Jiri Brejcha joins us on this episode to discuss his testing of 6 GHz capable clients (iPad and Google Pixel) and how they discover 6 GHz Wi-Fi networks. Jiri demonstrates the important role the Reduced Neighbor Report plays in 6 GHz AP discovery.
Jiri is an enterprise architect at Cisco UK and part of the Cisco Live team. He’s also a core member of the WLAN Pi team.
In his lab, he has a Cisco 6 GHz access point broadcasting a few SSIDs on different bands. He wondered how an iPad and a Pixel would detect a 6 GHz-only SSID. Do you need to have APs operate on PSC only?
Inside of a beacon frame, you’ll find a Reduced Neighbor Report (RNR) Information Element. The RNR contains important details such as the channel used by neighboring access points. This can be one access point or a group of access points. You’ll find this information in the Neighbor AP Information Fields.
Target Beacon Transmission Time (TBTT)
Resources
- Section 9.4.2.170 of the 802.11-2020 standard
- https://www.jiribrejcha.net/2022/11/google-pixel-6-wi-fi-6e-scanning-and-6-ghz-ssid-discovery/
- https://www.jiribrejcha.net/2022/11/ipad-pro-wi-fi-6e-scanning-and-6-ghz-ssid-discovery/
- Apple specifications: https://support.apple.com/en-us/HT202068
Nice vlog guys.
Regarding the Short SSID in RNR, it is the hex CRC32 checksum (why??) of the actual 6 GHz SSID. You can enter the SSID on this site https://crc32.online/ and see the hex output and compare it with the short-ssid in the RNR field.
Or you can use the Python CLI:
import zlib
hex(zlib.crc32(b'SSID'))
SSID --> the 6 GHz SSID
E.g.:
>>> import zlib
>>> hex(zlib.crc32(b'Cisco 6'))
'0x492011dc' --> which is the short SSID in the RNR field of pcaps that Jiri has kindly shared.
This seems to be a one-way function, so most likely you cannot derive the SSID from the short-ssid.
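Added example (not part of the show notes or the comment above): a small Python parser that walks the Neighbor AP Information fields of an RNR element, pulls out each Short SSID, and checks it against a list of SSIDs you expect to see during a survey. The sample element is constructed, and the Short SSID offsets and little-endian byte order are assumptions taken from the field layouts in 802.11-2020 9.4.2.170 as amended by 802.11ax.

```python
import struct
import zlib

RNR_ELEMENT_ID = 201  # Reduced Neighbor Report element ID
# Offset of the Short SSID inside one TBTT Information field, keyed by the
# TBTT Information Length (assumption: layouts with no Short SSID are omitted).
SHORT_SSID_OFFSET = {5: 1, 6: 1, 11: 7, 12: 7, 13: 7}

def short_ssid(ssid):
    """CRC-32 of the SSID bytes, the same value zlib.crc32 gives in the comment."""
    return zlib.crc32(ssid.encode("utf-8"))

def parse_rnr(element):
    """Return one dict per TBTT Information field found in an RNR element."""
    if len(element) < 2 or element[0] != RNR_ELEMENT_ID:
        raise ValueError("not a Reduced Neighbor Report element")
    body = element[2:2 + element[1]]
    if len(body) != element[1]:
        raise ValueError("truncated element")
    neighbors, pos = [], 0
    while pos + 4 <= len(body):
        # 2-octet TBTT Information Header, then Operating Class and Channel Number
        header, op_class, channel = struct.unpack_from("<HBB", body, pos)
        count = ((header >> 4) & 0x0F) + 1   # TBTT Information Count stores N-1
        length = header >> 8                 # TBTT Information Length
        pos += 4
        if length == 0 or pos + count * length > len(body):
            raise ValueError("malformed Neighbor AP Information field")
        for _ in range(count):
            entry = {"op_class": op_class, "channel": channel, "short_ssid": None}
            off = SHORT_SSID_OFFSET.get(length)
            if off is not None:
                # Assumption: Short SSID is carried as a little-endian 32-bit value
                entry["short_ssid"] = struct.unpack_from("<I", body, pos + off)[0]
            neighbors.append(entry)
            pos += length
    return neighbors

def match_ssids(element, known_ssids):
    """Pair each advertised channel with the known SSID its Short SSID matches."""
    table = {short_ssid(s): s for s in known_ssids}
    return [(n["channel"], table.get(n["short_ssid"])) for n in parse_rnr(element)]

# Constructed sample: one neighbor, operating class 131, channel 5, length 13
# (TBTT offset, BSSID, Short SSID, BSS Parameters, 20 MHz PSD). BSSID is made up.
TBTT_FIELD = (bytes([0]) + bytes.fromhex("020000000001")
              + struct.pack("<I", short_ssid("Cisco 6")) + bytes([0x40, 0x00]))
SAMPLE_RNR = (bytes([RNR_ELEMENT_ID, 4 + len(TBTT_FIELD)])
              + struct.pack("<HBB", 13 << 8, 131, 5) + TBTT_FIELD)

if __name__ == "__main__":
    print(match_ssids(SAMPLE_RNR, ["Guest", "Cisco 6"]))
```

A result of `None` for a channel means the RNR advertises a Short SSID that is not in your list, which is worth a second look in a survey.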