1 .\" netsniff-ng - the packet sniffing beast
2 .\" Copyright 2013 Herbert Haas, modified by Daniel Borkmann.
3 .\" Subject to the GPL, version 2.
4 .TH MAUSEZAHN 8 "03 March 2013" "Linux" "netsniff-ng toolkit"
6 mausezahn \- a fast versatile packet generator with Cisco-cli
10 \fBmausezahn\fR { [\fIoptions\fR] "<arg-string> | <hex-string>" }
14 mausezahn is a fast traffic generator which allows you to send nearly every
15 possible and impossible packet. In contrast to trafgen(8), mausezahn's packet
16 configuration is on a protocol-level instead of byte-level and mausezahn also
17 comes with a built-in Cisco-like command-line interface, making it suitable
18 as a network traffic generator box in your network lab.
20 Next to network labs, it can also be used as a didactical tool and for security
21 audits including penetration and DoS testing. As a traffic generator, mausezahn
22 is also able to test IP multicast or VoIP networks. Packet rates close to the
23 physical limit are reachable, depending on the hardware platform.
25 mausezahn supports two modes, ''direct mode'' and a multi-threaded ''interactive
28 The ''direct mode'' allows you to create a packet directly on the command line
29 and every packet parameter is specified in the argument list when calling
32 The ''interactive mode'' is an advanced multi-threaded configuration mode with
33 its own command line interface (CLI). This mode allows you to create an arbitrary
34 number of packet types and streams in parallel, each with different parameters.
36 The interactive mode utilizes a completely redesigned and more flexible protocol
37 framework called ''mops'' (mausezahn's own packet system). The look and feel of
38 the CLI is very close to the Cisco IOS^tm command line interface.
40 You can start the interactive mode by executing mausezahn with the ''\-x''
41 argument (an optional port number may follow, otherwise it is 25542). Then use
42 telnet(1) to connect to this mausezahn instance. If not otherwise specified,
43 the default login and password combination is mz:mz and the enable password is: mops.
44 This can be changed in /etc/netsniff-ng/mausezahn.conf.
46 The direct mode supports two specification schemes: The ''raw-layer-2'' scheme,
47 where every single byte to be sent can be specified, and ''higher-layer'' scheme,
48 where packet builder interfaces are used (using the ''\-t'' option).
50 To use the ''raw-layer-2'' scheme, simply specify the desired frame as a
51 hexadecimal sequence (the ''hex-string''), such as:
53 mausezahn eth0 "00:ab:cd:ef:00 00:00:00:00:00:01 08:00 ca:fe:ba:be"
55 In this example, whitespaces within the byte string are optional and separate
56 the Ethernet fields (destination and source address, type field, and a short
57 payload). The only additional options supported are ''\-a'', ''\-b'', ''\-c'',
58 and ''\-p''. The frame length must be greater than or equal to 15 bytes.
60 The ''higher-layer'' scheme is enabled using the ''\-t <packet-type>'' option.
61 This option activates a packet builder, and besides the ''packet-type'', an
62 optional ''arg-string'' can be specified. The ''arg-string'' contains packet-
63 specific parameters, such as TCP flags, port numbers, etc. (see example section).
67 mausezahn provides a built-in context-specific help. Append the keyword
68 ''help'' after the configuration options. The most important options
72 Start mausezahn in interactive mode with a Cisco-like CLI. Use telnet to log
73 into the local mausezahn instance. If no port has been specified, port 25542
77 Specify IPv6 mode (IPv4 is the default).
80 Specify the IP address mausezahn should bind to when in interactive mode, default: 0.0.0.0.
83 Set priority of sent packets. This configures SO_PRIORITY at the socket through
84 which the packets are sent. Usual priority numbers are 0..15, but the value can
85 also be a class ID for purposes of Qdisc classification. In that case, a class
86 ID such is 1234:5678 would be specified as 0x12345678.
89 Verbose mode. Capital \-V is even more verbose.
92 Simulation mode, i.e. don't put anything on the wire. This is typically combined
93 with the verbose mode.
96 Quiet mode where only warnings and errors are displayed.
99 Send the packet count times (default: 1, infinite: 0).
102 Apply delay between transmissions. The delay value can be specified in usec
103 (default, no additional unit needed), or in msec (e.g. 100m or 100msec), or
104 in seconds (e.g. 100s or 100sec). Note: mops also supports nanosecond delay
105 resolution if you need it (see interactive mode).
108 Multiply the specified delay with a random value.
111 Pad the raw frame to specified length using zero bytes. Note that for raw
112 layer 2 frames the specified length defines the whole frame length, while for
113 higher layer packets the number of additional padding bytes are specified.
115 .SS -a <src-mac|keyword>
116 Use specified source MAC address with hexadecimal notation such as 00:00:aa:bb:cc:dd.
117 By default the interface MAC address will be used. The keywords ''rand'' and ''own''
118 refer to a random MAC address (only unicast addresses are created)
119 and the own address, respectively. You can also use the keywords mentioned
120 below although broadcast-type source addresses are officially invalid.
122 .SS -b <dst-mac|keyword>
123 Use specified destination MAC address. By default, a broadcast is sent in raw
124 layer 2 mode or to the destination hosts or gateway interface MAC address in normal
125 (IP) mode. You can use the same keywords as mentioned above, as well as ''bc''
126 or ''bcast'', ''cisco'', and ''stp''.
128 .SS -A <src-ip|range|rand>
129 Use specified source IP address, default is own interface address. Optionally, the
130 keyword ''rand'' can again be used for a random source IP address or a range
131 can be specified, such as ''192.168.1.1-192.168.1.100'' or ''10.1.0.0/16''.
132 Also, a DNS name can be specified for which mausezahn tries to determine the
133 corresponding IP address automatically.
135 .SS -B <dst-ip|range>
136 Use specified destination IP address (default is broadcast i.e. 255.255.255.255).
137 As with the source address (see above) you can also specify a range or a DNS name.
139 .SS -t <packet-type [help] | help>
140 Create the specified packet type using the built-in packet builder. Currently,
141 supported packet types are: ''arp'', ''bpdu'', ''ip'', ''udp'', ''tcp'', ''rtp'',
142 and ''dns''. Currently, there is also limited support for ''icmp''. Type
143 ''\-t help'' to verify which packet builders your actual mausezahn version
144 supports. Also, for any particular packet type, for example ''tcp'' type
145 ''mausezahn \-t tcp help'' to receive a more in-depth context specific help.
148 Make this mausezahn instance the receiving station. Currently, only ''rtp'' is
149 an option here and provides precise jitter measurements. For this purpose, start
150 another mausezahn instance on the sending station and the local receiving station
151 will output jitter statistics. See ''mausezahn \-T rtp help'' for a detailed help.
153 .SS -Q <[CoS:]vlan> [, <[CoS:]vlan>, ...]
154 Specify 802.1Q VLAN tag and optional Class of Service. An arbitrary number of
155 VLAN tags can be specified (that is, you can simulate QinQ or even QinQinQinQ..).
156 Multiple tags must be separated via a comma or a period (e.g. "5:10,20,2:30").
157 VLAN tags are not supported for ARP and BPDU packets (in which case you could
158 specify the whole frame in hexadecimal using the raw layer 2 interface of mausezahn).
160 .SS -M <label[:cos[:ttl]][bos]> [, <label...>]
161 Specify a MPLS label or even a MPLS label stack. Optionally, for each label the
162 experimental bits (usually the Class of Service, CoS) and the Time To Live
163 (TTL) can be specified. If you are really crazy you can set and unset the
164 Bottom of Stack (BoS) bit for each label using the ''S'' (set) and ''s''
165 (unset) option. By default, the BoS is set automatically and correctly. Any other
166 setting will lead to invalid frames. Enter ''\-M help'' for detailed instructions
169 .SS -P <ascii-payload>
170 Specify a cleartext payload. Alternatively, each packet type supports a
171 hexadecimal specification of the payload (see for example ''\-t udp help'').
174 Read the ASCII payload from the specified file.
177 Read the hexadecimal payload from the specified file. Actually, this file must be also
178 an ASCII text file, but must contain hexadecimal digits, e.g. "aa:bb:cc:0f:e6...".
179 You can use also spaces as separation characters.
183 For more comprehensive examples, have a look at the two following HOWTO sections.
185 .SS mausezahn eth0 \-c 0 \-d 2s \-t bpdu vlan=5
186 Send BPDU frames for VLAN 5 as used with Cisco's PVST+ type of STP. By default
187 mausezahn assumes that you want to become the root bridge.
189 .SS mausezahn eth0 \-c 128000 \-a rand \-p 64
190 Perform a CAM table overflow attack.
192 .SS mausezahn eth0 \-c 0 \-Q 5,100 \-t tcp "flags=syn,dp=1-1023" \-p 20 \-A rand \-B 10.100.100.0/24
193 Perform a SYN flood attack to another VLAN using VLAN hopping. This only works
194 if you are connected to the same VLAN which is configured as native VLAN on the
195 trunk. We assume that the victim VLAN is VLAN 100 and the native VLAN is VLAN 5.
196 Lets attack every host in VLAN 100 which use an IP prefix of 10.100.100.0/24, also
197 try out all ports between 1 and 1023 and use a random source IP address.
199 .SS mausezahn eth0 \-c 0 \-d 10msec \-B 230.1.1.1 \-t udp "dp=32000,dscp=46" \-P "Multicast test packet"
200 Send IP multicast packets to the multicast group 230.1.1.1 using a UDP header
201 with destination port 32000 and set the IP DSCP field to EF (46). Send one
204 .SS mausezahn eth0 \-Q 6:420 \-M 100,200,300:5 \-A 172.30.0.0/16 \-B target.anynetwork.foo \-t udp "sp=666,dp=1-65535" \-p 1000 \-c 10
205 Send UDP packets to the destination host target.anynetwork.foo using all
206 possible destination ports and send every packet with all possible source
207 addresses of the range 172.30.0.0/16; additionally use a source port of 666
208 and three MPLS labels, 100, 200, and 300, the outer (300) with QoS field 5.
209 Send the frame with a VLAN tag 420 and CoS 6; eventually pad with 1000 bytes
210 and repeat the whole thing 10 times.
212 .SS mausezahn \-t syslog sev=3 \-P "Main reactor reached critical temperature." \-A 192.168.33.42 \-B 10.1.1.9 \-c 6 \-d 10s
213 Send six forged syslog messages with severity 3 to a Syslog server 10.1.1.9; use
214 a forged source IP address 192.168.33.42 and let mausezahn decide which local
215 interface to use. Use an inter-packet delay of 10 seconds.
217 .SS mausezahn \-t tcp "flags=syn|urg|rst, sp=145, dp=145, win=0, s=0-4294967295, ds=1500, urg=666" \-a bcast \-b bcast \-A bcast \-B 10.1.1.6 \-p 5
218 Send an invalid TCP packet with only a 5 byte payload as layer-2 broadcast and
219 also use the broadcast MAC address as source address. The target should be
220 10.1.1.6 but use a broadcast source address. The source and destination port
221 shall be 145 and the window size 0. Set the TCP flags SYN, URG, and RST
222 simultaneously and sweep through the whole TCP sequence number space with an
223 increment of 1500. Finally set the urgent pointer to 666, i.e. pointing to
226 .SH CONFIGURATION FILE
228 When mausezahn is run in interactive mode it automatically looks for and reads
229 a configuration file located at /etc/netsniff-ng/mausezahn.conf for custom options
230 if the file is available, otherwise it uses defaults set at compile time.
231 .SS Config file: /etc/netsniff-ng/mausezahn.conf
233 The configuration file contains lines of the form:
237 Options supported in the configuration file are:
240 user Username for authentication (default: mz)
241 password Password for authentication (default: mz)
242 enable Password to enter privilege mode (default: mops)
243 port The listening port for the CLI (default: 25542)
244 listen-addr IP address to bind CLI to (default: 0.0.0.0)
245 management-only Set management interface (no data traffic is allowed to pass through)
246 cli-device Interface to bind CLI to (default: all) *not fully implemented*
247 automops Path to automops file (contains XML data describing protocols) *in development*
251 $ cat /etc/netsniff-ng/mausezahn.conf
254 enable = privilege-mode-passwd
256 listen-addr = 127.0.0.1
258 .SH INTERACTIVE MODE HOWTO
262 Using the interactive mode requires starting mausezahn as a server:
266 Now you can telnet(1) to that server using the default port number 25542, but also
267 an arbitrary port number can be specified:
270 mausezahn accepts incoming telnet connections on port 99.
271 mz: Problems opening config file. Will use defaults
274 Either from another terminal or from another host try to telnet to the
277 caprica$ telnet galactica 99
278 Trying 192.168.0.4...
279 Connected to galactica.
280 Escape character is '^]'.
290 It is recommended to configure your own login credentials in
291 /etc/netsniff-ng/mausezahn.conf, (see configuration file section)
294 Since you reached the mausezahn prompt, lets try some common commands. You can
295 use the '?' character at any time for context-specific help. Note that Cisco-like
296 short form of commands are accepted in interactive mode. For example, one
297 can use "sh pac" instead of "show packet"; another common example is to use
298 "config t" in place of "configure terminal". For readability, this manual will
299 continue with the full commands.
301 First try out the show command:
305 mausezahn maintains its own ARP table and observes anomalies. There is an entry
306 for every physical interface (however this host has only one):
309 Intf Index IP address MAC address last Ch UCast BCast Info
310 ----------------------------------------------------------------------------------
311 eth0 [1] D 192.168.0.1 00:09:5b:9a:15:84 23:44:41 1 1 0 0000
313 The column Ch tells us that the announced MAC address has only changed one time
314 (= when it was learned). The columns Ucast and BCast tell us how often this
315 entry was announced via unicast or broadcast respectively.
317 Let's check our interfaces:
320 Available network interfaces:
321 real real used (fake) used (fake)
322 device IPv4 address MAC address IPv4 address MAC address
323 ---------------------------------------------------------------------------------------
324 > eth0 192.168.0.4 00:30:05:76:2e:8d 192.168.0.4 00:30:05:76:2e:8d
325 lo 127.0.0.1 00:00:00:00:00:00 127.0.0.1 00:00:00:00:00:00
327 Default interface is eth0.
329 .SS Defining packets:
331 Let's check the current packet list:
334 Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=UDP, T=TCP
335 PktID PktName Layers Proto Size State Device Delay Count/CntX
336 1 sysARP_servic... E----- ARP 60 config lo 100 msec 1/0 (100%)
337 1 packets defined, 0 active.
339 We notice that there is already one system-defined packet process; it has been
340 created and used only once (during startup) by mausezahn's ARP service.
341 Currently, its state is config which means that the process is sleeping.
343 .SS General packet options:
345 Now let's create our own packet process and switch into the global
348 mz# configure terminal
350 Allocated new packet PKT0002 at slot 2
353 name Assign a unique name
354 description Assign a packet description text
355 bind Select the network interface
356 count Configure the packet count value
357 delay Configure the inter-packet delay
358 interval Configure a greater interval
359 type Specify packet type
360 mac Configure packet's MAC addresses
362 payload Configure a payload
363 port Configure packet's port numbers
364 end End packet configuration mode
365 ethernet Configure frame's Ethernet, 802.2, 802.3, or SNAP settings
366 ip Configure packet's IP settings
367 udp Configure packet's UDP header parameters
368 tcp Configure packet's TCP header parameters
370 Here are a lot of options but normally you only need a few of them. When you
371 configure lots of different packets you might assign a reasonable name and
372 description for them:
374 mz(config-pkt-2)# name Test
375 mz(config-pkt-2)# description This is just a test
377 You can, for example, change the default settings for the source and destination MAC or IP
378 addresses using the mac and ip commands:
380 mz(config-pkt-2)# ip address destination 10.1.1.0 /24
381 mz(config-pkt-2)# ip address source random
383 In the example above, we configured a range of addresses (all hosts in the
384 network 10.1.1.0 should be addressed). Additionally we spoof our source IP
385 address. Of course, we can also add one or more VLAN and, or, MPLS tag(s):
387 mz(config-pkt-2)# tag ?
388 dot1q Configure 802.1Q (and 802.1P) parameters
389 mpls Configure MPLS label stack
390 mz(config-pkt-2)# tag dot ?
391 Configure 802.1Q tags:
392 VLAN[:CoS] [VLAN[:CoS]] ... The leftmost tag is the outer tag in the frame
393 remove <tag-nr> | all Remove one or more tags (<tag-nr> starts with 1),
394 by default the first (=leftmost,outer) tag is removed,
395 keyword 'all' can be used instead of tag numbers.
396 cfi | nocfi [<tag-nr>] Set or unset the CFI-bit in any tag (by default
397 assuming the first tag).
398 mz(config-pkt-2)# tag dot 1:7 200:5
400 .SS Configure count and delay:
402 mz(config-pkt-2)# count 1000
403 mz(config-pkt-2)# delay ?
404 delay <value> [hour | min | sec | msec | usec | nsec]
406 Specify the inter-packet delay in hours, minutes, seconds, milliseconds,
407 microseconds or nanoseconds. The default unit is milliseconds (i.e. when no
410 mz(config-pkt-2)# delay 1 msec
411 Inter-packet delay set to 0 sec and 1000000 nsec
414 .SS Configuring protocol types:
416 mausezahn's interactive mode supports a growing list of protocols and only
417 relies on the MOPS architecture (and not on libnet as is the case with
418 the legacy direct mode):
420 mz(config-pkt-2)# type
421 Specify a packet type from the following list:
429 mz(config-pkt-2)# type tcp
430 mz(config-pkt-2-tcp)#
432 seqnr Configure the TCP sequence number
433 acknr Configure the TCP acknowledgement number
434 hlen Configure the TCP header length
435 reserved Configure the TCP reserved field
436 flags Configure a combination of TCP flags at once
437 cwr Set or unset the TCP CWR flag
438 ece Set or unset the TCP ECE flag
439 urg Set or unset the TCP URG flag
440 ack set or unset the TCP ACK flag
441 psh set or unset the TCP PSH flag
442 rst set or unset the TCP RST flag
443 syn set or unset the TCP SYN flag
444 fin set or unset the TCP FIN flag
445 window Configure the TCP window size
446 checksum Configure the TCP checksum
447 urgent-pointer Configure the TCP urgent pointer
448 options Configure TCP options
449 end End TCP configuration mode
450 mz(config-pkt-2-tcp)# flags syn fin rst
451 Current setting is: --------------------RST-SYN-FIN
452 mz(config-pkt-2-tcp)# end
453 mz(config-pkt-2)# payload ascii This is a dummy payload for my first packet
454 mz(config-pkt-2)# end
456 Now configure another packet, for example let's assume we want an LLDP process:
459 Allocated new packet PKT0003 at slot 3
460 mz(config-pkt-3)# type lldp
461 mz(config-pkt-3-lldp)# exit
464 In the above example we only use the default LLDP settings and don't configure
465 further LLDP options or TLVs. Back in the top level of the CLI let's verify
469 Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=UDP, T=TCP
470 PktID PktName Layers Proto Size State Device Delay Count/CntX
471 1 sysARP_servic... E----- ARP 60 config lo 100 msec 1/0 (100%)
472 2 Test E-Q-IT 125 config eth0 1000 usec 1000/1000 (0%)
473 3 PKT0003 E----- LLDP 36 config eth0 30 sec 0/0 (0%)
474 3 packets defined, 0 active.
476 The column Layers indicates which major protocols have been combined. For
477 example the packet with packet-id 2 ("Test") utilizes Ethernet (E),
478 IP (I), and TCP (T). Additionally an 802.1Q tag (Q) has been inserted. Now
479 start one of these packet processes:
484 Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=UDP, T=TCP
485 PktID PktName Layers Proto Size State Device Delay Count/CntX
486 1 sysARP_servic... E----- ARP 60 config lo 100 msec 1/0 (100%)
487 2 Test E-Q-IT 125 config eth0 1000 usec 1000/1000 (0%)
488 3 PKT0003 E----- LLDP 36 config eth0 30 sec 0/1 (0%)
489 3 packets defined, 1 active.
491 Let's have a more detailed look at a specific packet process:
495 Description: This is just a test
496 State: config, Count=1000, delay=1000 usec (0 s 1000000 nsec), interval= (undefined)
498 Ethernet: 00-30-05-76-2e-8d => ff-ff-ff-ff-ff-ff [0800 after 802.1Q tag]
499 Auto-delivery is ON (that is, the actual MAC is adapted upon transmission)
500 802.1Q: 0 tag(s); (VLAN:CoS)
501 IP: SA=192.168.0.4 (not random) (no range)
502 DA=255.255.255.255 (no range)
503 ToS=0x00 proto=17 TTL=255 ID=0 offset=0 flags: -|-|-
504 len=49664(correct) checksum=0x2e8d(correct)
505 TCP: 83 bytes segment size (including TCP header)
506 SP=0 (norange) (not random), DP=0 (norange) (not random)
507 SQNR=3405691582 (start 0, stop 4294967295, delta 0) -- ACKNR=0 (invalid)
508 Flags: ------------------------SYN----, reserved field is 00, urgent pointer= 0
509 Announced window size= 100
510 Offset= 0 (times 32 bit; value is valid), checksum= ffff (valid)
511 (No TCP options attached) - 0 bytes defined
512 Payload size: 43 bytes
513 Frame size: 125 bytes
514 1 ff:ff:ff:ff:ff:ff:00:30 05:76:2e:8d:81:00:e0:01 81:00:a0:c8:08:00:45:00 00:67:00:00:00:00:ff:06
515 33 fa:e4:c0:a8:00:04:ff:ff ff:ff:00:00:00:00:ca:fe ba:be:00:00:00:00:a0:07 00:64:f7:ab:00:00:02:04
516 65 05:ac:04:02:08:0a:19:35 90:c3:00:00:00:00:01:03 03:05:54:68:69:73:20:69 73:20:61:20:64:75:6d:6d
517 97 79:20:70:61:79:6c:6f:61 64:20:66:6f:72:20:6d:79 20:66:69:72:73:74:20:70 61:63:6b:65:74
520 If you want to stop one or more packet processes, use the stop command. The
521 "emergency stop" is when you use stop all:
526 Stopped 1 transmission processe(s)
528 The launch command provides a shortcut for commonly used packet processes. For
529 example to behave like a STP-capable bridge we want to start an BPDU process
530 with typical parameters:
533 Allocated new packet sysBPDU at slot 5
535 Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=UDP, T=TCP
536 PktID PktName Layers Proto Size State Device Delay Count/CntX
537 1 sysARP_servic... E----- ARP 60 config lo 100 msec 1/0 (100%)
538 2 Test E-Q-IT 125 config eth0 1000 usec 1000/1000 (0%)
539 3 PKT0003 E----- LLDP 36 config eth0 30 sec 0/12 (0%)
540 4 PKT0004 E---I- IGMP 46 config eth0 100 msec 0/0 (0%)
541 5 sysBPDU ES---- BPDU 29 active eth0 2 sec 0/1 (0%)
542 5 packets defined, 1 active.
544 Now a Configuration BPDU is sent every 2 seconds, claiming to be the root
545 bridge (and usually confusing the LAN. Note that only packet 5 (i.e. the
546 last row) is active and therefore sending packets while all other packets
547 are in state config (i.e. they have been configured but they are not doing
548 anything at the moment).
550 .SS Configuring a greater interval:
552 Sometimes you may want to send a burst of packets at a greater interval:
555 Modify packet parameters for packet Test [2]
556 mz(config-pkt-2)# interval
557 Configure a greater packet interval in days, hours, minutes, or seconds
558 Arguments: <value> <days | hours | minutes | seconds>
559 Use a zero value to disable an interval.
560 mz(config-pkt-2)# interval 1 hour
561 mz(config-pkt-2)# count 10
562 mz(config-pkt-2)# delay 15 usec
563 Inter-packet delay set to 0 sec and 15000 nsec
565 Now this packet is sent ten times with an inter-packet delay of 15 microseconds
566 and this is repeated every hour. When you look at the packet list, an interval
567 is indicated with the additional flag 'i' when inactive or 'I' when active:
570 Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=UDP, T=TCP
571 PktID PktName Layers Proto Size State Device Delay Count/CntX
572 1 sysARP_servic... E----- ARP 60 config lo 100 msec 1/0 (100%)
573 2 Test E-Q-IT 125 config-i eth0 15 usec 10/10 (0%)
574 3 PKT0003 E----- LLDP 36 config eth0 30 sec 0/12 (0%)
575 4 PKT0004 E---I- IGMP 46 config eth0 100 msec 0/0 (0%)
576 5 sysBPDU ES---- BPDU 29 active eth0 2 sec 0/251 (0%)
577 5 packets defined, 1 active.
581 Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=UDP, T=TCP
582 PktID PktName Layers Proto Size State Device Delay Count/CntX
583 1 sysARP_servic... E----- ARP 60 config lo 100 msec 1/0 (100%)
584 2 Test E-Q-IT 125 config+I eth0 15 usec 10/0 (100%)
585 3 PKT0003 E----- LLDP 36 config eth0 30 sec 0/12 (0%)
586 4 PKT0004 E---I- IGMP 46 config eth0 100 msec 0/0 (0%)
587 5 sysBPDU ES---- BPDU 29 active eth0 2 sec 0/256 (0%)
588 5 packets defined, 1 active.
590 Note that the flag 'I' indicates that an interval has been specified for
591 packet 2. The process is not active at the moment (only packet 5 is active
592 here) but it will become active at a regular interval. You can verify the
593 actual interval when viewing the packet details via the 'show packet 2' command.
595 .SS Load prepared configurations:
597 You can prepare packet configurations using the same commands as you would
598 type them in on the CLI and then load them to the CLI. For example, assume we
599 have prepared a file 'test.mops' containing:
604 desc This is only a demonstration how to load a file to mops
607 Then we can add this packet configuration to our packet list using the load
611 Read commands from test.mops...
612 Allocated new packet PKT0002 at slot 2
614 Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=UDP, T=TCP
615 PktID PktName Layers Proto Size State Device Delay Count/CntX
616 1 sysARP_servic... E----- ARP 60 config lo 100 msec 1/0 (100%)
617 2 IGMP_TEST E---I- IGMP 46 config eth0 100 msec 0/0 (0%)
618 2 packets defined, 0 active.
620 The file src/examples/mausezahn/example_lldp.conf contains another example
621 list of commands to create a bogus LLDP packet. You can load this
622 configuration from the mausezahn command line as follows:
624 mz# load /home/hh/tmp/example_lldp.conf
626 In case you copied the file in that path. Now when you enter 'show packet' you
627 will see a new packet entry in the packet list. Use the 'start slot <nr>'
628 command to activate this packet.
630 You can store your own packet creations in such a file and easily load them when
631 you need them. Every command within such configuration files is executed on the
632 command line interface as if you had typed it in -- so be careful about the
633 order and don't forget to use 'configure terminal' as first command.
635 You can even load other files from within a central config file.
637 .SH DIRECT MODE HOWTO
639 .SS How to specify hexadecimal digits:
641 Many arguments allow direct byte input. Bytes are represented as two
642 hexadecimal digits. Multiple bytes must be separated either by spaces, colons,
643 or dashes - whichever you prefer. The following byte strings are equivalent:
645 "aa:bb cc-dd-ee ff 01 02 03-04 05"
646 "aa bb cc dd ee ff:01:02:03:04 05"
648 To begin with, you may want to send an arbitrary fancy (possibly invalid)
649 frame right through your network card:
651 mausezahn ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:08:00:ca:fe:ba:be
653 or equivalent but more readable:
655 mausezahn ff:ff:ff:ff:ff:ff-ff:ff:ff:ff:ff:ff-08:00-ca:fe:ba:be
657 .SS Basic operations:
659 All major command line options are listed when you execute mausezahn without
660 arguments. For practical usage, keep the following special (not so widely
661 known) options in mind:
663 \-r Multiplies the specified delay with a random value.
664 \-p <length> Pad the raw frame to specified length (using random bytes).
665 \-P <ASCII Payload> Use the specified ASCII payload.
666 \-f <filename> Read the ASCII payload from a file.
667 \-F <filename> Read the hexadecimal payload from a file.
668 \-S Simulation mode: DOES NOT put anything on the wire.
669 This is typically combined with one of the verbose
672 Many options require a keyword or a number but the \-t option is an exception
673 since it requires both a packet type (such as ip, udp, dns, etc) and an
674 argument string which is specific for that packet type. Here are some simple
678 mausezahn \-t tcp help
679 mausezahn eth3 \-t udp sp=69,dp=69,p=ca:fe:ba:be
681 Note: Don't forget that on the CLI the Linux shell (usually the Bash)
682 interprets spaces as a delimiting character. That is, if you are specifying
683 an argument that consists of multiple words with spaces in between, you MUST
684 group these within quotes. For example, instead of
686 mausezahn eth0 \-t udp sp=1,dp=80,p=00:11:22:33
688 you could either omit the spaces
690 mausezahn eth0 \-t udp sp=1,dp=80,p=00:11:22:33
692 or, for greater safety, use quotes:
694 mausezahn eth0 \-t udp "sp=1,dp=80,p=00:11:22:33"
696 In order to monitor what's going on, you can enable the verbose mode using
697 the \-v option. The opposite is the quiet mode (\-q) which will keep mausezahn
698 absolutely quiet (except for error messages and warnings.)
700 Don't confuse the payload argument p=... with the padding option \-p. The latter
701 is used outside the quotes!
703 .SS The automatic packet builder:
705 An important argument is \-t which invokes a packet builder. Currently there
706 are packet builders for ARP, BPDU, CDP, IP, partly ICMP, UDP, TCP, RTP, DNS,
707 and SYSLOG. (Additionally you can insert a VLAN tag or a MPLS label stack but
708 this works independently of the packet builder.)
710 You get context specific help for every packet builder using the help keyword,
713 mausezahn \-t bpdu help
714 mausezahn \-t tcp help
716 For every packet you may specify an optional payload. This can be done either
717 via hexadecimal notation using the payload (or short p) argument or directly as ASCII
718 text using the \-P option:
720 mausezahn eth0 \-t ip \-P "Hello World" # ASCII payload
721 mausezahn eth0 \-t ip p=68:65:6c:6c:6f:20:77:6f:72:6c:64 # hex payload
722 mausezahn eth0 \-t ip "proto=89, \\
723 p=68:65:6c:6c:6f:20:77:6f:72:6c:64, \\ # same with other
724 ttl=1" # IP arguments
726 Note: The raw link access mode only accepts hexadecimal payloads (because you specify
727 everything in hexadecimal here.)
729 .SS Packet count and delay:
731 By default only one packet is sent. If you want to send more packets then
732 use the count option \-c <count>. When count is zero then mausezahn will send
733 forever. By default, mausezahn sends at maximum speed (and this is really
734 fast ;-)). If you don't want to overwhelm your network devices or have other
735 reasons to send at a slower rate then you might want to specify a delay using
736 the \-d <delay> option.
738 If you only specify a numeric value it is interpreted in microsecond units.
739 Alternatively, for easier use, you might specify units such as seconds, sec,
740 milliseconds, or msec. (You can also abbreviate this with s or m.)
741 Note: Don't use spaces between the value and the unit! Here are typical examples:
743 Send an infinite number of frames as fast as possible:
745 mausezahn \-c 0 "aa bb cc dd ...."
747 Send 100,000 frames with a 50 msec interval:
749 mausezahn \-c 100000 \-d 50msec "aa bb cc dd ...."
751 Send an unlimited number of BPDU frames in a 2 second interval:
753 mausezahn \-c 0 \-d 2s \-t bpdu conf
755 Note: mausezahn does not support fractional numbers. If you want to specify for
756 example 2.5 seconds then express this in milliseconds (2500 msec).
758 .SS Source and destination addresses:
760 As a mnemonic trick keep in mind that all packets run from "A" to "B". You can
761 always specify source and destination MAC addresses using the \-a and \-b
762 options, respectively. These options also allow keywords such as rand, own,
763 bpdu, cisco, and others.
765 Similarly, you can specify source and destination IP addresses using the \-A
766 and \-B options, respectively. These options also support FQDNs (i.e. domain
767 names) and ranges such as 192.168.0.0/24 or 10.0.0.11-10.0.3.22. Additionally,
768 the source address option supports the rand keyword (ideal for "attacks").
770 Note: When you use the packet builder for IP-based packets (e.g. UDP or TCP)
771 then mausezahn automatically cares about correct MAC and IP addresses (i.e.
772 it performs ARP, DHCP, and DNS for you). But when you specify at least a single
773 link-layer address (or any other L2 option such as a VLAN tag or MPLS header)
774 then ARP is disabled and you must care for the Ethernet destination address for
779 .SS `-- Direct link access:
781 mausezahn allows you to send ANY chain of bytes directly through your Ethernet
784 mausezahn eth0 "ff:ff:ff:ff:ff:ff ff:ff:ff:ff:ff:ff 00:00 ca:fe:ba:be"
786 This way you can craft every packet you want but you must do it by hand. Note:
787 On Wi-Fi interfaces the header is much more complicated and automatically
788 created by the Wi-Fi driver. As an example to introduce some interesting options,
789 lets continuously send frames at max speed with random source MAC address and
790 broadcast destination address, additionally pad the frame to 1000 bytes:
792 mausezahn eth0 \-c 0 \-a rand \-b bcast \-p 1000 "08 00 aa bb cc dd"
794 The direct link access supports automatic padding using the \-p <total frame
795 length> option. This allows you to pad a raw L2 frame to the desired length.
796 You must specify the total length, and the total frame length must have at
797 least 15 bytes for technical reasons. Zero bytes are used for padding.
801 mausezahn provides a simple interface to the ARP packet. You can specify the
802 ARP method (request|reply) and up to four arguments: sendermac, targetmac,
803 senderip, targetip, or short smac, tmac, sip, tip. By default, an ARP reply is
804 sent with your own interface addresses as source MAC and IP address, and a
805 broadcast destination MAC and IP address. Send a gratuitous ARP request (as used for
806 duplicate IP address detection):
808 mausezahn eth0 \-t arp
812 mausezahn eth0 \-t arp "reply, senderip=192.168.0.1, targetmac=00:00:0c:01:02:03, \\
813 targetip=172.16.1.50"
815 where by default your interface MAC address will be used as sendermac,
816 senderip denotes the spoofed IP address, targetmac and targetip identifies the
817 receiver. By default, the Ethernet source address is your interface MAC and the
818 destination address is the broadcast address. You can change this
819 using the flags \-a and \-b.
823 mausezahn provides a simple interface to the 802.1D BPDU frame format (used to
824 create the Spanning Tree in bridged networks). By default, standard IEEE 802.1D
825 BPDUs are sent and it is assumed that your computer wants to become the
826 root bridge (rid=bid). Optionally the 802.3 destination address can be a
827 specified MAC address, broadcast, own MAC, or Cisco's PVST+ MAC address. The
828 destination MAC can be specified using the \-b command which, besides MAC
829 addresses, accepts keywords such as bcast, own, pvst, or stp (default). PVST+
830 is supported as well. Simply specify the VLAN for which you want to send a BPDU:
832 mausezahn eth0 \-t bpdu "vlan=123, rid=2000"
834 See mausezahn \-t bpdu help for more details.
838 mausezahn can send Cisco Discovery Protocol (CDP) messages since this protocol
839 has security relevance. Of course lots of dirty tricks are possible; for
840 example arbitrary TLVs can be created (using the hex-payload argument for
841 example p=00:0e:00:07:01:01:90) and if you want to stress the CDP database of
842 some device, mausezahn can send each CDP message with another system-id using
845 mausezahn \-t cdp change \-c 0
847 Some routers and switches may run into deep problems ;-) See
848 mausezahn \-t cdp help for more details.
850 .SS `-- 802.1Q VLAN Tags:
852 mausezahn allows simple VLAN tagging for IP (and other higher layer) packets.
853 Simply use the option \-Q <[CoS:]VLAN>, such as \-Q 10 or \-Q 3:921. By
854 default CoS=0. For example send a TCP packet in VLAN 500 using CoS=7:
856 mausezahn eth0 \-t tcp \-Q 7:500 "dp=80, flags=rst, p=aa:aa:aa"
858 You can create as many VLAN tags as you want! This is interesting to create
859 QinQ encapsulations or VLAN hopping: Send a UDP packet with VLAN tags 100
860 (outer) and 651 (inner):
862 mausezahn eth0 \-t udp "dp=8888, sp=13442" \-P "Mausezahn is great" \-Q 100,651
864 Don't know if this is useful anywhere but at least it is possible:
866 mausezahn eth0 \-t udp "dp=8888, sp=13442" \-P "Mausezahn is great" \\
867 \-Q 6:5,7:732,5:331,5,6
871 mausezahn eth0 \-t udp "dp=8888, sp=13442" \-P "Mausezahn is great" \-Q 100,651 \-M 314
873 When in raw Layer 2 mode you must create the VLAN tag completely by yourself.
874 For example if you want to send a frame in VLAN 5 using CoS 0 simply specify
875 81:00 as type field and for the next two bytes the CoS (PCP), DEI (CFI), and
876 VLAN ID values (all together known as TCI):
878 mausezahn eth0 \-b bc \-a rand "81:00 00:05 08:00 aa-aa-aa-aa-aa-aa-aa-aa-aa"
882 mausezahn allows you to insert one or more MPLS headers. Simply use the option
883 \-M <label:CoS:TTL:BoS> where only the label is mandatory. If you specify a
884 second number it is interpreted as the experimental bits (the CoS usually). If
885 you specify a third number it is interpreted as TTL. By default the TTL is
886 set to 255. The Bottom of Stack flag is set automatically, otherwise the frame
887 would be invalid, but if you want you can also set or unset it using the
888 S (set) and s (unset) argument. Note that the BoS must be the last argument in
889 each MPLS header definition. Here are some examples:
893 mausezahn eth0 \-M 214 \-t tcp "dp=80" \-P "HTTP..." \-B myhost.com
895 Use three labels (the 214 is now the outer):
897 mausezahn eth0 \-M 9999,51,214 \-t tcp "dp=80" \-P "HTTP..." \-B myhost.com
899 Use two labels, one with CoS=5 and TTL=1, the other with CoS=7:
901 mausezahn eth0 \-M 100:5:1,500:7 \-t tcp "dp=80" \-P "HTTP..." \-B myhost.com
903 Unset the BoS flag (which will result in an invalid frame):
905 mausezahn eth0 \-M 214:s \-t tcp "dp=80" \-P "HTTP..." \-B myhost.com
909 IP, UDP, and TCP packets can be padded using the \-p option. Currently 0x42 is
910 used as padding byte ('the answer'). You cannot pad DNS packets (would be
915 mausezahn allows you to send any malformed or correct IP packet. Every field
916 in the IP header can be manipulated. The IP addresses can be specified via
917 the \-A and \-B options, denoting the source and destination address,
918 respectively. You can also specify an address range or a host name (FQDN).
919 Additionally, the source address can also be random. By default the source
920 address is your interface IP address and the destination address is a
921 broadcast address. Here are some examples:
925 mausezahn eth0 \-t ip \-A rand \-B 192.168.1.0/24 \-P "hello world"
929 mausezahn eth0 \-t ip \-A 10.1.0.1-10.1.255.254 \-B 255.255.255.255 p=ca:fe:ba:be
931 Will use correct source IP address:
933 mausezahn eth0 \-t ip \-B www.xyz.com
935 The Type of Service (ToS) byte can either be specified directly by two
936 hexadecimal digits, which means you can also easily set the Explicit
937 Congestion Notification (ECN) bits (LSB 1 and 2), or you may only want to
938 specify a common DSCP value (bits 3-8) using a decimal number (0..63):
940 Packet sent with DSCP = Expedited Forwarding (EF):
942 mausezahn eth0 \-t ip dscp=46,ttl=1,proto=1,p=08:00:5a:a2:de:ad:be:af
944 If you leave the checksum as zero (or unspecified) the correct checksum will
945 be automatically computed. Note that you can only use a wrong checksum when
946 you also specify at least one L2 field manually.
950 mausezahn supports easy UDP datagram generation. Simply specify the
951 destination address (\-B option) and optionally an arbitrary source address
952 (\-A option) and as arguments you may specify the port numbers using the
953 dp (destination port) and sp (source port) arguments and a payload. You can
954 also easily specify a whole port range which will result in sending multiple
955 packets. Here are some examples:
957 Send test packets to the RTP port range:
959 mausezahn eth0 \-B 192.168.1.1 \-t udp "dp=16384-32767, \\
960 p=A1:00:CC:00:00:AB:CD:EE:EE:DD:DD:00"
962 Send a DNS request as local broadcast (often a local router replies):
964 mausezahn eth0 \-t udp dp=53,p=c5-2f-01-00-00-01-00-00-00-00-00-00-03-77-77-\\
965 77-03-78-79-7a-03-63-6f-6d-00-00-01-00-01"
967 Additionally you may specify the length and checksum using the len and sum
968 arguments (will be set correctly by default). Note: several protocols have same
969 arguments such as len (length) and sum (checksum). If you specified a UDP type
970 packet (via \-t udp) and want to modify the IP length, then use the alternate
971 keyword iplen and ipsum. Also note that you must specify at least one L2 field
972 which tells mausezahn to build everything without the help of your kernel (the
973 kernel would not allow modifying the IP checksum and the IP length).
977 mausezahn currently only supports the following ICMP methods: PING (echo
978 request), Redirect (various types), Unreachable (various types). Additional
979 ICMP types will be supported in future. Currently you would need to tailor them
980 by yourself, e.g. using the IP packet builder (setting proto=1). Use the
981 mausezahn \-t icmp help for help on currently implemented options.
985 mausezahn allows you to easily tailor any TCP packet. Similarly as with UDP you
986 can specify source and destination port (ranges) using the sp and dp arguments.
987 Then you can directly specify the desired flags using an "|" as delimiter if
988 you want to specify multiple flags. For example, a SYN-Flood attack against
989 host 1.1.1.1 using a random source IP address and periodically using all 1023
990 well-known ports could be created via:
992 mausezahn eth0 \-A rand \-B 1.1.1.1 \-c 0 \-t tcp "dp=1-1023, flags=syn" \\
993 \-P "Good morning! This is a SYN Flood Attack. \\
994 We apologize for any inconvenience."
996 Be careful with such SYN floods and only use them for firewall testing. Check
997 your legal position! Remember that a host with an open TCP session only accepts
998 packets with correct socket information (addresses and ports) and a valid TCP
999 sequence number (SQNR). If you want to try a DoS attack by sending a RST-flood
1000 and you do NOT know the target's initial SQNR (which is normally the case) then
1001 you may want to sweep through a range of sequence numbers:
1003 mausezahn eth0 \-A legal.host.com \-B target.host.com \\
1004 \-t tcp "sp=80,dp=80,s=1-4294967295"
1006 Fortunately, the SQNR must match the target host's acknowledgement number plus
1007 the announced window size. Since the typical window size is something between
1008 40000 and 65535 you are MUCH quicker when using an increment via the ds argument:
1010 mausezahn eth0 \-A legal.host.com \-B target.host.com \\
1011 \-t tcp "sp=80, dp=80, s=1-4294967295, ds=40000"
1013 In the latter case mausezahn will only send 107375 packets instead of
1014 4294967295 (which results in a duration of approximately 1 second compared to
1015 11 hours!). Of course you can tailor any TCP packet you like. As with other L4
1016 protocols mausezahn builds a correct IP header but you can additionally access
1017 every field in the IP packet (also in the Ethernet frame).
1021 mausezahn supports UDP-based DNS requests or responses. Typically you may want
1022 to send a query or an answer. As usual, you can modify every flag in the header.
1023 Here is an example of a simple query:
1025 mausezahn eth0 \-B mydns-server.com \-t dns "q=www.ibm.com"
1027 You can also create server-type messages:
1029 mausezahn eth0 \-A spoofed.dns-server.com \-B target.host.com \\
1030 "q=www.topsecret.com, a=172.16.1.1"
1032 The syntax according to the online help (\-t dns help) is:
1034 query|q = <name>[:<type>] ............. where type is per default "A"
1035 (and class is always "IN")
1036 answer|a = [<type>:<ttl>:]<rdata> ...... ttl is per default 0.
1037 = [<type>:<ttl>:]<rdata>/[<type>:<ttl>:]<rdata>/...
1039 Note: If you only use the 'query' option then a query is sent. If you
1040 additionally add an 'answer' then an answer is sent. Examples:
1043 q = www.xyz.com, a=192.168.1.10
1044 q = www.xyz.com, a=A:3600:192.168.1.10
1045 q = www.xyz.com, a=CNAME:3600:abc.com/A:3600:192.168.1.10
1047 Please try out mausezahn \-t dns help to see the many other optional command
1050 .SS `-- RTP and VoIP path measurements:
1052 mausezahn can send arbitrary Real Time Protocol (RTP) packets. By default a
1053 classical G.711 codec packet of 20 ms segment size and 160 bytes is assumed. You
1054 can measure jitter, packet loss, and reordering along a path between two hosts
1055 running mausezahn. The jitter measurement is either done following the variance
1056 low-pass filtered estimation specified in RFC 3550 or using an alternative
1057 "real-time" method which is even more precise (the RFC-method is used by
1058 default). For example on Host1 you start a transmission process:
1060 mausezahn \-t rtp \-B 192.168.1.19
1062 And on Host2 (192.168.1.19) a receiving process which performs the measurement:
1066 Note that the option flag with the capital "T" means that it is a server RTP
1067 process, waiting for incoming RTP packets from any mausezahn source. In case
1068 you want to restrict the measurement to a specific source or you want to
1069 perform a bidirectional measurement, you must specify a stream identifier.
1070 Here is an example for bidirectional measurements which logs the running
1071 jitter average in a file:
1073 Host1# mausezahn \-t rtp id=11:11:11:11 \-B 192.168.2.2 &
1074 Host1# mausezahn \-T rtp id=22:22:22:22 "log, path=/tmp/mz/"
1076 Host2# mausezahn \-t rtp id=22:22:22:22 \-B 192.168.1.1 &
1077 Host2# mausezahn \-T rtp id=11:11:11:11 "log, path=/tmp/mz/"
1079 In any case the measurements are printed continuously onto the screen; by
1080 default it looks like this:
1083 |-------------------------|-------------------------|-------------------------|
1085 #################### 0.14 msec
1091 ############# 0.10 msec
1093 ########################################### 0.31 msec
1095 ############################################## 0.33 msec
1096 ############### 0.11 msec
1097 ########## 0.07 msec
1098 ############### 0.11 msec
1099 ########################################################## 0.42 msec
1102 More information is shown using the txt keyword:
1104 mausezahn \-T rtp txt
1105 Got 100 packets from host 192.168.0.3: 0 lost (0 absolute lost), 1 out of order
1106 Jitter_RFC (low pass filtered) = 30 usec
1107 Samples jitter (min/avg/max) = 1/186/2527 usec
1108 Delta-RX (min/avg/max) = 2010/20167/24805 usec
1109 Got 100 packets from host 192.168.0.3: 0 lost (0 absolute lost), 1 out of order
1110 Jitter_RFC (low pass filtered) = 17 usec
1111 Samples jitter (min/avg/max) = 1/53/192 usec
1112 Delta-RX (min/avg/max) = 20001/20376/20574 usec
1113 Got 100 packets from host 192.168.0.3: 0 lost (0 absolute lost), 1 out of order
1114 Jitter_RFC (low pass filtered) = 120 usec
1115 Samples jitter (min/avg/max) = 0/91/1683 usec
1116 Delta-RX (min/avg/max) = 18673/20378/24822 usec
1118 See mausezahn \-t rtp help and mz \-T rtp help for more details.
1122 The traditional Syslog protocol is widely used even in professional networks
1123 and is sometimes vulnerable. For example you might insert forged Syslog
1124 messages by spoofing your source address (e.g. impersonate the address of a
1125 legit network device):
1127 mausezahn \-t syslog sev=3 \-P "You have been mausezahned." \-A 10.1.1.109 \-B 192.168.7.7
1129 See mausezahn \-t syslog help for more details.
1133 When multiple ranges are specified, e.g. destination port ranges and
1134 destination address ranges, then all possible combinations of ports and
1135 addresses are used for packet generation. Furthermore, this can be mixed with
1136 other ranges e.g. a TCP sequence number range. Note that combining ranges
1137 can lead to a very huge number of frames to be sent. As a rule of thumb you
1138 can assume that about 100,000 frames and more are sent in a fraction of one
1139 second, depending on your network interface.
1141 mausezahn has been designed as a fast traffic generator so you might easily
1142 overwhelm a LAN segment with myriads of packets. And because mausezahn could
1143 also support security audits it is possible to create malicious or invalid
1144 packets, SYN floods, port and address sweeps, DNS and ARP poisoning, etc.
1146 Therefore, don't use this tool when you are not aware of the possible
1147 consequences or have only a little knowledge about networks and data
1148 communication. If you abuse mausezahn for 'unallowed' attacks and get caught,
1149 or damage something of your own, then this is completely your fault. So the
1150 safest solution is to try it out in a lab environment.
1152 Also have a look at the netsniff-ng(8) note section on how you can properly
1153 setup and tune your system.
1156 mausezahn is licensed under the GNU GPL version 2.0.
1160 was originally written by Herbert Haas. According to his website [1], he
1161 unfortunately passed away in 2011 thus leaving this tool unmaintained.
1162 It has been adopted and integrated into the netsniff-ng toolkit and is further
1163 being maintained and developed from there. Maintainers are Tobias Klauser
1164 <tklauser@distanz.ch> and Daniel Borkmann <dborkma@tik.ee.ethz.ch>.
1166 [1] http://www.perihel.at/
1169 .BR netsniff-ng (8),
1174 .BR astraceroute (8),
1178 Manpage was written by Herbert Haas and modified by Daniel Borkmann.
1181 This page is part of the Linux netsniff-ng toolkit project. A description of the project,
1182 and information about reporting bugs, can be found at http://netsniff-ng.org/.