I've been having trouble trying to find out why I am not getting the response I expect from aireplay with the -2 option. For example, this is what I expect:
The destination MAC is FF:FF:FF:FF:FF:FF (a broadcast) and the packet also contains the correct ffffff data.
Read 4 packets...
Size: 68, FromDS: 0, ToDS: 1 (WEP)
BSSID = ##:##:##:##:##:##
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = ##:##:##:##:##:##
0x0000: 0841 de00 0014 6c7e 4080 000f b534 3030 .A....l~@....400
0x0010: ffff ffff ffff 4045 d16a c800 6f4f ddef ......@E.j..oO..
0x0020: b488 ad7c 9f2a 64f6 ab04 d363 0efe 4162 ...|.*d....c..Ab
0x0030: 8ad9 2f74 16bb abcf 232e 97ee 5e45 754d ../t....#...^EuM
0x0040: 23e0 883e #..>
When I run this on another AP, I seem to get a different Dest. MAC -> 01:00:5E:00:00:01, which seems to have something to do with a multicast if I have understood this correctly. It doesn't broadcast to FF:FF:FF:FF:FF:FF and I don't see the correct data in the packet (as per the example).
The first AP only takes ~20k IVs to bypass the WEP, but with this one I can collect 200k IVs and it still won't budge.
I'm interested to know how they can both relay packets but aircrack only breaks one key. I have done a bit of research but can't seem to get anywhere with this. I have tried changing the fudge factor in aircrack, but I am thinking it's more to do with invalid IVs being captured - or maybe the relay isn't actually working.
These are both my routers before anyone asks: one of which is actually in use, and the other is from a box of random hardware that I can't find a home for!
Any help would be most appreciated,
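Added example (not from the post, and not aircrack-ng code): a small Python decoder that reads an aireplay-ng style hex dump back into bytes and pulls out the same fields aireplay prints (FromDS/ToDS, BSSID, Dest. MAC, Source MAC), plus the WEP IV and a broadcast/multicast/unicast classification of the destination. The first dump is the 68-byte frame quoted above; the second dump is constructed for illustration, reusing the same header but with the 01:00:5E:00:00:01 destination the second AP showed. The 68-byte figure is the standard size of a WEP-encrypted ARP request (802.11 header + IV/key index + LLC/SNAP + ARP + ICV); the constant and the regexes are this example's own.

```python
"""Decode the 802.11 header of a WEP data frame from an aireplay-ng style hex dump.

Added example for this thread; not code from the post or from aircrack-ng.
"""
import re

# Hex dump exactly as printed in the post (68-byte WEP frame, ToDS=1).
POST_DUMP = """
0x0000: 0841 de00 0014 6c7e 4080 000f b534 3030 .A....l~@....400
0x0010: ffff ffff ffff 4045 d16a c800 6f4f ddef ......@E.j..oO..
0x0020: b488 ad7c 9f2a 64f6 ab04 d363 0efe 4162 ...|.*d....c..Ab
0x0030: 8ad9 2f74 16bb abcf 232e 97ee 5e45 754d ../t....#...^EuM
0x0040: 23e0 883e #..>
"""

# Constructed dump (NOT from the post): same header, but the third address is
# 01:00:5e:00:00:01, the destination the second AP showed. Header + IV only.
MULTICAST_DUMP = """
0x0000: 0841 de00 0014 6c7e 4080 000f b534 3030 ................
0x0010: 0100 5e00 0001 4045 d16a c800 ........
"""

# WEP-encrypted ARP request: 24-byte 802.11 header + 4 (IV + key index)
# + 8 (LLC/SNAP) + 28 (ARP) + 4 (ICV) = 68 bytes, the size of the "good" frame.
WEP_ARP_REQUEST_SIZE = 24 + 4 + 8 + 28 + 4

HEX_GROUP = re.compile(r"^[0-9a-fA-F]{4}$")
DUMP_LINE = re.compile(r"^0x[0-9a-fA-F]+:\s*(.*)$")


def parse_dump(text: str) -> bytes:
    """Turn 'offset: hhhh hhhh ... ascii' lines back into raw frame bytes."""
    out = bytearray()
    for line in text.strip().splitlines():
        m = DUMP_LINE.match(line.strip())
        if not m:
            continue
        # At most 8 groups (16 bytes) per line; the first non-hex token is
        # the start of the ASCII column, which is discarded.
        for tok in m.group(1).split()[:8]:
            if not HEX_GROUP.match(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def classify_dst(dst: bytes) -> str:
    """Broadcast / multicast / unicast, decided by the I/G bit of octet 0."""
    if dst == b"\xff" * 6:
        return "broadcast"
    if dst[0] & 0x01:  # I/G bit set: group (multicast) address
        if dst[:3] == b"\x01\x00\x5e" and not dst[3] & 0x80:
            return "ipv4-multicast"  # 01:00:5e:00:00:00 .. 01:00:5e:7f:ff:ff
        if dst[:2] == b"\x33\x33":
            return "ipv6-multicast"
        return "multicast"
    return "unicast"


def decode_data_frame(frame: bytes) -> dict:
    """Decode frame control, the address fields and the WEP IV / key index."""
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds, protected = bool(flags & 0x01), bool(flags & 0x02), bool(flags & 0x40)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    hdr_len = 24
    if to_ds and not from_ds:        # station -> AP: a1=BSSID a2=SA a3=DA
        bssid, src, dst = a1, a2, a3
    elif from_ds and not to_ds:      # AP -> station: a1=DA a2=BSSID a3=SA
        dst, bssid, src = a1, a2, a3
    elif not to_ds and not from_ds:  # IBSS: a1=DA a2=SA a3=BSSID
        dst, src, bssid = a1, a2, a3
    else:                            # WDS: a3=DA, a4=SA, no single BSSID
        dst, src, bssid = a3, frame[24:30], b""
        hdr_len += 6
    if subtype & 0x8:                # QoS data carries a 2-byte QoS control field
        hdr_len += 2
    iv = key_id = None
    if protected:                    # WEP: 3-byte IV, then key index in top 2 bits
        iv = frame[hdr_len:hdr_len + 3].hex()
        key_id = frame[hdr_len + 3] >> 6
    return {
        "size": len(frame), "to_ds": to_ds, "from_ds": from_ds, "wep": protected,
        "bssid": mac(bssid) if bssid else None, "src": mac(src), "dst": mac(dst),
        "dst_class": classify_dst(dst), "iv": iv, "key_id": key_id,
        "arp_request_sized": len(frame) == WEP_ARP_REQUEST_SIZE,
    }


if __name__ == "__main__":
    for name, dump in (("post", POST_DUMP), ("constructed", MULTICAST_DUMP)):
        print(name, decode_data_frame(parse_dump(dump)))
```

Reading the quoted dump this way: frame control 0x0841 is a data frame with ToDS and the WEP/protected bit set, so address 1 is the BSSID (00:14:6c:7e:40:80), address 2 the source (00:0f:b5:34:30:30) and address 3 the destination (ff:ff:ff:ff:ff:ff), with the IV d1:6a:c8 and key index 0 immediately after the header. 01:00:5E:00:00:01 has the I/G bit set and is the Ethernet mapping of the IPv4 all-hosts group 224.0.0.1, which is why it is reported as multicast rather than broadcast.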