Netstumbler uses "null" probe requests and therefore any hidden SSID should normally not be seen. Some WLAN vendor APs respond with a "null" probe response where the SSID field is blank. Some WLAN vendor APs just ignore null probe requests when queried.
So the question remains, why does Netstumbler still sometimes find hidden SSIDs? When we wrote the book, my co-author contacted Marius Milner who wrote the Netstumbler program. There are two reasons Netstumbler can sometimes see a hidden SSID. Below are direct quotes from Mr. Milner:
"NetStumbler is at the mercy of whatever the underlying driver software chooses to do. For most drivers, this is just a simple probe request and response, but it can be more. It's also possible for the driver to pick up the extra probe response that is produced when a different client associates with the access point (this one always includes the SSID). I don't know which drivers use these more advanced techniques though."
"NetStumbler does get SSID information another way: it looks to see if you're already associated to an access point; if so, it adds that access point's SSID to the list if it didn't already have it."
In conclusion, Netstumbler normally does not see hidden SSIDs although it might depending on the laptop driver and will also see the SSID if the same radio is already associated to an AP.
1) The better tool to see hidden SSIDs is a WLAN protocol analyzer like Wildpackets, AirMagnet or Wireshark. Hidden SSIDs will be seen in seconds with a good WLAN sniffer.
2) In the Enterprise, I would suggest that you NEVER hide the SSID because SSID cloaking is proprietary. Sometimes older WLAN radios will not connect even if they are properly configured with the correct SSID. I have seen this happen over and over with older legacy radios. Secondly, because SSIDs are case sensitive, end-users will drive the help desk crazy with needless phone calls about not being able to connect to the WLAN, simply because they type the case incorrectly.
Co-Author CWSP Study Guide
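
Added example (not part of the original post and not NetStumbler's code): a small Python parser over constructed 802.11 management frames, showing that a cloaked beacon carries an empty or null-filled SSID element while the probe response produced when a client associates carries the real name. The frame bytes, MAC addresses and the SSID `CorpNet` are constructed for illustration, and frames are assumed to start at the 802.11 header with no radiotap prefix.

```python
# Subtype -> length of the fixed fields that precede the tagged elements.
FIXED_LEN = {4: 0, 5: 12, 8: 12}
NAMES = {4: "probe-req", 5: "probe-resp", 8: "beacon"}

def parse_ssid(frame: bytes):
    """Return (subtype_name, bssid, ssid_bytes), or None if unhandled or truncated."""
    if len(frame) < 24:                      # shorter than a management MAC header
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED_LEN:
        return None
    bssid = frame[16:22].hex(":")            # address 3 holds the BSSID
    pos = 24 + FIXED_LEN[subtype]
    while pos + 2 <= len(frame):             # walk the id/length/value elements
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) < elen:
            return None
        if eid == 0:                         # element ID 0 is the SSID
            return NAMES[subtype], bssid, body
        pos += 2 + elen
    return None

def is_cloaked(ssid: bytes) -> bool:
    """Cloaking shows up as a zero-length SSID or one filled with null bytes."""
    return ssid.strip(b"\x00") == b""

def resolve(frames):
    """Map each BSSID to its SSID, or None while only cloaked frames were seen."""
    seen = {}
    for frame in frames:
        parsed = parse_ssid(frame)
        if parsed is None or parsed[0] == "probe-req":
            continue
        _, bssid, ssid = parsed
        if is_cloaked(ssid):
            seen.setdefault(bssid, None)     # never overwrite a learned name
        else:
            seen[bssid] = ssid.decode("utf-8", "replace")
    return seen

def mgmt(subtype, bssid, ssid, dst=b"\xff" * 6):
    """Build a constructed management frame (hypothetical helper for the sample)."""
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + dst + bssid + bssid + b"\x00\x00"
    return header + b"\x00" * FIXED_LEN[subtype] + bytes([0, len(ssid)]) + ssid

AP1, AP2 = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
CLIENT = bytes.fromhex("0200000000aa")
SAMPLE = [mgmt(8, AP1, b""), mgmt(8, AP2, b"\x00" * 7),       # cloaked beacons
          mgmt(5, AP1, b"CorpNet", dst=CLIENT), mgmt(8, AP1, b"")]

if __name__ == "__main__":
    print(resolve(SAMPLE))
```

The second access point stays unresolved because no client associated during the sample, which matches the case where an AP ignores or blanks its answer to a null probe.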