I was wondering how to properly use these attacks. There is little to nothing documented about this. Please give me an example.

When looking at the aircrack wiki examples, I don't get it.

aireplay-ng -6 -h 00:09:5B:EC:EE:F2 -b 00:13:10:30:24:9C -D rausb0

-h = my card's MAC
-b = access point MAC

But how can I specify a client which I want to query for new IVs? And even if it works, on what BSSID should airodump be listening to capture the IVs?

Will aircrack read those client IVs? 'Cause I've noticed it doesn't matter how many packets are coming from clients, aircrack only reads the IVs (data) coming from the AP.

I have been successful with the airbase Hirte and caffe-latte attacks, but not with aireplay.