Monitoring Probe Request SSIDs

Probe requests are frames sent by WiFi devices to discover nearby networks. When a device isn’t connected to WiFi, it periodically sends these requests, containing its MAC address and sometimes a preferred network’s name (SSID). Nearby access points respond, helping the device identify and connect to networks.

In certain situations, monitoring probe requests can help prevent privacy issues and data leaks.

Why Monitor Probe Requests?

Scenario 1: Sensitive Locations

Imagine you are responsible for the security of a critical location, such as a police station or military installation, which provides WiFi access to authorized users. If these users do not delete the WiFi network configuration from their devices, their devices will periodically send out probe requests, inadvertently revealing their previous connection to the sensitive network.

In the case of a police station, criminals could detect these probe requests within range and use them to infer the presence of officers or detectives nearby.

Scenario 2: Correlating Locations

Consider the police station example again. Now, imagine a police officer using their work phone at home. The device’s probe requests could reveal both the police station’s WiFi and the officer’s home WiFi network.

This information could be exploited by anyone using a site like Wigle.net, potentially exposing the officer’s private address.

Scenario 3: Legacy or Backup Networks

You might operate WiFi networks that are intended for use only during specific situations, such as a satellite uplink or backup WiFi. Users should have these networks configured for quick access but should not automatically connect to them. By monitoring probe requests, you can ensure that no devices are searching for these networks under normal circumstances.

How To Monitor Probe Requests in nzyme

You can configure which SSIDs nzyme watches for in probe requests using the nzyme WiFi Network Monitoring functionality. The Probe Requests page under Network Monitoring shows you all currently monitored SSIDs. You can add, edit and delete such SSIDs from the same page.

An alert is raised when nzyme discovers a monitored SSID in a probe request frame.
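
The check behind such an alert, shown at the frame level. The following Python is an added example, not nzyme's own code: it assumes raw 802.11 frames without a radiotap header or trailing FCS, and the SSID `PD-Internal`, the MAC addresses and all function names are constructed for illustration.

```python
# Added example (not nzyme code). Frames are raw 802.11: no radiotap, no FCS.
MGMT_HEADER_LEN = 24  # frame control, duration, 3 addresses, sequence control
MONITORED_SSIDS = {"PD-Internal"}  # constructed SSID, stands in for your list

def parse_probe_request(frame: bytes):
    """Return (transmitter_mac, ssid) for a probe request, else None.
    ssid is None for a wildcard probe or a missing/malformed SSID element."""
    if len(frame) < MGMT_HEADER_LEN:
        return None
    fc = frame[0]
    version, ftype, subtype = fc & 0x03, (fc >> 2) & 0x03, (fc >> 4) & 0x0F
    if (version, ftype, subtype) != (0, 0, 4):  # management, probe request
        return None
    mac = ":".join(f"{b:02x}" for b in frame[10:16])  # address 2 = transmitter
    pos = MGMT_HEADER_LEN
    while pos + 2 <= len(frame):  # tagged parameters: id, length, value
        elem_id, elem_len = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + elem_len]
        if len(value) < elem_len:  # truncated element, stop parsing
            break
        if elem_id == 0:  # SSID element
            if not 0 < elem_len <= 32:  # wildcard, or longer than an SSID may be
                return mac, None
            return mac, value.decode("utf-8", errors="replace")
        pos += 2 + elem_len
    return mac, None

def find_alerts(frames, monitored=MONITORED_SSIDS):
    """Return (mac, ssid) for each probe request naming a monitored SSID."""
    parsed = (parse_probe_request(f) for f in frames)
    return [p for p in parsed if p and p[1] in monitored]

def _frame(fc_byte: int, mac: bytes, ssid: bytes) -> bytes:
    """Build a constructed test frame: header, SSID element, rates element."""
    header = (bytes([fc_byte, 0]) + b"\x00\x00" + b"\xff" * 6 + mac
              + b"\xff" * 6 + b"\x00\x00")
    return header + bytes([0, len(ssid)]) + ssid + bytes([1, 2, 0x02, 0x04])

SAMPLE_FRAMES = [  # constructed, not captured traffic
    _frame(0x40, bytes.fromhex("020000000001"), b"PD-Internal"),  # monitored
    _frame(0x40, bytes.fromhex("020000000002"), b""),             # wildcard
    _frame(0x40, bytes.fromhex("020000000003"), b"HomeNet"),      # not monitored
    _frame(0x80, bytes.fromhex("020000000004"), b"PD-Internal"),  # not a probe request
]

if __name__ == "__main__":
    for mac, ssid in find_alerts(SAMPLE_FRAMES):
        print(f"ALERT: {mac} probed for monitored SSID {ssid!r}")
```

Wildcard probes carry no network name, so they never match a monitored SSID; only directed probes reveal a saved network.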

How to Avoid Issues with Probe Requests

Probe requests are an integral aspect of WiFi communication and difficult to eliminate completely. We recommend implementing and clearly communicating a policy that instructs users to either remove critical WiFi networks from their mobile device configurations or disable the automatic connection feature. Disabling auto-connect will typically prevent probe requests for that network until the user manually initiates a connection.

To ensure compliance with this policy, you can monitor probe requests as a proactive measure.

Probe Request Monitoring in nzyme

You can configure probe request monitoring in nzyme using the WiFi - Monitoring pages in your web interface. Learn more about how to set up probe request monitoring in the nzyme documentation.
