Quote (originally posted by devine):

    Looks like the driver and/or the card is somewhat re-encrypting the packets. Does "iwconfig ath0 key off" help? Also, aireplay automatically enables rawdev_type=1. Try changing this to rawdev_type=0 in the aireplay.c source.
OK, I've played around some more. I checked that aireplay was changing the sysctls as expected, and it was. So using ath0 or ath0raw makes no difference.
With:

    aireplay -2 -r arp1.cap ath0

and capturing using ethereal on ath0raw, the replayed packet (arp1.cap contains one packet only) is exactly as recorded, no change in sequence number or IV or anything.
However, with the -3 ARP reinjection, no matter what I use, I get the problem where the packet sent out has a different IV, and hence it gets recorded as a new ARP request.
Both use the same send_packet function, so it is either in the way that the h80211 variable is written, or in the way that the card is dealt with.
It looks as if the madwifi drivers themselves are partly to blame, as if dev.ath0.rawdev_type=1 is set, I get total rubbish in ethereal. I also seem to receive my own packets, whatever the case (not sure if this is supposed to happen or not). I'm also getting a lot of PHY errors showing in athstat - I will try to take a closer look tomorrow to isolate some of these issues.
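The comparison done by hand in ethereal above (does the frame that went out on the air still carry the recorded sequence number, IV and ciphertext, or did the driver/card re-encrypt it?) can be automated. The following is an added example, not code from this thread, from aireplay or from madwifi: it parses the 802.11 data-frame header and the WEP IV/key-index/ICV fields, diffs a recorded frame against the one seen on the raw interface, and classifies the result. The two frames, the station and AP addresses, and the "ciphertext" bytes are all constructed here (the body bytes are placeholders, not real RC4 output), and the 68-byte length test for a WEP-encrypted ARP request is an assumption of this example, not a statement about how aireplay recognises ARP frames.

```python
"""Diff a recorded 802.11 WEP frame against the frame observed on the air.

Example code added to illustrate the thread; not from aireplay or madwifi.
All frames below are constructed; ciphertext/ICV bytes are placeholders.
"""
import struct

# Frame-control byte 0: type in bits 2-3, subtype in bits 4-7.
FC_TYPE_DATA = 2
# Frame-control byte 1 (flags).
FLAG_TODS = 0x01
FLAG_FROMDS = 0x02
FLAG_RETRY = 0x08
FLAG_PROTECTED = 0x40  # the "WEP" bit

# Assumed on-air size of a WEP ARP request without QoS:
# 24 (MAC hdr) + 4 (IV + key index) + 8 (LLC/SNAP) + 28 (ARP) + 4 (ICV).
WEP_ARP_LEN = 68


def parse_data_frame(frame: bytes) -> dict:
    """Parse the MAC header; for protected frames split off IV, key index, ICV."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 data header")
    fc0, flags = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != FC_TYPE_DATA:
        raise ValueError("not a data frame")
    subtype = fc0 >> 4
    hdr_len = 24
    if flags & (FLAG_TODS | FLAG_FROMDS) == (FLAG_TODS | FLAG_FROMDS):
        hdr_len += 6  # address 4 is present in WDS frames
    if subtype & 0x8:
        hdr_len += 2  # QoS control field
    seq_ctrl = struct.unpack_from("<H", frame, 22)[0]
    body = frame[hdr_len:]
    info = {
        "addr1": frame[4:10], "addr2": frame[10:16], "addr3": frame[16:22],
        "seq": seq_ctrl >> 4, "frag": seq_ctrl & 0xF,
        "retry": bool(flags & FLAG_RETRY),
        "protected": bool(flags & FLAG_PROTECTED),
        "iv": None, "keyidx": None, "payload": body,
    }
    if info["protected"]:
        if len(body) < 8:
            raise ValueError("protected frame too short for IV and ICV")
        info["iv"] = body[:3]
        info["keyidx"] = body[3] >> 6
        info["payload"] = body[4:-4]  # ciphertext between IV and ICV
    return info


def compare_frames(recorded: bytes, seen: bytes) -> set:
    """Return the names of the fields that differ between the two frames."""
    a, b = parse_data_frame(recorded), parse_data_frame(seen)
    fields = ("addr1", "addr2", "addr3", "seq", "iv", "keyidx", "payload")
    return {k for k in fields if a[k] != b[k]}


def classify_replay(recorded: bytes, seen: bytes) -> str:
    """Say whether the on-air frame is the recorded one, or a re-encrypted copy."""
    diff = compare_frames(recorded, seen)
    if not diff:
        return "verbatim replay"
    if diff == {"seq"}:
        return "same frame, new sequence number"
    if "iv" in diff and not (diff & {"addr1", "addr2", "addr3"}):
        return "re-encrypted by driver/card"
    return "unrelated frame"


def looks_like_wep_arp_request(frame: bytes) -> bool:
    """Length heuristic (an assumption of this example): ToDS WEP frame of 68 bytes."""
    f = parse_data_frame(frame)
    return f["protected"] and len(frame) == WEP_ARP_LEN and bool(frame[1] & FLAG_TODS)


def build_wep_frame(addr1, addr2, addr3, seq, iv, keyidx, ciphertext, icv,
                    flags=FLAG_TODS) -> bytes:
    """Assemble a constructed WEP data frame (no real encryption is performed)."""
    fc = bytes([FC_TYPE_DATA << 2, flags | FLAG_PROTECTED])
    duration = b"\x00\x00"
    seq_ctrl = struct.pack("<H", (seq << 4) & 0xFFF0)
    return (fc + duration + addr1 + addr2 + addr3 + seq_ctrl
            + iv + bytes([keyidx << 6]) + ciphertext + icv)


# Constructed addresses: a station sending an ARP request to its AP (ToDS=1).
STATION = bytes.fromhex("001122334455")
AP = bytes.fromhex("66778899aabb")
BROADCAST = b"\xff" * 6

# The frame as it was stored in arp1.cap (constructed).
RECORDED = build_wep_frame(AP, STATION, BROADCAST, seq=100, iv=b"\x01\x02\x03",
                           keyidx=0, ciphertext=bytes(range(36)),
                           icv=b"\xaa\xbb\xcc\xdd")
# What the -3 case looked like on the air: same addresses and length, but a
# fresh IV, fresh ciphertext and the driver's own sequence number (constructed).
REENCRYPTED = build_wep_frame(AP, STATION, BROADCAST, seq=7, iv=b"\x09\x08\x07",
                              keyidx=0, ciphertext=bytes(255 - i for i in range(36)),
                              icv=b"\x11\x22\x33\x44")

if __name__ == "__main__":
    print("-2 style:", classify_replay(RECORDED, RECORDED))
    print("-3 style:", classify_replay(RECORDED, REENCRYPTED),
          "differs in", sorted(compare_frames(RECORDED, REENCRYPTED)))
```

Feeding it real frames means reading them from the capture files (the recorded one from arp1.cap, the on-air one from the ethereal capture on ath0raw) and stripping any radiotap or prism header first; a result of "re-encrypted by driver/card" is exactly the symptom described for the -3 case, and it is the changed IV, not the sequence number, that makes the frame count as a new ARP request.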