b0nk (Registered Member; Paris, France; joined Aug 2004)
Posted 08-24-2004, #73
Hello,

I'm just playing with arp-request reinjection with aireplay.
I had an original ~90MB (~260K unique IVs) capture file, and aireplay finds about 500 possible ARP packets.
After reinjecting about 2M packets to the traffic & launching aircrack, it only finds about 4000 unique IVs.
Reading the aireplay.c source:

if( pkh.len + ( h80211[27] & 0x3F ) != 0x44 )
    continue;

0x44 = 68 decimal.
The calculated packet length must be exactly 68 bytes, if I understand it correctly (and match every post-condition before this line).
I believe some false positives are possible.

What about improving the predictable packet filtering mechanism?
ARP packets are not the only predictable ones, SYN/ACK/RST/FIN TCP packets are also predictable.
I would be pleased to have feedback for this.
I could rewrite the filtering mechanism and make a standalone filter code.

Thanks.
b0nk.
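Added example (not code from aireplay or from the poster): the same 0x44 byte accounting, 24 (802.11 header) + 4 (IV and key id) + 8 (LLC/SNAP) + 28 (ARP) + 4 (ICV), used from a monitoring angle. It counts how many ARP-sized WEP frames a single transmitter sends inside a short window, which is what an ARP reinjection looks like on the air; the frame layouts, timestamps and the one-second window are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* 24 (802.11 hdr) + 4 (IV + key id) + 8 (LLC/SNAP) + 28 (ARP) + 4 (ICV) = 0x44 */
#define ARP_WEP_FRAME_LEN 0x44
struct frame { uint8_t b[ARP_WEP_FRAME_LEN]; size_t len; double ts; };
/* 1 if f is a WEP-protected, 3-address data frame of exactly ARP size. */
int is_arp_sized_wep_frame(const uint8_t *f, size_t len)
{
    if (len != ARP_WEP_FRAME_LEN) return 0;
    if ((f[0] & 0xFC) != 0x08) return 0;  /* type data, subtype 0 (no QoS) */
    if (!(f[1] & 0x40)) return 0;         /* Protected Frame flag set */
    if ((f[1] & 0x03) == 0x03) return 0;  /* 4-address (WDS) header is 30 bytes */
    return 1;
}
/* Peak count of ARP-sized frames one transmitter (addr2, bytes 10..15) sent in
 * any `win`-second window: a real station sends a few, a replay storm thousands.
 * Frames must be in capture (time) order. */
int max_arp_burst(const struct frame *fr, size_t n, double win)
{
    int best = 0;
    for (size_t i = 0; i < n; i++) {
        if (!is_arp_sized_wep_frame(fr[i].b, fr[i].len)) continue;
        int cnt = 0;
        for (size_t j = i; j < n && fr[j].ts - fr[i].ts <= win; j++)
            if (is_arp_sized_wep_frame(fr[j].b, fr[j].len) &&
                memcmp(fr[j].b + 10, fr[i].b + 10, 6) == 0)
                cnt++;
        if (cnt > best) best = cnt;
    }
    return best;
}
/* Constructed (hypothetical) frame: data, ToDS, Protected, addr2 = 00:..:00:XX.
 * Only the header bytes matter here; `len` records the on-air length. */
static void mk(struct frame *f, uint8_t src_last, double ts, size_t len)
{
    memset(f, 0, sizeof *f);
    f->b[0] = 0x08; f->b[1] = 0x41; f->b[15] = src_last;
    f->len = len; f->ts = ts;
}
/* Constructed capture: station 01 sends 3 ARPs a second apart, station 02 has
 * 200 ARP-sized frames in half a second, then one larger frame. Peak is 200. */
int demo_burst(void)
{
    static struct frame cap[256]; size_t n = 0;
    for (int i = 0; i < 3; i++)   mk(&cap[n++], 0x01, i * 1.0, ARP_WEP_FRAME_LEN);
    for (int i = 0; i < 200; i++) mk(&cap[n++], 0x02, 10.0 + i * 0.0025, ARP_WEP_FRAME_LEN);
    mk(&cap[n++], 0x02, 11.0, 0x58);  /* not ARP-sized: the counter ignores it */
    return max_arp_burst(cap, n, 1.0);
}
```

A threshold on the returned peak (a few per second is normal ARP traffic, hundreds is not) is what a wireless IDS would alert on.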