First post on the forums - hope someone can point me in the right direction.

I've been trying to use aireplay with the -2 option to generate some IVs. I got this working perfectly for one type of AP, but it seems to give different results for another.

I've been using the Wiki as a reference: interactive_packet_replay [Aircrack-ng]

My first attack got back the correct data, e.g.:

 Read 4 packets...
      Size: 68, FromDS: 0, ToDS: 1 (WEP)
           BSSID  =  00:14:6C:7E:40:80
       Dest. MAC  =  FF:FF:FF:FF:FF:FF
      Source MAC  =  00:0F:B5:34:30:30
      0x0000:  0841 de00 0014 6c7e 4080 000f b534 3030  .A....l~@....400
      0x0010:  ffff ffff ffff 4045 d16a c800 6f4f ddef  ......@E.j..oO..
      0x0020:  b488 ad7c 9f2a 64f6 ab04 d363 0efe 4162  ...|.*d....c..Ab
      0x0030:  8ad9 2f74 16bb abcf 232e 97ee 5e45 754d  ../t....#...^EuM
      0x0040:  23e0 883e                                #..>
Where the destination MAC is FF:FF:FF:FF:FF:FF

When I do the same command on another AP, I seem to get a different Dest. Mac -> 01:00:5E:00:00:01 which seems to have something to do with a multicast if I have understood this correctly.

On the first AP, this generated ~20,000 IVs and allowed me to break the 64-bit WEP.

On the second AP, I tried several times - generating up to 200,000 IVs but still can't seem to crack the WEP key. I have toggled the -n option on aircrack in case it's 128-bit but to no avail.

Can someone shed any light on this? Perhaps I have overlooked something simple. Also, is it possible to tell if the WEP is encrypted with 64 or 128bit?
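
An added example, not part of the original post: Python that rebuilds the frame from the hex dump quoted above, decodes the 802.11 header fields that aireplay prints, and classifies the destination address so that FF:FF:FF:FF:FF:FF and 01:00:5E:00:00:01 can be told apart. The function names are chosen for this example only.

```python
import re

# Hex dump copied from the post above (offset and ASCII columns included).
DUMP = """
0x0000:  0841 de00 0014 6c7e 4080 000f b534 3030  .A....l~@....400
0x0010:  ffff ffff ffff 4045 d16a c800 6f4f ddef  ......@E.j..oO..
0x0020:  b488 ad7c 9f2a 64f6 ab04 d363 0efe 4162  ...|.*d....c..Ab
0x0030:  8ad9 2f74 16bb abcf 232e 97ee 5e45 754d  ../t....#...^EuM
0x0040:  23e0 883e                                #..>
"""
# At most 8 four-digit groups per row, so the ASCII column is never read as hex.
HEX_ROW = re.compile(r"^\s*0x[0-9a-fA-F]{4}:\s+((?:[0-9a-fA-F]{4} ?){1,8})", re.M)

def dump_to_bytes(dump):
    """Rebuild the raw frame from the hex column of the dump."""
    return b"".join(bytes.fromhex(m.group(1)) for m in HEX_ROW.finditer(dump))

def mac(addr):
    return ":".join(f"{b:02X}" for b in addr)

def classify(addr):
    """Name the kind of destination address."""
    if addr == b"\xff" * 6:
        return "broadcast"
    if addr[:3] == b"\x01\x00\x5e" and addr[3] < 0x80:
        return "IPv4 multicast"          # 01:00:5E + 23 bits of the group IP
    return "other multicast" if addr[0] & 1 else "unicast"

def parse_data_frame(frame):
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = fc1 & 1, (fc1 >> 1) & 1
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    # (BSSID, source, destination) by ToDS/FromDS; Address 3 is the
    # destination only when ToDS=1, as in the frame from the post.
    layout = {(1, 0): (a1, a2, a3), (0, 1): (a2, a3, a1), (0, 0): (a3, a2, a1)}
    if (to_ds, from_ds) not in layout:
        raise ValueError("4-address (WDS) frames are not handled")
    bssid, src, dst = layout[(to_ds, from_ds)]
    hdr = 24 + (2 if fc0 & 0x80 else 0)   # QoS data frames carry 2 more bytes
    info = {"size": len(frame), "to_ds": to_ds, "from_ds": from_ds,
            "bssid": mac(bssid), "src": mac(src), "dst": mac(dst),
            "dst_kind": classify(dst), "protected": bool(fc1 & 0x40)}
    if info["protected"]:                 # 3-byte IV, then the key ID octet
        key_octet = frame[hdr + 3]
        info.update(iv=frame[hdr:hdr + 3].hex(), key_id=key_octet >> 6,
                    wep=not key_octet & 0x20)  # ExtIV bit clear means WEP
    return info

if __name__ == "__main__":
    print(parse_data_frame(dump_to_bytes(DUMP)))
```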