Do 802.11 probe requests ever contain real BSSIDs?

It seems like 802.11 probe requests never contain a real BSSID but rather a wildcard BSSID (e.g. ff:ff:ff:ff:ff:ff); however, I can't seem to find any documentation stating this. This Meraki documentation says:

"Because the probe request is sent from the mobile station to the destination layer-2 address and BSSID of ff:ff:ff:ff:ff:ff all AP's that receive it will respond."

Does this mean the probe requests never contain real BSSIDs? Even though they sometimes contain SSIDs?

I've seen many Probe Request frames with a specific BSSID. For example, in a wireless distribution system (WDS), one AP would probe another AP with a specific BSSID since they have the same SSID:

Frame 2022: 310 bytes on wire (2480 bits), 310 bytes captured (2480 bits)
Radiotap Header v0, Length 25
802.11 radio information
IEEE 802.11 Probe Request, Flags: opmP..FT.
    Type/Subtype: Probe Request (0x0004)
    Frame Control Field: 0x41f3
        .... ..01 = Version: 1
        .... 00.. = Type: Management frame (0)
        0100 .... = Subtype: 4
        Flags: 0xf3
            .... ..11 = DS status: WDS (AP to AP) or Mesh (MP to MP) Frame (To DS: 1 From DS: 1) (0x3)
            .... .0.. = More Fragments: This is the last fragment
            .... 0... = Retry: Frame is not being retransmitted
            ...1 .... = PWR MGT: STA will go to sleep
            ..1. .... = More Data: Data is buffered for STA at AP
            .1.. .... = Protected flag: Data is protected
            1... .... = Order flag: Strictly ordered
    .101 1101 0001 0110 = Duration: 23830 microseconds
    Receiver address: 80:1d:30:a5:81:39 (80:1d:30:a5:81:39)
    Destination address: 80:1d:30:a5:81:39 (80:1d:30:a5:81:39)
    Transmitter address: 4b:3b:67:a4:4d:fe (4b:3b:67:a4:4d:fe)
    Source address: 4b:3b:67:a4:4d:fe (4b:3b:67:a4:4d:fe)
    BSS Id: ef:e1:f9:51:09:e6 (ef:e1:f9:51:09:e6)
    .... .... .... 0010 = Fragment number: 2
    0100 1110 1001 .... = Sequence number: 1257
    Frame check sequence: 0x853d68c9 [incorrect, should be 0x7089dc98]
    [FCS Status: Bad]
    HT Control (+HTC): 0x8ab91f91
    WEP parameters
Data (245 bytes)

Assume your PC had joined an open wireless network named Starbucks, and when you are at home, if some rogue AP has the same name, then your PC connects to the AP. That's why some clients will actually allow you to optionally select a BSSID as well. And in ad-hoc networks, there are many probe requests with a specific BSSID.

I cannot find anything that definitely says a probe request will never contain a real BSSID. Yet in all examples I've found online, it is set to ff:ff:ff:ff:ff:ff. Here is another case from the blog of a wireless network expert:

Below shows the detail of Probe Request frame sent by the client which is a management type with subtype value of 4. As you can see client is sending it 6Mbps (lowest supported rate by the client). Address fields are set like below

Address Field-1 = Receiver Address (= Destination Address) ff:ff:ff:ff:ff:ff

Address Field-2 = Transmitter Address (= Source Address) 84:38:38:58:63:D5

Address Field-3 = BSSID ff:ff:ff:ff:ff:ff

In addition I did my own testing and never found a real BSSID broadcast. So while I won't say it never happens, it definitely happens so rarely that it's worth considering that it will never be available.
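
For anyone classifying probe requests in their own captures, here is an added example (not part of the original question or answers) that reads Address 1/2/3 and the SSID element from a raw 802.11 frame and reports whether Address 3 is the wildcard BSSID. It checks the FCS and the fixed header bits before trusting Address 3, because a frame that fails the FCS can show a corrupted BSSID. Assumptions: radiotap is already stripped, the 4-byte FCS is present, and all sample frames and MAC addresses are constructed.

```python
import struct
import zlib

WILDCARD = b"\xff" * 6

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_probe_request(frame):
    """Parse a raw 802.11 frame (radiotap stripped, 4-byte FCS present).
    Returns None if the frame is not a probe request."""
    if len(frame) < 28:
        raise ValueError("too short for management header + FCS")
    mpdu, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    fc = struct.unpack_from("<H", mpdu, 0)[0]
    version, ftype, subtype = fc & 0x3, (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype != 4:          # management / probe request
        return None
    addr1, addr2, addr3 = mpdu[4:10], mpdu[10:16], mpdu[16:22]
    ssid = None
    if len(mpdu) >= 26 and mpdu[24] == 0:   # first tagged element: SSID (ID 0)
        ssid = mpdu[26:26 + mpdu[25]].decode("utf-8", "replace")
    fcs_ok = (zlib.crc32(mpdu) & 0xFFFFFFFF) == fcs
    # Check applied here: protocol version 0 and To DS = From DS = 0,
    # as expected for an ordinary management frame.
    sane = version == 0 and not (fc & 0x0300)
    return {"da": mac(addr1), "sa": mac(addr2), "bssid": mac(addr3),
            "bssid_wildcard": addr3 == WILDCARD, "ssid": ssid,
            "fcs_ok": fcs_ok, "trustworthy": fcs_ok and sane}

def build_frame(fc, da, sa, bssid, ssid=b""):
    """Constructed test input: header + SSID element + valid FCS."""
    mpdu = struct.pack("<HH", fc, 0) + da + sa + bssid + struct.pack("<H", 0)
    mpdu += bytes([0, len(ssid)]) + ssid
    return mpdu + struct.pack("<I", zlib.crc32(mpdu) & 0xFFFFFFFF)

# Constructed sample frames (locally administered MACs, not from a capture).
STA = bytes.fromhex("020000000001")
AP = bytes.fromhex("0200000000aa")
BROADCAST_PROBE = build_frame(0x0040, WILDCARD, STA, WILDCARD)
DIRECTED_PROBE = build_frame(0x0040, AP, STA, AP, b"Starbucks")
_flipped = bytearray(BROADCAST_PROBE)
_flipped[16] ^= 0x10                        # one bit error in Address 3
CORRUPTED = bytes(_flipped)

if __name__ == "__main__":
    for f in (BROADCAST_PROBE, DIRECTED_PROBE, CORRUPTED):
        print(parse_probe_request(f))
```

The corrupted sample decodes with a non-wildcard BSSID yet fails the FCS check, so it is reported as not trustworthy.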
