-b <bssid> MAC address of access point.
-d <dmac> MAC address of destination.
-s <smac> MAC address of source.
-a <bssid> Set Access Point MAC address.
-c <dmac> Set destination MAC address.
-h <smac> Set source MAC address.
Fake Authentication attack: Set target SSID (see below). For
SSID containing special characters, see http://www.aircrack-
-0 <count>, --deauth=<count>
This attack sends deauthentication packets to one or more
clients which are currently associated with a particular access
point. Deauthenticating clients can be done for a number of rea‐
sons: Recovering a hidden ESSID. This is an ESSID which is not
being broadcast. Another term for this is "cloaked" or Capturing
WPA/WPA2 handshakes by forcing clients to reauthenticate or Gen‐
erate ARP requests (Windows clients sometimes flush their ARP
cache when disconnected). Of course, this attack is totally
useless if there are no associated wireless client or on fake
The classic ARP request replay attack is the most effective way
to generate new initialization vectors (IVs), and works very
reliably. The program listens for an ARP packet then retransmits
it back to the access point. This, in turn, causes the access
point to repeat the ARP packet with a new IV. The program
retransmits the same ARP packet over and over. However, each ARP
packet repeated by the access point has a new IVs. It is all
these new IVs which allow you to determine the WEP key.