff
The SSID field is set to “OPEN”, indicating it is a directed probe request. It lists all supported rates, HT Capabilities, Extended Capabilities, VHT Capabilities and other vendor specific attributes of the client.
Here is the full list of information fields that can be in a Probe Request (source: IEEE 802.11-2012). Note that the VHT Capabilities element was added to this list by the 802.11-2013 (802.11ac) amendment.

Here is the Probe Response. As you can see it is sent at 24 Mbps (the AP does not support any rate below that), which is the lowest common rate supported by both STA and AP. The DA field is set to the MAC address of the STA that sent the Probe Request. It has lots of other fields describing the BSS and is very similar to a Beacon frame. But there are three noticeable differences between a Probe Response and a Beacon:
1. The Beacon frame contains a TIM element; the Probe Response does not.
2. The Beacon frame contains a QoS Capability information element (the Probe Response does not).
3. The Probe Response contains the Requested Information elements that may have been requested by the probing station.
Here is the complete list of fields that can be in the frame body of a Probe Response frame (source: IEEE 802.11-2012).

Once the Probe Response is received by the STA, it should send an ACK frame to the AP. This frame is sent at the lowest common rate, which is 24 Mbps in my case.
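To make the frame layout above concrete (the 24-byte management header with Address 1 = RA, Address 2 = TA, Address 3 = BSSID; the SSID element that decides whether a Probe Request is directed or wildcard; and the Timestamp/Beacon Interval/Capability fixed fields plus the TIM element that separate a Beacon from a Probe Response), here is a small parser that handles all three frame types. This is an added example, not code from this post or from the IEEE standard. The sample frames are constructed by hand: there is no radiotap header and no trailing FCS, so offset 0 is the Frame Control field; the STA and AP MAC addresses are borrowed from the capture in this post, while the timestamp, beacon interval, capability and rate values are invented.

```python
"""Parse 802.11 Probe Request / Probe Response / Beacon frames.
Added example (not from the post or the IEEE standard).  Sample frames are
constructed by hand with no radiotap header and no FCS, so offset 0 is the
Frame Control field; MACs come from the post's capture, other values are invented."""
import struct
from dataclasses import dataclass

SUBTYPE_PROBE_REQ, SUBTYPE_PROBE_RESP, SUBTYPE_BEACON = 4, 5, 8
EID_SSID, EID_SUPPORTED_RATES, EID_TIM, EID_EXT_RATES = 0, 1, 5, 50
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def ie(eid: int, data: bytes) -> bytes:
    """Encode one information element: Element ID, Length, payload."""
    return bytes([eid, len(data)]) + data

def build_mgmt(subtype: int, addr1: str, addr2: str, addr3: str, body: bytes) -> bytes:
    """24-byte MAC header (FC, Duration, Addr1-3, Sequence Control) + frame body."""
    fc = bytes([subtype << 4, 0])  # protocol version 0, type 0 = management, no flags
    return (fc + struct.pack("<H", 0) + mac_to_bytes(addr1) + mac_to_bytes(addr2)
            + mac_to_bytes(addr3) + struct.pack("<H", 0) + body)

def parse_ies(body: bytes) -> list:
    """Walk the ID/Length/payload elements, rejecting a Length that overruns the frame."""
    ies, off = [], 0
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("truncated element header")
        eid, length = body[off], body[off + 1]
        off += 2
        if off + length > len(body):
            raise ValueError(f"element {eid} claims {length} bytes past end of frame")
        ies.append((eid, body[off:off + length]))
        off += length
    return ies

@dataclass
class MgmtFrame:
    subtype: int
    addr1: str   # Receiver Address (= DA here)
    addr2: str   # Transmitter Address (= SA)
    addr3: str   # BSSID
    fixed: dict  # Timestamp / Beacon Interval / Capability (Probe Response and Beacon only)
    ies: list    # [(element id, payload bytes), ...]

def parse_mgmt(frame: bytes) -> MgmtFrame:
    if len(frame) < 24:
        raise ValueError("shorter than a management MAC header")
    fc0 = frame[0]
    if fc0 & 0x03 or (fc0 >> 2) & 0x03 != 0:
        raise ValueError("not a protocol-version-0 management frame")
    subtype = fc0 >> 4
    addr1, addr2, addr3 = (mac_to_str(frame[i:i + 6]) for i in (4, 10, 16))
    body, fixed = frame[24:], {}
    if subtype in (SUBTYPE_PROBE_RESP, SUBTYPE_BEACON):
        if len(body) < 12:
            raise ValueError("missing Timestamp/Beacon Interval/Capability fields")
        ts, interval, cap = struct.unpack_from("<QHH", body, 0)
        fixed = {"timestamp": ts, "beacon_interval_tu": interval, "capability": cap}
        body = body[12:]
    return MgmtFrame(subtype, addr1, addr2, addr3, fixed, parse_ies(body))

def probe_request_kind(f: MgmtFrame) -> str:
    """'directed:<SSID>' for a directed probe, 'wildcard' for an empty SSID element."""
    ssid = next((d for eid, d in f.ies if eid == EID_SSID), None)
    if f.subtype != SUBTYPE_PROBE_REQ or ssid is None:
        raise ValueError("not a Probe Request carrying an SSID element")
    return "wildcard" if not ssid else "directed:" + ssid.decode("utf-8", "replace")

def supported_rates_mbps(f: MgmtFrame) -> list:
    """Rates in Mbps from (Extended) Supported Rates; bit 7 marks a BSS basic rate."""
    return sorted({(r & 0x7F) / 2 for eid, d in f.ies
                   if eid in (EID_SUPPORTED_RATES, EID_EXT_RATES) for r in d})

def has_tim(f: MgmtFrame) -> bool:
    return any(eid == EID_TIM for eid, _ in f.ies)

# Constructed sample frames (STA and AP MACs taken from the post's capture).
STA, AP = "84:38:38:58:63:d5", "88:38:61:99:1a:af"
RATES = ie(EID_SUPPORTED_RATES, bytes([0x0C, 0x12, 0x18, 0x24]))  # 6, 9, 12, 18 Mbps
PROBE_REQ_DIRECTED = build_mgmt(SUBTYPE_PROBE_REQ, BROADCAST, STA, BROADCAST,
                                ie(EID_SSID, b"OPEN") + RATES)
PROBE_REQ_WILDCARD = build_mgmt(SUBTYPE_PROBE_REQ, BROADCAST, STA, BROADCAST,
                                ie(EID_SSID, b"") + RATES)
BSS_FIXED = struct.pack("<QHH", 0x1234, 100, 0x0001)  # timestamp, 100 TU interval, ESS bit
PROBE_RESP = build_mgmt(SUBTYPE_PROBE_RESP, STA, AP, AP,
                        BSS_FIXED + ie(EID_SSID, b"OPEN") + RATES)
BEACON = build_mgmt(SUBTYPE_BEACON, BROADCAST, AP, AP, BSS_FIXED + ie(EID_SSID, b"OPEN")
                    + RATES + ie(EID_TIM, bytes([0, 1, 0, 0])))  # DTIM count/period, bitmap

if __name__ == "__main__":
    for raw in (PROBE_REQ_DIRECTED, PROBE_REQ_WILDCARD, PROBE_RESP, BEACON):
        f = parse_mgmt(raw)
        print(f.subtype, f.addr1, "->", f.addr3, f.fixed, [eid for eid, _ in f.ies])
```

The part worth copying into any tool that consumes captured management frames is the bounds checking in parse_ies: every information element advertises its own Length byte, and a parser that trusts it will read past the end of a short or malformed frame. Feeding real captures in is a matter of stripping the radiotap header and the 4-byte FCS before calling parse_mgmt; the transmit rate (6 Mbps vs 24 Mbps above) lives in the radiotap header, not in the 802.11 frame itself, so it is not something this parser can report.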
Here is the Probe Response from BSSID 88:38:61:99:1A:AF, which is advertising the SSID “OPEN”.
Here is the Probe Response from BSSID 88:38:61:99:1A:AE, which is advertising the SSID “MRN-EAP”.
References
1. CWAP Official Study Guide – Chapter 4
2. IEEE 802.11-2012 Standard