Doubt On Scanning Hidden AP

Raghavendra s.raghu
Sun Apr 20 22:50:07 PDT 2008

Hi Dan Williams,

  "iwlist eth0 scanning essid test", scans and display result even if AP by 
name "test" is hidden. Is there a way achieve this using wpa_supplicant.


----- Original Message ----- 
From: "Dan Williams" <dcbw at>
To: "Raghavendra" <s.raghu at>
Cc: <hostap at>
Sent: Friday, April 18, 2008 7:22 PM
Subject: Re: Doubt On Scanning Hidden AP

> On Fri, 2008-04-18 at 18:09 +0530, Raghavendra wrote:
>> Hi Jouni,
>>  In your below response to my query you have mentioned, (i.e.,
>> wpa_supplicant is just configuring the SSID and security policy).
> That's what ap_scan=2 does; it just dumps the settings to the driver and
> hopes that the driver has enough to associate.  Because wpa_supplicant
> isn't doing any scanning itself (because the AP is hidden and therefore
> likely won't show up with the right SSID), the supplicant simply cannot
> filter the options you provide against those that the AP's beacon
> reports.  Therefore, when using ap_scan=2, you _must_ specify exactly
> the same security options as the AP has set.
> ap_scan=1 + scan_ssid=1 (for drivers that support it and implement
> specific SSID scanning via 802.11 probe requests) is obviously the
> better choice, because the supplicant can usually determine the AP's
> supported security options from the scan and automatically use the right
> security options.
>> Does that means it is not possible to scan and display result of
>> Hidden APs using wpa_supplicant. Becoz whatever you mentioned above is
>> while getting conneted/associated, if we mention AP SSID then it will
>> try to connect.
> Correct.  When you hide the SSID, the AP broadcasts beacons with a blank
> SSID, and therefore the supplicant can't match up your specified network
> in the configuration with the AP and pick the right security options.
> If you run 'iwlist wlan0 scan' for your adapter, you can see the scan
> result for your hidden AP, but the SSID will usually not be available
> because you've hidden it.
> When using ap_scan=1 + scan_ssid=1, if the driver supports specific SSID
> scanning, it will issue probe requests which the AP must respond to, and
> since the probe response contains the SSID then the SSID becomes
> available to the supplicant, and things work correctly.
> If the driver does not support specific SSID scans, then you cannot
> determine the SSID before the association attempt, and therefore the
> supplicant cannot pick the correct security options automatically.
>> I my case, I have a following config file using which I will enable
>> wpa_supplicant.
>> -----------wpa_supplicant.conf start-----
>> ctrl_interface=/var/run/wpa_supplicant
>> ap_scan=2
>> ----------wpa_supplicant.conf ends-----
> When using ap_scan=2, you must specify the security options exactly as
> set on the AP itself.
>> I am enabling wpa_supplicant with above configuration. Then using
>> wpa_cli, I issue 'scan' command and then 'scan_result', to get scan
>> result.
>> Before enabling wpa_supplicant I have 'Disabled SSID Broadcast'
>> feature on my AP.
>> If I 'Enable SSID Broadcast' then I am getting my AP info in scan
>> result. But If I 'Disable SSID Broadcast' I am not getting my AP info
>> in scan result.
>> So I would like to know how can I get information of a AP in which
>> SSID Broadcast is Disabled.
> You can't get what you want, precisely because you've decided to disable
> SSID broadcasts.
> Just don't do that.  Since the SSID is sent in the clear anyway in the
> probe request and as a result of the association/authentication
> exchanges, it's not in any way secure.
> Dan
>> -Raghu.
>> Date: Sat, 12 Apr 2008 18:08:01 +0300
>> From: Jouni Malinen <j at>
>> Subject: Re: Doubt On Scanning Hidden AP
>> To: hostap at
>> Message-ID: <20080412150800.GA7709 at>
>> Content-Type: text/plain; charset=us-ascii
>> On Fri, Apr 11, 2008 at 09:58:47AM +0530, Raghavendra wrote:
>> >    In some spec I came across the word "Scanning Hidden AP".
>> >
>> >  Can any tell me what is this hidden AP means?
>> >
>> >  Also whether wpa supplicant is capable of doing that?
>> >  If so how to achieve it in wpa supplicant..I mean is there any special 
>> > configuration that I have to do for scanning hidden AP using wpa 
>> > supplicant?
>> In most cases, wpa_supplicant itself does not perform the scan; this is
>> left for the driver/firmware. In case of "hidden SSID" passive scanning
>> (just listening for Beacon frames) does not find the SSID for the AP and
>> an active scan with a specific SSID (i.e., sending Probe Request frames
>> with a specified SSID) is needed. wpa_supplicant can instruct the
>> driver/firmware to do this with scan_ssid=1 option in ap_scan=1 mode
>> (not all drivers support this, though). Alternatively, ap_scan=2 mode
>> can be used to leave all details of AP selection to the dirver/firmware
>> (i.e., wpa_supplicant is just configuring the SSID and security policy).
>> -- 
>> Jouni Malinen                                            PGP id EFC895FA
>> _______________________________________________
>> HostAP mailing list
>> HostAP at

More information about the Hostap mailing list