It seems like 802.11 probe requests never contain a real BSSID but rather a wildcard BSSID (e.g. ff:ff:ff:ff:ff:ff) however I can't seem to find any documentation stating this. This Meraki documentation says:
"Because the probe request is sent from the mobile station to the destination layer-2 address and BSSID of ff:ff:ff:ff:ff:ff all AP's that receive it will respond."
Does this mean the probe requests never contain real BSSIDs? Even though they sometimes contain SSIDs?
I've seen many Probe Request frame with specific BSSID. For example, in a wireless distribution system(WDS), one AP would probe another AP with specific BSSID since they have the same SSID:
Frame 2022: 310 bytes on wire (2480 bits), 310 bytes captured (2480 bits)
Radiotap Header v0, Length 25
802.11 radio information
IEEE 802.11 Probe Request, Flags: opmP..FT.
Type/Subtype: Probe Request (0x0004)
Frame Control Field: 0x41f3
.... ..01 = Version: 1
.... 00.. = Type: Management frame (0)
0100 .... = Subtype: 4
Flags: 0xf3
.... ..11 = DS status: WDS (AP to AP) or Mesh (MP to MP) Frame (To DS: 1 From DS: 1) (0x3)
.... .0.. = More Fragments: This is the last fragment
.... 0... = Retry: Frame is not being retransmitted
...1 .... = PWR MGT: STA will go to sleep
..1. .... = More Data: Data is buffered for STA at AP
.1.. .... = Protected flag: Data is protected
1... .... = Order flag: Strictly ordered
.101 1101 0001 0110 = Duration: 23830 microseconds
Receiver address: 80:1d:30:a5:81:39 (80:1d:30:a5:81:39)
Destination address: 80:1d:30:a5:81:39 (80:1d:30:a5:81:39)
Transmitter address: 4b:3b:67:a4:4d:fe (4b:3b:67:a4:4d:fe)
Source address: 4b:3b:67:a4:4d:fe (4b:3b:67:a4:4d:fe)
BSS Id: ef:e1:f9:51:09:e6 (ef:e1:f9:51:09:e6)
.... .... .... 0010 = Fragment number: 2
0100 1110 1001 .... = Sequence number: 1257
Frame check sequence: 0x853d68c9 [incorrect, should be 0x7089dc98]
[FCS Status: Bad]
HT Control (+HTC): 0x8ab91f91
WEP parameters
Data (245 bytes)
Assume your PC had joined a open wireless network named Starbucks, and when you are at home, if some Rogue AP has the same name with it, then your PC connects to the AP. That's why some clients will actually allow you to optionally select a BSSID as well. And in ad-hoc network, there are many probe requests with specific BSSID.