Understanding the Fundamentals of WiFi Probe Request and Response Management Frames: WLAN Discovery methods



For wireless devices to efficiently discover and connect to available networks, two fundamental management frames play an important role: Probe Request and Probe Response frames. Let's explore how these management frames work together to help your devices find and connect to wireless networks.

What is a Probe Request?


Probe Requests are management frames sent by a Wireless Client device or a Station (STA) when searching for wireless networks. Think of them as your device calling out "Hello, is anyone there?" This frame serves two main purposes:

  • Finding a specific network that you have connected to in the past.
  • Discovering all available networks in the coverage area of the device.

Types of Probe Requests


The type of a Probe Request is dictated by the length of the SSID field in the Probe Request. There are two types of Probe Requests:
  • Directed Probe Request
  • Broadcast Probe Request 
 
Directed Probe Requests: When your device is looking for a specific network, it sends a directed request containing that network's SSID. The Access Points that are configured with that specific SSID will respond to the Probe Request. In this case the SSID field has a length greater than zero, as shown in the Wireshark capture example below.

Wireshark Filter : wlan.fc.type_subtype eq 4




Broadcast Probe Requests: This type of Probe Request is also known as a "wildcard" or broadcast request. In this case the SSID field in the Probe Request is empty, as shown in the Wireshark capture example below, and all Access Points receiving this request will respond with all SSIDs (excluding non-hidden).
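The SSID-length rule described above, as an added example that is not part of the original post: a Python parser that checks a raw 802.11 frame is a Probe Request (the same type/subtype value the Wireshark filter matches), walks its tagged parameters with bounds checks, and classifies it as directed or broadcast. The sample frames, the source MAC and the SSID "ExampleNet" are constructed, and the frame is assumed to start at Frame Control with no radiotap header or FCS.

```python
import struct

MGMT_HDR_LEN = 24   # FC(2) Duration(2) DA(6) SA(6) BSSID(6) SeqCtl(2)
PROBE_REQUEST = 4   # same value the wlan.fc.type_subtype filter matches
SSID_ELEMENT_ID = 0

def type_subtype(frame: bytes) -> int:
    """Combine type and subtype the way Wireshark's wlan.fc.type_subtype does."""
    fc0 = frame[0]                      # low byte of Frame Control
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    return (ftype << 4) | subtype

def tagged_parameters(body: bytes):
    """Yield (element_id, value) pairs; reject an element that overruns the frame."""
    off = 0
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("truncated element header")
        eid, elen = body[off], body[off + 1]
        if off + 2 + elen > len(body):
            raise ValueError("element length exceeds frame")
        yield eid, body[off + 2:off + 2 + elen]
        off += 2 + elen

def classify_probe_request(frame: bytes):
    """Return ('directed', ssid) or ('broadcast', '') for a raw Probe Request."""
    # Assumption: frame starts at Frame Control (no radiotap) and carries no FCS.
    if len(frame) < MGMT_HDR_LEN or type_subtype(frame) != PROBE_REQUEST:
        raise ValueError("not a Probe Request")
    # A Probe Request has no fixed fields: tagged parameters follow the header.
    for eid, value in tagged_parameters(frame[MGMT_HDR_LEN:]):
        if eid == SSID_ELEMENT_ID:
            if len(value) == 0:
                return ("broadcast", "")
            return ("directed", value.decode("utf-8", errors="replace"))
    raise ValueError("no SSID element present")

def build_probe_request(ssid: bytes) -> bytes:
    """Constructed sample frame: broadcast DA/BSSID, made-up source MAC."""
    hdr = struct.pack("<HH6s6s6sH", 0x0040, 0, b"\xff" * 6,
                      bytes.fromhex("020000000001"), b"\xff" * 6, 0)
    rates = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])   # Supported Rates element
    return hdr + bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid + rates

if __name__ == "__main__":
    for sample in (b"", b"ExampleNet"):
        print(classify_probe_request(build_probe_request(sample)))
```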



What is a Probe Response?


When a wireless access point (AP) receives a Probe Request, it responds with a Probe Response frame. This Probe Response frame contains almost the same information as the Beacon frame. The following information about the wireless network is part of the Probe Response:

Fixed Fields of Probe Response:

  • Timestamp 
  • Beacon Interval in milliseconds
  • Capability Information

Tagged Parameters:

  • SSID Parameters
  • Supported Rates
  • PHY Parameter Sets
In addition to the above parameters, it also includes additional information elements that can assist Stations based on their capabilities and standards. For example:
  • IEEE 802.11d networks include Country information element.
  • IEEE 802.11h networks provide Power Constraints, supported Channel information, Channel Switch Announcement etc.
  • IEEE 802.11e networks share QoS load data.
  • IEEE 802.11g networks may include ERP information.
  • IEEE 802.11i networks provide the RSN information element.
  • HT, VHT, HE Capability information.
  • Vendor Specific Information
Here is a sample Wireshark capture of a Probe Response:

Wireshark Filter : wlan.fc.type_subtype eq 5


For details on these fixed and tagged parameters, refer to my blog post on Wireless Fundamentals: Beacon.

How does it all work together

The interaction between Probe Requests and Responses follows the pattern below:
  • Your wireless device sends out a Probe Request.
  • Access points or STAs that meet the criteria (directed or broadcast) respond.
  • In a traditional infrastructure network (BSS), the AP always responds to the Probe Request.
  • In an IBSS (all stations), the mobile station that sent the latest Beacon would respond.
  • In more complex scenarios (like mesh networks), multiple devices might respond.

Conclusion:

Probe Request and Response frames are fundamental to how wireless devices (phones, laptops, handhelds, etc.) discover and connect to networks. Understanding their behavior helps network administrators optimize their wireless infrastructure and troubleshoot connectivity issues more effectively.


Ref: https://www.cwnp.com/certifications/cwap

