08-25-2004   #77
devine
Emergence
Join Date: Jul 2004
Location: Paris
Posts: 389
Quote:
Originally Posted by b0nk
Hello,

I'm just playing with ARP-request reinjection with aireplay.
I had an original ~90MB (~260K unique IVs) capture file, and aireplay finds about 500 possible ARP packets.
After reinjecting about 2M packets into the traffic & launching aircrack, it only finds about 4000 unique IVs.
Reading the aireplay.c source:

if( pkh.len + ( h80211[27] & 0x3F ) != 0x44 )
    continue;

0x44 = 68 decimal.
The calculated packet length must be exactly 68 bytes if I understand correctly (and match every condition before this line).
I believe some false positives are possible.

There are 50% false positives, which are the ARP replies. But we can't tell if an encrypted packet is a request or a reply, so aireplay sends both.

Quote:
Originally Posted by b0nk
What about improving the predictable packet filtering mechanism?
ARP packets are not the only predictable ones; SYN/ACK/RST/FIN TCP packets are also predictable.

Yep, that's on my TODO list.
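The length test quoted above, written out as a stand-alone C function so the 68-byte arithmetic and the request/reply ambiguity can be seen on constructed frames. This is an added example, not code from aireplay or from either poster; the frame layout arithmetic (24-byte header + 4 IV/key-index + 8 LLC/SNAP + 28 ARP + 4 ICV) and the detection framing are my assumptions, and the sample frames are constructed. Seen from the WLAN owner's side, a burst of frames passing this test far above a quiet network's ARP rate is what the reinjection described in the post looks like on the air.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* On-air size of a WEP-encrypted ARP frame (my arithmetic, not from the post):
 * 24-byte 802.11 data header + 4 (IV + key-index byte) + 8 (LLC/SNAP)
 * + 28 (ARP request or reply, both 28 bytes) + 4 (ICV) = 68 = 0x44. */
#define ARP_WEP_FRAME_LEN 0x44

/* Same test as the quoted aireplay.c line: captured length plus the low six
 * bits of byte 27 (the WEP key-index byte, whose low bits are normally 0)
 * must equal 0x44. Any frame of that size passes, so an ARP reply is accepted
 * as readily as a request: the 50% false positives the post mentions. */
bool arp_sized(const uint8_t *h80211, size_t len)
{
    if (len < 28)               /* need header + IV + key-index byte to read byte 27 */
        return false;
    return len + (h80211[27] & 0x3F) == ARP_WEP_FRAME_LEN;
}

/* Defender view: how many frames in a capture window pass the test. Compared
 * against the normal ARP rate, a sudden excess flags replayed ARP traffic. */
size_t count_arp_sized(const uint8_t *const *frames, const size_t *lens, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (arp_sized(frames[i], lens[i]))
            hits++;
    return hits;
}

/* Constructed sample frames, all zero except where noted (static = zero-filled). */
static uint8_t frame_arp_key0[68];   /* byte 27 = 0x00 -> 68 + 0 = 68: passes */
static uint8_t frame_arp_key1[68];   /* byte 27 = 0x40 -> key id 1, low bits 0: passes */
static uint8_t frame_big[100];       /* ordinary data frame: rejected */

int main(void)
{
    frame_arp_key1[27] = 0x40;
    const uint8_t *frames[] = { frame_arp_key0, frame_arp_key1, frame_big };
    size_t lens[] = { 68, 68, 100 };
    size_t n = sizeof lens / sizeof lens[0];
    printf("%zu of %zu frames are ARP-sized\n", count_arp_sized(frames, lens, n), n);
    return 0;
}
```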