ScanResult capabilities interpretation

Question

I want to analyze the capabilities string of a ScanResult. However, the names ther are grouped in up to four square brackets e.g.

[WPA-PSK-TKIP+CCMP][WPA2-PSK-TK         


        

Answer 1

This string is generated by wpa_supplicant. Unfortunately there is little documentation on this, but at least we can look at the precise code! There are three main functions reponsible for creating the string we see in Android:

• wpa_supplicant_ctrl_iface_scan_result: This takes a struct wpa_bss as argument, which contains the information about one networks, and converts it to a string. You can see tags such as [ESS] and WPA2 being added. It also (indirectly) calls the following two functions. So this function add the general capabilities of the network.
• wpa_supplicant_ie_txt: This add the [PSK] and/or [EAP] tags. In other words the type of handshake being used.
• wpa_write_ciphers: Adds the type of WPA1 or WPA2 encryption being used. So TKIP or CCMP. It's only called if the network is WPA1 or WPA2.

By reading these three functions you will know exactly what kind of parameters in the string that you can expect. You can always confirm your understanding by creating your own network and confirming the string corresponding to your own network!