connection to AP after what stage? 802.11b protocol
up vote
1
down vote
favorite
I'm seeing several devices trying to connect to an AP (using wireshark), several send and receive the "Probe response" message (802.11)
But the don't even send the association request.
Why is that? does the connection considered to be closed or open only after the probe response?
How did they know not to sent the association request?
Here is a response packet of a device that didn't sent a association request afterwords
Frame 442: 243 bytes on wire (1944 bits), 243 bytes captured (1944 bits) on interface 0
Interface id: 0 (\.airpcap00)
Encapsulation type: IEEE 802.11 plus radiotap radio header (23)
Arrival Time: Mar 18, 2014 21:32:31.171606000 Jerusalem Standard Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1395171151.171606000 seconds
[Time delta from previous captured frame: 0.002142000 seconds]
[Time delta from previous displayed frame: 0.096003000 seconds]
[Time since reference or first frame: 13.290039000 seconds]
Frame Number: 442
Frame Length: 243 bytes (1944 bits)
Capture Length: 243 bytes (1944 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: radiotap:wlan_radio:wlan]
Radiotap Header v0, Length 20
Header revision: 0
Header pad: 0
Header length: 20
Present flags
Present flags word: 0x000018ee
Flags: 0x10
.... ...0 = CFP: False
.... ..0. = Preamble: Long
.... .0.. = WEP: False
.... 0... = Fragmentation: False
...1 .... = FCS at end: True
..0. .... = Data Pad: False
.0.. .... = Bad FCS: False
0... .... = Short GI: False
Data Rate: 1.0 Mb/s
Channel frequency: 2412 [BG 1]
Channel flags: 0x00a0, Complementary Code Keying (CCK), 2 GHz spectrum
Antenna signal: -70dBm
Antenna noise: -100dBm
Signal Quality: 76
Antenna: 0
dB antenna signal: 30dB
802.11 radio information
PHY type: 802.11b (4)
Short preamble: False
Data rate: 1.0 Mb/s
Channel: 1
Frequency: 2412MHz
Signal strength (dBm): -70dBm
Noise level (dBm): -100dBm
[Duration: 1976µs]
IEEE 802.11 Probe Response, Flags: ........C
Type/Subtype: Probe Response (0x0005)
Frame Control Field: 0x5000
.... ..00 = Version: 0
.... 00.. = Type: Management frame (0)
0101 .... = Subtype: 5
Flags: 0x00
.000 0001 0011 1010 = Duration: 314 microseconds
Receiver address: SamsungE_74:b9:f9 (d0:22:be:74:b9:f9)
Destination address: SamsungE_74:b9:f9 (d0:22:be:74:b9:f9)
Transmitter address: Sagemcom_fb:5d:9d (00:78:9e:fb:5d:9d)
Source address: Sagemcom_fb:5d:9d (00:78:9e:fb:5d:9d)
BSS Id: Sagemcom_fb:5d:9d (00:78:9e:fb:5d:9d)
.... .... .... 0000 = Fragment number: 0
0010 1000 0011 .... = Sequence number: 643
Frame check sequence: 0xeb99cc98 [correct]
[FCS Status: Good]
IEEE 802.11 wireless LAN
Fixed parameters (12 bytes)
Timestamp: 0x0000008df2ce0b90
Beacon Interval: 0.102400 [Seconds]
Capabilities Information: 0x0411
.... .... .... ...1 = ESS capabilities: Transmitter is an AP
.... .... .... ..0. = IBSS status: Transmitter belongs to a BSS
.... ..0. .... 00.. = CFP participation capabilities: No point coordinator at AP (0x00)
.... .... ...1 .... = Privacy: AP/STA can support WEP
.... .... ..0. .... = Short Preamble: Not Allowed
.... .... .0.. .... = PBCC: Not Allowed
.... .... 0... .... = Channel Agility: Not in use
.... ...0 .... .... = Spectrum Management: Not Implemented
.... .1.. .... .... = Short Slot Time: In use
.... 0... .... .... = Automatic Power Save Delivery: Not Implemented
...0 .... .... .... = Radio Measurement: Not Implemented
..0. .... .... .... = DSSS-OFDM: Not Allowed
.0.. .... .... .... = Delayed Block Ack: Not Implemented
0... .... .... .... = Immediate Block Ack: Not Implemented
Tagged parameters (183 bytes)
Tag: SSID parameter set: HOTBOX-9810
Tag Number: SSID parameter set (0)
Tag length: 11
SSID: HOTBOX-9810
Tag: Supported Rates 1(B), 2(B), 5.5(B), 11(B), 18, 24, 36, 54, [Mbit/sec]
Tag Number: Supported Rates (1)
Tag length: 8
Supported Rates: 1(B) (0x82)
Supported Rates: 2(B) (0x84)
Supported Rates: 5.5(B) (0x8b)
Supported Rates: 11(B) (0x96)
Supported Rates: 18 (0x24)
Supported Rates: 24 (0x30)
Supported Rates: 36 (0x48)
Supported Rates: 54 (0x6c)
Tag: DS Parameter set: Current Channel: 1
Tag Number: DS Parameter set (3)
Tag length: 1
Current Channel: 1
Tag: ERP Information
Tag Number: ERP Information (42)
Tag length: 1
ERP Information: 0x00
Tag: ERP Information
Tag Number: ERP Information (47)
Tag length: 1
ERP Information: 0x00
Tag: RSN Information
Tag Number: RSN Information (48)
Tag length: 24
RSN Version: 1
Group Cipher Suite: 00:0f:ac (Ieee 802.11) TKIP
Pairwise Cipher Suite Count: 2
Pairwise Cipher Suite List 00:0f:ac (Ieee 802.11) AES (CCM) 00:0f:ac (Ieee 802.11) TKIP
Auth Key Management (AKM) Suite Count: 1
Auth Key Management (AKM) List 00:0f:ac (Ieee 802.11) PSK
RSN Capabilities: 0x000c
Tag: Extended Supported Rates 6, 9, 12, 48, [Mbit/sec]
Tag Number: Extended Supported Rates (50)
Tag length: 4
Extended Supported Rates: 6 (0x0c)
Extended Supported Rates: 9 (0x12)
Extended Supported Rates: 12 (0x18)
Extended Supported Rates: 48 (0x60)
Tag: HT Capabilities (802.11n D1.10)
Tag Number: HT Capabilities (802.11n D1.10) (45)
Tag length: 26
HT Capabilities Info: 0x18fc
A-MPDU Parameters: 0x1b
Rx Supported Modulation and Coding Scheme Set: MCS Set
HT Extended Capabilities: 0x0000
Transmit Beam Forming (TxBF) Capabilities: 0x00000000
Antenna Selection (ASEL) Capabilities: 0x00
Tag: HT Information (802.11n D1.10)
Tag Number: HT Information (802.11n D1.10) (61)
Tag length: 22
Primary Channel: 1
HT Information Subset (1 of 3): 0x08
HT Information Subset (2 of 3): 0x0004
HT Information Subset (3 of 3): 0x0000
Rx Supported Modulation and Coding Scheme Set: Basic MCS Set
Tag: Vendor Specific: Broadcom
Tag Number: Vendor Specific (221)
Tag length: 9
OUI: 00:10:18 (Broadcom)
Vendor Specific OUI Type: 2
Vendor Specific Data: 0201f02c0000
Tag: Vendor Specific: Microsoft Corp.: WPA Information Element
Tag Number: Vendor Specific (221)
Tag length: 28
OUI: 00:50:f2 (Microsoft Corp.)
Vendor Specific OUI Type: 1
Type: WPA Information Element (0x01)
WPA Version: 1
Multicast Cipher Suite: 00:50:f2 (Microsoft Corp.) TKIP
Unicast Cipher Suite Count: 2
Unicast Cipher Suite List 00:50:f2 (Microsoft Corp.) AES (CCM) 00:50:f2 (Microsoft Corp.) TKIP
Auth Key Management (AKM) Suite Count: 1
Auth Key Management (AKM) List 00:50:f2 (Microsoft Corp.) PSK
Tag: Vendor Specific: Microsoft Corp.: WMM/WME: Parameter Element
Tag Number: Vendor Specific (221)
Tag length: 24
OUI: 00:50:f2 (Microsoft Corp.)
Vendor Specific OUI Type: 2
Type: WMM/WME (0x02)
WME Subtype: Parameter Element (1)
WME Version: 1
WME QoS Info: 0x80
Reserved: 00
Ac Parameters ACI 0 (Best Effort), ACM no, AIFSN 3, ECWmin/max 4/10 (CWmin/max 15/1023), TXOP 0
Ac Parameters ACI 1 (Background), ACM no, AIFSN 7, ECWmin/max 4/10 (CWmin/max 15/1023), TXOP 0
Ac Parameters ACI 2 (Video), ACM no, AIFSN 2, ECWmin/max 3/4 (CWmin/max 7/15), TXOP 94
Ac Parameters ACI 3 (Voice), ACM no, AIFSN 2, ECWmin/max 2/3 (CWmin/max 3/7), TXOP 47
wireless ieee-802.11
add a comment |
up vote
1
down vote
favorite
I'm seeing several devices trying to connect to an AP (using wireshark), several send and receive the "Probe response" message (802.11)
But the don't even send the association request.
Why is that? does the connection considered to be closed or open only after the probe response?
How did they know not to sent the association request?
Here is a response packet of a device that didn't sent a association request afterwords
Frame 442: 243 bytes on wire (1944 bits), 243 bytes captured (1944 bits) on interface 0
Interface id: 0 (\.airpcap00)
Encapsulation type: IEEE 802.11 plus radiotap radio header (23)
Arrival Time: Mar 18, 2014 21:32:31.171606000 Jerusalem Standard Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1395171151.171606000 seconds
[Time delta from previous captured frame: 0.002142000 seconds]
[Time delta from previous displayed frame: 0.096003000 seconds]
[Time since reference or first frame: 13.290039000 seconds]
Frame Number: 442
Frame Length: 243 bytes (1944 bits)
Capture Length: 243 bytes (1944 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: radiotap:wlan_radio:wlan]
Radiotap Header v0, Length 20
Header revision: 0
Header pad: 0
Header length: 20
Present flags
Present flags word: 0x000018ee
Flags: 0x10
.... ...0 = CFP: False
.... ..0. = Preamble: Long
.... .0.. = WEP: False
.... 0... = Fragmentation: False
...1 .... = FCS at end: True
..0. .... = Data Pad: False
.0.. .... = Bad FCS: False
0... .... = Short GI: False
Data Rate: 1.0 Mb/s
Channel frequency: 2412 [BG 1]
Channel flags: 0x00a0, Complementary Code Keying (CCK), 2 GHz spectrum
Antenna signal: -70dBm
Antenna noise: -100dBm
Signal Quality: 76
Antenna: 0
dB antenna signal: 30dB
802.11 radio information
PHY type: 802.11b (4)
Short preamble: False
Data rate: 1.0 Mb/s
Channel: 1
Frequency: 2412MHz
Signal strength (dBm): -70dBm
Noise level (dBm): -100dBm
[Duration: 1976µs]
IEEE 802.11 Probe Response, Flags: ........C
Type/Subtype: Probe Response (0x0005)
Frame Control Field: 0x5000
.... ..00 = Version: 0
.... 00.. = Type: Management frame (0)
0101 .... = Subtype: 5
Flags: 0x00
.000 0001 0011 1010 = Duration: 314 microseconds
Receiver address: SamsungE_74:b9:f9 (d0:22:be:74:b9:f9)
Destination address: SamsungE_74:b9:f9 (d0:22:be:74:b9:f9)
Transmitter address: Sagemcom_fb:5d:9d (00:78:9e:fb:5d:9d)
Source address: Sagemcom_fb:5d:9d (00:78:9e:fb:5d:9d)
BSS Id: Sagemcom_fb:5d:9d (00:78:9e:fb:5d:9d)
.... .... .... 0000 = Fragment number: 0
0010 1000 0011 .... = Sequence number: 643
Frame check sequence: 0xeb99cc98 [correct]
[FCS Status: Good]
IEEE 802.11 wireless LAN
Fixed parameters (12 bytes)
Timestamp: 0x0000008df2ce0b90
Beacon Interval: 0.102400 [Seconds]
Capabilities Information: 0x0411
.... .... .... ...1 = ESS capabilities: Transmitter is an AP
.... .... .... ..0. = IBSS status: Transmitter belongs to a BSS
.... ..0. .... 00.. = CFP participation capabilities: No point coordinator at AP (0x00)
.... .... ...1 .... = Privacy: AP/STA can support WEP
.... .... ..0. .... = Short Preamble: Not Allowed
.... .... .0.. .... = PBCC: Not Allowed
.... .... 0... .... = Channel Agility: Not in use
.... ...0 .... .... = Spectrum Management: Not Implemented
.... .1.. .... .... = Short Slot Time: In use
.... 0... .... .... = Automatic Power Save Delivery: Not Implemented
...0 .... .... .... = Radio Measurement: Not Implemented
..0. .... .... .... = DSSS-OFDM: Not Allowed
.0.. .... .... .... = Delayed Block Ack: Not Implemented
0... .... .... .... = Immediate Block Ack: Not Implemented
Tagged parameters (183 bytes)
Tag: SSID parameter set: HOTBOX-9810
Tag Number: SSID parameter set (0)
Tag length: 11
SSID: HOTBOX-9810
Tag: Supported Rates 1(B), 2(B), 5.5(B), 11(B), 18, 24, 36, 54, [Mbit/sec]
Tag Number: Supported Rates (1)
Tag length: 8
Supported Rates: 1(B) (0x82)
Supported Rates: 2(B) (0x84)
Supported Rates: 5.5(B) (0x8b)
Supported Rates: 11(B) (0x96)
Supported Rates: 18 (0x24)
Supported Rates: 24 (0x30)
Supported Rates: 36 (0x48)
Supported Rates: 54 (0x6c)
Tag: DS Parameter set: Current Channel: 1
Tag Number: DS Parameter set (3)
Tag length: 1
Current Channel: 1
Tag: ERP Information
Tag Number: ERP Information (42)
Tag length: 1
ERP Information: 0x00
Tag: ERP Information
Tag Number: ERP Information (47)
Tag length: 1
ERP Information: 0x00
Tag: RSN Information
Tag Number: RSN Information (48)
Tag length: 24
RSN Version: 1
Group Cipher Suite: 00:0f:ac (Ieee 802.11) TKIP
Pairwise Cipher Suite Count: 2
Pairwise Cipher Suite List 00:0f:ac (Ieee 802.11) AES (CCM) 00:0f:ac (Ieee 802.11) TKIP
Auth Key Management (AKM) Suite Count: 1
Auth Key Management (AKM) List 00:0f:ac (Ieee 802.11) PSK
RSN Capabilities: 0x000c
Tag: Extended Supported Rates 6, 9, 12, 48, [Mbit/sec]
Tag Number: Extended Supported Rates (50)
Tag length: 4
Extended Supported Rates: 6 (0x0c)
Extended Supported Rates: 9 (0x12)
Extended Supported Rates: 12 (0x18)
Extended Supported Rates: 48 (0x60)
Tag: HT Capabilities (802.11n D1.10)
Tag Number: HT Capabilities (802.11n D1.10) (45)
Tag length: 26
HT Capabilities Info: 0x18fc
A-MPDU Parameters: 0x1b
Rx Supported Modulation and Coding Scheme Set: MCS Set
HT Extended Capabilities: 0x0000
Transmit Beam Forming (TxBF) Capabilities: 0x00000000
Antenna Selection (ASEL) Capabilities: 0x00
Tag: HT Information (802.11n D1.10)
Tag Number: HT Information (802.11n D1.10) (61)
Tag length: 22
Primary Channel: 1
HT Information Subset (1 of 3): 0x08
HT Information Subset (2 of 3): 0x0004
HT Information Subset (3 of 3): 0x0000
Rx Supported Modulation and Coding Scheme Set: Basic MCS Set
Tag: Vendor Specific: Broadcom
Tag Number: Vendor Specific (221)
Tag length: 9
OUI: 00:10:18 (Broadcom)
Vendor Specific OUI Type: 2
Vendor Specific Data: 0201f02c0000
Tag: Vendor Specific: Microsoft Corp.: WPA Information Element
Tag Number: Vendor Specific (221)
Tag length: 28
OUI: 00:50:f2 (Microsoft Corp.)
Vendor Specific OUI Type: 1
Type: WPA Information Element (0x01)
WPA Version: 1
Multicast Cipher Suite: 00:50:f2 (Microsoft Corp.) TKIP
Unicast Cipher Suite Count: 2
Unicast Cipher Suite List 00:50:f2 (Microsoft Corp.) AES (CCM) 00:50:f2 (Microsoft Corp.) TKIP
Auth Key Management (AKM) Suite Count: 1
Auth Key Management (AKM) List 00:50:f2 (Microsoft Corp.) PSK
Tag: Vendor Specific: Microsoft Corp.: WMM/WME: Parameter Element
Tag Number: Vendor Specific (221)
Tag length: 24
OUI: 00:50:f2 (Microsoft Corp.)
Vendor Specific OUI Type: 2
Type: WMM/WME (0x02)
WME Subtype: Parameter Element (1)
WME Version: 1
WME QoS Info: 0x80
Reserved: 00
Ac Parameters ACI 0 (Best Effort), ACM no, AIFSN 3, ECWmin/max 4/10 (CWmin/max 15/1023), TXOP 0
Ac Parameters ACI 1 (Background), ACM no, AIFSN 7, ECWmin/max 4/10 (CWmin/max 15/1023), TXOP 0
Ac Parameters ACI 2 (Video), ACM no, AIFSN 2, ECWmin/max 3/4 (CWmin/max 7/15), TXOP 94
Ac Parameters ACI 3 (Voice), ACM no, AIFSN 2, ECWmin/max 2/3 (CWmin/max 3/7), TXOP 47
wireless ieee-802.11
add a comment |
up vote
1
down vote
favorite
up vote
1
down vote
favorite
I'm seeing several devices trying to connect to an AP (using wireshark), several send and receive the "Probe response" message (802.11)
But the don't even send the association request.
Why is that? does the connection considered to be closed or open only after the probe response?
How did they know not to sent the association request?
Here is a response packet of a device that didn't sent a association request afterwords
Frame 442: 243 bytes on wire (1944 bits), 243 bytes captured (1944 bits) on interface 0
Interface id: 0 (\.airpcap00)
Encapsulation type: IEEE 802.11 plus radiotap radio header (23)
Arrival Time: Mar 18, 2014 21:32:31.171606000 Jerusalem Standard Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1395171151.171606000 seconds
[Time delta from previous captured frame: 0.002142000 seconds]
[Time delta from previous displayed frame: 0.096003000 seconds]
[Time since reference or first frame: 13.290039000 seconds]
Frame Number: 442
Frame Length: 243 bytes (1944 bits)
Capture Length: 243 bytes (1944 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: radiotap:wlan_radio:wlan]
Radiotap Header v0, Length 20
Header revision: 0
Header pad: 0
Header length: 20
Present flags
Present flags word: 0x000018ee
Flags: 0x10
.... ...0 = CFP: False
.... ..0. = Preamble: Long
.... .0.. = WEP: False
.... 0... = Fragmentation: False
...1 .... = FCS at end: True
..0. .... = Data Pad: False
.0.. .... = Bad FCS: False
0... .... = Short GI: False
Data Rate: 1.0 Mb/s
Channel frequency: 2412 [BG 1]
Channel flags: 0x00a0, Complementary Code Keying (CCK), 2 GHz spectrum
Antenna signal: -70dBm
Antenna noise: -100dBm
Signal Quality: 76
Antenna: 0
dB antenna signal: 30dB
802.11 radio information
PHY type: 802.11b (4)
Short preamble: False
Data rate: 1.0 Mb/s
Channel: 1
Frequency: 2412MHz
Signal strength (dBm): -70dBm
Noise level (dBm): -100dBm
[Duration: 1976µs]
IEEE 802.11 Probe Response, Flags: ........C
Type/Subtype: Probe Response (0x0005)
Frame Control Field: 0x5000
.... ..00 = Version: 0
.... 00.. = Type: Management frame (0)
0101 .... = Subtype: 5
Flags: 0x00
.000 0001 0011 1010 = Duration: 314 microseconds
Receiver address: SamsungE_74:b9:f9 (d0:22:be:74:b9:f9)
Destination address: SamsungE_74:b9:f9 (d0:22:be:74:b9:f9)
Transmitter address: Sagemcom_fb:5d:9d (00:78:9e:fb:5d:9d)
Source address: Sagemcom_fb:5d:9d (00:78:9e:fb:5d:9d)
BSS Id: Sagemcom_fb:5d:9d (00:78:9e:fb:5d:9d)
.... .... .... 0000 = Fragment number: 0
0010 1000 0011 .... = Sequence number: 643
Frame check sequence: 0xeb99cc98 [correct]
[FCS Status: Good]
IEEE 802.11 wireless LAN
Fixed parameters (12 bytes)
Timestamp: 0x0000008df2ce0b90
Beacon Interval: 0.102400 [Seconds]
Capabilities Information: 0x0411
.... .... .... ...1 = ESS capabilities: Transmitter is an AP
.... .... .... ..0. = IBSS status: Transmitter belongs to a BSS
.... ..0. .... 00.. = CFP participation capabilities: No point coordinator at AP (0x00)
.... .... ...1 .... = Privacy: AP/STA can support WEP
.... .... ..0. .... = Short Preamble: Not Allowed
.... .... .0.. .... = PBCC: Not Allowed
.... .... 0... .... = Channel Agility: Not in use
.... ...0 .... .... = Spectrum Management: Not Implemented
.... .1.. .... .... = Short Slot Time: In use
.... 0... .... .... = Automatic Power Save Delivery: Not Implemented
...0 .... .... .... = Radio Measurement: Not Implemented
..0. .... .... .... = DSSS-OFDM: Not Allowed
.0.. .... .... .... = Delayed Block Ack: Not Implemented
0... .... .... .... = Immediate Block Ack: Not Implemented
Tagged parameters (183 bytes)
Tag: SSID parameter set: HOTBOX-9810
Tag Number: SSID parameter set (0)
Tag length: 11
SSID: HOTBOX-9810
Tag: Supported Rates 1(B), 2(B), 5.5(B), 11(B), 18, 24, 36, 54, [Mbit/sec]
Tag Number: Supported Rates (1)
Tag length: 8
Supported Rates: 1(B) (0x82)
Supported Rates: 2(B) (0x84)
Supported Rates: 5.5(B) (0x8b)
Supported Rates: 11(B) (0x96)
Supported Rates: 18 (0x24)
Supported Rates: 24 (0x30)
Supported Rates: 36 (0x48)
Supported Rates: 54 (0x6c)
Tag: DS Parameter set: Current Channel: 1
Tag Number: DS Parameter set (3)
Tag length: 1
Current Channel: 1
Tag: ERP Information
Tag Number: ERP Information (42)
Tag length: 1
ERP Information: 0x00
Tag: ERP Information
Tag Number: ERP Information (47)
Tag length: 1
ERP Information: 0x00
Tag: RSN Information
Tag Number: RSN Information (48)
Tag length: 24
RSN Version: 1
Group Cipher Suite: 00:0f:ac (Ieee 802.11) TKIP
Pairwise Cipher Suite Count: 2
Pairwise Cipher Suite List 00:0f:ac (Ieee 802.11) AES (CCM) 00:0f:ac (Ieee 802.11) TKIP
Auth Key Management (AKM) Suite Count: 1
Auth Key Management (AKM) List 00:0f:ac (Ieee 802.11) PSK
RSN Capabilities: 0x000c
Tag: Extended Supported Rates 6, 9, 12, 48, [Mbit/sec]
Tag Number: Extended Supported Rates (50)
Tag length: 4
Extended Supported Rates: 6 (0x0c)
Extended Supported Rates: 9 (0x12)
Extended Supported Rates: 12 (0x18)
Extended Supported Rates: 48 (0x60)
Tag: HT Capabilities (802.11n D1.10)
Tag Number: HT Capabilities (802.11n D1.10) (45)
Tag length: 26
HT Capabilities Info: 0x18fc
A-MPDU Parameters: 0x1b
Rx Supported Modulation and Coding Scheme Set: MCS Set
HT Extended Capabilities: 0x0000
Transmit Beam Forming (TxBF) Capabilities: 0x00000000
Antenna Selection (ASEL) Capabilities: 0x00
Tag: HT Information (802.11n D1.10)
Tag Number: HT Information (802.11n D1.10) (61)
Tag length: 22
Primary Channel: 1
HT Information Subset (1 of 3): 0x08
HT Information Subset (2 of 3): 0x0004
HT Information Subset (3 of 3): 0x0000
Rx Supported Modulation and Coding Scheme Set: Basic MCS Set
Tag: Vendor Specific: Broadcom
Tag Number: Vendor Specific (221)
Tag length: 9
OUI: 00:10:18 (Broadcom)
Vendor Specific OUI Type: 2
Vendor Specific Data: 0201f02c0000
Tag: Vendor Specific: Microsoft Corp.: WPA Information Element
Tag Number: Vendor Specific (221)
Tag length: 28
OUI: 00:50:f2 (Microsoft Corp.)
Vendor Specific OUI Type: 1
Type: WPA Information Element (0x01)
WPA Version: 1
Multicast Cipher Suite: 00:50:f2 (Microsoft Corp.) TKIP
Unicast Cipher Suite Count: 2
Unicast Cipher Suite List 00:50:f2 (Microsoft Corp.) AES (CCM) 00:50:f2 (Microsoft Corp.) TKIP
Auth Key Management (AKM) Suite Count: 1
Auth Key Management (AKM) List 00:50:f2 (Microsoft Corp.) PSK
Tag: Vendor Specific: Microsoft Corp.: WMM/WME: Parameter Element
Tag Number: Vendor Specific (221)
Tag length: 24
OUI: 00:50:f2 (Microsoft Corp.)
Vendor Specific OUI Type: 2
Type: WMM/WME (0x02)
WME Subtype: Parameter Element (1)
WME Version: 1
WME QoS Info: 0x80
Reserved: 00
Ac Parameters ACI 0 (Best Effort), ACM no, AIFSN 3, ECWmin/max 4/10 (CWmin/max 15/1023), TXOP 0
Ac Parameters ACI 1 (Background), ACM no, AIFSN 7, ECWmin/max 4/10 (CWmin/max 15/1023), TXOP 0
Ac Parameters ACI 2 (Video), ACM no, AIFSN 2, ECWmin/max 3/4 (CWmin/max 7/15), TXOP 94
Ac Parameters ACI 3 (Voice), ACM no, AIFSN 2, ECWmin/max 2/3 (CWmin/max 3/7), TXOP 47
wireless ieee-802.11
I'm seeing several devices trying to connect to an AP (using wireshark), several send and receive the "Probe response" message (802.11)
But the don't even send the association request.
Why is that? does the connection considered to be closed or open only after the probe response?
How did they know not to sent the association request?
Here is a response packet of a device that didn't sent a association request afterwords
Frame 442: 243 bytes on wire (1944 bits), 243 bytes captured (1944 bits) on interface 0
Interface id: 0 (\.airpcap00)
Encapsulation type: IEEE 802.11 plus radiotap radio header (23)
Arrival Time: Mar 18, 2014 21:32:31.171606000 Jerusalem Standard Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1395171151.171606000 seconds
[Time delta from previous captured frame: 0.002142000 seconds]
[Time delta from previous displayed frame: 0.096003000 seconds]
[Time since reference or first frame: 13.290039000 seconds]
Frame Number: 442
Frame Length: 243 bytes (1944 bits)
Capture Length: 243 bytes (1944 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: radiotap:wlan_radio:wlan]
Radiotap Header v0, Length 20
Header revision: 0
Header pad: 0
Header length: 20
Present flags
Present flags word: 0x000018ee
Flags: 0x10
.... ...0 = CFP: False
.... ..0. = Preamble: Long
.... .0.. = WEP: False
.... 0... = Fragmentation: False
...1 .... = FCS at end: True
..0. .... = Data Pad: False
.0.. .... = Bad FCS: False
0... .... = Short GI: False
Data Rate: 1.0 Mb/s
Channel frequency: 2412 [BG 1]
Channel flags: 0x00a0, Complementary Code Keying (CCK), 2 GHz spectrum
Antenna signal: -70dBm
Antenna noise: -100dBm
Signal Quality: 76
Antenna: 0
dB antenna signal: 30dB
802.11 radio information
PHY type: 802.11b (4)
Short preamble: False
Data rate: 1.0 Mb/s
Channel: 1
Frequency: 2412MHz
Signal strength (dBm): -70dBm
Noise level (dBm): -100dBm
[Duration: 1976µs]
IEEE 802.11 Probe Response, Flags: ........C
Type/Subtype: Probe Response (0x0005)
Frame Control Field: 0x5000
.... ..00 = Version: 0
.... 00.. = Type: Management frame (0)
0101 .... = Subtype: 5
Flags: 0x00
.000 0001 0011 1010 = Duration: 314 microseconds
Receiver address: SamsungE_74:b9:f9 (d0:22:be:74:b9:f9)
Destination address: SamsungE_74:b9:f9 (d0:22:be:74:b9:f9)
Transmitter address: Sagemcom_fb:5d:9d (00:78:9e:fb:5d:9d)
Source address: Sagemcom_fb:5d:9d (00:78:9e:fb:5d:9d)
BSS Id: Sagemcom_fb:5d:9d (00:78:9e:fb:5d:9d)
.... .... .... 0000 = Fragment number: 0
0010 1000 0011 .... = Sequence number: 643
Frame check sequence: 0xeb99cc98 [correct]
[FCS Status: Good]
IEEE 802.11 wireless LAN
Fixed parameters (12 bytes)
Timestamp: 0x0000008df2ce0b90
Beacon Interval: 0.102400 [Seconds]
Capabilities Information: 0x0411
.... .... .... ...1 = ESS capabilities: Transmitter is an AP
.... .... .... ..0. = IBSS status: Transmitter belongs to a BSS
.... ..0. .... 00.. = CFP participation capabilities: No point coordinator at AP (0x00)
.... .... ...1 .... = Privacy: AP/STA can support WEP
.... .... ..0. .... = Short Preamble: Not Allowed
.... .... .0.. .... = PBCC: Not Allowed
.... .... 0... .... = Channel Agility: Not in use
.... ...0 .... .... = Spectrum Management: Not Implemented
.... .1.. .... .... = Short Slot Time: In use
.... 0... .... .... = Automatic Power Save Delivery: Not Implemented
...0 .... .... .... = Radio Measurement: Not Implemented
..0. .... .... .... = DSSS-OFDM: Not Allowed
.0.. .... .... .... = Delayed Block Ack: Not Implemented
0... .... .... .... = Immediate Block Ack: Not Implemented
Tagged parameters (183 bytes)
Tag: SSID parameter set: HOTBOX-9810
Tag Number: SSID parameter set (0)
Tag length: 11
SSID: HOTBOX-9810
Tag: Supported Rates 1(B), 2(B), 5.5(B), 11(B), 18, 24, 36, 54, [Mbit/sec]
Tag Number: Supported Rates (1)
Tag length: 8
Supported Rates: 1(B) (0x82)
Supported Rates: 2(B) (0x84)
Supported Rates: 5.5(B) (0x8b)
Supported Rates: 11(B) (0x96)
Supported Rates: 18 (0x24)
Supported Rates: 24 (0x30)
Supported Rates: 36 (0x48)
Supported Rates: 54 (0x6c)
Tag: DS Parameter set: Current Channel: 1
Tag Number: DS Parameter set (3)
Tag length: 1
Current Channel: 1
Tag: ERP Information
Tag Number: ERP Information (42)
Tag length: 1
ERP Information: 0x00
Tag: ERP Information
Tag Number: ERP Information (47)
Tag length: 1
ERP Information: 0x00
Tag: RSN Information
Tag Number: RSN Information (48)
Tag length: 24
RSN Version: 1
Group Cipher Suite: 00:0f:ac (Ieee 802.11) TKIP
Pairwise Cipher Suite Count: 2
Pairwise Cipher Suite List 00:0f:ac (Ieee 802.11) AES (CCM) 00:0f:ac (Ieee 802.11) TKIP
Auth Key Management (AKM) Suite Count: 1
Auth Key Management (AKM) List 00:0f:ac (Ieee 802.11) PSK
RSN Capabilities: 0x000c
Tag: Extended Supported Rates 6, 9, 12, 48, [Mbit/sec]
Tag Number: Extended Supported Rates (50)
Tag length: 4
Extended Supported Rates: 6 (0x0c)
Extended Supported Rates: 9 (0x12)
Extended Supported Rates: 12 (0x18)
Extended Supported Rates: 48 (0x60)
Tag: HT Capabilities (802.11n D1.10)
Tag Number: HT Capabilities (802.11n D1.10) (45)
Tag length: 26
HT Capabilities Info: 0x18fc
A-MPDU Parameters: 0x1b
Rx Supported Modulation and Coding Scheme Set: MCS Set
HT Extended Capabilities: 0x0000
Transmit Beam Forming (TxBF) Capabilities: 0x00000000
Antenna Selection (ASEL) Capabilities: 0x00
Tag: HT Information (802.11n D1.10)
Tag Number: HT Information (802.11n D1.10) (61)
Tag length: 22
Primary Channel: 1
HT Information Subset (1 of 3): 0x08
HT Information Subset (2 of 3): 0x0004
HT Information Subset (3 of 3): 0x0000
Rx Supported Modulation and Coding Scheme Set: Basic MCS Set
Tag: Vendor Specific: Broadcom
Tag Number: Vendor Specific (221)
Tag length: 9
OUI: 00:10:18 (Broadcom)
Vendor Specific OUI Type: 2
Vendor Specific Data: 0201f02c0000
Tag: Vendor Specific: Microsoft Corp.: WPA Information Element
Tag Number: Vendor Specific (221)
Tag length: 28
OUI: 00:50:f2 (Microsoft Corp.)
Vendor Specific OUI Type: 1
Type: WPA Information Element (0x01)
WPA Version: 1
Multicast Cipher Suite: 00:50:f2 (Microsoft Corp.) TKIP
Unicast Cipher Suite Count: 2
Unicast Cipher Suite List 00:50:f2 (Microsoft Corp.) AES (CCM) 00:50:f2 (Microsoft Corp.) TKIP
Auth Key Management (AKM) Suite Count: 1
Auth Key Management (AKM) List 00:50:f2 (Microsoft Corp.) PSK
Tag: Vendor Specific: Microsoft Corp.: WMM/WME: Parameter Element
Tag Number: Vendor Specific (221)
Tag length: 24
OUI: 00:50:f2 (Microsoft Corp.)
Vendor Specific OUI Type: 2
Type: WMM/WME (0x02)
WME Subtype: Parameter Element (1)
WME Version: 1
WME QoS Info: 0x80
Reserved: 00
Ac Parameters ACI 0 (Best Effort), ACM no, AIFSN 3, ECWmin/max 4/10 (CWmin/max 15/1023), TXOP 0
Ac Parameters ACI 1 (Background), ACM no, AIFSN 7, ECWmin/max 4/10 (CWmin/max 15/1023), TXOP 0
Ac Parameters ACI 2 (Video), ACM no, AIFSN 2, ECWmin/max 3/4 (CWmin/max 7/15), TXOP 94
Ac Parameters ACI 3 (Voice), ACM no, AIFSN 2, ECWmin/max 2/3 (CWmin/max 3/7), TXOP 47
wireless ieee-802.11
wireless ieee-802.11
asked Nov 16 at 16:50
DsCpp
1343
1343
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
up vote
3
down vote
accepted
These devices are simply looking for available networks, not trying to associate with them. This is normal behavior for a device looking for networks and to determine what the AP capabilities are.
The device won't send an association request until you tell it to connect to that network.
So only the devices the send the association request (and receive a respond) are the ones connected?
– DsCpp
Nov 16 at 16:57
Yes. For example, on a Windows PC, when you click the icon and see a list of available networks, that list is generated from probe request/responses. When you click Connect, then it sends an association request.
– Ron Trunk
Nov 16 at 17:06
add a comment |
up vote
2
down vote
But the don't even send the association request. Why is that? does the connection considered to be closed or open only after the probe response?
How did they know not to sent the association request?
They are simply checking the availability of wireless networks around them. This does not necessarily indicate they actually want to join or associate to the network.
When a wireless client is looking to join a wireless network (or check for the possibility of roaming to a new one), they send out probe requests. Often these are general in nature and how a device discovers which networks are around them. Think of it as the client device yelling, "Can any wireless networks hear me?"
Probe requests can also be directed to particular networks. "Can network ABCXYZ hear me?" This is required with the SSID is "hidden" and is the default way many mobile devices try to reconnect to stored networks.
When an access point hears a probe request, if the probe request is either general in nature or for the configured wireless network, it responds with a probe response. This behavior is defined by the IEEE standards for 802.11 networks. So your AP will always respond to any general probe request from a wireless client.
You have likely experienced this yourself without realizing it. When you want to join a wireless device to a network, you have likely been presented with a list of wireless networks and selected the one you wanted to join. This list was generated largely from the probe responses the wireless client received from APs in the area when it sent out probe requests.
All APs also advertise themselves with beacon frames periodically, which is the other way that clients can find wireless networks in the area. However this is a slower process for discovery, so the vast majority of clients use probe request/responses primarily for discovery.
add a comment |
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
3
down vote
accepted
These devices are simply looking for available networks, not trying to associate with them. This is normal behavior for a device looking for networks and to determine what the AP capabilities are.
The device won't send an association request until you tell it to connect to that network.
So only the devices the send the association request (and receive a respond) are the ones connected?
– DsCpp
Nov 16 at 16:57
Yes. For example, on a Windows PC, when you click the icon and see a list of available networks, that list is generated from probe request/responses. When you click Connect, then it sends an association request.
– Ron Trunk
Nov 16 at 17:06
add a comment |
up vote
3
down vote
accepted
These devices are simply looking for available networks, not trying to associate with them. This is normal behavior for a device looking for networks and to determine what the AP capabilities are.
The device won't send an association request until you tell it to connect to that network.
So only the devices the send the association request (and receive a respond) are the ones connected?
– DsCpp
Nov 16 at 16:57
Yes. For example, on a Windows PC, when you click the icon and see a list of available networks, that list is generated from probe request/responses. When you click Connect, then it sends an association request.
– Ron Trunk
Nov 16 at 17:06
add a comment |
up vote
3
down vote
accepted
up vote
3
down vote
accepted
These devices are simply looking for available networks, not trying to associate with them. This is normal behavior for a device looking for networks and to determine what the AP capabilities are.
The device won't send an association request until you tell it to connect to that network.
These devices are simply looking for available networks, not trying to associate with them. This is normal behavior for a device looking for networks and to determine what the AP capabilities are.
The device won't send an association request until you tell it to connect to that network.
answered Nov 16 at 16:56
Ron Trunk
33.4k22970
33.4k22970
So only the devices the send the association request (and receive a respond) are the ones connected?
– DsCpp
Nov 16 at 16:57
Yes. For example, on a Windows PC, when you click the icon and see a list of available networks, that list is generated from probe request/responses. When you click Connect, then it sends an association request.
– Ron Trunk
Nov 16 at 17:06
add a comment |
So only the devices the send the association request (and receive a respond) are the ones connected?
– DsCpp
Nov 16 at 16:57
Yes. For example, on a Windows PC, when you click the icon and see a list of available networks, that list is generated from probe request/responses. When you click Connect, then it sends an association request.
– Ron Trunk
Nov 16 at 17:06
So only the devices the send the association request (and receive a respond) are the ones connected?
– DsCpp
Nov 16 at 16:57
So only the devices the send the association request (and receive a respond) are the ones connected?
– DsCpp
Nov 16 at 16:57
Yes. For example, on a Windows PC, when you click the icon and see a list of available networks, that list is generated from probe request/responses. When you click Connect, then it sends an association request.
– Ron Trunk
Nov 16 at 17:06
Yes. For example, on a Windows PC, when you click the icon and see a list of available networks, that list is generated from probe request/responses. When you click Connect, then it sends an association request.
– Ron Trunk
Nov 16 at 17:06
add a comment |
up vote
2
down vote
But the don't even send the association request. Why is that? does the connection considered to be closed or open only after the probe response?
How did they know not to sent the association request?
They are simply checking the availability of wireless networks around them. This does not necessarily indicate they actually want to join or associate to the network.
When a wireless client is looking to join a wireless network (or check for the possibility of roaming to a new one), they send out probe requests. Often these are general in nature and how a device discovers which networks are around them. Think of it as the client device yelling, "Can any wireless networks hear me?"
Probe requests can also be directed to particular networks. "Can network ABCXYZ hear me?" This is required with the SSID is "hidden" and is the default way many mobile devices try to reconnect to stored networks.
When an access point hears a probe request, if the probe request is either general in nature or for the configured wireless network, it responds with a probe response. This behavior is defined by the IEEE standards for 802.11 networks. So your AP will always respond to any general probe request from a wireless client.
You have likely experienced this yourself without realizing it. When you want to join a wireless device to a network, you have likely been presented with a list of wireless networks and selected the one you wanted to join. This list was generated largely from the probe responses the wireless client received from APs in the area when it sent out probe requests.
All APs also advertise themselves with beacon frames periodically, which is the other way that clients can find wireless networks in the area. However this is a slower process for discovery, so the vast majority of clients use probe request/responses primarily for discovery.
add a comment |
up vote
2
down vote
But the don't even send the association request. Why is that? does the connection considered to be closed or open only after the probe response?
How did they know not to sent the association request?
They are simply checking the availability of wireless networks around them. This does not necessarily indicate they actually want to join or associate to the network.
When a wireless client is looking to join a wireless network (or check for the possibility of roaming to a new one), they send out probe requests. Often these are general in nature and how a device discovers which networks are around them. Think of it as the client device yelling, "Can any wireless networks hear me?"
Probe requests can also be directed to particular networks. "Can network ABCXYZ hear me?" This is required with the SSID is "hidden" and is the default way many mobile devices try to reconnect to stored networks.
When an access point hears a probe request, if the probe request is either general in nature or for the configured wireless network, it responds with a probe response. This behavior is defined by the IEEE standards for 802.11 networks. So your AP will always respond to any general probe request from a wireless client.
You have likely experienced this yourself without realizing it. When you want to join a wireless device to a network, you have likely been presented with a list of wireless networks and selected the one you wanted to join. This list was generated largely from the probe responses the wireless client received from APs in the area when it sent out probe requests.
All APs also advertise themselves with beacon frames periodically, which is the other way that clients can find wireless networks in the area. However this is a slower process for discovery, so the vast majority of clients use probe request/responses primarily for discovery.
add a comment |
up vote
2
down vote
up vote
2
down vote
But the don't even send the association request. Why is that? does the connection considered to be closed or open only after the probe response?
How did they know not to sent the association request?
They are simply checking the availability of wireless networks around them. This does not necessarily indicate they actually want to join or associate to the network.
When a wireless client is looking to join a wireless network (or check for the possibility of roaming to a new one), they send out probe requests. Often these are general in nature and how a device discovers which networks are around them. Think of it as the client device yelling, "Can any wireless networks hear me?"
Probe requests can also be directed to particular networks. "Can network ABCXYZ hear me?" This is required with the SSID is "hidden" and is the default way many mobile devices try to reconnect to stored networks.
When an access point hears a probe request, if the probe request is either general in nature or for the configured wireless network, it responds with a probe response. This behavior is defined by the IEEE standards for 802.11 networks. So your AP will always respond to any general probe request from a wireless client.
You have likely experienced this yourself without realizing it. When you want to join a wireless device to a network, you have likely been presented with a list of wireless networks and selected the one you wanted to join. This list was generated largely from the probe responses the wireless client received from APs in the area when it sent out probe requests.
All APs also advertise themselves with beacon frames periodically, which is the other way that clients can find wireless networks in the area. However this is a slower process for discovery, so the vast majority of clients use probe request/responses primarily for discovery.
But the don't even send the association request. Why is that? does the connection considered to be closed or open only after the probe response?
How did they know not to sent the association request?
They are simply checking the availability of wireless networks around them. This does not necessarily indicate they actually want to join or associate to the network.
When a wireless client is looking to join a wireless network (or check for the possibility of roaming to a new one), they send out probe requests. Often these are general in nature and how a device discovers which networks are around them. Think of it as the client device yelling, "Can any wireless networks hear me?"
Probe requests can also be directed to particular networks. "Can network ABCXYZ hear me?" This is required with the SSID is "hidden" and is the default way many mobile devices try to reconnect to stored networks.
When an access point hears a probe request, if the probe request is either general in nature or for the configured wireless network, it responds with a probe response. This behavior is defined by the IEEE standards for 802.11 networks. So your AP will always respond to any general probe request from a wireless client.
You have likely experienced this yourself without realizing it. When you want to join a wireless device to a network, you have likely been presented with a list of wireless networks and selected the one you wanted to join. This list was generated largely from the probe responses the wireless client received from APs in the area when it sent out probe requests.
All APs also advertise themselves with beacon frames periodically, which is the other way that clients can find wireless networks in the area. However this is a slower process for discovery, so the vast majority of clients use probe request/responses primarily for discovery.
answered Nov 16 at 20:21
YLearn♦
21.3k54297
21.3k54297
add a comment |
add a comment |
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f54776%2fconnection-to-ap-after-what-stage-802-11b-protocol%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown