1 .\" netsniff-ng - the packet sniffing beast
2 .\" Copyright 2013 Herbert Haas, modified by Daniel Borkmann.
3 .\" Subject to the GPL, version 2.
5 .TH MAUSEZAHN 8 "03 March 2013" "Linux" "netsniff-ng toolkit"
7 mausezahn \- a fast versatile packet generator with Cisco-cli
11 \fBmausezahn\fR { [\fIoptions\fR] "<arg-string> | <hex-string>" }
15 mausezahn is a fast traffic generator which allows you to send nearly every
16 possible and impossible packet. In contrast to trafgen(8), mausezahn's packet
17 configuration is on protocol-level instead of byte-level and mausezahn also
18 comes with a built-in Cisco-like command-line interface, making it suitable
19 as a network traffic generator box in your network lab.
21 Next to network labs, it can also be used as a didactical tool and for security
22 audits including penetration and DoS testing. As a traffic generator, mausezahn
23 is also able to test IP multicast or VoIP networks. Packet rates close to the
24 physical limit are reachable, depending on the hardware platform.
26 mausezahn supports two modes, ``direct mode'' and a multi-threaded ``interactive
29 The ``direct mode'' allows you to create a packet directly on the command line
30 and every packet parameter is specified in the argument list when calling
33 The ``interactive mode'' is an advanced multi-threaded configuration mode with
34 its own command line interface (cli). This mode allows you to create an arbitrary
35 number of packet types and streams in parallel, each with different parameters.
37 The interactive mode utilizes a completely redesigned and more flexible protocol
38 framework called ``mops'' (mausezahn's own packet system). The look and feel of
39 the cli is very close to the Cisco IOS^tm command line.
41 You can start the interactive mode by executing mausezahn with the ``\-x''
42 argument (an optional port number may follow, otherwise it is 25542). Then use
43 telnet(1) to connect to this mausezahn instance. If not otherwise specified,
44 the default login/password combination is mz:mz, enable password is: mops.
45 This can be changed in /etc/netsniff-ng/mausezahn.conf.
47 The direct mode supports two specification schemes: The ``raw-layer-2'' scheme,
48 where every single byte to be sent can be specified, and ``higher-layer'' scheme,
49 where packet builder interfaces are used (using the ``\-t'' option).
51 To use the ``raw-layer-2'' scheme, simply specify the desired frame as
52 hexadecimal sequence (the ``hex-string''), such as:
54 mausezahn eth0 "00:ab:cd:ef:00 00:00:00:00:00:01 08:00 ca:fe:ba:be"
56 In this example, whitespaces within the byte string are optional and separate
57 the Ethernet fields (destination and source address, type field, and a short
58 payload). The only additional options supported are ``\-a'', ``\-b'', ``\-c'',
59 and ``\-p''. The frame length must be greater than or equal to 15 bytes.
61 The ``higher-layer'' scheme is enabled using the ``\-t <packet-type>'' option.
62 This option activates a packet builder and besides the ``packet-type'' an
63 optional ``arg-string'' can be specified. The ``arg-string'' contains
64 packet-specific parameters, such as TCP flags, port numbers, etc (see example
69 mausezahn provides a built-in context-specific help. Thus, simply append the
70 keyword ``help'' after the configuration options. The most important options
74 Start mausezahn in interactive mode with a Cisco-like cli. Use telnet to log
75 into the local mausezahn instance. If no port has been specified, port 25542
79 Verbose mode. Capital \-V is even more verbose.
82 Simulation mode, i.e. don't put anything on the wire. This is typically combined
83 with the verbose mode.
86 Quiet mode where only warnings and errors are displayed.
89 Send the packet count times (default: 1, infinite: 0).
92 Apply delay between transmissions. The delay value can be specified in usec
93 (default, no additional unit needed), or in msec (e.g. 100m or 100msec), or
94 in seconds (e.g. 100s or 100sec). Note: mops also supports nanosecond delay
95 granularity if you need it (see interactive mode).
98 Pad the raw frame to specified length using zero bytes. Note that for raw
99 layer 2 frames the specified length defines the whole frame length, while for
100 higher layer packets the number of additional padding bytes is specified.
102 .SS -a <src-mac|keyword>
103 Use specified source MAC address with hex notation such as 00:00:aa:bb:cc:dd.
104 By default the interface MAC address will be used. The keywords ``rand'' and
105 ``own'' refer to a random MAC address (only unicast addresses are created)
106 and the own address, respectively. You can also use the keywords mentioned
107 below although broadcast-type source addresses are officially invalid.
109 .SS -b <dst-mac|keyword>
110 Use specified destination MAC address. By default, a broadcast is sent in raw
111 layer 2 mode or the destination hosts/gateways interface MAC address in normal
112 (IP) mode. You can use the same keywords as mentioned above, as well as
113 ``bc'' or ``bcast'', ``cisco'', and ``stp''. Please note that for the destination
114 MAC address the ``rand'' keyword is supported but creates a random address only
115 once, even when you send multiple packets.
117 .SS -A <src-ip|range|rand>
118 Use specified source IP address, default is own interface IP. Optionally, the
119 keyword ``rand'' can again be used for a random source IP address or a range
120 can be specified, such as ``192.168.1.1-192.168.1.100'' or ``10.1.0.0/16''.
121 Also, a DNS name can be specified for which mausezahn tries to determine the
122 corresponding IP address automatically.
124 .SS -B <dst-ip|range>
125 Use specified destination IP address (default is broadcast i.e. 255.255.255.255).
126 As with the source address (see above) you can also specify a range or a DNS name.
129 Create the specified packet type using the built-in packet builder. Currently,
130 supported packet types are: ``arp'', ``bpdu'', ``ip'', ``udp'', ``tcp'', ``rtp'',
131 and ``dns''. There is currently also a limited support for ``icmp''. Type
132 ``\-t help'' to verify which packet builders your actual mausezahn version
133 supports. Also, for any particular packet type, for example ``tcp'' type
134 ``mausezahn \-t tcp help'' to receive a more in-depth context specific help.
137 Make this mausezahn instance the receiving station. Currently, only ``rtp'' is
138 an option here and provides precise jitter measurements. For this purpose, start
139 another mausezahn instance on the sending station and the local receiving station
140 will output jitter statistics. See ``mausezahn \-T rtp help'' for a detailed help.
142 .SS -Q <[CoS:]vlan> [, <[CoS:]vlan>, ...]
143 Specify 802.1Q VLAN tag and optional Class of Service. An arbitrary number of
144 VLAN tags can be specified (that is, you can simulate QinQ or even QinQinQinQ).
145 Multiple tags must be separated via a comma or a period (e.g. "5:10,20,2:30").
146 VLAN tags are not supported for ARP and BPDU packets (in which case you could
147 specify the whole frame in hex using the raw layer 2 interface of mausezahn).
149 .SS -M <label[:cos[:ttl]][bos]> [, <label...>]
150 Specify an MPLS label or even an MPLS label stack. Optionally, for each label the
151 experimental bits (usually the Class of Service, CoS) and the Time To Live
152 (TTL) can be specified. And if you are really crazy you can set/unset the
153 Bottom of Stack (BoS) bit at each label using the ``S'' (set) and ``s''
154 (unset) option. By default, the BoS is set automatically and correct. Any other
155 setting will lead to invalid frames. Enter ``\-M help'' for detailed instructions
158 .SS -P <ascii-payload>
159 Specify a cleartext payload. Alternatively, each packet type supports a
160 hexadecimal specification of the payload (see for example ``\-t udp help'').
163 Read the ascii payload from the specified file.
166 Read the hex payload from the specified file. This file must also be an ASCII
167 text file, but must contain hexadecimal digits, e.g. "aa:bb:cc:0f:e6...".
168 You can also use spaces as separation characters.
172 For more comprehensive examples, have a look at the two follow-up howto sections.
174 .SS mausezahn eth0 \-c 0 \-d 2s \-t bpdu vlan=5
175 Send BPDU frames for VLAN 5 as used with Cisco's PVST+ type of STP. By default
176 mausezahn assumes that you want to become the root bridge.
178 .SS mausezahn eth0 \-c 128000 \-a rand \-p 64
179 Perform a CAM table overflow attack.
181 .SS mausezahn eth0 \-c 0 \-Q 5,100 \-t tcp "flags=syn,dp=1-1023" \-p 20 \-A rand \-B 10.100.100.0/24
182 Perform a SYN flood attack to another VLAN using VLAN hopping. This only works
183 if you are connected to the same VLAN which is configured as native VLAN on the
184 trunk. We assume that the victim VLAN is VLAN 100 and the native VLAN is VLAN 5.
185 Let's attack every host in VLAN 100 which uses an IP prefix of 10.100.100.0/24, also
186 try out all ports between 1 and 1023 and use a random source IP address.
188 .SS mausezahn eth0 \-c 0 \-d 10msec \-B 230.1.1.1 \-t udp "dp=32000,dscp=46" \-P "Multicast test packet"
189 Send IP multicast packets to the multicast group 230.1.1.1 using a UDP header
190 with destination port 32000 and set the IP DSCP field to EF (46). Send one
193 .SS mausezahn eth0 \-Q 6:420 \-M 100,200,300:5 \-A 172.30.0.0/16 \-B target.anynetwork.foo \-t udp "sp=666,dp=1-65535" \-p 1000 \-c 10
194 Send UDP packets to the destination host target.anynetwork.foo using all
195 possible destination ports and send every packet with all possible source
196 addresses of the range 172.30.0.0/16; additionally use a source port of 666
197 and three MPLS labels, 100, 200, and 300, the outer (300) with QoS field 5.
198 Send the frame with a VLAN tag 420 and CoS 6; eventually pad with 1000 bytes
199 and repeat the whole thing 10 times.
201 .SS mausezahn \-t syslog sev=3 \-P "Main reactor reached critical temperature." \-A 192.168.33.42 \-B 10.1.1.9 \-c 6 \-d 10s
202 Send six forged syslog messages with severity 3 to a Syslog server 10.1.1.9; use
203 a forged source IP address 192.168.33.42 and let mausezahn decide which local
204 interface to use. Use an inter-packet delay of 10 seconds.
206 .SS mausezahn \-t tcp "flags=syn|urg|rst, sp=145, dp=145, win=0, s=0-4294967295, ds=1500, urg=666" \-a bcast \-b bcast \-A bcast \-B 10.1.1.6 \-p 5
207 Send an invalid TCP packet with only a 5 byte payload as layer-2 broadcast and
208 also use the broadcast MAC address as source address. The target should be
209 10.1.1.6 but use a broadcast source address. The source and destination port
210 shall be 145 and the window size 0. Set the TCP flags SYN, URG, and RST
211 simultaneously and sweep through the whole TCP sequence number space with an
212 increment of 1500. Finally set the urgent pointer to 666, i.e. pointing to
215 .SH INTERACTIVE MODE HOWTO
219 Using the interactive mode requires starting mausezahn as a server:
223 Now you can telnet(1) to that server using the default port number 25542, but also
224 an arbitrary port number can be specified:
228 mausezahn accepts incoming telnet connections on port 99.
230 mz: Problems opening config file. Will use defaults
232 Either from another terminal or from another host try to telnet to the
235 caprica$ telnet galactica 99
236 Trying 192.168.0.4...
237 Connected to galactica.
238 Escape character is '^]'.
248 It is recommended to configure your own login credentials in
249 /etc/mausezahn/mz.cfg, such as:
257 Since you reached the mausezahn prompt, let's try some first commands. You can
258 use the '?' character at any time for a context-sensitive help.
260 First try out the show command:
264 mausezahn maintains its own ARP table and observes anomalies. There is an entry
265 for every physical interface (however this host has only one):
268 Intf Index IP address MAC address last Ch UCast BCast Info
269 ----------------------------------------------------------------------------------
270 eth0 [1] D 192.168.0.1 00:09:5b:9a:15:84 23:44:41 1 1 0 0000
272 The column Ch tells us that the announced MAC address has only changed one time
273 (= when it was learned). The columns Ucast and BCast tell us how often this
274 entry was announced via unicast or broadcast respectively.
276 Let's check our interfaces:
279 Available network interfaces:
280 real real used (fake) used (fake)
281 device IPv4 address MAC address IPv4 address MAC address
282 ---------------------------------------------------------------------------------------
283 > eth0 192.168.0.4 00:30:05:76:2e:8d 192.168.0.4 00:30:05:76:2e:8d
284 lo 127.0.0.1 00:00:00:00:00:00 127.0.0.1 00:00:00:00:00:00
286 Default interface is eth0.
288 .SS Defining packets:
290 Let's check the current packet list:
293 Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=UDP, T=TCP
294 PktID PktName Layers Proto Size State Device Delay Count/CntX
295 1 sysARP_servic... E----- ARP 60 config lo 100 msec 1/0 (100%)
296 1 packets defined, 0 active.
298 We notice that there is already one system-defined packet process; it has been
299 created and used only once (during startup) by mausezahn's ARP service.
300 Currently, its state is config which means that the process is sleeping.
302 .SS General packet options:
304 Now let's create our own packet process and therefore switch into the global
309 Allocated new packet PKT0002 at slot 2
312 name Assign a unique name
313 description Assign a packet description text
314 bind Select the network interface
315 count Configure the packet count value
316 delay Configure the inter-packet delay
317 interval Configure a greater interval
318 type Specify packet type
319 mac Configure packet's MAC addresses
321 payload Configure a payload
322 port Configure packet's port numbers
323 end End packet configuration mode
324 ethernet Configure frame's Ethernet, 802.2, 802.3, or SNAP settings
325 ip Configure packet's IP settings
326 udp Configure packet's UDP header parameters
327 tcp Configure packet's TCP header parameters
329 There are a lot of options but normally you only need a few of them. When you
330 configure lots of different packets you might assign a reasonable name and
331 description for them:
333 mz(config-pkt-2)# name Test
334 mz(config-pkt-2)# desc This is just a test
336 You can e.g. change the default settings for the source and destination MAC/IP
337 addresses using the mac and ip commands:
339 mz(config-pkt-2)# ip address dest 10.1.1.0 /24
340 mz(config-pkt-2)# ip addr source random
342 In the example above, we configured a range of addresses (all hosts in the
343 network 10.1.1.0 should be addressed). Additionally we spoof our source IP
344 address. Of course, we can also add one or more VLAN and/or MPLS tag(s):
346 mz(config-pkt-2)# tag ?
347 dot1q Configure 802.1Q (and 802.1P) parameters
348 mpls Configure MPLS label stack
349 mz(config-pkt-2)# tag dot ?
350 Configure 802.1Q tags:
351 VLAN[:CoS] [VLAN[:CoS]] ... The leftmost tag is the outer tag in the frame
352 remove <tag-nr> | all Remove one or more tags (<tag-nr> starts with 1),
353 by default the first (=leftmost,outer) tag is removed,
354 keyword 'all' can be used instead of tag numbers.
355 cfi | nocfi [<tag-nr>] Set or unset the CFI-bit in any tag (by default
356 assuming the first tag).
357 mz(config-pkt-2)# tag dot 1:7 200:5
359 .SS Configure count and delay:
361 mz(config-pkt-2)# count 1000
362 mz(config-pkt-2)# delay ?
363 delay <value> [hour | min | sec | msec | usec | nsec]
365 Specify the inter-packet delay in hours, minutes, seconds, milliseconds,
366 microseconds or nanoseconds. The default unit is milliseconds (i.e. when no
369 mz(config-pkt-2)# delay 1 msec
370 Inter-packet delay set to 0 sec and 1000000 nsec
373 .SS Configuring protocol types:
375 mausezahn's interactive mode supports a growing list of protocols and only
376 relies on the MOPS architecture (and not on libnet as it is the case with
377 the legacy direct mode):
379 mz(config-pkt-2)# type
380 Specify a packet type from the following list:
388 mz(config-pkt-2)# type tcp
389 mz(config-pkt-2-tcp)#
391 seqnr Configure the TCP sequence number
392 acknr Configure the TCP acknowledgement number
393 hlen Configure the TCP header length
394 reserved Configure the TCP reserved field
395 flags Configure a combination of TCP flags at once
396 cwr Set or unset the TCP CWR flag
397 ece Set or unset the TCP ECE flag
398 urg Set or unset the TCP URG flag
399 ack set or unset the TCP ACK flag
400 psh set or unset the TCP PSH flag
401 rst set or unset the TCP RST flag
402 syn set or unset the TCP SYN flag
403 fin set or unset the TCP FIN flag
404 window Configure the TCP window size
405 checksum Configure the TCP checksum
406 urgent-pointer Configure the TCP urgend pointer
407 options Configure TCP options
408 end End TCP configuration mode
409 mz(config-pkt-2-tcp)# flags syn fin rst
410 Current setting is: --------------------RST-SYN-FIN
411 mz(config-pkt-2-tcp)# end
412 mz(config-pkt-2)# paylo ascii This is a dummy payload for my first packet
413 mz(config-pkt-2)# end
415 Now configure another packet, for example let's assume we want an LLDP process:
418 Allocated new packet PKT0003 at slot 3
419 mz(config-pkt-3)# ty lldp
420 mz(config-pkt-3-lldp)# exit
423 In the above example we only use the default LLDP settings and don't configure
424 further LLDP options or TLVs. Back in the top level of the CLI let's verify
428 Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=UDP, T=TCP
429 PktID PktName Layers Proto Size State Device Delay Count/CntX
430 1 sysARP_servic... E----- ARP 60 config lo 100 msec 1/0 (100%)
431 2 Test E-Q-IT 125 config eth0 1000 usec 1000/1000 (0%)
432 3 PKT0003 E----- LLDP 36 config eth0 30 sec 0/0 (0%)
433 3 packets defined, 0 active.
435 The column Layers indicates which major protocols have been combined. For
436 example the packet with packet-id 2 ("Test") utilizes Ethernet (E),
437 IP (I), and TCP (T). Additionally an 802.1Q tag (Q) has been inserted. Now
438 start one of these packet processes:
443 Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=UDP, T=TCP
444 PktID PktName Layers Proto Size State Device Delay Count/CntX
445 1 sysARP_servic... E----- ARP 60 config lo 100 msec 1/0 (100%)
446 2 Test E-Q-IT 125 config eth0 1000 usec 1000/1000 (0%)
447 3 PKT0003 E----- LLDP 36 config eth0 30 sec 0/1 (0%)
448 3 packets defined, 1 active.
450 Let's have a more detailed look at a specific packet process:
454 Description: This is just a test
455 State: config, Count=1000, delay=1000 usec (0 s 1000000 nsec), interval= (undefined)
457 Ethernet: 00-30-05-76-2e-8d => ff-ff-ff-ff-ff-ff [0800 after 802.1Q tag]
458 Auto-delivery is ON (that is, the actual MAC is adapted upon transmission)
459 802.1Q: 0 tag(s); (VLAN:CoS)
460 IP: SA=192.168.0.4 (not random) (no range)
461 DA=255.255.255.255 (no range)
462 ToS=0x00 proto=17 TTL=255 ID=0 offset=0 flags: -|-|-
463 len=49664(correct) checksum=0x2e8d(correct)
464 TCP: 83 bytes segment size (including TCP header)
465 SP=0 (norange) (not random), DP=0 (norange) (not random)
466 SQNR=3405691582 (start 0, stop 4294967295, delta 0) -- ACKNR=0 (invalid)
467 Flags: ------------------------SYN----, reserved field is 00, urgent pointer= 0
468 Announced window size= 100
469 Offset= 0 (times 32 bit; value is valid), checksum= ffff (valid)
470 (No TCP options attached) - 0 bytes defined
471 Payload size: 43 bytes
472 Frame size: 125 bytes
473 1 ff:ff:ff:ff:ff:ff:00:30 05:76:2e:8d:81:00:e0:01 81:00:a0:c8:08:00:45:00 00:67:00:00:00:00:ff:06
474 33 fa:e4:c0:a8:00:04:ff:ff ff:ff:00:00:00:00:ca:fe ba:be:00:00:00:00:a0:07 00:64:f7:ab:00:00:02:04
475 65 05:ac:04:02:08:0a:19:35 90:c3:00:00:00:00:01:03 03:05:54:68:69:73:20:69 73:20:61:20:64:75:6d:6d
476 97 79:20:70:61:79:6c:6f:61 64:20:66:6f:72:20:6d:79 20:66:69:72:73:74:20:70 61:63:6b:65:74
479 If you want to stop one or more packet processes, use the stop command. The
480 "emergency stop" is when you use stop all:
485 Stopped 1 transmission processe(s)
487 The launch command provides a shortcut for commonly used packet processes. For
488 example to behave like a STP-capable bridge we want to start a BPDU process
489 with typical parameters:
492 Allocated new packet sysBPDU at slot 5
494 Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=UDP, T=TCP
495 PktID PktName Layers Proto Size State Device Delay Count/CntX
496 1 sysARP_servic... E----- ARP 60 config lo 100 msec 1/0 (100%)
497 2 Test E-Q-IT 125 config eth0 1000 usec 1000/1000 (0%)
498 3 PKT0003 E----- LLDP 36 config eth0 30 sec 0/12 (0%)
499 4 PKT0004 E---I- IGMP 46 config eth0 100 msec 0/0 (0%)
500 5 sysBPDU ES---- BPDU 29 active eth0 2 sec 0/1 (0%)
501 5 packets defined, 1 active.
503 Now a Configuration BPDU is sent every 2 seconds, claiming to be the root
504 bridge (and usually confusing the LAN). Note that only packet 5 (i.e. the
505 last row) is active and therefore sending packets while all other packets
506 are in state config (i.e. they have been configured but they are not doing
507 anything at the moment).
509 .SS Configuring a greater interval:
511 Sometimes you may want to send a burst of packets at a greater interval:
514 Modify packet parameters for packet Test [2]
515 mz(config-pkt-2)# interv
516 Configure a greater packet interval in days, hours, minutes, or seconds
517 Arguments: <value> <days | hours | minutes | seconds>
518 Use a zero value to disable an interval.
519 mz(config-pkt-2)# interv 1 h
520 mz(config-pkt-2)# count 10
521 mz(config-pkt-2)# delay 15 usec
522 Inter-packet delay set to 0 sec and 15000 nsec
524 Now this packet is sent ten times with an inter-packet delay of 15 microseconds
525 and this is repeated every hour. When you look at the packet list, an interval
526 is indicated with the additional flag 'i' when inactive or 'I' when active:
529 Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=UDP, T=TCP
530 PktID PktName Layers Proto Size State Device Delay Count/CntX
531 1 sysARP_servic... E----- ARP 60 config lo 100 msec 1/0 (100%)
532 2 Test E-Q-IT 125 config-i eth0 15 usec 10/10 (0%)
533 3 PKT0003 E----- LLDP 36 config eth0 30 sec 0/12 (0%)
534 4 PKT0004 E---I- IGMP 46 config eth0 100 msec 0/0 (0%)
535 5 sysBPDU ES---- BPDU 29 active eth0 2 sec 0/251 (0%)
536 5 packets defined, 1 active.
540 Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=UDP, T=TCP
541 PktID PktName Layers Proto Size State Device Delay Count/CntX
542 1 sysARP_servic... E----- ARP 60 config lo 100 msec 1/0 (100%)
543 2 Test E-Q-IT 125 config+I eth0 15 usec 10/0 (100%)
544 3 PKT0003 E----- LLDP 36 config eth0 30 sec 0/12 (0%)
545 4 PKT0004 E---I- IGMP 46 config eth0 100 msec 0/0 (0%)
546 5 sysBPDU ES---- BPDU 29 active eth0 2 sec 0/256 (0%)
547 5 packets defined, 1 active.
549 Note that the flag 'I' indicates that an interval has been specified for
550 packet 2. The process is not active at the moment (only packet 5 is active
551 here) but it will become active at a regular interval. You can verify the
552 actual interval when viewing the packet details via the show packet 2 command.
554 .SS Load prepared configurations:
556 You can prepare packet configurations using the same commands as you would
557 type them in on the CLI and then load them to the CLI. For example assume we
558 have prepared a file 'test.mops' containing:
563 desc This is only a demonstration how to load a file to mops
566 Then we can add this packet configuration to our packet list using the load
570 Read commands from test.mops...
571 Allocated new packet PKT0002 at slot 2
573 Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=UDP, T=TCP
574 PktID PktName Layers Proto Size State Device Delay Count/CntX
575 1 sysARP_servic... E----- ARP 60 config lo 100 msec 1/0 (100%)
576 2 IGMP_TEST E---I- IGMP 46 config eth0 100 msec 0/0 (0%)
577 2 packets defined, 0 active.
579 The file src/examples/mausezahn/example_lldp.conf contains another example
580 list of commands to create a bogus LLDP packet. You can load this
581 configuration from the mausezahn command line, e.g. via:
583 mz# load /home/hh/tmp/example_lldp.conf
585 In case you copied the file to that path. Now when you enter 'show packet' you
586 will see a new packet entry in the packet list. Use the 'start slot <nr>'
587 command to activate this packet.
589 You can store your own packet creations in such a file and easily load them when
590 you need them. Every command within such configuration files is executed on the
591 command line interface as if you had typed it in -- so be careful about the
592 order and don't forget to use 'configure terminal' as first command.
594 You can even load other files from within a central config file.
596 .SH DIRECT MODE HOWTO
598 .SS How to specify hex digits:
600 Many arguments allow direct byte input. Bytes are represented as two
601 hexadecimal digits. Multiple bytes must be separated either by spaces, colons,
602 or dashes - whatever you prefer. The following byte strings are equivalent:
604 "aa:bb cc-dd-ee ff 01 02 03-04 05"
605 "aa bb cc dd ee ff:01:02:03:04 05"
607 As first example, you may want to send an arbitrary fancy (possibly invalid)
608 frame right through your network card:
610 mausezahn ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:08:00:ca:fe:ba:be
612 or equivalently but more readable:
614 mausezahn ff:ff:ff:ff:ff:ff-ff:ff:ff:ff:ff:ff-08:00-ca:fe:ba:be
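The byte notation above and the ``show packet 2'' frame dump from the interactive mode howto, handled by an added Python example that is not part of mausezahn: it accepts any mix of space, colon and dash separators, reassembles the offset-prefixed dump lines, and walks the Ethernet, 802.1Q, IPv4 and TCP headers so you can check that the tags, flags and payload you configured are what actually goes on the wire. The class and field names are this example's own; the dump lines are copied from the page.

```python
import re
import struct
from dataclasses import dataclass
from typing import Optional

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
IPPROTO_TCP = 6
# Bit order of the TCP flag field, least significant bit first.
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def parse_hex_string(text: str) -> bytes:
    """Parse a mausezahn byte string: two hex digits per byte, bytes
    separated by any mix of spaces, colons and dashes (or not at all)."""
    digits = re.sub(r"[\s:\-]", "", text)
    if len(digits) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", digits):
        raise ValueError(f"not a valid hex byte string: {text!r}")
    return bytes.fromhex(digits)


def frame_from_show_packet(dump: str) -> bytes:
    """Reassemble a frame from 'show packet' output, where every line
    starts with the 1-based offset of its first byte."""
    raw = bytearray()
    for line in dump.strip().splitlines():
        offset, _, hexpart = line.strip().partition(" ")
        if int(offset) != len(raw) + 1:
            raise ValueError(f"dump line offset {offset} does not match {len(raw) + 1}")
        raw += parse_hex_string(hexpart)
    return bytes(raw)


@dataclass
class Frame:
    dst: str
    src: str
    vlan_tags: list          # (CoS, VLAN id) tuples, outermost tag first
    ethertype: int
    ip: Optional[dict] = None
    tcp: Optional[dict] = None
    payload: bytes = b""


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def decode_frame(raw: bytes) -> Frame:
    """Walk Ethernet -> 802.1Q stack -> IPv4 -> TCP, stopping at the first
    layer that is not one of these; whatever follows becomes the payload."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    off, tags = 12, []
    ethertype = struct.unpack_from("!H", raw, off)[0]
    while ethertype == ETH_P_8021Q:
        tci = struct.unpack_from("!H", raw, off + 2)[0]
        tags.append((tci >> 13, tci & 0x0FFF))   # PCP (CoS) and VLAN id
        off += 4
        ethertype = struct.unpack_from("!H", raw, off)[0]
    off += 2
    frame = Frame(_mac(raw[0:6]), _mac(raw[6:12]), tags, ethertype)
    if ethertype != ETH_P_IP:
        frame.payload = raw[off:]
        return frame
    (vihl, tos, total_len, _ident, _frag, ttl, proto,
     _csum, sip, dip) = struct.unpack_from("!BBHHHBBH4s4s", raw, off)
    ihl = (vihl & 0x0F) * 4
    frame.ip = {"src": ".".join(map(str, sip)), "dst": ".".join(map(str, dip)),
                "tos": tos, "ttl": ttl, "proto": proto, "total_len": total_len}
    off += ihl
    if proto != IPPROTO_TCP:
        frame.payload = raw[off:]
        return frame
    (sp, dp, seq, ack, doff_flags, win,
     _csum, urg) = struct.unpack_from("!HHIIHHHH", raw, off)
    doff = (doff_flags >> 12) * 4          # data offset in bytes
    bits = doff_flags & 0x01FF
    frame.tcp = {"sport": sp, "dport": dp, "seq": seq, "ack": ack, "window": win,
                 "urgent": urg,
                 "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if bits & (1 << i)],
                 "options": raw[off + 20:off + doff]}
    frame.payload = raw[off + doff:]
    return frame


# The 'show packet 2' frame dump from the interactive mode howto (copied from the page).
SHOW_PACKET_2_DUMP = """
1 ff:ff:ff:ff:ff:ff:00:30 05:76:2e:8d:81:00:e0:01 81:00:a0:c8:08:00:45:00 00:67:00:00:00:00:ff:06
33 fa:e4:c0:a8:00:04:ff:ff ff:ff:00:00:00:00:ca:fe ba:be:00:00:00:00:a0:07 00:64:f7:ab:00:00:02:04
65 05:ac:04:02:08:0a:19:35 90:c3:00:00:00:00:01:03 03:05:54:68:69:73:20:69 73:20:61:20:64:75:6d:6d
97 79:20:70:61:79:6c:6f:61 64:20:66:6f:72:20:6d:79 20:66:69:72:73:74:20:70 61:63:6b:65:74
"""
SHOW_PACKET_2_FRAME = frame_from_show_packet(SHOW_PACKET_2_DUMP)

if __name__ == "__main__":
    f = decode_frame(SHOW_PACKET_2_FRAME)
    print(f"{len(SHOW_PACKET_2_FRAME)} bytes, tags={f.vlan_tags}, ip={f.ip}")
    print(f"tcp flags={f.tcp['flags']} seq={f.tcp['seq']:#x} payload={f.payload!r}")
```

Running it on the dump recovers the two tags configured with ``tag dot 1:7 200:5'' and the SYN/FIN/RST flag combination, which the one-line ``show packet'' summary on the page does not make visible.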
616 .SS Basic operations:
618 All major command line options are listed when you execute mausezahn without
619 arguments. For practical usage keep the following special (not so widely
620 known) options in mind:
622 \-r Multiplies the specified delay with a random value.
623 \-p <length> Pad the raw frame to specified length (using random bytes).
624 \-P <ASCII Payload> Use the specified ASCII payload.
625 \-f <filename> Read the ASCII payload from a file.
626 \-F <filename> Read the hexadecimal payload from a file.
627 \-S Simulation mode: DOES NOT put anything on the wire.
628 This is typically combined with one of the verbose
631 Many options require a keyword or a number but the \-t option is an exception
632 since it requires both a packet type (such as ip, udp, dns, etc) and an
633 argument string which is specific for that packet type. Here are some simple
637 mausezahn \-t tcp help
638 mausezahn eth3 \-t udp sp=69,dp=69,p=ca:fe:ba:be
640 Note: Don't forget that on the CLI the Linux shell (usually the Bash)
641 interprets spaces as a delimiter character. That is, if you are specifying
642 an argument that consists of multiple words with spaces in between, you MUST
643 group this with quotes. For example, instead of
645 mausezahn eth0 \-t udp sp=1, dp=80, p=00:11:22:33
647 you could either omit the spaces
649 mausezahn eth0 \-t udp sp=1,dp=80,p=00:11:22:33
651 or, even safer, use quotes:
653 mausezahn eth0 \-t udp "sp=1,dp=80,p=00:11:22:33"
655 In order to monitor what's going on, you can enable the verbose mode using
656 the \-v option. The opposite is the quiet mode (\-q) which will keep mausezahn
657 absolutely quiet (except for error messages and warnings.)
659 Don't confuse the payload argument p=... with the padding option \-p. The latter
660 is used outside the quotes!
662 .SS The automatic packet builder:
664 An important argument is "\-t" which invokes a packet builder. Currently there
665 are packet builders for ARP, BPDU, CDP, IP, partly ICMP, UDP, TCP, RTP, DNS,
666 and SYSLOG. (Additionally you can insert a VLAN tag or a MPLS label stack but
667 this works independent of the packet builder.)
669 You get context specific help of every packet builder using the help keyword,
672 mausezahn \-t bpdu help
673 mausezahn \-t tcp help
675 For every packet you may specify an optional payload. This can be done either
676 via HEX notation using the payload (or short p) argument or directly as ASCII
677 text using the \-P option:
679 mausezahn eth0 \-t ip \-P "Hello World" # ASCII payload
680 mausezahn eth0 \-t ip p=68:65:6c:6c:6f:20:77:6f:72:6c:64 # hex payload
681 mausezahn eth0 \-t ip "proto=89, \\
682 p=68:65:6c:6c:6f:20:77:6f:72:6c:64, \\ # same with other
683 ttl=1" # IP arguments
685 Note: The raw link access mode only accepts hex payloads (because you specify
686 everything in hex here.)
688 .SS Packet count and delay:
690 By default only one packet is sent. If you want to send more packets then
691 use the count option \-c <count>. When count is zero then mausezahn will send
692 forever. By default mausezahn sends at maximum speed (and this is really
693 fast ;-)). If you don't want to overwhelm your network devices or have other
694 reasons to send at a slower rate then you might want to specify a delay using
695 the \-d <delay> option.
697 If you only specify a numeric value it is interpreted in microsecond units.
698 Alternatively, for easier use, you might specify units such as seconds sec or
699 milliseconds msec. (You can also abbreviate this with s or m.) Note: Don't use
700 spaces between the value and the unit! Here are typical examples:
702 Send infinite frames as fast as possible:
704 mausezahn \-c 0 "aa bb cc dd ...."
706 Send 100,000 frames with a 50 msec interval:
708 mausezahn \-c 100000 \-d 50msec "aa bb cc dd ...."
710 Send infinite BPDU frames in a 2 second interval:
712 mausezahn \-c 0 \-d 2s \-t bpdu conf
714 Note: mausezahn does not support fractional numbers. If you want to specify for
715 example 2.5 seconds then express this e.g. in milliseconds (2500 msec).
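An added Python example (not mausezahn code) that models the delay syntax of both modes as documented here and under the interactive mode's delay command: the direct-mode -d value in microseconds with the m/msec and s/sec suffixes, rejecting fractional numbers and a space before the unit, and the mops ``delay <value> [unit]'' form normalized to the (sec, nsec) pair the CLI echoes. The unit tables come from this page; the function names are this example's own.

```python
import re

# Nanoseconds per unit name accepted by the mops 'delay' command
# (hour | min | sec | msec | usec | nsec; default is msec).
MOPS_NS_PER_UNIT = {"nsec": 1, "usec": 10**3, "msec": 10**6, "sec": 10**9,
                    "min": 60 * 10**9, "hour": 3600 * 10**9}
# Microseconds per suffix accepted by the direct-mode -d option
# (a bare number is microseconds; s/sec and m/msec are the documented units).
DIRECT_US_PER_SUFFIX = {"": 1, "m": 10**3, "msec": 10**3, "s": 10**6, "sec": 10**6}


def parse_direct_delay(arg: str) -> int:
    """Return the -d argument in microseconds. Rejects fractional values,
    spaces between value and unit, and unknown units, as the howto requires."""
    m = re.fullmatch(r"(\d+)(m|msec|s|sec)?", arg)
    if m is None:
        raise ValueError(f"invalid -d delay {arg!r}: use an integer, optionally "
                         "followed directly by m/msec or s/sec")
    return int(m.group(1)) * DIRECT_US_PER_SUFFIX[m.group(2) or ""]


def parse_mops_delay(value: str, unit: str = "msec") -> tuple:
    """Return the mops 'delay <value> [unit]' setting as (sec, nsec)."""
    if not value.isdigit():
        raise ValueError(f"delay value must be a non-negative integer, got {value!r}")
    if unit not in MOPS_NS_PER_UNIT:
        raise ValueError(f"unknown delay unit {unit!r}")
    return divmod(int(value) * MOPS_NS_PER_UNIT[unit], 10**9)


def mops_delay_message(value: str, unit: str = "msec") -> str:
    """Format the setting the way the CLI echoes it, e.g. for 'delay 1 msec':
    'Inter-packet delay set to 0 sec and 1000000 nsec'."""
    sec, nsec = parse_mops_delay(value, unit)
    return f"Inter-packet delay set to {sec} sec and {nsec} nsec"


if __name__ == "__main__":
    for arg in ("100", "100m", "50msec", "2s", "2.5s", "2 s"):
        try:
            print(f"-d {arg!r:8} -> {parse_direct_delay(arg)} usec")
        except ValueError as exc:
            print(f"-d {arg!r:8} -> rejected: {exc}")
    print(mops_delay_message("1", "msec"))
    print(mops_delay_message("15", "usec"))
```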
717 .SS Source and destination addresses:
719 As mnemonic trick keep in mind that all packets run from "A" to "B". You can
720 always specify source and/or destination MAC addresses using the \-a and \-b
721 options, respectively. These options also allow keywords such as rand, own,
722 bpdu, cisco, and others.
724 Similarly, you can specify source and destination IP addresses using the \-A
725 and \-B options, respectively. These options also support FQDNs (i.e. domain
726 names) and ranges such as 192.168.0.0/24 or 10.0.0.11-10.0.3.22. Additionally
727 (only) the source address supports the rand keyword (ideal for "attacks").
729 Note: When you use the packet builder for IP-based packets (e.g. UDP or TCP)
730 then mausezahn automatically cares about correct MAC and IP addresses (i.e.
731 it performs ARP, DHCP, and DNS for you). But when you specify at least a single
732 link-layer address (or any other L2 option such as a VLAN tag or MPLS header)
733 then ARP is disabled and you must care for the Ethernet destination address for
738 .SS `-- Direct link access:
740 mausezahn allows you to send ANY chain of bytes directly through your Ethernet
743 mausezahn eth0 "ff:ff:ff:ff:ff:ff ff:ff:ff:ff:ff:ff 00:00 ca:fe:ba:be"
745 This way you can craft every packet you want but you must do it by hand. Note:
746 On WiFi interfaces the header is much more complicated and automatically
747 created by the WiFi-driver. As an example to introduce some interesting options,
748 let's continuously send frames at max speed with random source MAC address and
749 broadcast destination address, additionally pad the frame to 1000 bytes:
751 mausezahn eth0 \-c 0 \-a rand \-b bcast \-p 1000 "08 00 aa bb cc dd"
753 The direct link access supports automatic padding using the \-p <total frame
754 length> option. This allows you to pad a raw L2 frame to the desired length.
755 You must specify the total length and the total frame length must have at
756 least 15 bytes for technical reasons. Zero bytes are used for this padding.
760 mausezahn provides a simple interface to the ARP packet. You can specify the
761 ARP method (request|reply) and up to four arguments: sendermac, targetmac,
762 senderip, targetip, or short smac, tmac, sip, tip. By default an ARP reply is
763 sent with your own interface addresses as source MAC and IP address, and a
764 broadcast destination MAC/IP address. Send a gratuitous ARP (as used for
765 duplicate IP detection):
767 mausezahn eth0 \-t arp
771 mausezahn eth0 \-t arp "reply, senderip=192.168.0.1, targetmac=00:00:0c:01:02:03, \\
772 targetip=172.16.1.50"
774 where by default your interface MAC address will be used as sendermac,
775 senderip denotes the spoofed IP, and targetmac and targetip identify the
776 receiver. By default the Ethernet source address is your interface MAC and the
777 destination address is broadcast. Of course you can change this using again the
782 mausezahn provides a simple interface to the 802.1d BPDU frame format (used to
783 create the Spanning Tree in bridged networks). By default standard IEEE 802.1d
784 (CST) BPDUs are sent and it is assumed that your computer wants to become the
785 root bridge (rid=bid). Optionally the 802.3 destination address can be a
786 specified MAC address, broadcast, own MAC, or Cisco's PVST+ MAC address. The
787 destination MAC can be specified using the \-b command which (besides MAC
788 addresses) accepts keywords such as bcast, own, pvst, or stp (default). Since
789 version 0.16 PVST+ is supported. Simply specify the VLAN for which you want
792 mausezahn eth0 \-t bpdu "vlan=123, rid=2000"
794 See mausezahn \-t bpdu help for more details.
798 mausezahn can send Cisco Discovery Protocol (CDP) messages since this protocol
799 has security relevance. Of course lots of dirty tricks are possible; for
800 example arbitrary TLVs can be created (using the hex-payload argument for
801 example p=00:0e:00:07:01:01:90) and if you want to stress the CDP database of
802 some device, mausezahn can send each CDP message with another system-id using
805 mausezahn \-t cdp change \-c 0
807 Some routers and switches may run into deep problems ;-) See
808 mausezahn \-t cdp help for more details.
810 .SS `-- 802.1Q VLAN Tags:
812 mausezahn allows simple VLAN tagging for IP (and other higher layer) packets.
813 Simply use the option \-Q <[CoS:]VLAN>, such as \-Q 10 or \-Q 3:921. By
814 default CoS=0. For example send a TCP packet in VLAN 500 using CoS=7:
816 mausezahn eth0 \-t tcp \-Q 7:500 "dp=80, flags=rst, p=aa:aa:aa"
818 You can create as many VLAN tags as you want! This is interesting to create
819 QinQ encapsulations or VLAN hopping: Send a UDP packet with VLAN tags 100
820 (outer) and 651 (inner):
822 mausezahn eth0 \-t udp "dp=8888, sp=13442" \-P "Mausezahn is great" \-Q 100,651
824 Don't know if this is useful anywhere but at least it is possible:
826 mausezahn eth0 \-t udp "dp=8888, sp=13442" \-P "Mausezahn is great" \\
827 \-Q 6:5,7:732,5:331,5,6
831 mausezahn eth0 \-t udp "dp=8888, sp=13442" \-P "Mausezahn is great" \-Q 100,651 \-M 314
833 Only in raw Layer 2 mode must you create the VLAN tag completely by yourself.
834 For example, if you want to send a frame in VLAN 5 using CoS 0, simply specify
835 81:00 as the type field and for the next two bytes the CoS, CFI, and VLAN values:
837 mausezahn eth0 \-b bc \-a rand "81:00 00:05 08:00 aa-aa-aa-aa-aa-aa-aa-aa-aa"
841 mausezahn allows you to insert one or more MPLS headers. Simply use the option
842 \-M <label:CoS:TTL:BoS> where only the label is mandatory. If you specify a
843 second number it is interpreted as the experimental bits (the CoS usually). If
844 you specify a third number it is interpreted as TTL. By default the TTL is
845 set to 255. The Bottom of Stack flag is set automatically (otherwise the frame
846 would be invalid) but if you want you can also set or unset it using the
847 S (set) and s (unset) argument. Note that the BoS must be the last argument in
848 each MPLS header definition. Here are some examples:
852 mausezahn eth0 \-M 214 \-t tcp "dp=80" \-P "HTTP..." \-B myhost.com
854 Use three labels (the 214 is now the outer):
856 mausezahn eth0 \-M 9999,51,214 \-t tcp "dp=80" \-P "HTTP..." \-B myhost.com
858 Use two labels, one with CoS=5 and TTL=1, the other with CoS=7:
860 mausezahn eth0 \-M 100:5:1,500:7 \-t tcp "dp=80" \-P "HTTP..." \-B myhost.com
862 Unset the BoS flag (which will result in an invalid frame):
864 mausezahn eth0 \-M 214:s \-t tcp "dp=80" \-P "HTTP..." \-B myhost.com
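The raw bytes behind the \-Q and \-M options, for the case where you build the frame yourself in direct link access mode as described above. This is an added example, not mausezahn's own code; it follows the option grammar given on this page (\-Q [CoS:]VLAN and \-M label[:CoS[:TTL]][:S|s], comma separated) and renders the result in the colon-separated hex notation the raw frame examples use.

```python
"""Encode the 802.1Q tags and MPLS label-stack entries that the -Q and -M
options build, as the raw bytes you must write yourself in direct link-access
mode. Added example, not mausezahn's own code; the option grammar follows the
page: -Q [CoS:]VLAN,... and -M label[:CoS[:TTL]][:S|s],..."""
import struct


def vlan_tag(vlan, cos=0, cfi=0):
    """One 802.1Q tag: TPID 0x8100, then TCI = PCP(3) | CFI/DEI(1) | VID(12)."""
    if not (0 <= vlan <= 4095 and 0 <= cos <= 7 and cfi in (0, 1)):
        raise ValueError("VLAN must be 0..4095, CoS 0..7, CFI 0 or 1")
    return struct.pack("!HH", 0x8100, (cos << 13) | (cfi << 12) | vlan)


def mpls_entry(label, cos=0, ttl=255, bos=True):
    """One MPLS label stack entry: label(20) | EXP/CoS(3) | S(1) | TTL(8)."""
    if not (0 <= label < 1 << 20 and 0 <= cos <= 7 and 0 <= ttl <= 255):
        raise ValueError("label must be 0..1048575, CoS 0..7, TTL 0..255")
    return struct.pack("!I", (label << 12) | (cos << 9) | (int(bos) << 8) | ttl)


def encode_q(spec):
    """'-Q' argument: comma-separated [CoS:]VLAN entries, first one outermost."""
    out = b""
    for item in spec.split(","):
        nums = [int(x) for x in item.split(":")]
        cos, vlan = (0, nums[0]) if len(nums) == 1 else (nums[0], nums[1])
        out += vlan_tag(vlan, cos)
    return out


def encode_m(spec):
    """'-M' argument: comma-separated label[:CoS[:TTL]] entries. The Bottom of
    Stack flag is set on the last entry automatically; a trailing S/s forces it
    on/off (unsetting it yields the invalid frame the page warns about)."""
    entries = [item.split(":") for item in spec.split(",")]
    out = b""
    for i, fields in enumerate(entries):
        flag = fields.pop() if fields[-1] in ("S", "s") else None
        nums = [int(x) for x in fields]
        nums += [0, 255][len(nums) - 1:]          # defaults for missing CoS, TTL
        bos = (i == len(entries) - 1) if flag is None else flag == "S"
        out += mpls_entry(nums[0], nums[1], nums[2], bos)
    return out


def mz_hex(raw):
    """Render bytes the way the page writes raw L2 frames, e.g. '81:00 00:05'."""
    return ":".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    print(mz_hex(encode_q("5")))             # 81:00:00:05, as in the page's raw frame
    print(mz_hex(encode_q("7:500")))         # the -Q 7:500 tag of the TCP example
    print(mz_hex(encode_m("100:5:1,500:7")))  # two labels, CoS 5/TTL 1 and CoS 7
```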
868 IP, UDP, and TCP packets can be padded using the \-p option. Currently 0x42 is
869 used as padding byte ('the answer'). You cannot pad DNS packets (would be
874 mausezahn allows you to send any (malformed or correct) IP packet. Every field
875 in the IP header can be manipulated. The IP addresses can be specified via
876 the \-A and \-B options, denoting the source and destination address,
877 respectively. You can also specify an address range or a host name (FQDN).
878 Additionally, the source address can also be random. By default the source
879 address is your interface IP address and the destination address is a
880 broadcast. Here are some examples:
884 mausezahn eth0 \-t ip \-A rand \-B 192.168.1.0/24 \-P "hello world"
888 mausezahn eth0 \-t ip \-A 10.1.0.1-10.1.255.254 \-B 255.255.255.255 p=ca:fe:ba:be
890 Will use correct source IP address:
892 mausezahn eth0 \-t ip \-B www.xyz.com
894 The Type of Service (ToS) byte can either be specified directly by two
895 hexadecimal digits (which means you can also easily set the Explicit
896 Congestion Notification (ECN) bits, LSB 1 and 2), or you may only want to
897 specify a common DSCP value (bits 3-8) using a decimal number (0..63):
899 Packet sent with DSCP = Expedited Forwarding (EF):
901 mausezahn eth0 \-t ip dscp=46,ttl=1,proto=1,p=08:00:5a:a2:de:ad:be:af
903 If you leave the checksum zero (or unspecified) the correct checksum will
904 be automatically computed. Note that you can only use a wrong checksum when
905 you also specify at least one L2 field manually.
909 mausezahn supports easy UDP datagram generation. Simply specify the
910 destination address (\-B option) and optionally an arbitrary source address
911 (\-A option) and as arguments you may specify the port numbers using the
912 dp (destination port) and sp (source port) arguments and a payload. You can
913 also easily specify a whole port range which will result in sending multiple
914 packets. Here are some examples:
916 Send test packets to the RTP port range:
918 mausezahn eth0 \-B 192.168.1.1 \-t udp "dp=16384-32767, \\
919 p=A1:00:CC:00:00:AB:CD:EE:EE:DD:DD:00"
921 Send a DNS request as local broadcast (often a local router replies):
923 mausezahn eth0 \-t udp "dp=53,p=c5-2f-01-00-00-01-00-00-00-00-00-00-03-77-77-\\
924 77-03-78-79-7a-03-63-6f-6d-00-00-01-00-01"
926 Additionally you may specify the length and checksum using the len and sum
927 arguments (they will be set correctly by default). Note: several protocols have the same
928 arguments, such as len (length) and sum (checksum). If you specified a udp type
929 packet (via \-t udp) and want to modify the IP length, then use the alternate
930 keywords iplen and ipsum. Also note that you must specify at least one L2 field
931 which tells mausezahn to build everything without help of your kernel (the
932 kernel would not allow modifying the IP checksum and the IP length).
936 mausezahn currently only supports the following ICMP methods: PING (echo
937 request), Redirect (various types), Unreachable (various types). Additional
938 ICMP types will be supported in the future. Currently you would need to tailor them
939 on your own, e.g. using the IP packet builder (setting proto=1). Use
940 mausezahn \-t icmp help for help on the currently implemented options.
944 mausezahn allows you to easily tailor any TCP packet. As with UDP you
945 can specify source and destination port (ranges) using the sp and dp arguments.
946 Then you can directly specify the desired flags using an "|" as delimiter if
947 you want to specify multiple flags. For example, a SYN-Flood attack against
948 host 1.1.1.1 using a random source IP address and periodically using all 1023
949 well-known ports could be created via:
951 mausezahn eth0 \-A rand \-B 1.1.1.1 \-c 0 \-t tcp "dp=1-1023, flags=syn" \\
952 \-P "Good morning! This is a SYN Flood Attack. \\
953 We apologize for any inconvenience."
955 Be careful with such SYN floods and only use them for firewall testing. Check
956 your legal position! Remember that a host with an open TCP session only accepts
957 packets with correct socket information (addresses and ports) and a valid TCP
958 sequence number (SQNR). If you want to try a DoS attack by sending a RST-flood
959 and you do NOT know the target's initial SQNR (which is normally the case) then
960 you may want to sweep through a range of sequence numbers:
962 mausezahn eth0 \-A legal.host.com \-B target.host.com \\
963 \-t tcp "sp=80,dp=80,s=1-4294967295"
965 Fortunately, the SQNR only has to fall within the target host's acknowledgement number plus
966 the announced window size. Since the typical window size is something between
967 40000 and 65535 you are MUCH quicker when using an increment via the ds
970 mausezahn eth0 \-A legal.host.com \-B target.host.com \\
971 \-t tcp "sp=80, dp=80, s=1-4294967295, ds=40000"
973 In the latter case mausezahn will only send 107375 packets instead of
974 4294967295 (which results in a duration of approximately 1 second compared to
975 11 hours!). Of course you can tailor any TCP packet you like. As with other L4
976 protocols mausezahn builds a correct IP header but you can additionally access
977 every field in the IP packet (also in the Ethernet frame).
981 mausezahn supports UDP-based DNS requests or responses. Typically you may want
982 to send a query or an answer. As usual you can modify every flag in the header.
983 Here is an example of a simple query:
985 mausezahn eth0 \-B mydns-server.com \-t dns "q=www.ibm.com"
987 You can also create server-type messages:
989 mausezahn eth0 \-A spoofed.dns-server.com \-B target.host.com \\
990 "q=www.topsecret.com, a=172.16.1.1"
992 The syntax according to the online help (\-t dns help) is:
994 query|q = <name>[:<type>] ............. where type is per default "A"
995 (and class is always "IN")
996 answer|a = [<type>:<ttl>:]<rdata> ...... ttl is per default 0.
997 = [<type>:<ttl>:]<rdata>/[<type>:<ttl>:]<rdata>/...
999 Note: If you only use the 'query' option then a query is sent. If you
1000 additionally add an 'answer' then an answer is sent. Examples:
1003 q = www.xyz.com, a=192.168.1.10
1004 q = www.xyz.com, a=A:3600:192.168.1.10
1005 q = www.xyz.com, a=CNAME:3600:abc.com/A:3600:192.168.1.10
1007 Please try out mausezahn \-t dns help to see the many other optional command
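The hex payload of the UDP example above (dp=53, p=c5-2f-01-00-...) is a complete DNS query, the same message \-t dns "q=<name>[:<type>]" assembles for you. The following is an added example, not mausezahn's own code, that builds such a query from the page's q= syntax, renders it in mausezahn's dash-separated hex notation, and decodes it again; the transaction ID 0xc52f is the one from the page's command line.

```python
"""Build and decode the raw DNS query carried as hex payload in the page's
'-t udp dp=53' example; the same bytes are what '-t dns q=<name>[:<type>]'
produces for you. Added example, not mausezahn's own code."""
import struct

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "TXT": 16, "AAAA": 28}
QTYPE_NAMES = {v: k for k, v in QTYPES.items()}


def dns_query(qspec, txid, rd=True):
    """qspec follows the page's query syntax <name>[:<type>], type 'A' by
    default and class always IN. Returns the wire bytes of the query."""
    name, _, qtype = qspec.partition(":")
    qtype = qtype.upper() or "A"
    flags = 0x0100 if rd else 0x0000            # QR=0, opcode 0, RD set
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QD=1, AN=NS=AR=0
    qname = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes")
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)


def to_mz_hex(payload):
    """Render bytes as mausezahn's hex-string argument (dash separated)."""
    return "-".join(f"{b:02x}" for b in payload)


def from_mz_hex(text):
    """Parse a mausezahn hex string; both '-' and ':' separators are accepted."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def parse_dns(payload):
    """Decode the header and the first question of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    labels, pos = [], 12
    while payload[pos] != 0:
        n = payload[pos]
        if n & 0xC0:   # name compression never appears in the question of a query
            raise ValueError("compressed label in question section")
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", payload[pos + 1:pos + 5])
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "rd": bool(flags & 0x0100), "qdcount": qd, "ancount": an,
            "name": ".".join(labels), "qtype": QTYPE_NAMES.get(qtype, qtype),
            "qclass": qclass}


if __name__ == "__main__":
    wire = dns_query("www.xyz.com", 0xC52F)
    print(to_mz_hex(wire))      # the hex payload from the page's UDP example
    print(parse_dns(wire))
```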
1010 .SS `-- RTP and VoIP path measurements:
1012 mausezahn can send arbitrary Real Time Protocol (RTP) packets. By default a
1013 classical G.711 codec (20 ms segment size, 160 bytes) is assumed. You can
1014 measure jitter, packet loss and reordering along a path between two hosts
1015 running mausezahn. The jitter measurement is either done following the variance
1016 low-pass filtered estimation specified in RFC 3550 or using an alternative
1017 "real-time" method which is even more precise (the RFC-method is used by
1018 default). For example on Host1 you start a transmission process:
1020 mausezahn \-t rtp \-B 192.168.1.19
1022 And on Host2 (192.168.1.19) a receiving process which performs the measurement:
1026 Note that the option flag with the capital "T" means that it is a server RTP
1027 process, waiting for incoming RTP packets from any mausezahn source. In case
1028 you want to restrict the measurement to a specific source or you want to
1029 perform a bidirectional measurement, you must specify a stream identifier.
1030 Here is an example for bidirectional measurements which logs the running
1031 jitter average in a file:
1033 Host1# mausezahn \-t rtp id=11:11:11:11 \-B 192.168.2.2 &
1034 Host1# mausezahn \-T rtp id=22:22:22:22 "log, path=/tmp/mz/"
1036 Host2# mausezahn \-t rtp id=22:22:22:22 \-B 192.168.1.1 &
1037 Host2# mausezahn \-T rtp id=11:11:11:11 "log, path=/tmp/mz/"
1039 In any case the measurements are printed continuously onto the screen; by
1040 default it looks like this:
1043 |-------------------------|-------------------------|-------------------------|
1045 #################### 0.14 msec
1051 ############# 0.10 msec
1053 ########################################### 0.31 msec
1055 ############################################## 0.33 msec
1056 ############### 0.11 msec
1057 ########## 0.07 msec
1058 ############### 0.11 msec
1059 ########################################################## 0.42 msec
1062 More information is shown using the txt keyword:
1064 mausezahn \-T rtp txt
1065 Got 100 packets from host 192.168.0.3: 0 lost (0 absolute lost), 1 out of order
1066 Jitter_RFC (low pass filtered) = 30 usec
1067 Samples jitter (min/avg/max) = 1/186/2527 usec
1068 Delta-RX (min/avg/max) = 2010/20167/24805 usec
1069 Got 100 packets from host 192.168.0.3: 0 lost (0 absolute lost), 1 out of order
1070 Jitter_RFC (low pass filtered) = 17 usec
1071 Samples jitter (min/avg/max) = 1/53/192 usec
1072 Delta-RX (min/avg/max) = 20001/20376/20574 usec
1073 Got 100 packets from host 192.168.0.3: 0 lost (0 absolute lost), 1 out of order
1074 Jitter_RFC (low pass filtered) = 120 usec
1075 Samples jitter (min/avg/max) = 0/91/1683 usec
1076 Delta-RX (min/avg/max) = 18673/20378/24822 usec
1078 See mausezahn \-t rtp help and mz \-T rtp help for more details.
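The quantities in the txt output above (lost and out-of-order packets, the RFC 3550 low-pass filtered jitter, per-sample jitter and Delta-RX) can be reproduced from a receive log as follows. This is an added example, not mausezahn's own code; it assumes the 20 ms G.711 pacing the page names as the default, so the nominal send time of packet n is n * 20000 usec, and the arrival records are constructed.

```python
"""Receiver-side RTP path measurement in the spirit of the page's '-T rtp'
output: packet loss, reordering, inter-arrival times and the RFC 3550
low-pass filtered interarrival jitter. Added example, not mausezahn's own code;
the arrival records below are constructed."""

G711_FRAME_US = 20_000   # mausezahn's default G.711 stream: one packet per 20 ms


def rtp_stats(arrivals, frame_us=G711_FRAME_US):
    """arrivals: (rtp_sequence_number, receive_time_us) in the order received.
    The nominal send time of packet n is taken as n * frame_us, which holds for
    a constant-rate sender such as 'mausezahn -t rtp'. All results are in usec."""
    jitter = 0.0      # J of RFC 3550 section 6.4.1
    samples = []      # |D(i-1, i)|, the transit-time change per packet
    deltas = []       # inter-arrival times at the receiver
    out_of_order = 0
    prev = None
    for seq, rx in arrivals:
        if prev is not None:
            pseq, prx = prev
            if seq < pseq:
                out_of_order += 1
            delta_rx = rx - prx
            # D(i,j) = (Rj - Ri) - (Sj - Si), with S the nominal send time
            d = delta_rx - (seq - pseq) * frame_us
            deltas.append(delta_rx)
            samples.append(abs(d))
            jitter += (abs(d) - jitter) / 16    # J = J + (|D(i-1,i)| - J) / 16
        prev = (seq, rx)
    seqs = {seq for seq, _ in arrivals}
    lost = (max(seqs) - min(seqs) + 1) - len(seqs) if seqs else 0

    def mam(xs):      # (min, avg, max), like the page's "min/avg/max" lines
        return (min(xs), sum(xs) / len(xs), max(xs)) if xs else (0, 0.0, 0)

    return {"received": len(arrivals), "lost": lost, "out_of_order": out_of_order,
            "jitter_rfc_us": jitter, "samples_jitter_us": mam(samples),
            "delta_rx_us": mam(deltas)}


if __name__ == "__main__":
    # Constructed receive log: 20 ms stream with a few tens of usec of wobble
    log = [(0, 0), (1, 20_010), (2, 40_005), (3, 60_040), (4, 80_000)]
    s = rtp_stats(log)
    print(f"Got {s['received']} packets: {s['lost']} lost, {s['out_of_order']} out of order")
    print(f"Jitter_RFC (low pass filtered) = {s['jitter_rfc_us']:.0f} usec")
    print("Samples jitter (min/avg/max) = %d/%d/%d usec" % s["samples_jitter_us"])
    print("Delta-RX (min/avg/max) = %d/%d/%d usec" % s["delta_rx_us"])
```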
1082 The traditional Syslog protocol is widely used even in professional networks
1083 and is sometimes vulnerable. For example you might insert forged Syslog
1084 messages by spoofing your source address (e.g. impersonate the address of a
1085 legitimate network device):
1087 mausezahn \-t syslog sev=3 \-P "You have been mausezahned." \-A 10.1.1.109 \-B 192.168.7.7
1089 See mausezahn \-t syslog help for more details.
1093 When multiple ranges are specified, e.g. destination port ranges and
1094 destination address ranges, then all possible combinations of ports and
1095 addresses are used for packet generation. Furthermore, this can be mixed with
1096 other ranges, e.g. a TCP sequence number range. Note that combining ranges
1097 can lead to a huge number of frames being sent. As a rule of thumb you
1098 can assume that about 100,000 frames or more are sent in a fraction of one
1099 second, depending on your network interface.
1101 mausezahn has been designed as a fast traffic generator so you might easily
1102 overwhelm a LAN segment with myriads of packets. And because mausezahn should
1103 also support security audits it is also possible to create malicious or
1104 invalid packets, SYN floods, port and address sweeps, DNS and ARP poisoning,
1107 Therefore, don't use this tool when you are not aware of the possible consequences
1108 or have little knowledge about networks and data communication. If you
1109 abuse mausezahn for 'unallowed' attacks and get caught, or damage something of
1110 your own, then this is completely your fault. So the safest solution is to try
1111 it out in a lab environment.
1113 Also have a look at the netsniff-ng(8) note section on how you can properly
1114 set up and tune your system.
1117 mausezahn is licensed under the GNU GPL version 2.0.
1121 was originally written by Herbert Haas. According to his website [1], he
1122 unfortunately passed away in 2011, which left this tool unmaintained as well.
1123 It has been adopted and integrated into the netsniff-ng toolkit and is further
1124 being maintained and developed from there. Maintainers are Tobias Klauser
1125 <tklauser@distanz.ch> and Daniel Borkmann <dborkma@tik.ee.ethz.ch>.
1127 [1] http://www.perihel.at/
1130 .BR netsniff-ng (8),
1135 .BR astraceroute (8),
1139 Manpage was written by Herbert Haas and modified by Daniel Borkmann.