Randomized MAC addresses in 802.11 Probe Frames
To address perceived privacy issues, some wireless clients adopt a randomized MAC address in probe frames when probing for wireless networks. In this post I take a quick look at how you might see clients using randomized MAC addresses.

Background

When a wireless LAN client needs to find a nearby access point to join a Wi-Fi network, it has two choices:

Passive scanning: a client will listen to beacon frames, broadcast by nearby access points, that advertise the networks they make available. This can be quite a slow process, as a client cycles through channels and waits to hear beacons.

Active scanning: a client will cycle through channels and send out probe frames to proactively query nearby APs for a specific wireless network (SSID). This will generally be a faster method of finding networks that the client is configured to join, and may be used by all clients in conjunction with passive scanning.

One (unfortunate) side-effect of active scanning is that a client a