Aireplay-ng is used to inject frames.

        Aireplay-ng 是一个用来（向网络中）注入帧（即数据包）的工具。

The primary function is to generate traffic for the later use in Aircrack-ng for cracking the WEP and WPA-PSK keys. There are different attacks which can cause deauthentications for the purpose of capturing WPA handshake data, fake authentications, Interactive packet replay, hand-crafted ARP request injection and ARP-request reinjection. With the packetforge-ng tool it‘s possible to create arbitrary frames.

        它最主要的功能是产生一些（数据）流量，而这些流量会在 Aircrack-ng 破解WEP和WPA-PSK的密钥时被用到。它提供了一些不同的攻击方式，比如说，为了获取WPA的握手包而发起的解除认证攻击（-0），或是伪造认证攻击（-1），交互式数据包重放攻击（-2），手工ARP请求注入攻击（-3）以及ARP请求重放注入攻击（-3）。基于工具 packetforge-ng ，我们可以随心所欲地创建数据帧。

Most drivers needs to be patched to be able to inject, don‘t forget to read Installing drivers.

        大部分的驱动需要打上补丁才能支持数据包注入，请不要忘了阅读关于 安装驱动 的说明。

It currently implements multiple different attacks:

        当前已经实现的攻击（模式）如下：

• Attack 0: Deauthentication                 【解除认证攻击】
• Attack 1: Fake authentication             【伪造认证攻击】
• Attack 2: Interactive packet replay      【交互式注入攻击】
• Attack 3: ARP request replay attack   【ARP请求包重放攻击】
• Attack 4: KoreK chopchop attack
• Attack 5: Fragmentation attack
• Attack 6: Cafe-latte attack
• Attack 7: Client-oriented fragmentation attack
• Attack 8: WPA Migration Mode
• Attack 9: Injection test                          【数据包注入测试】

This section provides a general overview. Not all options apply to all attacks. See the details of the specific attack for the relevant details.

        本小节（并非面面俱到，而是只）提供了一个通常情况下会用到的概览。（首先要说明的是，）并非所有的命令选项都适用于所有的攻击模式。您可以参阅特定攻击（模式）的（实现）细节来获得（该种攻击模式）的相关（使用）细节。

Usage: 【用法： 】

 aireplay-ng <options（攻击/重放选项）> <replay interface（重放网卡）> 

For all the attacks except deauthentication and fake authentication, you may use the following filters to limit which packets will be presented to the particular attack. The most commonly used filter option is the "-b" to select a specific access point. For typical usage, the "-b" is the only one you use.

        除了解除认证攻击（-0）和伪造认证攻击（-1）以外，其他所有的攻击（模式）都可以使用以下的过滤选项来限制哪些包会被提交给特定的攻击。"-b"是最常用的一个过滤选项，它的作用是指定一个特定的接入点（即AP）。（甚至）在典型的用法中，您可能只会用到"-b"一个选项。

Filter options: 【过滤选项如下： 】

• -b bssid : MAC address, Access Point【接入点[AP]的MAC地址】
• -d dmac : MAC address, Destination【目的MAC地址】
• -s smac : MAC address, Source【源MAC地址】
• -m len : minimum packet length【数据包最小长度】
• -n len : maximum packet length【数据包最大长度】
• -u type : frame control, type field
• -v subt : frame control, subtype field
• -t tods : frame control, To DS bit
• -f fromds : frame control, From DS bit
• -w iswep : frame control, WEP bit

When replaying (injecting) packets, the following options apply. Keep in mind that not every option is relevant for every attack. The specific attack documentation provides examples of the relevant options.

        当我们重放（注入）数据包时，会用到以下的选项。请谨记，并非所有的命令选项都适用于每一种攻击模式。在特定攻击模式的说明文档中提供了和它（该种攻击模式）相关的重放选项的使用范例。

Replay options: 【重放选项如下： 】

• -x nbpps : number of packets per second【每秒发送多少个数据包】
• -p fctrl : set frame control word (hex)
• -a bssid : set Access Point MAC address【设置AP的MAC地址】
• -c dmac : set Destination MAC address【设置目的MAC地址】
• -h smac : set Source MAC address【设置源MAC地址】
• -e essid : For fakeauth attack or injection test, it sets target AP SSID. This is optional when the SSID is not hidden.
• -j : arpreplay attack : inject FromDS pkts
• -g value : change ring buffer size (default: 8)
• -k IP : set destination IP in fragments
• -l IP : set source IP in fragments
• -o npckts : number of packets per burst (-1)
• -q sec : seconds between keep-alives (-1)
• -y prga : keystream for shared key auth
• "-B"or "–bittest" : bit rate test (Applies only to test mode)
• "-D" :disables AP detection. Some modes will not proceed if the AP beacon is not heard. This disables this functionality.
• "-F" or "–fast": chooses first matching packet. For test mode, it just checks basic injection and skips all other tests.
• "-R" disables /dev/rtc usage. Some systems experience lockups or other problems with RTC. This disables the usage.

The attacks can obtain packets to replay from two sources. The first being a live flow of packets from your wireless card. The second being from a pcap file. Standard Pcap(Packet CAPture, associated with the libpcap libraryhttp://www.tcpdump.org) format, is recognized by most commercial and open-source traffic capture and analysis tools. Reading from a file is an often overlooked feature of aireplay-ng. This allows you to read packets from other capture sessions. Keep in mind that various attacks generate pcap files for easy reuse.

        在攻击的时候，（Aireplay-ng）有两个来源可以获取数据包。第一个来源是取自无线网卡的实时通信流，第二个来源是取自一个pcap文件。大部分商业的或开源的（数据）流量捕获与分析工具都可以识别标准的Pcap【即Packet CAPture[数据包捕获]，（更多相关知识）可咨询libpcap的文档库http://www.tcpdump.org 】格式。可以从pcap文件读取数据（并以此作为攻击时数据包的来源）是Aireplay-ng一个经常被忽视的功能。这个功能使得您可以从其他捕获的会话中读取数据包。请注意，有很多种攻击会在攻击时生成pcap文件以便于重复使用。

Source options: 【来源选项： 】

• iface : capture packets from this interface【从指定网卡捕获数据包】
• -r file : extract packets from this pcap file【从指定pcap文件提取数据包】

This is how you specify which mode (attack) the program will operate in. Depending on the mode, not all options above are applicable.

        您可以用下面的选项来指定程序运行哪一种攻击模式。前面我们提到的选项并非在所有攻击模式下都适用，（选项是否可用）基于当前指定的攻击模式。

Attack modes (Numbers can still be used): 【攻击模式选项（您可以照旧使用编号来指定攻击模式） 】

• - -deauth count : deauthenticate 1 or all stations (-0)
  解除一个或所有工作站与AP之间的认证（编号-0）
• - -fakeauth delay : fake authentication with AP (-1) 
  向AP发起伪造的认证（编号-1）
• - -interactive : interactive frame selection (-2)
  交互式注入（编号-2）
• - -arpreplay : standard ARP-request replay (-3) 
  标准ARP请求包重放（编号-3）
• - -chopchop : decrypt/chopchop WEP packet (-4)
  （编号-4）
• - -fragment : generates valid keystream (-5)
  （编号-5）
• - -test : injection test (-9) 
  注入测试（编号-9）

Here are the differences between the fragmentation and chopchop attacks

Pros:

• Typically obtains the full packet length of 1500 bytes xor. This means you can subsequently pretty well create any size of packet. Even in cases where less then 1500 bytes are collected, there is sufficient to create ARP requests.
• May work where chopchop does not.
• Is extremely fast. It yields the xor stream extremely quickly when successful.

Cons:

• Need more information to launch it - IE IP address info. Quite often this can be guessed. Better still, aireplay-ng assumes source and destination IPs of 255.255.255.255 if nothing is specified. This will work successfully on most if not all APs. So this is a very limited con.
• Setup to execute the attack is more subject to the device drivers. For example, Atheros does not generate the correct packets unless the wireless card is set to the mac address you are spoofing.
• You need to be physically closer to the access point because if any packets are lost then the attack fails.
• The attack will fail on access points which do not properly handle fragmented packets.

Pros:

• May work where fragmentation does not work.
• You don‘t need to know any IP information.

Cons:

• Cannot be used against every access point.
• The maximum xor bits is limited to the length of the packet you chopchop against. Although in theory you could obtain 1500 bytes of the xor stream, in practice, you rarely if ever see 1500 byte wireless packets.
• Much slower then the fragmentation attack

Optimizing injection speed is more art than science. First, try using the tools “as is”. You can try using the ”-x” parameter to vary the injection speed. Surprisingly, lowering this value can sometimes increase your overall rate.

        （如何）优化注入速率，与其说这是一门科学，不如说它是一门艺术。您可以首先尝试让工具按照默认的设定运行。（如果效果欠佳，）您可以使用-x选项来改变注入速度。出乎意料的是，降低注入速率有时反而会提高您的整体效率。

You can try playing with the transmission rate. IE “iwconfig wlan0 rate 11M”. Depending on the driver and how you started the card in monitor mode, it is typically 1 or 11MBit by default. If you are close enough set it up to a higher value, like 54M, this way you‘ll get more packets per second. If you are too far away and the packets don‘t travel that far, try to lowering it to (for example) 1M.

        您可以按照（网卡本身支持的）传输速率来设置注入速率。即"iwconfig wlan0 rate 11M"。通常默认的传输速率是1或11M，这取决于网卡驱动以及您怎样启动那张工作于监听模式下的无线网卡。如果您（距离AP）足够近，您可以设定一个相对较高的值，比方说54M，这使您每秒可以获取更多的数据包。如果您（距离AP）是如此远以至于数据包都无法传输到这么远，您可以尝试将它降低到，比如说1M。

These items apply to all modes of aireplay-ng.

        以下各项适用于aireplay-ng的所有攻击模式。

Ensure you are using the correct monitor mode interface. “iwconfig” will show the wireless interfaces and their state. For the mac80211 drivers, the monitor mode interface is typically “mon0”. For ieee80211 madwifi-ng drivers, it is typically “ath0”. For other drivers, the interface name may vary.

        请确认您正在使用的是正确的，且开启了监听模式的无线网卡。使用"iwconfig"命令可以查看无线网卡列表以及他们的状态。对于开启了监听模式的无线网卡，当驱动程序为mac80211时，一般显示为"mon0"；当驱动程序为ieee80211 madwifi-ng时，一般显示为"ath0"。当使用其他驱动时，网卡显示的名称可能会有所不同。

Make sure there are no other VAPs running. There can be issues when creating a new VAP in monitor mode and there was an existing VAP in managed mode.

You should first stop ath0 then start wifi0:

 airmon-ng stop ath0
 airmon-ng start wifi0

or

 wlanconfig ath0 destroy
 wlanconfig ath create wlandev wifi0 wlanmode monitor

You enter the command and the command appears to hang and there is no output.

        您输入了命令，但它看起来好像被挂起了，没有任何输出。

This is typically caused by your wireless card being on a different channel then the access point. Another potential cause of this problem is when you are using an old version of firmware on prism2 chipset. Be sure you are running firmware 1.7.4 or above to resolve this. See Prism card for more details. Firmware upgrade instruction can be found here.

  nbsp;      导致这种现象的原因通常是因为您的无线网卡与AP工作在不同的频道。另一个可能会导致这个问题的原因是您正在prism2芯片组上使用的固件版本过老。要解决这个问题，请确保您正在使用1.7.4或更高版本的固件。欲知详情，请查看这个链接：Prism card。您还可以在这里找到升级固件所使用的指令。

As well, if you have another instance of aireplay-ng running in background mode, this can cause the second to hang if the options conflict.

        另外，如果您还在后台运行了另一个aireplay-ng的实例（即进程），如果两个实例之间选项有冲突，那也会导致第二个实例被挂起。

See this thread: Aireplay freezes when injecting

        查看这篇帖子：Aireplay在注入过程中僵死

Or see this thread: Commenting out RTC

        也可以查看这篇帖子：注释掉RTC

Also check the previous entries.

        另外还可以查看前面列举的条目。

When using a broadcom chipset and related driver you get something similar to:

        当您使用一块broadcom芯片以及对应驱动时，您可能会得到类似于下面的提示信息：

 write failed: Cannot allocate memory wi_write(): Illegal seek

This is due to a bug in the original bcm43xx patch. Use SuD‘s modified patch to fix this. Alternatively, you can try using theb43 driver instead of bcm43xx. (B43 requires aireplay-ng 1.0-beta2 or newer; 1.0 rc1 or svn is recommended.)

        这要归咎于bcm43xx原始补丁里的一个BUG。要解决这个问题，可以使用SuD修改过的补丁。此外，您也可以使用B43驱动来代替bcm43xx。【B43要求aireplay-ng 1.0-beta2或更新的aireplay-ng版本，我们推荐您使用1.0 rc1或它的子版本。】

Symptoms: The injection works but very slowly, at around 30 packets per second (pps). Whenever you start injecting packets, you get the following or similar kernel message:

        症状：可以成功注入但是速度非常慢，注入速率大概是30个数据包每秒【记为30pps】。不论您何时开始注入数据包，您都会收到和下述一样或类似的内核（警告）消息：

"rtc: lost some interrupts at 1024Hz"

 This message is then repeated continuously. There are a couple of workarounds. The first workaround is to start another instance of aireplay, then injection would increase to around 300 pps. The second workaround is to:

        这消息随后不断重复。对此有多种变通方法，第一种变通方法是再启动一个新的aireplay进程，这样注入速度就能涨到大约300pps。第二种变通方法需要输入以下命令：

 rmmod rtc
 modprobe genrtc

or if you have rtc-cmos enabled in your kernel:

又或者，如果您的内核里可以用rtc-cmos，那么输入以下命令：

 rmmod rtc
 modprobe rtc-cmos

There is no solution at this point in time, just the workarounds. See this forum thread.

        对于这个问题当前并没有一个解决方案，有的只是变通方法。详情可查看这篇帖子。

Being too close to the AP can dramatically reduce the injection rate. This is caused by packet corruption and/or overloading the the AP. See thisthread for an example of the impact of being too close to the AP.

        离AP太近会导致注入速率显著地降低。这主要是由数据包损坏 和/或 AP过载导致的。在这篇帖子里可以看到，因距离AP太近而导致影响的一个具体例子。

This is caused by having two or more instances of aireplay-ng running at the same time. The program will still work but the timing will be less accurate.

        导致此错误信息的原因是同时运行了两个或多个aireplay-ng的实例。程序依旧可以运行，但是时序会变得不那么准确。

After entering an aireplay-ng command similar to:

        当您键入了一个类似于如下的命令启动aireplay-ng后，

 aireplay-ng -1 0 -e horcer -a 00:50:18:4C:A5:02 -h 00:13:A7:12:3C:5B ath0

You get a message similar to:

        您会看到类似于如下的信息：

 The interface MAC (06:13:F7:12:23:4A) doesn‘t match the specified MAC (-h).
      ifconfig ath1 hw ether 00:13:A7:12:3C:5B

This occurs when the source MAC address for injection (specified by -h) is different then your card MAC address. In the case above, the injection MAC of 00:13:A7:12:3C:5B does not match the card MAC of 06:13:F7:12:23:4A. In some cases, but not all, this will cause injection to fail. That is why it gives you this warning. So it is always recommended that your injection MAC match the card MAC address.

        当用来进行注入的MAC地址【由-h选项指定】不同于您网卡的（真实）MAC地址时，会出现上述提示信息。在上述例子中，用来注入的MAC地址是00:13:A7:12:3C:5B，而网卡的MAC地址是06:13:F7:12:23:4A，二者不相匹配。在某些但并非所有情况下，这样的不匹配会导致注入的失败。这就是它为什么会给出这个警告的原因。所以一般会要求您指定用以注入的MAC地址要匹配网卡的MAC地址。

Detailed instructions on changing the card MAC address can be found in the FAQ: How do I change my card‘s MAC address ?.

        您可以在常见问题：How do I change my card‘s MAC address ? 中找到更改网卡MAC地址的具体方法细节。

Many aireplay-ng commands require knowing the SSID. You will sometimes see ”<length: ?>” as the SSID on theairodump-ng display. This means the SSID is hidden. The ”?” is normally the length of the SSID. For example, if the SSID was “test123” then it would show up as ”<length: 7>” where 7 is the number of characters. When the length is 0 or 1, it means the AP does not reveal the actual length and the real length could be any value.

        许多aireplay-ng命令要求知道SSID（此处指ESSID，即AP唯一的ID码）。您有时会在airodump-ng 的输出结果中看到以"<length: ?>"作为SSID的情况，这表示该AP的SSID是隐藏的。"?"的取值通常是SSID的长度。比如说当SSID是 "test123" 时，显示的就会是"<length: 7>"，其中7是SSID中字符的数量。当长度显示为0或1的时候，就表示AP并没有透露出它SSID的确切长度，真正的长度可能是（<=32的）任意值。

To obtain the hidden SSID there are a few options:

        要想获取被隐藏的SSID可以有以下一些办法：

• Wait for a wireless client to associate with the AP. When this happens, airodump-ng will capture and display the SSID.
  等待一个无线客户端（及前文说的station，工作站）与该AP建立连接。当发生此事件时，airodump-ng 可以抓到并显示该AP的SSID。
• Deauthenticate an existing wireless client to force it to associate again. The point above will apply.
  对一个现有的无线客户端发动解除认证攻击，迫使其再次与该AP建立连接。接下来参找上一点。
• Use a tool like mdk3 to bruteforce the SSID.
  使用类似于mdk3的工具来暴力破解该AP的SSID。

See this FAQ entry

        查看这个常见问题条目。

When you enter the command, the system freezes or a line is printed with “Waiting for beacon frame” or “No such BSSID available” and then no further activity occurs.

        当您输入命令后，系统僵死了，或者输出一行提示信息："Waiting for beacon frame"或"No such BSSID available"，然后就没有进一步的行为发生了。

There are many possible root causes of this problem:

        可能导致这个问题的根源有很多：

• The wireless card is set to a channel which is different from the AP. Solution: Use iwconfig and confirm the card is set to the same channel as the AP.
  （您使用的）无线网卡被设置到了一个AP不一样的工作频道。
  解决方法：使用iwconfig命令，确认您的无线网卡被设置到和AP处于同一工作频道。
• The card is scanning channels. Solution: Start airodump-ng with the ”-c” or ”–channel” parameter and set it to the same channel as the AP.
  无线网卡正在扫描所有的频道。
  解决方法：带上"-c" 或 "–channel"参数启动airodump-ng并设置其和AP处于同一工作频道。
• The ESSID is wrong. Solution: Enter the correct value. If if contains spaces or special characters then enclose it in quotes. For the complete details, see thisFAQ entry.
  设置了错误的ESSID。
  解决方法：输入正确的值。如果其中含有空格或其他的特殊的字符，使用引号把它括起来。欲知详情，请看这个常见问题条目。
• The BSSID is wrong. Solution: Enter the correct value.
  设置了错误的BSSID。
  解决方法：输入正确的值。
• You are too far away from the AP and are not receiving any beacons. Solution: You can use tcpdump and/or airodump-ng to confirm you are in fact receiving beacons for the AP. If not, move closer.
  您离AP太远了以至于无法收到信标帧。
  解决方法：您可以使用tcpdump 和/或 airodump-ng来确认您确实收到了信标帧。如果（确认结果显示）没收到，那么（把您的设备）挪到离AP更近的地方。
• You are not receiving beacons for the AP: Solution: Use “tcpdump -n -vvv -e -s0 -i <interface name> ” to confirm you are receiving beacons. Assuming you have dealt with with potential problems above, it could be the drivers or you have not put the card into monitor mode.
  确实没收到来自AP的信标帧。
  解决方法：使用"tcpdump -n -vvv -e -s0 -i <interface name>"来确认您收到了信标帧。假设您已经处理了上述潜在的问题，那么可能是安装的驱动有问题，或者是您并没有成功设置无线网卡工作于监听模式下。

For all of the above, running airodump-ng and the related text file should provide all the information you require identify and correct the problem.

运行airodump-ng，通过其相关的文件（应该是指airodump-ng的运行结果）您应该可以获得，找出并修正上述所有的问题所需要的所有信息。

A typical example of this message is: “mon0 is on channel 1, but the AP uses channel 6”

        此消息的一个典型范例是："mon0 is on channel 1, but the AP uses channel 6"

This means something is causing your card to channel hop. A possible reason is that failed to start airodump-ng locked to a single channel. airodump-ng needs to be started with “-c <channel-number>”.

这意味着有什么东西导致您的网卡发生了跳频。一个可能的原因是并未启动airodump-ng的时候并未成功将之锁定到一个单一的频道。airodump-ng需要带上参数"-c <频道编号>"启动。

Another reason is that you have processes such as a network manager or wpa_supplicant channel hopping. You must kill off all these processes. See[airmon-ng] for details on checking what is running and how to kill the processes off.

        另一个（可能的）原因是您同时运行了会引起跳频的进程，比如：network manager、wpa_supplicant。您必须杀死所有这些进程。查看[airmon-ng]来获取怎样查看哪些进程正在运行，以及怎样杀死这些进程。

• Most modes of aireplay-ng require that your MAC address be associated with the access point. The exception being client disassociation, injection test and fake authentication modes. You must either do a fake authentication to associate your MAC address with the access point or use the MAC address of a client already associated with the AP. Failure to do this means that the access point will not accept your packets. Look for deauthentication or disassociation messages during injection which indicates you are not associated with the access point. Aireplay-ng will typically indicate this or it can be done using tcpdump: "tcpdump -n -e -s0 -vvv -i <interface name>". You can filter it by piping it to grep with something like `tcpdump -n -e -s0 -vvv -i ath0 | grep -E “DeAuth|assoc”‘.
  Aireplay-ng大部分的攻击模式都要求您的（无线网卡）MAC地址已经和AP建立了连接。可以例外的只有：客户端解除认证攻击、注入测试，以及伪造认证三种模式。（为了满足那些攻击模式的条件要求，）您要么就必须使用伪造认证攻击让您的（无线网卡）MAC地址和AP建立伪连接，要么就必须使用一个已经和AP建立连接的客户端MAC地址（作为您所注入数据包的源MAC地址）。如果您不能做到这两点中的任一个，就意味着AP不会接受您的数据包。当您进行注入的时候您要留心查看是否有deauthentication或disassociation之类的提示消息，这个提示消息就是向您指明您（用的这个MAC地址）并未和AP建立（或真或伪的）连接。Aireplay-ng会明确地显示这个消息，或者您也可以使用tcpdump来捕获这个消息，命令：
  

  tcpdump -n -e -s0 -vvv -i <interface name（监听网卡）>

  您还可以把它和grep用管道连接起来以达到过滤的目的。类似于这样：
  

  tcpdump -n -e -s0 -vvv -i ath0 | grep -E "DeAuth|assoc"

  The wireless card driver is properly patched and installed. Use theinjection test to confirm your card can inject.
  确认您已经正确地安装了无线网卡驱动并打上了补丁。使用注入测试来确认您的网卡可以注入。
• You are physically close enough to the access point. You can confirm that you can communicate with the specific AP by followingthese instructions.
  确认您和AP的物理距离已经足够近。您可以根据这些说明来确认您可以和一个特定的AP进行通信。
• Another method to confirm that you can communicate with the AP is to ensure you receive ACK packets to each packet you transmit. In wireless communication, the receiver must acknowledge every packet received with an “ACK” packet. It is a mandatory part of the wireless communication protocol. By sniffing without filters on the wireless channel, you should see the “ACK” packets. Review a capture with wireshark or tcpdump. Alternatively you do this in real time with "tcpdump -n -vvv -e -s0 -i <wireless interface>". Failure to receive any ACKs from the AP means it cannot hear you. Thus you are physically too far away.
  确认您可以和一个特定的AP进行通信的另一个方法是确认您是否在发送每个数据包后都都收到了ACK包。在无线通信中，接收方每接收一个数据包都必须发送一个ACK包让发送方确认。这是无线通信协议中的一项强制规定。当您在一个无线频道上嗅探且没有附加过滤条件时，您应该可以看到ACK包。您可以去找一个以前用wireshark 或 tcpdump嗅探得到的pcap文件来检查里面是否有ACK包。另外您如果要实时地查看，使用：

  tcpdump -n -vvv -e -s0 -i <wireless interface（开启监听模式的无线网卡）>

  接收来自AP的ACK包失败意味着AP无法收到您的消息，也就表明您和AP的物理距离太远了。
• The wireless card is in monitor mode. Use “iwconfig” to confirm this.
  确认您的无线网卡已处于监听模式。使用"iwconfig"命令来确认此项。
• The card is configured on the same channel as the access point. Use “iwconfig” to confirm this.
  确认您的无线网卡和您要攻击的AP工作在同一频道上。使用"iwconfig"命令来确认此项。
• Make sure you are using a real MAC address. See discussion in setting MAC address).
  确认您正在使用的是一个真实的MAC地址。更多详情请查看在setting MAC address这篇文章里进行的讨论。
• Some access points are programmed to only accept connections from specific MAC addresses. In this case you will need to obtain a valid MAC address by observation usingairodump-ng and use that particular MAC address. Do not do a fake authentication for a specific MAC address if the client is active on the AP. MAC access control lists do not apply todeauthentication. See the MAC access control troubleshooting tip here.
  有些AP被设定为只接受来自指定MAC地址的连接。在这种情况下，您需要通过观察airodump-ng运行时的输出，从中获取一个有效的MAC地址，并且使用这个特定的有效MAC地址。当持有有效MAC地址的客户端与AP之间的连接出于活跃状态时，您就不能使用这个特定的有效MAC地址发起伪造认证攻击。MAC地址访问控制列表对deauthentication攻击并没有影响。点击这里查看关于MAC地址访问控制的故障诊断说明。
• The BSSID and ESSID (-a / -e options) are correct.
  确认使用了正确的BSSID 和 ESSID【分别由-a、-e参数指定】。
• If Prism2, make sure the firmware was updated.
  如果使用的是Prism2芯片组，确认已经升级了固件。
• Ensure your are running the current stable version. Some options are not available in older versions of the program. Also, the current stable version contains many bug fixes.
  确认您正在使用的是当前最新的稳定版本。有些命令选项并不被老版本的程序支持。此外，当前最新的稳定版本修复了很多已知的BUG。
• It does not hurt to check the Trac System to see if your “problem” is actually a known bug in the current stable version. Many times the currentdevelopment version has fixes to bugs within the current stable version.
  去Trac系统（一个基于Web的BUG管理系统）上查阅一下，您所遇到的"问题"是不是当前最新稳定版的一个已知BUG，这对您来说并没有什么坏处。很多时候，当前最新的开发版已经修复了当前最新稳定版的一些BUG。