Scanning problem for hidden SSIDs
Holger Schurig
hs4233 at mail.mn-solutions.de
Thu Jun 21 02:43:13 EDT 2007
> > In my AP, I disabled broadcasting of the SSID.
> >
> > When I insert the USB dongle, the device sends out specific
> > probe requests and the AP answers.
> >
> > When I insert the CF card, the log file indicates that it
> > probes, but nothing can be sniffed "from the air".
>
> We'd need more information about the frames over-the-air here,
> like whether or not the CF firmware is actually sending out
> active probe requests or what.
You have this information. I wrote:
but nothing can be sniffed "from the air"
and that means that there was no active probe in the air. I can
see active probes from another card, so I know my wireless
sniffing works. And I see lots of beacons, but found a nice
trick to hide them:
wireshark -i XXX -R '!(wlan.fc.sub_type != 8)'
The current libertas driver sends several commands like this:
libertas CMD: 06 00 2b 00 0d 00 00 00 03 00 00 00 00 00 00 00
libertas CMD: 00 06 00 4d 4e 54 45 53 54 01 01 0e 00 00 01 02
libertas CMD: 00 00 64 00 00 02 02 00 00 64 00
In decoded form:
SCAN CMD      06 00
length        2b 00
sequence      0d 00
result        00 00
bss type      03 = any
bssid         00 00 00 00 00 00
TLV ID SSID   00 00
len           06 00
ssid          4d 4e 54 45 53 54 = MNTEST
TLV ID CHANLIST 01 01
len           0e 00
radio type    00
channel       01
scan type     02 = turn off scan filter
min scan      00 00 = 0
max scan      64 00 = 100
radio type    00
channel       02
scan type     02 = turn off scan filter
min scan      00 00 = 0
max scan      64 00 = 100
And the response to this command was:
CMD_RESP: 06 80 0b 00 0d 00 00 00 00 00 00 00 00 00 00 00
CMD_RESP: 00 00 00
In decoded form:
SCAN RESPONSE 06 80
length        0b 00
sequence      0d 00
result        00 00 = at least it's no error :-)
bufsize       00 00 = no result
numofset      00 = no APs in result set
whatever      00 00 00 00 00 00 00 00 00 00
Please note that in the 0x0006 command above there was just an
SSID TLV and a CHANLIST TLV, but no OPRATES TLV. On page 139 of
the v5.1 firmware spec they wrote that v5.1 made the OPRATES TLV
optional. So I guess for an older firmware it was mandatory.
So I guess I have an angle of attack :-)
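As an added example, not part of the post or of the libertas driver: a small Python encoder/decoder for the SCAN command (0x0006) and its response, in the byte layout decoded above. The command id, the SSID and CHANLIST TLV ids, the bss type and the scan type come from the post's decode; the OPRATES TLV id (0x0001) and the 802.11 rate bytes used in the demo are assumptions taken from the libertas driver headers, not from the post. The builder reproduces the exact 43-byte command shown above, and the optional rates argument adds the OPRATES TLV the post suspects an older firmware requires.

```python
import struct

# Constants from the post's decode (Marvell libertas firmware command set).
# TLV_RATES is an assumption from the libertas driver headers, not from the
# post; it is only used for the optional OPRATES TLV.
CMD_802_11_SCAN = 0x0006
CMD_RESP_FLAG = 0x8000                # response id = command id | 0x8000 ("06 80")
TLV_SSID = 0x0000
TLV_RATES = 0x0001                    # assumed id of the OPRATES TLV
TLV_CHANLIST = 0x0101
BSS_ANY = 0x03
SCAN_TYPE_NO_FILTER = 0x02            # "turn off scan filter" in the post's decode
HDR = struct.Struct("<HHHH")          # command, size, seqnum, result (u16 LE each)
CHAN_ENTRY = struct.Struct("<BBBHH")  # radio type, channel, scan type, min, max


def tlv(tlv_id, value):
    """One Marvell TLV: u16le id, u16le length, payload."""
    return struct.pack("<HH", tlv_id, len(value)) + value


def chanlist_tlv(channels, radio_type=0, scan_type=SCAN_TYPE_NO_FILTER,
                 min_scan=0, max_scan=100):
    """CHANLIST TLV: one 7-byte entry per channel, as in the dump (0e 00 for two)."""
    return tlv(TLV_CHANLIST, b"".join(
        CHAN_ENTRY.pack(radio_type, ch, scan_type, min_scan, max_scan)
        for ch in channels))


def build_scan_cmd(seqnum, ssid, channels, bss_type=BSS_ANY,
                   bssid=b"\x00" * 6, rates=None):
    """CMD_802_11_SCAN: 8-byte header, bss type, bssid, then the TLVs.
    `rates` (a list of 802.11 rate bytes) adds the OPRATES TLV the post
    notes is absent from the driver's command."""
    if len(bssid) != 6:
        raise ValueError("bssid must be 6 bytes")
    body = struct.pack("<B6s", bss_type, bssid)
    body += tlv(TLV_SSID, ssid.encode())
    if rates:
        body += tlv(TLV_RATES, bytes(rates))
    body += chanlist_tlv(channels)
    size = HDR.size + len(body)       # the size field counts the header too (0x2b)
    return HDR.pack(CMD_802_11_SCAN, size, seqnum, 0) + body


def iter_tlvs(buf):
    """Walk a TLV list without ever reading past a truncated or lying length."""
    off = 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated TLV header at offset %d" % off)
        tid, tlen = struct.unpack_from("<HH", buf, off)
        off += 4
        if off + tlen > len(buf):
            raise ValueError("TLV 0x%04x length %d overruns buffer" % (tid, tlen))
        yield tid, buf[off:off + tlen]
        off += tlen


def decode_scan_cmd(data):
    """Inverse of build_scan_cmd: header, bss type, bssid and the TLVs."""
    cmd, size, seqnum, result = HDR.unpack_from(data)
    if cmd != CMD_802_11_SCAN or size != len(data):
        raise ValueError("not a well-formed scan command")
    bss_type, bssid = struct.unpack_from("<B6s", data, HDR.size)
    out = {"seqnum": seqnum, "bss_type": bss_type, "bssid": bssid,
           "ssid": None, "rates": None, "channels": []}
    for tid, val in iter_tlvs(data[HDR.size + 7:]):
        if tid == TLV_SSID:
            out["ssid"] = val.decode()
        elif tid == TLV_RATES:
            out["rates"] = list(val)
        elif tid == TLV_CHANLIST:
            if len(val) % CHAN_ENTRY.size:
                raise ValueError("CHANLIST length is not a multiple of 7")
            out["channels"] = [CHAN_ENTRY.unpack_from(val, i)
                               for i in range(0, len(val), CHAN_ENTRY.size)]
    return out


def decode_scan_response(data):
    """Fixed part of the scan response: header, then bufsize (u16) and numofset (u8)."""
    cmd, size, seqnum, result = HDR.unpack_from(data)
    if cmd != (CMD_802_11_SCAN | CMD_RESP_FLAG):
        raise ValueError("not a scan response")
    bufsize, nsets = struct.unpack_from("<HB", data, HDR.size)
    return {"seqnum": seqnum, "result": result, "bufsize": bufsize,
            "numofset": nsets}


def is_malformed(data):
    """True if decode_scan_cmd rejects the buffer (used to exercise the bounds checks)."""
    try:
        decode_scan_cmd(data)
    except ValueError:
        return True
    return False


# The exact bytes from the post's "libertas CMD:" and "CMD_RESP:" lines.
POSTED_CMD = bytes.fromhex("06002b000d000000" "0300000000000000"
                           "0006004d4e5445535401010e00000102"
                           "0000640000020200006400")
POSTED_RESP = bytes.fromhex("06800b000d000000" "0000000000000000" "000000")

if __name__ == "__main__":
    assert build_scan_cmd(0x0d, "MNTEST", [1, 2]) == POSTED_CMD
    print(decode_scan_cmd(POSTED_CMD))
    print(decode_scan_response(POSTED_RESP))
```

The decoder's length checks matter beyond tidiness: a scan result buffer comes from the firmware, and a TLV length that overruns the buffer is exactly the kind of input a driver must refuse rather than trust, which is why iter_tlvs bounds-checks every header and payload before slicing.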