MRL Wiki	Main Page | About | Help | FAQ | Special pages | Log in
	Printable version | Disclaimers | Privacy policy

Wireless Scan

From MRL Wiki

Wireless Scan is the process of identifying wireless access point located within the vicinity of a radio performing the scan. Both Active and Passive wireless scanners exist. Active Scanners such as Netstumbler perform continuous broadcast probe requests in hopes to receive probe responses from participating access points. Passive Scanners such as Kismet passively analyze all wireless data in order to extract relevant information about surrounding wireless infrastructure. It is important to note that Passive Scanners are known to present a much more complete picture of surrounding access points as well as additional information such as associated clients, network addressing scheme, etc.

Contents 1 Active Wireless Scan 1.1 Probe Requests/Responses 2 Passive Wireless Scan 2.1 Beacons 2.2 Data Packets

[edit] Active Wireless Scan

[edit] Probe Requests/Responses

[edit] Passive Wireless Scan

[edit] Beacons

Beacon frames are sent out periodically by APs in order to announce their existence and contains a wealth of information useful for identification of a wireless network. Below is a packet capture of a beacon frame:

IEEE 802.11
    Type/Subtype: Beacon frame (8)
    Frame Control: 0x0080 (Normal)
    Duration: 0
    Destination address: Broadcast (ff:ff:ff:ff:ff:ff)
    Source address: Netgear_99:80:a2 (00:14:6c:XX:XX:XX)
    BSS Id: Netgear_99:80:a2 (00:14:6c:XX:XX:XX)
    Fragment number: 0
    Sequence number: 248
    Frame check sequence: 0xfc94a275 [correct]
IEEE 802.11 wireless LAN management frame
    Fixed parameters (12 bytes)
        Timestamp: 0x0000000009E34181
        Beacon Interval: 0.102400 [Seconds]
        Capability Information: 0x0431
    Tagged parameters (126 bytes)
        SSID parameter set: "netgear"
        Supported Rates: 1.0(B) 2.0(B) 5.5(B) 11.0(B) 6.0 12.0 24.0 36.0 
        DS Parameter set: Current Channel: 1
        (TIM) Traffic Indication Map: DTIM 0 of 1 bitmap empty
        ERP Information: no Non-ERP STAs, do not use protection, short or long preambles
        Extended Supported Rates: 9.0 18.0 48.0 54.0 
        Vendor Specific: WPA
        Vendor Specific: AtherosC
        Vendor Specific: AtherosC
        Vendor Specific: WME

From the above frame we can immediately learn both AP's SSID 'netgear', BSSID '00:14:6c:XX:XX:XX' and channel '1' on which the AP is operating. Upon further examination we can learn that the access point is operating in 802.11b and 802.11g modes based on Supported Rates parameter. Even more information can be learned by analyzing timestamp value, Capability Information parameter, and other content in the frame.

[edit] Data Packets

Edit this page | Discuss this page | Page history | What links here | Related changes Main Page | About MRL Wiki | Find: This page has been accessed 1,070 times. This page was last modified on 7 August 2008, at 12:16.