1MAUSEZAHN(1) General Commands Manual MAUSEZAHN(1)
2
3
4
6 mausezahn - a fast versatile packet generator
7
9 mausezahn [options]<arg_string> | <hex_string>
10
12 Mausezahn is a free fast traffic generator written in C which allows
13 you to send nearly every possible and impossible packet.
14 Mausezahn can also be used for example as didactical tool in network
15 labs or for security audits including penetration and DoS testing. As
16 traffic generator Mausezahn is for example used test IP multicast or
17 VoIP networks. Speeds close to the Ethernet limit are reachable
18 (depending on the HW platform).
19
21 Mausezahn supports two modes, raw-layer-2 mode, where every single byte
22 to be sent can be specified, and higher-layer mode, where packet
23 builder interfaces are used (using the -t option).
24 To use the raw-layer-2 mode, simply specify the desired frame as hexa‐
25 decimal sequence (the hex_string), such as
26
27 mausezahn eth0 "00:ab:cd:ef:00 00:00:00:00:00:01 08:00 ca:fe:ba:be"
28
29 The spaces within the byte string are optional and separate the Ether‐
30 net fields (destination and source address, type field, and a short
31 payload). The only additional options supported are -a, -b, -c, and -p.
32 The frame length MUST be greater or equal 15 bytes.
33 The higher-layer mode is enabled using the -t <packet_type> option.
34 This option activates a packet builder and besides the packet_type an
35 optional arg_string can be specified. The arg_string contains packet-
36 specific parameters, such as TCP flags, port numbers, etc.
37
38 Note that Mausezahn requires root privileges. Please see the Mausezahn
39 User's Guide for more details or use Mausezahn's command line help.
40
42 Mausezahn has a built-in context specific help. Simply append the key‐
43 word help to the configuration options.
44 The most important options are:
45
46 -v Verbose mode.
47
48 -q Quiet mode (only warnings and errors are displayed).
49
50 -c <count>
51 Send the packet count times (default: 1, infinite: 0).
52
53 -d <delay>
54 Apply delay between transmissions. The delay value can be speci‐
55 fied in usec (default, no additional unit needed), or in msec
56 (e. g. 100m or 100msec), or in seconds (e. g. 100s or 100sec).
57
58 -p <lenght>
59 Pad the raw frame to specified length (using zero bytes). Note
60 that for raw layer 2 frames the specified length defines the
61 whole frame length, while for higher layer packets the number of
62 additional padding bytes are specified.
63
64 -a <Src_MAC|keyword>
65 Use specified source mac address (use hex notation such as
66 00:00:aa:bb:cc:dd). By default the interface MAC address will
67 be used. The keywords rand and own refer to a random MAC address
68 (only unicast addresses are created) and the own address,
69 respectively. You can also use the keywords mentioned below
70 (although broadcast-type source addresses are officially
71 invalid).
72
73 -b <Dst_MAC|keyword>
74 Use specified destination mac address. By default a broadcast
75 is sent in raw layer 2 mode or the destination hosts/gateways
76 interface MAC address in normal (IP) mode. You can use the same
77 keywords as mentioned above as well as bc (or bcast), cisco, and
78 stp. Please note that for the destination MAC address the rand
79 keyword is supported but creates a random address only once,
80 even when you send multiple packets.
81
82 -A <Src_IP|range|rand>
83 Use specified source IP address (default is own interface IP).
84 Optionally the keyword rand can again be used for a random
85 source IP address or a range can be specified, such as
86 192.168.1.1-192.168.1.100 or 10.1.0.0/16. Also a DNS name can be
87 specified for which Mausezahn tries to determine the correspond‐
88 ing IP address automatically.
89
90 -B <Dst_IP|range>
91 Use specified destination IP address (default is broadcast i. e.
92 255.255.255.255). As with the source address (see above) you can
93 also specify a range or a DNS name.
94
95 -t <packet_type>
96 Create the specified packet type using the built-in packet
97 builder. Currently supported packet types are: arp, bpdu, ip,
98 udp, tcp, rtp, and dns. There is currently also a limited sup‐
99 port for ICMP. Enter -t help to verify which packet builders
100 your actual Mausezahn version supports. Also, for any particular
101 packet type, for example tcp enter mausezahn -t tcp help to
102 receive a context specific help.
103
104 -T <packet_type>
105 Make this Mausezahn instance the receiving station. Currently
106 (version 0.30) only rtp is an option here and provides precise
107 jitter measurements. For this purpose start another Mausezahn
108 instance on the sending station and the local receiving station
109 will output jitter statistics. See mausezahn -T rtp help for a
110 detailed help.
111
112 -Q <[CoS:]vlan> [, <[CoS:]vlan>, ...]
113 Specify 802.1Q VLAN tag and optional Class of Service. An arbi‐
114 trary number of VLAN tags can be specified (that is you can sim‐
115 ulate QinQ or even QinQinQinQ...). Multiple tags must be sepa‐
116 rated via a comma or a period (e. g. "5:10,20,2:30"). VLAN tags
117 are not supported for ARP and BPDU packets (in which case you
118 could specify the whole frame in hex using the raw layer 2
119 interface of Mausezahn).
120
121 -M <label[:cos[:ttl]][bos]> [, <label...>]
122 Specify a MPLS label or even a MPLS label stack. Optionally for
123 each label the experimental bits (usually the Class of Service,
124 CoS) and the Time To Live (TTL) can be specified. And if you are
125 really crazy you can set/unset the Bottom of Stack (BoS) bit at
126 each label using the S (set) and s (unset) option. By default
127 the BoS is set automatically and correctly. Any other setting
128 will lead to invalid frames. Enter -M help for detailed instruc‐
129 tions and examples.
130
131 -P <ASCII_payload>
132 Specify a cleartext payload. Alternatively each packet type sup‐
133 ports a hexadecimal specification of the payload (see for exam‐
134 ple -t udp help).
135
137 When multiple ranges are specified, e. g. destination port ranges AND
138 destination address ranges, then all possible combinations of ports and
139 addresses are used for packet generation. This can lead to a very huge
140 number of frames.
141
143 Mausezahn has been designed as fast traffic generator so you quickly
144 can overwhelm a LAN segment with myriads of packets. And because
145 Mausezahn should also support security audits it is easily possible to
146 create malicious packets, SYN floods, specify port and address ranges,
147 DNS and ARP poisoning, etc.
148 Therefore, don't use this tool when you are not aware of possible con‐
149 sequences or have only little knowledge about networks and data commu‐
150 nication. If you abuse Mausezahn for unallowed attacks and get caught,
151 or damage something of your own, then this is completely your fault.
152
154 Send BPDU frames for VLAN 5 as used with Cisco's PVST+ type of STP. Per
155 default Mausezahn assumes that you want to become the root bridge:
156
157 # mausezahn eth0 -c 0 -d 2s -t bpdu vlan=5
158
159 Perform a CAM table overflow attack:
160
161 # mausezahn eth0 -c 128000 -a rand -p 64
162
163 Perform a SYN flood attack to another VLAN using a VLAN hopping attack.
164 This only works if you are connected to the same VLAN which is config‐
165 ured as native VLAN on the trunk. We assume that the victim VLAN is
166 VLAN 100 and the native VLAN is VLAN 5. Also lets attack every host in
167 VLAN 100 which use a IP prefix of 10.100.100.0/24:
168
169 # mausezahn eth0 -c 0 -Q 5,100 -t tcp flags=syn -p 20
170
171 Send IP multicast packets to the multicast group 230.1.1.1 using a UDP
172 header with destination port 32000. Send one frame every 10 msec:
173
174 # mausezahn eth0 -c 0 -d 10msec -B 230.1.1.1 -t udp dp=32000 -P "Multi‐
175 cast test packet"
176
177 Send UDP packets to the destination host target.anynetwork.foo using
178 all possible destionation ports and send every packet with all possible
179 source addresses of the range 172.30.0.0/16; pad with 1000 bytes and
180 repeat this 10 times:
181
182 # mausezahn eth0 -c 10 -A 172.30.0.0/16 -B target.anynetwork.foo -t udp
183 dp=1-65535 -p 1000
184
186 Herbert Haas
187 Visit www.perihel.at/sec/mz/ for Mausezahn news and additional informa‐
188 tion.
189
190 This manual page has been written by Vivek Shah <boni.vivek at
191 gmail.com> for the Fedora project.
192
193
194
195 July 18, 2009 MAUSEZAHN(1)