I am also interested in the answer to this question
All APs broadcast beacons; they can be modded so they don't broadcast ESSIDs, but they must transmit beacon frames to sync clients, etc.
I think iwlist switches to a channel and listens for a period of time for all beacon frames transmitted on the freq.
It takes 2.677 sec for me to do an iwlist scan, therefore my client 'listens' on each channel for 0.243 sec, or 200ms.
I think the maximum time that APs have between broadcasts is 100ms. So it should always pick up APs in range.
So my thoughts are that iwlist is a passive scanning tool.
However, I read somewhere that passive scans can only happen when the scanning card is in RFMON mode, which means it cannot transmit.
But I am running scans while writing this post on the internet,
so this kind of points to active scanning.
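The post points out that an AP configured not to broadcast its ESSID still has to send beacon frames, so a scan still lists it as a cell, just with an empty (or null-padded) ESSID. The script below is an added example, not the poster's code: it parses the text layout that `iwlist <iface> scan` prints (Cell / Address / Channel / Signal level / Encryption key / ESSID lines) and flags which cells are hidden-SSID networks. The scan output embedded in it is constructed for the example, not captured from a real network, and the `parse_iwlist_scan`, `is_hidden` and `summarize` names are this example's own.

```python
import re

# Constructed sample of `iwlist <iface> scan` output (layout as the tool prints it,
# values made up for this example). The third cell shows the null-padded ESSID that
# a hidden network's beacons produce in iwlist output.
SAMPLE_IWLIST_OUTPUT = r"""wlan0     Scan completed :
          Cell 01 - Address: 00:11:22:33:44:55
                    Channel:6
                    Frequency:2.437 GHz (Channel 6)
                    Quality=60/70  Signal level=-50 dBm
                    Encryption key:on
                    ESSID:"HomeNet"
                    Mode:Master
          Cell 02 - Address: 66:77:88:99:AA:BB
                    Channel:11
                    Frequency:2.462 GHz (Channel 11)
                    Quality=40/70  Signal level=-70 dBm
                    Encryption key:on
                    ESSID:""
                    Mode:Master
          Cell 03 - Address: CC:DD:EE:FF:00:11
                    Channel:1
                    Frequency:2.412 GHz (Channel 1)
                    Quality=30/70  Signal level=-80 dBm
                    Encryption key:off
                    ESSID:"\x00\x00\x00\x00"
                    Mode:Master
"""

# Each new cell starts with "Cell NN - Address: <BSSID>".
CELL_RE = re.compile(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})")
SIGNAL_RE = re.compile(r"Signal level=(-?\d+) dBm")


def parse_iwlist_scan(text):
    """Turn iwlist scan output into a list of dicts, one per beaconing cell."""
    cells = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CELL_RE.match(line)
        if m:
            current = {"bssid": m.group(1).upper(), "essid": None,
                       "channel": None, "signal_dbm": None, "encrypted": None}
            cells.append(current)
            continue
        if current is None:
            continue  # header line before the first cell
        if line.startswith("Channel:"):
            current["channel"] = int(line.split(":", 1)[1])
        elif line.startswith("ESSID:"):
            # iwlist wraps the ESSID in double quotes; keep the raw contents.
            current["essid"] = line.split(":", 1)[1].strip('"')
        elif line.startswith("Encryption key:"):
            current["encrypted"] = line.split(":", 1)[1].strip() == "on"
        else:
            s = SIGNAL_RE.search(line)
            if s:
                current["signal_dbm"] = int(s.group(1))
    return cells


def is_hidden(cell):
    """A hidden network beacons with an empty ESSID or one made only of null bytes
    (iwlist prints those as literal \\x00 sequences)."""
    essid = cell["essid"]
    if essid is None:
        return True
    stripped = essid.replace("\\x00", "").replace("\x00", "")
    return stripped == ""


def summarize(cells):
    """Counts useful for a quick survey: how many cells beacon, how many hide
    their ESSID, and how many run without encryption."""
    return {
        "total": len(cells),
        "hidden": sum(1 for c in cells if is_hidden(c)),
        "open": sum(1 for c in cells if c["encrypted"] is False),
    }


if __name__ == "__main__":
    for c in parse_iwlist_scan(SAMPLE_IWLIST_OUTPUT):
        tag = "hidden" if is_hidden(c) else c["essid"]
        print(f'{c["bssid"]} ch{c["channel"]:>2} {c["signal_dbm"]} dBm  {tag}')
    print(summarize(parse_iwlist_scan(SAMPLE_IWLIST_OUTPUT)))
```

Feeding it real output (`iwlist wlan0 scan | python3 this_script.py` after swapping the constant for `sys.stdin.read()`) shows the point the post makes: hiding the ESSID changes what the beacon carries, not whether the beacon is sent, so the cell still appears with its BSSID, channel and signal level.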