Phone doesn't send all stored SSIDs while capturing Wi-Fi probe requests


Question

I built a script with scapy to capture probe requests on a monitoring Wi-Fi interface. I successfully capture the requests, and some of the SSIDs contained in them. But most of the networks stored in the phone don't get broadcast. And there isn't a clear pattern as to why this happens. Some phones don't broadcast SSIDs at all.

I'm trying to find an explanation for the reasoning behind this behaviour, but haven't found any, apart from the fact that hidden networks should be broadcast in order for the phone to connect to them, but even that is not true, and most of the broadcast ones are visible.

Another behaviour is that of iPhones, which only seem to broadcast the network they are connected to, and nothing else (no network -> no SSIDs).

I have tried putting the interface on various channels, and the broadcast networks vary, but the great majority of the ones saved in the device still aren't broadcast.

Is there a reason behind this? Or a way to force the device to broadcast them all?

Answer

You seem to assume that the phone would do a probe request for each and every known network, permanently.

This is not the case - and not just for phones, but in general. Quoting the Wi-Fi Alliance[*]:

What are passive and active scanning?

The reason for client scanning is to determine a suitable AP to which the client may [emphasis mine] need to roam now or in the future. A client can use two scanning methods: active and passive. During an active scan, the client radio transmits a probe request and listens for a probe response from an AP [emphasis mine]. With a passive scan, the client radio listens on each channel for beacons [emphasis mine again] sent periodically by an AP. A passive scan generally takes more time, since the client must listen and wait for a beacon versus actively probing to find an AP. Another limitation with a passive scan is that if the client does not wait long enough on a channel, then the client may miss an AP beacon.

So it is entirely application/OS dependent whether

  • the phone STA does an active scan, sending probe requests,

  • or just sits there listening for beacons (or does nothing at all).

As I remember it (it's been a few years since I worked on or looked at Android code, so it may have changed), Android will not do an active scan, and thus will not send probe requests to known SSIDs, unless you're in the Wi-Fi networks settings screen. It will just listen to beacons.

There is some 802.11 Wi-Fi design rationale behind this:

  • STAs are supposed to be mobile. After all, if you're not moving from time to time, there's not much point in using Wi-Fi (except for marketing or laziness, and of course smartphones changed that); you might as well get wired.

  • ...if you're mobile, it's reasonable to think you're running on a battery,

  • And so you want to save battery life: you'd rather do passive scans listening to beacons than active scans sending probe requests, because that uses less power.

This idea of power-saving alternative capabilities is spread all over the place in the 802.11 design, hidden under the carpet, when you're a STA.

So it is fully dependent on the STA's OS stack/application whether it 1/ just listens to beacons, 2/ actively sends a probe request for every known AP, or 3/ sends a broadcast probe request, and also whether it does so continuously, periodically, or depending on whether it's in a known state (e.g. screen ON, and the user going to the Wi-Fi networks settings screen).

Now there may be some other considerations, like some regional regulations that mandate that you first listen to beacons to decide if you can or cannot use some channels. But the main point is above.

*:

http://www.wi-fi.org/knowledge-center/faq/what-are-passive-and-active-scanning

EDIT:

On the programming side:

1/ What you seem to have is an IOP (interoperability) problem, because you expect a specific behavior from the STA regarding active vs passive scanning and the probe requests involved, and this is not how it works in the real world. Depending on your application's final main goal, this may be a flaw in the design - or just a minor nuisance. You may want to restrict yourself to some specific device brands, or try to cover all cases, which has a development cost.

2/ ...OR you were just surprised by your observations, and are looking for an explanation. In such a case of surprising results, it goes without saying: go straight to Wireshark to check your program's observations (if your program is a packet sniffer) or behavior (if your program is a client/server/layer XYZ protocol implementation).

On the 802.11 strategies regarding active vs passive scan and power saving:

From "802.11 Wireless Networks: The Definitive Guide, 2nd Edition", by Matthew S. Gast ("member of the IEEE 802.11 working group, and serves as chair of 802.11 Task Group M. As chair of the Wi-Fi Alliance's Wireless Network Management marketing task group, he is leading the investigation of certification requirements for power saving, performance optimization, and location and timing services" - from his publisher bio). A book I can highly recommend.

p. 171:

ScanType (active or passive)

Active scanning uses the transmission of Probe Request frames to identify networks in the area. Passive scanning saves battery power by listening for Beacon frames.

p. 172:

Passive Scanning

Passive scanning saves battery power because it does not require transmitting. In passive scanning, a station moves to each channel on the channel list and waits for Beacon frames.

Also, a bit old (2003), but these guys know their stuff about networking. About scanning strategies:

From Cisco "802.11 Wireless LAN Fundamentals", chapter 5 "Mobility".

Page 153:

Roaming Algorithms

The mechanism to determine when to roam is not defined by the IEEE 802.11 specification and is, therefore, left to vendors to implement. [...] The fact that the algorithms are left to vendor implementation provides vendors an opportunity to differentiate themselves by creating new and better performing algorithms than their competitors. Roaming algorithms become a vendor's "secret sauce," and as a result are kept confidential.

Page 154 "Determining Where to Roam":

There is no ideal technique for scanning. Passive scanning has the benefit of not requiring the client to transmit probe requests but runs the risk of potentially missing an AP because it might not receive a beacon during the scanning duration. Active scanning has the benefit of actively seeking out APs to associate to but requires the client to actively transmit probes. Depending on the implementation for the 802.11 client, one might be better suited than the other. For example, many embedded systems use passive scanning as the preferred method [emphasis mine] [...]

Other interesting stuff on page 155, "Preemptive AP Discovery".
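Added example (not the original poster's scapy script, and not code from the answer above): a pure-Python parser for raw 802.11 probe request frames that classifies each probe per station as a wildcard probe (empty SSID IE, which reveals nothing about stored networks) or a directed probe (the station names a network it already knows, which is the only case in which a stored SSID shows up in your capture). It also flags source MACs with the locally administered bit set, which is what a phone's randomized scanning address looks like and is why per-device counts come out lower than expected. The sample frames are constructed inline, not captured from real devices. The assumption about integration is that with scapy in monitor mode you would pass `bytes(pkt[Dot11])` for each sniffed packet; if your driver delivers the trailing FCS, the IE walker stops at it rather than raising.

```python
"""Classify 802.11 probe requests as wildcard or directed probes.

Added example, not the original poster's script. Works on the raw 802.11
MAC frame (RadioTap header already stripped); with scapy in monitor mode
you would pass bytes(pkt[Dot11]) for each sniffed packet (assumption about
how you hook it in).
"""
import struct
from collections import defaultdict

FC_TYPE_MGMT = 0          # frame control type: management
FC_SUBTYPE_PROBE_REQ = 4  # management subtype: probe request
IE_SSID = 0               # information element tag for SSID


def mac_str(mac):
    return ":".join(f"{b:02x}" for b in mac)


def is_locally_administered(mac):
    # Bit 1 of the first octet set marks a locally administered address,
    # which is what randomized scanning MACs look like.
    return bool(mac[0] & 0x02)


def parse_ies(body):
    """Walk the tag/length/value information elements of a frame body.
    Stops at the first truncated element, so a trailing FCS delivered by
    the driver does not raise."""
    ies = []
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break
        ies.append((tag, value))
        i += 2 + length
    return ies


def parse_probe_request(frame):
    """Return a dict describing the probe, or None if not a probe request."""
    if len(frame) < 24:
        return None
    fc = frame[0]
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    if ftype != FC_TYPE_MGMT or subtype != FC_SUBTYPE_PROBE_REQ:
        return None
    dst = frame[4:10]   # addr1: destination, broadcast for a wildcard probe
    src = frame[10:16]  # addr2: the station doing the probing
    ssid = None
    for tag, value in parse_ies(frame[24:]):
        if tag == IE_SSID:
            ssid = value.decode("utf-8", errors="replace")
            break
    return {
        "src": mac_str(src),
        "dst": mac_str(dst),
        "randomized_mac": is_locally_administered(src),
        "ssid": ssid,
        # Only a non-empty SSID IE is a directed probe, i.e. the station
        # names a network it already knows (needed to find a hidden one).
        "directed": bool(ssid),
    }


def build_probe_request(src, ssid, seq=0):
    """Construct a minimal probe request frame (used for the samples below)."""
    fc = bytes([0x40, 0x00])              # type 0 (mgmt), subtype 4 (probe req)
    duration = b"\x00\x00"
    dst = bssid = b"\xff" * 6             # wildcard destination and BSSID
    seqctl = struct.pack("<H", seq << 4)  # sequence number, fragment 0
    ssid_bytes = ssid.encode()
    ie_ssid = bytes([IE_SSID, len(ssid_bytes)]) + ssid_bytes
    ie_rates = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # supported rates IE
    return fc + duration + dst + src + bssid + seqctl + ie_ssid + ie_rates


def summarize(frames):
    """Per source MAC: count wildcard probes and collect directed SSIDs."""
    stations = defaultdict(lambda: {"wildcard": 0, "directed": set(), "randomized": False})
    for frame in frames:
        probe = parse_probe_request(frame)
        if probe is None:
            continue
        entry = stations[probe["src"]]
        entry["randomized"] = probe["randomized_mac"]
        if probe["directed"]:
            entry["directed"].add(probe["ssid"])
        else:
            entry["wildcard"] += 1
    return dict(stations)


# Constructed sample frames (not captured from real devices).
RANDOM_MAC = bytes.fromhex("da1b2c3d4e5f")   # 0xda has bit 1 set: locally administered
GLOBAL_MAC = bytes.fromhex("001122334455")
SAMPLE_FRAMES = [
    build_probe_request(RANDOM_MAC, "", seq=1),            # wildcard probe
    build_probe_request(RANDOM_MAC, "", seq=2),            # wildcard probe
    build_probe_request(RANDOM_MAC, "HomeNet", seq=3),     # directed probe
    build_probe_request(GLOBAL_MAC, "CoffeeShop", seq=7),  # directed probe
    # Same layout but frame control says beacon (subtype 8): must be ignored.
    bytes([0x80, 0x00]) + build_probe_request(GLOBAL_MAC, "Ignored", seq=8)[2:],
]

if __name__ == "__main__":
    for mac, info in summarize(SAMPLE_FRAMES).items():
        print(mac, "randomized" if info["randomized"] else "global",
              "wildcard probes:", info["wildcard"],
              "directed SSIDs:", sorted(info["directed"]))
```

Run over a real capture, the wildcard count dominates and the directed set stays small or empty for most stations, which is the answer's point in measurable form: a station that only listens to beacons or only sends wildcard probes never puts its stored SSIDs on the air, and there is nothing you can send it to force that.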
