As I've understood Andrea Bittau's fragmentation attack, an attacker can obtain a keystream of arbitrary length if he can first obtain a very small keystream of about 8 bytes. I understand that this small keystream can be obtained by intercepting an arbitrary, encrypted packet sent between the AP and a client, and XORing it with the partially known plaintext of this arbitrary packet (common headers, etc.).
However, if the AP has no clients, how can that first, encrypted packet be elicited from the AP for interception? There are several guides out there with practical tutorials for how to do this, but I never see it explicitly mentioned how the AP is lured into sending the first, encrypted packet.
It would be great if someone could help me out on this. I've been stuck on this problem for far too long.
I use the word "packet" to describe several frames aggregated into one frame. I'm not talking about the transport layer. I don't know if this is something only my lecturer does.
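The known-plaintext step described in the question, as an added example that is not part of the original post: every WEP data frame body begins with the 8-byte LLC/SNAP header, so XORing the first 8 ciphertext bytes with that header yields the first 8 keystream bytes for that IV. The IV, key and ARP-sized payload below are constructed sample values, and the helper names are hypothetical.

```python
import zlib

# LLC/SNAP prefix is identical in every 802.11 data frame; only the
# 2-byte EtherType after it varies (0x0806 ARP, 0x0800 IPv4).
LLC_SNAP_PREFIX = bytes.fromhex("aaaa03000000")
ETHERTYPE_ARP = bytes.fromhex("0806")
ETHERTYPE_IPV4 = bytes.fromhex("0800")

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling followed by n bytes of output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, secret: bytes, payload: bytes) -> bytes:
    """WEP body: RC4(IV || key) XOR (payload || CRC-32 ICV, little-endian)."""
    plaintext = payload + zlib.crc32(payload).to_bytes(4, "little")
    return xor(plaintext, rc4_keystream(iv + secret, len(plaintext)))

def recover_keystream_prefix(ciphertext: bytes, ethertype: bytes) -> bytes:
    """XOR the first 8 ciphertext bytes with the guessed LLC/SNAP header."""
    known = LLC_SNAP_PREFIX + ethertype
    return xor(ciphertext[:len(known)], known)

# Constructed sample frame: 3-byte IV, 40-bit key, ARP-sized payload.
IV = bytes.fromhex("010203")
SECRET = bytes.fromhex("0b0b0b0b0b")
PAYLOAD = LLC_SNAP_PREFIX + ETHERTYPE_ARP + bytes(28)
CIPHERTEXT = wep_encrypt(IV, SECRET, PAYLOAD)
RECOVERED = recover_keystream_prefix(CIPHERTEXT, ETHERTYPE_ARP)

if __name__ == "__main__":
    print("recovered:", RECOVERED.hex())
    print("matches RC4 output:", RECOVERED == rc4_keystream(IV + SECRET, 8))
```

The recovered bytes are valid only for the IV carried in that frame, and a wrong EtherType guess still leaves the first 6 bytes correct because the LLC/SNAP prefix never changes.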