null probe request

There are two types of scanning. In passive scanning, the mobile client listens on predefined channels for beacons. In active scanning, the mobile client sends a probe request frame asking either for a specific Wi-Fi network it was previously associated with or for all available Wi-Fi networks on a specific channel.

I will focus on the second option. A probe request is considered a null probe request if the SSID field in the incoming probe request is empty. This is also known as a wildcard SSID.
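
One way to spot null probe requests in a capture, as an added example (not the author's code): it looks for a probe request whose SSID element has length zero and counts them per source MAC. The function names, MAC addresses and the `lab-ssid` name are assumptions, and the sample frames are constructed.

```python
import struct
from collections import Counter

PROBE_REQUEST_FC0 = 0x40   # version 0, type 0 (management), subtype 4
SSID_ELEMENT_ID = 0

def classify_probe_request(frame: bytes):
    """Return 'null', 'directed', or None for anything else."""
    # Assumes the frame starts at Frame Control (no radiotap header, no FCS).
    if len(frame) < 24 or frame[0] != PROBE_REQUEST_FC0:
        return None
    # Management header is 24 bytes, plus 4 bytes of HT Control if the
    # Order bit (0x80 in the second Frame Control byte) is set.
    pos = 28 if frame[1] & 0x80 else 24
    # A probe request body has no fixed fields, only tagged elements.
    while pos + 2 <= len(frame):
        element_id, length = frame[pos], frame[pos + 1]
        if pos + 2 + length > len(frame):
            return None                      # truncated element
        if element_id == SSID_ELEMENT_ID:
            return "null" if length == 0 else "directed"
        pos += 2 + length
    return None                              # no SSID element: malformed

def count_by_source(frames):
    """Count (source MAC, kind) pairs over an iterable of raw frames."""
    counts = Counter()
    for frame in frames:
        kind = classify_probe_request(frame)
        if kind:
            counts[(frame[10:16].hex(":"), kind)] += 1
    return counts

def build_probe_request(src: str, ssid: bytes) -> bytes:
    """Constructed sample frame, not taken from the page's captures."""
    broadcast = b"\xff" * 6
    header = (struct.pack("<HH", 0x0040, 0) + broadcast +
              bytes.fromhex(src.replace(":", "")) + broadcast +
              struct.pack("<H", 0))
    supported_rates = bytes([1, 4, 0x02, 0x04, 0x0B, 0x16])
    return header + bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid + supported_rates

SAMPLE_FRAMES = [
    build_probe_request("02:00:00:00:00:01", b""),          # wildcard SSID
    build_probe_request("02:00:00:00:00:01", b"lab-ssid"),  # directed
    build_probe_request("02:00:00:00:00:02", b""),          # wildcard SSID
    b"\x80\x00" + b"\x00" * 22,                             # beacon-typed, ignored
]
```

Calling `count_by_source(SAMPLE_FRAMES)` returns one counter entry per source MAC and kind, which shows which clients generate wildcard probes.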


According to the 802.11 standard, the Access Point should respond with a probe response, which serves the same purpose as a beacon frame.


In this lab scenario, the Access Point was configured with 6 SSIDs broadcast on channel 64. For one null probe request, the Access Point responded with 6 probe responses, each of which had to be acknowledged.

Management and control frames are sent at the lowest possible data rate (1 Mbps with 802.11b and 6 Mbps with 802.11a/g), since all clients must hear them. If 802.11b in 2.4 GHz is used, it takes longer to send a frame over the air than with 802.11g. All management and control frames are considered overhead.

For all non-hotspot and non-open networks, the best practice is to disable responding to null probe requests. This saves air time and reduces overhead on congested networks.

As an example, the mobile client sends a null probe request and the access point ignores it. The access point continues to send beacon frames every 100 TU (102.4 milliseconds).
