JOURNAL OF COMPUTING, VOLUME 2, ISSUE 12, DECEMBER 2010, ISSN 2151-9617

HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 9

Improved Scanning Methods to speed-up

IEEE 802.11 Handoff
Michael Finsterbusch, Thomas Möbert, Patrick Schmidt

Abstract—The IEEE 802.11 wireless network adapters have one big weakness. They can just operate on one channel
respectively on one frequency at the same time. Therefore a IEEE 802.11 station is not able to scan and communicate
simultaneously. If a station scans its environment to e.g. prepare the roaming to another access point, it can’t receive frames
from its associated access point. This paper presents a special scan method for IEEE 802.11 stations. The Sleep Scan
improves the scan in a manner, that no packets get lost during the scan. It uses the IEEE 802.11 power save facility to signal
the access point to buffer every frame for the scanning station some time. Consequently no packets get lost during scanning. A
second variant of the Sleep Scan can not only prevent packet loss it also supports scanning during realtime communications.

Keywords—IEEE 802.11, Roaming, Scanning, Wireless Communication

——————————  ——————————

1 INTRODUCTION

B efore an IEEE 802.11 [1] station (STA) can associate

itself with an access point (AP), it has to scan it’s en-
vironment first to find suitable candidate APs. To
scan is the first step in the sequence to associate with an
access point. It is needed before the station’s first associa-
tion and also when roaming between different APs. The
roaming between APs is a time critical process, because
there could be several existing data connections of upper
network layers (e.g. TCP connections) which may be in-
terrupted if the roaming process takes to much time. We
will show later that the scan process takes a huge amount
of time today and is therefore the most critical part of the
roaming process.
The common IEEE 802.11 scan methods physically in-
terrupt the connection between STA and AP, because the
wireless network interface controller (NIC) has to switch
between different channels during the scan. However a
wireless NIC can just operate on a single channel. From
this it follows that a scanning STA is not able to receive
frames from it’s associated AP during a scan and packet
loss is the consequence. This fact is especially critical, be-
cause we can show that a full channel scan can take a few
hundreds of milliseconds till about some seconds.
In this paper, an improved scan technique will be pre-
sented, which allows scanning during normal packet
transmission without packet loss. At first we will discuss
some related work to distinguish the influence of scan-
ning on the mobility in 802.11 networks. After that we
will show on real life implementations of different wire-
less device drivers, how much time a scan consumes. Af-
ter that the idea of the Sleep Scan will be presented. In the
————————————————
 Michael Finsterbusch is with the Department IKT, Hochschule für Tele- the exchange of four frames. So t AuthAss takes 1.5ms to
kommunikation Leipzig (FH) University of Applied Sciences (HfTL) Leip- 5ms. The t AuthSec time depends on the kind of authentica-
zig, Germany.
 Patrick Schmidt is with the Department IKT, Hochschule für Telekommu-
nikation Leipzig (FH) University of Applied Sciences (HfTL) Leipzig,
Germany.
section after that we describe the Sleep Scan procedure
and the IEEE 802.11 parameters which must be consi-
dered. Then an improved variant of the Sleep Scan, the
Fast Sleep Scan, will be presented. Afterwards we will
discuss some measurement results to parametrize the
new scan methods. The final section summarizes all find-
ings.
2 RELATED WORK
Wireless IEEE 802.11 LANs are a widespread option for
wireless internet access. Wireless LANs are able to sup-
port realtime communication as long as the wireless sta-
tion does not leave the radio range of its AP. This is be-
cause the roaming (or handoff) from one AP to another
AP does not fulfill the constraints realtime traffic needs.
The common IEEE 802.11 handoff procedure starts
when the STA lose its connection to the AP. If the STA
detects the loss of connectivity ( t Detection ) it starts to scan
its environment to find a new suitable AP ( t Scan ). Then it
selects one of the available APs and starts to authenticate
and associate ( t AuthAss ) with the new AP. If necessary a
secure IEEE 802.11i [2] or IEEE 802.1X [4] ( t AuthSec ) fol-
lows.
t Handoff  t Detection  t Scan  t AuthAss  t AuthSec (1)
t Detection takes up to about 1.6 seconds depending on
the used hardware and drivers [9]. The t Scan time (full
channel scan) can reach in worst case up to 4 seconds (see
section 3) in average about 500ms to 1000ms. Authentica-
tion and association is necessary to establish the connec-
tion between STA and AP, but this procedure just needs
tion (pre shared key or EAP and EAP method). A lot of
research has been done in the last years to reduce the au-
thentication time. One of the resulting standards is the
IEEE 802.11r [3], which describe the reduction of the reau-
thentication time to about 5ms.
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 12, DECEMBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 10

So we can see the scanning has a huge influence on the

realtime capabilities of the handoff. The Sleep Scan, pre-
sented in this paper, can help to lower this bad influence.
It can be used for periodic ’parallel’ scans during (real-
time) communication to have every time up to date scan
results, to choose a new AP without extra scanning dur-
ing the handoff.

3 TIME CONSUMTION OF THE SCAN

The IEEE 802.11 standard defines two scan methods, the
passive and the active scan. When a STA does a passive
scan it switches over all channels and waits on each chan-
nel for beacon frames. This method is not in our focus
because it is much slower and much more imprecise in
scan results than an active scan. Therefore we focus on
the active scan method in our analysis. The active scan is
specified with the following steps:
1. Switch to the channel to scan and wait Probe-
Delay µs ( tPr obeDelay ).
2. Send a Probe-Request frame with respect to
the CSMA/CA access method
( t Backoff  t Pr obe Re quest ).
3. Wait a period of MinChannelTime ms and
sense the wireless medium for 802.11 frames
( t MinChannelTime ). Switch to the next channel tactiveScan  2  t MaxChannel
min
Time 
(goto step 1), if no 802.11 frames were received (3)
(else goto step 4).  (t min
Pr obeDelay  t Access
min
 t MinChannel
min
Time )
4. Wait a period of MaxChannelTime ms and Channel

sense the wireless medium for 802.11 frames TABLE 1

( t MaxChannelTime ). Then scan the next channel ProbeDelay, MinChannelTime and MaxChannelTime in dif-
(goto step 1). ferent device driver implementations
a Some implementations have a ‘fast’-option to reduce the scan time.
Any AP which receives a Probe-Request frame gene-
rates a Probe-Response frame which contains almost the Upper bound:
same information like a Beacon-Frame (SSID, data rates, tactiveScan 
security information, etc.). Every received Probe-
Response frame is evaluated by the STA and stored in the  (t max
Pr obeDelay  t Access
max
 t MinChannel
max
Time  t MaxChannelTime )
max (4)
scan results. Channel
The variables ProbeDelay, MinChannelTime and
MaxChannelTime are described by the IEEE 802.11 stan- For the lower bound we suppose that there are just
dard, but there are no values or ranges specified for this two AP’s on two different channels. This is the simplest
parameters. To calculate how much time an active scan environment where roaming is possible. For the worst
consumes, we need to know these parameters. Therefore case we suppose that on every possible 802.11bg channel
we have taken some example values from different device Probe-Response frames are received. The parameter
drivers for wireless NIC’s of different vendors, to deter- t Access is the time to physically send the Probe-Request
mine the real life scanning behavior. frame as well as the backoff time for the CSMA/CA
Table 1 contains values for ProbeDelay, MinChannel- access method.
Time and MaxChannelTime. MinChannelTime and Max-
ChannelTime are given in time units (TU). t Access  t Backoff  tPr obeDelay  tPr obe Re quest (5)

1TU  1024s (2)

With these parameters it is possible to calculate the
upper and lower bound of the active scan time.
Lower bound:
The time t Access consists of the time slot (9 or 20µs), the
used PLCP (Physical Layer Convergence Procedure)
preamble (long or short version) and the length of the
Probe-Request frame. Usually Probe-Request frames are
send with a data rate of 1 Mbit/s. So to send one Probe-
Request frame we need a time t Access of about 0.5 to 1ms.
With the values from table 1 we can calculate the scan
time for the 2,4GHz band in europe which is splitted into
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 12, DECEMBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 11

13 channels: 5 SLEEP SCAN

174.106ms   t Access
min
 tactiveScan
13
3993.808ms   t Access
max
 tactiveScan
13
As we can see, a full channel scan can consume about
four seconds in worst case. Regarding this fact, almost all
wireless device drivers are stopping scanning during data
transmission. As we mentioned in section 1 the scan re-
sults are needed in the time critical roaming procedure.
In some papers, e.g. in [9], the reduction of MinChannel-
Time and MaxChannelTime to 1ms and 10.24ms is dis-
cussed to reduce the scan time. In our opinion this is not
an appropriate way to reduce the scan time, because the
reduction of these parameters decreases the amount of
detected APs (quality of the scan results). The paramete-
rization of MinChannelTime and MaxChannelTime is
discussed in section 7.
The Sleep Scan procedure is defined by the following
(6) steps:
1. Switch to PS mode.
(7) 2. Start to scan one channel.
3. If the whole scan is complete, awake (Finish),
else goto step 4.
4. If there is data in the sending buffer awake
and send the frames, then goto step 2, else go-
to step 5.
5. If there is enough time to the next beacon
frame to do another scan, goto step 2, else go-
to step 6.
6. Receive the next beacon frame and the TIM-
element for buffered data in the AP. If buf-
fered frames are available, receive them and if
necessary, send local buffered frames to the
AP. Goto step 1.
The Sleep Scan procedure is also shown in the pro-
gram flow chart on figure 1.

4 IDEA OF SLEEP SCAN

As we discussed in section 3, one of the main problems of

today’s scan methods is that the device driver has to in-
terrupt the scan when transmitting data. Therefore the
driver is not able to scan the environment for alternate
AP’s to prepare roaming, if one or more data transmis-
sions are running at the same time.
The idea of the Sleep Scan is, to not interrupt a running
scan when transmitting data, but to arrange the scan and
the data transmission to minimize the cross influence be-
tween each other. If a frame has to be send by the STA
during a scan, it is just buffered by the STA for some time
until the scan is finished. This is easy for the STA because
it knows whenever it scans. On the other hand the AP
doesn’t know when a STA scans it’s environment. So all
frames send from AP to the scanning STA get lost. To
avoid this packet loss, the central idea of the Sleep Scan is
to use the Power Save Mode.
The power save (PS) mode in IEEE 802.11 networks al-
lows economizing energy by disabling parts of its wire-
less NIC for a STA. To avoid packet loss in power save Fig.1. Sleep Scan procedure
mode, the AP stores any frame for the ’sleeping’ STA for a
period of time. This behavior is used by the Sleep Scan. To ensure that there is enough time to scan, the Listen
A STA signalizes the PS mode with a flag in the Frame- Interval must be chosen with respect to the beacon inter-
Control field of the 802.11 MAC header. The AP then val and the time needed to scan one channel.
stores every frame for this STA. The AP then signalizes
the ’sleeping’ STA with the traffic indication map (TIM)
element in the beacon frame that it has buffered some
t ListenInterval  t Scan (8)
frames. A ’sleeping’ STA ’awakes’ periodically in the so
called Listen Interval to receive the beacon frame to check The STA’s listen interval is set during the association
if the AP has frames for it. A STA can request buffered with the AP. The AP uses the listen interval to calculate
frames with the PS-poll frame. If a STA completely leaves the lifetime of the buffered frames. It is not possible to
the PS mode, the AP sends all buffered frames to the STA change the listen interval without a reassociation with the
without the need of PS-poll frames. AP. So if a STA wants to use the Sleep Scan, it has to cal-
culate its listen interval before the (first) association.
To scan n channels during one listen interval, the pa-
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 12, DECEMBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG
rameters MinChannelTime, MaxChannelTime, ProbeDe-
lay or the Listen Interval itself can be tuned like the fol-
lowing (un)equations shows:
t ListenInterval  x  t BeaconInterval , x  N \ {0}
t Scan  t Backoff  t Pr obeDelay  t Pr obe Re quest 
t MinChannelTime  t MaxChannelTime
t ListenInterval  n  t Scan
6 FAST SLEEP SCAN
The Sleep Scan discussed in the above section can im-
prove the IEEE 802.11 scan to avoid packet loss during
the scan. So it can be used for a permanent scanning dur-
ing low data exchange to keep track of neighboured APs.
But the Sleep Scan is no good choice for scanning during
realtime communication (e.g. Voice over IP) because of
the short transmit and receive interval that the realtime
traffic needs. The maximum delay for voice traffic should
not be larger than 50ms to guarantee good quality.
Therefore the Sleep Scan that possibly scans a whole
beacon interval could interrupt such a realtime communi-
cation and so decrease its quality. A solution for this
problem is the ’Fast Sleep Scan’.
The Fast Sleep Scan procedure is shown in figure 2 and
is similarly to the Sleep Scan.
Fig.2. Fast Sleep Scan procedure
The Fast Sleep Scan procedure is defined as follows:
1. Switch to PS-mode and scan one channel.
2. Immediately after the scan awake from PS-
mode.
12
3. Send and receive the bursts of buffered data.
4. If not finished the full channel scan goto step
1, else the scan is finished.
(9) This procedure is the fastest scan method, but to guar-
antee short scan delays the parameters ProbeDelay, Min-
ChannelTime and MaxChannelTime have to be tuned.
The time to scan one dedicated channel is
(10)
t Scan  t Pr obeDelay  t Access 
(11) (12)
t MinChannelTime  t MaxChannelTime
Remember, MaxChannelTime is only used if in the pe-
riod of MinChannelTime frames where received on the
channel. If we assume to use the following values:
t Pr obeDelay  1ms (13)
t MinChannelTime  10ms (14)
t MaxChannelTime  18ms (15)
t Access  1ms (16)
The scan consumes about 30ms to scan one channel.
t Scan  1ms  1ms  10ms  18ms  30ms (17)
That means the scan delays the realtime traffic only 30ms
and there is a 20ms reserve to send the realtime data in
time.
7 MEASUREMENT
To evaluate that the Sleep Scan idea works, we imple-
mented the Fast Sleep Scan into the open source WLAN
device driver for Atheros chips MadWifi [8]. First we dis-
abled the scan cancel behavior during data transmission.
So we could see the interrupts in data transmission raised
by full channel scans. A scan, if it is not canceled during
data transmission, will lead to massive packet loss and a
VoIP call will be interrupted up to one second and the
jitter buffer will rise up to its maximum size.
Our Fast Sleep Scan implementation buffers all data
frames to send in a queue during the scan. If the scan of
one dedicated channel is done, all data frames will be
send immediately. By sending all buffered frames the AP
is informed about the wakeup and sends also all its buf-
fered frames. With this implementation we can scan dur-
ing a data transmission without packet loss. With well
tuned parameters for MinChannelTime and MaxChan-
nelTime scans during VoIP calls are possible without loss
of quality.
To evaluate good parameters for fast and efficient
scans, we setup a testbed with 10 APs which are confi-
gured to use the same channel. At first we want to inves-
tigate a good value for MinChannelTime. A too small
value would result in bad scan results, because probe re-
sponse frames will be missed. Too big values will extend
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 12, DECEMBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 13

the scan time per channel too much. So we set MaxChan- Based on this measurement results we can suggest (for
nelTime to a high value (50ms) and scanned one dedicat- this hardware and driver) to use 10ms for MinChannel-
ed channel with different values for MinChannelTime. If Time and 15ms to 20ms for MaxChannelTime to gain
we get at least one scan result we count the scan as suc- good and fast scan results.
cessful. Table 2 shows our measurement results for differ-
ent values of MinChannelTime. The results show that a
value of at least 7ms is needed for good scan results. Fig. 4. Measurement results for MaxChannelTime with high local
traffic load
Secondly we investigated good values for MaxChan-
nelTime. Here the same effect occurs as for MinChannel-
Time. Too small values would result in bad scan results
and too big values will extend the scan time per channel.
8 CONCLUSION
So we set MinChannelTime to 10ms and scanned with
variable values from 1ms to 50ms for MaxChannelTime. We determined that scanning and data transmission is
We made 100 scans on one dedicated channel for each
value of MaxChannelTime. At the same time we trans-
fered data with realtime characteristics on another chan-
nel. On the measurement channel with the 10 APs was no
traffic. Figure 3 shows the measurement results.

TABLE 2
Measurement results for MinChannelTime
Fig.3. Fast Sleep Scan procedure

Third we repeated the measurement of MaxChannel-

Time with the same parameters and under the same con-
ditions, except the channel load on the measurement
channel. On the measurement channel with the 10 APs
was high traffic load generated by two STAs that were
connected with two of the 10 APs. In sum the two STAs
generated constant traffic of about 20 MBit/s. Figure 4
shows the measurement results. We can see clearly that
the scan results on high traffic load channels are signifi-
cantly worse in comparision to channels with low traffic
load. Therefore MaxChannelTime has to be longer to gain
better scan results.
conflictive. A real life scan can consume up to four
seconds, so scanning causes packet loss or scanning is
interrupted during data transmission. This means that
after a long data transmission the last scan results are
outdated. So if a handoff during a data transmission is
necessary, a full channel scan is essential, but this will
interrupt the data transmission for some time. This is es-
pecially critical for realtime communication and realtime
applications.
The Sleep Scan can handle this disadvantage to scan
during data transmission without packet loss by using the
IEEE 802.11 power save mode. A STA that wants to use
the Sleep Scan has to calculate its listen interval first with
attention to the AP’s beacon interval and especially the
scan parameters MinChannelTime and MaxChannelTime
during the association. The only limiting factor is the size
of AP’s buffer which stores STA’s frames. The Sleep Scan
can avoid packet loss but it can not be used during real-
time communications. The Fast Sleep Scan is an improved
method and can be used to scan during realtime commu-
nications. It scans in a manner that halts the communica-
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 12, DECEMBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 14

tion just for a short time but does not break the realtime
conditions. So the traffic gets just a short delay. The delay
can be influenced by the parameters MinChannelTime
and MaxChannelTime.
Our measurements showed that 10ms is a good value
for MinChannelTime to steadily detect activity on the
channel and to observe the channel for the additional
time MaxChannelTime. To get good scan results also on
channels with high traffic load, the value for MaxChan-
nelTime should be between 15ms and 20ms. With these
parameters the scan takes about 30ms which is short
enough for e.g. VoIP communication.
To have up to date scan results at any time, the Sleep
Scan should be used periodically during less or no data
transmissions, because the Sleep Scan does not interrupt
after every single channel scan. Therefore the full channel
scan time is lower than using the Fast Sleep Scan. On high
traffic load or during realtime communication the Fast
Sleep Scan should be used.
puter Science at the University of Telecommunication for the areas
of teaching foundations of computer science and communication
networks.
M.Eng. Michael Finsterbusch studied computer science in Leipzig
at Telekom University of Applied Sciences (HfTL) and received his
Diploma in 2006 for implementing a Diameter server and client to
gain a AAA-infrastructure for a secure and mobile architecture for
mobile vehicles. His Master of Engineering at Telekom University of
Applied Sciences in Leipzig in 2009 was on research for WLAN mo-
bility. His current projects cover WLAN optimization, WLAN mobility,
network traffic management, deep packet inspection and high avail-
ability.
M.Eng. Patrick Schmidt studied computer science in Leipzig at
Telekom University of Applied Sciences (HfTL) and received his
Diploma in 2006 for inventing a secure and mobile architecture for
mobile vehicles. His Master of Engineering at Telekom University of
Applied Sciences in Leipzig in 2009 was on research for WLAN
backbone optimization. His current projects cover WLAN and WLAN
backbone optimization, network traffic management, deep packet
inspection and high availability.

REFERENCES
[1] IEEE Standard for Information technology – Telecommunications and
information exchange between systems – Local and metropolitan area
networks – Specific requirements — Part 11: Wireless LAN Medium
Access Control (MAC) and Physical Layer (PHY) Specifications. IEEE
Std 802.11™- 2007
[2] IEEE Standard for Information technology – Telecommunica-
tions and information exchange between systems – Local and
metropolitan area networks – Specific requirements — Part 11:
Wireless LAN Medium Access Control (MAC) and Physical
Layer (PHY) specifications Amendment 6: Medium Access
Control (MAC) Security Enhancements. IEEE Std 802.11i™-
2004.
[3] IEEE Standard for Information technology– Telecommunica-
tions and information exchange between systems– Local and
metropolitan area networks– Specific requirements — Part 11:
Wireless LAN Medium Access Control (MAC) and Physical
Layer (PHY) Specifications—Amendment 2: Fast Basic Service
Set (BSS) Transition. IEEE Std 802.11r™-2008.
[4] IEEE Standard for Local and metropolitan area networks –Port-
Based Network Access Control. IEEE Std 802.1X™-2004.
[5] linux-2.6.19/drivers/net/wireless/atmel.c, Linux Kernel 2.6.19.
line 2722 to 2722.
[6] linux/drivers/net/wireless/ipw2200.c, Linux Kernel 2.6.19.
line 2722 to 2722.
[7] linux/drivers/net/wireless/wl3501 cs.c, Linux Kernel 2.6.19.
line 601 to 614 an line 739.
[8] Madwifi 0.9.4, http://madwifi.org. net80211/ieee80211 node.h
line 55 to 59 and net80211/ieee80211 scan sta.c line 526 to 527.
[9] H. Velayos and G. Karlsson. Techniques to reduce the IEEE
802.11b handoff time. Communications, 2004 IEEE International
Conference on, 7:3844 – 3848, June 2004.

Prof. Dr. rer. nat. Thomas Möbert studied Mathematics (with spe-
cialization operations research/mathematical optimization) at the
Leipzig University (Germany) in 1975 - 1980 . He gained his doctor's
degree (Dr. rer. nat.) in Nonlinear Dynamic Programming (optimiza-
tion) in 1986. In 1986-96 he was a assistant professor engaged in
implementation of algorithms in integer and network optimization
among other things. Since 1999 he has been a professor for Com-