1MAUSEZAHN(8) netsniff-ng toolkit MAUSEZAHN(8)
2
6 mausezahn - a fast versatile packet generator with Cisco-cli
7
9 mausezahn { [options] "<arg-string> | <hex-string>" }
10
12 mausezahn is a fast traffic generator which allows you to send nearly
13 every possible and impossible packet. In contrast to trafgen(8),
14 mausezahn's packet configuration is on a protocol-level instead of
15 byte-level and mausezahn also comes with a built-in Cisco-like command-
16 line interface, making it suitable as a network traffic generator box
17 in your network lab.
18 Next to network labs, it can also be used as a didactical tool and for
20 security audits including penetration and DoS testing. As a traffic
21 generator, mausezahn is also able to test IP multicast or VoIP net‐
22 works. Packet rates close to the physical limit are reachable, depend‐
23 ing on the hardware platform.
24 mausezahn supports two modes, ''direct mode'' and a multi-threaded
26 ''interactive mode''.
27 The ''direct mode'' allows you to create a packet directly on the com‐
29 mand line and every packet parameter is specified in the argument list
30 when calling mausezahn.
31 The ''interactive mode'' is an advanced multi-threaded configuration
33 mode with its own command line interface (CLI). This mode allows you to
34 create an arbitrary number of packet types and streams in parallel,
35 each with different parameters.
36 The interactive mode utilizes a completely redesigned and more flexible
38 protocol framework called ''mops'' (mausezahn's own packet system). The
39 look and feel of the CLI is very close to the Cisco IOS^tm command line
40 interface.
41 You can start the interactive mode by executing mausezahn with the
43 ''-x'' argument (an optional port number may follow, otherwise it is
44 25542). Then use telnet(1) to connect to this mausezahn instance. If
45 not otherwise specified, the default login and password combination is
46 mz:mz and the enable password is: mops. This can be changed in
47 /etc/netsniff-ng/mausezahn.conf.
48 The direct mode supports two specification schemes: The ''raw-layer-2''
50 scheme, where every single byte to be sent can be specified, and
51 ''higher-layer'' scheme, where packet builder interfaces are used
52 (using the ''-t'' option).
53 To use the ''raw-layer-2'' scheme, simply specify the desired frame as
55 a hexadecimal sequence (the ''hex-string''), such as:
56 mausezahn eth0 "00:ab:cd:ef:00 00:00:00:00:00:01 08:00 ca:fe:ba:be"
58 In this example, whitespaces within the byte string are optional and
60 separate the Ethernet fields (destination and source address, type
61 field, and a short payload). The only additional options supported are
62 ''-a'', ''-b'', ''-c'', and ''-p''. The frame length must be greater
63 than or equal to 15 bytes.
64 The ''higher-layer'' scheme is enabled using the ''-t <packet-type>''
66 option. This option activates a packet builder, and besides the
67 ''packet-type'', an optional ''arg-string'' can be specified. The
68 ''arg-string'' contains packet- specific parameters, such as TCP flags,
69 port numbers, etc. (see example section).
70
72 mausezahn provides a built-in context-specific help. Append the keyword
73 ''help'' after the configuration options. The most important options
74 are:
75 -x [<port>]
77 Start mausezahn in interactive mode with a Cisco-like CLI. Use telnet
78 to log into the local mausezahn instance. If no port has been speci‐
79 fied, port 25542 is used by default.
80 -6
82 Specify IPv6 mode (IPv4 is the default).
83 -l <IP>
85 Specify the IP address mausezahn should bind to when in interactive
86 mode, default: 0.0.0.0.
87 -v
89 Verbose mode. Capital -V is even more verbose.
90 -S
92 Simulation mode, i.e. don't put anything on the wire. This is typically
93 combined with the verbose mode.
94 -q
96 Quiet mode where only warnings and errors are displayed.
97 -c <count>
99 Send the packet count times (default: 1, infinite: 0).
100 -d <delay>
102 Apply delay between transmissions. The delay value can be specified in
103 usec (default, no additional unit needed), or in msec (e.g. 100m or
104 100msec), or in seconds (e.g. 100s or 100sec). Note: mops also supports
105 nanosecond delay resolution if you need it (see interactive mode).
106 -p <length>
108 Pad the raw frame to specified length using zero bytes. Note that for
109 raw layer 2 frames the specified length defines the whole frame length,
110 while for higher layer packets the number of additional padding bytes
111 are specified.
112 -a <src-mac|keyword>
114 Use specified source MAC address with hexadecimal notation such as
115 00:00:aa:bb:cc:dd. By default the interface MAC address will be used.
116 The keywords ''rand'' and
117 ''own'' refer to a random MAC address (only unicast addresses are cre‐
118 ated) and the own address, respectively. You can also use the keywords
119 mentioned below although broadcast-type source addresses are officially
120 invalid.
121 -b <dst-mac|keyword>
123 Use specified destination MAC address. By default, a broadcast is sent
124 in raw layer 2 mode or to the destination hosts or gateway interface
125 MAC address in normal (IP) mode. You can use the same keywords as men‐
126 tioned above, as well as
127 ''bc'' or ''bcast'', ''cisco'', and ''stp''. Please note that for the
128 destination MAC address the ''rand'' keyword is supported but creates a
129 random address only once, even when you send multiple packets.
130 -A <src-ip|range|rand>
132 Use specified source IP address, default is own interface address.
133 Optionally, the keyword ''rand'' can again be used for a random source
134 IP address or a range can be specified, such as
135 ''192.168.1.1-192.168.1.100'' or ''10.1.0.0/16''. Also, a DNS name can
136 be specified for which mausezahn tries to determine the corresponding
137 IP address automatically.
138 -B <dst-ip|range>
140 Use specified destination IP address (default is broadcast i.e.
141 255.255.255.255). As with the source address (see above) you can also
142 specify a range or a DNS name.
143 -t <packet-type [help] | help>
145 Create the specified packet type using the built-in packet builder.
146 Currently, supported packet types are: ''arp'', ''bpdu'', ''ip'',
147 ''udp'', ''tcp'', ''rtp'', and ''dns''. Currently, there is also lim‐
148 ited support for ''icmp''. Type
149 ''-t help'' to verify which packet builders your actual mausezahn ver‐
150 sion supports. Also, for any particular packet type, for example
151 ''tcp'' type
152 ''mausezahn -t tcp help'' to receive a more in-depth context specific
153 help.
154 -T <packet-type>
156 Make this mausezahn instance the receiving station. Currently, only
157 ''rtp'' is an option here and provides precise jitter measurements. For
158 this purpose, start another mausezahn instance on the sending station
159 and the local receiving station will output jitter statistics. See
160 ''mausezahn -T rtp help'' for a detailed help.
161 -Q <[CoS:]vlan> [, <[CoS:]vlan>, ...]
163 Specify 802.1Q VLAN tag and optional Class of Service. An arbitrary
164 number of VLAN tags can be specified (that is, you can simulate QinQ or
165 even QinQinQinQ..). Multiple tags must be separated via a comma or a
166 period (e.g. "5:10,20,2:30"). VLAN tags are not supported for ARP and
167 BPDU packets (in which case you could specify the whole frame in hexa‐
168 decimal using the raw layer 2 interface of mausezahn).
169 -M <label[:cos[:ttl]][bos]> [, <label...>]
171 Specify a MPLS label or even a MPLS label stack. Optionally, for each
172 label the experimental bits (usually the Class of Service, CoS) and the
173 Time To Live (TTL) can be specified. If you are really crazy you can
174 set and unset the Bottom of Stack (BoS) bit for each label using the
175 ''S'' (set) and ''s'' (unset) option. By default, the BoS is set auto‐
176 matically and correctly. Any other setting will lead to invalid frames.
177 Enter ''-M help'' for detailed instructions and examples.
178 -P <ascii-payload>
180 Specify a cleartext payload. Alternatively, each packet type supports a
181 hexadecimal specification of the payload (see for example ''-t udp
182 help'').
183 -f <filename>
185 Read the ASCII payload from the specified file.
186 -F <filename>
188 Read the hexadecimal payload from the specified file. Actually, this
189 file must be also an ASCII text file, but must contain hexadecimal dig‐
190 its, e.g. "aa:bb:cc:0f:e6...". You can use also spaces as separation
191 characters.
192
194 For more comprehensive examples, have a look at the two following HOWTO
195 sections.
196 mausezahn eth0 -c 0 -d 2s -t bpdu vlan=5
198 Send BPDU frames for VLAN 5 as used with Cisco's PVST+ type of STP. By
199 default mausezahn assumes that you want to become the root bridge.
200 mausezahn eth0 -c 128000 -a rand -p 64
202 Perform a CAM table overflow attack.
203 mausezahn eth0 -c 0 -Q 5,100 -t tcp flags=syn,dp=1-1023 -p 20 -A rand -B
205 10.100.100.0/24
206 Perform a SYN flood attack to another VLAN using VLAN hopping. This
207 only works if you are connected to the same VLAN which is configured as
208 native VLAN on the trunk. We assume that the victim VLAN is VLAN 100
209 and the native VLAN is VLAN 5. Lets attack every host in VLAN 100
210 which use an IP prefix of 10.100.100.0/24, also try out all ports
211 between 1 and 1023 and use a random source IP address.
212 mausezahn eth0 -c 0 -d 10msec -B 230.1.1.1 -t udp dp=32000,dscp=46 -P Mul‐
214 ticast test packet
215 Send IP multicast packets to the multicast group 230.1.1.1 using a UDP
216 header with destination port 32000 and set the IP DSCP field to EF
217 (46). Send one frame every 10 msec.
218 mausezahn eth0 -Q 6:420 -M 100,200,300:5 -A 172.30.0.0/16 -B target.anynet‐
220 work.foo -t udp sp=666,dp=1-65535 -p 1000 -c 10
221 Send UDP packets to the destination host target.anynetwork.foo using
222 all possible destination ports and send every packet with all possible
223 source addresses of the range 172.30.0.0/16; additionally use a source
224 port of 666 and three MPLS labels, 100, 200, and 300, the outer (300)
225 with QoS field 5. Send the frame with a VLAN tag 420 and CoS 6; even‐
226 tually pad with 1000 bytes and repeat the whole thing 10 times.
227 mausezahn -t syslog sev=3 -P Main reactor reached critical temperature. -A
229 192.168.33.42 -B 10.1.1.9 -c 6 -d 10s
230 Send six forged syslog messages with severity 3 to a Syslog server
231 10.1.1.9; use a forged source IP address 192.168.33.42 and let
232 mausezahn decide which local interface to use. Use an inter-packet
233 delay of 10 seconds.
234 mausezahn -t tcp flags=syn|urg|rst, sp=145, dp=145, win=0, s=0-4294967295,
236 ds=1500, urg=666 -a bcast -b bcast -A bcast -B 10.1.1.6 -p 5
237 Send an invalid TCP packet with only a 5 byte payload as layer-2 broad‐
238 cast and also use the broadcast MAC address as source address. The tar‐
239 get should be 10.1.1.6 but use a broadcast source address. The source
240 and destination port shall be 145 and the window size 0. Set the TCP
241 flags SYN, URG, and RST simultaneously and sweep through the whole TCP
242 sequence number space with an increment of 1500. Finally set the urgent
243 pointer to 666, i.e. pointing to nowhere.
244
246 When mausezahn is run in interactive mode it automatically looks for
247 and reads a configuration file located at /etc/netsniff-
248 ng/mausezahn.conf for custom options if the file is available, other‐
249 wise it uses defaults set at compile time.
250 Config file: /etc/netsniff-ng/mausezahn.conf
252 The configuration file contains lines of the form:
253 option = value
255 Options supported in the configuration file are:
257 Option: Description:
258 user Username for authentication (default: mz)
260 password Password for authentication (default: mz)
261 enable Password to enter privilege mode (default: mops)
262 port The listening port for the CLI (default: 25542)
263 listen-addr IP address to bind CLI to (default: 0.0.0.0)
264 management-only Set management interface (no data traffic is
265 allowed to pass through)
266 cli-device Interface to bind CLI to (default: all) *not fully
267 implemented*
268 automops Path to automops file (contains XML data describing
269 protocols) *in development*
270 Example:
273 $ cat /etc/netsniff-ng/mausezahn.conf
274 user = mzadmin
275 password = mzpasswd
276 enable = privilege-mode-passwd
277 port = 65000
278 listen-addr = 127.0.0.1
279
281 Telnet:
282 Using the interactive mode requires starting mausezahn as a server:
283 # mausezahn -x
285 Now you can telnet(1) to that server using the default port number
287 25542, but also an arbitrary port number can be specified:
288 # mausezahn -x 99
290 mausezahn accepts incoming telnet connections on port 99.
291 mz: Problems opening config file. Will use defaults
292 Either from another terminal or from another host try to telnet to the
294 mausezahn server:
295 caprica$ telnet galactica 99
297 Trying 192.168.0.4...
298 Connected to galactica.
299 Escape character is '^]'.
300 mausezahn <version>
301 Username: mz
303 Password: mz
304 mz> enable
306 Password: mops
307 mz#
308 It is recommended to configure your own login credentials in /etc/net‐
310 sniff-ng/mausezahn.conf, (see configuration file section)
311 Basics:
313 Since you reached the mausezahn prompt, lets try some common commands.
314 You can use the '?' character at any time for context-specific help.
315 Note that Cisco-like short form of commands are accepted in interactive
316 mode. For example, one can use "sh pac" instead of "show packet";
317 another common example is to use "config t" in place of "configure ter‐
318 minal". For readability, this manual will continue with the full com‐
319 mands.
320 First try out the show command:
322 mz# show ?
324 mausezahn maintains its own ARP table and observes anomalies. There is
326 an entry for every physical interface (however this host has only one):
327 mz# show arp
329 Intf Index IP address MAC address last Ch
330 UCast BCast Info
331 ----------------------------------------------------------------------------------
332 eth0 [1] D 192.168.0.1 00:09:5b:9a:15:84 23:44:41 1
333 1 0 0000
334 The column Ch tells us that the announced MAC address has only changed
336 one time (= when it was learned). The columns Ucast and BCast tell us
337 how often this entry was announced via unicast or broadcast respec‐
338 tively.
339 Let's check our interfaces:
341 mz# show interface
343 Available network interfaces:
344 real real used (fake)
345 used (fake)
346 device IPv4 address MAC address IPv4 address
347 MAC address
348 ---------------------------------------------------------------------------------------
349 > eth0 192.168.0.4 00:30:05:76:2e:8d 192.168.0.4
350 00:30:05:76:2e:8d
351 lo 127.0.0.1 00:00:00:00:00:00 127.0.0.1
352 00:00:00:00:00:00
353 2 interfaces found.
354 Default interface is eth0.
355 Defining packets:
357 Let's check the current packet list:
358 mz# show packet
360 Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS,
361 I/i=IP/delivery_off, U=UDP, T=TCP
362 PktID PktName Layers Proto Size State Device
363 Delay Count/CntX
364 1 sysARP_servic... E----- ARP 60 config lo
365 100 msec 1/0 (100%)
366 1 packets defined, 0 active.
367 We notice that there is already one system-defined packet process; it
369 has been created and used only once (during startup) by mausezahn's ARP
370 service. Currently, its state is config which means that the process
371 is sleeping.
372 General packet options:
374 Now let's create our own packet process and switch into the global con‐
375 figuration mode:
376 mz# configure terminal
378 mz(config)# packet
379 Allocated new packet PKT0002 at slot 2
380 mz(config-pkt-2)# ?
381 ...
382 name Assign a unique name
383 description Assign a packet description text
384 bind Select the network interface
385 count Configure the packet count value
386 delay Configure the inter-packet delay
387 interval Configure a greater interval
388 type Specify packet type
389 mac Configure packet's MAC addresses
390 tag Configure tags
391 payload Configure a payload
392 port Configure packet's port numbers
393 end End packet configuration mode
394 ethernet Configure frame's Ethernet, 802.2, 802.3, or
395 SNAP settings
396 ip Configure packet's IP settings
397 udp Configure packet's UDP header parameters
398 tcp Configure packet's TCP header parameters
399 Here are a lot of options but normally you only need a few of them.
401 When you configure lots of different packets you might assign a reason‐
402 able name and description for them:
403 mz(config-pkt-2)# name Test
405 mz(config-pkt-2)# description This is just a test
406 You can, for example, change the default settings for the source and
408 destination MAC or IP addresses using the mac and ip commands:
409 mz(config-pkt-2)# ip address destination 10.1.1.0 /24
411 mz(config-pkt-2)# ip address source random
412 In the example above, we configured a range of addresses (all hosts in
414 the network 10.1.1.0 should be addressed). Additionally we spoof our
415 source IP address. Of course, we can also add one or more VLAN and, or,
416 MPLS tag(s):
417 mz(config-pkt-2)# tag ?
419 dot1q Configure 802.1Q (and 802.1P) parameters
420 mpls Configure MPLS label stack
421 mz(config-pkt-2)# tag dot ?
422 Configure 802.1Q tags:
423 VLAN[:CoS] [VLAN[:CoS]] ... The leftmost tag is the outer tag in
424 the frame
425 remove <tag-nr> | all Remove one or more tags (<tag-nr>
426 starts with 1),
427 by default the first (=leftmost,outer)
428 tag is removed,
429 keyword 'all' can be used instead of
430 tag numbers.
431 cfi | nocfi [<tag-nr>] Set or unset the CFI-bit in any tag (by
432 default
433 assuming the first tag).
434 mz(config-pkt-2)# tag dot 1:7 200:5
435 Configure count and delay:
437 mz(config-pkt-2)# count 1000
438 mz(config-pkt-2)# delay ?
439 delay <value> [hour | min | sec | msec | usec | nsec]
440 Specify the inter-packet delay in hours, minutes, seconds, millisec‐
442 onds, microseconds or nanoseconds. The default unit is milliseconds
443 (i.e. when no unit is given).
444 mz(config-pkt-2)# delay 1 msec
446 Inter-packet delay set to 0 sec and 1000000 nsec
447 mz(config-pkt-2)#
448 Configuring protocol types:
450 mausezahn's interactive mode supports a growing list of protocols and
451 only relies on the MOPS architecture (and not on libnet as is the case
452 with the legacy direct mode):
453 mz(config-pkt-2)# type
455 Specify a packet type from the following list:
456 arp
457 bpdu
458 igmp
459 ip
460 lldp
461 tcp
462 udp
463 mz(config-pkt-2)# type tcp
464 mz(config-pkt-2-tcp)#
465 ....
466 seqnr Configure the TCP sequence number
467 acknr Configure the TCP acknowledgement number
468 hlen Configure the TCP header length
469 reserved Configure the TCP reserved field
470 flags Configure a combination of TCP flags at once
471 cwr Set or unset the TCP CWR flag
472 ece Set or unset the TCP ECE flag
473 urg Set or unset the TCP URG flag
474 ack set or unset the TCP ACK flag
475 psh set or unset the TCP PSH flag
476 rst set or unset the TCP RST flag
477 syn set or unset the TCP SYN flag
478 fin set or unset the TCP FIN flag
479 window Configure the TCP window size
480 checksum Configure the TCP checksum
481 urgent-pointer Configure the TCP urgent pointer
482 options Configure TCP options
483 end End TCP configuration mode
484 mz(config-pkt-2-tcp)# flags syn fin rst
485 Current setting is: --------------------RST-SYN-FIN
486 mz(config-pkt-2-tcp)# end
487 mz(config-pkt-2)# payload ascii This is a dummy payload for my first
488 packet
489 mz(config-pkt-2)# end
490 Now configure another packet, for example let's assume we want an LLDP
492 process:
493 mz(config)# packet
495 Allocated new packet PKT0003 at slot 3
496 mz(config-pkt-3)# type lldp
497 mz(config-pkt-3-lldp)# exit
498 mz(config)# exit
499 In the above example we only use the default LLDP settings and don't
501 configure further LLDP options or TLVs. Back in the top level of the
502 CLI let's verify what we had done:
503 mz# show packet
505 Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS,
506 I/i=IP/delivery_off, U=UDP, T=TCP
507 PktID PktName Layers Proto Size State Device
508 Delay Count/CntX
509 1 sysARP_servic... E----- ARP 60 config lo
510 100 msec 1/0 (100%)
511 2 Test E-Q-IT 125 config eth0
512 1000 usec 1000/1000 (0%)
513 3 PKT0003 E----- LLDP 36 config eth0
514 30 sec 0/0 (0%)
515 3 packets defined, 0 active.
516 The column Layers indicates which major protocols have been combined.
518 For example the packet with packet-id 2 ("Test") utilizes Ethernet (E),
519 IP (I), and TCP (T). Additionally an 802.1Q tag (Q) has been inserted.
520 Now start one of these packet processes:
521 mz# start slot 3
523 Activate [3]
524 mz# show packet
525 Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS,
526 I/i=IP/delivery_off, U=UDP, T=TCP
527 PktID PktName Layers Proto Size State Device
528 Delay Count/CntX
529 1 sysARP_servic... E----- ARP 60 config lo
530 100 msec 1/0 (100%)
531 2 Test E-Q-IT 125 config eth0
532 1000 usec 1000/1000 (0%)
533 3 PKT0003 E----- LLDP 36 config eth0
534 30 sec 0/1 (0%)
535 3 packets defined, 1 active.
536 Let's have a more detailed look at a specific packet process:
538 mz# show packet 2
540 Packet [2] Test
541 Description: This is just a test
542 State: config, Count=1000, delay=1000 usec (0 s 1000000 nsec), inter‐
543 val= (undefined)
544 Headers:
545 Ethernet: 00-30-05-76-2e-8d => ff-ff-ff-ff-ff-ff [0800 after 802.1Q
546 tag]
547 Auto-delivery is ON (that is, the actual MAC is adapted upon trans‐
548 mission)
549 802.1Q: 0 tag(s); (VLAN:CoS)
550 IP: SA=192.168.0.4 (not random) (no range)
551 DA=255.255.255.255 (no range)
552 ToS=0x00 proto=17 TTL=255 ID=0 offset=0 flags: -|-|-
553 len=49664(correct) checksum=0x2e8d(correct)
554 TCP: 83 bytes segment size (including TCP header)
555 SP=0 (norange) (not random), DP=0 (norange) (not random)
556 SQNR=3405691582 (start 0, stop 4294967295, delta 0) -- ACKNR=0
557 (invalid)
558 Flags: ------------------------SYN----, reserved field is 00,
559 urgent pointer= 0
560 Announced window size= 100
561 Offset= 0 (times 32 bit; value is valid), checksum= ffff
562 (valid)
563 (No TCP options attached) - 0 bytes defined
564 Payload size: 43 bytes
565 Frame size: 125 bytes
566 1 ff:ff:ff:ff:ff:ff:00:30 05:76:2e:8d:81:00:e0:01
567 81:00:a0:c8:08:00:45:00 00:67:00:00:00:00:ff:06
568 33 fa:e4:c0:a8:00:04:ff:ff ff:ff:00:00:00:00:ca:fe
569 ba:be:00:00:00:00:a0:07 00:64:f7:ab:00:00:02:04
570 65 05:ac:04:02:08:0a:19:35 90:c3:00:00:00:00:01:03
571 03:05:54:68:69:73:20:69 73:20:61:20:64:75:6d:6d
572 97 79:20:70:61:79:6c:6f:61 64:20:66:6f:72:20:6d:79
573 20:66:69:72:73:74:20:70 61:63:6b:65:74
574 mz#
575 If you want to stop one or more packet processes, use the stop command.
577 The "emergency stop" is when you use stop all:
578 mz# stop all
580 Stopping
581 [3] PKT0003
582 Stopped 1 transmission processe(s)
583 The launch command provides a shortcut for commonly used packet pro‐
585 cesses. For example to behave like a STP-capable bridge we want to
586 start an BPDU process with typical parameters:
587 mz# launch bpdu
589 Allocated new packet sysBPDU at slot 5
590 mz# show packet
591 Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS,
592 I/i=IP/delivery_off, U=UDP, T=TCP
593 PktID PktName Layers Proto Size State Device
594 Delay Count/CntX
595 1 sysARP_servic... E----- ARP 60 config lo
596 100 msec 1/0 (100%)
597 2 Test E-Q-IT 125 config eth0
598 1000 usec 1000/1000 (0%)
599 3 PKT0003 E----- LLDP 36 config eth0
600 30 sec 0/12 (0%)
601 4 PKT0004 E---I- IGMP 46 config eth0
602 100 msec 0/0 (0%)
603 5 sysBPDU ES---- BPDU 29 active eth0
604 2 sec 0/1 (0%)
605 5 packets defined, 1 active.
606 Now a Configuration BPDU is sent every 2 seconds, claiming to be the
608 root bridge (and usually confusing the LAN. Note that only packet 5
609 (i.e. the last row) is active and therefore sending packets while all
610 other packets are in state config (i.e. they have been configured but
611 they are not doing anything at the moment).
612 Configuring a greater interval:
614 Sometimes you may want to send a burst of packets at a greater inter‐
615 val:
616 mz(config)# packet 2
618 Modify packet parameters for packet Test [2]
619 mz(config-pkt-2)# interval
620 Configure a greater packet interval in days, hours, minutes, or sec‐
621 onds
622 Arguments: <value> <days | hours | minutes | seconds>
623 Use a zero value to disable an interval.
624 mz(config-pkt-2)# interval 1 hour
625 mz(config-pkt-2)# count 10
626 mz(config-pkt-2)# delay 15 usec
627 Inter-packet delay set to 0 sec and 15000 nsec
628 Now this packet is sent ten times with an inter-packet delay of 15
630 microseconds and this is repeated every hour. When you look at the
631 packet list, an interval is indicated with the additional flag 'i' when
632 inactive or 'I' when active:
633 mz# show packet
635 Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS,
636 I/i=IP/delivery_off, U=UDP, T=TCP
637 PktID PktName Layers Proto Size State Device
638 Delay Count/CntX
639 1 sysARP_servic... E----- ARP 60 config lo
640 100 msec 1/0 (100%)
641 2 Test E-Q-IT 125 config-i eth0
642 15 usec 10/10 (0%)
643 3 PKT0003 E----- LLDP 36 config eth0
644 30 sec 0/12 (0%)
645 4 PKT0004 E---I- IGMP 46 config eth0
646 100 msec 0/0 (0%)
647 5 sysBPDU ES---- BPDU 29 active eth0
648 2 sec 0/251 (0%)
649 5 packets defined, 1 active.
650 mz# start slot 2
651 Activate [2]
652 mz# show packet
653 Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS,
654 I/i=IP/delivery_off, U=UDP, T=TCP
655 PktID PktName Layers Proto Size State Device
656 Delay Count/CntX
657 1 sysARP_servic... E----- ARP 60 config lo
658 100 msec 1/0 (100%)
659 2 Test E-Q-IT 125 config+I eth0
660 15 usec 10/0 (100%)
661 3 PKT0003 E----- LLDP 36 config eth0
662 30 sec 0/12 (0%)
663 4 PKT0004 E---I- IGMP 46 config eth0
664 100 msec 0/0 (0%)
665 5 sysBPDU ES---- BPDU 29 active eth0
666 2 sec 0/256 (0%)
667 5 packets defined, 1 active.
668 Note that the flag 'I' indicates that an interval has been specified
670 for packet 2. The process is not active at the moment (only packet 5 is
671 active here) but it will become active at a regular interval. You can
672 verify the actual interval when viewing the packet details via the
673 'show packet 2' command.
674 Load prepared configurations:
676 You can prepare packet configurations using the same commands as you
677 would type them in on the CLI and then load them to the CLI. For exam‐
678 ple, assume we have prepared a file 'test.mops' containing:
679 configure terminal
681 packet
682 name IGMP_TEST
683 desc This is only a demonstration how to load a file to mops
684 type igmp
685 Then we can add this packet configuration to our packet list using the
687 load command:
688 mz# load test.mops
690 Read commands from test.mops...
691 Allocated new packet PKT0002 at slot 2
692 mz# show packet
693 Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS,
694 I/i=IP/delivery_off, U=UDP, T=TCP
695 PktID PktName Layers Proto Size State Device
696 Delay Count/CntX
697 1 sysARP_servic... E----- ARP 60 config lo
698 100 msec 1/0 (100%)
699 2 IGMP_TEST E---I- IGMP 46 config eth0
700 100 msec 0/0 (0%)
701 2 packets defined, 0 active.
702 The file src/examples/mausezahn/example_lldp.conf contains another
704 example list of commands to create a bogus LLDP packet. You can load
705 this configuration from the mausezahn command line as follows:
706 mz# load /home/hh/tmp/example_lldp.conf
708 In case you copied the file in that path. Now when you enter 'show
710 packet' you will see a new packet entry in the packet list. Use the
711 'start slot <nr>' command to activate this packet.
712 You can store your own packet creations in such a file and easily load
714 them when you need them. Every command within such configuration files
715 is executed on the command line interface as if you had typed it in --
716 so be careful about the order and don't forget to use 'configure termi‐
717 nal' as first command.
718 You can even load other files from within a central config file.
720
722 How to specify hexadecimal digits:
723 Many arguments allow direct byte input. Bytes are represented as two
724 hexadecimal digits. Multiple bytes must be separated either by spaces,
725 colons, or dashes - whichever you prefer. The following byte strings
726 are equivalent:
727 "aa:bb cc-dd-ee ff 01 02 03-04 05"
729 "aa bb cc dd ee ff:01:02:03:04 05"
730 To begin with, you may want to send an arbitrary fancy (possibly
732 invalid) frame right through your network card:
733 mausezahn ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:08:00:ca:fe:ba:be
735 or equivalent but more readable:
737 mausezahn ff:ff:ff:ff:ff:ff-ff:ff:ff:ff:ff:ff-08:00-ca:fe:ba:be
739 Basic operations:
741 All major command line options are listed when you execute mausezahn
742 without arguments. For practical usage, keep the following special (not
743 so widely known) options in mind:
744 -r Multiplies the specified delay with a random
746 value.
747 -p <length> Pad the raw frame to specified length (using
748 random bytes).
749 -P <ASCII Payload> Use the specified ASCII payload.
750 -f <filename> Read the ASCII payload from a file.
751 -F <filename> Read the hexadecimal payload from a file.
752 -S Simulation mode: DOES NOT put anything on the
753 wire.
754 This is typically combined with one of the ver‐
755 bose
756 modes (-v or V).
757 Many options require a keyword or a number but the -t option is an
759 exception since it requires both a packet type (such as ip, udp, dns,
760 etc) and an argument string which is specific for that packet type.
761 Here are some simple examples:
762 mausezahn -t help
764 mausezahn -t tcp help
765 mausezahn eth3 -t udp sp=69,dp=69,p=ca:fe:ba:be
766 Note: Don't forget that on the CLI the Linux shell (usually the Bash)
768 interprets spaces as a delimiting character. That is, if you are speci‐
769 fying an argument that consists of multiple words with spaces in
770 between, you MUST group these within quotes. For example, instead of
771 mausezahn eth0 -t udp sp=1,dp=80,p=00:11:22:33
773 you could either omit the spaces
775 mausezahn eth0 -t udp sp=1,dp=80,p=00:11:22:33
777 or, for greater safety, use quotes:
779 mausezahn eth0 -t udp "sp=1,dp=80,p=00:11:22:33"
781 In order to monitor what's going on, you can enable the verbose mode
783 using the -v option. The opposite is the quiet mode (-q) which will
784 keep mausezahn absolutely quiet (except for error messages and warn‐
785 ings.)
786 Don't confuse the payload argument p=... with the padding option -p.
788 The latter is used outside the quotes!
789 The automatic packet builder:
791 An important argument is -t which invokes a packet builder. Currently
792 there are packet builders for ARP, BPDU, CDP, IP, partly ICMP, UDP,
793 TCP, RTP, DNS, and SYSLOG. (Additionally you can insert a VLAN tag or a
794 MPLS label stack but this works independently of the packet builder.)
795 You get context specific help for every packet builder using the help
797 keyword, such as:
798 mausezahn -t bpdu help
800 mausezahn -t tcp help
801 For every packet you may specify an optional payload. This can be done
803 either via hexadecimal notation using the payload (or short p) argument
804 or directly as ASCII text using the -P option:
805 mausezahn eth0 -t ip -P "Hello World" # ASCII
807 payload
808 mausezahn eth0 -t ip p=68:65:6c:6c:6f:20:77:6f:72:6c:64 # hex
809 payload
810 mausezahn eth0 -t ip "proto=89, \
811 p=68:65:6c:6c:6f:20:77:6f:72:6c:64, \ # same
812 with other
813 ttl=1" # IP
814 arguments
815 Note: The raw link access mode only accepts hexadecimal payloads
817 (because you specify everything in hexadecimal here.)
818 Packet count and delay:
820 By default only one packet is sent. If you want to send more packets
821 then use the count option -c <count>. When count is zero then mausezahn
822 will send forever. By default, mausezahn sends at maximum speed (and
823 this is really fast ;-)). If you don't want to overwhelm your network
824 devices or have other reasons to send at a slower rate then you might
825 want to specify a delay using the -d <delay> option.
826 If you only specify a numeric value it is interpreted in microsecond
828 units. Alternatively, for easier use, you might specify units such as
829 seconds, sec, milliseconds, or msec. (You can also abbreviate this with
830 s or m.) Note: Don't use spaces between the value and the unit! Here
831 are typical examples:
832 Send an infinite number of frames as fast as possible:
834 mausezahn -c 0 "aa bb cc dd ...."
836 Send 100,000 frames with a 50 msec interval:
838 mausezahn -c 100000 -d 50msec "aa bb cc dd ...."
840 Send an unlimited number of BPDU frames in a 2 second interval:
842 mausezahn -c 0 -d 2s -t bpdu conf
844 Note: mausezahn does not support fractional numbers. If you want to
846 specify for example 2.5 seconds then express this in milliseconds (2500
847 msec).
848 Source and destination addresses:
850 As a mnemonic trick keep in mind that all packets run from "A" to "B".
851 You can always specify source and destination MAC addresses using the
852 -a and -b options, respectively. These options also allow keywords such
853 as rand, own, bpdu, cisco, and others.
854 Similarly, you can specify source and destination IP addresses using
856 the -A and -B options, respectively. These options also support FQDNs
857 (i.e. domain names) and ranges such as 192.168.0.0/24 or
858 10.0.0.11-10.0.3.22. Additionally, the source address option supports
859 the rand keyword (ideal for "attacks").
860 Note: When you use the packet builder for IP-based packets (e.g. UDP or
862 TCP) then mausezahn automatically cares about correct MAC and IP
863 addresses (i.e. it performs ARP, DHCP, and DNS for you). But when you
864 specify at least a single link-layer address (or any other L2 option
865 such as a VLAN tag or MPLS header) then ARP is disabled and you must
866 care for the Ethernet destination address for yourself.
867 Layer-2:
869 `-- Direct link access:
870 mausezahn allows you to send ANY chain of bytes directly through your
871 Ethernet interface:
872 mausezahn eth0 "ff:ff:ff:ff:ff:ff ff:ff:ff:ff:ff:ff 00:00
874 ca:fe:ba:be"
875 This way you can craft every packet you want but you must do it by
877 hand. Note: On Wi-Fi interfaces the header is much more complicated and
878 automatically created by the Wi-Fi driver. As an example to introduce
879 some interesting options, lets continuously send frames at max speed
880 with random source MAC address and broadcast destination address, addi‐
881 tionally pad the frame to 1000 bytes:
882 mausezahn eth0 -c 0 -a rand -b bcast -p 1000 "08 00 aa bb cc dd"
884 The direct link access supports automatic padding using the -p <total
886 frame length> option. This allows you to pad a raw L2 frame to the
887 desired length. You must specify the total length, and the total frame
888 length must have at least 15 bytes for technical reasons. Zero bytes
889 are used for padding.
890 `-- ARP:
892 mausezahn provides a simple interface to the ARP packet. You can spec‐
893 ify the ARP method (request|reply) and up to four arguments: sendermac,
894 targetmac, senderip, targetip, or short smac, tmac, sip, tip. By
895 default, an ARP reply is sent with your own interface addresses as
896 source MAC and IP address, and a broadcast destination MAC and IP
897 address. Send a gratuitous ARP request (as used for duplicate IP
898 address detection):
899 mausezahn eth0 -t arp
901 ARP cache poisoning:
903 mausezahn eth0 -t arp "reply, senderip=192.168.0.1, target‐
905 mac=00:00:0c:01:02:03, \
906 targetip=172.16.1.50"
907 where by default your interface MAC address will be used as sendermac,
909 senderip denotes the spoofed IP address, targetmac and targetip identi‐
910 fies the receiver. By default, the Ethernet source address is your
911 interface MAC and the destination address is the broadcast address. You
912 can change this using the flags -a and -b.
913 `-- BPDU:
915 mausezahn provides a simple interface to the 802.1D BPDU frame format
916 (used to create the Spanning Tree in bridged networks). By default,
917 standard IEEE 802.1D BPDUs are sent and it is assumed that your com‐
918 puter wants to become the root bridge (rid=bid). Optionally the 802.3
919 destination address can be a specified MAC address, broadcast, own MAC,
920 or Cisco's PVST+ MAC address. The destination MAC can be specified
921 using the -b command which, besides MAC addresses, accepts keywords
922 such as bcast, own, pvst, or stp (default). PVST+ is supported as well.
923 Simply specify the VLAN for which you want to send a BPDU:
924 mausezahn eth0 -t bpdu "vlan=123, rid=2000"
926 See mausezahn -t bpdu help for more details.
928 `-- CDP:
930 mausezahn can send Cisco Discovery Protocol (CDP) messages since this
931 protocol has security relevance. Of course lots of dirty tricks are
932 possible; for example arbitrary TLVs can be created (using the hex-pay‐
933 load argument for example p=00:0e:00:07:01:01:90) and if you want to
934 stress the CDP database of some device, mausezahn can send each CDP
935 message with another system-id using the change keyword:
936 mausezahn -t cdp change -c 0
938 Some routers and switches may run into deep problems ;-) See mausezahn
940 -t cdp help for more details.
941 `-- 802.1Q VLAN Tags:
943 mausezahn allows simple VLAN tagging for IP (and other higher layer)
944 packets. Simply use the option -Q <[CoS:]VLAN>, such as -Q 10 or -Q
945 3:921. By default CoS=0. For example send a TCP packet in VLAN 500
946 using CoS=7:
947 mausezahn eth0 -t tcp -Q 7:500 "dp=80, flags=rst, p=aa:aa:aa"
949 You can create as many VLAN tags as you want! This is interesting to
951 create QinQ encapsulations or VLAN hopping: Send a UDP packet with VLAN
952 tags 100 (outer) and 651 (inner):
953 mausezahn eth0 -t udp "dp=8888, sp=13442" -P "Mausezahn is great" -Q
955 100,651
956 Don't know if this is useful anywhere but at least it is possible:
958 mausezahn eth0 -t udp "dp=8888, sp=13442" -P "Mausezahn is great" \
960 -Q 6:5,7:732,5:331,5,6
961 Mix it with MPLS:
963 mausezahn eth0 -t udp "dp=8888, sp=13442" -P "Mausezahn is great" -Q
965 100,651 -M 314
966 When in raw Layer 2 mode you must create the VLAN tag completely by
968 yourself. For example if you want to send a frame in VLAN 5 using CoS
969 0 simply specify 81:00 as type field and for the next two bytes the CoS
970 (PCP), DEI (CFI), and VLAN ID values (all together known as TCI):
971 mausezahn eth0 -b bc -a rand "81:00 00:05 08:00 aa-aa-aa-aa-aa-aa-aa-
973 aa-aa"
974 `-- MPLS labels:
976 mausezahn allows you to insert one or more MPLS headers. Simply use the
977 option -M <label:CoS:TTL:BoS> where only the label is mandatory. If you
978 specify a second number it is interpreted as the experimental bits (the
979 CoS usually). If you specify a third number it is interpreted as TTL.
980 By default the TTL is set to 255. The Bottom of Stack flag is set auto‐
981 matically, otherwise the frame would be invalid, but if you want you
982 can also set or unset it using the S (set) and s (unset) argument. Note
983 that the BoS must be the last argument in each MPLS header definition.
984 Here are some examples:
985 Use MPLS label 214:
987 mausezahn eth0 -M 214 -t tcp "dp=80" -P "HTTP..." -B myhost.com
989 Use three labels (the 214 is now the outer):
991 mausezahn eth0 -M 9999,51,214 -t tcp "dp=80" -P "HTTP..." -B
993 myhost.com
994 Use two labels, one with CoS=5 and TTL=1, the other with CoS=7:
996 mausezahn eth0 -M 100:5:1,500:7 -t tcp "dp=80" -P "HTTP..." -B
998 myhost.com
999 Unset the BoS flag (which will result in an invalid frame):
1001 mausezahn eth0 -M 214:s -t tcp "dp=80" -P "HTTP..." -B myhost.com
1003 Layer 3-7:
1005 IP, UDP, and TCP packets can be padded using the -p option. Currently
1006 0x42 is used as padding byte ('the answer'). You cannot pad DNS packets
1007 (would be useless anyway).
1008 `-- IP:
1010 mausezahn allows you to send any malformed or correct IP packet. Every
1011 field in the IP header can be manipulated. The IP addresses can be
1012 specified via the -A and -B options, denoting the source and destina‐
1013 tion address, respectively. You can also specify an address range or a
1014 host name (FQDN). Additionally, the source address can also be random.
1015 By default the source address is your interface IP address and the des‐
1016 tination address is a broadcast address. Here are some examples:
1017 ASCII payload:
1019 mausezahn eth0 -t ip -A rand -B 192.168.1.0/24 -P "hello world"
1021 Hexadecimal payload:
1023 mausezahn eth0 -t ip -A 10.1.0.1-10.1.255.254 -B 255.255.255.255
1025 p=ca:fe:ba:be
1026 Will use correct source IP address:
1028 mausezahn eth0 -t ip -B www.xyz.com
1030 The Type of Service (ToS) byte can either be specified directly by two
1032 hexadecimal digits, which means you can also easily set the Explicit
1033 Congestion Notification (ECN) bits (LSB 1 and 2), or you may only want
1034 to specify a common DSCP value (bits 3-8) using a decimal number
1035 (0..63):
1036 Packet sent with DSCP = Expedited Forwarding (EF):
1038 mausezahn eth0 -t ip dscp=46,ttl=1,proto=1,p=08:00:5a:a2:de:ad:be:af
1040 If you leave the checksum as zero (or unspecified) the correct checksum
1042 will be automatically computed. Note that you can only use a wrong
1043 checksum when you also specify at least one L2 field manually.
1044 `-- UDP:
1046 mausezahn supports easy UDP datagram generation. Simply specify the
1047 destination address (-B option) and optionally an arbitrary source
1048 address (-A option) and as arguments you may specify the port numbers
1049 using the dp (destination port) and sp (source port) arguments and a
1050 payload. You can also easily specify a whole port range which will
1051 result in sending multiple packets. Here are some examples:
1052 Send test packets to the RTP port range:
1054 mausezahn eth0 -B 192.168.1.1 -t udp "dp=16384-32767, \
1056 p=A1:00:CC:00:00:AB:CD:EE:EE:DD:DD:00"
1057 Send a DNS request as local broadcast (often a local router replies):
1059 mausezahn eth0 -t udp
1061 dp=53,p=c5-2f-01-00-00-01-00-00-00-00-00-00-03-77-77-\
1062 77-03-78-79-7a-03-63-6f-6d-00-00-01-00-01"
1063 Additionally you may specify the length and checksum using the len and
1065 sum arguments (will be set correctly by default). Note: several proto‐
1066 cols have same arguments such as len (length) and sum (checksum). If
1067 you specified a UDP type packet (via -t udp) and want to modify the IP
1068 length, then use the alternate keyword iplen and ipsum. Also note that
1069 you must specify at least one L2 field which tells mausezahn to build
1070 everything without the help of your kernel (the kernel would not allow
1071 modifying the IP checksum and the IP length).
1072 `-- ICMP:
1074 mausezahn currently only supports the following ICMP methods: PING
1075 (echo request), Redirect (various types), Unreachable (various types).
1076 Additional ICMP types will be supported in future. Currently you would
1077 need to tailor them by yourself, e.g. using the IP packet builder (set‐
1078 ting proto=1). Use the mausezahn -t icmp help for help on currently
1079 implemented options.
1080 `-- TCP:
1082 mausezahn allows you to easily tailor any TCP packet. Similarly as with
1083 UDP you can specify source and destination port (ranges) using the sp
1084 and dp arguments. Then you can directly specify the desired flags
1085 using an "|" as delimiter if you want to specify multiple flags. For
1086 example, a SYN-Flood attack against host 1.1.1.1 using a random source
1087 IP address and periodically using all 1023 well-known ports could be
1088 created via:
1089 mausezahn eth0 -A rand -B 1.1.1.1 -c 0 -t tcp "dp=1-1023, flags=syn"
1091 \
1092 -P "Good morning! This is a SYN Flood Attack.
1093 \
1094 We apologize for any inconvenience."
1095 Be careful with such SYN floods and only use them for firewall testing.
1097 Check your legal position! Remember that a host with an open TCP ses‐
1098 sion only accepts packets with correct socket information (addresses
1099 and ports) and a valid TCP sequence number (SQNR). If you want to try a
1100 DoS attack by sending a RST-flood and you do NOT know the target's ini‐
1101 tial SQNR (which is normally the case) then you may want to sweep
1102 through a range of sequence numbers:
1103 mausezahn eth0 -A legal.host.com -B target.host.com \
1105 -t tcp "sp=80,dp=80,s=1-4294967295"
1106 Fortunately, the SQNR must match the target host's acknowledgement num‐
1108 ber plus the announced window size. Since the typical window size is
1109 something between 40000 and 65535 you are MUCH quicker when using an
1110 increment via the ds argument:
1111 mausezahn eth0 -A legal.host.com -B target.host.com \
1113 -t tcp "sp=80, dp=80, s=1-4294967295, ds=40000"
1114 In the latter case mausezahn will only send 107375 packets instead of
1116 4294967295 (which results in a duration of approximately 1 second com‐
1117 pared to 11 hours!). Of course you can tailor any TCP packet you like.
1118 As with other L4 protocols mausezahn builds a correct IP header but you
1119 can additionally access every field in the IP packet (also in the Eth‐
1120 ernet frame).
1121 `-- DNS:
1123 mausezahn supports UDP-based DNS requests or responses. Typically you
1124 may want to send a query or an answer. As usual, you can modify every
1125 flag in the header. Here is an example of a simple query:
1126 mausezahn eth0 -B mydns-server.com -t dns "q=www.ibm.com"
1128 You can also create server-type messages:
1130 mausezahn eth0 -A spoofed.dns-server.com -B target.host.com \
1132 "q=www.topsecret.com, a=172.16.1.1"
1133 The syntax according to the online help (-t dns help) is:
1135 query|q = <name>[:<type>] ............. where type is per default
1137 "A"
1138 (and class is always "IN")
1139 answer|a = [<type>:<ttl>:]<rdata> ...... ttl is per default 0.
1140 = [<type>:<ttl>:]<rdata>/[<type>:<ttl>:]<rdata>/...
1141 Note: If you only use the 'query' option then a query is sent. If you
1143 additionally add an 'answer' then an answer is sent. Examples:
1144 q = www.xyz.com
1146 q = www.xyz.com, a=192.168.1.10
1147 q = www.xyz.com, a=A:3600:192.168.1.10
1148 q = www.xyz.com, a=CNAME:3600:abc.com/A:3600:192.168.1.10
1149 Please try out mausezahn -t dns help to see the many other optional
1151 command line options.
1152 `-- RTP and VoIP path measurements:
1154 mausezahn can send arbitrary Real Time Protocol (RTP) packets. By
1155 default a classical G.711 codec packet of 20 ms segment size and 160
1156 bytes is assumed. You can measure jitter, packet loss, and reordering
1157 along a path between two hosts running mausezahn. The jitter measure‐
1158 ment is either done following the variance low-pass filtered estimation
1159 specified in RFC 3550 or using an alternative "real-time" method which
1160 is even more precise (the RFC-method is used by default). For example
1161 on Host1 you start a transmission process:
1162 mausezahn -t rtp -B 192.168.1.19
1164 And on Host2 (192.168.1.19) a receiving process which performs the mea‐
1166 surement:
1167 mausezahn -T rtp
1169 Note that the option flag with the capital "T" means that it is a
1171 server RTP process, waiting for incoming RTP packets from any mausezahn
1172 source. In case you want to restrict the measurement to a specific
1173 source or you want to perform a bidirectional measurement, you must
1174 specify a stream identifier. Here is an example for bidirectional mea‐
1175 surements which logs the running jitter average in a file:
1176 Host1# mausezahn -t rtp id=11:11:11:11 -B 192.168.2.2 &
1178 Host1# mausezahn -T rtp id=22:22:22:22 "log, path=/tmp/mz/"
1179 Host2# mausezahn -t rtp id=22:22:22:22 -B 192.168.1.1 &
1181 Host2# mausezahn -T rtp id=11:11:11:11 "log, path=/tmp/mz/"
1182 In any case the measurements are printed continuously onto the screen;
1184 by default it looks like this:
1185 0.00 0.19 0.38
1187 0.57
1188 |-------------------------|-------------------------|-------------------------|
1189 #########
1190 0.07 msec
1191 ####################
1192 0.14 msec
1193 ##
1194 0.02 msec
1195 ###
1196 0.02 msec
1197 #########
1198 0.07 msec
1199 ####
1200 0.03 msec
1201 #########
1202 0.07 msec
1203 #############
1204 0.10 msec
1205 ##
1206 0.02 msec
1207 ###########################################
1208 0.31 msec
1209 #########
1210 0.07 msec
1211 ##############################################
1212 0.33 msec
1213 ###############
1214 0.11 msec
1215 ##########
1216 0.07 msec
1217 ###############
1218 0.11 msec
1219 ##########################################################
1220 0.42 msec
1221 #####
1222 0.04 msec
1223 More information is shown using the txt keyword:
1225 mausezahn -T rtp txt
1227 Got 100 packets from host 192.168.0.3: 0 lost (0 absolute lost), 1
1228 out of order
1229 Jitter_RFC (low pass filtered) = 30 usec
1230 Samples jitter (min/avg/max) = 1/186/2527 usec
1231 Delta-RX (min/avg/max) = 2010/20167/24805 usec
1232 Got 100 packets from host 192.168.0.3: 0 lost (0 absolute lost), 1
1233 out of order
1234 Jitter_RFC (low pass filtered) = 17 usec
1235 Samples jitter (min/avg/max) = 1/53/192 usec
1236 Delta-RX (min/avg/max) = 20001/20376/20574 usec
1237 Got 100 packets from host 192.168.0.3: 0 lost (0 absolute lost), 1
1238 out of order
1239 Jitter_RFC (low pass filtered) = 120 usec
1240 Samples jitter (min/avg/max) = 0/91/1683 usec
1241 Delta-RX (min/avg/max) = 18673/20378/24822 usec
1242 See mausezahn -t rtp help and mz -T rtp help for more details.
1244 `-- Syslog:
1246 The traditional Syslog protocol is widely used even in professional
1247 networks and is sometimes vulnerable. For example you might insert
1248 forged Syslog messages by spoofing your source address (e.g. imperson‐
1249 ate the address of a legit network device):
1250 mausezahn -t syslog sev=3 -P "You have been mausezahned." -A
1252 10.1.1.109 -B 192.168.7.7
1253 See mausezahn -t syslog help for more details.
1255
1257 When multiple ranges are specified, e.g. destination port ranges and
1258 destination address ranges, then all possible combinations of ports and
1259 addresses are used for packet generation. Furthermore, this can be
1260 mixed with other ranges e.g. a TCP sequence number range. Note that
1261 combining ranges can lead to a very huge number of frames to be sent.
1262 As a rule of thumb you can assume that about 100,000 frames and more
1263 are sent in a fraction of one second, depending on your network inter‐
1264 face.
1265 mausezahn has been designed as a fast traffic generator so you might
1267 easily overwhelm a LAN segment with myriads of packets. And because
1268 mausezahn could also support security audits it is possible to create
1269 malicious or invalid packets, SYN floods, port and address sweeps, DNS
1270 and ARP poisoning, etc.
1271 Therefore, don't use this tool when you are not aware of the possible
1273 consequences or have only a little knowledge about networks and data
1274 communication. If you abuse mausezahn for 'unallowed' attacks and get
1275 caught, or damage something of your own, then this is completely your
1276 fault. So the safest solution is to try it out in a lab environment.
1277 Also have a look at the netsniff-ng(8) note section on how you can
1279 properly setup and tune your system.
1280
1282 mausezahn is licensed under the GNU GPL version 2.0.
1283
1285 mausezahn was originally written by Herbert Haas. According to his web‐
1286 site [1], he unfortunately passed away in 2011 thus leaving this tool
1287 unmaintained. It has been adopted and integrated into the netsniff-ng
1288 toolkit and is further being maintained and developed from there. Main‐
1289 tainers are Tobias Klauser <tklauser@distanz.ch> and Daniel Borkmann
1290 <dborkma@tik.ee.ethz.ch>.
1291 [1] http://www.perihel.at/
1293
1295 netsniff-ng(8), trafgen(8), ifpps(8), bpfc(8), flowtop(8), astracer‐
1296 oute(8), curvetun(8)
1297
1299 Manpage was written by Herbert Haas and modified by Daniel Borkmann.
1300
1302 This page is part of the Linux netsniff-ng toolkit project. A descrip‐
1303 tion of the project, and information about reporting bugs, can be found
1304 at http://netsniff-ng.org/.
1305Linux 03 March 2013 MAUSEZAHN(8)