Do 802.11 probe requests ever contain real BSSIDs?
It seems that 802.11 probe requests never contain a real BSSID but instead carry the wildcard BSSID (i.e. ff:ff:ff:ff:ff:ff), yet I can't seem to find any documentation that states this. The Meraki documentation says:
"Because the probe request is sent from the mobile station to the
destination layer-2 address and BSSID of ff:ff:ff:ff:ff:ff all AP's
that receive it will respond."
Does this mean that probe requests never contain a real BSSID, even though they sometimes contain an SSID?
I can't find anything that explicitly states that probe requests never contain a real BSSID. However, in every example I have found online it is set to ff:ff:ff:ff:ff:ff. Here is another case from the blog of a wireless network expert:
Below shows the detail of Probe Request frame sent by the client which
is a management type with subtype value of 4. As you can see client is
sending it 6Mbps (lowest supported rate by the client). Address fields
are set like below
Address Field-1 = Receiver Address (= Destination Address) ff:ff:ff:ff:ff:ff
Address Field-2 = Transmitter Address (=Source Address) 84:38:38:58:63:D5
Address Field-3 = BSSID ff:ff:ff:ff:ff:ff
Also, I ran my own tests and never saw a real BSSID being broadcast. So while I wouldn't say it never happens, it is rare enough that it's worth treating it as if it never occurs.
I have seen plenty of probe request frames with a specific BSSID. For example, in a Wireless Distribution System (WDS), one AP will probe another AP with a specific BSSID, since they share the same SSID:
Frame 2022: 310 bytes on wire (2480 bits), 310 bytes captured (2480 bits)
Radiotap Header v0, Length 25
802.11 radio information
IEEE 802.11 Probe Request, Flags: opmP..FT.
Type/Subtype: Probe Request (0x0004)
Frame Control Field: 0x41f3
.... ..01 = Version: 1
.... 00.. = Type: Management frame (0)
0100 .... = Subtype: 4
Flags: 0xf3
.... ..11 = DS status: WDS (AP to AP) or Mesh (MP to MP) Frame (To DS: 1 From DS: 1) (0x3)
.... .0.. = More Fragments: This is the last fragment
.... 0... = Retry: Frame is not being retransmitted
...1 .... = PWR MGT: STA will go to sleep
..1. .... = More Data: Data is buffered for STA at AP
.1.. .... = Protected flag: Data is protected
1... .... = Order flag: Strictly ordered
.101 1101 0001 0110 = Duration: 23830 microseconds
Receiver address: 80:1d:30:a5:81:39 (80:1d:30:a5:81:39)
Destination address: 80:1d:30:a5:81:39 (80:1d:30:a5:81:39)
Transmitter address: 4b:3b:67:a4:4d:fe (4b:3b:67:a4:4d:fe)
Source address: 4b:3b:67:a4:4d:fe (4b:3b:67:a4:4d:fe)
BSS Id: ef:e1:f9:51:09:e6 (ef:e1:f9:51:09:e6)
.... .... .... 0010 = Fragment number: 2
0100 1110 1001 .... = Sequence number: 1257
Frame check sequence: 0x853d68c9 [incorrect, should be 0x7089dc98]
[FCS Status: Bad]
HT Control (+HTC): 0x8ab91f91
WEP parameters
Data (245 bytes)
Suppose your PC has joined an open wireless network named Starbucks. When you are at home, if some rogue AP uses the same name, your PC will connect to that AP. That is why some clients actually also let you optionally select the BSSID. And in ad-hoc networks there are plenty of probe requests with a specific BSSID.
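The distinction the answers above turn on is Address 3 of the management frame header, which in a probe request is the BSSID field: all-ones means "any BSS", anything else means the probe is directed at one specific BSS. The following Python, an added example that is not part of the question or either answer, builds two constructed probe request frames (one wildcard, one directed, reusing the MAC addresses from the captures above as sample values) and then parses the raw 802.11 header and tagged elements back out, so a capture-analysis or wireless-IDS script can classify each probe as wildcard or directed and pull out the SSID it carries. The frame layout used (Frame Control, Duration, Address 1-3, Sequence Control, then tag/length/value elements with SSID as tag 0) is the standard 802.11 management-frame format; the function names are mine.

```python
import struct

WILDCARD_BSSID = "ff:ff:ff:ff:ff:ff"   # all-ones Address 3 = "any BSS"
TYPE_MANAGEMENT = 0
SUBTYPE_PROBE_REQUEST = 4
ELEMENT_ID_SSID = 0


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))


def build_probe_request(transmitter: str, bssid: str, ssid: str,
                        receiver: str = WILDCARD_BSSID, seq: int = 0) -> bytes:
    """Constructed sample frame: 24-byte management header plus SSID and
    Supported Rates elements. An empty ssid produces the wildcard SSID."""
    # Frame Control, little-endian: byte 0 = subtype<<4 | type<<2 | version
    frame_control = bytes([(SUBTYPE_PROBE_REQUEST << 4) | (TYPE_MANAGEMENT << 2), 0x00])
    duration = struct.pack("<H", 0)
    seq_ctrl = struct.pack("<H", (seq << 4) & 0xFFFF)   # sequence number in upper 12 bits
    header = (frame_control + duration + mac_to_bytes(receiver)
              + mac_to_bytes(transmitter) + mac_to_bytes(bssid) + seq_ctrl)
    ssid_raw = ssid.encode()
    body = bytes([ELEMENT_ID_SSID, len(ssid_raw)]) + ssid_raw
    body += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])       # Supported Rates: 1, 2, 5.5, 11 Mbps
    return header + body


def parse_probe_request(frame: bytes) -> dict:
    """Parse a raw (radiotap-stripped, FCS-stripped) probe request frame."""
    if len(frame) < 24:
        raise ValueError("frame shorter than a management header")
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x03
    subtype = (fc0 >> 4) & 0x0F
    if ftype != TYPE_MANAGEMENT or subtype != SUBTYPE_PROBE_REQUEST:
        raise ValueError(f"not a probe request (type={ftype}, subtype={subtype})")

    addr1 = mac_to_str(frame[4:10])    # Receiver / Destination
    addr2 = mac_to_str(frame[10:16])   # Transmitter / Source
    addr3 = mac_to_str(frame[16:22])   # BSSID
    seq_ctrl = struct.unpack_from("<H", frame, 22)[0]

    # Walk the tagged elements; stop cleanly on a truncated element.
    ssid = None
    body, offset = frame[24:], 0
    while offset + 2 <= len(body):
        element_id, length = body[offset], body[offset + 1]
        value = body[offset + 2: offset + 2 + length]
        if len(value) < length:
            break
        if element_id == ELEMENT_ID_SSID:
            ssid = value.decode("utf-8", errors="replace")
        offset += 2 + length

    return {
        "receiver": addr1,
        "transmitter": addr2,
        "bssid": addr3,
        "bssid_is_wildcard": addr3 == WILDCARD_BSSID,
        "to_ds": bool(fc1 & 0x01),
        "from_ds": bool((fc1 >> 1) & 0x01),
        "sequence": seq_ctrl >> 4,
        "fragment": seq_ctrl & 0x0F,
        "ssid": ssid,                       # None if no SSID element, "" if wildcard SSID
        "ssid_is_wildcard": ssid == "",
    }


def classify(frame: bytes) -> str:
    """One-word verdict useful for a WIDS rule or a capture summary."""
    info = parse_probe_request(frame)
    return "wildcard" if info["bssid_is_wildcard"] else "directed"


if __name__ == "__main__":
    scan = build_probe_request("84:38:38:58:63:d5", WILDCARD_BSSID, "")
    directed = build_probe_request("4b:3b:67:a4:4d:fe", "ef:e1:f9:51:09:e6",
                                   "Starbucks", receiver="80:1d:30:a5:81:39", seq=1257)
    for f in (scan, directed):
        print(classify(f), parse_probe_request(f))
```

Run on real captures, feed `parse_probe_request` the 802.11 frame bytes with the radiotap header and trailing FCS already removed; a frame whose FCS check failed (as in the capture quoted above) should be discarded before parsing rather than trusted, since any of the address fields may be corrupted. Counting directed versus wildcard probes per transmitter is a cheap way to spot stations that have been told to lock onto one BSSID.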