Skip to content


Aireplay-ng is used to inject frames.

The primary function is to generate traffic for the later use in aircrack-ng for cracking the WEP and WPA-PSK keys. There are different attacks which can cause deauthentications for the purpose of capturing WPA handshake data, fake authentications, Interactive packet replay, hand-crafted ARP request injection and ARP-request reinjection. With the packetforge-ng tool it’s possible to create arbitrary frames.


Airplay-ng <options> <replay interface>


Syntax ParametersDescription
-bbssidMAC address, Access Point 
-ddmacMAC address, Destination 
-ssmacMAC address, Source 
-mlenminimum packet length 
-nlenmaximum packet length 
-utypeframe control, type field 
-vsubtframe control, subtype field 
-ttodsframe control, To DS bit 
-ffromdsframe control, From DS bit 
-wiswepframe control, WEP bit 

Replay Options

Syntax ParametersDescription
-xnbppsnumber of packets per second 
-pfctrlset frame control word (hex) 
-abssidset Access Point MAC address 
-cdmacset Destination MAC address 
-hsmacset Source MAC address 
-eessidFor fakeauth attack or injection test, it sets target AP SSID. This is optional when the SSID is not hidden. 
-jnonearpreplay attack, inject FromDS pkts 
-gvaluechange ring buffer size (default: 8) 
-kIPset destination IP in fragments 
-lIPset source IP in fragments 
-onpcktsnumber of packets per burst (-1) 
-qsecseconds between keep-alives (-1) 
-yprgakeystream for shared key auth 
-B or – bittest nonebit rate test (Applies only to test mode) 
-Dnonedisables AP detection. Some modes will not proceed if the AP beacon is not heard. This disables this functionality. 
-F or – fast nonechooses first matching packet. For test mode, it just checks basic injection and skips all other tests.  
-Rnonedisables /dev/rtc usage. Some systems experience lockups or other problems with RTC. This disables the usage.