mausezahn (1) - Linux Man Pages


mausezahn - a fast versatile packet generator


mausezahn [options] <arg_string> | <hex_string>


Mausezahn is a free, fast traffic generator written in C which allows you to send nearly every possible and impossible packet.
Mausezahn can also be used, for example, as a didactical tool in network labs or for security audits including penetration and DoS testing. As a traffic generator Mausezahn is used, for example, to test IP multicast or VoIP networks. Speeds close to the Ethernet limit are reachable (depending on the HW platform).


Mausezahn supports two modes, raw-layer-2 mode, where every single byte to be sent can be specified, and higher-layer mode, where packet builder interfaces are used (using the -t option).
To use the raw-layer-2 mode, simply specify the desired frame as a hexadecimal sequence (the hex_string), such as

mausezahn eth0 "00:ab:cd:ef:00 00:00:00:00:00:01 08:00 ca:fe:ba:be"

The spaces within the byte string are optional and separate the Ethernet fields (destination and source address, type field, and a short payload). The only additional options supported are -a, -b, -c, and -p. The frame length MUST be greater than or equal to 15 bytes.
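Because the spaces are optional, the fields of a raw frame are determined by byte position alone. The following checker is an added example (not part of Mausezahn or of the original page) that splits a hex_string the way a receiver would and reports groups whose size does not match the field; it assumes spaces and colons are the only separators, and it shows that the sample frame above, whose first group has five octets, is read with shifted fields.

```python
import re

MIN_FRAME_LEN = 15  # minimum raw frame length stated on this page

# Copied from the page's raw-layer-2 example; its first group has five octets.
PAGE_EXAMPLE = "00:ab:cd:ef:00 00:00:00:00:00:01 08:00 ca:fe:ba:be"
# Constructed variant with a six-octet destination address.
SIX_OCTET_EXAMPLE = "00:ab:cd:ef:00:02 00:00:00:00:00:01 08:00 ca:fe:ba:be"


def to_bytes(text):
    """Strip the optional separators (assumed: spaces and colons) and decode."""
    digits = re.sub(r"[\s:]", "", text)
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", digits):
        raise ValueError("expected a whole number of hex bytes")
    return bytes.fromhex(digits)


def parse_raw_frame(hex_string):
    """Split a hex_string into Ethernet fields purely by byte position."""
    frame = to_bytes(hex_string)
    if len(frame) < MIN_FRAME_LEN:
        raise ValueError(f"frame is {len(frame)} bytes, need {MIN_FRAME_LEN}")
    return {
        "dst": frame[0:6].hex(":"),
        "src": frame[6:12].hex(":"),
        "ethertype": frame[12:14].hex(),
        "payload": frame[14:].hex(":"),
        "length": len(frame),
    }


def misgrouped_fields(hex_string):
    """Name the space-separated groups whose size is not the field size."""
    sizes = [("dst", 6), ("src", 6), ("ethertype", 2)]
    groups = hex_string.split()
    return [name for (name, size), group in zip(sizes, groups)
            if len(to_bytes(group)) != size]


if __name__ == "__main__":
    for sample in (SIX_OCTET_EXAMPLE, PAGE_EXAMPLE):
        print(misgrouped_fields(sample), parse_raw_frame(sample))
```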
The higher-layer mode is enabled using the -t <packet_type> option. This option activates a packet builder and besides the packet_type an optional arg_string can be specified. The arg_string contains packet-specific parameters, such as TCP flags, port numbers, etc.

Note that Mausezahn requires root privileges. Please see the Mausezahn User's Guide for more details or use Mausezahn's command line help.


Mausezahn has a built-in context specific help. Simply append the keyword help to the configuration options.
The most important options are:
-v
Verbose mode.
-q
Quiet mode (only warnings and errors are displayed).
-c <count>
Send the packet count times (default: 1, infinite: 0).
-d <delay>
Apply delay between transmissions. The delay value can be specified in usec (default, no additional unit needed), or in msec (e. g. 100m or 100msec), or in seconds (e. g. 100s or 100sec).
-p <length>
Pad the raw frame to specified length (using zero bytes). Note that for raw layer 2 frames the specified length defines the whole frame length, while for higher layer packets the number of additional padding bytes is specified.
-a <Src_MAC|keyword>
Use specified source MAC address (use hex notation such as 00:00:aa:bb:cc:dd). By default the interface MAC address will be used. The keywords rand and own refer to a random MAC address (only unicast addresses are created) and the own address, respectively. You can also use the keywords mentioned below (although broadcast-type source addresses are officially invalid).
-b <Dst_MAC|keyword>
Use specified destination MAC address. By default a broadcast is sent in raw layer 2 mode or the destination host's/gateway's interface MAC address in normal (IP) mode. You can use the same keywords as mentioned above as well as bc (or bcast), cisco, and stp. Please note that for the destination MAC address the rand keyword is supported but creates a random address only once, even when you send multiple packets.
-A <Src_IP|range|rand>
Use specified source IP address (default is own interface IP). Optionally the keyword rand can again be used for a random source IP address or a range can be specified, such as or Also a DNS name can be specified for which Mausezahn tries to determine the corresponding IP address automatically.
-B <Dst_IP|range>
Use specified destination IP address (default is broadcast i. e. As with the source address (see above) you can also specify a range or a DNS name.
-t <packet_type>
Create the specified packet type using the built-in packet builder. Currently supported packet types are: arp, bpdu, ip, udp, tcp, rtp, and dns. There is currently also a limited support for ICMP. Enter -t help to verify which packet builders your actual Mausezahn version supports. Also, for any particular packet type, for example tcp enter mausezahn -t tcp help to receive a context specific help.
-T <packet_type>
Make this Mausezahn instance the receiving station. Currently (version 0.30) only rtp is an option here and provides precise jitter measurements. For this purpose start another Mausezahn instance on the sending station and the local receiving station will output jitter statistics. See mausezahn -T rtp help for a detailed help.
-Q <[CoS:]vlan> [, <[CoS:]vlan>, ...]
Specify 802.1Q VLAN tag and optional Class of Service. An arbitrary number of VLAN tags can be specified (that is you can simulate QinQ or even QinQinQinQ...). Multiple tags must be separated via a comma or a period (e. g. "5:10,20,2:30"). VLAN tags are not supported for ARP and BPDU packets (in which case you could specify the whole frame in hex using the raw layer 2 interface of Mausezahn).
-M <label[:cos[:ttl]][bos]> [, <label...>]
Specify an MPLS label or even an MPLS label stack. Optionally for each label the experimental bits (usually the Class of Service, CoS) and the Time To Live (TTL) can be specified. And if you are really crazy you can set/unset the Bottom of Stack (BoS) bit at each label using the S (set) and s (unset) option. By default the BoS is set automatically and correctly. Any other setting will lead to invalid frames. Enter -M help for detailed instructions and examples.
-P <ASCII_payload>
Specify a cleartext payload. Alternatively each packet type supports a hexadecimal specification of the payload (see for example -t udp help).


When multiple ranges are specified, e. g. destination port ranges AND destination address ranges, then all possible combinations of ports and addresses are used for packet generation. This can lead to a very large number of frames.


Mausezahn has been designed as a fast traffic generator, so you can quickly overwhelm a LAN segment with myriads of packets. And because Mausezahn should also support security audits it is easily possible to create malicious packets, SYN floods, specify port and address ranges, DNS and ARP poisoning, etc.
Therefore, don't use this tool when you are not aware of possible consequences or have only little knowledge about networks and data communication. If you abuse Mausezahn for unallowed attacks and get caught, or damage something of your own, then this is completely your fault.


Send BPDU frames for VLAN 5 as used with Cisco's PVST+ type of STP. Per default Mausezahn assumes that you want to become the root bridge:

# mausezahn eth0 -c 0 -d 2s -t bpdu vlan=5

Perform a CAM table overflow attack:

# mausezahn eth0 -c 128000 -a rand -p 64
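Seen from the switch, this traffic shows up as a burst of never-before-seen source MAC addresses on a single port. The detector below is an added example (not part of Mausezahn or of the original page) that counts first-seen source MACs per port and time window; the record format, the port names, the one-second window and the threshold of 50 are assumptions, and the sample records are constructed.

```python
from collections import defaultdict


def non_unicast_source(mac):
    """True if the I/G bit (lowest bit of the first octet) marks a group address."""
    return int(mac.split(":")[0], 16) & 1 == 1


def mac_churn_alerts(records, window=1.0, max_new_macs=50):
    """Flag (port, window_start, count) where first-seen source MACs exceed the limit.

    records: iterable of (timestamp_seconds, port, src_mac) tuples.
    """
    seen = defaultdict(set)            # port -> source MACs already learned
    new_per_window = defaultdict(int)  # (port, window index) -> first-seen MACs
    for ts, port, mac in sorted(records):
        if mac not in seen[port]:
            seen[port].add(mac)
            new_per_window[(port, int(ts // window))] += 1
    return sorted((port, index * window, count)
                  for (port, index), count in new_per_window.items()
                  if count > max_new_macs)


def constructed_records():
    """Constructed sample: three steady hosts on one port, 500 new MACs on another."""
    records = []
    for second in range(3):
        for host in range(3):
            records.append((float(second), "port1", f"00:11:22:33:44:0{host}"))
    for i in range(500):
        # Locally administered unicast addresses, one new address per frame.
        records.append((1.0 + i * 0.001, "port2",
                        f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"))
    return records


if __name__ == "__main__":
    print(mac_churn_alerts(constructed_records()))
```

The same per-port limit is what switch port security enforces in hardware by capping the number of source MACs learned on an access port.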

Perform a SYN flood attack to another VLAN using a VLAN hopping attack. This only works if you are connected to the same VLAN which is configured as native VLAN on the trunk. We assume that the victim VLAN is VLAN 100 and the native VLAN is VLAN 5. Also let's attack every host in VLAN 100 that uses an IP prefix of

# mausezahn eth0 -c 0 -Q 5,100 -t tcp flags=syn -p 20
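A frame built with -Q 5,100 carries two stacked 802.1Q tags, with the native VLAN as the outer one, and that is what a monitor on the access side can look for. The parser below is an added example (not part of Mausezahn or of the original page) that reads the tag stack from raw frame bytes and flags such frames; it assumes every tag uses TPID 0x8100, and the MAC addresses and test frames are constructed.

```python
import re
import struct

TPID_8021Q = 0x8100  # assumed tag protocol identifier for every stacked tag


def tags_from_q(spec):
    """Parse a -Q style string: '[CoS:]vlan' items separated by ',' or '.'."""
    tags = []
    for item in re.split(r"[,.]", spec):
        cos, _, vlan = item.strip().rpartition(":")
        cos, vlan = int(cos or 0), int(vlan)
        if not (0 <= cos <= 7 and 0 <= vlan <= 4095):
            raise ValueError(f"CoS or VLAN ID out of range in {item!r}")
        tags.append((cos, vlan))
    return tags


def vlan_stack(frame):
    """Return ([(cos, vlan_id), ...], inner_ethertype) for one Ethernet frame."""
    tags, offset = [], 12  # skip destination and source MAC
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID_8021Q:
            return tags, ethertype
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((tci >> 13, tci & 0x0FFF))  # PCP is the top 3 bits, VID the low 12
        offset += 4


def double_tag_alert(frame, native_vlan):
    """True when a frame has two or more tags and the outer one is the native VLAN."""
    tags, _ = vlan_stack(frame)
    return len(tags) >= 2 and tags[0][1] == native_vlan


def constructed_frame(q_spec, ethertype=0x0800, payload=b"\x00" * 20):
    """Constructed test frame: placeholder MACs, tags from q_spec, zero payload."""
    header = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    for cos, vlan in tags_from_q(q_spec):
        header += struct.pack("!HH", TPID_8021Q, (cos << 13) | vlan)
    return header + struct.pack("!H", ethertype) + payload
```

Since the technique depends on the sender sitting in the trunk's native VLAN, keeping the native VLAN off all access ports removes the condition the alert checks for.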

Send IP multicast packets to the multicast group using a UDP header with destination port 32000. Send one frame every 10 msec:

# mausezahn eth0 -c 0 -d 10msec -B -t udp dp=32000 -P "Multicast test packet"

Send UDP packets to the destination host using all possible destination ports and send every packet with all possible source addresses of the range; pad with 1000 bytes and repeat this 10 times:

# mausezahn eth0 -c 10 -A -B -t udp dp=1-65535 -p 1000


Herbert Haas
Visit for Mausezahn news and additional information.

This manual page has been written by Vivek Shah <boni.vivek at> for the Fedora project.