mausezahn(1)

1MAUSEZAHN(1)                General Commands Manual               MAUSEZAHN(1)
2
3
4

NAME

6       mausezahn - a fast versatile packet generator
7

SYNOPSIS

9       mausezahn [options]<arg_string> | <hex_string>
10

DESCRIPTION

12       Mausezahn  is  a  free fast traffic generator written in C which allows
13       you to send nearly every possible and impossible packet.
14       Mausezahn can also be used for example as didactical  tool  in  network
15       labs  or  for security audits including penetration and DoS testing. As
16       traffic generator Mausezahn is for example used test  IP  multicast  or
17       VoIP  networks.   Speeds  close  to  the  Ethernet  limit are reachable
18       (depending on the HW platform).
19

USAGE

21       Mausezahn supports two modes, raw-layer-2 mode, where every single byte
22       to  be  sent  can  be  specified,  and  higher-layer mode, where packet
23       builder interfaces are used (using the -t option).
24       To use the raw-layer-2 mode, simply specify the desired frame as  hexa‐
25       decimal sequence (the hex_string), such as
26
27       mausezahn eth0 "00:ab:cd:ef:00 00:00:00:00:00:01 08:00 ca:fe:ba:be"
28
29       The  spaces within the byte string are optional and separate the Ether‐
30       net fields (destination and source address, type  field,  and  a  short
31       payload). The only additional options supported are -a, -b, -c, and -p.
32       The frame length MUST be greater or equal 15 bytes.
33       The higher-layer mode is enabled using  the  -t  <packet_type>  option.
34       This  option  activates a packet builder and besides the packet_type an
35       optional arg_string can be specified. The arg_string  contains  packet-
36       specific parameters, such as TCP flags, port numbers, etc.
37
38       Note  that Mausezahn requires root privileges. Please see the Mausezahn
39       User's Guide for more details or use Mausezahn's command line help.
40

OPTIONS

42       Mausezahn has a built-in context specific help. Simply append the  key‐
43       word help to the configuration options.
44       The most important options are:
45
46       -v     Verbose mode.
47
48       -q     Quiet mode (only warnings and errors are displayed).
49
50       -c <count>
51              Send the packet count times (default: 1, infinite: 0).
52
53       -d <delay>
54              Apply delay between transmissions. The delay value can be speci‐
55              fied in usec (default, no additional unit needed),  or  in  msec
56              (e. g. 100m or 100msec), or in seconds (e. g. 100s or 100sec).
57
58       -p <lenght>
59              Pad  the  raw frame to specified length (using zero bytes). Note
60              that for raw layer 2 frames the  specified  length  defines  the
61              whole frame length, while for higher layer packets the number of
62              additional padding bytes are specified.
63
64       -a <Src_MAC|keyword>
65              Use specified source mac  address  (use  hex  notation  such  as
66              00:00:aa:bb:cc:dd).   By  default the interface MAC address will
67              be used. The keywords rand and own refer to a random MAC address
68              (only  unicast  addresses  are  created)  and  the  own address,
69              respectively. You can also  use  the  keywords  mentioned  below
70              (although   broadcast-type   source   addresses  are  officially
71              invalid).
72
73       -b <Dst_MAC|keyword>
74              Use specified destination mac address.  By default  a  broadcast
75              is  sent  in  raw layer 2 mode or the destination hosts/gateways
76              interface MAC address in normal (IP) mode. You can use the  same
77              keywords as mentioned above as well as bc (or bcast), cisco, and
78              stp.  Please note that for the destination MAC address the  rand
79              keyword  is  supported  but  creates a random address only once,
80              even when you send multiple packets.
81
82       -A <Src_IP|range|rand>
83              Use specified source IP address (default is own  interface  IP).
84              Optionally  the  keyword  rand  can  again  be used for a random
85              source  IP  address  or  a  range  can  be  specified,  such  as
86              192.168.1.1-192.168.1.100 or 10.1.0.0/16. Also a DNS name can be
87              specified for which Mausezahn tries to determine the correspond‐
88              ing IP address automatically.
89
90       -B <Dst_IP|range>
91              Use specified destination IP address (default is broadcast i. e.
92              255.255.255.255). As with the source address (see above) you can
93              also specify a range or a DNS name.
94
95       -t <packet_type>
96              Create  the  specified  packet  type  using  the built-in packet
97              builder. Currently supported packet types are:  arp,  bpdu,  ip,
98              udp,  tcp,  rtp, and dns. There is currently also a limited sup‐
99              port for ICMP. Enter -t help to  verify  which  packet  builders
100              your actual Mausezahn version supports. Also, for any particular
101              packet type, for example tcp enter  mausezahn  -t  tcp  help  to
102              receive a context specific help.
103
104       -T <packet_type>
105              Make  this  Mausezahn  instance the receiving station. Currently
106              (version 0.30) only rtp is an option here and  provides  precise
107              jitter  measurements.  For  this purpose start another Mausezahn
108              instance on the sending station and the local receiving  station
109              will  output  jitter statistics. See mausezahn -T rtp help for a
110              detailed help.
111
112       -Q <[CoS:]vlan> [, <[CoS:]vlan>, ...]
113              Specify 802.1Q VLAN tag and optional Class of Service. An  arbi‐
114              trary number of VLAN tags can be specified (that is you can sim‐
115              ulate QinQ or even QinQinQinQ...). Multiple tags must  be  sepa‐
116              rated via a comma or a period (e. g.  "5:10,20,2:30"). VLAN tags
117              are not supported for ARP and BPDU packets (in  which  case  you
118              could  specify  the  whole  frame  in  hex using the raw layer 2
119              interface of Mausezahn).
120
121       -M <label[:cos[:ttl]][bos]> [, <label...>]
122              Specify a MPLS label or even a MPLS label stack. Optionally  for
123              each  label the experimental bits (usually the Class of Service,
124              CoS) and the Time To Live (TTL) can be specified. And if you are
125              really  crazy you can set/unset the Bottom of Stack (BoS) bit at
126              each label using the S (set) and s (unset)  option.  By  default
127              the  BoS  is  set automatically and correctly. Any other setting
128              will lead to invalid frames. Enter -M help for detailed instruc‐
129              tions and examples.
130
131       -P <ASCII_payload>
132              Specify a cleartext payload. Alternatively each packet type sup‐
133              ports a hexadecimal specification of the payload (see for  exam‐
134              ple -t udp help).
135

COMBINATION OF RANGES

137       When  multiple  ranges are specified, e. g. destination port ranges AND
138       destination address ranges, then all possible combinations of ports and
139       addresses  are used for packet generation. This can lead to a very huge
140       number of frames.
141

DISCLAIMER AND WARNING

143       Mausezahn has been designed as fast traffic generator  so  you  quickly
144       can  overwhelm  a  LAN  segment  with  myriads  of packets. And because
145       Mausezahn should also support security audits it is easily possible  to
146       create  malicious packets, SYN floods, specify port and address ranges,
147       DNS and ARP poisoning, etc.
148       Therefore, don't use this tool when you are not aware of possible  con‐
149       sequences  or have only little knowledge about networks and data commu‐
150       nication.  If you abuse Mausezahn for unallowed attacks and get caught,
151       or damage something of your own, then this is completely your fault.
152

EXAMPLES

154       Send BPDU frames for VLAN 5 as used with Cisco's PVST+ type of STP. Per
155       default Mausezahn assumes that you want to become the root bridge:
156
157       # mausezahn eth0 -c 0 -d 2s -t bpdu vlan=5
158
159       Perform a CAM table overflow attack:
160
161       # mausezahn eth0 -c 128000 -a rand -p 64
162
163       Perform a SYN flood attack to another VLAN using a VLAN hopping attack.
164       This  only works if you are connected to the same VLAN which is config‐
165       ured as native VLAN on the trunk.  We assume that the  victim  VLAN  is
166       VLAN  100 and the native VLAN is VLAN 5. Also lets attack every host in
167       VLAN 100 which use a IP prefix of 10.100.100.0/24:
168
169       # mausezahn eth0 -c 0 -Q 5,100 -t tcp flags=syn -p 20
170
171       Send IP multicast packets to the multicast group 230.1.1.1 using a  UDP
172       header with destination port 32000. Send one frame every 10 msec:
173
174       # mausezahn eth0 -c 0 -d 10msec -B 230.1.1.1 -t udp dp=32000 -P "Multi‐
175       cast test packet"
176
177       Send UDP packets to the destination  host  target.anynetwork.foo  using
178       all possible destionation ports and send every packet with all possible
179       source addresses of the range 172.30.0.0/16; pad with  1000  bytes  and
180       repeat this 10 times:
181
182       # mausezahn eth0 -c 10 -A 172.30.0.0/16 -B target.anynetwork.foo -t udp
183       dp=1-65535 -p 1000
184

AUTHOR

186       Herbert Haas
187       Visit www.perihel.at/sec/mz/ for Mausezahn news and additional informa‐
188       tion.
189
190       This  manual  page  has  been  written  by  Vivek  Shah  <boni.vivek at
191       gmail.com> for the Fedora project.
192
193
194
195                                 July 18, 2009                    MAUSEZAHN(1)