On Sunday, Mar 30, 2003, at 15:37 Pacific/Honolulu, Per von Zweigbergk wrote:

> Thanks for an excellent response, although it left some questions
> unanswered.
>
> If searching for networks can be done entirely passively, why doesn't
> the Airport driver (looking in the menu close to the clock), (and
> consequently not macstumbler) do it this way?

A wireless computer can either obtain information about an access point passively -- by listening for beacon packets. Or actively, by generating a probe -- and getting a "probe response" from an access point.

I think Apple actively probes rather than just listens ... but I'm not absolutely certain.

If you walk/drive around and keep looking at the little menu, you will see ESSIDs of various wireless networks appear (as their signal is detected) and disappear (as their signal is lost).

[To do this, make sure you have the AirPort signal strength indicator on the menu bar by selecting "Show AirPort status in menu bar" on the Internet Connect popup. Then click once on the signal display on the menu (near the clock). Don't click on anything else, and it will stay up, showing you the SSIDs of the visible networks. Information it gets by passive monitoring.]

Note, though, that it only shows you the ESSIDs. It doesn't show all the extra information that you get from macstumbler, istumbler, or kisMAC.

... and it will NOT show any wireless networks which are not broadcasting their ESSIDs in their beacon packets.

> Also, when you refer to turning off beacon packets (for cisco AP's etc)
> is this the same as the "closed network" feature that among others
> Airport provides? Or is that just not replying to packets with ANY as the
> ESSID?

Related, but not quite the same feature.

To start an association (i.e., to try and join a wireless network), a "station" (computer with wireless card) is supposed to send a "probe frame" on all the frequencies it is capable of. And the probe should contain the specific ESSID of the wireless network it is trying to join.

However, if the ESSID in the probe is "ANY", most brands of wireless access points will respond with a probe response frame containing a string which is their actual ESSID. In particular, Cisco and Apple AirPort access points respond this way by default. (Some brands respond the same way if the probe frame contains the null string instead of "any" as well.)

Sending probe frames is "active monitoring".

By configuring the access point for "closed network", it will only respond to probe frames with the access point's real ESSID. (Both Cisco and Apple access points can be configured this way, and others as well.)

However, essentially all access points -- by default -- broadcast their ESSIDs in their "beacon frames". That typically has to be turned off separately. For Cisco access points, that means turning off "ESSID broadcasts". I'm not sure how (or even if) that can be turned off for Apple access points.

Just listening -- for beacon frames and other frames (including data frames) is "passive monitoring".
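
An added example, not part of the original message: a small parser that reads the ESSID element from beacon and probe-response frames and reports, per access point, which frame kinds disclose the name, useful for checking what your own access points reveal once ESSID broadcasts are turned off. It assumes bare 802.11 management frames (no radiotap header, no FCS); the function names and the sample frames are constructed for illustration.

```python
import struct

SUBTYPES = {4: "probe-request", 5: "probe-response", 8: "beacon"}

def parse_ssid(frame: bytes):
    """Return (frame kind, SSID element bytes or None) for a bare 802.11
    management frame (no radiotap header, no FCS)."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPES:
        raise ValueError("not a beacon or probe frame")
    # Beacons and probe responses have 12 bytes of fixed fields
    # (timestamp, beacon interval, capabilities) before the tagged elements.
    off = 24 + (12 if subtype in (5, 8) else 0)
    while off + 2 <= len(frame):
        eid, elen = frame[off], frame[off + 1]
        body = frame[off + 2: off + 2 + elen]
        if len(body) < elen:
            raise ValueError("truncated element")
        if eid == 0:  # element ID 0 is the SSID
            return SUBTYPES[subtype], body
        off += 2 + elen
    return SUBTYPES[subtype], None

def is_hidden(ssid):
    # Closed-network beacons carry an empty or all-NUL SSID element.
    return not ssid or set(ssid) == {0}

def audit(frames):
    """Map each BSSID to the ESSID it disclosed per frame kind (None if hidden)."""
    seen = {}
    for f in frames:
        kind, ssid = parse_ssid(f)
        if kind == "probe-request":
            continue
        entry = seen.setdefault(f[16:22].hex(":"), {"beacon": None, "probe-response": None})
        if not is_hidden(ssid):
            entry[kind] = ssid.decode("utf-8", "replace")
    return seen

def build(subtype, bssid, ssid):
    """Construct a minimal sample frame (test data only, not a capture)."""
    hdr = bytes([subtype << 4, 0]) + b"\x00\x00" + b"\xff" * 6 + bssid * 2 + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 1) if subtype in (5, 8) else b""
    return hdr + fixed + bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82])

AP_OPEN, AP_CLOSED = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SAMPLE = [build(8, AP_OPEN, b"office"), build(8, AP_CLOSED, b""),
          build(5, AP_CLOSED, b"lab")]

if __name__ == "__main__":
    for bssid, names in audit(SAMPLE).items():
        print(bssid, names)
```

In the constructed sample, the second access point's beacon carries an empty ESSID, yet its probe response still names the network.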