What methods, other than listening for Probe Requests, can be used to find 802.11 wifi devices?
I'm writing a Python module for finding nearby WiFi client devices. All my current scanner does is listen for Probe Requests and log the client's MAC address.

The problem I'm having is that I'm completely reliant on the device broadcasting a probe request for me to discover it.

I'm wondering if there is any other way to discover devices. Using this site as an 802.11 guide, I've come up with these ideas:

  • Send out Broadcast packets with generic SSIDs to see if clients respond. For example, sending out a broadcast with 'Netgear' as the AP SSID and see if any clients with known 'Netgear' profiles respond
  • Send out disassociation packets to force already connected clients to rescan the airwaves

I haven't tested these two ideas yet. Just spitballing.

Thoughts?

Univocal answered 17/10, 2010 at 6:27 Comment(1)
Hi, sorry to jump on your thread but I'm a Jr. Javascript developer and I really need to create something like your Python Module (log client MAC address from probe requests). Do you have any information/links/guides you can direct me to, to accomplish something similar? I'm open to any languages, just having a really tough time with this! - Styles

I don't think the broadcast idea will work. Broadcast traffic in 802.11 is not acked so there's no reason for the stations to respond to such traffic. The only way is if you're connected to the AP in question in which case you could do a broadcast ICMP echo request or something similar (but you'd only get responses from stations in the same ESS).

I don't think the disassociate packet idea will work either because it will have to be addressed to the station and you presumably don't know that address.

I would suggest just sniffing all traffic and keeping track of which MAC-addresses you see. You don't have to depend on stations probing but you do depend on them sending something (anything) sometime.

Yestreen answered 23/10, 2010 at 18:44 Comment(0)

I'm actually working on the exact same thing. From what I can tell, as @PerEkman pointed out, there doesn't seem to be a way to elicit a response from a client device.

Your first idea - setting up an AP with a generic SSID - is very similar to a WiFi hack known as Mis-Association (among other names). Check out http://www.packtpub.com/article/backtrack-5-attacking-the-client for more information on how malicious hackers use this technique.

If you were so inclined, you could wait for probe requests from nearby client devices then create an AP with an SSID that matches what the client is looking for. Of course, the major downside to this approach is the possible need for as many APs as client devices.

You might also be able to use some ideas from here: http://hackaday.com/2011/10/04/wifi-jamming-via-deauthentication-packets/ The info is a tad sparse, but it would appear to suggest that it's possible to send a deauthentication packet to Broadcast (255.255.255.255) on a given channel and have all clients on that channel be forced to reauthenticate with their respective APs (assuming they were on one). Then you could just wait for the reauths and get your info that way. Maybe someone else can confirm this?

Azalea answered 29/4, 2013 at 20:46 Comment(2)
Holy cow, I just noticed the dates on here... Oh well, maybe someone will find this useful, lol. - Azalea
By any chance do you have references you could direct me to, to give me some idea how to start something like you guys are building? - Styles

You can also look for data frames and data-null frames sent by the Wi-Fi client device to the access point. These uplink frames from the STA will have ToDS=1 and FromDS=0 in the frame control field. Even if a client device is not actively downloading data, most will frequently send data-null frames periodically, either as a keep-alive or to signal its current power save state to the access point.

Provost answered 10/8, 2011 at 20:28 Comment(0)
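Both the "sniff everything and track the MACs you see" suggestion and the uplink-frame answer above come down to decoding the 2-byte Frame Control field and the address layout it implies. The following is an added example, not code from the question or any answer: it parses a raw 802.11 MAC header, keeps only ToDS=1/FromDS=0 data frames (including null and QoS-null keep-alives, with the Power Management bit), and builds a per-BSSID client inventory, the kind of passive listing a defender would use to spot unknown stations on their own network. The frames and MAC addresses are constructed in the block, not captured.

```python
import struct
from collections import defaultdict
TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_NULL, SUBTYPE_QOS_NULL = 4, 12  # "Null function" keep-alive / power-save subtypes

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_uplink(frame: bytes):
    """Return (sa, bssid, is_null, pwr_mgt) for an uplink data frame, else None.
    FC is little-endian 16-bit: bits 2-3 type, 4-7 subtype, 8 ToDS, 9 FromDS, 12 PwrMgt."""
    if len(frame) < 24:  # shortest 802.11 MAC header: FC, Duration, 3 addresses, SeqCtl
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    to_ds, from_ds, pwr_mgt = (fc >> 8) & 1, (fc >> 9) & 1, (fc >> 12) & 1
    if ftype != TYPE_DATA or to_ds != 1 or from_ds != 0:
        return None
    # With ToDS=1/FromDS=0 the addresses are Addr1=BSSID, Addr2=SA, Addr3=DA.
    bssid, sa = mac_str(frame[4:10]), mac_str(frame[10:16])
    return sa, bssid, subtype in (SUBTYPE_NULL, SUBTYPE_QOS_NULL), bool(pwr_mgt)

def inventory(frames):
    """Map each BSSID to the sorted list of client MACs seen sending uplink frames to it."""
    clients = defaultdict(set)
    for frame in frames:
        parsed = parse_uplink(frame)
        if parsed:
            clients[parsed[1]].add(parsed[0])
    return {bssid: sorted(macs) for bssid, macs in clients.items()}

def make_frame(fc: int, addr1: str, addr2: str, addr3: str) -> bytes:
    """Build a bare 24-byte MAC header (constructed test input, not a captured frame)."""
    macs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (addr1, addr2, addr3))
    return struct.pack("<HH", fc, 0) + macs + b"\x00\x00"

# Constructed sample "capture"; the MACs are placeholders, not real devices.
AP, STA1, STA2 = "02:00:00:00:00:01", "02:00:00:00:00:aa", "02:00:00:00:00:bb"
FC_DATA_TODS = (TYPE_DATA << 2) | (1 << 8)                          # uplink data
FC_NULL_TODS = FC_DATA_TODS | (SUBTYPE_NULL << 4)                   # null keep-alive (0x0148)
FC_QOSNULL_PS = FC_DATA_TODS | (SUBTYPE_QOS_NULL << 4) | (1 << 12)  # QoS null, PM=1
FC_DATA_FROMDS = (TYPE_DATA << 2) | (1 << 9)                        # downlink from AP
FC_BEACON = (TYPE_MGMT << 2) | (8 << 4)                             # beacon (management)
SAMPLE_FRAMES = [
    make_frame(FC_NULL_TODS, AP, STA1, AP),               # STA1 keep-alive to AP
    make_frame(FC_QOSNULL_PS, AP, STA2, AP),              # STA2 signalling power save
    make_frame(FC_DATA_TODS, AP, STA1, STA2),             # STA1 data for STA2 via AP
    make_frame(FC_DATA_FROMDS, STA1, AP, STA2),           # AP to STA1: ignored
    make_frame(FC_BEACON, "ff:ff:ff:ff:ff:ff", AP, AP),   # beacon: ignored
]
```

On a real capture the same parser would be fed the 802.11 payload of each frame from a monitor-mode interface (after stripping any radiotap header), which is the only assumption beyond what the answers already describe.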

Do a GitHub search if in doubt -- there are already lots of projects there regarding the 802.11 protocol.

Anlage answered 25/2, 2022 at 1:39 Comment(2)
More a comment than an answer. - Sirocco
This does not provide an answer to the question. Once you have sufficient reputation you will be able to comment on any post; instead, provide answers that don't require clarification from the asker. - From Review - Cowley
