I sniffed traffic in Monitor mode and examined the packets to see the Initialization Vector.
Here are three packets:
The IVs are not random! They are just counting up.
To see the IVs, I sorted by Source and looked only at Data frames.
Here are some IVs I observed for frames sent from Cisco to Apple, labelled with Packet Number and IV:
2 6f4700
4 704700
19 714700
20 724700
53 734700
55 744700
71 754700
107 764700
Here are some IVs I observed for frames sent from Apple to Cisco, labelled with Packet Number and IV:
5 e4046f
21 e5046f
27 e6046f
29 e7046f
The pcap file is here.
I now see that some cards do start at a random value of the IV and count up: WEP Vulnerabilities.
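The check described above can be automated. The following is an added example, not part of the original post: it takes the (packet number, IV) pairs listed on this page and tests whether each sender's IVs behave like a counter. It assumes the hex strings are the three IV bytes in the order the sniffer displays them; the names `classify`, `iv_steps` and `max_gap` are hypothetical.

```python
# Constructed from the (packet number, IV) pairs listed on this page.
CISCO_TO_APPLE = [(2, "6f4700"), (4, "704700"), (19, "714700"), (20, "724700"),
                  (53, "734700"), (55, "744700"), (71, "754700"), (107, "764700")]
APPLE_TO_CISCO = [(5, "e4046f"), (21, "e5046f"), (27, "e6046f"), (29, "e7046f")]

IV_SPACE = 1 << 24  # a WEP IV is 24 bits


def iv_steps(observations, byteorder):
    """Return the IVs as integers and the step between consecutive ones (mod 2^24)."""
    ordered = sorted(observations)  # capture order, by packet number
    values = [int.from_bytes(bytes.fromhex(iv), byteorder) for _, iv in ordered]
    return values, [(b - a) % IV_SPACE for a, b in zip(values, values[1:])]


def classify(observations, max_gap=16):
    """Decide whether one sender's IVs look like a counter.

    max_gap is an assumption of this example: it tolerates frames the
    sniffer missed, so steps of 1..max_gap still count as "counting up".
    """
    for byteorder in ("little", "big"):
        values, steps = iv_steps(observations, byteorder)
        if steps and all(1 <= s <= max_gap for s in steps):
            return {
                "counter": True,
                "byteorder": byteorder,
                "first": values[0],
                "steps": steps,
                # increments left before the 24-bit counter wraps to 0
                "increments_until_wrap": IV_SPACE - values[-1],
            }
    return {"counter": False}


if __name__ == "__main__":
    for name, obs in (("Cisco -> Apple", CISCO_TO_APPLE),
                      ("Apple -> Cisco", APPLE_TO_CISCO)):
        print(name, classify(obs))
```

Both senders come out as counters when the first displayed byte is treated as the least significant one; a sender whose IVs were random would fail the step check in both byte orders.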