Mac – Is looking for Wi-Fi access points purely passive

Tags: mac-address, wireless-networking

Say I carry a Wi-Fi enabled phone or laptop through an area where there are WAPs. Assuming that I don't actively try to connect to them or otherwise interact with them, is it possible for the owner of that WAP to know that I was there?

I'm asking this in the context of my earlier question: Looking for MACs on the network

I was talking with a friend about my newfound ability to detect phones (and other devices with MAC addresses) on the network, and he pointed out that it might be useful to detect unknown phones on the network; I could use that data to track down anyone who was in my house and brought a Wi-Fi phone with them.

So, if I set up a logging fake WAP with no security or encryption, can I glean any useful information about the devices that come into the house? Assuming that the thief doesn't actively try to connect…

Best Answer

No, looking for 802.11 APs is primarily active. When you bring up a list of visible APs in the area, your 802.11 client most likely does what's known as an "active scan", where it tunes its radio to each supported channel in turn, transmits a Probe Request frame, and waits perhaps 20-40ms to gather Probe Response frames from any APs on that channel before moving on to the next channel. This allows it to scan all the channels much faster than a "passive scan".

A "passive scan" is possible, but isn't used very often because it takes longer. To do a passive scan, the client tunes to each channel in turn, and waits a typical Beacon Interval (usually about 100ms, but could be more) to gather Beacons.

Some channels in 5GHz in some regulatory regions require that you scan passively first, until you know that the channel is not in use by nearby radar installations. But most clients, as soon as they see a Beacon on a passive-scan channel, will switch to an active scan to speed up the process.

If your client device is on, and hasn't given up looking for your recently-joined/preferred/remembered networks, it will almost certainly be broadcasting Probe Requests which give away not only your wireless MAC address and some of the capabilities of your card, but often also the name of the network it's looking for. This is necessary in case the network is a "hidden" (a.k.a. "non-broadcast SSID", a.k.a. "closed") network.

It's pretty trivial to learn people's wireless client MAC addresses and also the names of their home and work networks just by hanging out at the office or a coffee shop or airport terminal with an 802.11 monitor mode packet sniffer, recording Probe Requests.
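To make concrete what a Probe Request hands to anyone listening on the channel, here is an added example (not part of the answer above) that decodes the fields of an 802.11 Probe Request management frame: the client's source MAC, the SSID information element (a remembered network name, or empty for a wildcard probe), and the Supported Rates element. The two frames are constructed by hand, and the client MAC and network name in them are hypothetical; this is the kind of check you would run against your own device's frames to see what it announces.

```python
# Constructed sample frames (not captured traffic): two 802.11 Probe Requests.
# Layout: frame control (2) | duration (2) | addr1 (6) | addr2 (6) | addr3 (6) | seq ctrl (2) | IEs
PROBE_DIRECTED = (
    b"\x40\x00" + b"\x00\x00"              # type 0 (management), subtype 4 (Probe Request)
    + bytes.fromhex("ffffffffffff")        # addr1: broadcast, every AP on the channel
    + bytes.fromhex("021122334455")        # addr2: client MAC (hypothetical, locally administered)
    + bytes.fromhex("ffffffffffff")        # addr3: wildcard BSSID
    + b"\x10\x00"                          # sequence control
    + b"\x00\x08HomeWifi"                  # SSID IE: a remembered network name (hypothetical)
    + b"\x01\x04\x82\x84\x8b\x96"          # Supported Rates IE: 1, 2, 5.5, 11 Mbps
)
# Same header, but an empty SSID IE: a wildcard probe that names no network.
PROBE_WILDCARD = PROBE_DIRECTED[:24] + b"\x00\x00" + b"\x01\x04\x82\x84\x8b\x96"


def parse_probe_request(frame: bytes):
    """Return what a Probe Request exposes to a listener, or None if the frame is not one."""
    if len(frame) < 24:                   # shorter than a management frame header
        return None
    fc0 = frame[0]
    frame_type, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if frame_type != 0 or subtype != 4:   # only management / Probe Request frames
        return None
    src = ":".join(f"{b:02x}" for b in frame[10:16])   # addr2 is the transmitter
    info = {"src": src, "ssid": None, "wildcard": True, "rates_mbps": []}
    pos = 24
    while pos + 2 <= len(frame):          # walk the tag/length/value information elements
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2 : pos + 2 + length]
        if len(body) < length:
            break                         # truncated element: stop rather than mis-parse
        if tag == 0:                      # SSID; zero length means a wildcard probe
            info["ssid"] = body.decode("utf-8", "replace") or None
            info["wildcard"] = length == 0
        elif tag == 1:                    # Supported Rates, units of 0.5 Mbps; bit 7 flags a basic rate
            info["rates_mbps"] = [(r & 0x7F) / 2 for r in body]
        pos += 2 + length
    return info


if __name__ == "__main__":
    for name, frame in (("directed", PROBE_DIRECTED), ("wildcard", PROBE_WILDCARD)):
        print(name, parse_probe_request(frame))
```

The directed probe yields the client MAC and the network name "HomeWifi"; the wildcard probe still yields the MAC and rate capabilities, so switching a device to wildcard probing hides the network name but not the device itself.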
