Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Understanding Wireless Scanning


All wireless access point radios continually scan for other RF transmitters. While 802.11b/g/n radios scan in the 2.4-GHz to 2.4835-GHz spectrum, 802.11a radios (and sometimes 802.11n radios) scan in the 5.15-GHz to 5.85-GHz spectrum. There are two scanning methods, passive scanning and active scanning. By default, radios perform both types of scans on all channels allowed by the country of operation, which is the regulatory domain set during initial access point deployment. While both types of scanning are on by default, active scanning is performed only on channels on which local government regulations allow it to transmit. Channels that are not authorized for unlicensed use and channels that require radar detection with dynamic frequency selection (DFS) are excluded from active scanning.

A radio in sentry mode is a dedicated scanner (no data transmission) providing better RF detection because the radio spends more time scanning each channel.

This topic describes:

What Is the Difference Between Passive and Active Scanning?

During passive scans, the radio listens for beacons and probe responses. If you use only passive mode, the radio scans once per second, and audits packets on the wireless network. Passive scans are always enabled and cannot be disabled because this capability is also used to connect clients to access points.

Active scans are enabled by default but can be disabled in a Radio profile. During active scans, the radio sends probe-any requests (probe requests with a null SSID name) to solicit probe responses from other devices. In other words, access points actively look for other devices, in addition to listening for them.

What Channels Are Scanned?

RF scanning can be performed on a variety of different sets of channel ranges or frequencies. The scan can be configured in the Radio profile to scan either operating channels, regulatory channels, or all channels.


An access point will never transmit on channels that are not authorized for transmission.

In a Radio profile, you can change the channels a radio actively scans. These are the three options for active scanning :

  • Operating: Only the current channel is scanned and audited.

  • Regulatory: Only regulatory channels are scanned and audited. If the radio is configured for 802.11b/g/n, the most commonly used channels, such as 1, 6, or 11, are scanned and audited more frequently.

  • All: All channels are scanned and audited.

How Does Scanning Work?

To scan outside of the operating range, the access point must change channels. These off-channel scans are performed once per second, and a different channel in the range is scanned each second until it cycles through all in-scope channels. The access point will go off channel for about 30ms (3% of the time). Scans are scheduled to avoid interfering with beacon transmission. Radio transmit queues are drained prior to channel change. Then the probes are sent once channel change is completed. Note that the scan frequency is reduced if voice, video traffic, or heavy load is detected. Also, the CTS-to-self feature can be configured to silence clients on the operating channel while access point goes off channel. See Figure 1 for more details.

Figure 1: Scanned Data Is Stored in the Station Databases and Sent to the Controller
Scanned Data Is Stored in
the Station Databases and Sent to the Controller

How Does Active Scanning Work?

The active-scan algorithm is sensitive to high-priority (voice or video) traffic or heavy data traffic. Active-scan scans for 30 milliseconds once every second, unless either of the following conditions is true:

  • High-priority traffic (voice or video) is present at 64 Kbps or higher. In this case, active-scan scans for 30 milliseconds every 60 seconds.

  • Heavy data traffic is present at 4 Mbps or higher. In this case, active-scan scans for 30 milliseconds every 5 seconds.

What Additional Information Is Learned by an Active Scan?

Active scanning is more thorough and provides more information than passive scanning. If you select active mode, the radio actively sends probes on other channels and then audits the packets on the wireless network. The probe response received by an active scan normally contains the BSSID and WLAN SSID of the access point answering the probe. This is how the Permitted SSID list gets a list of all SSIDs on the air, even if a device is not currently sending signals.

What Happens to Scanned Information?

Scanned information is stored and used by the:

CTS-to-self During Scanning

The clear to scan CTS-to-self feature can be configured in a Radio profile to silence clients on the operating channel while an access point goes off channel to scan. This option is also part of the Radio profile.

What Is Spectral RF Scanning?

The electromagnetic spectrum includes all possible frequencies of electromagnetic radiation. Wireless communication uses the low frequencies used for radio communication, but other objects can affect these frequencies. Spectral analysis reports objects with any electromagnetic properties.

Spectral analysis starts with the RF detect function. The primary function of RF detect is to detect and classify 802.11 devices, but for spectral analysis, that function is extended to recognize non-802.11 sources of interference. Because the primary function of RF detect is to locate 802.11 devices, interfaces are wireless-LAN-centric; for example, frequencies are displayed in terms of 802.11 channels.

In Network Director, two spectrograms are provided under monitoring, one for a radio’s channels and one for the results of a spectrum sweep. The second spectrogram also includes graphing of the duty cycle of the radio.

Channel auto-tuning (see Understanding Adaptive Channel Planner) defines a transmission ID for access point radios. With spectral analysis, that definition is extended to all interference sources.

With spectral monitoring enabled, an enabled access point radio will drop the current clients and scan for any device with a radio signal. For directions to implement spectral monitoring, see Monitoring the RF Spectrum of a Radio.