You're correct, but obviously, AP name appears only, if there was a client connected, and it re-connect after re-auth. There is also problem of correct read timing (AP name is broadcast only for short moment) - I have no idea how to implement it properly, but it can't be too hard, as desktop/notebook tools seems to have 100% "success rate".

Easiest way for de-auth would be to use broadcast one (targeting AP, not clients), but it may not work for all AP's/clients. Other way is to target clients using same channel and BSSID (AP's MAC), which should be working 99,99% of times.

Also, maybe it's possible to use fake authentication to reveal hidden AP SSID- in this case, no clients connected would be needed (yet, one would still need to known authorized MAC, in case of MAC filtering).

/Estel