2 .\" Copyright (c) 2009 Sam Leffler, Errno Consulting
3 .\" All rights reserved.
5 .\" Redistribution and use in source and binary forms, with or without
6 .\" modification, are permitted provided that the following conditions
8 .\" 1. Redistributions of source code must retain the above copyright
9 .\" notice, this list of conditions and the following disclaimer.
10 .\" 2. Redistributions in binary form must reproduce the above copyright
11 .\" notice, this list of conditions and the following disclaimer in the
12 .\" documentation and/or other materials provided with the distribution.
14 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 .\" $FreeBSD: src/share/man/man9/ieee80211_scan.9,v 1.4 2010/03/29 17:39:38 trasz Exp $
33 .Nd 802.11 scanning support
37 .In netproto/802_11/ieee80211_var.h
40 .Fo ieee80211_start_scan
41 .Fa "struct ieee80211vap *"
47 .Fa "const struct ieee80211_scan_ssid ssids[]"
51 .Fo ieee80211_check_scan
52 .Fa "struct ieee80211vap *"
58 .Fa "const struct ieee80211_scan_ssid ssids[]"
62 .Fn ieee80211_check_scan_current "struct ieee80211vap *"
65 .Fn ieee80211_bg_scan "struct ieee80211vap *" "int"
68 .Fn ieee80211_cancel_scan "struct ieee80211vap *"
71 .Fn ieee80211_cancel_anyscan "struct ieee80211vap *"
74 .Fn ieee80211_scan_next "struct ieee80211vap *"
77 .Fn ieee80211_scan_done "struct ieee80211vap *"
80 .Fn ieee80211_probe_curchan "struct ieee80211vap *" "int"
83 .Fo ieee80211_add_scan
84 .Fa "struct ieee80211vap *"
85 .Fa "const struct ieee80211_scanparams *"
86 .Fa "const struct ieee80211_frame *"
93 .Fn ieee80211_scan_timeout "struct ieee80211com *"
96 .Fo ieee80211_scan_assoc_fail
97 .Fa "struct ieee80211vap *"
98 .Fa "const uint8_t mac[IEEE80211_ADDR_LEN]"
103 .Fn ieee80211_scan_flush "struct ieee80211vap *"
106 .Fo ieee80211_scan_iterate
107 .Fa "struct ieee80211vap *"
108 .Fa "ieee80211_scan_iter_func"
113 .Fn ieee80211_scan_dump_channels "const struct ieee80211_scan_state *"
116 .Fo ieee80211_scanner_register
117 .Fa "enum ieee80211_opmode"
118 .Fa "const struct ieee80211_scanner *"
122 .Fo ieee80211_scanner_unregister
123 .Fa "enum ieee80211_opmode"
124 .Fa "const struct ieee80211_scanner *"
128 .Fn ieee80211_scanner_unregister_all "const struct ieee80211_scanner *"
130 .Ft const struct ieee80211_scanner *
131 .Fn ieee80211_scanner_get "enum ieee80211_opmode"
135 software layer provides an extensible framework for scanning.
136 Scanning is the procedure by which a station locates a BSS to join
137 (in infrastructure and IBSS mode), or a channel to use (when operating
138 as an AP or an IBSS master).
143 An active scan causes one or more ProbeRequest frames to be sent on
144 visiting each channel.
145 A passive request causes each channel in the scan set to be visited but
146 no frames to be transmitted; the station only listens for traffic.
147 Note that active scanning may still need to listen for traffic before
148 sending ProbeRequest frames depending on regulatory constraints.
150 A scan operation involves constructing a set of channels to inspect
152 visiting each channel and collecting information
153 (e.g. what BSS are present),
154 and then analyzing the results to make decisions such as which BSS to join.
155 This process needs to be as fast as possible so
157 does things like intelligently construct scan sets and dwell on a channel
158 only as long as necessary.
159 Scan results are cached and the scan cache is used to avoid scanning when
160 possible and to enable roaming between access points when operating
161 in infrastructure mode.
163 Scanning is handled by pluggable modules that implement
166 The core scanning support provides an infrastructure to support these
167 modules and exports a common API to the rest of the
170 Policy modules decide what channels to visit, what state to record to
171 make decisions, and selects the final station/channel to return as the
174 Scanning is done synchronously when initially bringing a vap to
175 an operational state and optionally in the background to maintain
176 the scan cache for doing roaming and rogue AP monitoring.
177 Scanning is not tied to the
179 state machine that governs vaps except for linkage to the
182 Only one vap at a time may be scanning; this scheduling policy
184 .Fn ieee80211_new_state
185 and is transparent to scanning code.
187 Scanning is controlled by a set of parameters that (potentially)
188 constrains the channel set and any desired SSID's and BSSID's.
190 comes with a standard scanner module that works with all available
191 operating modes and supports
192 .Dq background scanning
197 Scanning modules use a registration mechanism to hook into the
201 .Fn ieee80211_scanner_register
202 to register a scan module for a particular operating mode and
203 .Fn ieee80211_scanner_unregister
205 .Fn ieee80211_scanner_unregister_all
206 to clear entries (typically on module unload).
207 Only one scanner module can be registered at any time for an operating mode.
209 Scanning operations are usually managed by the
216 methods that are called at the start of a scan and when the
217 work is done; these should handle work such as enabling receive
218 of Beacon and ProbeResponse frames and disable any BSSID matching.
221 method is used to change channels while scanning.
223 will generate ProbeRequest frames and transmit them using the
226 Frames received while scanning are dispatched to
228 using the normal receive path.
229 Devices that off-load scan work to firmware most easily mesh with
231 by operating on a channel-at-a-time basis as this defers control to
233 scan machine scheduler.
234 But multi-channel scanning
235 is supported if the driver manually dispatches results using
236 .Fn ieee80211_add_scan
237 routine to enter results into the scan cache.
239 Scan requests occur by way of the
240 .Dv IEEE80211_SCAN_REQUEST
241 ioctl or through a change in a vap's state machine that requires
243 In both cases the scan cache can be checked first and, if it is deemed
246 then it's contents are used without leaving the current channel.
247 To start a scan without checking the cache
248 .Fn ieee80211_start_scan
249 can be called; otherwise
250 .Fn ieee80211_check_scan
251 can be used to first check the scan cache, kicking off a scan if
252 the cache contents are out of date.
254 .Fn ieee80211_check_scan_current
255 which is a shorthand for using previously set scan parameters for
256 checking the scan cache and then scanning.
258 Background scanning is done using
259 .Fn ieee80211_bg_scan
260 in a co-routine fashion.
261 The first call to this routine will start a background scan that
262 runs for a limited period of time before returning to the BSS channel.
263 Subsequent calls advance through the scan set until all channels are
265 Typically these later calls are timed to allow receipt of
266 frames buffered by an access point for the station.
268 A scan operation can be canceled using
269 .Fn ieee80211_cancel_scan
270 if it was initiated by the specified vap, or
271 .Fn ieee80211_cancel_anyscan
272 to force termination regardless which vap started it.
273 These requests are mostly used by
275 in the transmit path to cancel background scans when frames are to be sent.
276 Drivers should not need to use these calls (or most of the calls described
280 .Fn ieee80211_scan_next
282 .Fn ieee80211_scan_done
283 routines do explicit iteration through the scan set and should
284 not normally be used by drivers.
285 .Fn ieee80211_probe_curchan
286 handles the work of transmitting ProbeRequest frames when visiting
287 a channel during an active scan.
288 When the channel attributes are marked with
289 .Dv IEEE80211_CHAN_PASSIVE
290 this function will arrange that before any frame is transmitted 802.11
291 traffic is first received (in order to comply with regulatory constraints).
293 Min/max dwell time parameters are used to constrain time spent visiting
295 The maximum dwell time constrains the time spent listening for traffic.
296 The minimum dwell time is used to reduce this time--when it is reached
297 and one or more frames have been received then an immediate channel
299 Drivers can override this behaviour through the
302 .Sh SCAN CACHE MANAGEMENT
303 The scan cache contents are managed by the scan policy module and
304 are opaque outside this module.
307 scan framework defines API's for interacting.
308 The validity of the scan cache contents are controlled by
310 which is exported to user space through the
311 .Dv IEEE80211_SCAN_VALID
314 The cache contents can be explicitly flushed with
315 .Fn ieee80211_scan_flush
317 .Dv IEEE80211_SCAN_FLUSH
318 flag when starting a scan operation.
320 Scan cache entries are created with the
321 .Fn ieee80211_add_scan
322 routine; usually on receipt of Beacon or ProbeResponse frames.
323 Existing entries are typically updated based on the latest information
324 though some information such as RSSI and noise floor readings may be
325 combined to present an average.
327 The cache contents is aged through
328 .Fn ieee80211_scan_timeout
330 Typically these happen together with other station table activity; every
331 .Dv IEEE80211_INACT_WAIT
332 seconds (default 15).
334 Individual cache entries are marked usable with
335 .Fn ieee80211_scan_assoc_success
337 .Fn ieee80211_scan_assoc_fail
338 with the latter taking an argument to identify if there was no response
339 to Authentication/Association requests or if a negative response was
340 received (which might hasten cache eviction or blacklist the entry).
342 The cache contents can be viewed using the
343 .Fn ieee80211_scan_iterate
345 Cache entries are exported in a public format that is exported to user
346 applications through the
347 .Dv IEEE80211_SCAN_RESULTS
352 .Xr ieee80211_proto 9