In the latest version of WiFi Scanner we introduced full support for scanning on the 6 GHz frequency band. However, this was limited to in-band discovery, meaning that your device could only detect 6 GHz devices if it supported WiFi 6E / 6 GHz itself. With some clever algorithmic interpretation, we’ve been able to overcome this hurdle and tackle out-of-band discovery.
So how do we do it? It’s all made possible by Reduced Neighbor Reporting (RNR). On tri-band access points (APs that have 2.4, 5, and 6 GHz radios), RNRs are broadcast on all 3 bands and include basic information such as channel number, channel width and BSSID. WiFi Scanner picks up these RNRs and interprets them.
This is an example from a reduced neighbor report sent over a 5 GHz network from a tri-band AP. We can determine that 6 GHz is present from a few fields, explained below.
Operating class: 134 indicates the AP's primary channel is 160 MHz wide. 131 indicates 20 MHz, 132 indicates 40 MHz, 133 indicates 80 MHz, and 134 indicates 160 MHz. On 6 GHz, primary channels are generally 160 MHz wide, so we can presume from this information that 6 GHz is present.
Channel 37 is a primary channel in 6 GHz. The presence of this in a probe response frame on 5 GHz indicates the presence of 6 GHz.
Short SSID is an RNR parameter that is essentially a hash of a 6 GHz SSID. We can also tell whether or not the same SSID is being used for 2.4/5 and 6 GHz. In this example, the “Same SSID” field is “False”, indicating that this short SSID is only being used for the 6 GHz radio.
Co-Located AP: True indicates that the SSID transmitting the RNR information is on the same access point as the 6 GHz radio.
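The fields described above can be read straight out of the RNR element body. The parser below is an added example, not WiFi Scanner's code: it assumes the IEEE 802.11 RNR layout with a TBTT Information field of at least 12 bytes (offset, BSSID, Short SSID as CRC-32 of the SSID, BSS Parameters), and the function names, the SSID "example-6g" and the sample bytes are constructed for illustration.

```python
import struct
import zlib

# Operating class -> channel width (MHz), as listed in the text above.
OP_CLASS_WIDTH = {131: 20, 132: 40, 133: 80, 134: 160}

def short_ssid(ssid: str) -> int:
    """Short SSID: CRC-32 of the SSID bytes."""
    return zlib.crc32(ssid.encode("utf-8")) & 0xFFFFFFFF

def parse_rnr(body: bytes) -> list:
    """Parse an RNR element body (the bytes after element ID 201 and length)."""
    out, pos = [], 0
    while pos + 4 <= len(body):
        hdr, op_class, channel = struct.unpack_from("<HBB", body, pos)
        pos += 4
        count = ((hdr >> 4) & 0x0F) + 1   # TBTT Information Count is stored minus one
        tlen = hdr >> 8                   # length of each TBTT Information field
        for _ in range(count):
            info = body[pos:pos + tlen]
            if len(info) < tlen:
                raise ValueError("truncated TBTT Information field")
            pos += tlen
            entry = {"op_class": op_class, "channel": channel,
                     "width_mhz": OP_CLASS_WIDTH.get(op_class),
                     "is_6ghz": op_class in OP_CLASS_WIDTH}
            if tlen >= 12:  # offset(1) + BSSID(6) + Short SSID(4) + BSS Parameters(1)
                entry["bssid"] = info[1:7].hex(":")
                entry["short_ssid"] = struct.unpack_from("<I", info, 7)[0]
                flags = info[11]
                entry["same_ssid"] = bool(flags & 0x02)    # bit 1: Same SSID
                entry["co_located"] = bool(flags & 0x40)   # bit 6: Co-Located AP
            out.append(entry)
    return out

def build_sample() -> bytes:
    """Constructed sample: one neighbor, class 134, channel 37, co-located."""
    tbtt = (bytes([0xFF]) + bytes.fromhex("020000000001")
            + struct.pack("<I", short_ssid("example-6g")) + bytes([0x40]))
    return struct.pack("<HBB", 12 << 8, 134, 37) + tbtt

if __name__ == "__main__":
    for ap in parse_rnr(build_sample()):
        print(ap)
```

Comparing the parsed Short SSID with `short_ssid()` of each SSID you expect on site is a quick way to spot a 6 GHz network that is not in your inventory.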
The most certain way to scan for 6 GHz networks is inevitably through in-band discovery with a WiFi 6E-capable device. But the information provided by RNRs out-of-band is still helpful and worthwhile.