WLAN SCANNING (Active vs Passive)

Categories: Scanning, WLAN, WLAN Basic


SCANNING is the mechanism a STA uses to find the APs within range. If the STA finds the required AP in its scan list, it can be sure that the target AP is alive, and it can proceed with the connection if needed.

♣ Is SCANNING STA or AP feature?

In general, scanning is performed by the client or station to get a list of APs, but an AP can also scan.

In this article we will discuss the STA scanning feature only.

♣ How many types of SCANNING are there in 802.11?

There are two types of scanning:

1. Active scanning.

2. Passive scanning.

♣ Scenario:

Let’s assume there are three APs (2.4 GHz) and one client/STA.

AP1 [Broadcast SSID, Channel 1]

AP2 [Broadcast SSID, Channel 11]

AP3 [Hidden SSID, so does not broadcast SSID, Channel 1]

♣ Active SCAN steps:

1. The STA sends a probe request on channel 1, the first channel of the 2.4 GHz band.

There are two types of probe request:

♦ In general a probe request is a broadcast packet. This means whoever receives this probe request may reply with a probe response to the STA (except an AP with a hidden SSID, e.g. AP3).

♦ A probe request can also be unicast to a particular AP. This type of probe request is called a directed probe request.

Let’s assume our STA sends a broadcast probe request.

2. Now AP1, AP2 and AP3 can see this broadcast probe request, and AP1 replies with a probe response frame to the STA.

3. STA sends 802.11 ACK to AP1.

4. Now the STA continues to send probe requests on channels 2, 3, 4 … 11 (or 12, 13 if supported).

The STA receives a probe response from AP2 when the probe request is sent on channel 11.

If the STA supports 5 GHz, it also performs an active scan from channel 36 to channel 165 (depending on the supported channels).

5. Finally, the STA collects all the AP probe responses and builds the scan list.

It is implementation dependent whether the STA scans all channels, only one channel [directed probe request], or only the non-overlapping channels.

[Screenshot: sniffer capture of active scanning]

♣ How to trigger Active scanning in STA?

For testing purposes there are some general methods [Linux/Android] to trigger an active scan on the STA.

♦ Use one of the commands below (wlan0 is the Wi-Fi interface name):

iw wlan0 scan

iwlist wlan0 scan

♦ Use wpa_supplicant:

wpa_cli -i wlan0 scan

Vendors may expose many other methods.
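The scan list that `iw wlan0 scan` prints is plain text, one indented block per BSS. The parser below is an added example for this post (it is not code from the original page or from the iw project). It turns that text into a scan list, maps the reported centre frequency back to a channel number, and flags hidden SSIDs, which iw prints either as an empty SSID line or as a run of `\x00`. The embedded sample output is constructed to match the scenario above (AP1 on channel 1, AP2 on channel 11, AP3 hidden on channel 1); its layout follows iw's output format, but the BSSIDs and signal levels are made up.

```python
"""Parse the output of `iw wlan0 scan` into a scan list.

Added example; not code from the original post or from the iw project.
SAMPLE_IW_SCAN is constructed: layout follows iw's output, values are made up.
"""
import re
import subprocess

SAMPLE_IW_SCAN = """\
BSS 02:00:00:00:01:01(on wlan0)
\tTSF: 123456789 usec (0d, 00:02:03)
\tfreq: 2412
\tbeacon interval: 100 TUs
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tsignal: -45.00 dBm
\tlast seen: 120 ms ago
\tSSID: AP1
\tDS Parameter set: channel 1
\tRSN:\t * Version: 1
\t\t * Group cipher: CCMP
\t\t * Pairwise ciphers: CCMP
\t\t * Authentication suites: PSK
BSS 02:00:00:00:02:02(on wlan0)
\tfreq: 2462
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tsignal: -60.00 dBm
\tSSID: AP2
\tDS Parameter set: channel 11
BSS 02:00:00:00:03:03(on wlan0)
\tfreq: 2412
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tsignal: -52.00 dBm
\tSSID: \\x00\\x00\\x00
\tDS Parameter set: channel 1
"""


def freq_to_channel(freq_mhz: int) -> int:
    """Map an 802.11 centre frequency in MHz to its channel number."""
    if freq_mhz == 2484:
        return 14                               # channel 14 (Japan only)
    if 2412 <= freq_mhz <= 2472:
        return (freq_mhz - 2407) // 5           # 2.4 GHz channels 1..13
    if 5000 <= freq_mhz <= 5900:
        return (freq_mhz - 5000) // 5           # 5 GHz channels 36..
    raise ValueError(f"unsupported frequency: {freq_mhz} MHz")


def is_hidden_ssid(raw: str) -> bool:
    """iw prints a hidden SSID as an empty string or as a run of '\\x00'."""
    return raw == "" or re.fullmatch(r"(\\x00)+", raw) is not None


def parse_iw_scan(text: str) -> list:
    """Return one dict per BSS block in `iw ... scan` output."""
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", line)
        if m:                                   # a new, unindented BSS block
            current = {"bssid": m.group(1), "ssid": "", "hidden": False,
                       "freq": None, "channel": None, "signal_dbm": None,
                       "privacy": False}
            entries.append(current)
            continue
        if current is None:
            continue
        line = line.strip()
        if line.startswith("freq:"):             # newer iw prints "2412.0"
            current["freq"] = int(float(line.split(":", 1)[1]))
            current["channel"] = freq_to_channel(current["freq"])
        elif line.startswith("signal:"):
            current["signal_dbm"] = float(line.split()[1])
        elif line.startswith("SSID:"):
            raw = line[len("SSID:"):].strip()
            current["hidden"] = is_hidden_ssid(raw)
            current["ssid"] = "" if current["hidden"] else raw
        elif line.startswith("capability:"):
            current["privacy"] = "Privacy" in line   # security enabled
    return entries


def scan_table(entries):
    """(bssid, ssid or '<hidden>', channel, dBm) tuples, strongest first."""
    rows = [(e["bssid"], "<hidden>" if e["hidden"] else e["ssid"],
             e["channel"], e["signal_dbm"]) for e in entries]
    return sorted(rows, key=lambda r: r[3], reverse=True)


def live_scan(ifname="wlan0"):
    """Trigger a real active scan (needs root) and parse its output."""
    out = subprocess.run(["iw", ifname, "scan"], check=True,
                         capture_output=True, text=True).stdout
    return parse_iw_scan(out)


if __name__ == "__main__":
    for row in scan_table(parse_iw_scan(SAMPLE_IW_SCAN)):
        print("%s  %-10s ch%-3d %6.1f dBm" % row)
```

Running the file prints the three constructed entries with AP3 shown as `<hidden>`; `live_scan()` runs the same parser over a real interface. Treating both the empty and the `\x00`-filled forms as hidden matters in practice, because a scan list that reports a blank SSID as a normal network is easy to misread when checking for rogue or hidden APs.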

♣ Passive SCAN steps:

1. If the STA is in passive scanning mode, it does not send any frame over the air.

2. The STA waits a certain time on one supported channel and receives the beacon frames broadcast by APs.

3. Then the STA moves to the next supported channel (Ch: 1, 2, 3 … 11 or 36 … 165) and repeats the same.

4. After completing all supported channels, the STA collects the SCAN results.

*For a passive scan, no packet from the STA is seen in a sniffer capture.*

♣ How to trigger Passive scanning in STA?

To my knowledge, I have not seen any open-source command to put a STA into passive scanning mode. Each vendor may have its own command to put the device into passive scanning mode. But we can take any Android phone’s Wi-Fi and observe that it does passive scans most of the time.

♣ Which SCANNING is better Active scan or passive scan?

It depends on the application. Here are the advantages and disadvantages of the two scanning methods.

♦ Active scan is quick, as the STA sends a probe request and gets a probe response. Passive scan is slower, as the STA has to wait for a beacon on each channel.

♦ Passive scan saves more battery, as no frame is transmitted over the air.

So battery-operated devices should go for passive scanning, while a device that needs the scan list in a short time and does not care about the extra power consumption should go for active scanning. There can also be a mixture of active and passive scanning. This again is implementation dependent.

♣ What is special about directed probe request? When do you need it?

A directed probe request has the address structure below:

ADR2 [RA] = Broadcast Address

ADR3 [DA] = Broadcast Address

SSID Field = “AP SSID”

So, according to our scenario, if the STA sends a directed probe request to AP3, then only AP3 replies with a probe response. That means that to get the details of a hidden-SSID AP, the STA has to send a directed probe request. Put another way, the STA must know the hidden SSID name.

Another scenario is where the STA was previously connected to an AP (e.g. Android Wi-Fi) and now wants to reconnect to the same AP. In this case too, before connecting to the AP, the STA may send one directed probe request to the AP to check whether it is alive. This saves time and energy for the STA.

[Screenshot: directed probe request for the second scenario discussed above]


It has been observed that sometimes a hidden-SSID AP replies to a broadcast probe request but does not include its SSID in the probe response.
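The following model ties together the active scan steps, the passive scan steps and the directed probe request from the sections above. It is an added example, not code from the original post: it represents the three APs of the scenario and one STA as plain Python objects and plays out which frames are exchanged in each kind of scan. Frame fields follow the standard 802.11 address order (addr1 = receiver, addr2 = transmitter, addr3 = BSSID). The MAC addresses, the hidden AP's SSID ("AP3") and the dwell-time units are constructed for the example; the `answers_wildcard` option models the behaviour just noted, where a hidden AP answers a broadcast probe with an empty SSID.

```python
"""Model of the three-AP scan scenario from this post.

Added example; not code from the original post. MAC addresses, the hidden
SSID "AP3" and the dwell units are constructed for illustration.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
STA_MAC = "02:00:00:00:aa:aa"            # constructed
CHANNELS_2G = list(range(1, 12))         # channels 1..11


@dataclass
class Frame:
    kind: str        # "probe_req", "probe_resp" or "beacon"
    addr1: str       # RA / DA
    addr2: str       # TA / SA
    addr3: str       # BSSID
    ssid: str        # "" = wildcard in a probe request, hidden in a beacon
    channel: int


@dataclass
class AccessPoint:
    ssid: str
    bssid: str
    channel: int
    hidden: bool = False
    answers_wildcard: bool = False   # hidden AP that replies with an empty SSID

    def beacon(self) -> Frame:
        """Beacon on the AP's channel; a hidden AP beacons with an empty SSID."""
        return Frame("beacon", BROADCAST, self.bssid, self.bssid,
                     "" if self.hidden else self.ssid, self.channel)

    def handle_probe_request(self, req: Frame):
        """Return a probe response, or None when the AP stays silent."""
        if req.channel != self.channel:
            return None                          # AP is not on that channel
        if req.addr1 not in (BROADCAST, self.bssid):
            return None                          # unicast to some other AP
        wildcard = req.ssid == ""
        if not wildcard and req.ssid != self.ssid:
            return None                          # directed at a different SSID
        if wildcard and self.hidden:
            if not self.answers_wildcard:
                return None                      # hidden AP ignores broadcast probes
            return Frame("probe_resp", req.addr2, self.bssid, self.bssid,
                         "", self.channel)       # replies, but withholds the SSID
        return Frame("probe_resp", req.addr2, self.bssid, self.bssid,
                     self.ssid, self.channel)


@dataclass
class Station:
    mac: str
    scan_list: dict = field(default_factory=dict)  # bssid -> (ssid, channel)
    frames_sent: int = 0
    dwell_units: int = 0

    def _record(self, f: Frame) -> None:
        self.scan_list[f.addr3] = (f.ssid, f.channel)

    def active_scan(self, aps, channels=CHANNELS_2G, ssid="", addr1=BROADCAST):
        """One probe request per channel, then collect the responses.

        ssid="" is the broadcast probe request; a non-empty ssid makes it a
        directed probe request, which is how a hidden SSID gets into the list."""
        for ch in channels:
            req = Frame("probe_req", addr1, self.mac, addr1, ssid, ch)
            self.frames_sent += 1
            self.dwell_units += 1                # short wait for responses
            for ap in aps:
                resp = ap.handle_probe_request(req)
                if resp is not None:
                    self._record(resp)
        return self.scan_list

    def passive_scan(self, aps, channels=CHANNELS_2G, dwell_per_channel=10):
        """Listen on each channel long enough to hear a beacon; send nothing."""
        for ch in channels:
            self.dwell_units += dwell_per_channel
            for ap in aps:
                if ap.channel == ch:
                    self._record(ap.beacon())
        return self.scan_list


def run_scenario():
    """AP1 ch1, AP2 ch11, AP3 hidden on ch1; return the three STA runs."""
    aps = [AccessPoint("AP1", "02:00:00:00:01:01", 1),
           AccessPoint("AP2", "02:00:00:00:02:02", 11),
           AccessPoint("AP3", "02:00:00:00:03:03", 1, hidden=True)]
    active, passive, directed = Station(STA_MAC), Station(STA_MAC), Station(STA_MAC)
    active.active_scan(aps)                               # broadcast probes
    passive.passive_scan(aps)                             # beacons only
    directed.active_scan(aps, channels=[1], ssid="AP3")   # directed probe to AP3
    return active, passive, directed


if __name__ == "__main__":
    for name, sta in zip(("active", "passive", "directed"), run_scenario()):
        print(f"{name}: {sta.frames_sent} frames sent, {sta.dwell_units} dwell "
              f"units, scan list {sta.scan_list}")
```

Running it shows the three outcomes the post describes: the broadcast active scan lists AP1 and AP2 after 11 probe requests, the passive scan transmits nothing, takes far longer (in the model's abstract dwell units) and lists all three BSSIDs but with an empty SSID for AP3, and the single directed probe request on channel 1 is the only exchange that returns AP3's SSID.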


Scanning is a very important part of STA functionality. It keeps the STA updated on the surrounding APs and serves other purposes such as roaming.

♥♥If you have any doubts or query please let me know in comment section or send mail at feedback@wifisharks.com.♥♥

6 comments on “WLAN SCANNING (Active vs Passive)”



    • April 25, 2021 at 10:47 pm

    Please explain the Roaming feature.


      • October 3, 2022 at 12:10 pm

      We have an ideal data rate for 2×2 11n20 of 144 Mbps, but we get around ~100. Why?


        • October 3, 2022 at 10:16 pm

        Thanks for reading the post.

        Yes, as per the MCS table [https://mcsindex.com/],
        the 2×2 11n HT20 data rate is 144.4 Mbps. This is called the theoretical PHY data rate.

        But when you measure throughput using iperf or Ixia Chariot, it will be less than 144.4 Mbps.
        There are many reasons for this.

        Let’s assume the STA is sending UDP packets to the AP and got 100 Mbps throughput in iperf.

        -> When the STA sends UDP packets, it’s not only data. Along with the data there are the 802.11 MAC header and other OSI layer headers. That is called overhead.

        -> If WLAN security is enabled then an extra header is added. Read section C -> Q11 from “https://wifisharks.com/2021/01/03/wlan-interview-questions-set-1/”

        -> Now when the STA sends data there is an ACK or BA for that data. That is also overhead on the data.

        -> There are also PHY layer delays like CSMA/CA for 802.11.

        Overall these are the basic factors. There are more depending on the scenario.

        Always, actual throughput < PHY data rate. If you want to debug low throughput then here is the post for this: https://wifisharks.com/2021/07/23/how-to-debug-wlan-throughput/



    • October 25, 2020 at 11:41 am

    Nice article for wifi scanning.


      • October 26, 2020 at 1:37 pm

      Thanks for reading, Supriya.
