Hi, I'm trying to figure out how to use nl80211 to scan. The "iw" example has been somewhat helpful, though the userspace header file nl80211 and /usr/include/netlink/*.h have been helpful. I'm on an ubuntu system, and I'm sorry to say that the libnl1-doc package has some doxygen files in it that don't agree with the actual headers (function prototypes differ, etc.) but it's enough to get at least some picture of what's going on. Here's what I have put together so far, in snippets: Register callbacks for all messages: callbacks = nl_cb_alloc(NL_CB_DEFAULT); nl_cb_set_all(callbacks, NL_CB_CUSTOM, rx, NULL); Create a socket, allocate a cache. I do error checking on each of these calls to make sure they succeed, but I'm eliminating that here for brevity: genl_connect(sock); cache = genl_ctrl_alloc_cache(sock); nl80211 = genl_ctrl_search_by_name(cache, cacheName); /* cacheName is "nl80211" */ Start building the message. First build an SSID list with one entry in it (empty string) struct nl_msg *ssids = nlmsg_alloc(); nla_put_string(ssids, 0, ""); Next build the scan request message: struct nl_msg *msg = nlmsg_alloc(); int flags = 0; int cmd = NL80211_CMD_TRIGGER_SCAN; genlmsg_put(msg, 0, 0, genl_family_get_id(nl80211), 0, flags, cmd, 0); /* append our ssid list to this message as a nested message */ nla_put_nested(msg, NL80211_ATTR_SCAN_SSIDS, ssids) Finally I send the request: int rc = nl_send_auto_complete(sock, msg); >From this I found out that 32 bytes were sent (seems reasonable). Unfortunately, what I get back is this: [HEADER] 16 octets .nlmsg_len = 52 .nlmsg_type = 2 <ERROR> .nlmsg_flags = 0 <> .nlmsg_seq = 1282012377 .nlmsg_pid = 30415 [ERRORMSG] 20 octets .error = -22 "Invalid argument" [ORIGINAL MESSAGE] 16 octets .nlmsg_len = 16 .nlmsg_type = 23 <0x17> .nlmsg_flags = 5 <REQUEST,ACK> .nlmsg_seq = 1282012377 .nlmsg_pid = 30415 so, even following what iw's "scan.c" does I have somehow pieced the request together incorrectly. Questions: 1. Am I doing something obviously wrong? 2. Is this even the interface I should be using to do this? (I need to scan for all access points on a specific "hidden" SSID to retrieve some information about their SNR. It's a type of "site survey" application for building contour maps of coverage). I'm not sure what I'm doing next makes sense, either. After I send the scan request I wait 3 seconds then start reading like this: while(nl_recvmsgs(sock, callbacks) != 0) { printf("processed a result\n"); } I have registered my callback earlier; this seems to work because I get the message (above) plus later an "Operation Not Supported" message. The operation is indeed supported, as it works with the iwlist and iw command line tools. --Chris -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html