WEP IVs Not Random?

Today (June 26, 2012) at the Casey W. O'Brien's MPICT Cryptography class, Doug Spindler and I set up a WEP network using a Linksys WRT54G access point and a MacBook Air as the client.

I sniffed traffic in Monitor mode and examined the packets to see the Initialization Vector.

Here are three packets:

The IVs are not random! They are just counting up.

To see the IVs, I sorted by Source, and look only at Data frames.

Here are some IVs I observed for frames sent from Cisco to Apple, labelled with Packet Number and IV:

2 6f4700 4 704700 19 714700 20 724700 53 734700 55 744700 71 754700 107 764700

Here are some IVs I observed for frames sent from Apple to Cisco, labelled with Packet Number and IV:

5 e4046f 21 e5046f 27 e6046f 29 e7046f

The pcap file is here.

I now see that some cards do start at a random value of the IV and count up: WEP Vulnerabilities .