When you pick up your smartphone and unlock the screen, it instantly begins searching for familiar access points. This background process happens in a split second, but it's the basis of a technology known as WiFi Probe RequestMany users are unaware that their device is constantly "shouting" its presence into the airwaves, broadcasting a list of networks it has previously connected to.
Understanding how they work probe queries, is essential not only for system administrators but also for ordinary gadget owners. This knowledge helps us understand the true scale of digital surveillance and why public Wi-Fi networks can be dangerous even without connecting to them.
In this article, we'll examine the technical aspects of the scanning process, examine the packet structure, and discuss how modern operating systems try to hide these signals from prying eyes.
Technical nature of Probe Request packets
The network discovery mechanism is based on the IEEE 802.11 standard. When a client device (laptop, phone, tablet) wants to find an available Wi-Fi network, it sends broadcast or addressed management frames. These frames are called Probe RequestsThey operate at the MAC addressing level and do not require prior association with an access point.
There are two main types of scanning. Passive scanning involves the device simply listening in on the air. Beacon frames From routers. Active scanning, which is more often used to speed up connections, forces the device to initiate a dialogue itself. It broadcasts requests on all available channels, asking, "Is there a network named X here?"
Interestingly, historically these packets contained the real network name (SSID) in cleartext. If your phone previously connected to your "Home_WiFi" home network, it would constantly broadcast the question "Where is Home_WiFi?" This allowed attackers to easily track a person's movements using the unique network names they visited.
⚠️ Note: Older devices (before Android 10 and iOS 14) often sent these requests even when Wi-Fi was turned off in the user interface if the geolocation feature required location confirmation.
Modern security standards require a more thorough approach. The 802.11mc (Wi-Fi Round Trip Trip) protocol and new privacy features have changed the rules of the game, but the basic operating principle probe frames remained unchanged to ensure compatibility.
Packet structure and network search process
Digging deeper into that, What is a WiFi probe?, it's necessary to examine the structure of the frame itself. The Probe Request packet consists of a header, a body, and a trailer (FCS). The frame body contains the parameters that the client wishes to negotiate with the access point before connecting.
The key element here is the field SSIDIn the classic scenario, it can be empty (Broadcast SSID), which means "Is anyone here?", or it can contain a specific network name. The packet also transmits supported data rates and channel information.
The process looks like this:
- 📡 The device switches to channel 1 and sends a Probe Request.
- 📡 If the access point hears the request and the network name matches (or the request is broadcast), it responds with a Probe Response.
- 📡 The device receives a response, evaluates the signal strength (RSSI) and moves on to the next channel.
It's important to note that this data exchange occurs at a low transmission rate to ensure maximum detection range. This is why even a weak signal from your phone can be intercepted by specialized equipment from tens of meters away.
What's inside the packet header?
The 802.11 frame header contains information about the frame type (control), the recipient address (usually broadcast FF:FF:FF:FF:FF:FF), and the source address (your device's MAC address). It also contains a sequence number, which allows you to track the number of requests sent.
Analysis of these packets allows not only to find the network, but also to carry out deanonymization user, if the device manufacturer has not implemented MAC address randomization mechanisms.
Security Threats: From Surveillance to Attacks
The main problem with classic Probe Requests is their openness. Anyone with a laptop and a packet sniffer (for example, Wireshark or Airodump-ng) can see which networks your device is searching for. This poses a serious privacy risk.
Attackers use this information to create so-called "Evil Twins." If they see a request for the "Free_Airport_WiFi" network, they can instantly create an access point with the same name. Your device, believing it to be safe and familiar, may attempt to connect automatically, transmitting the password hash or falling into a trap designed to intercept traffic.
Key risks include:
- 🕵️ Location tracking: using unique SSIDs (e.g. "Ivan_i_Maria_Home"), you can track a person's route.
- 🎣 Phishing: redirection to fake authorization pages during automatic connection.
- 🔓 Handshake attacks: intercepting a 4-way handshake to subsequently brute-force a password.
⚠️ Note: Even if you are not connected to a network, the very fact of sending a Probe Request with the name of your home network reveals that you are within range and have access to that network.
In addition, a constant stream of requests can be used for attacks like Deauthentication, when an attacker forcibly breaks the connection between a legitimate client and a router, forcing the device to search for the network again and again and generate traffic.
Comparison of the behavior of devices with different operating systems
Different operating systems handle Probe Request generation differently. This is due to evolving security standards and updated privacy policies. Below is a table demonstrating the differences in behavior.
| operating system | Probe Request Behavior | MAC randomization | Note |
|---|---|---|---|
| Windows 10/11 | Uses random MAC addresses when scanning | Yes (default) | Can use real MAC for known networks |
| Android 10+ | Strict randomization | Yes (required) | Before Android 10, a real MAC was used |
| iOS 14+ | Private Wi-Fi addressing | Yes (for each network) | Unique MAC for each access point |
| Linux (old) | Often the real MAC | No (requires configuration) | Depends on the driver and configuration |
As can be seen from the table, modern systems strive to minimize data leakage. However, MAC address randomization not always enabled by default for all scenarios, especially in enterprise environments or on older IoT devices.
Users should be aware that router and operating system firmware updates often contain patches that address vulnerabilities associated with information leakage through control frames.
Privacy protection methods and settings
To protect yourself from Probe Request analysis, you should enable privacy features on your devices. On modern smartphones, this is often called "Private Wi-Fi Address" or "Use Random MAC Address."
To set up on Android, go to Settings → Connections → Wi-Fi → Advanced. You can find the randomization option here. On iOS, the setting is in Settings → Wi-Fi → (i icon) next to the network → Private Wi-Fi AddressEnabling this feature forces the device to generate a new MAC address for each new network, which breaks the connection between your identity and the device in the eyes of an observer.
Also recommended:
- 🔒 Delete networks you no longer use from your phone's memory so that your device doesn't search for them.
- 🔒 Disable automatic connection to open networks.
- 🔒 Use a VPN when working with sensitive data, although this does not hide the Probe Request itself.
⚠️ Note: Settings interfaces may vary depending on your smartphone model and manufacturer's OS version. If you don't find this option, search for "MAC" or "Privacy" in the settings.
For corporate networks, the implementation of a standard is an important step 802.11w (Protected Management Frames), which encrypts some management frames, making deauthentication attacks impossible.
Traffic diagnostics and analysis
For security professionals, Probe Request analysis is an essential audit tool. Using tools like Kismet or Aircrack-ng, you can visualize activity on the air. This helps identify rogue access points or devices with improperly configured security.
The analysis process typically involves putting the network card into monitor mode. In this mode, the card stops filtering packets not intended for it and captures the entire airwaves. The command to start scanning in Linux might look like this:
sudo airodump-ng wlan0mon
In the program output, you'll see a "Probe" column, which displays the SSIDs that clients are searching for. If you see network names like "Home_5G" or "Office_Secure," it means there are devices in the area that have previously connected to networks with those names.
☑️ Wi-Fi Security Check
Understanding what a network administrator or attacker sees allows you to better configure security settings and reduce a device's digital footprint.
The Future of Technology and the 802.11ax/be Standard
With the development of Wi-Fi 6 (802.11ax) and Wi-Fi 7 (802.11be) standards, network discovery mechanisms continue to evolve. Target Wake Time (TWT) technologies and more efficient scanning methods are being introduced, allowing devices to broadcast less frequently, saving battery life and reducing the number of Probe Requests transmitted.
However, the fundamental problem remains: to connect, a device must somehow identify itself. The future lies in deeper integration of encryption at the control frame level and the use of certificates instead of simple network names for identification.
Users are left to rely on hardware manufacturers to provide timely software updates and implement new security standards.
Is it possible to completely disable sending Probe Requests?
It's impossible to completely disable their transmission when Wi-Fi is enabled, as this would disrupt the ability to connect to the network. However, you can minimize their information content by using MAC randomization and deleting saved networks.
Do providers see my Probe Requests?
The provider only sees the traffic that passes through its equipment after the connection is established. Probe Requests are sent at the radio channel level before the connection is established, so the provider doesn't see them, but anyone physically near you can see them.
Does Airplane Mode affect Probe Request?
Yes, enabling Aviation Mode completely disables all radios, including Wi-Fi. In this state, the device does not send any signals, including Probe Requests. However, if Wi-Fi is manually enabled after enabling Aviation Mode, scanning will resume.
Are Probe Requests dangerous for banking apps?
Probe Request packets themselves do not contain any banking application data. The danger lies in the risk of connecting to a rogue access point masquerading as a trusted network discovered through these requests. Always verify the network name before connecting.