MAUSEZAHN(8)                  netsniff-ng toolkit                 MAUSEZAHN(8)

NAME
       mausezahn - a fast versatile packet generator with Cisco-cli

SYNOPSIS
       mausezahn { [options] "<arg-string> | <hex-string>" }

DESCRIPTION
       mausezahn is a fast traffic generator which allows you to send nearly
       every possible and impossible packet. In contrast to trafgen(8),
       mausezahn's packet configuration is on a protocol-level instead of
       byte-level, and mausezahn also comes with a built-in Cisco-like
       command-line interface, making it suitable as a network traffic
       generator box in your network lab.

       Next to network labs, it can also be used as a didactic tool and for
       security audits including penetration and DoS testing. As a traffic
       generator, mausezahn is also able to test IP multicast or VoIP
       networks. Packet rates close to the physical limit are reachable,
       depending on the hardware platform.

       mausezahn supports two modes, ''direct mode'' and a multi-threaded
       ''interactive mode''.

       The ''direct mode'' allows you to create a packet directly on the
       command line; every packet parameter is specified in the argument
       list when calling mausezahn.

       The ''interactive mode'' is an advanced multi-threaded configuration
       mode with its own command line interface (CLI). This mode allows you
       to create an arbitrary number of packet types and streams in
       parallel, each with different parameters.

       The interactive mode utilizes a completely redesigned and more
       flexible protocol framework called ''mops'' (mausezahn's own packet
       system). The look and feel of the CLI is very close to the Cisco
       IOS(tm) command line interface.

       You can start the interactive mode by executing mausezahn with the
       ''-x'' argument (an optional port number may follow, otherwise it is
       25542). Then use telnet(1) to connect to this mausezahn instance. If
       not otherwise specified, the default login and password combination
       is mz:mz and the enable password is mops. This can be changed in
       /etc/netsniff-ng/mausezahn.conf.

       The direct mode supports two specification schemes: the
       ''raw-layer-2'' scheme, where every single byte to be sent can be
       specified, and the ''higher-layer'' scheme, where packet builder
       interfaces are used (using the ''-t'' option).

       To use the ''raw-layer-2'' scheme, simply specify the desired frame
       as a hexadecimal sequence (the ''hex-string''), such as:

         mausezahn eth0 "00:ab:cd:ef:00 00:00:00:00:00:01 08:00 ca:fe:ba:be"

       In this example, whitespaces within the byte string are optional and
       separate the Ethernet fields (destination and source address, type
       field, and a short payload). The only additional options supported
       are ''-a'', ''-b'', ''-c'', and ''-p''. The frame length must be
       greater than or equal to 15 bytes.

       The ''higher-layer'' scheme is enabled using the ''-t <packet-type>''
       option. This option activates a packet builder, and besides the
       ''packet-type'', an optional ''arg-string'' can be specified. The
       ''arg-string'' contains packet-specific parameters, such as TCP
       flags, port numbers, etc. (see example section).

OPTIONS
       mausezahn provides a built-in context-specific help. Append the
       keyword ''help'' after the configuration options. The most important
       options are:

   -x [<port>]
       Start mausezahn in interactive mode with a Cisco-like CLI. Use telnet
       to log into the local mausezahn instance. If no port has been
       specified, port 25542 is used by default.

   -6
       Specify IPv6 mode (IPv4 is the default).

   -l <IP>
       Specify the IP address mausezahn should bind to when in interactive
       mode, default: 0.0.0.0.

   -v
       Verbose mode. Capital -V is even more verbose.

   -S
       Simulation mode, i.e. don't put anything on the wire. This is
       typically combined with the verbose mode.

   -q
       Quiet mode where only warnings and errors are displayed.

   -c <count>
       Send the packet count times (default: 1, infinite: 0).

   -d <delay>
       Apply a delay between transmissions. The delay value can be specified
       in usec (default, no additional unit needed), or in msec (e.g. 100m
       or 100msec), or in seconds (e.g. 100s or 100sec). Note: mops also
       supports nanosecond delay resolution if you need it (see interactive
       mode).

   -p <length>
       Pad the raw frame to the specified length using zero bytes. Note that
       for raw layer 2 frames the specified length defines the whole frame
       length, while for higher layer packets it specifies the number of
       additional padding bytes.

   -a <src-mac|keyword>
       Use the specified source MAC address in hexadecimal notation such as
       00:00:aa:bb:cc:dd. By default the interface MAC address will be used.
       The keywords ''rand'' and ''own'' refer to a random MAC address (only
       unicast addresses are created) and the own address, respectively. You
       can also use the keywords mentioned below, although broadcast-type
       source addresses are officially invalid.

   -b <dst-mac|keyword>
       Use the specified destination MAC address. By default, a broadcast is
       sent in raw layer 2 mode, while in normal (IP) mode the destination
       host's or gateway interface's MAC address is used. You can use the
       same keywords as mentioned above, as well as ''bc'' or ''bcast'',
       ''cisco'', and ''stp''.

   -A <src-ip|range|rand>
       Use the specified source IP address; the default is the own
       interface address. Optionally, the keyword ''rand'' can again be used
       for a random source IP address, or a range can be specified, such as
       ''192.168.1.1-192.168.1.100'' or ''10.1.0.0/16''. Also, a DNS name
       can be specified, for which mausezahn tries to determine the
       corresponding IP address automatically.

   -B <dst-ip|range>
       Use the specified destination IP address (default is broadcast, i.e.
       255.255.255.255). As with the source address (see above) you can also
       specify a range or a DNS name.

   -t <packet-type [help] | help>
       Create the specified packet type using the built-in packet builder.
       Currently, supported packet types are: ''arp'', ''bpdu'', ''ip'',
       ''udp'', ''tcp'', ''rtp'', and ''dns''. Currently, there is also
       limited support for ''icmp''. Type ''-t help'' to verify which packet
       builders your actual mausezahn version supports. Also, for any
       particular packet type, for example ''tcp'', type ''mausezahn -t tcp
       help'' to receive a more in-depth context specific help.

   -T <packet-type>
       Make this mausezahn instance the receiving station. Currently, only
       ''rtp'' is an option here and provides precise jitter measurements.
       For this purpose, start another mausezahn instance on the sending
       station and the local receiving station will output jitter
       statistics. See ''mausezahn -T rtp help'' for a detailed help.

   -Q <[CoS:]vlan> [, <[CoS:]vlan>, ...]
       Specify 802.1Q VLAN tag and optional Class of Service. An arbitrary
       number of VLAN tags can be specified (that is, you can simulate QinQ
       or even QinQinQinQ..). Multiple tags must be separated via a comma or
       a period (e.g. "5:10,20,2:30"). VLAN tags are not supported for ARP
       and BPDU packets (in which case you could specify the whole frame in
       hexadecimal using the raw layer 2 interface of mausezahn).

   -M <label[:cos[:ttl]][bos]> [, <label...>]
       Specify an MPLS label or even an MPLS label stack. Optionally, for
       each label the experimental bits (usually the Class of Service, CoS)
       and the Time To Live (TTL) can be specified. If you are really crazy
       you can set and unset the Bottom of Stack (BoS) bit for each label
       using the ''S'' (set) and ''s'' (unset) option. By default, the BoS
       is set automatically and correctly. Any other setting will lead to
       invalid frames. Enter ''-M help'' for detailed instructions and
       examples.

   -P <ascii-payload>
       Specify a cleartext payload. Alternatively, each packet type supports
       a hexadecimal specification of the payload (see for example ''-t udp
       help'').

   -f <filename>
       Read the ASCII payload from the specified file.

   -F <filename>
       Read the hexadecimal payload from the specified file. This file must
       also be an ASCII text file, but must contain hexadecimal digits, e.g.
       "aa:bb:cc:0f:e6...". You can also use spaces as separation
       characters.

USAGE EXAMPLE
       For more comprehensive examples, have a look at the two following
       HOWTO sections.

   mausezahn eth0 -c 0 -d 2s -t bpdu vlan=5
       Send BPDU frames for VLAN 5 as used with Cisco's PVST+ type of STP.
       By default mausezahn assumes that you want to become the root bridge.

   mausezahn eth0 -c 128000 -a rand -p 64
       Perform a CAM table overflow attack.

   mausezahn eth0 -c 0 -Q 5,100 -t tcp flags=syn,dp=1-1023 -p 20 -A rand -B 10.100.100.0/24
       Perform a SYN flood attack to another VLAN using VLAN hopping. This
       only works if you are connected to the same VLAN which is configured
       as native VLAN on the trunk. We assume that the victim VLAN is VLAN
       100 and the native VLAN is VLAN 5. Let's attack every host in VLAN
       100 which uses an IP prefix of 10.100.100.0/24, also try out all
       ports between 1 and 1023 and use a random source IP address.

   mausezahn eth0 -c 0 -d 10msec -B 230.1.1.1 -t udp dp=32000,dscp=46 -P Multicast test packet
       Send IP multicast packets to the multicast group 230.1.1.1 using a
       UDP header with destination port 32000 and set the IP DSCP field to
       EF (46). Send one frame every 10 msec.

   mausezahn eth0 -Q 6:420 -M 100,200,300:5 -A 172.30.0.0/16 -B target.anynetwork.foo -t udp sp=666,dp=1-65535 -p 1000 -c 10
       Send UDP packets to the destination host target.anynetwork.foo using
       all possible destination ports and send every packet with all
       possible source addresses of the range 172.30.0.0/16; additionally
       use a source port of 666 and three MPLS labels, 100, 200, and 300,
       the outer (300) with QoS field 5. Send the frame with a VLAN tag 420
       and CoS 6; eventually pad with 1000 bytes and repeat the whole thing
       10 times.

   mausezahn -t syslog sev=3 -P Main reactor reached critical temperature. -A 192.168.33.42 -B 10.1.1.9 -c 6 -d 10s
       Send six forged syslog messages with severity 3 to a Syslog server
       10.1.1.9; use a forged source IP address 192.168.33.42 and let
       mausezahn decide which local interface to use. Use an inter-packet
       delay of 10 seconds.

   mausezahn -t tcp flags=syn|urg|rst, sp=145, dp=145, win=0, s=0-4294967295, ds=1500, urg=666 -a bcast -b bcast -A bcast -B 10.1.1.6 -p 5
       Send an invalid TCP packet with only a 5 byte payload as layer-2
       broadcast and also use the broadcast MAC address as source address.
       The target should be 10.1.1.6 but use a broadcast source address.
       The source and destination port shall be 145 and the window size 0.
       Set the TCP flags SYN, URG, and RST simultaneously and sweep through
       the whole TCP sequence number space with an increment of 1500.
       Finally set the urgent pointer to 666, i.e. pointing to nowhere.

CONFIGURATION FILE
       When mausezahn is run in interactive mode it automatically looks for
       and reads a configuration file located at
       /etc/netsniff-ng/mausezahn.conf for custom options if the file is
       available, otherwise it uses defaults set at compile time.

   Config file: /etc/netsniff-ng/mausezahn.conf
       The configuration file contains lines of the form:

            option = value

       Options supported in the configuration file are:

          Option:          Description:

          user             Username for authentication (default: mz)
          password         Password for authentication (default: mz)
          enable           Password to enter privilege mode (default: mops)
          port             The listening port for the CLI (default: 25542)
          listen-addr      IP address to bind CLI to (default: 0.0.0.0)
          management-only  Set management interface (no data traffic is
                           allowed to pass through)
          cli-device       Interface to bind CLI to (default: all)
                           *not fully implemented*
          automops         Path to automops file (contains XML data
                           describing protocols) *in development*

   Example:
        $ cat /etc/netsniff-ng/mausezahn.conf
        user = mzadmin
        password = mzpasswd
        enable = privilege-mode-passwd
        port = 65000
        listen-addr = 127.0.0.1
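
       A compiled-in default of mz:mz, enable password mops and a CLI bound
       to 0.0.0.0 means a freshly started ''mausezahn -x'' is reachable
       over cleartext telnet from every network the host sits on, with
       credentials printed in this manual. The Python below is an added
       example, not part of mausezahn or of this page: it parses the
       ''option = value'' file format and reports a config that still
       carries those defaults. Treating ''#'' as a comment marker, the
       function names and the wording of the findings are this example's
       own assumptions; the option names and defaults are the ones
       documented above, and the sample config is the page's example plus a
       constructed weak one.

```python
from typing import Dict, List

# Compiled-in defaults as documented in mausezahn(8).
DEFAULTS: Dict[str, str] = {
    "user": "mz",
    "password": "mz",
    "enable": "mops",
    "port": "25542",
    "listen-addr": "0.0.0.0",
}
KNOWN_OPTIONS = set(DEFAULTS) | {"management-only", "cli-device", "automops"}

# The example shown in the man page.
PAGE_EXAMPLE_CONF = """\
user = mzadmin
password = mzpasswd
enable = privilege-mode-passwd
port = 65000
listen-addr = 127.0.0.1
"""

# Constructed: an operator who only changed the port.
WEAK_CONF = "port = 2323\n"


def parse_mausezahn_conf(text: str) -> Dict[str, str]:
    """Parse 'option = value' lines. Skipping blank lines and '#' comments is
    an assumption of this example; the man page only shows option = value."""
    conf: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'option = value'")
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key] = value
    return conf


def audit_conf(conf: Dict[str, str]) -> List[str]:
    """Return findings for settings that leave the CLI exposed. Defaults are
    merged in first, so an absent option is audited as its default value."""
    effective = {**DEFAULTS, **conf}
    findings: List[str] = []
    for key in ("user", "password", "enable"):
        if effective[key] == DEFAULTS[key]:
            findings.append(f"{key} still uses the compiled-in default '{DEFAULTS[key]}'")
    if effective["password"] == effective["enable"]:
        findings.append("login password and enable password are identical")
    if effective["listen-addr"] == "0.0.0.0":
        findings.append("listen-addr 0.0.0.0 binds the cleartext telnet CLI to every interface")
    for key in sorted(set(conf) - KNOWN_OPTIONS):
        findings.append(f"option '{key}' is not documented in mausezahn(8)")
    return findings


if __name__ == "__main__":
    for label, text in (("page example", PAGE_EXAMPLE_CONF), ("weak", WEAK_CONF)):
        print(label, audit_conf(parse_mausezahn_conf(text)) or ["ok"])
```

       Run it against /etc/netsniff-ng/mausezahn.conf on every lab box
       that keeps ''mausezahn -x'' running; a silent result means the
       credentials and bind address have at least been moved off the
       documented defaults.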

INTERACTIVE MODE HOWTO
   Telnet:
       Using the interactive mode requires starting mausezahn as a server:

         # mausezahn -x

       Now you can telnet(1) to that server using the default port number
       25542, but an arbitrary port number can also be specified:

         # mausezahn -x 99
         mausezahn accepts incoming telnet connections on port 99.
         mz: Problems opening config file. Will use defaults

       Either from another terminal or from another host try to telnet to
       the mausezahn server:

         caprica$ telnet galactica 99
         Trying 192.168.0.4...
         Connected to galactica.
         Escape character is '^]'.
         mausezahn <version>

         Username: mz
         Password: mz

         mz> enable
         Password: mops
         mz#

       It is recommended to configure your own login credentials in
       /etc/netsniff-ng/mausezahn.conf (see configuration file section).

   Basics:
       Now that you have reached the mausezahn prompt, let's try some common
       commands. You can use the '?' character at any time for
       context-specific help. Note that Cisco-like short forms of commands
       are accepted in interactive mode. For example, one can use "sh pac"
       instead of "show packet"; another common example is to use "config t"
       in place of "configure terminal". For readability, this manual will
       continue with the full commands.

       First try out the show command:

         mz# show ?

       mausezahn maintains its own ARP table and observes anomalies. There
       is an entry for every physical interface (however this host has only
       one):

         mz# show arp
         Intf    Index     IP  address      MAC  address        last        Ch  UCast BCast Info
         ----------------------------------------------------------------------------------
         eth0    [1]  D      192.168.0.1   00:09:5b:9a:15:84   23:44:41      1   1     0  0000

       The column Ch tells us that the announced MAC address has only
       changed one time (= when it was learned). The columns UCast and BCast
       tell us how often this entry was announced via unicast or broadcast
       respectively.
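
       The Ch, UCast and BCast columns are what make the table useful as an
       anomaly detector: an IP whose announced MAC changes after it was
       learned is the signature of an ARP cache poisoning attempt or of a
       misconfigured duplicate host. The Python below is an added example,
       not mausezahn's code or part of this page: it keeps the same
       per-interface, per-IP entry with the same three counters and records
       an anomaly whenever the MAC for a known IP changes. The first sample
       announcement mirrors the entry shown above; the later announcements,
       the class and function names are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ArpEntry:
    mac: str
    last: str        # time of the most recent announcement
    ch: int = 0      # number of MAC changes; learning the entry counts as 1
    ucast: int = 0   # announcements received via unicast
    bcast: int = 0   # announcements received via broadcast


class ArpTable:
    """Track (interface, IP) -> MAC with the counters of mausezahn's 'show arp'
    and record an anomaly whenever a known IP is announced with a new MAC."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple[str, str], ArpEntry] = {}
        self.anomalies: List[str] = []

    def observe(self, intf: str, ip: str, mac: str, broadcast: bool, when: str) -> ArpEntry:
        mac = mac.lower()
        key = (intf, ip)
        entry = self.entries.get(key)
        if entry is None:
            entry = ArpEntry(mac=mac, last=when, ch=1)
            self.entries[key] = entry
        elif entry.mac != mac:
            self.anomalies.append(f"{intf}: {ip} changed from {entry.mac} to {mac} at {when}")
            entry.mac = mac
            entry.ch += 1
        entry.last = when
        if broadcast:
            entry.bcast += 1
        else:
            entry.ucast += 1
        return entry

    def render(self) -> str:
        """Print the table in the column order of 'show arp' (Index/Info omitted)."""
        header = f"{'Intf':<6}{'IP address':<16}{'MAC address':<19}{'last':<10}{'Ch':>3}{'UCast':>7}{'BCast':>7}"
        rows = [header, "-" * len(header)]
        for (intf, ip), e in sorted(self.entries.items()):
            rows.append(f"{intf:<6}{ip:<16}{e.mac:<19}{e.last:<10}{e.ch:>3}{e.ucast:>7}{e.bcast:>7}")
        return "\n".join(rows)


# Constructed sample announcements: (intf, ip, mac, broadcast?, time).
# The first one mirrors the man page entry; the other two are invented to
# exercise the counters and the change detection.
SAMPLE_ANNOUNCEMENTS = [
    ("eth0", "192.168.0.1", "00:09:5b:9a:15:84", False, "23:44:41"),
    ("eth0", "192.168.0.1", "00:09:5b:9a:15:84", True,  "23:45:12"),
    ("eth0", "192.168.0.1", "00:30:05:aa:bb:cc", True,  "23:46:03"),
]


def run_sample() -> ArpTable:
    table = ArpTable()
    for announcement in SAMPLE_ANNOUNCEMENTS:
        table.observe(*announcement)
    return table


if __name__ == "__main__":
    t = run_sample()
    print(t.render())
    for line in t.anomalies:
        print("ANOMALY:", line)
```

       A Ch value above 1 for the gateway address is the row to look at
       first; the UCast/BCast split tells you whether the competing
       announcements were gratuitous broadcasts or targeted replies.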
335
       Let's check our interfaces:

         mz# show interface
         Available network interfaces:
                        real              real                   used (fake)       used (fake)
            device      IPv4 address      MAC address            IPv4 address      MAC address
         ---------------------------------------------------------------------------------------
         >  eth0        192.168.0.4       00:30:05:76:2e:8d      192.168.0.4       00:30:05:76:2e:8d
            lo          127.0.0.1         00:00:00:00:00:00      127.0.0.1         00:00:00:00:00:00
         2 interfaces found.
         Default interface is eth0.
   Defining packets:
       Let's check the current packet list:

         mz# show packet
         Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=UDP, T=TCP
         PktID  PktName             Layers   Proto   Size  State     Device  Delay      Count/CntX
             1  sysARP_servic...    E-----   ARP       60  config    lo      100 msec      1/0 (100%)
         1 packets defined, 0 active.

       We notice that there is already one system-defined packet process; it
       has been created and used only once (during startup) by mausezahn's
       ARP service. Currently, its state is config, which means that the
       process is sleeping.

   General packet options:
       Now let's create our own packet process and switch into the global
       configuration mode:

         mz# configure terminal
         mz(config)# packet
         Allocated new packet PKT0002 at slot 2
         mz(config-pkt-2)# ?
         ...
         name                 Assign a unique name
         description          Assign a packet description text
         bind                 Select the network interface
         count                Configure the packet count value
         delay                Configure the inter-packet delay
         interval             Configure a greater interval
         type                 Specify packet type
         mac                  Configure packet's MAC addresses
         tag                  Configure tags
         payload              Configure a payload
         port                 Configure packet's port numbers
         end                  End packet configuration mode
         ethernet             Configure frame's Ethernet, 802.2, 802.3, or SNAP settings
         ip                   Configure packet's IP settings
         udp                  Configure packet's UDP header parameters
         tcp                  Configure packet's TCP header parameters

       There are a lot of options, but normally you only need a few of
       them. When you configure lots of different packets you might assign
       a reasonable name and description to them:

         mz(config-pkt-2)# name Test
         mz(config-pkt-2)# description This is just a test

       You can, for example, change the default settings for the source and
       destination MAC or IP addresses using the mac and ip commands:

         mz(config-pkt-2)# ip address destination 10.1.1.0 /24
         mz(config-pkt-2)# ip address source random

       In the example above, we configured a range of addresses (all hosts
       in the network 10.1.1.0 should be addressed). Additionally we spoof
       our source IP address. Of course, we can also add one or more VLAN
       and/or MPLS tag(s):

         mz(config-pkt-2)# tag ?
         dot1q                Configure 802.1Q (and 802.1P) parameters
         mpls                 Configure MPLS label stack
         mz(config-pkt-2)# tag dot ?
         Configure 802.1Q tags:
         VLAN[:CoS] [VLAN[:CoS]] ...    The leftmost tag is the outer tag in the frame
         remove <tag-nr> | all          Remove one or more tags (<tag-nr> starts with 1),
                                        by default the first (=leftmost, outer) tag is removed,
                                        keyword 'all' can be used instead of tag numbers.
         cfi | nocfi [<tag-nr>]         Set or unset the CFI-bit in any tag (by default
                                        assuming the first tag).
         mz(config-pkt-2)# tag dot 1:7 200:5

   Configure count and delay:
         mz(config-pkt-2)# count 1000
         mz(config-pkt-2)# delay ?
         delay <value> [hour | min | sec | msec | usec | nsec]

       Specify the inter-packet delay in hours, minutes, seconds,
       milliseconds, microseconds or nanoseconds. The default unit is
       milliseconds (i.e. when no unit is given).

         mz(config-pkt-2)# delay 1 msec
         Inter-packet delay set to 0 sec and 1000000 nsec
         mz(config-pkt-2)#
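
       The two delay syntaxes on this page do not share a default unit: a
       bare number after ''-d'' in direct mode is microseconds, while a
       bare number after ''delay'' in interactive mode is milliseconds, a
       factor of 1000 in packet rate if the two are confused. The Python
       below is an added example, not mausezahn's code or part of this
       page: it converts both forms to nanoseconds and reproduces the
       ''0 sec and N nsec'' echo shown above, so a prepared command line
       can be sanity-checked before a run. The function names are this
       example's own; the units and defaults are those documented in the
       OPTIONS section and in the ''delay ?'' help.

```python
import re
from typing import Tuple

NSEC = {
    "hour": 3_600_000_000_000,
    "min": 60_000_000_000,
    "sec": 1_000_000_000,
    "msec": 1_000_000,
    "usec": 1_000,
    "nsec": 1,
}

# Direct mode (-d): a bare number is microseconds; 'm'/'msec' and 's'/'sec'
# are the suffixes the man page documents.
DIRECT_SUFFIX = {"": "usec", "m": "msec", "msec": "msec", "s": "sec", "sec": "sec"}


def parse_direct_delay(spec: str) -> int:
    """'-d <delay>' value -> nanoseconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]*)\s*", spec)
    if not m:
        raise ValueError(f"unparseable delay '{spec}'")
    value, suffix = int(m.group(1)), m.group(2).lower()
    if suffix not in DIRECT_SUFFIX:
        raise ValueError(f"unknown direct-mode delay unit '{suffix}'")
    return value * NSEC[DIRECT_SUFFIX[suffix]]


def parse_mops_delay(value: int, unit: str = "msec") -> int:
    """Interactive 'delay <value> [hour|min|sec|msec|usec|nsec]' -> nanoseconds.
    The default unit here is milliseconds, unlike the microseconds of -d."""
    if value < 0:
        raise ValueError("delay must not be negative")
    if unit not in NSEC:
        raise ValueError(f"unknown mops delay unit '{unit}'")
    return value * NSEC[unit]


def sec_nsec(total_ns: int) -> Tuple[int, int]:
    """Split nanoseconds into the (sec, nsec) pair the CLI echoes back."""
    return divmod(total_ns, NSEC["sec"])


def format_mops_ack(total_ns: int) -> str:
    """Reproduce the confirmation line printed after 'delay ...'."""
    s, ns = sec_nsec(total_ns)
    return f"Inter-packet delay set to {s} sec and {ns} nsec"


if __name__ == "__main__":
    print(format_mops_ack(parse_mops_delay(1, "msec")))
    print(format_mops_ack(parse_mops_delay(15, "usec")))
    # Same digits, two modes: 100 usec versus 100 msec.
    print(parse_direct_delay("100"), "ns vs", parse_mops_delay(100), "ns")
```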
   Configuring protocol types:
       mausezahn's interactive mode supports a growing list of protocols and
       only relies on the MOPS architecture (and not on libnet as is the
       case with the legacy direct mode):

         mz(config-pkt-2)# type
         Specify a packet type from the following list:
         arp
         bpdu
         igmp
         ip
         lldp
         tcp
         udp
         mz(config-pkt-2)# type tcp
         mz(config-pkt-2-tcp)#
         ....
         seqnr                Configure the TCP sequence number
         acknr                Configure the TCP acknowledgement number
         hlen                 Configure the TCP header length
         reserved             Configure the TCP reserved field
         flags                Configure a combination of TCP flags at once
         cwr                  Set or unset the TCP CWR flag
         ece                  Set or unset the TCP ECE flag
         urg                  Set or unset the TCP URG flag
         ack                  set or unset the TCP ACK flag
         psh                  set or unset the TCP PSH flag
         rst                  set or unset the TCP RST flag
         syn                  set or unset the TCP SYN flag
         fin                  set or unset the TCP FIN flag
         window               Configure the TCP window size
         checksum             Configure the TCP checksum
         urgent-pointer       Configure the TCP urgent pointer
         options              Configure TCP options
         end                  End TCP configuration mode
         mz(config-pkt-2-tcp)# flags syn fin rst
         Current setting is: --------------------RST-SYN-FIN
         mz(config-pkt-2-tcp)# end
         mz(config-pkt-2)# payload ascii This is a dummy payload for my first packet
         mz(config-pkt-2)# end

       Now configure another packet, for example let's assume we want an
       LLDP process:

         mz(config)# packet
         Allocated new packet PKT0003 at slot 3
         mz(config-pkt-3)# type lldp
         mz(config-pkt-3-lldp)# exit
         mz(config)# exit

       In the above example we only use the default LLDP settings and don't
       configure further LLDP options or TLVs. Back at the top level of the
       CLI let's verify what we have done:

         mz# show packet
         Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=UDP, T=TCP
         PktID  PktName             Layers   Proto   Size  State     Device  Delay      Count/CntX
             1  sysARP_servic...    E-----   ARP       60  config    lo      100 msec      1/0 (100%)
             2  Test                E-Q-IT           125  config    eth0    1000 usec  1000/1000 (0%)
             3  PKT0003             E-----   LLDP      36  config    eth0    30 sec        0/0 (0%)
         3 packets defined, 0 active.

       The column Layers indicates which major protocols have been
       combined. For example the packet with packet-id 2 ("Test") utilizes
       Ethernet (E), IP (I), and TCP (T). Additionally an 802.1Q tag (Q) has
       been inserted. Now start one of these packet processes:

         mz# start slot 3
         Activate [3]
         mz# show packet
         Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=UDP, T=TCP
         PktID  PktName             Layers   Proto   Size  State     Device  Delay      Count/CntX
             1  sysARP_servic...    E-----   ARP       60  config    lo      100 msec      1/0 (100%)
             2  Test                E-Q-IT           125  config    eth0    1000 usec  1000/1000 (0%)
             3  PKT0003             E-----   LLDP      36  config    eth0    30 sec        0/1 (0%)
         3 packets defined, 1 active.

       Let's have a more detailed look at a specific packet process:

         mz# show packet 2
         Packet [2] Test
         Description: This is just a test
         State: config, Count=1000, delay=1000 usec (0 s 1000000 nsec), interval= (undefined)
         Headers:
          Ethernet: 00-30-05-76-2e-8d => ff-ff-ff-ff-ff-ff  [0800 after 802.1Q tag]
          Auto-delivery is ON (that is, the actual MAC is adapted upon transmission)
          802.1Q: 0 tag(s);  (VLAN:CoS)
          IP:  SA=192.168.0.4 (not random) (no range)
               DA=255.255.255.255 (no range)
               ToS=0x00  proto=17  TTL=255  ID=0  offset=0  flags: -|-|-
               len=49664(correct)  checksum=0x2e8d(correct)
          TCP: 83 bytes segment size (including TCP header)
               SP=0 (norange) (not random), DP=0 (norange) (not random)
               SQNR=3405691582 (start 0, stop 4294967295, delta 0) --  ACKNR=0 (invalid)
               Flags:  ------------------------SYN----,  reserved field is 00, urgent pointer= 0
               Announced window size= 100
               Offset= 0 (times 32 bit; value is valid), checksum= ffff (valid)
               (No TCP options attached) - 0 bytes defined
          Payload size: 43 bytes
          Frame size: 125 bytes
           1   ff:ff:ff:ff:ff:ff:00:30  05:76:2e:8d:81:00:e0:01  81:00:a0:c8:08:00:45:00  00:67:00:00:00:00:ff:06
          33   fa:e4:c0:a8:00:04:ff:ff  ff:ff:00:00:00:00:ca:fe  ba:be:00:00:00:00:a0:07  00:64:f7:ab:00:00:02:04
          65   05:ac:04:02:08:0a:19:35  90:c3:00:00:00:00:01:03  03:05:54:68:69:73:20:69  73:20:61:20:64:75:6d:6d
          97   79:20:70:61:79:6c:6f:61  64:20:66:6f:72:20:6d:79  20:66:69:72:73:74:20:70  61:63:6b:65:74
         mz#

       If you want to stop one or more packet processes, use the stop
       command. The "emergency stop" is when you use stop all:

         mz# stop all
         Stopping
         [3] PKT0003
         Stopped 1 transmission processe(s)

       The launch command provides a shortcut for commonly used packet
       processes. For example, to behave like an STP-capable bridge we want
       to start a BPDU process with typical parameters:

         mz# launch bpdu
         Allocated new packet sysBPDU at slot 5
         mz# show packet
         Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=UDP, T=TCP
         PktID  PktName             Layers   Proto   Size  State     Device  Delay      Count/CntX
             1  sysARP_servic...    E-----   ARP       60  config    lo      100 msec      1/0 (100%)
             2  Test                E-Q-IT           125  config    eth0    1000 usec  1000/1000 (0%)
             3  PKT0003             E-----   LLDP      36  config    eth0    30 sec       0/12 (0%)
             4  PKT0004             E---I-   IGMP      46  config    eth0    100 msec      0/0 (0%)
             5  sysBPDU             ES----   BPDU      29  active    eth0    2 sec         0/1 (0%)
         5 packets defined, 1 active.

       Now a Configuration BPDU is sent every 2 seconds, claiming to be the
       root bridge (and usually confusing the LAN). Note that only packet 5
       (i.e. the last row) is active and therefore sending packets, while
       all other packets are in state config (i.e. they have been
       configured but they are not doing anything at the moment).
609   Configuring a greater interval:
610       Sometimes  you  may want to send a burst of packets at a greater inter‐
611       val:
612
613         mz(config)# packet 2
614         Modify packet parameters for packet Test [2]
615         mz(config-pkt-2)# interval
616         Configure a greater packet interval in days, hours, minutes, or  sec‐
617       onds
618         Arguments: <value>  <days | hours | minutes | seconds>
619         Use a zero value to disable an interval.
620         mz(config-pkt-2)# interval 1 hour
621         mz(config-pkt-2)# count 10
622         mz(config-pkt-2)# delay 15 usec
623         Inter-packet delay set to 0 sec and 15000 nsec
624
625       Now  this  packet  is  sent  ten times with an inter-packet delay of 15
626       microseconds and this is repeated every hour.  When  you  look  at  the
627       packet list, an interval is indicated with the additional flag 'i' when
628       inactive or 'I' when active:
629
630         mz# show packet
631         Packet   layer   flags:   E=Ethernet,   S=SNAP,   Q=802.1Q,   M=MPLS,
632       I/i=IP/delivery_off, U=UDP, T=TCP
633         PktID   PktName            Layers   Proto     Size  State      Device
634       Delay       Count/CntX
635             1   sysARP_servic...   E-----   ARP         60    config       lo
636       100 msec        1/0 (100%)
637             2    Test               E-Q-IT             125   config-i    eth0
638       15 usec       10/10 (0%)
639             3   PKT0003            E-----   LLDP        36   config      eth0
640       30 sec        0/12 (0%)
641             4   PKT0004            E---I-   IGMP        46   config      eth0
642       100 msec        0/0 (0%)
643             5   sysBPDU            ES----   BPDU        29   active      eth0
644       2 sec        0/251 (0%)
645         5 packets defined, 1 active.
         mz# start slot 2
         Activate [2]
         mz# show packet
         Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=UDP, T=TCP
         PktID  PktName           Layers   Proto   Size   State      Device   Delay      Count/CntX
             1  sysARP_servic...  E-----   ARP       60   config     lo       100 msec    1/0 (100%)
             2  Test              E-Q-IT           125   config+I   eth0     15 usec    10/0 (100%)
             3  PKT0003           E-----   LLDP      36   config     eth0     30 sec      0/12 (0%)
             4  PKT0004           E---I-   IGMP      46   config     eth0     100 msec    0/0 (0%)
             5  sysBPDU           ES----   BPDU      29   active     eth0     2 sec       0/256 (0%)
         5 packets defined, 1 active.
664
       Note that the flag 'I' indicates that an interval has been specified
       and armed for packet 2. The transmission process itself is not running
       at the moment (only packet 5 is active here) but it will be started
       automatically at every interval. You can verify the actual interval in
       the packet details via the 'show packet 2' command.
670
671   Load prepared configurations:
672       You can prepare packet configurations using the same  commands  as  you
673       would  type them in on the CLI and then load them to the CLI. For exam‐
674       ple, assume we have prepared a file 'test.mops' containing:
675
676         configure terminal
677         packet
678         name IGMP_TEST
679         desc This is only a demonstration how to load a file to mops
680         type igmp
681
682       Then we can add this packet configuration to our packet list using  the
683       load command:
684
         mz# load test.mops
         Read commands from test.mops...
         Allocated new packet PKT0002 at slot 2
         mz# show packet
         Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=UDP, T=TCP
         PktID  PktName           Layers   Proto   Size   State      Device   Delay      Count/CntX
             1  sysARP_servic...  E-----   ARP       60   config     lo       100 msec    1/0 (100%)
             2  IGMP_TEST         E---I-   IGMP      46   config     eth0     100 msec    0/0 (0%)
         2 packets defined, 0 active.
698
       The file src/examples/mausezahn/example_lldp.conf contains another
       example list of commands to create a bogus LLDP packet. You can load
       this configuration from the mausezahn command line as follows
       (assuming you copied the file to that path):

         mz# load /home/hh/tmp/example_lldp.conf

       When you now enter 'show packet' you will see a new packet entry in
       the packet list. Use the 'start slot <nr>' command to activate this
       packet.
708
709       You  can store your own packet creations in such a file and easily load
710       them when you need them. Every command within such configuration  files
711       is  executed on the command line interface as if you had typed it in --
712       so be careful about the order and don't forget to use 'configure termi‐
713       nal' as first command.
714
715       You can even load other files from within a central config file.
716

DIRECT MODE HOWTO

718   How to specify hexadecimal digits:
719       Many  arguments  allow  direct byte input. Bytes are represented as two
720       hexadecimal digits. Multiple bytes must be separated either by  spaces,
721       colons,  or  dashes  - whichever you prefer. The following byte strings
722       are equivalent:
723
724         "aa:bb cc-dd-ee ff 01 02 03-04 05"
725         "aa bb cc dd ee ff:01:02:03:04 05"
726
727       To begin with, you may  want  to  send  an  arbitrary  fancy  (possibly
728       invalid) frame right through your network card:
729
730         mausezahn ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:08:00:ca:fe:ba:be
731
732        or equivalent but more readable:
733
734         mausezahn ff:ff:ff:ff:ff:ff-ff:ff:ff:ff:ff:ff-08:00-ca:fe:ba:be
735
736   Basic operations:
737       All  major  command  line options are listed when you execute mausezahn
738       without arguments. For practical usage, keep the following special (not
739       so widely known) options in mind:
740
         -r                    Multiplies the specified delay with a random value.
         -p <length>           Pad the raw frame to the specified length (the
                               padding byte used is described under 'Direct link
                               access' and 'Layer 3-7' below).
         -P <ASCII Payload>    Use the specified ASCII payload.
         -f <filename>         Read the ASCII payload from a file.
         -F <filename>         Read the hexadecimal payload from a file.
         -S                    Simulation mode: DOES NOT put anything on the wire.
                               This is typically combined with one of the verbose
                               modes (-v or -V).
753
754       Many  options  require  a  keyword  or a number but the -t option is an
755       exception since it requires both a packet type (such as ip,  udp,  dns,
756       etc)  and  an  argument  string which is specific for that packet type.
757       Here are some simple examples:
758
759         mausezahn -t help
760         mausezahn -t tcp help
761         mausezahn eth3 -t udp sp=69,dp=69,p=ca:fe:ba:be
762
       Note: Don't forget that on the CLI the Linux shell (usually the Bash)
       interprets spaces as a delimiting character. That is, if you are
       specifying an argument that consists of multiple words with spaces in
       between, you MUST group these within quotes. For example, instead of

         mausezahn eth0 -t udp sp=1, dp=80, p=00:11:22:33

       you could either omit the spaces

         mausezahn eth0 -t udp sp=1,dp=80,p=00:11:22:33

       or, for greater safety, use quotes:

         mausezahn eth0 -t udp "sp=1, dp=80, p=00:11:22:33"
777
778       In  order  to  monitor what's going on, you can enable the verbose mode
779       using the -v option. The opposite is the quiet  mode  (-q)  which  will
780       keep  mausezahn  absolutely  quiet (except for error messages and warn‐
781       ings.)
782
783       Don't confuse the payload argument p=... with the  padding  option  -p.
784       The latter is used outside the quotes!
785
786   The automatic packet builder:
787       An  important  argument is -t which invokes a packet builder. Currently
788       there are packet builders for ARP, BPDU, CDP,  IP,  partly  ICMP,  UDP,
789       TCP, RTP, DNS, and SYSLOG. (Additionally you can insert a VLAN tag or a
790       MPLS label stack but this works independently of the packet builder.)
791
792       You get context specific help for every packet builder using  the  help
793       keyword, such as:
794
795         mausezahn -t bpdu help
796         mausezahn -t tcp help
797
798       For  every packet you may specify an optional payload. This can be done
799       either via hexadecimal notation using the payload (or short p) argument
800       or directly as ASCII text using the -P option:
801
         mausezahn eth0 -t ip -P "Hello World"                        # ASCII payload
         mausezahn eth0 -t ip p=68:65:6c:6c:6f:20:77:6f:72:6c:64      # hex payload
         mausezahn eth0 -t ip "proto=89,                           \
                               p=68:65:6c:6c:6f:20:77:6f:72:6c:64,  \   # same with other
                               ttl=1"                                    # IP arguments
811
812       Note:  The  raw  link  access  mode  only  accepts hexadecimal payloads
813       (because you specify everything in hexadecimal here.)
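       The flexible byte-string syntax (spaces, colons and dashes as
       interchangeable separators) and the ASCII-versus-hex payload
       equivalence described above are easy to get wrong when you script
       mausezahn invocations. The following Python helpers are an added
       example and not part of mausezahn or of this man page: they parse a
       byte string the way the text describes it, convert an ASCII payload
       into the colon-separated hex that the p= argument and the raw link
       access mode expect, and split a raw frame into its Ethernet fields.
       The frame split assumes a plain untagged Ethernet II header (6-byte
       destination, 6-byte source, 2-byte type); the hex and ASCII values
       used are the man page's own examples.

```python
import re

# Whitespace, ':' and '-' are interchangeable separators in mausezahn byte strings.
_SEP = re.compile(r"[\s:\-]+")


def parse_mz_hex(text: str) -> bytes:
    """Parse a mausezahn-style byte string such as "aa:bb cc-dd-ee ff 01".

    Separators may be mixed freely; every byte must be exactly two hex
    digits, anything else is rejected rather than silently truncated.
    """
    out = bytearray()
    for token in _SEP.split(text.strip()):
        if not token:
            continue
        if len(token) != 2 or any(c not in "0123456789abcdefABCDEF" for c in token):
            raise ValueError(f"bad byte token {token!r}: expected two hex digits")
        out.append(int(token, 16))
    return bytes(out)


def to_mz_hex(data: bytes) -> str:
    """Render bytes as colon-separated hex, the form used by the p= argument."""
    return ":".join(f"{b:02x}" for b in data)


def ascii_payload_to_hex(text: str) -> str:
    """Equivalent of -P "<text>" for places that only accept hex (raw link mode)."""
    return to_mz_hex(text.encode("ascii"))


def split_ethernet(frame: bytes) -> dict:
    """Split a raw, untagged Ethernet II frame into dst, src, type and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    return {
        "dst": to_mz_hex(frame[0:6]),
        "src": to_mz_hex(frame[6:12]),
        "type": int.from_bytes(frame[12:14], "big"),
        "payload": frame[14:],
    }


if __name__ == "__main__":
    # The broadcast frame from the 'How to specify hexadecimal digits' section.
    frame = parse_mz_hex("ff:ff:ff:ff:ff:ff-ff:ff:ff:ff:ff:ff-08:00-ca:fe:ba:be")
    print(split_ethernet(frame))
    print("p=" + ascii_payload_to_hex("hello world"))
```

       The converter is handy when a payload must go through the raw link
       access mode, which, as noted above, accepts hexadecimal only.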
814
815   Packet count and delay:
816       By default only one packet is sent. If you want to  send  more  packets
817       then use the count option -c <count>. When count is zero then mausezahn
818       will send forever. By default, mausezahn sends at  maximum  speed  (and
819       this  is  really fast ;-)). If you don't want to overwhelm your network
820       devices or have other reasons to send at a slower rate then  you  might
821       want to specify a delay using the -d <delay> option.
822
823       If  you  only  specify a numeric value it is interpreted in microsecond
824       units.  Alternatively, for easier use, you might specify units such  as
825       seconds, sec, milliseconds, or msec. (You can also abbreviate this with
826       s or m.)  Note: Don't use spaces between the value and the  unit!  Here
827       are typical examples:
828
829       Send an infinite number of frames as fast as possible:
830
831         mausezahn -c 0  "aa bb cc dd ...."
832
833       Send 100,000 frames with a 50 msec interval:
834
835         mausezahn -c 100000 -d 50msec "aa bb cc dd ...."
836
837       Send an unlimited number of BPDU frames in a 2 second interval:
838
839         mausezahn -c 0 -d 2s -t bpdu conf
840
841       Note:  mausezahn  does  not  support fractional numbers. If you want to
842       specify for example 2.5 seconds then express this in milliseconds (2500
843       msec).
844
845   Source and destination addresses:
846       As  a mnemonic trick keep in mind that all packets run from "A" to "B".
847       You can always specify source and destination MAC addresses  using  the
848       -a and -b options, respectively. These options also allow keywords such
849       as rand, own, bpdu, cisco, and others.
850
851       Similarly, you can specify source and destination  IP  addresses  using
852       the  -A  and -B options, respectively. These options also support FQDNs
853       (i.e.  domain   names)   and   ranges   such   as   192.168.0.0/24   or
854       10.0.0.11-10.0.3.22.  Additionally,  the source address option supports
855       the rand keyword (ideal for "attacks").
856
857       Note: When you use the packet builder for IP-based packets (e.g. UDP or
858       TCP)  then  mausezahn  automatically  cares  about  correct  MAC and IP
859       addresses (i.e.  it performs ARP, DHCP, and DNS for you). But when  you
860       specify  at  least  a single link-layer address (or any other L2 option
861       such as a VLAN tag or MPLS header) then ARP is disabled  and  you  must
862       care for the Ethernet destination address for yourself.
863
864   Layer-2:
865   `-- Direct link access:
866       mausezahn  allows  you to send ANY chain of bytes directly through your
867       Ethernet interface:
868
869         mausezahn    eth0    "ff:ff:ff:ff:ff:ff    ff:ff:ff:ff:ff:ff    00:00
870       ca:fe:ba:be"
871
872       This  way  you  can  craft  every packet you want but you must do it by
873       hand. Note: On Wi-Fi interfaces the header is much more complicated and
874       automatically  created  by the Wi-Fi driver. As an example to introduce
875       some interesting options, lets continuously send frames  at  max  speed
876       with random source MAC address and broadcast destination address, addi‐
877       tionally pad the frame to 1000 bytes:
878
879         mausezahn eth0 -c 0 -a rand -b bcast -p 1000 "08 00 aa bb cc dd"
880
881       The direct link access supports automatic padding using the  -p  <total
882       frame  length>  option.  This  allows  you to pad a raw L2 frame to the
883       desired length.  You must specify the total length, and the total frame
884       length  must  have  at least 15 bytes for technical reasons. Zero bytes
885       are used for padding.
886
887   `-- ARP:
888       mausezahn provides a simple interface to the ARP packet. You can  spec‐
889       ify the ARP method (request|reply) and up to four arguments: sendermac,
890       targetmac, senderip, targetip,  or  short  smac,  tmac,  sip,  tip.  By
891       default,  an  ARP  reply  is  sent with your own interface addresses as
892       source MAC and IP address, and  a  broadcast  destination  MAC  and  IP
893       address.  Send  a  gratuitous  ARP  request  (as  used for duplicate IP
894       address detection):
895
896         mausezahn eth0 -t arp
897
898       ARP cache poisoning:
899
         mausezahn eth0 -t arp "reply, senderip=192.168.0.1, targetmac=00:00:0c:01:02:03, \
                                targetip=172.16.1.50"

       where by default your interface MAC address will be used as sendermac,
       senderip denotes the spoofed IP address, and targetmac and targetip
       identify the receiver. By default, the Ethernet source address is your
       interface MAC and the destination address is the broadcast address; for
       a poisoning attempt aimed at a single host you will usually want the
       victim's MAC as Ethernet destination instead. You can change both using
       the flags -a and -b.
909
910   `-- BPDU:
911       mausezahn  provides  a simple interface to the 802.1D BPDU frame format
912       (used to create the Spanning Tree in  bridged  networks).  By  default,
913       standard  IEEE  802.1D  BPDUs are sent and it is assumed that your com‐
914       puter wants to become the root bridge (rid=bid). Optionally  the  802.3
915       destination address can be a specified MAC address, broadcast, own MAC,
       or Cisco's PVST+ MAC address. The destination MAC can be specified
       using the -b option which, besides MAC addresses, accepts keywords
       such as bcast, own, pvst, or stp (default). PVST+ is supported as well:
       simply specify the VLAN for which you want to send a BPDU:
920
921         mausezahn eth0 -t bpdu "vlan=123, rid=2000"
922
923       See mausezahn -t bpdu help for more details.
924
925   `-- CDP:
926       mausezahn  can  send Cisco Discovery Protocol (CDP) messages since this
927       protocol has security relevance. Of course lots  of  dirty  tricks  are
928       possible; for example arbitrary TLVs can be created (using the hex-pay‐
929       load argument for example p=00:0e:00:07:01:01:90) and if  you  want  to
930       stress  the  CDP  database  of some device, mausezahn can send each CDP
931       message with another system-id using the change keyword:
932
933         mausezahn -t cdp change -c 0
934
935       Some routers and switches may run into deep problems ;-) See  mausezahn
936       -t cdp help for more details.
937
938   `-- 802.1Q VLAN Tags:
939       mausezahn  allows  simple  VLAN tagging for IP (and other higher layer)
940       packets.  Simply use the option -Q <[CoS:]VLAN>, such as -Q  10  or  -Q
941       3:921.  By  default  CoS=0.  For  example send a TCP packet in VLAN 500
942       using CoS=7:
943
944         mausezahn eth0 -t tcp -Q 7:500 "dp=80, flags=rst, p=aa:aa:aa"
945
946       You can create as many VLAN tags as you want! This  is  interesting  to
947       create QinQ encapsulations or VLAN hopping: Send a UDP packet with VLAN
948       tags 100 (outer) and 651 (inner):
949
         mausezahn eth0 -t udp "dp=8888, sp=13442" -P "Mausezahn is great" -Q 100,651
952
953       Don't know if this is useful anywhere but at least it is possible:
954
955         mausezahn eth0 -t udp "dp=8888, sp=13442" -P "Mausezahn is great"  \
956                        -Q 6:5,7:732,5:331,5,6
957
958       Mix it with MPLS:
959
         mausezahn eth0 -t udp "dp=8888, sp=13442" -P "Mausezahn is great" -Q 100,651 -M 314
962
963       When in raw Layer 2 mode you must create the  VLAN  tag  completely  by
964       yourself.   For example if you want to send a frame in VLAN 5 using CoS
965       0 simply specify 81:00 as type field and for the next two bytes the CoS
966       (PCP), DEI (CFI), and VLAN ID values (all together known as TCI):
967
         mausezahn eth0 -b bc -a rand "81:00 00:05 08:00 aa-aa-aa-aa-aa-aa-aa-aa-aa"
970
971   `-- MPLS labels:
972       mausezahn allows you to insert one or more MPLS headers. Simply use the
973       option -M <label:CoS:TTL:BoS> where only the label is mandatory. If you
974       specify a second number it is interpreted as the experimental bits (the
975       CoS  usually).  If you specify a third number it is interpreted as TTL.
976       By default the TTL is set to 255. The Bottom of Stack flag is set auto‐
977       matically,  otherwise  the  frame would be invalid, but if you want you
978       can also set or unset it using the S (set) and s (unset) argument. Note
979       that  the BoS must be the last argument in each MPLS header definition.
980       Here are some examples:
981
982       Use MPLS label 214:
983
984         mausezahn eth0 -M 214 -t tcp "dp=80" -P "HTTP..." -B myhost.com
985
986       Use three labels (the 214 is now the outer):
987
         mausezahn eth0 -M 9999,51,214 -t tcp "dp=80" -P "HTTP..." -B myhost.com
990
991       Use two labels, one with CoS=5 and TTL=1, the other with CoS=7:
992
         mausezahn eth0 -M 100:5:1,500:7 -t tcp "dp=80" -P "HTTP..." -B myhost.com
995
996       Unset the BoS flag (which will result in an invalid frame):
997
998         mausezahn eth0 -M 214:s -t tcp "dp=80" -P "HTTP..." -B myhost.com
999
1000   Layer 3-7:
1001       IP, UDP, and TCP packets can be padded using the -p  option.  Currently
1002       0x42 is used as padding byte ('the answer'). You cannot pad DNS packets
1003       (would be useless anyway).
1004
1005   `-- IP:
1006       mausezahn allows you to send any malformed or correct IP packet.  Every
1007       field  in  the  IP  header  can be manipulated. The IP addresses can be
1008       specified via the -A and -B options, denoting the source  and  destina‐
1009       tion  address, respectively. You can also specify an address range or a
1010       host name (FQDN).  Additionally, the source address can also be random.
1011       By default the source address is your interface IP address and the des‐
1012       tination address is a broadcast address. Here are some examples:
1013
1014       ASCII payload:
1015
1016         mausezahn eth0 -t ip -A rand -B 192.168.1.0/24  -P "hello world"
1017
1018       Hexadecimal payload:
1019
         mausezahn eth0 -t ip -A 10.1.0.1-10.1.255.254 -B 255.255.255.255 p=ca:fe:ba:be
1022
1023       Will use correct source IP address:
1024
1025         mausezahn eth0 -t ip -B www.xyz.com
1026
       The Type of Service (ToS) byte can either be specified directly as two
       hexadecimal digits, which also lets you set the Explicit Congestion
       Notification (ECN) bits (the two least significant bits), or you may
       only want to specify a common DSCP value (the upper six bits) using a
       decimal number (0..63):
1032
1033       Packet sent with DSCP = Expedited Forwarding (EF):
1034
1035         mausezahn eth0 -t ip dscp=46,ttl=1,proto=1,p=08:00:5a:a2:de:ad:be:af
1036
1037       If you leave the checksum as zero (or unspecified) the correct checksum
1038       will be automatically computed. Note that you  can  only  use  a  wrong
1039       checksum when you also specify at least one L2 field manually.
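       To see what mausezahn fills in for you when you give dscp=46 and leave
       the checksum at zero, the following Python code, an added example that
       is not part of the netsniff-ng code base, derives the ToS byte from
       DSCP and ECN bits, builds the IPv4 header for the packet above and
       computes the RFC 1071 one's-complement checksum the same way a
       receiving stack verifies it. The source address 192.168.1.10 and the
       identification value 0 are assumptions of this example; the
       destination is the broadcast address the man page names as default.

```python
import socket
import struct


def tos_byte(dscp: int, ecn: int = 0) -> int:
    """ToS byte: DSCP in the upper six bits, ECN in the two low bits."""
    if not (0 <= dscp <= 63 and 0 <= ecn <= 3):
        raise ValueError("dscp must be 0..63 and ecn 0..3")
    return (dscp << 2) | ecn


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum of the header's 16-bit words.
    Call it with the checksum field zeroed to compute the checksum; calling it
    on a header that already carries a correct checksum yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                      ttl: int = 64, dscp: int = 0, ecn: int = 0,
                      ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options, no fragmentation) with the
    checksum filled in, as mausezahn does when sum is left at zero."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45,                 # version 4, IHL 5 words
                      tos_byte(dscp, ecn),
                      20 + payload_len,     # total length
                      ident,
                      0,                    # flags / fragment offset
                      ttl, proto,
                      0,                    # checksum placeholder
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def checksum_is_valid(header: bytes) -> bool:
    """What a receiving stack does: re-sum including the checksum field."""
    return ipv4_checksum(header) == 0


def mz_hex(data: bytes) -> str:
    return ":".join(f"{b:02x}" for b in data)


if __name__ == "__main__":
    # The example above: dscp=46, ttl=1, proto=1 and an 8-byte hex payload.
    # 192.168.1.10 is an assumed interface address (not from the man page).
    payload = bytes.fromhex("08005aa2deadbeaf")
    hdr = build_ipv4_header("192.168.1.10", "255.255.255.255", proto=1,
                            payload_len=len(payload), ttl=1, dscp=46)
    print(mz_hex(hdr + payload))
```

       Feeding the printed bytes through the raw link access mode (prefixed
       with an Ethernet header) reproduces the packet; corrupting any header
       byte makes checksum_is_valid() fail, which is why a deliberately wrong
       checksum can only be sent when mausezahn builds the packet itself.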
1040
1041   `-- UDP:
1042       mausezahn  supports  easy  UDP  datagram generation. Simply specify the
1043       destination address (-B option)  and  optionally  an  arbitrary  source
1044       address  (-A  option) and as arguments you may specify the port numbers
1045       using the dp (destination port) and sp (source port)  arguments  and  a
1046       payload.  You  can  also  easily  specify a whole port range which will
1047       result in sending multiple packets. Here are some examples:
1048
1049       Send test packets to the RTP port range:
1050
1051         mausezahn eth0 -B 192.168.1.1 -t udp "dp=16384-32767, \
1052                          p=A1:00:CC:00:00:AB:CD:EE:EE:DD:DD:00"
1053
1054       Send a DNS request as local broadcast (often a local router replies):
1055
         mausezahn eth0 -t udp "dp=53, p=c5-2f-01-00-00-01-00-00-00-00-00-00-03-77-77-\
                                77-03-78-79-7a-03-63-6f-6d-00-00-01-00-01"
1059
1060       Additionally you may specify the length and checksum using the len  and
1061       sum  arguments (will be set correctly by default). Note: several proto‐
1062       cols have same arguments such as len (length) and  sum  (checksum).  If
1063       you  specified a UDP type packet (via -t udp) and want to modify the IP
1064       length, then use the alternate keyword iplen and ipsum. Also note  that
1065       you  must  specify at least one L2 field which tells mausezahn to build
1066       everything without the help of your kernel (the kernel would not  allow
1067       modifying the IP checksum and the IP length).
1068
1069   `-- ICMP:
1070       mausezahn  currently  only  supports  the  following ICMP methods: PING
1071       (echo request), Redirect (various types), Unreachable (various  types).
1072       Additional  ICMP types will be supported in future. Currently you would
1073       need to tailor them by yourself, e.g. using the IP packet builder (set‐
1074       ting  proto=1).  Use  the  mausezahn -t icmp help for help on currently
1075       implemented options.
1076
1077   `-- TCP:
1078       mausezahn allows you to easily tailor any TCP packet. Similarly as with
1079       UDP  you  can specify source and destination port (ranges) using the sp
1080       and dp arguments.  Then you can  directly  specify  the  desired  flags
1081       using  an  "|"  as delimiter if you want to specify multiple flags. For
1082       example, a SYN-Flood attack against host 1.1.1.1 using a random  source
1083       IP  address  and  periodically using all 1023 well-known ports could be
1084       created via:
1085
         mausezahn eth0 -A rand -B 1.1.1.1 -c 0 -t tcp "dp=1-1023, flags=syn" \
                        -P "Good morning! This is a SYN Flood Attack. \
                            We apologize for any inconvenience."
1091
1092       Be careful with such SYN floods and only use them for firewall testing.
1093       Check  your  legal position! Remember that a host with an open TCP ses‐
1094       sion only accepts packets with correct  socket  information  (addresses
1095       and ports) and a valid TCP sequence number (SQNR). If you want to try a
1096       DoS attack by sending a RST-flood and you do NOT know the target's ini‐
1097       tial  SQNR  (which  is  normally  the  case) then you may want to sweep
1098       through a range of sequence numbers:
1099
1100         mausezahn eth0 -A legal.host.com -B target.host.com \
1101                        -t tcp "sp=80,dp=80,s=1-4294967295"
1102
       Fortunately, the SQNR only has to fall within the target host's receive
       window, i.e. between its acknowledgement number and that number plus
       the announced window size. Since the typical window size is something
       between 40000 and 65535 you are MUCH quicker when using an increment
       via the ds argument:

         mausezahn eth0 -A legal.host.com -B target.host.com \
                        -t tcp "sp=80, dp=80, s=1-4294967295, ds=40000"

       In the latter case mausezahn will only send 107375 packets instead of
       4294967295 (which results in a duration of approximately 1 second
       compared to 11 hours!). Note that stacks implementing RFC 5961 answer
       an in-window RST whose sequence number is not exactly the next expected
       one with a challenge ACK instead of tearing the connection down, so
       such a sweep is far less effective against them. Of course you can
       tailor any TCP packet you like.
1114       As with other L4 protocols mausezahn builds a correct IP header but you
1115       can  additionally access every field in the IP packet (also in the Eth‐
1116       ernet frame).
1117
1118   `-- DNS:
1119       mausezahn supports UDP-based DNS requests or responses.  Typically  you
1120       may  want  to send a query or an answer. As usual, you can modify every
1121       flag in the header.  Here is an example of a simple query:
1122
1123         mausezahn eth0 -B mydns-server.com -t dns "q=www.ibm.com"
1124
1125       You can also create server-type messages:
1126
         mausezahn eth0 -A spoofed.dns-server.com -B target.host.com \
                        -t dns "q=www.topsecret.com, a=172.16.1.1"
1129
1130       The syntax according to the online help (-t dns help) is:
1131
         query|q  = <name>[:<type>]             where type is per default "A"
                                                (and class is always "IN")
         answer|a = [<type>:<ttl>:]<rdata>      ttl is per default 0.
                  = [<type>:<ttl>:]<rdata>/[<type>:<ttl>:]<rdata>/...
1137
1138       Note:  If  you only use the 'query' option then a query is sent. If you
1139       additionally add an 'answer' then an answer is sent. Examples:
1140
1141         q = www.xyz.com
1142         q = www.xyz.com, a=192.168.1.10
1143         q = www.xyz.com, a=A:3600:192.168.1.10
1144         q = www.xyz.com, a=CNAME:3600:abc.com/A:3600:192.168.1.10
1145
1146       Please try out mausezahn -t dns help to see  the  many  other  optional
1147       command line options.
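       The raw UDP example under 'UDP' above is a hand-encoded DNS query for
       www.xyz.com, and the q= / a= syntax of the DNS builder produces the
       same kind of message. The following Python code is an added example,
       not part of mausezahn: it assembles a DNS query and a DNS response with
       A and CNAME records (uncompressed names, class IN, no EDNS) so that such
       payloads can be produced or checked byte by byte. The transaction ID
       0xc52f is taken from the hex payload on this page, the names and
       records are the man page's own examples, and the response flags
       (QR, RD, RA set, RCODE 0) are this example's choice.

```python
import socket
import struct

# Record types this example understands (the man page's examples use A and CNAME).
QTYPE = {"A": 1, "CNAME": 5}
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte
    (no message compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dns_query(name: str, qtype: str = "A", txid: int = 0, rd: bool = True) -> bytes:
    """Standard query: 12-byte header with QDCOUNT=1, then one question."""
    flags = 0x0100 if rd else 0                 # only the RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], CLASS_IN)


def _rr(owner: str, rtype: str, ttl: int, rdata: str) -> bytes:
    """One resource record for the answer section."""
    if rtype == "A":
        data = socket.inet_aton(rdata)
    elif rtype == "CNAME":
        data = encode_name(rdata)
    else:
        raise ValueError(f"unsupported record type {rtype!r}")
    return encode_name(owner) + struct.pack("!HHIH", QTYPE[rtype], CLASS_IN, ttl, len(data)) + data


def dns_response(qname: str, answers: str, txid: int = 0, qtype: str = "A") -> bytes:
    """Response echoing the question. 'answers' follows the man page's a=
    syntax [<type>:<ttl>:]<rdata>[/[<type>:<ttl>:]<rdata>...], with type
    defaulting to A and ttl to 0. After a CNAME, the following records are
    owned by the canonical name, as in a real chained answer."""
    rrs = []
    owner = qname
    for item in answers.split("/"):
        fields = item.split(":")
        if len(fields) == 1:
            rtype, ttl, rdata = "A", 0, fields[0]
        elif len(fields) == 3:
            rtype, ttl, rdata = fields[0].upper(), int(fields[1]), fields[2]
        else:
            raise ValueError(f"bad answer item {item!r}")
        rrs.append(_rr(owner, rtype, ttl, rdata))
        if rtype == "CNAME":
            owner = rdata
    flags = 0x8180                               # QR=1, RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, flags, 1, len(rrs), 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE[qtype], CLASS_IN) + b"".join(rrs)


def mz_hex(data: bytes, sep: str = ":") -> str:
    """Render as a mausezahn byte string (sep='-' matches the UDP example above)."""
    return sep.join(f"{b:02x}" for b in data)


if __name__ == "__main__":
    print("p=" + mz_hex(dns_query("www.xyz.com", txid=0xC52F), "-"))
    print("p=" + mz_hex(dns_response("www.xyz.com", "CNAME:3600:abc.com/A:3600:192.168.1.10")))
```

       The first line printed is byte-for-byte the payload of the 'local
       broadcast' UDP example, which shows what -t dns "q=www.xyz.com" saves
       you from typing.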
1148
1149   `-- RTP and VoIP path measurements:
1150       mausezahn  can  send  arbitrary  Real  Time  Protocol (RTP) packets. By
1151       default a classical G.711 codec packet of 20 ms segment  size  and  160
1152       bytes  is  assumed. You can measure jitter, packet loss, and reordering
1153       along a path between two hosts running mausezahn. The  jitter  measure‐
1154       ment is either done following the variance low-pass filtered estimation
1155       specified in RFC 3550 or using an alternative "real-time" method  which
1156       is  even  more precise (the RFC-method is used by default). For example
1157       on Host1 you start a transmission process:
1158
1159         mausezahn -t rtp -B 192.168.1.19
1160
1161       And on Host2 (192.168.1.19) a receiving process which performs the mea‐
1162       surement:
1163
1164         mausezahn -T rtp
1165
1166       Note  that  the  option  flag  with  the capital "T" means that it is a
1167       server RTP process, waiting for incoming RTP packets from any mausezahn
1168       source.  In  case  you  want  to restrict the measurement to a specific
1169       source or you want to perform a  bidirectional  measurement,  you  must
1170       specify a stream identifier.  Here is an example for bidirectional mea‐
1171       surements which logs the running jitter average in a file:
1172
1173         Host1# mausezahn -t rtp id=11:11:11:11 -B 192.168.2.2 &
1174         Host1# mausezahn -T rtp id=22:22:22:22 "log, path=/tmp/mz/"
1175
1176         Host2# mausezahn -t rtp id=22:22:22:22 -B 192.168.1.1 &
1177         Host2# mausezahn -T rtp id=11:11:11:11 "log, path=/tmp/mz/"
1178
1179       In any case the measurements are printed continuously onto the  screen;
1180       by default it looks like this:
1181
         0.00                      0.19                      0.38                      0.57
         |-------------------------|-------------------------|-------------------------|
         #########                                                                       0.07 msec
         ####################                                                            0.14 msec
         ##                                                                              0.02 msec
         ###                                                                             0.02 msec
         #########                                                                       0.07 msec
         ####                                                                            0.03 msec
         #########                                                                       0.07 msec
         #############                                                                   0.10 msec
         ##                                                                              0.02 msec
         ###########################################                                     0.31 msec
         #########                                                                       0.07 msec
         ##############################################                                  0.33 msec
         ###############                                                                 0.11 msec
         ##########                                                                      0.07 msec
         ###############                                                                 0.11 msec
         ##########################################################                      0.42 msec
         #####                                                                           0.04 msec
1219
1220       More information is shown using the txt keyword:
1221
         mausezahn -T rtp txt
         Got 100 packets from host 192.168.0.3: 0 lost (0 absolute lost), 1 out of order
           Jitter_RFC (low pass filtered) = 30 usec
           Samples jitter (min/avg/max)   = 1/186/2527 usec
           Delta-RX (min/avg/max)         = 2010/20167/24805 usec
         Got 100 packets from host 192.168.0.3: 0 lost (0 absolute lost), 1 out of order
           Jitter_RFC (low pass filtered) = 17 usec
           Samples jitter (min/avg/max)   = 1/53/192 usec
           Delta-RX (min/avg/max)         = 20001/20376/20574 usec
         Got 100 packets from host 192.168.0.3: 0 lost (0 absolute lost), 1 out of order
           Jitter_RFC (low pass filtered) = 120 usec
           Samples jitter (min/avg/max)   = 0/91/1683 usec
           Delta-RX (min/avg/max)         = 18673/20378/24822 usec

       See mausezahn -t rtp help and mausezahn -T rtp help for more details.
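       The Jitter_RFC, Samples jitter and Delta-RX figures above are derived
       from the arrival times and the RTP sequence numbers and timestamps of
       the received packets. The following Python code is an added example
       and not mausezahn's receiver code: it implements the RFC 3550
       interarrival jitter estimator (J = J + (|D| - J)/16, where D is the
       difference between the arrival spacing and the RTP timestamp spacing
       of consecutive packets) together with loss and reordering counts from
       the sequence numbers, for the G.711 defaults the text mentions (8 kHz
       clock, 160 samples per 20 ms packet). The six packet records are
       constructed test data, not a capture, and include one reordered and
       one lost packet; all times are in microseconds like the txt output.

```python
from dataclasses import dataclass
from typing import List, Tuple

RTP_CLOCK_HZ = 8000     # G.711 clock: 160 ticks == 20 ms == one packet


@dataclass
class RtpStats:
    received: int
    lost: int
    out_of_order: int
    jitter_rfc_us: float    # RFC 3550 low-pass filtered estimate
    d_min: int              # per-packet |D| samples, usec
    d_avg: float
    d_max: int
    rx_min: int             # inter-arrival delta, usec
    rx_avg: float
    rx_max: int


def rtp_stats(packets: List[Tuple[int, int, int]],
              clock_hz: int = RTP_CLOCK_HZ) -> RtpStats:
    """packets: (sequence number, RTP timestamp in clock ticks, arrival time
    in usec) in the order received. Sequence numbers are 16-bit: a forward
    jump of less than 2**15 is taken as in order (this also handles the wrap
    at 65535), anything else counts as a late or duplicate packet."""
    if len(packets) < 2:
        raise ValueError("need at least two packets")
    us_per_tick = 1_000_000 / clock_hz
    jitter = 0.0
    d_samples, rx_deltas = [], []
    out_of_order = 0
    first_seq = packets[0][0]
    highest_seq = first_seq     # 16-bit number of the newest packet seen
    highest_ext = first_seq     # the same, extended across 16-bit wraps
    _, prev_ts, prev_arr = packets[0]
    for seq, ts, arr in packets[1:]:
        step = (seq - highest_seq) & 0xFFFF
        if step == 0 or step >= 0x8000:
            out_of_order += 1
        else:
            highest_seq, highest_ext = seq, highest_ext + step
        # RFC 3550 6.4.1: D = (R_i - R_prev) - (S_i - S_prev). The estimator
        # runs over consecutive arrivals, so a reordered packet inflates it.
        rx_delta = arr - prev_arr
        d = rx_delta - (ts - prev_ts) * us_per_tick
        jitter += (abs(d) - jitter) / 16
        d_samples.append(abs(int(d)))
        rx_deltas.append(rx_delta)
        prev_ts, prev_arr = ts, arr
    expected = highest_ext - first_seq + 1
    return RtpStats(received=len(packets),
                    lost=max(0, expected - len(packets)),
                    out_of_order=out_of_order,
                    jitter_rfc_us=jitter,
                    d_min=min(d_samples), d_avg=sum(d_samples) / len(d_samples), d_max=max(d_samples),
                    rx_min=min(rx_deltas), rx_avg=sum(rx_deltas) / len(rx_deltas), rx_max=max(rx_deltas))


# Constructed arrival log (not captured data): seq 4 arrives after seq 5,
# and seq 6 never arrives.
SAMPLE = [
    (1,   0, 1_000_000),
    (2, 160, 1_020_000),
    (3, 320, 1_040_500),
    (5, 640, 1_080_000),
    (4, 480, 1_081_000),
    (7, 960, 1_140_000),
]


def report(stats: RtpStats) -> str:
    """Mimic the layout of 'mausezahn -T rtp txt'."""
    return (f"Got {stats.received} packets: {stats.lost} lost, {stats.out_of_order} out of order\n"
            f"  Jitter_RFC (low pass filtered) = {stats.jitter_rfc_us:.0f} usec\n"
            f"  Samples jitter (min/avg/max)   = {stats.d_min}/{stats.d_avg:.0f}/{stats.d_max} usec\n"
            f"  Delta-RX (min/avg/max)         = {stats.rx_min}/{stats.rx_avg:.0f}/{stats.rx_max} usec")


if __name__ == "__main__":
    print(report(rtp_stats(SAMPLE)))
```

       The sample shows why the low-pass filtered value and the raw sample
       maximum differ so much in the output above: a single reordered packet
       produces one huge |D| sample, but the 1/16 gain lets it leak into the
       filtered estimate only gradually.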
1240
1241   `-- Syslog:
       The traditional Syslog protocol (plain UDP without any sender
       authentication) is widely used even in professional networks, so it is
       easy to inject forged Syslog messages by spoofing your source address
       (e.g. impersonate the address of a legitimate network device):

         mausezahn -t syslog sev=3 -P "You have been mausezahned." -A 10.1.1.109 -B 192.168.7.7
1249
1250       See mausezahn -t syslog help for more details.
1251

NOTE

1253       When  multiple  ranges  are specified, e.g. destination port ranges and
1254       destination address ranges, then all possible combinations of ports and
1255       addresses  are  used  for  packet  generation. Furthermore, this can be
1256       mixed with other ranges e.g. a TCP sequence  number  range.  Note  that
1257       combining  ranges  can lead to a very huge number of frames to be sent.
1258       As a rule of thumb you can assume that about 100,000  frames  and  more
1259       are  sent in a fraction of one second, depending on your network inter‐
1260       face.
1261
1262       mausezahn has been designed as a fast traffic generator  so  you  might
1263       easily  overwhelm  a  LAN  segment with myriads of packets. And because
1264       mausezahn could also support security audits it is possible  to  create
1265       malicious  or invalid packets, SYN floods, port and address sweeps, DNS
1266       and ARP poisoning, etc.
1267
       Therefore, don't use this tool when you are not aware of the possible
       consequences or have only little knowledge about networks and data
       communication. If you abuse mausezahn for unauthorised attacks and get
       caught, or damage something of your own, then this is completely your
       fault. So the safest solution is to try it out in a lab environment.
1273
1274       Also have a look at the netsniff-ng(8) note  section  on  how  you  can
1275       properly setup and tune your system.
1276
1278       mausezahn is licensed under the GNU GPL version 2.0.
1279

HISTORY

1281       mausezahn was originally written by Herbert Haas. According to his web‐
1282       site [1], he unfortunately passed away in 2011 thus leaving  this  tool
1283       unmaintained.   It has been adopted and integrated into the netsniff-ng
1284       toolkit and is further being maintained and developed from there. Main‐
1285       tainers  are  Tobias  Klauser <tklauser@distanz.ch> and Daniel Borkmann
1286       <dborkma@tik.ee.ethz.ch>.
1287
1288         [1] http://www.perihel.at/
1289

SEE ALSO

1291       netsniff-ng(8), trafgen(8), ifpps(8),  bpfc(8),  flowtop(8),  astracer‐
1292       oute(8), curvetun(8)
1293

AUTHOR

1295       Manpage was written by Herbert Haas and modified by Daniel Borkmann.
1296

COLOPHON

1298       This  page is part of the Linux netsniff-ng toolkit project. A descrip‐
1299       tion of the project, and information about reporting bugs, can be found
1300       at http://netsniff-ng.org/.
1301
1302
1303
1304Linux                            03 March 2013                    MAUSEZAHN(8)