MAUSEZAHN(8)                  netsniff-ng toolkit                  MAUSEZAHN(8)

mausezahn - a fast versatile packet generator with Cisco-cli

mausezahn { [options] "<arg-string> | <hex-string>" }

mausezahn is a fast traffic generator which allows you to send nearly
every possible and impossible packet. In contrast to trafgen(8),
mausezahn's packet configuration is on a protocol-level instead of
byte-level and mausezahn also comes with a built-in Cisco-like
command-line interface, making it suitable as a network traffic
generator box in your network lab.

Next to network labs, it can also be used as a didactical tool and for
security audits including penetration and DoS testing. As a traffic
generator, mausezahn is also able to test IP multicast or VoIP
networks. Packet rates close to the physical limit are reachable,
depending on the hardware platform.

mausezahn supports two modes, ''direct mode'' and a multi-threaded
''interactive mode''.

The ''direct mode'' allows you to create a packet directly on the
command line and every packet parameter is specified in the argument
list when calling mausezahn.

The ''interactive mode'' is an advanced multi-threaded configuration
mode with its own command line interface (CLI). This mode allows you to
create an arbitrary number of packet types and streams in parallel,
each with different parameters.

The interactive mode utilizes a completely redesigned and more flexible
protocol framework called ''mops'' (mausezahn's own packet system). The
look and feel of the CLI is very close to the Cisco IOS(tm) command
line interface.

You can start the interactive mode by executing mausezahn with the
''-x'' argument (an optional port number may follow, otherwise it is
25542). Then use telnet(1) to connect to this mausezahn instance. If
not otherwise specified, the default login and password combination is
mz:mz and the enable password is: mops. This can be changed in
/etc/netsniff-ng/mausezahn.conf.

The direct mode supports two specification schemes: The ''raw-layer-2''
scheme, where every single byte to be sent can be specified, and
''higher-layer'' scheme, where packet builder interfaces are used
(using the ''-t'' option).

To use the ''raw-layer-2'' scheme, simply specify the desired frame as
a hexadecimal sequence (the ''hex-string''), such as:

    mausezahn eth0 "00:ab:cd:ef:00 00:00:00:00:00:01 08:00 ca:fe:ba:be"

In this example, whitespaces within the byte string are optional and
separate the Ethernet fields (destination and source address, type
field, and a short payload). The only additional options supported are
''-a'', ''-b'', ''-c'', and ''-p''. The frame length must be greater
than or equal to 15 bytes.

The ''higher-layer'' scheme is enabled using the ''-t <packet-type>''
option. This option activates a packet builder, and besides the
''packet-type'', an optional ''arg-string'' can be specified. The
''arg-string'' contains packet-specific parameters, such as TCP flags,
port numbers, etc. (see example section).

mausezahn provides a built-in context-specific help. Append the keyword
''help'' after the configuration options. The most important options
are:

-x [<port>]
    Start mausezahn in interactive mode with a Cisco-like CLI. Use
    telnet to log into the local mausezahn instance. If no port has
    been specified, port 25542 is used by default.

-6
    Specify IPv6 mode (IPv4 is the default).

-l <IP>
    Specify the IP address mausezahn should bind to when in interactive
    mode, default: 0.0.0.0.

-R <PRIO>
    Set priority of sent packets. This configures SO_PRIORITY at the
    socket through which the packets are sent. Usual priority numbers
    are 0..15, but the value can also be a class ID for purposes of
    Qdisc classification. In that case, a class ID such as 1234:5678
    would be specified as 0x12345678.

-v
    Verbose mode. Capital -V is even more verbose.

-S
    Simulation mode, i.e. don't put anything on the wire. This is
    typically combined with the verbose mode.

-q
    Quiet mode where only warnings and errors are displayed.

-c <count>
    Send the packet count times (default: 1, infinite: 0).

-d <delay>
    Apply delay between transmissions. The delay value can be specified
    in usec (default, no additional unit needed), or in msec (e.g. 100m
    or 100msec), or in seconds (e.g. 100s or 100sec). Note: mops also
    supports nanosecond delay resolution if you need it (see
    interactive mode).

-r
    Multiply the specified delay with a random value.

-p <length>
    Pad the raw frame to specified length using zero bytes. Note that
    for raw layer 2 frames the specified length defines the whole frame
    length, while for higher layer packets the number of additional
    padding bytes are specified.

-a <src-mac|keyword>
    Use specified source MAC address with hexadecimal notation such as
    00:00:aa:bb:cc:dd. By default the interface MAC address will be
    used. The keywords ''rand'' and ''own'' refer to a random MAC
    address (only unicast addresses are created) and the own address,
    respectively. You can also use the keywords mentioned below
    although broadcast-type source addresses are officially invalid.

-b <dst-mac|keyword>
    Use specified destination MAC address. By default, a broadcast is
    sent in raw layer 2 mode or to the destination hosts or gateway
    interface MAC address in normal (IP) mode. You can use the same
    keywords as mentioned above, as well as ''bc'' or ''bcast'',
    ''cisco'', and ''stp''.

-A <src-ip|range|rand>
    Use specified source IP address, default is own interface address.
    Optionally, the keyword ''rand'' can again be used for a random
    source IP address or a range can be specified, such as
    ''192.168.1.1-192.168.1.100'' or ''10.1.0.0/16''. Also, a DNS name
    can be specified for which mausezahn tries to determine the
    corresponding IP address automatically.

-B <dst-ip|range>
    Use specified destination IP address (default is broadcast i.e.
    255.255.255.255). As with the source address (see above) you can
    also specify a range or a DNS name.

-t <packet-type [help] | help>
    Create the specified packet type using the built-in packet builder.
    Currently, supported packet types are: ''arp'', ''bpdu'', ''ip'',
    ''udp'', ''tcp'', ''rtp'', and ''dns''. Currently, there is also
    limited support for ''icmp''. Type ''-t help'' to verify which
    packet builders your actual mausezahn version supports. Also, for
    any particular packet type, for example ''tcp'', type
    ''mausezahn -t tcp help'' to receive a more in-depth context
    specific help.

-T <packet-type>
    Make this mausezahn instance the receiving station. Currently, only
    ''rtp'' is an option here and provides precise jitter measurements.
    For this purpose, start another mausezahn instance on the sending
    station and the local receiving station will output jitter
    statistics. See ''mausezahn -T rtp help'' for a detailed help.

-Q <[CoS:]vlan> [, <[CoS:]vlan>, ...]
    Specify 802.1Q VLAN tag and optional Class of Service. An arbitrary
    number of VLAN tags can be specified (that is, you can simulate
    QinQ or even QinQinQinQ..). Multiple tags must be separated via a
    comma or a period (e.g. "5:10,20,2:30"). VLAN tags are not
    supported for ARP and BPDU packets (in which case you could specify
    the whole frame in hexadecimal using the raw layer 2 interface of
    mausezahn).

-M <label[:cos[:ttl]][bos]> [, <label...>]
    Specify a MPLS label or even a MPLS label stack. Optionally, for
    each label the experimental bits (usually the Class of Service,
    CoS) and the Time To Live (TTL) can be specified. If you are really
    crazy you can set and unset the Bottom of Stack (BoS) bit for each
    label using the ''S'' (set) and ''s'' (unset) option. By default,
    the BoS is set automatically and correctly. Any other setting will
    lead to invalid frames. Enter ''-M help'' for detailed instructions
    and examples.

-P <ascii-payload>
    Specify a cleartext payload. Alternatively, each packet type
    supports a hexadecimal specification of the payload (see for
    example ''-t udp help'').

-f <filename>
    Read the ASCII payload from the specified file.

-F <filename>
    Read the hexadecimal payload from the specified file. Actually,
    this file must be also an ASCII text file, but must contain
    hexadecimal digits, e.g. "aa:bb:cc:0f:e6...". You can use also
    spaces as separation characters.

For more comprehensive examples, have a look at the two following HOWTO
sections.

mausezahn eth0 -c 0 -d 2s -t bpdu vlan=5
    Send BPDU frames for VLAN 5 as used with Cisco's PVST+ type of STP.
    By default mausezahn assumes that you want to become the root
    bridge.

mausezahn eth0 -c 128000 -a rand -p 64
    Perform a CAM table overflow attack.

mausezahn eth0 -c 0 -Q 5,100 -t tcp flags=syn,dp=1-1023 -p 20 -A rand \
    -B 10.100.100.0/24
    Perform a SYN flood attack to another VLAN using VLAN hopping. This
    only works if you are connected to the same VLAN which is
    configured as native VLAN on the trunk. We assume that the victim
    VLAN is VLAN 100 and the native VLAN is VLAN 5. Let's attack every
    host in VLAN 100 that uses an IP prefix of 10.100.100.0/24, also
    try out all ports between 1 and 1023 and use a random source IP
    address.

mausezahn eth0 -c 0 -d 10msec -B 230.1.1.1 -t udp dp=32000,dscp=46 \
    -P "Multicast test packet"
    Send IP multicast packets to the multicast group 230.1.1.1 using a
    UDP header with destination port 32000 and set the IP DSCP field to
    EF (46). Send one frame every 10 msec.

mausezahn eth0 -Q 6:420 -M 100,200,300:5 -A 172.30.0.0/16 \
    -B target.anynetwork.foo -t udp sp=666,dp=1-65535 -p 1000 -c 10
    Send UDP packets to the destination host target.anynetwork.foo
    using all possible destination ports and send every packet with all
    possible source addresses of the range 172.30.0.0/16; additionally
    use a source port of 666 and three MPLS labels, 100, 200, and 300,
    the outer (300) with QoS field 5. Send the frame with a VLAN tag
    420 and CoS 6; eventually pad with 1000 bytes and repeat the whole
    thing 10 times.

mausezahn -t syslog sev=3 -P "Main reactor reached critical temperature." \
    -A 192.168.33.42 -B 10.1.1.9 -c 6 -d 10s
    Send six forged syslog messages with severity 3 to a Syslog server
    10.1.1.9; use a forged source IP address 192.168.33.42 and let
    mausezahn decide which local interface to use. Use an inter-packet
    delay of 10 seconds.

mausezahn -t tcp "flags=syn|urg|rst, sp=145, dp=145, win=0, s=0-4294967295, ds=1500, urg=666" \
    -a bcast -b bcast -A bcast -B 10.1.1.6 -p 5
    Send an invalid TCP packet with only a 5 byte payload as layer-2
    broadcast and also use the broadcast MAC address as source address.
    The target should be 10.1.1.6 but use a broadcast source address.
    The source and destination port shall be 145 and the window size 0.
    Set the TCP flags SYN, URG, and RST simultaneously and sweep
    through the whole TCP sequence number space with an increment of
    1500. Finally set the urgent pointer to 666, i.e. pointing to
    nowhere.

When mausezahn is run in interactive mode it automatically looks for
and reads a configuration file located at
/etc/netsniff-ng/mausezahn.conf for custom options if the file is
available, otherwise it uses defaults set at compile time.

Config file: /etc/netsniff-ng/mausezahn.conf
The configuration file contains lines of the form:

    option = value

Options supported in the configuration file are:

    Option:           Description:

    user              Username for authentication (default: mz)
    password          Password for authentication (default: mz)
    enable            Password to enter privilege mode (default: mops)
    port              The listening port for the CLI (default: 25542)
    listen-addr       IP address to bind CLI to (default: 0.0.0.0)
    management-only   Set management interface (no data traffic is
                      allowed to pass through)
    cli-device        Interface to bind CLI to (default: all) *not fully
                      implemented*
    automops          Path to automops file (contains XML data describing
                      protocols) *in development*

Example:

    $ cat /etc/netsniff-ng/mausezahn.conf
    user = mzadmin
    password = mzpasswd
    enable = privilege-mode-passwd
    port = 65000
    listen-addr = 127.0.0.1

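The following is an added example, not part of the mausezahn distribution: it parses the option = value format described above, falls back to the documented defaults for anything left unset, and reports default credentials and a telnet CLI bound beyond loopback. The function names and the skipping of lines without '=' are assumptions of this example.

```python
import ipaddress

# Defaults as documented in the option table of this manual.
DEFAULTS = {
    "user": "mz",
    "password": "mz",
    "enable": "mops",
    "port": "25542",
    "listen-addr": "0.0.0.0",
}

# The example configuration shown in this manual.
PAGE_EXAMPLE = """\
user = mzadmin
password = mzpasswd
enable = privilege-mode-passwd
port = 65000
listen-addr = 127.0.0.1
"""


def parse_conf(text):
    """Parse 'option = value' lines into a dict.

    Assumption: blank lines and lines without '=' are skipped.
    """
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(text):
    """Return findings for the effective CLI settings (file values over defaults)."""
    effective = dict(DEFAULTS)
    effective.update(parse_conf(text))
    findings = []

    # Credentials left at the values printed in the manual.
    for key in ("user", "password", "enable"):
        if effective[key] == DEFAULTS[key]:
            findings.append(f"{key}: still the documented default")

    # One secret protecting both login and privilege mode.
    if effective["password"] == effective["enable"]:
        findings.append("enable: identical to the login password")

    # The CLI is reached over telnet, so anything beyond loopback
    # exposes the login exchange to the network in cleartext.
    try:
        addr = ipaddress.ip_address(effective["listen-addr"])
    except ValueError:
        findings.append("listen-addr: not a valid IP address")
    else:
        if addr.is_unspecified:
            findings.append("listen-addr: CLI listens on every interface")
        elif not addr.is_loopback:
            findings.append("listen-addr: CLI reachable beyond loopback")
    return findings


if __name__ == "__main__":
    for label, text in (("no config file", ""), ("page example", PAGE_EXAMPLE)):
        print(label, "->", audit(text) or "no findings")
```
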
Telnet:
Using the interactive mode requires starting mausezahn as a server:

    # mausezahn -x

Now you can telnet(1) to that server using the default port number
25542, but also an arbitrary port number can be specified:

    # mausezahn -x 99
    mausezahn accepts incoming telnet connections on port 99.
    mz: Problems opening config file. Will use defaults

Either from another terminal or from another host try to telnet to the
mausezahn server:

    caprica$ telnet galactica 99
    Trying 192.168.0.4...
    Connected to galactica.
    Escape character is '^]'.
    mausezahn <version>

    Username: mz
    Password: mz

    mz> enable
    Password: mops
    mz#

It is recommended to configure your own login credentials in
/etc/netsniff-ng/mausezahn.conf (see configuration file section).

Basics:
Since you reached the mausezahn prompt, let's try some common commands.
You can use the '?' character at any time for context-specific help.
Note that Cisco-like short forms of commands are accepted in
interactive mode. For example, one can use "sh pac" instead of "show
packet"; another common example is to use "config t" in place of
"configure terminal". For readability, this manual will continue with
the full commands.

First try out the show command:

    mz# show ?

mausezahn maintains its own ARP table and observes anomalies. There is
an entry for every physical interface (however this host has only one):

    mz# show arp
    Intf   Index   IP address    MAC address        last      Ch  UCast  BCast  Info
    ----------------------------------------------------------------------------------
    eth0   [1] D   192.168.0.1   00:09:5b:9a:15:84  23:44:41   1      1      0  0000

The column Ch tells us that the announced MAC address has only changed
one time (= when it was learned). The columns UCast and BCast tell us
how often this entry was announced via unicast or broadcast
respectively.

Let's check our interfaces:

    mz# show interface
    Available network interfaces:
                real           real                used (fake)    used (fake)
      device    IPv4 address   MAC address         IPv4 address   MAC address
    ---------------------------------------------------------------------------------------
    > eth0      192.168.0.4    00:30:05:76:2e:8d   192.168.0.4    00:30:05:76:2e:8d
      lo        127.0.0.1      00:00:00:00:00:00   127.0.0.1      00:00:00:00:00:00
    2 interfaces found.
    Default interface is eth0.

Defining packets:
Let's check the current packet list:

    mz# show packet
    Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=UDP, T=TCP
    PktID  PktName           Layers  Proto  Size  State     Device  Delay      Count/CntX
        1  sysARP_servic...  E-----  ARP      60  config    lo      100 msec   1/0 (100%)
    1 packets defined, 0 active.

We notice that there is already one system-defined packet process; it
has been created and used only once (during startup) by mausezahn's ARP
service. Currently, its state is config which means that the process
is sleeping.

General packet options:
Now let's create our own packet process and switch into the global
configuration mode:

    mz# configure terminal
    mz(config)# packet
    Allocated new packet PKT0002 at slot 2
    mz(config-pkt-2)# ?
    ...
    name          Assign a unique name
    description   Assign a packet description text
    bind          Select the network interface
    count         Configure the packet count value
    delay         Configure the inter-packet delay
    interval      Configure a greater interval
    type          Specify packet type
    mac           Configure packet's MAC addresses
    tag           Configure tags
    payload       Configure a payload
    port          Configure packet's port numbers
    end           End packet configuration mode
    ethernet      Configure frame's Ethernet, 802.2, 802.3, or SNAP settings
    ip            Configure packet's IP settings
    udp           Configure packet's UDP header parameters
    tcp           Configure packet's TCP header parameters

Here are a lot of options but normally you only need a few of them.
When you configure lots of different packets you might assign a
reasonable name and description for them:

    mz(config-pkt-2)# name Test
    mz(config-pkt-2)# description This is just a test

You can, for example, change the default settings for the source and
destination MAC or IP addresses using the mac and ip commands:

    mz(config-pkt-2)# ip address destination 10.1.1.0 /24
    mz(config-pkt-2)# ip address source random

In the example above, we configured a range of addresses (all hosts in
the network 10.1.1.0 should be addressed). Additionally we spoof our
source IP address. Of course, we can also add one or more VLAN and, or,
MPLS tag(s):

    mz(config-pkt-2)# tag ?
    dot1q   Configure 802.1Q (and 802.1P) parameters
    mpls    Configure MPLS label stack
    mz(config-pkt-2)# tag dot ?
    Configure 802.1Q tags:
    VLAN[:CoS] [VLAN[:CoS]] ...   The leftmost tag is the outer tag in the frame
    remove <tag-nr> | all         Remove one or more tags (<tag-nr> starts with 1),
                                  by default the first (=leftmost,outer) tag is removed,
                                  keyword 'all' can be used instead of tag numbers.
    cfi | nocfi [<tag-nr>]        Set or unset the CFI-bit in any tag (by default
                                  assuming the first tag).
    mz(config-pkt-2)# tag dot 1:7 200:5

Configure count and delay:

    mz(config-pkt-2)# count 1000
    mz(config-pkt-2)# delay ?
    delay <value> [hour | min | sec | msec | usec | nsec]

Specify the inter-packet delay in hours, minutes, seconds,
milliseconds, microseconds or nanoseconds. The default unit is
milliseconds (i.e. when no unit is given).

    mz(config-pkt-2)# delay 1 msec
    Inter-packet delay set to 0 sec and 1000000 nsec
    mz(config-pkt-2)#

Configuring protocol types:
mausezahn's interactive mode supports a growing list of protocols and
only relies on the MOPS architecture (and not on libnet as is the case
with the legacy direct mode):

    mz(config-pkt-2)# type
    Specify a packet type from the following list:
    arp
    bpdu
    igmp
    ip
    lldp
    tcp
    udp
    mz(config-pkt-2)# type tcp
    mz(config-pkt-2-tcp)#
    ....
    seqnr            Configure the TCP sequence number
    acknr            Configure the TCP acknowledgement number
    hlen             Configure the TCP header length
    reserved         Configure the TCP reserved field
    flags            Configure a combination of TCP flags at once
    cwr              Set or unset the TCP CWR flag
    ece              Set or unset the TCP ECE flag
    urg              Set or unset the TCP URG flag
    ack              set or unset the TCP ACK flag
    psh              set or unset the TCP PSH flag
    rst              set or unset the TCP RST flag
    syn              set or unset the TCP SYN flag
    fin              set or unset the TCP FIN flag
    window           Configure the TCP window size
    checksum         Configure the TCP checksum
    urgent-pointer   Configure the TCP urgent pointer
    options          Configure TCP options
    end              End TCP configuration mode
    mz(config-pkt-2-tcp)# flags syn fin rst
    Current setting is: --------------------RST-SYN-FIN
    mz(config-pkt-2-tcp)# end
    mz(config-pkt-2)# payload ascii This is a dummy payload for my first packet
    mz(config-pkt-2)# end

Now configure another packet, for example let's assume we want an LLDP
process:

    mz(config)# packet
    Allocated new packet PKT0003 at slot 3
    mz(config-pkt-3)# type lldp
    mz(config-pkt-3-lldp)# exit
    mz(config)# exit

In the above example we only use the default LLDP settings and don't
configure further LLDP options or TLVs. Back in the top level of the
CLI let's verify what we had done:

    mz# show packet
    Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=UDP, T=TCP
    PktID  PktName           Layers  Proto  Size  State     Device  Delay      Count/CntX
        1  sysARP_servic...  E-----  ARP      60  config    lo      100 msec   1/0 (100%)
        2  Test              E-Q-IT          125  config    eth0    1000 usec  1000/1000 (0%)
        3  PKT0003           E-----  LLDP     36  config    eth0    30 sec     0/0 (0%)
    3 packets defined, 0 active.

The column Layers indicates which major protocols have been combined.
For example the packet with packet-id 2 ("Test") utilizes Ethernet (E),
IP (I), and TCP (T). Additionally an 802.1Q tag (Q) has been inserted.
Now start one of these packet processes:

    mz# start slot 3
    Activate [3]
    mz# show packet
    Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=UDP, T=TCP
    PktID  PktName           Layers  Proto  Size  State     Device  Delay      Count/CntX
        1  sysARP_servic...  E-----  ARP      60  config    lo      100 msec   1/0 (100%)
        2  Test              E-Q-IT          125  config    eth0    1000 usec  1000/1000 (0%)
        3  PKT0003           E-----  LLDP     36  config    eth0    30 sec     0/1 (0%)
    3 packets defined, 1 active.

Let's have a more detailed look at a specific packet process:

    mz# show packet 2
    Packet [2] Test
    Description: This is just a test
    State: config, Count=1000, delay=1000 usec (0 s 1000000 nsec), interval= (undefined)
    Headers:
     Ethernet: 00-30-05-76-2e-8d => ff-ff-ff-ff-ff-ff [0800 after 802.1Q tag]
     Auto-delivery is ON (that is, the actual MAC is adapted upon transmission)
     802.1Q: 0 tag(s); (VLAN:CoS)
     IP:  SA=192.168.0.4 (not random) (no range)
          DA=255.255.255.255 (no range)
          ToS=0x00 proto=17 TTL=255 ID=0 offset=0 flags: -|-|-
          len=49664(correct) checksum=0x2e8d(correct)
     TCP: 83 bytes segment size (including TCP header)
          SP=0 (norange) (not random), DP=0 (norange) (not random)
          SQNR=3405691582 (start 0, stop 4294967295, delta 0) -- ACKNR=0 (invalid)
          Flags: ------------------------SYN----, reserved field is 00, urgent pointer= 0
          Announced window size= 100
          Offset= 0 (times 32 bit; value is valid), checksum= ffff (valid)
          (No TCP options attached) - 0 bytes defined
     Payload size: 43 bytes
     Frame size: 125 bytes
      1 ff:ff:ff:ff:ff:ff:00:30 05:76:2e:8d:81:00:e0:01 81:00:a0:c8:08:00:45:00 00:67:00:00:00:00:ff:06
     33 fa:e4:c0:a8:00:04:ff:ff ff:ff:00:00:00:00:ca:fe ba:be:00:00:00:00:a0:07 00:64:f7:ab:00:00:02:04
     65 05:ac:04:02:08:0a:19:35 90:c3:00:00:00:00:01:03 03:05:54:68:69:73:20:69 73:20:61:20:64:75:6d:6d
     97 79:20:70:61:79:6c:6f:61 64:20:66:6f:72:20:6d:79 20:66:69:72:73:74:20:70 61:63:6b:65:74
    mz#

If you want to stop one or more packet processes, use the stop command.
The "emergency stop" is when you use stop all:

    mz# stop all
    Stopping
    [3] PKT0003
    Stopped 1 transmission processe(s)

The launch command provides a shortcut for commonly used packet
processes. For example, to behave like an STP-capable bridge we want to
start a BPDU process with typical parameters:

    mz# launch bpdu
    Allocated new packet sysBPDU at slot 5
    mz# show packet
    Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=UDP, T=TCP
    PktID  PktName           Layers  Proto  Size  State     Device  Delay      Count/CntX
        1  sysARP_servic...  E-----  ARP      60  config    lo      100 msec   1/0 (100%)
        2  Test              E-Q-IT          125  config    eth0    1000 usec  1000/1000 (0%)
        3  PKT0003           E-----  LLDP     36  config    eth0    30 sec     0/12 (0%)
        4  PKT0004           E---I-  IGMP     46  config    eth0    100 msec   0/0 (0%)
        5  sysBPDU           ES----  BPDU     29  active    eth0    2 sec      0/1 (0%)
    5 packets defined, 1 active.

Now a Configuration BPDU is sent every 2 seconds, claiming to be the
root bridge (and usually confusing the LAN). Note that only packet 5
(i.e. the last row) is active and therefore sending packets while all
other packets are in state config (i.e. they have been configured but
they are not doing anything at the moment).

Configuring a greater interval:
Sometimes you may want to send a burst of packets at a greater
interval:

    mz(config)# packet 2
    Modify packet parameters for packet Test [2]
    mz(config-pkt-2)# interval
    Configure a greater packet interval in days, hours, minutes, or seconds
    Arguments: <value> <days | hours | minutes | seconds>
    Use a zero value to disable an interval.
    mz(config-pkt-2)# interval 1 hour
    mz(config-pkt-2)# count 10
    mz(config-pkt-2)# delay 15 usec
    Inter-packet delay set to 0 sec and 15000 nsec

Now this packet is sent ten times with an inter-packet delay of 15
microseconds and this is repeated every hour. When you look at the
packet list, an interval is indicated with the additional flag 'i' when
inactive or 'I' when active:

    mz# show packet
    Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=UDP, T=TCP
    PktID  PktName           Layers  Proto  Size  State     Device  Delay      Count/CntX
        1  sysARP_servic...  E-----  ARP      60  config    lo      100 msec   1/0 (100%)
        2  Test              E-Q-IT          125  config-i  eth0    15 usec    10/10 (0%)
        3  PKT0003           E-----  LLDP     36  config    eth0    30 sec     0/12 (0%)
        4  PKT0004           E---I-  IGMP     46  config    eth0    100 msec   0/0 (0%)
        5  sysBPDU           ES----  BPDU     29  active    eth0    2 sec      0/251 (0%)
    5 packets defined, 1 active.
    mz# start slot 2
    Activate [2]
    mz# show packet
    Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=UDP, T=TCP
    PktID  PktName           Layers  Proto  Size  State     Device  Delay      Count/CntX
        1  sysARP_servic...  E-----  ARP      60  config    lo      100 msec   1/0 (100%)
        2  Test              E-Q-IT          125  config+I  eth0    15 usec    10/0 (100%)
        3  PKT0003           E-----  LLDP     36  config    eth0    30 sec     0/12 (0%)
        4  PKT0004           E---I-  IGMP     46  config    eth0    100 msec   0/0 (0%)
        5  sysBPDU           ES----  BPDU     29  active    eth0    2 sec      0/256 (0%)
    5 packets defined, 1 active.

Note that the flag 'I' indicates that an interval has been specified
for packet 2. The process is not active at the moment (only packet 5 is
active here) but it will become active at a regular interval. You can
verify the actual interval when viewing the packet details via the
'show packet 2' command.

Load prepared configurations:
You can prepare packet configurations using the same commands as you
would type them in on the CLI and then load them to the CLI. For
example, assume we have prepared a file 'test.mops' containing:

    configure terminal
    packet
    name IGMP_TEST
    desc This is only a demonstration how to load a file to mops
    type igmp

Then we can add this packet configuration to our packet list using the
load command:

    mz# load test.mops
    Read commands from test.mops...
    Allocated new packet PKT0002 at slot 2
    mz# show packet
    Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=UDP, T=TCP
    PktID  PktName           Layers  Proto  Size  State     Device  Delay      Count/CntX
        1  sysARP_servic...  E-----  ARP      60  config    lo      100 msec   1/0 (100%)
        2  IGMP_TEST         E---I-  IGMP     46  config    eth0    100 msec   0/0 (0%)
    2 packets defined, 0 active.

The file src/examples/mausezahn/example_lldp.conf contains another
example list of commands to create a bogus LLDP packet. You can load
this configuration from the mausezahn command line as follows:

    mz# load /home/hh/tmp/example_lldp.conf

This assumes you copied the file to that path. Now when you enter 'show
packet' you will see a new packet entry in the packet list. Use the
'start slot <nr>' command to activate this packet.

You can store your own packet creations in such a file and easily load
them when you need them. Every command within such configuration files
is executed on the command line interface as if you had typed it in, so
be careful about the order and don't forget to use 'configure terminal'
as first command.

You can even load other files from within a central config file.

How to specify hexadecimal digits:
Many arguments allow direct byte input. Bytes are represented as two
hexadecimal digits. Multiple bytes must be separated either by spaces,
colons, or dashes - whichever you prefer. The following byte strings
are equivalent:

    "aa:bb cc-dd-ee ff 01 02 03-04 05"
    "aa bb cc dd ee ff:01:02:03:04 05"

To begin with, you may want to send an arbitrary fancy (possibly
invalid) frame right through your network card:

    mausezahn ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:08:00:ca:fe:ba:be

or equivalent but more readable:

    mausezahn ff:ff:ff:ff:ff:ff-ff:ff:ff:ff:ff:ff-08:00-ca:fe:ba:be
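
The following is an added example, not code from mausezahn: it parses the byte-string notation described above and decodes the Ethernet header and any stacked 802.1Q tags, using the first 24 bytes of the frame dumped by 'show packet 2' earlier (where 'tag dot 1:7 200:5' appears on the wire as 81:00:e0:01 81:00:a0:c8). The check for a double-tagged frame whose outer tag is the native VLAN is what a monitoring point would apply to the VLAN hopping case from the examples; the native VLAN number passed to it is an assumed site parameter.

```python
import re

ETH_P_8021Q = 0x8100  # TPID that introduces an 802.1Q tag

# First 24 bytes of the 'show packet 2' frame dump in this manual.
PAGE_FRAME = "ff:ff:ff:ff:ff:ff:00:30 05:76:2e:8d:81:00:e0:01 81:00:a0:c8:08:00:45:00"


def parse_hex_string(text):
    """Turn a byte string separated by spaces, colons or dashes into bytes."""
    tokens = [t for t in re.split(r"[ :\-]+", text.strip()) if t]
    for tok in tokens:
        # The manual requires two hex digits per byte and a separator between bytes.
        if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            raise ValueError(f"not a two-digit hex byte: {tok!r}")
    return bytes(int(tok, 16) for tok in tokens)


def mac(raw):
    """Format six raw bytes as a colon-separated MAC address."""
    return ":".join(f"{b:02x}" for b in raw)


def decode_frame(frame):
    """Decode destination, source, stacked 802.1Q tags, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header (14 bytes)")
    info = {"dst": mac(frame[0:6]), "src": mac(frame[6:12]), "tags": []}
    off = 12
    while int.from_bytes(frame[off:off + 2], "big") == ETH_P_8021Q:
        # A tag needs TPID (2) + TCI (2) and must be followed by a type field (2).
        if len(frame) < off + 6:
            raise ValueError("truncated 802.1Q tag")
        tci = int.from_bytes(frame[off + 2:off + 4], "big")
        info["tags"].append(
            {"vlan": tci & 0x0FFF, "cos": tci >> 13, "cfi": (tci >> 12) & 1}
        )
        off += 4
    info["ethertype"] = int.from_bytes(frame[off:off + 2], "big")
    info["payload"] = frame[off + 2:]
    return info


def double_tagged_on_native(info, native_vlan):
    """True if the frame carries two or more tags and the outer one is native_vlan.

    native_vlan is an assumed site parameter (the trunk's native VLAN).
    """
    tags = info["tags"]
    return len(tags) >= 2 and tags[0]["vlan"] == native_vlan


if __name__ == "__main__":
    decoded = decode_frame(parse_hex_string(PAGE_FRAME))
    print(decoded)
    print("double-tagged on native VLAN 1:", double_tagged_on_native(decoded, 1))
```
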

Basic operations:
All major command line options are listed when you execute mausezahn
without arguments. For practical usage, keep the following special (not
so widely known) options in mind:

    -r                   Multiplies the specified delay with a random value.
    -p <length>          Pad the raw frame to specified length (using
                         random bytes).
    -P <ASCII Payload>   Use the specified ASCII payload.
    -f <filename>        Read the ASCII payload from a file.
    -F <filename>        Read the hexadecimal payload from a file.
    -S                   Simulation mode: DOES NOT put anything on the wire.
                         This is typically combined with one of the verbose
                         modes (-v or -V).

Many options require a keyword or a number but the -t option is an
exception since it requires both a packet type (such as ip, udp, dns,
etc) and an argument string which is specific for that packet type.
Here are some simple examples:

    mausezahn -t help
    mausezahn -t tcp help
    mausezahn eth3 -t udp sp=69,dp=69,p=ca:fe:ba:be

Note: Don't forget that on the CLI the Linux shell (usually the Bash)
interprets spaces as a delimiting character. That is, if you are
specifying an argument that consists of multiple words with spaces in
between, you MUST group these within quotes. For example, instead of

    mausezahn eth0 -t udp sp=1, dp=80, p=00:11:22:33

you could either omit the spaces

    mausezahn eth0 -t udp sp=1,dp=80,p=00:11:22:33

or, for greater safety, use quotes:

    mausezahn eth0 -t udp "sp=1,dp=80,p=00:11:22:33"

In order to monitor what's going on, you can enable the verbose mode
using the -v option. The opposite is the quiet mode (-q) which will
keep mausezahn absolutely quiet (except for error messages and
warnings).

Don't confuse the payload argument p=... with the padding option -p.
The latter is used outside the quotes!

796 The automatic packet builder:
797 An important argument is -t which invokes a packet builder. Currently
798 there are packet builders for ARP, BPDU, CDP, IP, partly ICMP, UDP,
799 TCP, RTP, DNS, and SYSLOG. (Additionally you can insert a VLAN tag or a
800 MPLS label stack but this works independently of the packet builder.)
801
802 You get context specific help for every packet builder using the help
803 keyword, such as:
804
805 mausezahn -t bpdu help
806 mausezahn -t tcp help
807
808 For every packet you may specify an optional payload. This can be done
809 either via hexadecimal notation using the payload (or short p) argument
810 or directly as ASCII text using the -P option:
811
812 mausezahn eth0 -t ip -P "Hello World" # ASCII payload
814 mausezahn eth0 -t ip p=68:65:6c:6c:6f:20:77:6f:72:6c:64 # hex payload
815 # same with other IP arguments:
816 mausezahn eth0 -t ip "proto=89, \
817 p=68:65:6c:6c:6f:20:77:6f:72:6c:64, \
819 ttl=1"
821
822 Note: The raw link access mode only accepts hexadecimal payloads
823 (because you specify everything in hexadecimal here.)
824
825 Packet count and delay:
826 By default only one packet is sent. If you want to send more packets
827 then use the count option -c <count>. When count is zero then mausezahn
828 will send forever. By default, mausezahn sends at maximum speed (and
829 this is really fast ;-)). If you don't want to overwhelm your network
830 devices or have other reasons to send at a slower rate then you might
831 want to specify a delay using the -d <delay> option.
832
833 If you only specify a numeric value it is interpreted in microsecond
834 units. Alternatively, for easier use, you might specify units such as
835 seconds, sec, milliseconds, or msec. (You can also abbreviate this with
836 s or m.) Note: Don't use spaces between the value and the unit! Here
837 are typical examples:
838
839 Send an infinite number of frames as fast as possible:
840
841 mausezahn -c 0 "aa bb cc dd ...."
842
843 Send 100,000 frames with a 50 msec interval:
844
845 mausezahn -c 100000 -d 50msec "aa bb cc dd ...."
846
847 Send an unlimited number of BPDU frames in a 2 second interval:
848
849 mausezahn -c 0 -d 2s -t bpdu conf
850
851 Note: mausezahn does not support fractional numbers. If you want to
852 specify for example 2.5 seconds then express this in milliseconds (2500
853 msec).
854
855 Source and destination addresses:
856 As a mnemonic trick keep in mind that all packets run from "A" to "B".
857 You can always specify source and destination MAC addresses using the
858 -a and -b options, respectively. These options also allow keywords such
859 as rand, own, bpdu, cisco, and others.
860
861 Similarly, you can specify source and destination IP addresses using
862 the -A and -B options, respectively. These options also support FQDNs
863 (i.e. domain names) and ranges such as 192.168.0.0/24 or
864 10.0.0.11-10.0.3.22. Additionally, the source address option supports
865 the rand keyword (ideal for "attacks").
866
867 Note: When you use the packet builder for IP-based packets (e.g. UDP or
868 TCP) then mausezahn automatically cares about correct MAC and IP
869 addresses (i.e. it performs ARP, DHCP, and DNS for you). But when you
870 specify at least a single link-layer address (or any other L2 option
871 such as a VLAN tag or MPLS header) then ARP is disabled and you must
872 care for the Ethernet destination address for yourself.
873
874 Layer-2:
875 `-- Direct link access:
876 mausezahn allows you to send ANY chain of bytes directly through your
877 Ethernet interface:
878
879 mausezahn eth0 "ff:ff:ff:ff:ff:ff ff:ff:ff:ff:ff:ff 00:00 ca:fe:ba:be"
881
882 This way you can craft every packet you want but you must do it by
883 hand. Note: On Wi-Fi interfaces the header is much more complicated and
884 automatically created by the Wi-Fi driver. As an example to introduce
885 some interesting options, let's continuously send frames at max speed
886 with a random source MAC address and the broadcast destination address,
887 and additionally pad the frame to 1000 bytes:
888
889 mausezahn eth0 -c 0 -a rand -b bcast -p 1000 "08 00 aa bb cc dd"
890
891 The direct link access supports automatic padding using the -p <total
892 frame length> option. This allows you to pad a raw L2 frame to the
893 desired length. You must specify the total length, and the total frame
894 length must have at least 15 bytes for technical reasons. Zero bytes
895 are used for padding.
896
897 `-- ARP:
898 mausezahn provides a simple interface to the ARP packet. You can
899 specify the ARP method (request|reply) and up to four arguments: sendermac,
900 targetmac, senderip, targetip, or short smac, tmac, sip, tip. By
901 default, an ARP reply is sent with your own interface addresses as
902 source MAC and IP address, and a broadcast destination MAC and IP
903 address. Send a gratuitous ARP request (as used for duplicate IP
904 address detection):
905
906 mausezahn eth0 -t arp
907
908 ARP cache poisoning:
909
910 mausezahn eth0 -t arp "reply, senderip=192.168.0.1, \
911 targetmac=00:00:0c:01:02:03, targetip=172.16.1.50"
913
914 where by default your interface MAC address will be used as sendermac,
915 senderip denotes the spoofed IP address, and targetmac and targetip
916 identify the receiver. By default, the Ethernet source address is your
917 interface MAC and the destination address is the broadcast address. You
918 can change this using the flags -a and -b.
919
920 `-- BPDU:
921 mausezahn provides a simple interface to the 802.1D BPDU frame format
922 (used to create the Spanning Tree in bridged networks). By default,
923 standard IEEE 802.1D BPDUs are sent and it is assumed that your
924 computer wants to become the root bridge (rid=bid). Optionally the 802.3
925 destination address can be a specified MAC address, broadcast, own MAC,
926 or Cisco's PVST+ MAC address. The destination MAC can be specified
927 using the -b command which, besides MAC addresses, accepts keywords
928 such as bcast, own, pvst, or stp (default). PVST+ is supported as well.
929 Simply specify the VLAN for which you want to send a BPDU:
930
931 mausezahn eth0 -t bpdu "vlan=123, rid=2000"
932
933 See mausezahn -t bpdu help for more details.
934
935 `-- CDP:
936 mausezahn can send Cisco Discovery Protocol (CDP) messages since this
937 protocol has security relevance. Of course lots of dirty tricks are
938 possible; for example arbitrary TLVs can be created (using the
939 hex-payload argument, for example p=00:0e:00:07:01:01:90) and if you want to
940 stress the CDP database of some device, mausezahn can send each CDP
941 message with another system-id using the change keyword:
942
943 mausezahn -t cdp change -c 0
944
945 Some routers and switches may run into deep problems ;-) See mausezahn
946 -t cdp help for more details.
947
948 `-- 802.1Q VLAN Tags:
949 mausezahn allows simple VLAN tagging for IP (and other higher layer)
950 packets. Simply use the option -Q <[CoS:]VLAN>, such as -Q 10 or -Q
951 3:921. By default CoS=0. For example send a TCP packet in VLAN 500
952 using CoS=7:
953
954 mausezahn eth0 -t tcp -Q 7:500 "dp=80, flags=rst, p=aa:aa:aa"
955
956 You can create as many VLAN tags as you want! This is interesting to
957 create QinQ encapsulations or VLAN hopping: Send a UDP packet with VLAN
958 tags 100 (outer) and 651 (inner):
959
960 mausezahn eth0 -t udp "dp=8888, sp=13442" -P "Mausezahn is great" \
961 -Q 100,651
962
963 Don't know if this is useful anywhere but at least it is possible:
964
965 mausezahn eth0 -t udp "dp=8888, sp=13442" -P "Mausezahn is great" \
966 -Q 6:5,7:732,5:331,5,6
967
968 Mix it with MPLS:
969
970 mausezahn eth0 -t udp "dp=8888, sp=13442" -P "Mausezahn is great" \
971 -Q 100,651 -M 314
972
973 When in raw Layer 2 mode you must create the VLAN tag completely by
974 yourself. For example if you want to send a frame in VLAN 5 using CoS
975 0 simply specify 81:00 as type field and for the next two bytes the CoS
976 (PCP), DEI (CFI), and VLAN ID values (all together known as TCI):
977
978 mausezahn eth0 -b bc -a rand "81:00 00:05 08:00 aa-aa-aa-aa-aa-aa-aa-aa-aa"
980
981 `-- MPLS labels:
982 mausezahn allows you to insert one or more MPLS headers. Simply use the
983 option -M <label:CoS:TTL:BoS> where only the label is mandatory. If you
984 specify a second number it is interpreted as the experimental bits (the
985 CoS usually). If you specify a third number it is interpreted as TTL.
986 By default the TTL is set to 255. The Bottom of Stack flag is set
987 automatically, otherwise the frame would be invalid, but if you want you
988 can also set or unset it using the S (set) and s (unset) argument. Note
989 that the BoS must be the last argument in each MPLS header definition.
990 Here are some examples:
991
992 Use MPLS label 214:
993
994 mausezahn eth0 -M 214 -t tcp "dp=80" -P "HTTP..." -B myhost.com
995
996 Use three labels (the 214 is now the outer):
997
998 mausezahn eth0 -M 9999,51,214 -t tcp "dp=80" -P "HTTP..." \
999 -B myhost.com
1000
1001 Use two labels, one with CoS=5 and TTL=1, the other with CoS=7:
1002
1003 mausezahn eth0 -M 100:5:1,500:7 -t tcp "dp=80" -P "HTTP..." \
1004 -B myhost.com
1005
1006 Unset the BoS flag (which will result in an invalid frame):
1007
1008 mausezahn eth0 -M 214:s -t tcp "dp=80" -P "HTTP..." -B myhost.com
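
The 802.1Q TCI and MPLS header fields described above, decoded from the receiving side. This is an added example, not part of the man page or the netsniff-ng code; the frames are constructed from the standard 802.1Q and MPLS layouts rather than captured from mausezahn, and decode_l2, the helper names and the MAC addresses are assumptions.

```python
import struct

TPID_VLAN = (0x8100, 0x88A8)   # 802.1Q and 802.1ad tag protocol identifiers
ETH_MPLS = (0x8847, 0x8848)    # MPLS unicast and multicast EtherTypes

def decode_l2(frame: bytes) -> dict:
    """Walk the Ethernet header, stacked VLAN tags and the MPLS label stack."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    off, vlans, labels, problems = 14, [], [], []
    while ethertype in TPID_VLAN:
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        # TCI: 3 bits PCP (CoS), 1 bit DEI (CFI), 12 bits VLAN ID
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        vlans.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    if len(vlans) > 1:
        problems.append("stacked VLAN tags (QinQ or double tagging)")
    if ethertype in ETH_MPLS:
        while True:
            if len(frame) < off + 4:
                problems.append("label stack ends without bottom-of-stack bit")
                break
            # Entry: 20 bits label, 3 bits TC (CoS), 1 bit BoS, 8 bits TTL
            (entry,) = struct.unpack_from("!I", frame, off)
            off += 4
            labels.append({"label": entry >> 12, "tc": (entry >> 9) & 7,
                           "bos": (entry >> 8) & 1, "ttl": entry & 0xFF})
            if labels[-1]["bos"]:
                break
    return {"vlans": vlans, "mpls": labels, "ethertype": ethertype,
            "payload_offset": off, "problems": problems}

def vlan_tag(pcp: int, vid: int) -> bytes:
    return struct.pack("!HH", 0x8100, (pcp << 13) | vid)

def mpls_entry(label: int, tc: int = 0, bos: int = 1, ttl: int = 255) -> bytes:
    return struct.pack("!I", (label << 12) | (tc << 9) | (bos << 8) | ttl)

# Constructed sample frames (broadcast destination, made-up source MAC).
MACS = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
IP_STUB = b"\x45" + bytes(19)                       # placeholder IPv4 header
RAW_VLAN5 = MACS + bytes.fromhex("8100 0005 0800") + b"\xaa" * 9   # raw L2 example
COS7_VLAN500 = MACS + vlan_tag(7, 500) + b"\x08\x00" + IP_STUB     # like -Q 7:500
QINQ_MPLS = (MACS + vlan_tag(0, 100) + vlan_tag(0, 651)            # like -Q 100,651
             + b"\x88\x47" + mpls_entry(314) + IP_STUB)            # and -M 314
NO_BOS = MACS + b"\x88\x47" + mpls_entry(214, bos=0)               # like -M 214:s

if __name__ == "__main__":
    for name in ("RAW_VLAN5", "COS7_VLAN500", "QINQ_MPLS", "NO_BOS"):
        print(name, decode_l2(globals()[name]))
```

A frame whose label stack never sets the BoS bit makes a decoder keep reading payload bytes as labels, which is why NO_BOS is cut off right after its single entry here.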
1009
1010 Layer 3-7:
1011 IP, UDP, and TCP packets can be padded using the -p option. Currently
1012 0x42 is used as padding byte ('the answer'). You cannot pad DNS packets
1013 (would be useless anyway).
1014
1015 `-- IP:
1016 mausezahn allows you to send any malformed or correct IP packet. Every
1017 field in the IP header can be manipulated. The IP addresses can be
1018 specified via the -A and -B options, denoting the source and
1019 destination address, respectively. You can also specify an address range or a
1020 host name (FQDN). Additionally, the source address can also be random.
1021 By default the source address is your interface IP address and the
1022 destination address is a broadcast address. Here are some examples:
1023
1024 ASCII payload:
1025
1026 mausezahn eth0 -t ip -A rand -B 192.168.1.0/24 -P "hello world"
1027
1028 Hexadecimal payload:
1029
1030 mausezahn eth0 -t ip -A 10.1.0.1-10.1.255.254 -B 255.255.255.255 \
1031 p=ca:fe:ba:be
1032
1033 Will use correct source IP address:
1034
1035 mausezahn eth0 -t ip -B www.xyz.com
1036
1037 The Type of Service (ToS) byte can either be specified directly by two
1038 hexadecimal digits, which means you can also easily set the Explicit
1039 Congestion Notification (ECN) bits (LSB 1 and 2), or you may only want
1040 to specify a common DSCP value (bits 3-8) using a decimal number
1041 (0..63):
1042
1043 Packet sent with DSCP = Expedited Forwarding (EF):
1044
1045 mausezahn eth0 -t ip dscp=46,ttl=1,proto=1,p=08:00:5a:a2:de:ad:be:af
1046
1047 If you leave the checksum as zero (or unspecified) the correct checksum
1048 will be automatically computed. Note that you can only use a wrong
1049 checksum when you also specify at least one L2 field manually.
1050
1051 `-- UDP:
1052 mausezahn supports easy UDP datagram generation. Simply specify the
1053 destination address (-B option) and optionally an arbitrary source
1054 address (-A option) and as arguments you may specify the port numbers
1055 using the dp (destination port) and sp (source port) arguments and a
1056 payload. You can also easily specify a whole port range which will
1057 result in sending multiple packets. Here are some examples:
1058
1059 Send test packets to the RTP port range:
1060
1061 mausezahn eth0 -B 192.168.1.1 -t udp "dp=16384-32767, \
1062 p=A1:00:CC:00:00:AB:CD:EE:EE:DD:DD:00"
1063
1064 Send a DNS request as local broadcast (often a local router replies):
1065
1066 mausezahn eth0 -t udp \
1067 "dp=53,p=c5-2f-01-00-00-01-00-00-00-00-00-00-03-77-77-\
1068 77-03-78-79-7a-03-63-6f-6d-00-00-01-00-01"
1069
1070 Additionally you may specify the length and checksum using the len and
1071 sum arguments (will be set correctly by default). Note: several
1072 protocols have the same arguments such as len (length) and sum (checksum). If
1073 you specified a UDP type packet (via -t udp) and want to modify the IP
1074 length, then use the alternate keywords iplen and ipsum. Also note that
1075 you must specify at least one L2 field which tells mausezahn to build
1076 everything without the help of your kernel (the kernel would not allow
1077 modifying the IP checksum and the IP length).
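
To show what the hexadecimal payload in the DNS broadcast example above carries, this added example decodes it as a DNS message. It is not from the man page or the netsniff-ng project, and hex_payload, read_name and parse_dns_query are hypothetical helper names.

```python
import struct

# Payload string copied from the "DNS request as local broadcast" example.
PAGE_PAYLOAD = ("c5-2f-01-00-00-01-00-00-00-00-00-00-03-77-77-"
                "77-03-78-79-7a-03-63-6f-6d-00-00-01-00-01")

def hex_payload(text: str) -> bytes:
    """Convert hex bytes separated by ':', '-' or spaces into bytes."""
    tokens = text.replace(":", " ").replace("-", " ").split()
    if any(len(tok) != 2 for tok in tokens):
        raise ValueError("every byte must be written as two hex digits")
    return bytes(int(tok, 16) for tok in tokens)

def read_name(msg: bytes, off: int):
    """Read an uncompressed domain name; return (name, next offset)."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        off += 1
        if length == 0:
            return ".".join(labels), off
        if length > 63:
            raise ValueError("compression pointer or invalid label length")
        if off + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length

def parse_dns_query(msg: bytes) -> dict:
    """Decode the 12-byte DNS header and the question section."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        if off + 4 > len(msg):
            raise ValueError("question truncated")
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((name, qtype, qclass))
    return {"id": ident, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "rd": (flags >> 8) & 1, "counts": (qd, an, ns, ar),
            "questions": questions, "unparsed": len(msg) - off}

if __name__ == "__main__":
    print(parse_dns_query(hex_payload(PAGE_PAYLOAD)))
```

The payload is a standard recursive query (QR=0, RD=1) with one question: www.xyz.com, type A (1), class IN (1).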
1078
1079 `-- ICMP:
1080 mausezahn currently only supports the following ICMP methods: PING
1081 (echo request), Redirect (various types), Unreachable (various types).
1082 Additional ICMP types will be supported in future. Currently you would
1083 need to tailor them by yourself, e.g. using the IP packet builder
1084 (setting proto=1). Use mausezahn -t icmp help for help on currently
1085 implemented options.
1086
1087 `-- TCP:
1088 mausezahn allows you to easily tailor any TCP packet. Similarly as with
1089 UDP you can specify source and destination port (ranges) using the sp
1090 and dp arguments. Then you can directly specify the desired flags
1091 using an "|" as delimiter if you want to specify multiple flags. For
1092 example, a SYN-Flood attack against host 1.1.1.1 using a random source
1093 IP address and periodically using all 1023 well-known ports could be
1094 created via:
1095
1096 mausezahn eth0 -A rand -B 1.1.1.1 -c 0 -t tcp "dp=1-1023, flags=syn" \
1098 -P "Good morning! This is a SYN Flood Attack. \
1100 We apologize for any inconvenience."
1101
1102 Be careful with such SYN floods and only use them for firewall testing.
1103 Check your legal position! Remember that a host with an open TCP
1104 session only accepts packets with correct socket information (addresses
1105 and ports) and a valid TCP sequence number (SQNR). If you want to try a
1106 DoS attack by sending a RST-flood and you do NOT know the target's
1107 initial SQNR (which is normally the case) then you may want to sweep
1108 through a range of sequence numbers:
1109
1110 mausezahn eth0 -A legal.host.com -B target.host.com \
1111 -t tcp "sp=80,dp=80,s=1-4294967295"
1112
1113 Fortunately, the SQNR must match the target host's acknowledgement
1114 number plus the announced window size. Since the typical window size is
1115 something between 40000 and 65535 you are MUCH quicker when using an
1116 increment via the ds argument:
1117
1118 mausezahn eth0 -A legal.host.com -B target.host.com \
1119 -t tcp "sp=80, dp=80, s=1-4294967295, ds=40000"
1120
1121 In the latter case mausezahn will only send 107375 packets instead of
1122 4294967295 (which results in a duration of approximately 1 second
1123 compared to 11 hours!). Of course you can tailor any TCP packet you like.
1124 As with other L4 protocols mausezahn builds a correct IP header but you
1125 can additionally access every field in the IP packet (also in the
1126 Ethernet frame).
1127
1128 `-- DNS:
1129 mausezahn supports UDP-based DNS requests or responses. Typically you
1130 may want to send a query or an answer. As usual, you can modify every
1131 flag in the header. Here is an example of a simple query:
1132
1133 mausezahn eth0 -B mydns-server.com -t dns "q=www.ibm.com"
1134
1135 You can also create server-type messages:
1136
1137 mausezahn eth0 -A spoofed.dns-server.com -B target.host.com \
1138 -t dns "q=www.topsecret.com, a=172.16.1.1"
1139
1140 The syntax according to the online help (-t dns help) is:
1141
1142 query|q = <name>[:<type>] ............. where type is per default "A"
1144 (and class is always "IN")
1145 answer|a = [<type>:<ttl>:]<rdata> ...... ttl is per default 0.
1146 = [<type>:<ttl>:]<rdata>/[<type>:<ttl>:]<rdata>/...
1147
1148 Note: If you only use the 'query' option then a query is sent. If you
1149 additionally add an 'answer' then an answer is sent. Examples:
1150
1151 q = www.xyz.com
1152 q = www.xyz.com, a=192.168.1.10
1153 q = www.xyz.com, a=A:3600:192.168.1.10
1154 q = www.xyz.com, a=CNAME:3600:abc.com/A:3600:192.168.1.10
1155
1156 Please try out mausezahn -t dns help to see the many other optional
1157 command line options.
1158
1159 `-- RTP and VoIP path measurements:
1160 mausezahn can send arbitrary Real Time Protocol (RTP) packets. By
1161 default a classical G.711 codec packet of 20 ms segment size and 160
1162 bytes is assumed. You can measure jitter, packet loss, and reordering
1163 along a path between two hosts running mausezahn. The jitter
1164 measurement is either done following the variance low-pass filtered estimation
1165 specified in RFC 3550 or using an alternative "real-time" method which
1166 is even more precise (the RFC-method is used by default). For example
1167 on Host1 you start a transmission process:
1168
1169 mausezahn -t rtp -B 192.168.1.19
1170
1171 And on Host2 (192.168.1.19) a receiving process which performs the
1172 measurement:
1173
1174 mausezahn -T rtp
1175
1176 Note that the option flag with the capital "T" means that it is a
1177 server RTP process, waiting for incoming RTP packets from any mausezahn
1178 source. In case you want to restrict the measurement to a specific
1179 source or you want to perform a bidirectional measurement, you must
1180 specify a stream identifier. Here is an example for bidirectional
1181 measurements which logs the running jitter average in a file:
1182
1183 Host1# mausezahn -t rtp id=11:11:11:11 -B 192.168.2.2 &
1184 Host1# mausezahn -T rtp id=22:22:22:22 "log, path=/tmp/mz/"
1185
1186 Host2# mausezahn -t rtp id=22:22:22:22 -B 192.168.1.1 &
1187 Host2# mausezahn -T rtp id=11:11:11:11 "log, path=/tmp/mz/"
1188
1189 In any case the measurements are printed continuously onto the screen;
1190 by default it looks like this:
1191
1192 0.00 0.19 0.38 0.57
1194 |-------------------------|-------------------------|-------------------------|
1195 ######### 0.07 msec
1197 #################### 0.14 msec
1199 ## 0.02 msec
1201 ### 0.02 msec
1203 ######### 0.07 msec
1205 #### 0.03 msec
1207 ######### 0.07 msec
1209 ############# 0.10 msec
1211 ## 0.02 msec
1213 ########################################### 0.31 msec
1215 ######### 0.07 msec
1217 ############################################## 0.33 msec
1219 ############### 0.11 msec
1221 ########## 0.07 msec
1223 ############### 0.11 msec
1225 ########################################################## 0.42 msec
1227 ##### 0.04 msec
1229
1230 More information is shown using the txt keyword:
1231
1232 mausezahn -T rtp txt
1233 Got 100 packets from host 192.168.0.3: 0 lost (0 absolute lost), 1 out of order
1235 Jitter_RFC (low pass filtered) = 30 usec
1236 Samples jitter (min/avg/max) = 1/186/2527 usec
1237 Delta-RX (min/avg/max) = 2010/20167/24805 usec
1238 Got 100 packets from host 192.168.0.3: 0 lost (0 absolute lost), 1 out of order
1240 Jitter_RFC (low pass filtered) = 17 usec
1241 Samples jitter (min/avg/max) = 1/53/192 usec
1242 Delta-RX (min/avg/max) = 20001/20376/20574 usec
1243 Got 100 packets from host 192.168.0.3: 0 lost (0 absolute lost), 1 out of order
1245 Jitter_RFC (low pass filtered) = 120 usec
1246 Samples jitter (min/avg/max) = 0/91/1683 usec
1247 Delta-RX (min/avg/max) = 18673/20378/24822 usec
1248
1249 See mausezahn -t rtp help and mz -T rtp help for more details.
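
The low-pass filtered jitter estimate from RFC 3550 mentioned above, together with loss and reordering counts, as an added example that is not mausezahn's own code. The timestamps are constructed and both in microseconds, 16-bit sequence number wraparound is ignored, and how mausezahn itself derives its min/avg/max lines is an assumption.

```python
def rtp_path_stats(packets):
    """Summarise a stream of (sequence, send_usec, recv_usec) tuples,
    given in arrival order, the way a receiving measurement process could."""
    if len(packets) < 2:
        raise ValueError("need at least two packets")
    jitter = 0.0
    samples, delta_rx = [], []
    out_of_order = 0
    seen = set()
    highest = None
    prev = None
    for seq, sent, recv in packets:
        if highest is not None and seq < highest:
            out_of_order += 1            # arrived after a later packet
        highest = seq if highest is None else max(highest, seq)
        seen.add(seq)
        if prev is not None:
            # RFC 3550: D = (R_i - R_{i-1}) - (S_i - S_{i-1})
            d = abs((recv - prev[1]) - (sent - prev[0]))
            # RFC 3550: J = J + (|D| - J) / 16
            jitter += (d - jitter) / 16.0
            samples.append(d)
            delta_rx.append(recv - prev[1])
        prev = (sent, recv)
    lost = (highest - min(seen) + 1) - len(seen)

    def summary(values):
        return (min(values), sum(values) / len(values), max(values))

    return {"jitter_rfc": jitter, "sample_jitter": summary(samples),
            "delta_rx": summary(delta_rx), "lost": lost,
            "out_of_order": out_of_order}

# Constructed stream: 20 ms packet spacing, sequence number 3 never arrives.
SAMPLE = [
    (0, 0, 1000),
    (1, 20000, 21000),
    (2, 40000, 41160),      # arrives 160 usec late
    (4, 80000, 81000),      # back on schedule
    (5, 100000, 101000),
]

if __name__ == "__main__":
    for key, value in rtp_path_stats(SAMPLE).items():
        print(key, value)
```

Because each sample only moves the estimate by one sixteenth of the difference, the two 160 usec deviations in SAMPLE leave the filtered value far below the sample maximum, which is the same relationship visible between Jitter_RFC and the max sample jitter in the output above.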
1250
1251 `-- Syslog:
1252 The traditional Syslog protocol is widely used even in professional
1253 networks and is sometimes vulnerable. For example you might insert
1254 forged Syslog messages by spoofing your source address (e.g.
1255 impersonate the address of a legit network device):
1256
1257 mausezahn -t syslog sev=3 -P "You have been mausezahned." \
1258 -A 10.1.1.109 -B 192.168.7.7
1259
1260 See mausezahn -t syslog help for more details.
1261
1263 When multiple ranges are specified, e.g. destination port ranges and
1264 destination address ranges, then all possible combinations of ports and
1265 addresses are used for packet generation. Furthermore, this can be
1266 mixed with other ranges e.g. a TCP sequence number range. Note that
1267 combining ranges can lead to a huge number of frames to be sent.
1268 As a rule of thumb you can assume that about 100,000 frames and more
1269 are sent in a fraction of one second, depending on your network
1270 interface.
1271
1272 mausezahn has been designed as a fast traffic generator so you might
1273 easily overwhelm a LAN segment with myriads of packets. And because
1274 mausezahn could also support security audits it is possible to create
1275 malicious or invalid packets, SYN floods, port and address sweeps, DNS
1276 and ARP poisoning, etc.
1277
1278 Therefore, don't use this tool when you are not aware of the possible
1279 consequences or have only a little knowledge about networks and data
1280 communication. If you abuse mausezahn for 'unallowed' attacks and get
1281 caught, or damage something of your own, then this is completely your
1282 fault. So the safest solution is to try it out in a lab environment.
1283
1284 Also have a look at the netsniff-ng(8) note section on how you can
1285 properly setup and tune your system.
1286
1288 mausezahn is licensed under the GNU GPL version 2.0.
1289
1291 mausezahn was originally written by Herbert Haas. According to his
1292 website [1], he unfortunately passed away in 2011 thus leaving this tool
1293 unmaintained. It has been adopted and integrated into the netsniff-ng
1294 toolkit and is further being maintained and developed from there.
1295 Maintainers are Tobias Klauser <tklauser@distanz.ch> and Daniel Borkmann
1296 <dborkma@tik.ee.ethz.ch>.
1297
1298 [1] http://www.perihel.at/
1299
1301 netsniff-ng(8), trafgen(8), ifpps(8), bpfc(8), flowtop(8),
1302 astraceroute(8), curvetun(8)
1303
1305 Manpage was written by Herbert Haas and modified by Daniel Borkmann.
1306
1308 This page is part of the Linux netsniff-ng toolkit project. A
1309 description of the project, and information about reporting bugs, can be found
1310 at http://netsniff-ng.org/.
1311
1312
1313
1314Linux 03 March 2013 MAUSEZAHN(8)