Doubt On Scanning Hidden AP

Dan Williams dcbw
Fri Apr 18 06:52:10 PDT 2008

On Fri, 2008-04-18 at 18:09 +0530, Raghavendra wrote:
> Hi Jouni,
>  In your below response to my query you have mentioned, (i.e.,
> wpa_supplicant is just configuring the SSID and security policy).

That's what ap_scan=2 does; it just dumps the settings to the driver and
hopes that the driver has enough to associate.  Because wpa_supplicant
isn't doing any scanning itself (because the AP is hidden and therefore
likely won't show up with the right SSID), the supplicant simply cannot
filter the options you provide against those that the AP's beacon
reports.  Therefore, when using ap_scan=2, you _must_ specify exactly
the same security options as the AP has set.

ap_scan=1 + scan_ssid=1 (for drivers that support it and implement
specific SSID scanning via 802.11 probe requests) is obviously the
better choice, because the supplicant can usually determine the AP's
supported security options from the scan and automatically use the right
security options.
> Does that means it is not possible to scan and display result of
> Hidden APs using wpa_supplicant. Becoz whatever you mentioned above is
> while getting conneted/associated, if we mention AP SSID then it will
> try to connect.

Correct.  When you hide the SSID, the AP broadcasts beacons with a blank
SSID, and therefore the supplicant can't match up your specified network
in the configuration with the AP and pick the right security options.
If you run 'iwlist wlan0 scan' for your adapter, you can see the scan
result for your hidden AP, but the SSID will usually not be available
because you've hidden it.

When using ap_scan=1 + scan_ssid=1, if the driver supports specific SSID
scanning, it will issue probe requests which the AP must respond to, and
since the probe response contains the SSID then the SSID becomes
available to the supplicant, and things work correctly.

If the driver does not support specific SSID scans, then you cannot
determine the SSID before the association attempt, and therefore the
supplicant cannot pick the correct security options automatically.
> I my case, I have a following config file using which I will enable
> wpa_supplicant.
> -----------wpa_supplicant.conf start-----
> ctrl_interface=/var/run/wpa_supplicant
> ap_scan=2
> ----------wpa_supplicant.conf ends-----

When using ap_scan=2, you must specify the security options exactly as
set on the AP itself.
> I am enabling wpa_supplicant with above configuration. Then using
> wpa_cli, I issue 'scan' command and then 'scan_result', to get scan
> result.
> Before enabling wpa_supplicant I have 'Disabled SSID Broadcast'
> feature on my AP.
> If I 'Enable SSID Broadcast' then I am getting my AP info in scan
> result. But If I 'Disable SSID Broadcast' I am not getting my AP info
> in scan result.
> So I would like to know how can I get information of a AP in which
> SSID Broadcast is Disabled.

You can't get what you want, precisely because you've decided to disable
SSID broadcasts.

Just don't do that.  Since the SSID is sent in the clear anyway in the
probe request and as a result of the association/authentication
exchanges, it's not in any way secure.

> -Raghu.
> Date: Sat, 12 Apr 2008 18:08:01 +0300
> From: Jouni Malinen <j at>
> Subject: Re: Doubt On Scanning Hidden AP
> To: hostap at
> Message-ID: <20080412150800.GA7709 at>
> Content-Type: text/plain; charset=us-ascii
> On Fri, Apr 11, 2008 at 09:58:47AM +0530, Raghavendra wrote:
> >    In some spec I came across the word "Scanning Hidden AP". 
> > 
> >  Can any tell me what is this hidden AP means?
> > 
> >  Also whether wpa supplicant is capable of doing that?
> >  If so how to achieve it in wpa supplicant..I mean is there any special configuration that I have to do for scanning hidden AP using wpa supplicant?
> In most cases, wpa_supplicant itself does not perform the scan; this is
> left for the driver/firmware. In case of "hidden SSID" passive scanning
> (just listening for Beacon frames) does not find the SSID for the AP and
> an active scan with a specific SSID (i.e., sending Probe Request frames
> with a specified SSID) is needed. wpa_supplicant can instruct the
> driver/firmware to do this with scan_ssid=1 option in ap_scan=1 mode
> (not all drivers support this, though). Alternatively, ap_scan=2 mode
> can be used to leave all details of AP selection to the dirver/firmware
> (i.e., wpa_supplicant is just configuring the SSID and security policy).
> -- 
> Jouni Malinen                                            PGP id EFC895FA
> _______________________________________________
> HostAP mailing list
> HostAP at

More information about the Hostap mailing list