Even though the attacker gathers a considerable amount of information about a wireless network through sniffing, without revealing his wireless presence at all, some pieces may still be missing. The attacker then sends artificially constructed packets to a target that trigger useful responses. This activity is known as probing or active scanning.
The target may discover that it is being probed; it might even be a honeypot (www.honeynet.org/), a target carefully constructed to trap the attacker. The attacker will try to minimize this risk.
Detection of SSID
Detection of SSID is often possible by simply sniffing Beacon frames, as described in a previous section.
If Beacon transmission is disabled, and the attacker does not wish to wait patiently for a voluntary Associate Request from a legitimate station that already has the correct SSID, or for Probe Requests from legitimate stations, he will resort to probing by injecting a Probe Request frame that contains a spoofed source MAC address. The Probe Response frames from the APs will contain, in the clear, the SSID and other information similar to what the Beacon frames would carry were they enabled. The attacker sniffs these Probe Responses and extracts the SSIDs.
Some models of AP have an option to disable responding to Probe Requests that do not contain the correct SSID. In this case, the attacker identifies a station associated with the AP and sends it a forged Disassociation frame whose source MAC address is set to that of the AP. The station will then send a Reassociation Request that exposes the SSID.
Detection of APs and stations
Every AP is a station, so its SSID and MAC address are gathered as described above.
Certain bits in the frame header identify whether a frame was sent by an AP. If we assume that WEP is either disabled or cracked, the attacker can also gather the IP addresses of the AP and the stations.
Detection of probing is possible. The frames that an attacker injects can also be heard by the intrusion detection system (IDS) of a hardened wireless LAN. There is GPS-enabled equipment that can identify the physical coordinates of the wireless device from which the probe frames are being transmitted.
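An added example of the IDS-side view described above (not code from the original text): a minimal parser for the 802.11 management frames the section discusses, plus detection logic that flags repeated wildcard Probe Requests from one source and a Disassociation carrying the AP's address followed by a Reassociation Request from the same station. The frames, MAC addresses and SSID are constructed for the example; the function names and the threshold are assumptions.

```python
from collections import Counter

# 802.11 (type, subtype) pairs for the management frames the text discusses
PROBE_REQ, DISASSOC, REASSOC_REQ = (0, 4), (0, 10), (0, 2)

def parse_mgmt(frame: bytes) -> dict:
    """Parse the 24-byte management header; pull the SSID (tag 0) from Probe/Reassociation Requests."""
    fc = frame[0]                       # version | type | subtype packed in one byte
    kind = ((fc >> 2) & 0x3, fc >> 4)
    mac = lambda off: frame[off:off + 6].hex(":")
    rec = {"type": kind, "dst": mac(4), "src": mac(10), "bssid": mac(16), "ssid": None}
    body = frame[24:]
    if kind == REASSOC_REQ:             # skip capability(2) + listen interval(2) + current AP(6)
        body = body[10:]
    if kind in (PROBE_REQ, REASSOC_REQ) and len(body) >= 2 and body[0] == 0:
        rec["ssid"] = body[2:2 + body[1]].decode(errors="replace")
    return rec

def detect_probing(frames, ap_bssid, probe_threshold=3):
    """Flag repeated wildcard Probe Requests per source, and a Reassociation Request that follows
    a Disassociation bearing the AP's address. The second check is a heuristic: the sensor alone
    cannot tell a forged Disassociation from a genuine AP-initiated one, so both will fire."""
    alerts, wildcard, kicked = [], Counter(), set()
    for f in map(parse_mgmt, frames):
        if f["type"] == PROBE_REQ and not f["ssid"]:
            wildcard[f["src"]] += 1
            if wildcard[f["src"]] == probe_threshold:
                alerts.append(("probe-flood", f["src"]))
        elif f["type"] == DISASSOC and f["src"] == ap_bssid:
            kicked.add(f["dst"])
        elif f["type"] == REASSOC_REQ and f["src"] in kicked:
            alerts.append(("disassoc-then-reassoc", f["src"], f["ssid"]))
    return alerts

# --- constructed sample capture (not real traffic); MACs and SSID are made up ---
def mgmt_frame(subtype, dst, src, bssid, body=b""):
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return bytes([subtype << 4, 0]) + b"\x00\x00" + mac(dst) + mac(src) + mac(bssid) + b"\x00\x00" + body

AP, VICTIM, PROBER = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:01"
BCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE = [
    mgmt_frame(4, BCAST, PROBER, BCAST, b"\x00\x00"),   # Probe Request with empty (wildcard) SSID
    mgmt_frame(4, BCAST, PROBER, BCAST, b"\x00\x00"),
    mgmt_frame(4, BCAST, PROBER, BCAST, b"\x00\x00"),
    mgmt_frame(10, VICTIM, AP, AP, b"\x08\x00"),        # Disassociation claiming to come from the AP
    mgmt_frame(2, AP, VICTIM, AP, b"\x11\x00\x0a\x00"   # Reassociation Request from the station...
               + bytes.fromhex(AP.replace(":", "")) + b"\x00\x07corpnet"),  # ...carries the SSID in the clear
]
```

Running `detect_probing(SAMPLE, AP)` yields one probe-flood alert for the prober and one disassoc-then-reassoc alert naming the station and the exposed SSID.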