MAUSEZAHN(8)                  netsniff-ng toolkit                 MAUSEZAHN(8)


NAME

       mausezahn - a fast versatile packet generator with Cisco-cli


SYNOPSIS

       mausezahn { [options] "<arg-string> | <hex-string>" }


DESCRIPTION

       mausezahn is a fast traffic generator which allows you to send nearly
       every possible and impossible packet. In contrast to trafgen(8),
       mausezahn's packet configuration is on a protocol level instead of
       byte level, and mausezahn also comes with a built-in Cisco-like
       command-line interface, making it suitable as a network traffic
       generator box in your network lab.

       Next to network labs, it can also be used as a didactical tool and for
       security audits including penetration and DoS testing. As a traffic
       generator, mausezahn is also able to test IP multicast or VoIP
       networks. Packet rates close to the physical limit are reachable,
       depending on the hardware platform.

       mausezahn supports two modes, ''direct mode'' and a multi-threaded
       ''interactive mode''.

       The ''direct mode'' allows you to create a packet directly on the
       command line; every packet parameter is specified in the argument list
       when calling mausezahn.

       The ''interactive mode'' is an advanced multi-threaded configuration
       mode with its own command line interface (CLI). This mode allows you
       to create an arbitrary number of packet types and streams in parallel,
       each with different parameters.

       The interactive mode utilizes a completely redesigned and more flexible
       protocol framework called ''mops'' (mausezahn's own packet system). The
       look and feel of the CLI is very close to the Cisco IOS(tm) command
       line interface.

       You can start the interactive mode by executing mausezahn with the
       ''-x'' argument (an optional port number may follow, otherwise it is
       25542). Then use telnet(1) to connect to this mausezahn instance. If
       not otherwise specified, the default login and password combination is
       mz:mz and the enable password is mops. This can be changed in
       /etc/netsniff-ng/mausezahn.conf.

       The direct mode supports two specification schemes: the ''raw-layer-2''
       scheme, where every single byte to be sent can be specified, and the
       ''higher-layer'' scheme, where packet builder interfaces are used
       (using the ''-t'' option).

       To use the ''raw-layer-2'' scheme, simply specify the desired frame as
       a hexadecimal sequence (the ''hex-string''), such as:

         mausezahn eth0 "00:ab:cd:ef:00 00:00:00:00:00:01 08:00 ca:fe:ba:be"

       In this example, whitespaces within the byte string are optional and
       separate the Ethernet fields (destination and source address, type
       field, and a short payload). The only additional options supported are
       ''-a'', ''-b'', ''-c'', and ''-p''. The frame length must be greater
       than or equal to 15 bytes.

       The ''higher-layer'' scheme is enabled using the ''-t <packet-type>''
       option. This option activates a packet builder, and besides the
       ''packet-type'', an optional ''arg-string'' can be specified. The
       ''arg-string'' contains packet-specific parameters, such as TCP flags,
       port numbers, etc. (see example section).

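       The check below is an added example and not part of mausezahn: it
       normalizes a raw-layer-2 hex-string as the text describes (whitespace
       and colons are separators only), enforces the 15-byte minimum, and
       shows where the destination, source, type and payload fields fall. It
       assumes the bytes are sliced by position once separators are dropped,
       which is what optional whitespace implies.

```shell
#!/bin/sh
# Added example (not mausezahn's own code): sanity-check a direct-mode
# raw-layer-2 hex-string before handing it to "mausezahn <dev> '<hex>'".
# Assumption: whitespace and ':' are separators only, so field boundaries
# are decided by byte position; the minimum frame length is 15 bytes.

# Drop whitespace and colons and lowercase -> bare hex digits.
mz_hex_normalize() {
    printf '%s' "$1" | tr -d ' \t\n:' | tr 'A-F' 'a-f'
}

# Print the byte count and return 0 for a usable raw frame; otherwise
# return 1 with the reason on stderr.
mz_hex_check() {
    hex=$(mz_hex_normalize "$1")
    case "$hex" in
        ''|*[!0-9a-f]*) echo "not a hex string" >&2; return 1 ;;
    esac
    len=${#hex}
    if [ $((len % 2)) -ne 0 ]; then
        echo "odd number of hex digits ($len)" >&2; return 1
    fi
    bytes=$((len / 2))
    if [ "$bytes" -lt 15 ]; then
        echo "frame too short: $bytes bytes, need >= 15" >&2; return 1
    fi
    echo "$bytes"
}

# Show how the bytes split positionally: dst(6) src(6) type(2) payload.
mz_hex_fields() {
    mz_hex_check "$1" >/dev/null || return 1
    hex=$(mz_hex_normalize "$1")
    dst=$(printf '%s' "$hex" | cut -c1-12)
    src=$(printf '%s' "$hex" | cut -c13-24)
    typ=$(printf '%s' "$hex" | cut -c25-28)
    pay=$(printf '%s' "$hex" | cut -c29-)
    printf 'dst=%s src=%s type=%s payload=%s\n' "$dst" "$src" "$typ" "$pay"
}

# Constructed 18-byte frame with six-byte addresses, EtherType 0x0800.
mz_hex_fields '00:ab:cd:ef:00:01 00:00:00:00:00:01 08:00 ca:fe:ba:be'
```

       Run on the man page's own example string, it reports a 17-byte frame
       whose first group holds only five bytes, so positional slicing moves
       the field boundaries by one byte; that is the kind of detail worth
       verifying before putting a hand-built frame on the wire.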

OPTIONS

       mausezahn provides a built-in context-specific help. Append the keyword
       ''help'' after the configuration options. The most important options
       are:

   -x [<port>]
       Start mausezahn in interactive mode with a Cisco-like CLI. Use telnet
       to log into the local mausezahn instance. If no port has been
       specified, port 25542 is used by default.

   -6
       Specify IPv6 mode (IPv4 is the default).

   -l <IP>
       Specify the IP address mausezahn should bind to when in interactive
       mode, default: 0.0.0.0.

   -R <PRIO>
       Set the priority of sent packets. This configures SO_PRIORITY on the
       socket through which the packets are sent. Usual priority numbers are
       0..15, but the value can also be a class ID for purposes of Qdisc
       classification. In that case, a class ID such as 1234:5678 would be
       specified as 0x12345678.

   -v
       Verbose mode. Capital -V is even more verbose.

   -S
       Simulation mode, i.e. don't put anything on the wire. This is typically
       combined with the verbose mode.

   -q
       Quiet mode where only warnings and errors are displayed.

   -c <count>
       Send the packet count times (default: 1, infinite: 0).

   -d <delay>
       Apply a delay between transmissions. The delay value can be specified
       in usec (default, no additional unit needed), in msec (e.g. 100m or
       100msec), or in seconds (e.g. 100s or 100sec). Note: mops also supports
       nanosecond delay resolution if you need it (see interactive mode).

   -r
       Multiply the specified delay with a random value.

   -p <length>
       Pad the raw frame to the specified length using zero bytes. Note that
       for raw layer 2 frames the specified length defines the whole frame
       length, while for higher layer packets the number of additional padding
       bytes is specified.

   -a <src-mac|keyword>
       Use the specified source MAC address in hexadecimal notation such as
       00:00:aa:bb:cc:dd. By default the interface MAC address will be used.
       The keywords ''rand'' and ''own'' refer to a random MAC address (only
       unicast addresses are created) and the own address, respectively. You
       can also use the keywords mentioned below although broadcast-type
       source addresses are officially invalid.

   -b <dst-mac|keyword>
       Use the specified destination MAC address. By default, a broadcast is
       sent in raw layer 2 mode, or the destination host's or gateway's
       interface MAC address is used in normal (IP) mode. You can use the same
       keywords as mentioned above, as well as ''bc'' or ''bcast'', ''cisco'',
       and ''stp''.

   -A <src-ip|range|rand>
       Use the specified source IP address; the default is the own interface
       address. Optionally, the keyword ''rand'' can again be used for a
       random source IP address, or a range can be specified, such as
       ''192.168.1.1-192.168.1.100'' or ''10.1.0.0/16''. Also, a DNS name can
       be specified, for which mausezahn tries to determine the corresponding
       IP address automatically.

   -B <dst-ip|range>
       Use the specified destination IP address (default is broadcast, i.e.
       255.255.255.255). As with the source address (see above) you can also
       specify a range or a DNS name.

   -t <packet-type [help] | help>
       Create the specified packet type using the built-in packet builder.
       Currently, supported packet types are: ''arp'', ''bpdu'', ''ip'',
       ''udp'', ''tcp'', ''rtp'', and ''dns''. Currently, there is also
       limited support for ''icmp''. Type ''-t help'' to verify which packet
       builders your actual mausezahn version supports. Also, for any
       particular packet type, for example ''tcp'', type ''mausezahn -t tcp
       help'' to receive more in-depth context-specific help.

   -T <packet-type>
       Make this mausezahn instance the receiving station. Currently, only
       ''rtp'' is an option here and provides precise jitter measurements. For
       this purpose, start another mausezahn instance on the sending station,
       and the local receiving station will output jitter statistics. See
       ''mausezahn -T rtp help'' for detailed help.

   -Q <[CoS:]vlan> [, <[CoS:]vlan>, ...]
       Specify an 802.1Q VLAN tag and optional Class of Service. An arbitrary
       number of VLAN tags can be specified (that is, you can simulate QinQ or
       even QinQinQinQ..). Multiple tags must be separated via a comma or a
       period (e.g. "5:10,20,2:30"). VLAN tags are not supported for ARP and
       BPDU packets (in which case you could specify the whole frame in
       hexadecimal using the raw layer 2 interface of mausezahn).

   -M <label[:cos[:ttl]][bos]> [, <label...>]
       Specify an MPLS label or even an MPLS label stack. Optionally, for each
       label the experimental bits (usually the Class of Service, CoS) and the
       Time To Live (TTL) can be specified. If you are really crazy you can
       set and unset the Bottom of Stack (BoS) bit for each label using the
       ''S'' (set) and ''s'' (unset) option. By default, the BoS is set
       automatically and correctly. Any other setting will lead to invalid
       frames. Enter ''-M help'' for detailed instructions and examples.

   -P <ascii-payload>
       Specify a cleartext payload. Alternatively, each packet type supports a
       hexadecimal specification of the payload (see for example ''-t udp
       help'').

   -f <filename>
       Read the ASCII payload from the specified file.

   -F <filename>
       Read the hexadecimal payload from the specified file. Actually, this
       file must also be an ASCII text file, but it must contain hexadecimal
       digits, e.g. "aa:bb:cc:0f:e6...". You can also use spaces as
       separation characters.


USAGE EXAMPLE

       For more comprehensive examples, have a look at the two following HOWTO
       sections.

   mausezahn eth0 -c 0 -d 2s -t bpdu vlan=5
       Send BPDU frames for VLAN 5 as used with Cisco's PVST+ type of STP. By
       default mausezahn assumes that you want to become the root bridge.

   mausezahn eth0 -c 128000 -a rand -p 64
       Perform a CAM table overflow attack.

   mausezahn eth0 -c 0 -Q 5,100 -t tcp flags=syn,dp=1-1023 -p 20 -A rand -B
       10.100.100.0/24
       Perform a SYN flood attack to another VLAN using VLAN hopping. This
       only works if you are connected to the same VLAN which is configured as
       native VLAN on the trunk. We assume that the victim VLAN is VLAN 100
       and the native VLAN is VLAN 5. Let's attack every host in VLAN 100
       which uses an IP prefix of 10.100.100.0/24, also try out all ports
       between 1 and 1023 and use a random source IP address.

   mausezahn eth0 -c 0 -d 10msec -B 230.1.1.1 -t udp dp=32000,dscp=46 -P
       Multicast test packet
       Send IP multicast packets to the multicast group 230.1.1.1 using a UDP
       header with destination port 32000 and set the IP DSCP field to EF
       (46). Send one frame every 10 msec.

   mausezahn eth0 -Q 6:420 -M 100,200,300:5 -A 172.30.0.0/16 -B
       target.anynetwork.foo -t udp sp=666,dp=1-65535 -p 1000 -c 10
       Send UDP packets to the destination host target.anynetwork.foo using
       all possible destination ports and send every packet with all possible
       source addresses of the range 172.30.0.0/16; additionally use a source
       port of 666 and three MPLS labels, 100, 200, and 300, the outer (300)
       with QoS field 5. Send the frame with a VLAN tag 420 and CoS 6;
       eventually pad with 1000 bytes and repeat the whole thing 10 times.

   mausezahn -t syslog sev=3 -P Main reactor reached critical temperature. -A
       192.168.33.42 -B 10.1.1.9 -c 6 -d 10s
       Send six forged syslog messages with severity 3 to a Syslog server
       10.1.1.9; use a forged source IP address 192.168.33.42 and let
       mausezahn decide which local interface to use. Use an inter-packet
       delay of 10 seconds.

   mausezahn -t tcp flags=syn|urg|rst, sp=145, dp=145, win=0, s=0-4294967295,
       ds=1500, urg=666 -a bcast -b bcast -A bcast -B 10.1.1.6 -p 5
       Send an invalid TCP packet with only a 5 byte payload as layer-2
       broadcast and also use the broadcast MAC address as source address.
       The target should be 10.1.1.6 but use a broadcast source address. The
       source and destination port shall be 145 and the window size 0. Set
       the TCP flags SYN, URG, and RST simultaneously and sweep through the
       whole TCP sequence number space with an increment of 1500. Finally set
       the urgent pointer to 666, i.e. pointing to nowhere.


CONFIGURATION FILE

       When mausezahn is run in interactive mode it automatically looks for
       and reads a configuration file located at
       /etc/netsniff-ng/mausezahn.conf for custom options if the file is
       available, otherwise it uses defaults set at compile time.

   Config file: /etc/netsniff-ng/mausezahn.conf
       The configuration file contains lines of the form:

            option = value

       Options supported in the configuration file are:

          Option:          Description:

          user             Username for authentication (default: mz)
          password         Password for authentication (default: mz)
          enable           Password to enter privilege mode (default: mops)
          port             The listening port for the CLI (default: 25542)
          listen-addr      IP address to bind CLI to (default: 0.0.0.0)
          management-only  Set management interface (no data traffic is
                           allowed to pass through)
          cli-device       Interface to bind CLI to (default: all) *not fully
                           implemented*
          automops         Path to automops file (contains XML data describing
                           protocols) *in development*


   Example:
        $ cat /etc/netsniff-ng/mausezahn.conf
        user = mzadmin
        password = mzpasswd
        enable = privilege-mode-passwd
        port = 65000
        listen-addr = 127.0.0.1

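       Because the interactive CLI is reached over telnet and ships with the
       defaults mz:mz, enable password mops and listen-addr 0.0.0.0, the
       shell audit below (an added example, not part of netsniff-ng) parses a
       mausezahn.conf in the option = value format and reports default
       credentials and an all-addresses bind. The two sample files are
       constructed inline; the option names and defaults come from the table
       above.

```shell
#!/bin/sh
# Added example (not netsniff-ng code): audit a mausezahn.conf for the
# settings that matter once the Cisco-like CLI is listening for telnet.
# Defaults (user=mz, password=mz, enable=mops, listen-addr=0.0.0.0) are
# the man page's; an unset option therefore counts as its default.

# Print the value of one "option = value" line (last one wins), or nothing.
mz_conf_get() {
    # $1 = file, $2 = option name; surrounding whitespace is stripped
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Print one finding per line; the return value is the number of findings,
# so 0 means the file passed.
mz_conf_audit() {
    f=$1
    n=0
    user=$(mz_conf_get "$f" user)
    pass=$(mz_conf_get "$f" password)
    en=$(mz_conf_get "$f" enable)
    addr=$(mz_conf_get "$f" listen-addr)
    if [ "${user:-mz}" = mz ] && [ "${pass:-mz}" = mz ]; then
        echo "login is the default mz:mz"; n=$((n + 1))
    fi
    if [ "${en:-mops}" = mops ]; then
        echo "enable password is the default (mops)"; n=$((n + 1))
    fi
    case "${addr:-0.0.0.0}" in
        0.0.0.0|::)
            echo "CLI bound to all addresses (listen-addr=${addr:-unset})"
            n=$((n + 1)) ;;
    esac
    return "$n"
}

# Constructed samples: one left at the defaults, one hardened like the
# man page's own example (loopback bind, changed credentials).
MZ_WEAK_CONF=$(mktemp)
printf 'user = mz\npassword = mz\nport = 65000\n' > "$MZ_WEAK_CONF"
MZ_GOOD_CONF=$(mktemp)
printf 'user = mzadmin\npassword = mzpasswd\nenable = privilege-mode-passwd\nport = 65000\nlisten-addr = 127.0.0.1\n' > "$MZ_GOOD_CONF"

for f in "$MZ_WEAK_CONF" "$MZ_GOOD_CONF"; do
    echo "== $f"
    mz_conf_audit "$f" || echo "-> $? finding(s)"
done
```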

INTERACTIVE MODE HOWTO

287   Telnet:
288       Using the interactive mode requires starting mausezahn as a server:
289
290         # mausezahn -x
291
292       Now you can telnet(1) to that server  using  the  default  port  number
293       25542, but also an arbitrary port number can be specified:
294
295         # mausezahn -x 99
296         mausezahn accepts incoming telnet connections on port 99.
297         mz: Problems opening config file. Will use defaults
298
299       Either  from another terminal or from another host try to telnet to the
300       mausezahn server:
301
302         caprica$ telnet galactica 99
303         Trying 192.168.0.4...
304         Connected to galactica.
305         Escape character is '^]'.
306         mausezahn <version>
307
308         Username: mz
309         Password: mz
310
311         mz> enable
312         Password: mops
313         mz#
314
315       It is recommended to configure your own login credentials in  /etc/net‐
316       sniff-ng/mausezahn.conf, (see configuration file section)
317
318   Basics:
319       Since  you reached the mausezahn prompt, lets try some common commands.
320       You can use the '?' character at any time  for  context-specific  help.
321       Note that Cisco-like short form of commands are accepted in interactive
322       mode. For example, one can use  "sh  pac"  instead  of  "show  packet";
323       another common example is to use "config t" in place of "configure ter‐
324       minal". For readability, this manual will continue with the  full  com‐
325       mands.
326
327       First try out the show command:
328
329         mz# show ?
330
331       mausezahn  maintains its own ARP table and observes anomalies. There is
332       an entry for every physical interface (however this host has only one):
333
334         mz# show arp
335         Intf    Index     IP  address      MAC  address        last        Ch
336       UCast BCast Info
337         ----------------------------------------------------------------------------------
338         eth0    [1]  D      192.168.0.1   00:09:5b:9a:15:84   23:44:41      1
339       1     0  0000
340
341       The  column Ch tells us that the announced MAC address has only changed
342       one time (= when it was learned). The columns Ucast and BCast  tell  us
343       how  often  this  entry  was announced via unicast or broadcast respec‐
344       tively.
345
346       Let's check our interfaces:
347
348         mz# show interface
349         Available network interfaces:
350                        real              real                   used   (fake)
351       used (fake)
352          device         IPv4  address      MAC address           IPv4 address
353       MAC address
354         ---------------------------------------------------------------------------------------
355         >  eth0          192.168.0.4       00:30:05:76:2e:8d      192.168.0.4
356       00:30:05:76:2e:8d
357           lo             127.0.0.1          00:00:00:00:00:00       127.0.0.1
358       00:00:00:00:00:00
359         2 interfaces found.
360         Default interface is eth0.
361
362   Defining packets:
363       Let's check the current packet list:
364
365         mz# show packet
366         Packet   layer   flags:   E=Ethernet,   S=SNAP,   Q=802.1Q,   M=MPLS,
367       I/i=IP/delivery_off, U=UDP, T=TCP
368         PktID  PktName           Layers   Proto     Size   State       Device
369       Delay       Count/CntX
370             1    sysARP_servic...    E-----   ARP         60   config      lo
371       100 msec        1/0 (100%)
372         1 packets defined, 0 active.
373
374       We notice that there is already one system-defined packet  process;  it
375       has been created and used only once (during startup) by mausezahn's ARP
376       service.  Currently, its state is config which means that  the  process
377       is sleeping.
378
379   General packet options:
380       Now let's create our own packet process and switch into the global con‐
381       figuration mode:
382
383         mz# configure terminal
384         mz(config)# packet
385         Allocated new packet PKT0002 at slot 2
386         mz(config-pkt-2)# ?
387         ...
388         name                 Assign a unique name
389         description          Assign a packet description text
390         bind                 Select the network interface
391         count                Configure the packet count value
392         delay                Configure the inter-packet delay
393         interval             Configure a greater interval
394         type                 Specify packet type
395         mac                  Configure packet's MAC addresses
396         tag                  Configure tags
397         payload              Configure a payload
398         port                 Configure packet's port numbers
399         end                  End packet configuration mode
400         ethernet             Configure frame's  Ethernet,  802.2,  802.3,  or
401       SNAP settings
402         ip                   Configure packet's IP settings
403         udp                  Configure packet's UDP header parameters
404         tcp                  Configure packet's TCP header parameters
405
406       Here  are  a  lot  of options but normally you only need a few of them.
407       When you configure lots of different packets you might assign a reason‐
408       able name and description for them:
409
410         mz(config-pkt-2)# name Test
411         mz(config-pkt-2)# description This is just a test
412
413       You  can,  for  example, change the default settings for the source and
414       destination MAC or IP addresses using the mac and ip commands:
415
416         mz(config-pkt-2)# ip address destination 10.1.1.0 /24
417         mz(config-pkt-2)# ip address source random
418
419       In the example above, we configured a range of addresses (all hosts  in
420       the  network  10.1.1.0  should be addressed). Additionally we spoof our
421       source IP address. Of course, we can also add one or more VLAN and, or,
422       MPLS tag(s):
423
424         mz(config-pkt-2)# tag ?
425         dot1q                Configure 802.1Q (and 802.1P) parameters
426         mpls                 Configure MPLS label stack
427         mz(config-pkt-2)# tag dot ?
428         Configure 802.1Q tags:
429         VLAN[:CoS]  [VLAN[:CoS]]  ...    The leftmost tag is the outer tag in
430       the frame
431         remove <tag-nr> | all          Remove  one  or  more  tags  (<tag-nr>
432       starts with 1),
433                                       by  default the first (=leftmost,outer)
434       tag is removed,
435                                       keyword 'all' can be  used  instead  of
436       tag numbers.
437         cfi | nocfi [<tag-nr>]        Set or unset the CFI-bit in any tag (by
438       default
439                                       assuming the first tag).
440         mz(config-pkt-2)# tag dot 1:7 200:5
441
442   Configure count and delay:
443         mz(config-pkt-2)# count 1000
444         mz(config-pkt-2)# delay ?
445         delay <value> [hour | min | sec | msec | usec | nsec]
446
447       Specify the inter-packet delay in hours,  minutes,  seconds,  millisec‐
448       onds,  microseconds  or  nanoseconds.  The default unit is milliseconds
449       (i.e. when no unit is given).
450
451         mz(config-pkt-2)# delay 1 msec
452         Inter-packet delay set to 0 sec and 1000000 nsec
453         mz(config-pkt-2)#
454
455   Configuring protocol types:
456       mausezahn's interactive mode supports a growing list of  protocols  and
457       only  relies on the MOPS architecture (and not on libnet as is the case
458       with the legacy direct mode):
459
460         mz(config-pkt-2)# type
461         Specify a packet type from the following list:
462         arp
463         bpdu
464         igmp
465         ip
466         lldp
467         tcp
468         udp
469         mz(config-pkt-2)# type tcp
470         mz(config-pkt-2-tcp)#
471         ....
472         seqnr                Configure the TCP sequence number
473         acknr                Configure the TCP acknowledgement number
474         hlen                 Configure the TCP header length
475         reserved             Configure the TCP reserved field
476         flags                Configure a combination of TCP flags at once
477         cwr                  Set or unset the TCP CWR flag
478         ece                  Set or unset the TCP ECE flag
479         urg                  Set or unset the TCP URG flag
480         ack                  set or unset the TCP ACK flag
481         psh                  set or unset the TCP PSH flag
482         rst                  set or unset the TCP RST flag
483         syn                  set or unset the TCP SYN flag
484         fin                  set or unset the TCP FIN flag
485         window               Configure the TCP window size
486         checksum             Configure the TCP checksum
487         urgent-pointer       Configure the TCP urgent pointer
488         options              Configure TCP options
489         end                  End TCP configuration mode
490         mz(config-pkt-2-tcp)# flags syn fin rst
491         Current setting is: --------------------RST-SYN-FIN
492         mz(config-pkt-2-tcp)# end
493         mz(config-pkt-2)# payload ascii This is a dummy payload for my  first
494       packet
495         mz(config-pkt-2)# end
496
497       Now  configure another packet, for example let's assume we want an LLDP
498       process:
499
500         mz(config)# packet
501         Allocated new packet PKT0003 at slot 3
502         mz(config-pkt-3)# type lldp
503         mz(config-pkt-3-lldp)# exit
504         mz(config)# exit
505
506       In the above example we only use the default LLDP  settings  and  don't
507       configure  further  LLDP  options or TLVs. Back in the top level of the
508       CLI let's verify what we had done:
509
510         mz# show packet
511         Packet   layer   flags:   E=Ethernet,   S=SNAP,   Q=802.1Q,   M=MPLS,
512       I/i=IP/delivery_off, U=UDP, T=TCP
513         PktID   PktName             Layers   Proto    Size  State      Device
514       Delay      Count/CntX
515            1    sysARP_servic...    E-----   ARP         60   config       lo
516       100 msec       1/0 (100%)
517            2    Test                E-Q-IT             125   config      eth0
518       1000 usec    1000/1000 (0%)
519            3   PKT0003             E-----   LLDP        36   config      eth0
520       30 sec        0/0 (0%)
521         3 packets defined, 0 active.
522
523       The  column  Layers indicates which major protocols have been combined.
524       For example the packet with packet-id 2 ("Test") utilizes Ethernet (E),
525       IP  (I), and TCP (T). Additionally an 802.1Q tag (Q) has been inserted.
526       Now start one of these packet processes:
527
528         mz# start slot 3
529         Activate [3]
530         mz# show packet
531         Packet   layer   flags:   E=Ethernet,   S=SNAP,   Q=802.1Q,   M=MPLS,
532       I/i=IP/delivery_off, U=UDP, T=TCP
533         PktID   PktName             Layers   Proto    Size  State      Device
534       Delay      Count/CntX
535            1    sysARP_servic...    E-----   ARP         60   config       lo
536       100 msec       1/0 (100%)
537            2    Test                E-Q-IT             125   config      eth0
538       1000 usec    1000/1000 (0%)
539            3   PKT0003             E-----   LLDP        36   config      eth0
540       30 sec        0/1 (0%)
541         3 packets defined, 1 active.
542
543       Let's have a more detailed look at a specific packet process:
544
545         mz# show packet 2
546         Packet [2] Test
547         Description: This is just a test
548         State: config, Count=1000, delay=1000 usec (0 s 1000000 nsec), inter‐
549       val= (undefined)
550         Headers:
551          Ethernet: 00-30-05-76-2e-8d => ff-ff-ff-ff-ff-ff  [0800 after 802.1Q
552       tag]
553          Auto-delivery  is ON (that is, the actual MAC is adapted upon trans‐
554       mission)
555          802.1Q: 0 tag(s);  (VLAN:CoS)
556          IP:  SA=192.168.0.4 (not random) (no range)
557               DA=255.255.255.255 (no range)
558               ToS=0x00  proto=17  TTL=255  ID=0  offset=0  flags: -|-|-
559               len=49664(correct)  checksum=0x2e8d(correct)
560          TCP: 83 bytes segment size (including TCP header)
561               SP=0 (norange) (not random), DP=0 (norange) (not random)
562               SQNR=3405691582 (start 0, stop 4294967295, delta 0) --  ACKNR=0
563       (invalid)
564               Flags:  ------------------------SYN----,  reserved field is 00,
565       urgent pointer= 0
566               Announced window size= 100
567               Offset= 0 (times  32  bit;  value  is  valid),  checksum=  ffff
568       (valid)
569               (No TCP options attached) - 0 bytes defined
570          Payload size: 43 bytes
571          Frame size: 125 bytes
572           1          ff:ff:ff:ff:ff:ff:00:30          05:76:2e:8d:81:00:e0:01
573       81:00:a0:c8:08:00:45:00  00:67:00:00:00:00:ff:06
574          33          fa:e4:c0:a8:00:04:ff:ff          ff:ff:00:00:00:00:ca:fe
575       ba:be:00:00:00:00:a0:07  00:64:f7:ab:00:00:02:04
576          65          05:ac:04:02:08:0a:19:35          90:c3:00:00:00:00:01:03
577       03:05:54:68:69:73:20:69  73:20:61:20:64:75:6d:6d
578          97          79:20:70:61:79:6c:6f:61          64:20:66:6f:72:20:6d:79
579       20:66:69:72:73:74:20:70  61:63:6b:65:74
580         mz#
581
582       If you want to stop one or more packet processes, use the stop command.
583       The "emergency stop" is when you use stop all:
584
585         mz# stop all
586         Stopping
587         [3] PKT0003
588         Stopped 1 transmission processe(s)
589
590       The launch command provides a shortcut for commonly  used  packet  pro‐
591       cesses.  For  example  to  behave  like a STP-capable bridge we want to
592       start an BPDU process with typical parameters:
593
594         mz# launch bpdu
595         Allocated new packet sysBPDU at slot 5
596         mz# show packet
597         Packet   layer   flags:   E=Ethernet,   S=SNAP,   Q=802.1Q,   M=MPLS,
598       I/i=IP/delivery_off, U=UDP, T=TCP
599         PktID   PktName            Layers   Proto     Size  State      Device
600       Delay       Count/CntX
601             1   sysARP_servic...   E-----   ARP         60    config       lo
602       100 msec        1/0 (100%)
603             2    Test               E-Q-IT             125   config      eth0
604       1000 usec     1000/1000 (0%)
605             3   PKT0003            E-----   LLDP        36   config      eth0
606       30 sec        0/12 (0%)
607             4   PKT0004            E---I-   IGMP        46   config      eth0
608       100 msec        0/0 (0%)
609             5   sysBPDU            ES----   BPDU        29   active      eth0
610       2 sec        0/1 (0%)
611         5 packets defined, 1 active.
612
613       Now  a  Configuration  BPDU is sent every 2 seconds, claiming to be the
614       root bridge (and usually confusing the LAN. Note  that  only  packet  5
615       (i.e.  the  last row) is active and therefore sending packets while all
616       other packets are in state config (i.e. they have been  configured  but
617       they are not doing anything at the moment).
618
619   Configuring a greater interval:
620       Sometimes  you  may want to send a burst of packets at a greater inter‐
621       val:
622
623         mz(config)# packet 2
624         Modify packet parameters for packet Test [2]
625         mz(config-pkt-2)# interval
626         Configure a greater packet interval in days, hours, minutes, or  sec‐
627       onds
628         Arguments: <value>  <days | hours | minutes | seconds>
629         Use a zero value to disable an interval.
630         mz(config-pkt-2)# interval 1 hour
631         mz(config-pkt-2)# count 10
632         mz(config-pkt-2)# delay 15 usec
633         Inter-packet delay set to 0 sec and 15000 nsec
634
635       Now  this  packet  is  sent  ten times with an inter-packet delay of 15
636       microseconds and this is repeated every hour.  When  you  look  at  the
637       packet list, an interval is indicated with the additional flag 'i' when
638       inactive or 'I' when active:
639
         mz# show packet
         Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=UDP, T=TCP
         PktID  PktName           Layers  Proto  Size  State     Device  Delay     Count/CntX
             1  sysARP_servic...  E-----  ARP      60  config    lo      100 msec  1/0    (100%)
             2  Test              E-Q-IT          125  config-i  eth0    15 usec   10/10  (0%)
             3  PKT0003           E-----  LLDP     36  config    eth0    30 sec    0/12   (0%)
             4  PKT0004           E---I-  IGMP     46  config    eth0    100 msec  0/0    (0%)
             5  sysBPDU           ES----  BPDU     29  active    eth0    2 sec     0/251  (0%)
         5 packets defined, 1 active.
         mz# start slot 2
         Activate [2]
         mz# show packet
         Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=UDP, T=TCP
         PktID  PktName           Layers  Proto  Size  State     Device  Delay     Count/CntX
             1  sysARP_servic...  E-----  ARP      60  config    lo      100 msec  1/0    (100%)
             2  Test              E-Q-IT          125  config+I  eth0    15 usec   10/0   (100%)
             3  PKT0003           E-----  LLDP     36  config    eth0    30 sec    0/12   (0%)
             4  PKT0004           E---I-  IGMP     46  config    eth0    100 msec  0/0    (0%)
             5  sysBPDU           ES----  BPDU     29  active    eth0    2 sec     0/256  (0%)
         5 packets defined, 1 active.

       Note that the flag 'I' indicates that an interval has been specified
       for packet 2. The process is not active at the moment (only packet 5 is
       active here) but it will become active at a regular interval. You can
       verify the actual interval when viewing the packet details via the
       'show packet 2' command.

   Load prepared configurations:
       You can prepare packet configurations using the same commands as you
       would type them in on the CLI and then load them to the CLI. For
       example, assume we have prepared a file 'test.mops' containing:

         configure terminal
         packet
         name IGMP_TEST
         desc This is only a demonstration how to load a file to mops
         type igmp

       Then we can add this packet configuration to our packet list using the
       load command:

         mz# load test.mops
         Read commands from test.mops...
         Allocated new packet PKT0002 at slot 2
         mz# show packet
         Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=UDP, T=TCP
         PktID  PktName           Layers  Proto  Size  State     Device  Delay     Count/CntX
             1  sysARP_servic...  E-----  ARP      60  config    lo      100 msec  1/0    (100%)
             2  IGMP_TEST         E---I-  IGMP     46  config    eth0    100 msec  0/0    (0%)
         2 packets defined, 0 active.

       The file src/examples/mausezahn/example_lldp.conf contains another
       example list of commands to create a bogus LLDP packet. You can load
       this configuration from the mausezahn command line as follows:

         mz# load /home/hh/tmp/example_lldp.conf

       in case you copied the file to that path. Now when you enter 'show
       packet' you will see a new packet entry in the packet list. Use the
       'start slot <nr>' command to activate this packet.

       You can store your own packet creations in such a file and easily load
       them when you need them. Every command within such configuration files
       is executed on the command line interface as if you had typed it in --
       so be careful about the order and don't forget to use 'configure
       terminal' as the first command.

       You can even load other files from within a central config file.


DIRECT MODE HOWTO

   How to specify hexadecimal digits:
       Many arguments allow direct byte input. Bytes are represented as two
       hexadecimal digits. Multiple bytes must be separated either by spaces,
       colons, or dashes - whichever you prefer. The following byte strings
       are equivalent:

         "aa:bb cc-dd-ee ff 01 02 03-04 05"
         "aa bb cc dd ee ff:01:02:03:04 05"

       To begin with, you may want to send an arbitrary fancy (possibly
       invalid) frame right through your network card:

         mausezahn ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:08:00:ca:fe:ba:be

       or equivalent but more readable:

         mausezahn ff:ff:ff:ff:ff:ff-ff:ff:ff:ff:ff:ff-08:00-ca:fe:ba:be

   Basic operations:
       All major command line options are listed when you execute mausezahn
       without arguments. For practical usage, keep the following special (not
       so widely known) options in mind:

         -r                    Multiplies the specified delay with a random
                               value.
         -p <length>           Pad the raw frame to the specified length (using
                               random bytes).
         -P <ASCII Payload>    Use the specified ASCII payload.
         -f <filename>         Read the ASCII payload from a file.
         -F <filename>         Read the hexadecimal payload from a file.
         -S                    Simulation mode: DOES NOT put anything on the
                               wire. This is typically combined with one of
                               the verbose modes (-v or -V).

       Many options require a keyword or a number but the -t option is an
       exception since it requires both a packet type (such as ip, udp, dns,
       etc.) and an argument string which is specific for that packet type.
       Here are some simple examples:

         mausezahn -t help
         mausezahn -t tcp help
         mausezahn eth3 -t udp sp=69,dp=69,p=ca:fe:ba:be

       Note: Don't forget that on the CLI the Linux shell (usually the Bash)
       interprets spaces as a delimiting character. That is, if you are
       specifying an argument that consists of multiple words with spaces in
       between, you MUST group these within quotes. For example, instead of

         mausezahn eth0 -t udp sp=1, dp=80, p=00:11:22:33

       you could either omit the spaces

         mausezahn eth0 -t udp sp=1,dp=80,p=00:11:22:33

       or, for greater safety, use quotes:

         mausezahn eth0 -t udp "sp=1,dp=80,p=00:11:22:33"

       In order to monitor what's going on, you can enable the verbose mode
       using the -v option. The opposite is the quiet mode (-q) which will
       keep mausezahn absolutely quiet (except for error messages and
       warnings).

       Don't confuse the payload argument p=... with the padding option -p.
       The latter is used outside the quotes!

   The automatic packet builder:
       An important argument is -t which invokes a packet builder. Currently
       there are packet builders for ARP, BPDU, CDP, IP, partly ICMP, UDP,
       TCP, RTP, DNS, and SYSLOG. (Additionally you can insert a VLAN tag or a
       MPLS label stack but this works independently of the packet builder.)

       You get context specific help for every packet builder using the help
       keyword, such as:

         mausezahn -t bpdu help
         mausezahn -t tcp help

       For every packet you may specify an optional payload. This can be done
       either via hexadecimal notation using the payload (or short p) argument
       or directly as ASCII text using the -P option:

         mausezahn eth0 -t ip -P "Hello World"                       # ASCII payload
         mausezahn eth0 -t ip p=68:65:6c:6c:6f:20:77:6f:72:6c:64      # hex payload
         mausezahn eth0 -t ip "proto=89,                          \
                               p=68:65:6c:6c:6f:20:77:6f:72:6c:64, \   # same with other
                               ttl=1"                               #  IP arguments

       Note: The raw link access mode only accepts hexadecimal payloads
       (because you specify everything in hexadecimal here).

   Packet count and delay:
       By default only one packet is sent. If you want to send more packets
       then use the count option -c <count>. When count is zero then mausezahn
       will send forever. By default, mausezahn sends at maximum speed (and
       this is really fast ;-)). If you don't want to overwhelm your network
       devices or have other reasons to send at a slower rate then you might
       want to specify a delay using the -d <delay> option.

       If you only specify a numeric value it is interpreted in microsecond
       units. Alternatively, for easier use, you might specify units such as
       seconds, sec, milliseconds, or msec. (You can also abbreviate this with
       s or m.) Note: Don't use spaces between the value and the unit! Here
       are typical examples:

       Send an infinite number of frames as fast as possible:

         mausezahn -c 0  "aa bb cc dd ...."

       Send 100,000 frames with a 50 msec interval:

         mausezahn -c 100000 -d 50msec "aa bb cc dd ...."

       Send an unlimited number of BPDU frames in a 2 second interval:

         mausezahn -c 0 -d 2s -t bpdu conf

       Note: mausezahn does not support fractional numbers. If you want to
       specify for example 2.5 seconds then express this in milliseconds (2500
       msec).

   Source and destination addresses:
       As a mnemonic trick keep in mind that all packets run from "A" to "B".
       You can always specify source and destination MAC addresses using the
       -a and -b options, respectively. These options also allow keywords such
       as rand, own, bpdu, cisco, and others.

       Similarly, you can specify source and destination IP addresses using
       the -A and -B options, respectively. These options also support FQDNs
       (i.e. domain names) and ranges such as 192.168.0.0/24 or
       10.0.0.11-10.0.3.22. Additionally, the source address option supports
       the rand keyword (ideal for "attacks").

       Note: When you use the packet builder for IP-based packets (e.g. UDP or
       TCP) then mausezahn automatically cares about correct MAC and IP
       addresses (i.e. it performs ARP, DHCP, and DNS for you). But when you
       specify at least a single link-layer address (or any other L2 option
       such as a VLAN tag or MPLS header) then ARP is disabled and you must
       care for the Ethernet destination address yourself.

   Layer-2:
   `-- Direct link access:
       mausezahn allows you to send ANY chain of bytes directly through your
       Ethernet interface:

         mausezahn eth0 "ff:ff:ff:ff:ff:ff ff:ff:ff:ff:ff:ff 00:00 ca:fe:ba:be"

       This way you can craft every packet you want but you must do it by
       hand. Note: On Wi-Fi interfaces the header is much more complicated and
       automatically created by the Wi-Fi driver. As an example to introduce
       some interesting options, let's continuously send frames at max speed
       with a random source MAC address and broadcast destination address, and
       additionally pad the frame to 1000 bytes:

         mausezahn eth0 -c 0 -a rand -b bcast -p 1000 "08 00 aa bb cc dd"

       The direct link access supports automatic padding using the -p <total
       frame length> option. This allows you to pad a raw L2 frame to the
       desired length. You must specify the total length, and the total frame
       length must be at least 15 bytes for technical reasons. Zero bytes are
       used for padding.

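       The following Python is an added example and not part of this manual
       page or of the mausezahn sources. It reproduces the byte notation
       described under 'How to specify hexadecimal digits' and the zero
       padding rule of the direct link access mode: it parses a string with
       mixed separators, pads it to a total length (rejecting totals below
       the 15 bytes stated above), and splits the result into the Ethernet
       header fields. The function names are my own; the sample strings are
       copied from the examples above.

```python
import re

# Constructed inputs copied from the examples above.
EQUIVALENT_1 = "aa:bb cc-dd-ee ff 01 02 03-04 05"
EQUIVALENT_2 = "aa bb cc dd ee ff:01:02:03:04 05"
RAW_FRAME = "ff:ff:ff:ff:ff:ff-ff:ff:ff:ff:ff:ff-08:00-ca:fe:ba:be"

MIN_PAD_TOTAL = 15  # minimum total length the -p option accepts for raw L2 frames


def parse_hex_string(text: str) -> bytes:
    """Parse mausezahn's byte notation: two hex digits per byte, separated by
    any mix of spaces, colons or dashes (all three are interchangeable)."""
    tokens = [t for t in re.split(r"[\s:\-]+", text.strip()) if t]
    for token in tokens:
        if not re.fullmatch(r"[0-9a-fA-F]{2}", token):
            raise ValueError(f"not a two-digit hex byte: {token!r}")
    return bytes(int(t, 16) for t in tokens)


def pad_frame(frame: bytes, total_length: int) -> bytes:
    """Pad a raw L2 frame with zero bytes up to total_length, as the direct
    link access mode does for -p <total frame length>."""
    if total_length < MIN_PAD_TOTAL:
        raise ValueError(f"total length must be at least {MIN_PAD_TOTAL} bytes")
    if total_length < len(frame):
        raise ValueError("frame is already longer than the requested total length")
    return frame + bytes(total_length - len(frame))


def decode_ethernet(frame: bytes) -> dict:
    """Split a raw frame into destination MAC, source MAC, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")

    def mac(b: bytes) -> str:
        return ":".join(f"{x:02x}" for x in b)

    return {
        "dst": mac(frame[0:6]),
        "src": mac(frame[6:12]),
        "ethertype": int.from_bytes(frame[12:14], "big"),
        "payload": frame[14:],
    }


if __name__ == "__main__":
    frame = parse_hex_string(RAW_FRAME)
    print(decode_ethernet(pad_frame(frame, 60)))
```

       Both equivalent strings parse to the same eleven bytes, and the raw
       frame above decodes to a broadcast destination, a broadcast source and
       EtherType 0x0800 followed by the four payload bytes.
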
   `-- ARP:
       mausezahn provides a simple interface to the ARP packet. You can
       specify the ARP method (request|reply) and up to four arguments:
       sendermac, targetmac, senderip, targetip, or short smac, tmac, sip,
       tip. By default, an ARP reply is sent with your own interface addresses
       as source MAC and IP address, and a broadcast destination MAC and IP
       address. Send a gratuitous ARP request (as used for duplicate IP
       address detection):

         mausezahn eth0 -t arp

       ARP cache poisoning:

         mausezahn eth0 -t arp "reply, senderip=192.168.0.1, targetmac=00:00:0c:01:02:03, \
                                targetip=172.16.1.50"

       where by default your interface MAC address will be used as sendermac,
       senderip denotes the spoofed IP address, and targetmac and targetip
       identify the receiver. By default, the Ethernet source address is your
       interface MAC and the destination address is the broadcast address. You
       can change this using the flags -a and -b.

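       From the receiving side, the useful counterpart to the ARP reply above
       is noticing when one arrives that contradicts what the segment should
       look like. The following Python is an added example (not mausezahn
       code): it decodes raw Ethernet/IPv4 ARP bodies and flags replies whose
       sender IP is claimed by a MAC other than the one recorded for it. The
       known-host table and the sample packets are constructed for the
       example, and the function names are my own.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def build_arp(oper: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Encode an Ethernet/IPv4 ARP body (no Ethernet header). Used here only
    to construct sample traffic for the checker below."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                       mac_to_bytes(target_mac), ip_to_bytes(target_ip))


def decode_arp(body: bytes) -> dict:
    """Decode the 28-byte ARP body; reject anything that is not Ethernet/IPv4."""
    if len(body) < struct.calcsize(ARP_FMT):
        raise ValueError("truncated ARP body")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, body[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {
        "oper": oper,
        "sender_mac": ":".join(f"{x:02x}" for x in sha),
        "sender_ip": ".".join(str(x) for x in spa),
        "target_mac": ":".join(f"{x:02x}" for x in tha),
        "target_ip": ".".join(str(x) for x in tpa),
    }


def find_poisoning_candidates(known_hosts: dict, bodies) -> list:
    """Return decoded ARP replies whose sender IP appears in known_hosts
    (ip -> mac) with a MAC different from the one in the reply."""
    suspicious = []
    for body in bodies:
        pkt = decode_arp(body)
        expected = known_hosts.get(pkt["sender_ip"])
        if pkt["oper"] == ARP_REPLY and expected is not None and expected != pkt["sender_mac"]:
            suspicious.append(pkt)
    return suspicious


# Constructed sample: the gateway 192.168.0.1 is really aa:bb:cc:dd:ee:ff; the
# second reply claims the same IP from another MAC, the third is a plain request.
KNOWN_HOSTS = {"192.168.0.1": "aa:bb:cc:dd:ee:ff"}
SAMPLE_BODIES = [
    build_arp(ARP_REPLY, "aa:bb:cc:dd:ee:ff", "192.168.0.1", "00:00:0c:01:02:03", "172.16.1.50"),
    build_arp(ARP_REPLY, "00:11:22:33:44:55", "192.168.0.1", "00:00:0c:01:02:03", "172.16.1.50"),
    build_arp(ARP_REQUEST, "00:11:22:33:44:55", "192.168.0.7", "00:00:00:00:00:00", "192.168.0.1"),
]

if __name__ == "__main__":
    for hit in find_poisoning_candidates(KNOWN_HOSTS, SAMPLE_BODIES):
        print("conflicting ARP reply:", hit)
```

       Only the second body is reported; a request is never a claim, and the
       first reply matches the table. The same check can be run on captured
       traffic once the Ethernet header has been stripped.
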
   `-- BPDU:
       mausezahn provides a simple interface to the 802.1D BPDU frame format
       (used to create the Spanning Tree in bridged networks). By default,
       standard IEEE 802.1D BPDUs are sent and it is assumed that your
       computer wants to become the root bridge (rid=bid). Optionally the 802.3
       destination address can be a specified MAC address, broadcast, own MAC,
       or Cisco's PVST+ MAC address. The destination MAC can be specified
       using the -b command which, besides MAC addresses, accepts keywords
       such as bcast, own, pvst, or stp (default). PVST+ is supported as well.
       Simply specify the VLAN for which you want to send a BPDU:

         mausezahn eth0 -t bpdu "vlan=123, rid=2000"

       See mausezahn -t bpdu help for more details.

   `-- CDP:
       mausezahn can send Cisco Discovery Protocol (CDP) messages since this
       protocol has security relevance. Of course lots of dirty tricks are
       possible; for example arbitrary TLVs can be created (using the hex
       payload argument, for example p=00:0e:00:07:01:01:90) and if you want
       to stress the CDP database of some device, mausezahn can send each CDP
       message with another system-id using the change keyword:

         mausezahn -t cdp change -c 0

       Some routers and switches may run into deep problems ;-) See mausezahn
       -t cdp help for more details.

   `-- 802.1Q VLAN Tags:
       mausezahn allows simple VLAN tagging for IP (and other higher layer)
       packets. Simply use the option -Q <[CoS:]VLAN>, such as -Q 10 or -Q
       3:921. By default CoS=0. For example send a TCP packet in VLAN 500
       using CoS=7:

         mausezahn eth0 -t tcp -Q 7:500 "dp=80, flags=rst, p=aa:aa:aa"

       You can create as many VLAN tags as you want! This is interesting to
       create QinQ encapsulations or VLAN hopping: Send a UDP packet with VLAN
       tags 100 (outer) and 651 (inner):

         mausezahn eth0 -t udp "dp=8888, sp=13442" -P "Mausezahn is great" -Q 100,651

       Don't know if this is useful anywhere but at least it is possible:

         mausezahn eth0 -t udp "dp=8888, sp=13442" -P "Mausezahn is great" \
                        -Q 6:5,7:732,5:331,5,6

       Mix it with MPLS:

         mausezahn eth0 -t udp "dp=8888, sp=13442" -P "Mausezahn is great" -Q 100,651 -M 314

       When in raw Layer 2 mode you must create the VLAN tag completely by
       yourself. For example if you want to send a frame in VLAN 5 using CoS
       0 simply specify 81:00 as type field and for the next two bytes the CoS
       (PCP), DEI (CFI), and VLAN ID values (all together known as TCI):

         mausezahn eth0 -b bc -a rand "81:00 00:05 08:00 aa-aa-aa-aa-aa-aa-aa-aa-aa"

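       The following Python is an added example, not part of this manual page
       or of mausezahn: it turns a -Q <[CoS:]VLAN>[,...] argument into the
       bytes that follow the two MAC addresses (one 0x8100 tag per entry,
       then the EtherType), and walks such a tag stack back into PCP, DEI and
       VLAN ID, which is what you need to check a captured frame against the
       intended -Q value. It assumes the 0x8100 TPID for every tag, as in the
       raw example above; the function names are my own.

```python
TPID_8021Q = 0x8100


def encode_tci(vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Pack PCP (3 bits), DEI (1 bit) and VLAN ID (12 bits) into the two TCI bytes."""
    if not (0 <= vid <= 4095 and 0 <= pcp <= 7 and dei in (0, 1)):
        raise ValueError("TCI field out of range")
    return ((pcp << 13) | (dei << 12) | vid).to_bytes(2, "big")


def parse_q_option(spec: str) -> list:
    """Parse -Q <[CoS:]VLAN>[,<[CoS:]VLAN>...] into (pcp, vid) pairs, first entry outermost."""
    tags = []
    for item in spec.split(","):
        parts = item.split(":")
        if len(parts) == 1:
            pcp, vid = 0, int(parts[0])      # CoS defaults to 0
        elif len(parts) == 2:
            pcp, vid = int(parts[0]), int(parts[1])
        else:
            raise ValueError(f"bad VLAN spec {item!r}")
        tags.append((pcp, vid))
    return tags


def build_vlan_stack(spec: str, inner_ethertype: int) -> bytes:
    """Bytes that follow the MAC addresses: one 0x8100 tag per entry, then the
    EtherType of the encapsulated protocol (assumption: 0x8100 for every tag)."""
    out = b""
    for pcp, vid in parse_q_option(spec):
        out += TPID_8021Q.to_bytes(2, "big") + encode_tci(vid, pcp)
    return out + inner_ethertype.to_bytes(2, "big")


def decode_vlan_stack(after_macs: bytes):
    """Walk the tags that follow the MAC addresses; return (tags, ethertype, rest)."""
    tags, i = [], 0
    while len(after_macs) >= i + 4 and int.from_bytes(after_macs[i:i + 2], "big") == TPID_8021Q:
        tci = int.from_bytes(after_macs[i + 2:i + 4], "big")
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        i += 4
    if len(after_macs) < i + 2:
        raise ValueError("no EtherType after the VLAN tags")
    return tags, int.from_bytes(after_macs[i:i + 2], "big"), after_macs[i + 2:]


if __name__ == "__main__":
    # -Q 7:500 in front of an IPv4 EtherType
    print(build_vlan_stack("7:500", 0x0800).hex())
    # the raw "81:00 00:05 08:00 ..." frame body from above
    print(decode_vlan_stack(bytes.fromhex("810000050800" + "aa" * 9)))
```

       -Q 7:500 becomes 81 00 e1 f4 (7 shifted into the top three bits, 500
       = 0x1f4 in the low twelve), and the raw example decodes to a single
       tag with PCP 0, DEI 0 and VLAN 5 followed by EtherType 0x0800.
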
   `-- MPLS labels:
       mausezahn allows you to insert one or more MPLS headers. Simply use the
       option -M <label:CoS:TTL:BoS> where only the label is mandatory. If you
       specify a second number it is interpreted as the experimental bits (the
       CoS usually). If you specify a third number it is interpreted as TTL.
       By default the TTL is set to 255. The Bottom of Stack flag is set
       automatically, otherwise the frame would be invalid, but if you want
       you can also set or unset it using the S (set) and s (unset) argument.
       Note that the BoS must be the last argument in each MPLS header
       definition. Here are some examples:

       Use MPLS label 214:

         mausezahn eth0 -M 214 -t tcp "dp=80" -P "HTTP..." -B myhost.com

       Use three labels (the 214 is now the outer):

         mausezahn eth0 -M 9999,51,214 -t tcp "dp=80" -P "HTTP..." -B myhost.com

       Use two labels, one with CoS=5 and TTL=1, the other with CoS=7:

         mausezahn eth0 -M 100:5:1,500:7 -t tcp "dp=80" -P "HTTP..." -B myhost.com

       Unset the BoS flag (which will result in an invalid frame):

         mausezahn eth0 -M 214:s -t tcp "dp=80" -P "HTTP..." -B myhost.com

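       As an added example (my own code, not mausezahn's), the following
       Python parses a -M <label:CoS:TTL:BoS> argument the way the text above
       describes it, encodes the 32-bit label stack entries, and decodes a
       stack again, refusing one that never reaches a bottom-of-stack entry.
       It follows the statement above that the last label given is the
       outermost one, so the wire order is the reverse of the argument order
       and the automatic BoS goes on the first label listed. The 255 default
       TTL is the one stated above; the function names are assumptions.

```python
DEFAULT_TTL = 255


def parse_m_option(spec: str) -> list:
    """Parse -M <label[:CoS[:TTL]][:S|s]>[,...] into header dicts in wire order
    (outermost first). BoS is set automatically on the innermost header unless
    an explicit S (set) or s (unset) was given for that header."""
    entries = []
    for item in spec.split(","):
        parts = item.split(":")
        bos = None
        if parts[-1] in ("S", "s"):
            bos = parts.pop() == "S"
        if not 1 <= len(parts) <= 3:
            raise ValueError(f"bad MPLS header spec {item!r}")
        label = int(parts[0])
        exp = int(parts[1]) if len(parts) > 1 else 0
        ttl = int(parts[2]) if len(parts) > 2 else DEFAULT_TTL
        entries.append({"label": label, "exp": exp, "ttl": ttl, "bos": bos})
    wire = list(reversed(entries))   # last label given is the outermost
    for idx, header in enumerate(wire):
        if header["bos"] is None:
            header["bos"] = idx == len(wire) - 1
    return wire


def encode_mpls(headers: list) -> bytes:
    """Label (20 bits) | EXP (3) | BoS (1) | TTL (8) for every header."""
    out = b""
    for h in headers:
        if not (0 <= h["label"] < 2 ** 20 and 0 <= h["exp"] <= 7 and 0 <= h["ttl"] <= 255):
            raise ValueError("MPLS field out of range")
        word = (h["label"] << 12) | (h["exp"] << 9) | (int(h["bos"]) << 8) | h["ttl"]
        out += word.to_bytes(4, "big")
    return out


def decode_mpls(data: bytes):
    """Read headers until one carries BoS; return (headers, payload offset).
    Raises ValueError if the stack ends without a bottom-of-stack entry."""
    headers, i = [], 0
    while i + 4 <= len(data):
        word = int.from_bytes(data[i:i + 4], "big")
        header = {"label": word >> 12, "exp": (word >> 9) & 7,
                  "bos": bool((word >> 8) & 1), "ttl": word & 0xFF}
        headers.append(header)
        i += 4
        if header["bos"]:
            return headers, i
    raise ValueError("label stack has no bottom-of-stack entry")


def stack_is_valid(spec: str) -> bool:
    """True when the -M argument yields a stack that terminates with BoS."""
    try:
        decode_mpls(encode_mpls(parse_m_option(spec)))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(encode_mpls(parse_m_option("100:5:1,500:7")).hex())
    print("214:", stack_is_valid("214"), " 214:s:", stack_is_valid("214:s"))
```

       -M 214 encodes as 00 0d 61 ff (label 214, EXP 0, BoS set, TTL 255);
       -M 214:s differs only in the BoS bit and is rejected by the decoder,
       which is the "invalid frame" the text above refers to.
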
   Layer 3-7:
       IP, UDP, and TCP packets can be padded using the -p option. Currently
       0x42 is used as padding byte ('the answer'). You cannot pad DNS packets
       (would be useless anyway).

   `-- IP:
       mausezahn allows you to send any malformed or correct IP packet. Every
       field in the IP header can be manipulated. The IP addresses can be
       specified via the -A and -B options, denoting the source and
       destination address, respectively. You can also specify an address
       range or a host name (FQDN). Additionally, the source address can also
       be random. By default the source address is your interface IP address
       and the destination address is a broadcast address. Here are some
       examples:

       ASCII payload:

         mausezahn eth0 -t ip -A rand -B 192.168.1.0/24 -P "hello world"

       Hexadecimal payload:

         mausezahn eth0 -t ip -A 10.1.0.1-10.1.255.254 -B 255.255.255.255 p=ca:fe:ba:be

       Will use correct source IP address:

         mausezahn eth0 -t ip -B www.xyz.com

       The Type of Service (ToS) byte can either be specified directly by two
       hexadecimal digits, which means you can also easily set the Explicit
       Congestion Notification (ECN) bits (LSB 1 and 2), or you may only want
       to specify a common DSCP value (bits 3-8) using a decimal number
       (0..63):

       Packet sent with DSCP = Expedited Forwarding (EF):

         mausezahn eth0 -t ip dscp=46,ttl=1,proto=1,p=08:00:5a:a2:de:ad:be:af

       If you leave the checksum as zero (or unspecified) the correct checksum
       will be automatically computed. Note that you can only use a wrong
       checksum when you also specify at least one L2 field manually.

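       The following Python is an added example (not mausezahn code) showing
       the two points of this section in bytes: how dscp=46 lands in the ToS
       byte next to the ECN bits, and what "the correct checksum will be
       computed" means. It builds a 20-byte IPv4 header for the dscp=46,
       ttl=1, proto=1 example with the 8-byte payload above, computes the RFC
       1071 checksum, and verifies a header the way a receiver does (a correct
       header sums to zero). The addresses are placeholders I chose, and the
       function names are my own.

```python
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst


def tos_byte(dscp: int, ecn: int = 0) -> int:
    """DSCP occupies the six high bits of the ToS byte, ECN the two low bits."""
    if not (0 <= dscp <= 63 and 0 <= ecn <= 3):
        raise ValueError("dscp must be 0..63 and ecn 0..3")
    return (dscp << 2) | ecn


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's complement sum over 16-bit words, end-around carry folded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, ttl: int = 64, dscp: int = 0,
                      ecn: int = 0, payload_len: int = 0, checksum=None) -> bytes:
    """Build a 20-byte IPv4 header without options. checksum=None means
    'compute it', mirroring what the text above says about a zero or
    unspecified checksum; any other value is written as given."""
    header = struct.pack(IPV4_FMT, 0x45, tos_byte(dscp, ecn), 20 + payload_len, 0, 0,
                         ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    if checksum is None:
        checksum = internet_checksum(header)
    return header[:10] + checksum.to_bytes(2, "big") + header[12:]


def header_checksum_ok(header: bytes) -> bool:
    """A header carrying a correct checksum sums to zero over its own 20 bytes."""
    return len(header) >= 20 and internet_checksum(header[:20]) == 0


def decode_tos(header: bytes):
    """Return (dscp, ecn) from the second header byte."""
    return header[1] >> 2, header[1] & 0x03


# Constructed sample for "dscp=46,ttl=1,proto=1" with the 8-byte payload above;
# 10.0.0.1 and 10.0.0.2 are placeholder addresses.
SAMPLE = build_ipv4_header("10.0.0.1", "10.0.0.2", proto=1, ttl=1, dscp=46, payload_len=8)

if __name__ == "__main__":
    print(S := SAMPLE.hex(), decode_tos(SAMPLE), header_checksum_ok(SAMPLE))
```

       DSCP 46 gives ToS byte 0xb8 with both ECN bits clear; for the sample
       addresses the computed checksum is 0xa527, and writing 0 there instead
       makes header_checksum_ok fail, which is exactly what a kernel or a
       router does with such a packet.
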
   `-- UDP:
       mausezahn supports easy UDP datagram generation. Simply specify the
       destination address (-B option) and optionally an arbitrary source
       address (-A option) and as arguments you may specify the port numbers
       using the dp (destination port) and sp (source port) arguments and a
       payload. You can also easily specify a whole port range which will
       result in sending multiple packets. Here are some examples:

       Send test packets to the RTP port range:

         mausezahn eth0 -B 192.168.1.1 -t udp "dp=16384-32767, \
                          p=A1:00:CC:00:00:AB:CD:EE:EE:DD:DD:00"

       Send a DNS request as local broadcast (often a local router replies):

         mausezahn eth0 -t udp "dp=53,p=c5-2f-01-00-00-01-00-00-00-00-00-00-03-77-77-\
                                        77-03-78-79-7a-03-63-6f-6d-00-00-01-00-01"

       Additionally you may specify the length and checksum using the len and
       sum arguments (will be set correctly by default). Note: several
       protocols have the same arguments such as len (length) and sum
       (checksum). If you specified a UDP type packet (via -t udp) and want to
       modify the IP length, then use the alternate keywords iplen and ipsum.
       Also note that you must specify at least one L2 field which tells
       mausezahn to build everything without the help of your kernel (the
       kernel would not allow modifying the IP checksum and the IP length).

   `-- ICMP:
       mausezahn currently only supports the following ICMP methods: PING
       (echo request), Redirect (various types), Unreachable (various types).
       Additional ICMP types will be supported in future. Currently you would
       need to tailor them by yourself, e.g. using the IP packet builder
       (setting proto=1). Use mausezahn -t icmp help for help on currently
       implemented options.

   `-- TCP:
       mausezahn allows you to easily tailor any TCP packet. Similarly as with
       UDP you can specify source and destination port (ranges) using the sp
       and dp arguments. Then you can directly specify the desired flags
       using an "|" as delimiter if you want to specify multiple flags. For
       example, a SYN-Flood attack against host 1.1.1.1 using a random source
       IP address and periodically using all 1023 well-known ports could be
       created via:

         mausezahn eth0 -A rand -B 1.1.1.1 -c 0 -t tcp "dp=1-1023, flags=syn" \
                        -P "Good morning! This is a SYN Flood Attack. \
                            We apologize for any inconvenience."

       Be careful with such SYN floods and only use them for firewall testing.
       Check your legal position! Remember that a host with an open TCP
       session only accepts packets with correct socket information (addresses
       and ports) and a valid TCP sequence number (SQNR). If you want to try a
       DoS attack by sending a RST-flood and you do NOT know the target's
       initial SQNR (which is normally the case) then you may want to sweep
       through a range of sequence numbers:

         mausezahn eth0 -A legal.host.com -B target.host.com \
                        -t tcp "sp=80,dp=80,s=1-4294967295"

       Fortunately, the SQNR must match the target host's acknowledgement
       number plus the announced window size. Since the typical window size is
       something between 40000 and 65535 you are MUCH quicker when using an
       increment via the ds argument:

         mausezahn eth0 -A legal.host.com -B target.host.com \
                        -t tcp "sp=80, dp=80, s=1-4294967295, ds=40000"

       In the latter case mausezahn will only send 107375 packets instead of
       4294967295 (which results in a duration of approximately 1 second
       compared to 11 hours!). Of course you can tailor any TCP packet you
       like. As with other L4 protocols mausezahn builds a correct IP header
       but you can additionally access every field in the IP packet (also in
       the Ethernet frame).

   `-- DNS:
       mausezahn supports UDP-based DNS requests or responses. Typically you
       may want to send a query or an answer. As usual, you can modify every
       flag in the header. Here is an example of a simple query:

         mausezahn eth0 -B mydns-server.com -t dns "q=www.ibm.com"

       You can also create server-type messages:

         mausezahn eth0 -A spoofed.dns-server.com -B target.host.com \
                        -t dns "q=www.topsecret.com, a=172.16.1.1"

       The syntax according to the online help (-t dns help) is:

         query|q = <name>[:<type>]  ............. where type is per default "A"
                                                  (and class is always "IN")
         answer|a = [<type>:<ttl>:]<rdata> ...... ttl is per default 0.
                  = [<type>:<ttl>:]<rdata>/[<type>:<ttl>:]<rdata>/...

       Note: If you only use the 'query' option then a query is sent. If you
       additionally add an 'answer' then an answer is sent. Examples:

         q = www.xyz.com
         q = www.xyz.com, a=192.168.1.10
         q = www.xyz.com, a=A:3600:192.168.1.10
         q = www.xyz.com, a=CNAME:3600:abc.com/A:3600:192.168.1.10

       Please try out mausezahn -t dns help to see the many other optional
       command line options.

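       The following Python is an added example and not mausezahn code. It
       connects the raw hex DNS payload of the UDP section with the q=/a=
       syntax of this section: it decodes that payload (transaction id, flags,
       question) and encodes a query and a response from the page's own
       notation, so the q=/a= examples above can be checked byte for byte.
       It handles only A and CNAME records, no name compression, and assumes
       that every answer RR is owned by the queried name, which the manual
       page does not specify. The function names are my own.

```python
import ipaddress
import struct

# Hex payload of the "DNS request as local broadcast" example above (copied here).
PAGE_QUERY_HEX = ("c5-2f-01-00-00-01-00-00-00-00-00-00-03-77-77-77-"
                  "03-78-79-7a-03-63-6f-6d-00-00-01-00-01")

RR_TYPES = {"A": 1, "CNAME": 5}
RR_NAMES = {v: k for k, v in RR_TYPES.items()}


def encode_name(name: str) -> bytes:
    """Length-prefixed labels terminated by a zero byte (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not handled in this example")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def parse_answer_spec(spec: str) -> list:
    """Parse a=[<type>:<ttl>:]<rdata>[/...]: type defaults to A and ttl to 0."""
    rrs = []
    for item in spec.split("/"):
        parts = item.split(":")
        if len(parts) == 1:
            rrs.append(("A", 0, parts[0]))
        elif len(parts) == 3:
            rrs.append((parts[0].upper(), int(parts[1]), parts[2]))
        else:
            raise ValueError(f"bad answer spec {item!r}")
    return rrs


def build_dns(txid: int, qname: str, qtype: str = "A", answers=()) -> bytes:
    """A query (RD set) when answers is empty, otherwise a response that
    carries them. Assumption: every answer RR is owned by the queried name."""
    flags = 0x8180 if answers else 0x0100
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", RR_TYPES[qtype], 1)
    for rtype, ttl, rdata in answers:
        data = ipaddress.IPv4Address(rdata).packed if rtype == "A" else encode_name(rdata)
        msg += encode_name(qname) + struct.pack("!HHIH", RR_TYPES[rtype], 1, ttl, len(data)) + data
    return msg


def decode_dns(msg: bytes) -> dict:
    """Decode header, question and answer sections of an uncompressed message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, RR_NAMES.get(qtype, qtype), qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1:
            rdata = str(ipaddress.IPv4Address(msg[off:off + rdlen]))
        elif rtype == 5:
            rdata, _ = decode_name(msg, off)
        else:
            rdata = msg[off:off + rdlen]
        off += rdlen
        answers.append((name, RR_NAMES.get(rtype, rtype), ttl, rdata))
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}


if __name__ == "__main__":
    print(decode_dns(bytes.fromhex(PAGE_QUERY_HEX.replace("-", ""))))
```

       The hex payload from the UDP section decodes to transaction id 0xc52f,
       flags 0x0100 (recursion desired) and one question for www.xyz.com,
       type A, class IN, and build_dns reproduces those 29 bytes exactly from
       "q=www.xyz.com".
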
   `-- RTP and VoIP path measurements:
       mausezahn can send arbitrary Real Time Protocol (RTP) packets. By
       default a classical G.711 codec packet of 20 ms segment size and 160
       bytes is assumed. You can measure jitter, packet loss, and reordering
       along a path between two hosts running mausezahn. The jitter
       measurement is either done following the variance low-pass filtered
       estimation specified in RFC 3550 or using an alternative "real-time"
       method which is even more precise (the RFC method is used by default).
       For example on Host1 you start a transmission process:

         mausezahn -t rtp -B 192.168.1.19

       And on Host2 (192.168.1.19) a receiving process which performs the
       measurement:

         mausezahn -T rtp

       Note that the option flag with the capital "T" means that it is a
       server RTP process, waiting for incoming RTP packets from any mausezahn
       source. In case you want to restrict the measurement to a specific
       source or you want to perform a bidirectional measurement, you must
       specify a stream identifier. Here is an example for bidirectional
       measurements which logs the running jitter average in a file:

         Host1# mausezahn -t rtp id=11:11:11:11 -B 192.168.2.2 &
         Host1# mausezahn -T rtp id=22:22:22:22 "log, path=/tmp/mz/"

         Host2# mausezahn -t rtp id=22:22:22:22 -B 192.168.1.1 &
         Host2# mausezahn -T rtp id=11:11:11:11 "log, path=/tmp/mz/"

       In any case the measurements are printed continuously onto the screen;
       by default it looks like this:

         0.00                     0.19                      0.38                      0.57
         |-------------------------|-------------------------|-------------------------|
         #########  0.07 msec
         ####################  0.14 msec
         ##  0.02 msec
         ###  0.02 msec
         #########  0.07 msec
         ####  0.03 msec
         #########  0.07 msec
         #############  0.10 msec
         ##  0.02 msec
         ###########################################  0.31 msec
         #########  0.07 msec
         ##############################################  0.33 msec
         ###############  0.11 msec
         ##########  0.07 msec
         ###############  0.11 msec
         ##########################################################  0.42 msec
         #####  0.04 msec

       More information is shown using the txt keyword:

         mausezahn -T rtp txt
         Got 100 packets from host 192.168.0.3: 0 lost (0 absolute lost), 1 out of order
           Jitter_RFC (low pass filtered) = 30 usec
           Samples jitter (min/avg/max)   = 1/186/2527 usec
           Delta-RX (min/avg/max)         = 2010/20167/24805 usec
         Got 100 packets from host 192.168.0.3: 0 lost (0 absolute lost), 1 out of order
           Jitter_RFC (low pass filtered) = 17 usec
           Samples jitter (min/avg/max)   = 1/53/192 usec
           Delta-RX (min/avg/max)         = 20001/20376/20574 usec
         Got 100 packets from host 192.168.0.3: 0 lost (0 absolute lost), 1 out of order
           Jitter_RFC (low pass filtered) = 120 usec
           Samples jitter (min/avg/max)   = 0/91/1683 usec
           Delta-RX (min/avg/max)         = 18673/20378/24822 usec

       See mausezahn -t rtp help and mz -T rtp help for more details.

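       The "Jitter_RFC (low pass filtered)" figure above is the interarrival
       jitter estimator of RFC 3550, section 6.4.1, and the "lost" and "out of
       order" counters come from the RTP sequence numbers. The following
       Python is an added example (not mausezahn's implementation) that
       computes both over a constructed 20 ms stream, so the numbers in the
       txt output can be reproduced by hand. It ignores 16-bit sequence
       wraparound, and the sample values and function names are my own.

```python
from dataclasses import dataclass


@dataclass
class RtpSample:
    seq: int         # RTP sequence number
    sent_usec: int   # sender timestamp converted to microseconds
    recv_usec: int   # local arrival time in microseconds


def rfc3550_jitter(samples, gain: int = 16) -> float:
    """Interarrival jitter estimate from RFC 3550 section 6.4.1:
    D(i-1,i) = (R_i - R_(i-1)) - (S_i - S_(i-1)),  J_i = J_(i-1) + (|D| - J_(i-1)) / 16.
    Samples are processed in arrival order, as a receiver sees them."""
    jitter, prev = 0.0, None
    for s in samples:
        if prev is not None:
            d = (s.recv_usec - prev.recv_usec) - (s.sent_usec - prev.sent_usec)
            jitter += (abs(d) - jitter) / gain
        prev = s
    return jitter


def loss_and_reorder(samples) -> dict:
    """Count lost and out-of-order packets from sequence numbers (16-bit
    wraparound deliberately ignored). A packet is out of order when its
    sequence number is lower than the highest one seen before it."""
    seqs = [s.seq for s in samples]
    expected = max(seqs) - min(seqs) + 1
    received = len(set(seqs))
    highest, out_of_order = None, 0
    for q in seqs:
        if highest is not None and q < highest:
            out_of_order += 1
        highest = q if highest is None else max(highest, q)
    return {"expected": expected, "received": received,
            "lost": expected - received, "out_of_order": out_of_order}


# Constructed 20 ms G.711-style stream: the second and third packets arrive
# 1.6 ms late, the fourth is on time again.
SAMPLES = [
    RtpSample(1, 0, 0),
    RtpSample(2, 20000, 21600),
    RtpSample(3, 40000, 41600),
    RtpSample(4, 60000, 60000),
]
# Constructed sequence with one packet missing and one delivered late.
REORDERED = [RtpSample(i, 20000 * i, 20000 * i) for i in (1, 2, 3, 5, 4, 7)]

if __name__ == "__main__":
    print(f"Jitter_RFC = {rfc3550_jitter(SAMPLES):.3f} usec")
    print(loss_and_reorder(REORDERED))
```

       For the constructed stream the estimate moves 0 -> 100 -> 93.75 ->
       187.89 usec: each step pulls the running value one sixteenth of the way
       towards the latest |D|, which is why a single late packet shows up only
       gradually in the low-pass filtered figure but immediately in the
       "Samples jitter" maximum.
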
   `-- Syslog:
       The traditional Syslog protocol is widely used even in professional
       networks and is sometimes vulnerable. For example you might insert
       forged Syslog messages by spoofing your source address (e.g.
       impersonate the address of a legit network device):

         mausezahn -t syslog sev=3 -P "You have been mausezahned." -A 10.1.1.109 -B 192.168.7.7

       See mausezahn -t syslog help for more details.


NOTE

       When multiple ranges are specified, e.g. destination port ranges and
       destination address ranges, then all possible combinations of ports and
       addresses are used for packet generation. Furthermore, this can be
       mixed with other ranges, e.g. a TCP sequence number range. Note that
       combining ranges can lead to a very large number of frames to be sent.
       As a rule of thumb you can assume that about 100,000 frames and more
       are sent in a fraction of one second, depending on your network
       interface.

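       Before starting a run it pays to know how many frames a combination of
       ranges expands to. The following Python is an added example (my own,
       not part of mausezahn) that counts the values of a start-end range
       with an increment, of the -A/-B address forms and of a port range,
       multiplies them as the note above describes, and converts the total to
       seconds with the 100,000 frames per second rule of thumb. It reproduces
       the 107375 packets of the ds=40000 sweep in the TCP section. It assumes
       that every address of a CIDR block, network and broadcast included, is
       used; the function names are mine.

```python
import ipaddress
import math

FRAMES_PER_SECOND = 100_000   # the rule-of-thumb rate stated in the note above


def count_range(start: int, end: int, step: int = 1) -> int:
    """Values visited by a start-end range with increment step,
    e.g. s=1-4294967295 with ds=40000."""
    if step < 1 or end < start:
        raise ValueError("need start <= end and step >= 1")
    return (end - start) // step + 1


def count_ip_spec(spec: str) -> int:
    """Addresses in a -A/-B argument: single host, a.b.c.d/NN or a.b.c.d-e.f.g.h.
    Assumption: every address of a CIDR block (network and broadcast included) counts."""
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False).num_addresses
    if "-" in spec:
        lo, hi = (int(ipaddress.IPv4Address(p)) for p in spec.split("-", 1))
        return count_range(lo, hi)
    return 1


def count_port_spec(spec: str) -> int:
    """Ports in a dp=/sp= argument such as 1-1023 or 16384-32767."""
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return count_range(lo, hi)
    return 1


def total_frames(*counts: int) -> int:
    """All ranges combine as a Cartesian product, as the note above states."""
    return math.prod(counts)


def estimated_seconds(frames: int, rate: int = FRAMES_PER_SECOND) -> float:
    return frames / rate


if __name__ == "__main__":
    sweep = count_range(1, 4294967295, 40000)
    print(f"ds=40000 sweep: {sweep} packets, about {estimated_seconds(sweep):.1f} s")
    combo = total_frames(count_ip_spec("192.168.0.0/24"), count_port_spec("1-1023"))
    print(f"/24 x 1-1023 ports: {combo} frames, about {estimated_seconds(combo):.1f} s")
```

       The full sequence-number sweep is 4294967295 frames, roughly 11 hours
       at the rule-of-thumb rate, while the ds=40000 sweep is 107375 frames,
       about one second, matching the figures in the TCP section. A /24 times
       the 1023 well-known ports is already 261888 frames.
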
       mausezahn has been designed as a fast traffic generator so you might
       easily overwhelm a LAN segment with myriads of packets. And because
       mausezahn could also support security audits it is possible to create
       malicious or invalid packets, SYN floods, port and address sweeps, DNS
       and ARP poisoning, etc.

       Therefore, don't use this tool when you are not aware of the possible
       consequences or have only a little knowledge about networks and data
       communication. If you abuse mausezahn for 'unallowed' attacks and get
       caught, or damage something of your own, then this is completely your
       fault. So the safest solution is to try it out in a lab environment.

       Also have a look at the netsniff-ng(8) note section on how you can
       properly setup and tune your system.

       mausezahn is licensed under the GNU GPL version 2.0.


HISTORY

       mausezahn was originally written by Herbert Haas. According to his
       website [1], he unfortunately passed away in 2011 thus leaving this
       tool unmaintained. It has been adopted and integrated into the
       netsniff-ng toolkit and is further being maintained and developed from
       there. Maintainers are Tobias Klauser <tklauser@distanz.ch> and Daniel
       Borkmann <dborkma@tik.ee.ethz.ch>.

         [1] http://www.perihel.at/


SEE ALSO

       netsniff-ng(8), trafgen(8), ifpps(8), bpfc(8), flowtop(8),
       astraceroute(8), curvetun(8)


AUTHOR

       Manpage was written by Herbert Haas and modified by Daniel Borkmann.


COLOPHON

       This page is part of the Linux netsniff-ng toolkit project. A
       description of the project, and information about reporting bugs, can
       be found at http://netsniff-ng.org/.



Linux                            03 March 2013                    MAUSEZAHN(8)