Yah... essentially that is what hiding your SSID does. It causes it to be stripped from the beacon frames, hence the different data structure. Any data packets sent *to* the AP by a valid client will contain the name of the network. The reason you'd want to de-auth flood is to pick up a decrypted packed that contains the SSID, which you can get from the association request frame.
Another thing to think about, is that sometimes clients alreay connected to the network will send a probe request, causing the AP to reply with the SSID. In this case just listening for long enough could get you the name... but if you can successtfully de-auth a client, they'll usually try to reconnect immediately, which will give you the name.
Anyway, hope this makes sense, I have a tendency to ramble :-p
-- Kevin
> I don't think you need to use a de-auth flood to determine this...but > I could be wrong. Sniff the traffic going to this wap's channel and > tell kismac to save it to a pcap file. Open the pcap in ethereal and > see if you can see the ssid there. Don't remember the ethereal filter > exactly right now...just got back from Defcon and I'm a little > fuzzy ;-)
Defcon fuzz....ah the memories ;-)
The interesting thing about the pcap is that the structure of the Beacon packets is different, such that there is NO ssid value or data structure at all. I'm guessing the Malcolm is assuming there will always be an SSID structure, maybe by a specific byte offset, and is picking up junk off the tail end of the buffer when one is not actually there.
I'll have to consider if a deauth flood from the Walmart parking lot is a good idea or not...might need to go inside and buy some cheap sunglasses first ;-)