Initially, it is noted that IEEE Standard 802.11—2012 (Standard) is used as a reference for specifications used in this disclosure, the entire contents of which are incorporated herein by reference.
FIG. 1 is a block schematic diagram of a typical IEEE 802.11 infrastructure network 100. A number of station (STA) nodes, 120a, 120b, 120c, 120d, 120e and 120f (collectively referred to as “mobile nodes 120”) may or may not be associated with access point (AP) 110 which, in turn, is in communication with a hard-wired distribution system 130. As used herein, the term “mobile node” refers to a non-AP station. In such a network, unassociated mobile nodes 120 will periodically transmit a probe request in order to locate and identify the network. These probes may be directly addressed to the AP 110 or may be addressed to a broadcast address. Mobile nodes 120 that are associated with the AP 110 will also periodically transmit probe requests in order to determine if other APs 110 may be in the vicinity. The term mobile node used herein may refer to any type of wireless device communicating with an access point in a wireless communication system. Examples of mobile nodes include, but are not limited to user equipment (UE), target device, device to device (D2D) mobile node, machine type mobile node or mobile node capable of machine to machine (M2M) communication, PDA, tablet, smart phone, laptop computer, desktop computer, wireless appliance, laptop embedded equipped (LEE), laptop mounted equipment (LME), device with wireless transceiver, USB dongle, etc.
The Standard specifies the information and information elements (IEs) that may be included in the management frame of subtype probe requests. It should be noted that the Standard is regularly revised as new amendments are approved. As a result of approved amendments and revision of the Standard, the probe request frame body may have additional information than that listed in the Standard. It should also be noted that a specific probe request from a specific mobile node 120 may not include all the information listed in the Standard but may include a selection that is determined by each mobile node 120 as a result of its features, its default settings and then possibly added to or changed by user settings. The information provided in the probe request will, to a large extent, reflect the capabilities of that mobile node 120 as well as specific user settings.
There is no requirement to transmit the information provided in the probe request in a specific order. However, it is common practice that the probe request starts with the first three tagged parameters, Service Set Identifier (SSID), Supported Rates, and Direct Sequence (DS) Parameter Set which are sent in order, but the rest of the IEs are, in practice, sent in differing orders according to the individual mobile node 120.
One type of parameter that may be included in the probe request is the “Vendor Specific” IE. The element format includes an “Organization Identifier” which is the Organizationally Unique Identifier (OUI). The OUI is a 24-bit number that uniquely identifies a vendor, manufacturer or other organization. There are some common vendor specific IEs such as the ones for Wi-Fi Multimedia (WMM) and Wi-Fi Protected Setup (WPS) which are, respectively, the Wi-Fi Alliance IEs for quality of service settings and protected setup. In one embodiment, the present disclosure relates to vendor specific IEs that refer to the chipset and/or firmware vendor.
FIG. 2 shows the management frame format which is used for the probe request transmission. When a mobile node 120 transmits the probe request, the probe request is sent with a particular format. For example, “Address 2” represents the Media Access Control (MAC) address of the mobile node 120. Typically, the first three octets of the MAC address are the OUI. A mobile node 120, however, may choose to use a random MAC address so as to hide the identity of the mobile node 120.
FIG. 3 is an example of information obtained in a probe request capture, from a known mobile node 120, using an analyzer tool, for example, the WIRESHARK® analyzer tool. The information obtained from the captured probe request may include the following:
Transmitter Address. The first three octets of the address are the OUI.
Supported Rates: Provides the list of supported data rates. This particular set of rates indicates that the mobile node 120 supports 802.11b.
Extended Supported Rates: Provides additional list of supported data rates. This particular set of rates indicates that the mobile node 120 supports 802.11g.
High Throughput (HT) Capabilities: These indicate that the mobile node 120 supports 802.11n capability.
Extended Capabilities: This indicates that the mobile node 120 supports a large set of extended capabilities.
Vendor Specific Epigram
Vendor Specific MICROSOFT® WPS
Vendor Specific “B . . . ”: This indicates the mobile node 120 chipset vendor OUI
Furthermore, from FIG. 3, the order that the tagged parameters are sent is clearly seen as service set identifier (SSID), Supported Rates, Extended Supported Rates, distribution system (DS) Parameter Set, HT Capabilities, Extended Capabilities, Vendor Specific Epigram, Vendor Specific Microsoft, Vendor Specific B . . . The order in which the information in a probe request is transmitted has been found to differ significantly between mobile nodes 120. Hence, the order or organization of the received information can be used as part of the fingerprint for this particular mobile node 120.
FIG. 4 is the same probe request as in FIG. 3 but the HT Capabilities details have been expanded. From the Supported Rates field and Extended Supported Rates field, the mobile node 120 has indicated that it supports 802.11b and 802.11g modes. In addition, the mobile node 120 indicates that it also supports 802.11n mode by including the HT Capabilities elements in its probe request. In this example, some details within these elements include:
HT Capabilities Info: a value of 0x002d
Aggregated MAC Protocol Data Unit (A-MPDU) Parameters: a value of 0x17
Receiver Modulation and Coding Scheme (RX MCS) Set: an examination of the bitmasks indicates that the mobile node 120 supports the reception of MCS 0 to 15. Hence, the mobile node 120 supports two spatial streams on receive. In addition, the Transmit (TX) and RX MCS Set bit is 0 indicating that this mobile node 120 also supports two spatial streams on transmit. The Multiple-Input Multiple-Output (MIMO) capability of an 802.11n device is termed (a) x (b): (c), where (a) is the maximum number of transmit antennas or TX chains, (b) is the maximum number of receive antennas or RX chains, and (c) is the maximum number of data spatial streams. Hence, by examining the HT Capabilities element, this mobile node 120 has MIMO capability 2×2:2.
The specific details and breakdown of each of these elements shown in FIGS. 3 and 4 and explanations of each of the values and their corresponding features is not necessary for understanding the disclosure. For the purposes of this disclosure, the presence of the IE, the corresponding values, and the order in which they are sent are considered. There may be times, however, when deeper inspection of the particular features can be useful. Examples of these instances are explained below.