Once WEPKR has been installed, you can launch it by clicking Tools => WEP Key Recovery in the CommView for WiFi menu, as shown below:
Note that this menu item becomes available only after you've installed WEPKR. When WEPKR is launched, CommView for WiFi establishes a TCP/IP connection with WEPKR so CommView for WiFi can send captured packets to WEPKR for analysis.
The WEP key recovery process starts with collecting the necessary number of data packets. The number of packets required for key recovery depends on the key length and is discussed in detail in the next chapter. To collect the packets, you should capture them using CommView for WiFi, as you normally do. When WEPKR collects a minimum number of packets (10,000 by default) to initiate a new key recovery session, it will display a new line in the main window, as shown below.
The Start Time column indicates the time at which a new session was started. The MAC Addresses column lists the hardware addresses of the access points and stations involved in the session. The Unique IVs column displays the number of usable packets with unique Initialization Vectors (IVs) collected during the given session. Please bear in mind that not all captured packets are useable for key recovery; only Data packets are usable, Management and Control packets are not. Additionally, to be usable, the Data packets must have the correct CRC value (i.e. must not be broken), must not have the Retry flag set, and of course, must be WEP-encrypted. Therefore, the number shown in this column will be lower than the number of captured packets as reported by CommView for WiFi. The Attempts column shows the number of attempts made to recover the key so far. This value remains zero until the necessary number of packets has been collected by WEPKR. The Status column displays the current application status.
Please note that the collected packets are buffered to a temporary file in a subfolder located in the WEPKR folder. Since you may need over a million packets, make sure that you have sufficient disk space. A million packets occupy about 500 Mbytes.
The key recovery process starts when WEPKR has received the minimum necessary number of usable packets from CommView for WiFi. The packet collection process may take significant time. The time taken is fully dependent on the utilization of the WLAN being monitored. You can, however, artificially increase the WLAN utilization by using the method described in the Traffic Generation chapter.
After the packets have been collected, the time needed for key recovery varies depending on the number of collected packets (the more packets have been collected the faster the key will be recovered), expected key length, CPU speed, and current CPU utilization. (You may want to stop capturing in CommView for WiFi to decrease CPU utilization.)
The key recovery process on an Intel Core 2 Duo 3.16 GHz computer may take anywhere from a fraction of a second for a 64-bit key to one hour for a 128-bit key to several hours for 152- and 256-bit keys. This largely depends on the particular packets and cannot be predicted. On the average, a 64-bit key is recovered within a few seconds, and a 128-bit key is recovered within a few minutes.
The Action menu can be used for manually controlling the key recovery process. For example, you may want to start key recovery before the minimum number of packets has been collected, or you may want to stop key recovery and collect more packets for increasing the success probability.
When the WEP key is recovered, the corresponding message will be displayed. Depending on the application configuration (see the Configuration chapter), WEPKR may decrypt and then "inject" the decrypted packets back to CommView for WiFi. The obtained WEP key can be seen by clicking Tools => WEP Keys in the application menu. In evaluation mode, some bytes of the key are replaced by XX. The licensed version displays all the key bytes.
The recovered key can be entered into CommView for WiFi by clicking Settings => WEP/WPA Keys in the main menu, after which WEPKR can be closed. Alternatively, you can leave WEPKR running and let it perform the decryption itself. (See the Configuration chapter for information on how to make WEPKR send packets back to CommView for WiFi.)
WEPKR memorizes recovered keys between launches and tries them first, before attempting to recover them.