diff -Nurb madwifi-ng-r1475/ath/if_ath.c patched_madwifi-ng-r1475/ath/if_ath.c
--- madwifi-ng-r1475/ath/if_ath.c	2006-03-19 23:32:54.000000000 +0100
+++ patched_madwifi-ng-r1475/ath/if_ath.c	2006-03-19 23:23:08.000000000 +0100
@@ -2171,6 +2171,7 @@
 	struct ath_softc *sc = dev->priv;
 	struct ath_hal *ah = sc->sc_ah;
 	struct ieee80211_phy_params *ph = (struct ieee80211_phy_params *) (skb->cb + sizeof(struct ieee80211_cb));
+	struct ieee80211com *ic = &sc->sc_ic;
 	const HAL_RATE_TABLE *rt;
 	int pktlen;
 	int hdrlen;
@@ -2185,9 +2186,13 @@
 	struct ieee80211_frame *wh; 
 	
 	wh = (struct ieee80211_frame *) skb->data;
-	try0 = ATH_TXMAXTRY;
+	try0 = (ic->ic_opmode == IEEE80211_M_MONITOR) ? 1 : ATH_TXMAXTRY; 
+	/*
+	 * The retry value has to be patched to 1 when injecting,
+	 * otherwise the card waits for acknowledges...
+	*/
 	rt = sc->sc_currates;
-	txrate = dot11_to_ratecode(sc, rt, ph->rate0);
+	txrate = dot11_to_ratecode(sc, rt, (ic->ic_opmode == IEEE80211_M_MONITOR) ? (ic->inject_rate / 500) : ph->rate0);
 	power = ph->power > 60 ? 60 : ph->power;
 	hdrlen = ieee80211_anyhdrsize(wh);
 	pktlen = skb->len + IEEE80211_CRC_LEN;
diff -Nurb madwifi-ng-r1475/net80211/ieee80211_var.h patched_madwifi-ng-r1475/net80211/ieee80211_var.h
--- madwifi-ng-r1475/net80211/ieee80211_var.h	2006-03-19 23:32:40.000000000 +0100
+++ patched_madwifi-ng-r1475/net80211/ieee80211_var.h	2006-03-19 23:24:48.000000000 +0100
@@ -138,6 +138,7 @@
 	u_int16_t ic_txpowlimit; 		/* global tx power limit */
 	u_int16_t ic_uapsdmaxtriggers; 		/* max triggers that could arrive */
 	u_int8_t ic_coverageclass; 		/* coverage class */
+	int inject_rate;  /* injection rate in Monitor mode */
 
 	/*
 	 * Channel state:
diff -Nurb madwifi-ng-r1475/net80211/ieee80211_wireless.c patched_madwifi-ng-r1475/net80211/ieee80211_wireless.c
--- madwifi-ng-r1475/net80211/ieee80211_wireless.c	2006-03-19 23:32:40.000000000 +0100
+++ patched_madwifi-ng-r1475/net80211/ieee80211_wireless.c	2006-03-19 23:30:28.000000000 +0100
@@ -346,6 +346,18 @@
 	struct ifmediareq imr;
 	int rate, retv;
 
+	if (ic->ic_opmode == IEEE80211_M_MONITOR) {
+		rate = rrq->value / 1000;
+		if (rate !=  1000 && rate !=  2000 && rate !=  5500 &&
+		    rate != 11000 && rate !=  6000 && rate !=  9000 &&
+		    rate != 12000 && rate != 18000 && rate != 24000 &&
+		    rate != 36000 && rate != 48000 && rate != 54000 )
+		    return -EINVAL;
+		printk(KERN_DEBUG "setting xmit rate to %d\n", rate);
+		ic->inject_rate = rate;
+		return 0;
+	}
+
 	if (vap->iv_media.ifm_cur == NULL)
 		return -EINVAL;
 	memset(&ifr, 0, sizeof(ifr));
@@ -379,9 +391,15 @@
 	struct iw_param *rrq, char *extra)
 {
 	struct ieee80211vap *vap = dev->priv;
+	struct ieee80211com *ic = vap->iv_ic;
 	struct ifmediareq imr;
 	int rate;
 
+	if (ic->ic_opmode == IEEE80211_M_MONITOR) {
+		rrq->value = ic->inject_rate * 1000;
+		return 0;
+	}
+
 	memset(&imr, 0, sizeof(imr));
 	vap->iv_media.ifm_status(vap->iv_dev, &imr);
 
@@ -1051,6 +1069,7 @@
 	__u32 *mode, char *extra)
 {
 	struct ieee80211vap *vap = dev->priv;
+	struct ieee80211com *ic = vap->iv_ic;
 	struct ifmediareq imr;
 	int valid = 0;
 	
@@ -1060,8 +1079,10 @@
 	if (imr.ifm_active & IFM_IEEE80211_HOSTAP)
 		valid = (*mode == IW_MODE_MASTER);
 #if WIRELESS_EXT >= 15
-	else if (imr.ifm_active & IFM_IEEE80211_MONITOR)
+	else if (imr.ifm_active & IFM_IEEE80211_MONITOR) {
 		valid = (*mode == IW_MODE_MONITOR);
+		ic->inject_rate = 5500; /* default = 5.5M CCK */
+	}
 #endif
 	else if (imr.ifm_active & IFM_IEEE80211_ADHOC)
 		valid = (*mode == IW_MODE_ADHOC);