WLAN SCANNING (Active vs Passive)
♣ What is SCANNING?
SCANNING is a mechanism to find out APs within range. If STA finds required AP in scan list, then it can be sure that target AP is alive. So STA can proceed for connection if needed.
♣ Is SCANNING STA or AP feature?
In general scanning is performed by client or station to get list of APs. But AP can also do scan.
In this article we will discuss on STA scanning feature only.
♣ How many types of SCANNING are there in 802.11?
There are two types of scanning are there
1. Active scanning.
2. Passive scanning.
Let’s assume there are three APs (2.4Ghz) and one client/STA is there.
AP1 [Broadcast SSID, Channel 1]
AP2 [Broadcast SSID, Channel 11]
AP3 [Hidden SSID, so does not broadcast SSID, Channel 1]
♣ Active SCAN steps:
1. STA sends probe request on first channel 1 of 2.4Ghz band.
There are two types of probe request
♦ In general Probe request is broadcast packet. This means whoever gets this probe request, may (Except hidden SSID AP ex: AP3) reply with probe response to STA.
♦ Probe request can be unicast to particular AP. This type of probe request is called directed probe request.
Let’s think our STA sends broadcast probe request.
2. Now AP1, AP2, AP3 can see this broadcast probe request. So, AP1 replies with probe response frame to STA.
3. STA sends 802.11 ACK to AP1.
4. Now, STA continues to send probe request on channel 2,3,4…11 (or 12,13 if supported).
STA receives probe response from AP2 when probe request was sent on channel 11.
If STA supports 5Ghz, then STA also perform active scan starting from channel 36 to 165 (Depending on supported channel).
5. At last STA collects all AP probe response and make scan list.
This is implementation depended that STA can do scan on all channels or only one channel [Directed Probe Request] or non-overlapping channels only.
Screenshot for Active Scanning
♣ How to trigger Active scanning in STA?
For testing purpose there are some general methods [Linux/Android] to trigger active on STA.
♦ Use below command (wlan0 is Wi-Fi interface name)
“iw wlan0 scan or iwlist wlan0 scan”
♦ Use wpa_supplicant
“wpa_cli –I wlan0 scan”
There are many other methods which can be exposed by vendor.
♣ Passive SCAN steps:
1. If STA is in passive scanning mode then STA does not send any frame in air.
2. STA waits certain time on one supported channel and receive beacon frame broadcasted by AP.
3. Then STA moves to next supported channel (Ch: 1,2,3,…11 or 36…165) and repeat the same.
4. After completing all supported channel STA collects SCAN results.
*For passive scan we do not see any packet in sniffer capture*
♣ How to trigger Passive scanning in STA?
As per knowledge, I have not seen any open source command to put STA into passive scanning mode. Each vendor may have their own command to put device into passive scanning mode. But we can take any android phone Wi-Fi and observe that it does passive scan maximum times.
♣ Which SCANNING is better Active scan or passive scan?
It depends on application. Here are the advantages and disadvantages of these two scanning method.
♦Active scan is quick as STA sends Probe Request and get probe response. But passive scan slower as STA has to wait for beacon in each channel.
♦Passive scan saves more battery as no frame is transmitted in the air.
So battery operated devices should go for passive scanning but the device which needs scan list in short time and does not care about more power consumption should go for active scanning. Or there can be mixture of active or passive scanning. This is again implementation depended.
♣ What is special about directed probe request? When do you need it?
Directed probe request is having below address structure
ADR2 [RA] = Broadcast Address
ADR3 [DA] = Broadcast Address
SSID Field = “AP SSID”
ADR2 [RA] = AP MAC
ADR3 [DA] = AP MAC
SSID Field = “AP SSID”
So, according to our scenario if STA sends directed probe request to AP3 then only AP3 replies with probe response. That means, to get AP details of a hidden ssid, STA has to send directed probe request. In another way we can say, STA must know the hidden ssid name.
Another scenario where STA was previously connected to one AP (Ex: Android Wi-Fi) and now again wants to reconnect to same AP. In this case also before connecting to AP, STA may send one directed probe request to AP to check if AP is alive. This saves time and energy for STA.
Screenshot for directed probe request for above discussed 2nd scenario.
It’s observed that sometimes hidden ssid AP replies to broadcast probe request but does not share AP’s SSID inside probe response.
Scanning is very important part for STA feature. This helps STA to be updated with surrounding APs and other purpose like roaming.
♥♥If you have any doubts or query please let me know in comment section or send mail at firstname.lastname@example.org.♥♥