Abstract - In this paper we characterize the proprietary Active Scanning algorithms of several wireless network interface card (WNIC) and driver combinations. We believe our experiments are the first of their kind to observe the complete scanning process as the WNICs probe all the channels in the 2.4 GHz spectrum. We discuss 1) the channel probe order; 2) the correlation between channel popularity during active scanning and access point (AP) channel deployment popularity; 3) the number of Probe Request Frames (PRFs) sent on each channel across WNICs; 4) the amount of time spent on each channel across WNICs (dwell time); and 5) the variation in scanning algorithms. The knowledge gained from profiling WNICs is of significant importance to numerous disciplines. It enables us to understand different implementations (hardware and software) of Active Scanning. The same knowledge can help lay a foundation for implementing Active Scanning in network simulators; Active Scanning is generically considered in only one of the popular simulators. Finally, the results from our work can also radically influence research in link-layer handovers, effective deployment of APs, securing wireless networks, etc.
Index Terms - IEEE 802.11 Active Scanning, Wireless Network Interface Card, Host Association.
I. INTRODUCTION
With the advent of IEEE 802.11 standards, it has become easier to access a network without requiring wired Ethernet as a connection medium. The popularity of wireless networking has risen to a point where nearly 70 million 802.11-enabled devices were sold worldwide in the second quarter of 2006 [1]. The essential hardware to enable wireless communication is the WNIC. We attempt to characterize WNICs based on certain parameters, for the reasons described in Section III. To characterize a WNIC, we focus on the Active Scanning algorithm, which is part of the IEEE 802.11 MAC Layer functions.
The IEEE 802.11 MAC Layer is responsible for managing and maintaining communication between various network devices. It coordinates access to a shared radio channel and utilizes standardized protocols to facilitate communication between these devices. We focus on the parameters which can characterize the active scanning algorithm. These parameters include the channel on which the 1st PRF is sent when scanning starts, the total number of PRFs sent on all channels, the bursty nature of a WNIC, the dwell time, etc. Examining these parameters for each WNIC gives us a wealth of information which helps us to characterize all the WNICs used in our experiments. We provide statistical results for this characterization. We passively listen on all the channels of the 2.4 GHz spectrum (11 for USA), thus not introducing any additional traffic load on the network, which helps to keep our observations unbiased.
The remainder of the paper is organized as follows. Section II mentions the relevant background work done in this field. In Section III we explain the motivation behind conducting this research, discussing the open problems and the benefits of our work. Section IV highlights the general algorithm used for Active Scanning as described in the IEEE 802.11 standards. We then describe the experimental setup and the choice of hardware in Section V. The analysis of our experiments is presented in Section VI, and we later use these results to distinguish between three different WNICs in Section VII. We conclude the paper in Section VIII, mentioning the scope of our future work.
II. RELATED WORK
Many attempts have been made to improve or create new active scanning algorithms [2, 3, 4]. The focus has been to reduce the scanning delays by introducing more efficient algorithms. As a result, more effort has been put into introducing newer algorithms rather than understanding the characteristics of the existing algorithms.
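The parameters named in the Introduction (channel of the first PRF, PRFs per channel, burstiness, dwell time) can be computed from passively captured probe requests; the following is an added example, not the authors' code. The record layout, the 1000 ms idle gap used to split scans, and the dwell estimate (first PRF on one channel to first PRF on the next) are assumptions.

```python
from collections import Counter

# Constructed sample, not data from the paper: one record per Probe Request
# Frame heard by the passive monitors, as (time in ms, channel, source MAC).
MAC_A, MAC_B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
CONSTRUCTED_PRFS = [
    (0, 1, MAC_A), (2, 1, MAC_A),                   # scan 1 of card A
    (31, 6, MAC_A), (33, 6, MAC_A), (35, 6, MAC_A),
    (64, 11, MAC_A),
    (10, 3, MAC_B), (50, 4, MAC_B), (90, 5, MAC_B),  # card B, interleaved
    (5000, 1, MAC_A), (5002, 1, MAC_A), (5031, 6, MAC_A),  # scan 2 of card A
]

def summarize(scan):
    """Profile one scan given as a time-ordered list of (ms, channel)."""
    visits = []  # [channel, time of first PRF, PRFs in this visit]
    for ts, ch in scan:
        if visits and visits[-1][0] == ch:
            visits[-1][2] += 1
        else:
            visits.append([ch, ts, 1])
    # Assumption: dwell is estimated as first PRF on a channel to first PRF on
    # the next one. The last channel has no successor, so it gets no estimate.
    dwell = [(a[0], b[1] - a[1]) for a, b in zip(visits, visits[1:])]
    return {
        "first_channel": visits[0][0],
        "order": [v[0] for v in visits],
        "prf_counts": dict(Counter(ch for _, ch in scan)),
        "bursts": [(v[0], v[2]) for v in visits],
        "dwell_ms": dwell,
    }

def profile_scans(prfs, scan_gap_ms=1000):
    """Group PRFs by source MAC, split into scans at silent gaps, profile each."""
    by_mac = {}
    for ts, ch, mac in sorted(prfs):
        by_mac.setdefault(mac, []).append((ts, ch))
    profiles = {}
    for mac, frames in by_mac.items():
        scans = [[frames[0]]]
        for prev, cur in zip(frames, frames[1:]):
            if cur[0] - prev[0] > scan_gap_ms:  # assumed idle gap between scans
                scans.append([])
            scans[-1].append(cur)
        profiles[mac] = [summarize(s) for s in scans]
    return profiles
```
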
Also, on previous occasions it has been shown that different WNICs exhibit peculiar characteristics based on the active scanning algorithm used [5, 6]. The focus was on finding the periodicity of the wireless traffic caused by the active scanning algorithm for distinguishing WNICs. In this paper we attempt to characterize parameters that have previously been ignored. A critical aspect of our work is that we examine the entire IEEE 802.11b/g spectrum at a given period. This allows us to characterize the active scanning
A Characterization of Wireless NIC Active Scanning Algorithms
Vaibhav Gupta, Department of Computer Science, Georgia State University, Atlanta, GA, USA
Raheem Beyah, Department of Computer Science, Georgia State University, Atlanta, GA, USA
Cherita Corbett, Sandia National Laboratories *, Livermore, CA, USA