This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I'm doing a little Pen-Testing using my Laptop, phone (HTC Droid), and Desktop with a Wireless NIC.

When running Wireshark while my HTC Droid and Laptop are unassociated with a wireless network, I'm not picking up any Probes from any of these devices. The only traffic I'm seeing from them are null Broadcast frames that are announcing their presence.

Is there something I'm doing wrong, something I'm unaware of, or are my devices simply not broadcasting networks that are in its PNL (preferred network list) or cached networks?

Thanks, Bokeh

P.S. On another note, the only time I see a Probe Request to any particular Access Point is when my laptop is actually associated to that Access Point.

asked 30 Aug '11, 14:10

Bokeh's gravatar image

Bokeh
6114
accept rate: 0%

edited 30 Aug '11, 14:19

What version of what operating system (if it's a Linux distribution, give the kernel version as well) are you running?

Are you capturing in monitor mode?

What type of wireless adapter do you have?

(30 Aug '11, 16:50) Guy Harris ♦♦

Sorry for not providing that information earlier.

I'm running BackTrack 5 release (Based on Ubuntu 10.04 LTS, Linux kernel 2.6.38) in a Virtualization.

Yes, I'm setting my Wireless Adapter on Monitor Mode via airmon-ng on my wlan0 (and then sniffing with the mon0 interface created by airmon-ng).

Finally, it is an Alfa AWUS036H Wireless Adapter.

(30 Aug '11, 17:57) Bokeh

I tried and tried again last night with no luck. I was even intentionally forcing my "victim" machines to refresh networks (send probes) while unassociated and they still only sent out null broadcast frames.

And again, the only time I would see a probe request for any of the networks in the PNL is when that "victim" was actually connected that that particular network.

(31 Aug '11, 06:51) Bokeh

I let the packet capture run for a good 10 minutes... nothing.

But I think it might be my devices... This morning I ran airodump-ng and let it sit for 6 minutes... at 6 minutes airodump-ng recorded some probes for my home network essid "StayOffMyWireless" while connected to my work network essid "Mercado". Maybe it was just dumb luck, but I don't know.

(31 Aug '11, 06:55) Bokeh

Refreshing your PNL doesn't neccessarily mean that your device has to send Probe Requests, although that would be (like u assumed it) normal. I would try and look if one of your devices (which is NOT the one airodump-ng is actively capturing) sends out the Probe Request when you ask the device to actually connect to a wireless network, because that's the time when Probe Requests have to be sent right before Authentication and Association Request/Response.

Maybe that gives u a hint

(31 Aug '11, 07:02) Landi

Are you suggesting sending a de-auth broadcast, forcing them to re-auth/re-associate (an invariably sending a probe request in the process)?

(31 Aug '11, 07:04) Bokeh

No, I meant just to check whether your devices send the Probe Request only in the process of connecting to a wireless network (which I would expect to happen) and thereby to verify if it's just those systems not probing every SSID in their PNL which is what afaik all windows OS are doing when refreshing their network lists.

(31 Aug '11, 07:12) Landi

I think you're right Landi.

It appears that my devices are only sending out Probe Requests when connecting to an access point. I confirmed this by doing two things:

  1. I disconnected my Droid (phone) from the network, started a packet trace, then reconnected. I did see probe requests during the whole probe/authentication/association phase for the network that I just connected to.

  2. Hard way - I did a deauth flood. However, this time I did see Probes to two networks in the PNL DURING the deauth flood. Strange... only two (not all 4 in my PNL)

Well, I think I have this figured out... sorta.

(31 Aug '11, 07:27) Bokeh

So, let me confirm that I understand. I was under the assumption that, if unassociated to any network, devices would occasionally probe networks in the PNL for connection/discovery... this was incorrect. Right?

So, for various reasons, some devices only send probes when actually connected to that network... and for general network discovery they send out broadcast frames (with a SSID tagged parameter as null)?

Please correct me if I'm wrong. I'm a beginner and I have much to learn... much that I want to learn.

(31 Aug '11, 07:37) Bokeh

too little space here -> answer section

(31 Aug '11, 07:58) Landi
showing 5 of 10 show 5 more comments

Basically there is no need for wireless devices to probe networks just to see which are available. Every access point periodically sends out Beacon Frames (10 per second), from which the wireless clients can read all neccessary information like channel, SSID name, Encryption settings etc.

IF you have a wireless network not sending it's SSID in plaintext (hidden SSID), then your wireless device of course can't see it the network if there. For that + other reasons (on windows OS) networks in your PNL get probed to see if there is a probe response from the AP (meaning the network is in range). Why your HTC behaves different -> sorry no idea

So basically it's beacon frames every 100ms from every AP with or without plaintext SSID. Then when a client wants to connect you have the wireless 'handshake'

  • Probe Request / Response
  • Authentication Request / Response ( <-- nothing really happens here, relict from shared auth. times)
  • Association Request / Response followed by EAPoL packets if WPA(2) Auth. is enabled
permanent link

answered 31 Aug '11, 07:58

Landi's gravatar image

Landi
2.3k51442
accept rate: 28%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×1,620
×63
×36
×31
×5

question asked: 30 Aug '11, 14:10

question was seen: 12,300 times

last updated: 31 Aug '11, 07:58

p​o​w​e​r​e​d by O​S​Q​A