views: 40

answers: 1

I'm writing a Python module for finding nearby WiFi client devices. All my current scanner does is listen for Probe Requests and log the client's MAC address.

The problem I'm having is that I'm completely reliant on the device broadcasting a probe request for me to discover it.

I'm wondering if there is any other way to discover devices. Using this site as an 802.11 guide, I've come up with these ideas:

  • Send out Broadcast packets with generic SSIDs to see if clients respond. For example, sending out a broadcast with 'Netgear' as the AP SSID and see if any clients with known 'Netgear' profiles respond
  • Send out disassociation packets to force already connected clients to rescan the airwaves

I haven't tested these two ideas yet. Just spitballing.

Thoughts?

A: 

I don't think the broadcast idea will work. Broadcast traffic in 802.11 is not acked so there's no reason for the stations to respond to such traffic. The only way is if you're connected to the AP in question in which case you could do a broadcast ICMP echo request or something similar (but you'd only get responses from stations in the same ESS).

I don't think the disassociate packet idea will work either because it will have to be addressed to the station and you presumably don't know that address.

I would suggest just sniffing all traffic and keeping track of which MAC addresses you see. You don't have to depend on stations probing, but you do depend on them sending something (anything) sometime.

Per Ekman
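The passive approach the answer recommends, as an added example that is neither the asker's module nor the answerer's code: a small parser for raw 802.11 MAC headers that records every transmitter (and, for AP-to-station data frames, the addressed receiver) it sees, sorted into "station" and "ap" by the To-DS/From-DS bits and the management-frame address layout. It assumes the capture interface is in monitor mode and that any radiotap header has already been stripped, so each frame starts at the Frame Control field; the sample frames at the bottom are constructed for the example rather than captured.

```python
import time

# 802.11 frame types (bits 2-3 of the first Frame Control byte) and DS flags.
TYPE_MGMT, TYPE_CTRL, TYPE_DATA = 0, 1, 2
FLAG_TO_DS, FLAG_FROM_DS = 0x01, 0x02


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def is_group_addr(mac: str) -> bool:
    # Bit 0 of the first octet marks multicast/broadcast addresses.
    return int(mac[:2], 16) & 0x01 == 1


def observe_frame(frame: bytes):
    """Return (role, mac) pairs learned from one raw 802.11 frame.

    Assumes the radiotap/PRISM header has been stripped so the frame starts
    at Frame Control. Control frames (ACK, CTS, RTS, ...) carry at most a
    receiver address and are skipped.
    """
    if len(frame) < 2:
        return []
    fc, flags = frame[0], frame[1]
    ftype = (fc >> 2) & 0x03
    if ftype == TYPE_CTRL or len(frame) < 22:
        return []
    addr1, addr2, addr3 = (mac_str(frame[i:i + 6]) for i in (4, 10, 16))
    to_ds, from_ds = bool(flags & FLAG_TO_DS), bool(flags & FLAG_FROM_DS)
    found = []
    if ftype == TYPE_DATA:
        if to_ds and not from_ds:        # station -> AP: addr2 = station, addr1 = BSSID
            found += [("station", addr2), ("ap", addr1)]
        elif from_ds and not to_ds:      # AP -> station: addr2 = BSSID, addr1 = station
            found.append(("ap", addr2))
            if not is_group_addr(addr1):  # the receiver reveals a client even if it never transmits
                found.append(("station", addr1))
        elif not to_ds and not from_ds:  # IBSS / direct: treat the transmitter as a station
            found.append(("station", addr2))
        # both bits set = WDS between APs; nothing client-related to record
    else:                                # management: addr2 = SA, addr3 = BSSID
        if addr2 == addr3:
            found.append(("ap", addr2))       # beacon / probe response from the AP itself
        else:
            found.append(("station", addr2))  # probe request, auth, assoc from a client
            if not is_group_addr(addr3):
                found.append(("ap", addr3))
    return found


class StationTracker:
    """Keeps first/last-seen timestamps and a frame count per MAC address."""

    def __init__(self):
        self.records = {}  # mac -> {"role", "first", "last", "frames"}

    def feed(self, frame: bytes, ts: float = None):
        ts = time.time() if ts is None else ts
        for role, mac in observe_frame(frame):
            rec = self.records.setdefault(mac, {"role": role, "first": ts, "last": ts, "frames": 0})
            rec["last"] = ts
            rec["frames"] += 1

    def macs(self, role: str):
        return sorted(m for m, r in self.records.items() if r["role"] == role)


def build_frame(ftype, subtype, flags, addr1, addr2, addr3):
    """Construct a minimal 24-byte 802.11 header (sample input for this example)."""
    fc = (subtype << 4) | (ftype << 2)
    return (bytes([fc, flags]) + b"\x00\x00" + mac_bytes(addr1)
            + mac_bytes(addr2) + mac_bytes(addr3) + b"\x00\x00")


# Constructed sample capture: locally administered (02:...) addresses, not real devices.
AP, BCAST = "02:00:00:aa:aa:aa", "ff:ff:ff:ff:ff:ff"
SAMPLE_FRAMES = [
    build_frame(TYPE_MGMT, 8, 0, BCAST, AP, AP),                                          # beacon from the AP
    build_frame(TYPE_MGMT, 4, 0, BCAST, "02:00:00:11:11:11", BCAST),                      # probe request, client 1
    build_frame(TYPE_DATA, 0, FLAG_TO_DS, AP, "02:00:00:22:22:22", "02:00:00:dd:dd:dd"),  # client 2 -> AP
    build_frame(TYPE_DATA, 0, FLAG_FROM_DS, "02:00:00:33:33:33", AP, "02:00:00:dd:dd:dd"),  # AP -> client 3
    bytes([0xD4, 0x00, 0x00, 0x00]) + mac_bytes(AP),                                      # ACK: nothing learned
]


def run_sample():
    tracker = StationTracker()
    for i, frame in enumerate(SAMPLE_FRAMES):
        tracker.feed(frame, ts=1_700_000_000 + i)
    return tracker


if __name__ == "__main__":
    t = run_sample()
    for mac in t.macs("station"):
        print(mac, t.records[mac])
```

Client 3 never sends a probe request and is only ever the receiver of a downlink data frame, which is the case the answer's "sniff everything" advice covers and a probe-only scanner misses. Feeding real frames in is a matter of replacing `SAMPLE_FRAMES` with packets read from a monitor-mode interface (the radiotap header length is in bytes 2-3 of each radiotap frame, little-endian).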