Wireless – Can a probe request be answered on a different channel

Tags: ieee-802.11, wireless

I am monitoring the 802.11 traffic in my network, and especially the active probing from my smartphone. I am sending Probe Requests for certain hidden SSIDs, but also an Undirected Probe Request, supposed to reveal networks matching the capabilities announced by my device.

I am in Europe, so we get to use more channels than in the US I think (right?) and thus they overlap.

As expected, the scanning takes place on different channels in turn, but what surprises me is this behaviour:

An undirected probe request sent on channel 5 is answered by an AP on channel 6.
Is this completely normal behaviour i.e. defined anywhere in the official specs?

EDIT: Here is the content of both probe request and response, I am basing my assumption on the DS Parameter Set: Current Channel.
(Picture hosted on i.imgur, not reproduced here.)

The time difference between the two frames is 4ms, and I did not observe any other activity on the waves during this time period.

EDIT: Here is the command I run with airodump-ng 1.0
airodump-ng -c 6 mon0

and the capture tool shows beacons coming from APs on channels 2 to 9. To me it means that airodump accepts all packets visible on a frequency range, without dismissing them according to the Current Channel parameter, which makes sense for performance reasons.

If the router has the same behaviour for answering probe requests… this may be why. (Starting to question the selectivity of the frequency filters used in our beloved routers.)

EDIT 1:

Is this behaviour 1) repeatable? Could someone with a working device please try to observe this?
2) specified somewhere in the 802.11 references? I could not find it myself.

EDIT 2:

Thanks to everyone so far who tried repeating this setup. Here is my last attempt at getting an explanation to this. I need to move on 😛 Here is the exact order in which I did things.

root@mymachine:~# iwconfig :: no mon interface, wlan0 is managed, not associated, and on channel 6: 2.437GHz
root@mymachine:~# airmon-ng start wlan0 6 :: mon0 created, set on channel 6: 2.437GHz

This is confirmed later by another iwconfig. (On a side note, I can change the channel of wlan0, and mon0 stays independent.)

root@mymachine:~# airodump-ng mon0 --channel 6 -w out --output-format pcap :: start a capture on channel 6, write to a file. 

Observation: airodump-ng doesn't display any change in channel; the top left corner is fixed on number 6. However, beacons are observed on channels 2 to 11…
-> Apparently there is no selectivity, and passing the channel arguments to both airmon-ng and airodump-ng seems pointless.

Observed with:
CHIPSET Intel 4965 driver iwlwifi
CHIPSET Atheros AR 9271 driver ath9k

Screenshot: (image not reproduced here.)

Best Answer

What happens is that your wireless device, even when tuned for channel 6 (2437), also has a small probability of receiving frames from neighbouring channels, such as channels 5 and 7, and even further away (with less probability).

This is highly dependent on the wireless interface that you use. The worst radio that I found was an AR9170 based USB adapter, which was able to pick up traffic on channel 1 when tuned for channel 6. Some other interfaces (e.g. AR9280) do not have this problem, or it is fairly reduced.

PS: AR9271 is not supported by the ath9k driver, but by the ath9k_htc driver. Because this card seems to be the natural successor to AR9170, I am not surprised that you experience the same issue.
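The check both the question (comparing the DS Parameter Set "Current Channel" of a Probe Response against the channel the monitor interface was tuned to) and the answer (frames leaking in from neighbouring channels) call for can be scripted. The following is an added example, not code from the question, the answer, or the aircrack-ng project: it parses the information elements of a Probe Response body, reads the DS Parameter Set, and labels the frame as on-channel, adjacent-channel bleed (centre frequencies closer than the channel width), or far-channel bleed. The frame bodies are constructed by hand and the function names are hypothetical; to run it on real frames from the pcap that `airodump-ng -w out` writes, strip the radiotap header and the 24-byte management MAC header first.

```python
# Added example: extract the DS Parameter Set from 802.11 Probe Response
# bodies and compare the announced channel with the radio's tuned channel.
# All sample frames below are constructed, not captured; helper names are
# hypothetical and not part of any library.

IE_SSID = 0             # information element IDs from IEEE 802.11
IE_SUPPORTED_RATES = 1
IE_DS_PARAMS = 3        # DS Parameter Set: one byte, the current channel


def channel_to_freq_mhz(channel):
    """Centre frequency of a 2.4 GHz channel (1-13 are 5 MHz apart, 14 is special)."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    raise ValueError("not a 2.4 GHz channel: %r" % channel)


def parse_ies(tagged):
    """Parse the tagged-parameter area (ID, length, value TLVs) into a dict.

    The first occurrence of each element ID wins; a truncated element raises.
    """
    ies = {}
    pos = 0
    while pos < len(tagged):
        if pos + 2 > len(tagged):
            raise ValueError("truncated IE header at offset %d" % pos)
        eid, elen = tagged[pos], tagged[pos + 1]
        value = tagged[pos + 2:pos + 2 + elen]
        if len(value) != elen:
            raise ValueError("truncated IE %d at offset %d" % (eid, pos))
        ies.setdefault(eid, value)
        pos += 2 + elen
    return ies


def probe_response_channel(frame_body):
    """Return the channel announced in a Probe Response body, or None if absent.

    Body layout: timestamp (8) + beacon interval (2) + capability (2) + IEs.
    """
    if len(frame_body) < 12:
        raise ValueError("probe response body too short")
    ds = parse_ies(frame_body[12:]).get(IE_DS_PARAMS)
    if ds is None or len(ds) != 1:
        return None
    return ds[0]


def channels_overlap(a, b, width_mhz=20):
    """True if two 2.4 GHz channels' passbands overlap (centres closer than width)."""
    return abs(channel_to_freq_mhz(a) - channel_to_freq_mhz(b)) < width_mhz


def classify(tuned_channel, frame_body):
    """Label a captured Probe Response relative to the radio's tuned channel."""
    announced = probe_response_channel(frame_body)
    if announced is None:
        return "no-ds-parameter-set"
    if announced == tuned_channel:
        return "on-channel"
    if channels_overlap(tuned_channel, announced):
        return "adjacent-channel-bleed"
    return "far-channel-bleed"


def build_probe_response(ssid, channel=None):
    """Construct a minimal Probe Response body (sample data, not a real capture)."""
    body = bytes(8)                                   # TSF timestamp
    body += (100).to_bytes(2, "little")               # beacon interval, 100 TU
    body += (0x0001).to_bytes(2, "little")            # capability: ESS
    body += bytes([IE_SSID, len(ssid)]) + ssid.encode()
    body += bytes([IE_SUPPORTED_RATES, 1, 0x82])      # 1 Mbit/s, basic rate
    if channel is not None:                           # omit to simulate a missing DS element
        body += bytes([IE_DS_PARAMS, 1, channel])
    return body


if __name__ == "__main__":
    # The situation from the question: radio tuned to channel 5, AP answers on 6.
    response = build_probe_response("office-ap", 6)
    print(classify(5, response))   # adjacent-channel-bleed
```

The `width_mhz` parameter is 20 MHz (OFDM channel width) by default; passing 22 reproduces the wider 802.11b DSSS passband, which is why the classic non-overlapping sets differ (1/5/9/13 versus 1/6/11). Running `classify` over every Probe Response in a capture, keyed by the channel the interface was actually set to, separates genuine on-channel answers from the receiver bleed the answer describes.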
