2 .\" Copyright (c) 2009 Sam Leffler, Errno Consulting
3 .\" All rights reserved.
5 .\" Redistribution and use in source and binary forms, with or without
6 .\" modification, are permitted provided that the following conditions
8 .\" 1. Redistributions of source code must retain the above copyright
9 .\" notice, this list of conditions and the following disclaimer.
10 .\" 2. Redistributions in binary form must reproduce the above copyright
11 .\" notice, this list of conditions and the following disclaimer in the
12 .\" documentation and/or other materials provided with the distribution.
14 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 .\" $FreeBSD: head/share/man/man9/ieee80211_scan.9 233648 2012-03-29 05:02:12Z eadler $
33 .Nd 802.11 scanning support
37 .In netproto/802_11/ieee80211_var.h
40 .Fo ieee80211_start_scan
41 .Fa "struct ieee80211vap *"
47 .Fa "const struct ieee80211_scan_ssid ssids[]"
51 .Fo ieee80211_check_scan
52 .Fa "struct ieee80211vap *"
58 .Fa "const struct ieee80211_scan_ssid ssids[]"
62 .Fn ieee80211_check_scan_current "struct ieee80211vap *"
65 .Fn ieee80211_bg_scan "struct ieee80211vap *" "int"
68 .Fn ieee80211_cancel_scan "struct ieee80211vap *"
71 .Fn ieee80211_cancel_anyscan "struct ieee80211vap *"
74 .Fn ieee80211_scan_next "struct ieee80211vap *"
77 .Fn ieee80211_scan_done "struct ieee80211vap *"
80 .Fn ieee80211_probe_curchan "struct ieee80211vap *" "int"
83 .Fo ieee80211_add_scan
84 .Fa "struct ieee80211vap *"
85 .Fa "struct ieee80211_channel *"
86 .Fa "const struct ieee80211_scanparams *"
87 .Fa "const struct ieee80211_frame *"
94 .Fn ieee80211_scan_timeout "struct ieee80211com *"
97 .Fo ieee80211_scan_assoc_fail
98 .Fa "struct ieee80211vap *"
99 .Fa "const uint8_t mac[IEEE80211_ADDR_LEN]"
104 .Fn ieee80211_scan_flush "struct ieee80211vap *"
107 .Fo ieee80211_scan_iterate
108 .Fa "struct ieee80211vap *"
109 .Fa "ieee80211_scan_iter_func"
114 .Fn ieee80211_scan_dump_channels "const struct ieee80211_scan_state *"
117 .Fo ieee80211_scanner_register
118 .Fa "enum ieee80211_opmode"
119 .Fa "const struct ieee80211_scanner *"
123 .Fo ieee80211_scanner_unregister
124 .Fa "enum ieee80211_opmode"
125 .Fa "const struct ieee80211_scanner *"
129 .Fn ieee80211_scanner_unregister_all "const struct ieee80211_scanner *"
131 .Ft const struct ieee80211_scanner *
132 .Fn ieee80211_scanner_get "enum ieee80211_opmode"
136 software layer provides an extensible framework for scanning.
137 Scanning is the procedure by which a station locates a BSS to join
138 (in infrastructure and IBSS mode), or a channel to use (when operating
139 as an AP or an IBSS master).
144 An active scan causes one or more ProbeRequest frames to be sent on
145 visiting each channel.
146 A passive request causes each channel in the scan set to be visited but
147 no frames to be transmitted; the station only listens for traffic.
148 Note that active scanning may still need to listen for traffic before
149 sending ProbeRequest frames depending on regulatory constraints.
151 A scan operation involves constructing a set of channels to inspect
153 visiting each channel and collecting information
154 (e.g. what BSS are present),
155 and then analyzing the results to make decisions such as which BSS to join.
156 This process needs to be as fast as possible so
158 does things like intelligently construct scan sets and dwell on a channel
159 only as long as necessary.
160 Scan results are cached and the scan cache is used to avoid scanning when
161 possible and to enable roaming between access points when operating
162 in infrastructure mode.
164 Scanning is handled by pluggable modules that implement
167 The core scanning support provides an infrastructure to support these
168 modules and exports a common API to the rest of the
171 Policy modules decide what channels to visit, what state to record to
172 make decisions, and selects the final station/channel to return as the
175 Scanning is done synchronously when initially bringing a vap to
176 an operational state and optionally in the background to maintain
177 the scan cache for doing roaming and rogue AP monitoring.
178 Scanning is not tied to the
180 state machine that governs vaps except for linkage to the
183 Only one vap at a time may be scanning; this scheduling policy
185 .Fn ieee80211_new_state
186 and is transparent to scanning code.
188 Scanning is controlled by a set of parameters that (potentially)
189 constrains the channel set and any desired SSID's and BSSID's.
191 comes with a standard scanner module that works with all available
192 operating modes and supports
193 .Dq background scanning
198 Scanning modules use a registration mechanism to hook into the
202 .Fn ieee80211_scanner_register
203 to register a scan module for a particular operating mode and
204 .Fn ieee80211_scanner_unregister
206 .Fn ieee80211_scanner_unregister_all
207 to clear entries (typically on module unload).
208 Only one scanner module can be registered at any time for an operating mode.
210 Scanning operations are usually managed by the
217 methods that are called at the start of a scan and when the
218 work is done; these should handle work such as enabling receive
219 of Beacon and ProbeResponse frames and disable any BSSID matching.
222 method is used to change channels while scanning.
224 will generate ProbeRequest frames and transmit them using the
227 Frames received while scanning are dispatched to
229 using the normal receive path.
230 Devices that off-load scan work to firmware most easily mesh with
232 by operating on a channel-at-a-time basis as this defers control to
234 scan machine scheduler.
235 But multi-channel scanning
236 is supported if the driver manually dispatches results using
237 .Fn ieee80211_add_scan
238 routine to enter results into the scan cache.
240 Scan requests occur by way of the
241 .Dv IEEE80211_SCAN_REQUEST
242 ioctl or through a change in a vap's state machine that requires
244 In both cases the scan cache can be checked first and, if it is deemed
247 then it's contents are used without leaving the current channel.
248 To start a scan without checking the cache
249 .Fn ieee80211_start_scan
250 can be called; otherwise
251 .Fn ieee80211_check_scan
252 can be used to first check the scan cache, kicking off a scan if
253 the cache contents are out of date.
255 .Fn ieee80211_check_scan_current
256 which is a shorthand for using previously set scan parameters for
257 checking the scan cache and then scanning.
259 Background scanning is done using
260 .Fn ieee80211_bg_scan
261 in a co-routine fashion.
262 The first call to this routine will start a background scan that
263 runs for a limited period of time before returning to the BSS channel.
264 Subsequent calls advance through the scan set until all channels are
266 Typically these later calls are timed to allow receipt of
267 frames buffered by an access point for the station.
269 A scan operation can be canceled using
270 .Fn ieee80211_cancel_scan
271 if it was initiated by the specified vap, or
272 .Fn ieee80211_cancel_anyscan
273 to force termination regardless which vap started it.
274 These requests are mostly used by
276 in the transmit path to cancel background scans when frames are to be sent.
277 Drivers should not need to use these calls (or most of the calls described
281 .Fn ieee80211_scan_next
283 .Fn ieee80211_scan_done
284 routines do explicit iteration through the scan set and should
285 not normally be used by drivers.
286 .Fn ieee80211_probe_curchan
287 handles the work of transmitting ProbeRequest frames when visiting
288 a channel during an active scan.
289 When the channel attributes are marked with
290 .Dv IEEE80211_CHAN_PASSIVE
291 this function will arrange that before any frame is transmitted 802.11
292 traffic is first received (in order to comply with regulatory constraints).
294 Min/max dwell time parameters are used to constrain time spent visiting
296 The maximum dwell time constrains the time spent listening for traffic.
297 The minimum dwell time is used to reduce this time--when it is reached
298 and one or more frames have been received then an immediate channel
300 Drivers can override this behaviour through the
303 .Sh SCAN CACHE MANAGEMENT
304 The scan cache contents are managed by the scan policy module and
305 are opaque outside this module.
308 scan framework defines API's for interacting.
309 The validity of the scan cache contents are controlled by
311 which is exported to user space through the
312 .Dv IEEE80211_SCAN_VALID
315 The cache contents can be explicitly flushed with
316 .Fn ieee80211_scan_flush
318 .Dv IEEE80211_SCAN_FLUSH
319 flag when starting a scan operation.
321 Scan cache entries are created with the
322 .Fn ieee80211_add_scan
323 routine; usually on receipt of Beacon or ProbeResponse frames.
324 Existing entries are typically updated based on the latest information
325 though some information such as RSSI and noise floor readings may be
326 combined to present an average.
328 The cache contents is aged through
329 .Fn ieee80211_scan_timeout
331 Typically these happen together with other station table activity; every
332 .Dv IEEE80211_INACT_WAIT
333 seconds (default 15).
335 Individual cache entries are marked usable with
336 .Fn ieee80211_scan_assoc_success
338 .Fn ieee80211_scan_assoc_fail
339 with the latter taking an argument to identify if there was no response
340 to Authentication/Association requests or if a negative response was
341 received (which might hasten cache eviction or blacklist the entry).
343 The cache contents can be viewed using the
344 .Fn ieee80211_scan_iterate
346 Cache entries are exported in a public format that is exported to user
347 applications through the
348 .Dv IEEE80211_SCAN_RESULTS
353 .Xr ieee80211_proto 9