NAME
mz - a fast versatile packet generator
SYNOPSIS
mz [options] <arg_string> | <hex_string>
DESCRIPTION
Mausezahn is a free fast traffic generator written in C which allows
you to send nearly every possible and impossible packet.
Mausezahn can also be used, for example, as a didactical tool in network
labs or for security audits including penetration and DoS testing. As a
traffic generator, Mausezahn is used, for example, to test IP multicast or
VoIP networks. Speeds close to the Ethernet limit are reachable
(depending on the hardware platform, especially the quality of the
network interface card).
USAGE
Mausezahn supports two modes, direct mode and a multi-threaded
interactive mode.
The direct mode allows you to create a packet directly on the
Linux/UN*X shell and every packet parameter is specified in the
argument list when calling Mausezahn.
The interactive mode is an advanced multi-threaded configuration mode
with its own command line interface (CLI). This mode allows you to
create an arbitrary number of packet types and streams in parallel,
each with different parameters. The interactive mode utilizes a
completely redesigned and more flexible protocol framework called MOPS
(Mausezahn’s Own Packet System). The look and feel of the CLI is very
similar to the Cisco IOS(tm) command line. You can start the
interactive mode by executing Mausezahn with the -x argument (an
optional port number may follow, otherwise it is 25542). Then use
Telnet to connect to this Mausezahn instance (the default login expects
the user ’mz’ with password ’mz’, and enable password ’mops’; you can
change this in /etc/mausezahn/mz.cfg). More information about the
interactive mode and MOPS is provided on the Mausezahn website.
The direct mode supports two specification schemes: the raw-layer-2
scheme, where every single byte to be sent can be specified, and the
higher-layer scheme, where packet builder interfaces are used (using
the -t option).
To use the raw-layer-2 scheme, simply specify the desired frame as a
hexadecimal sequence (the hex_string), such as
mz eth0 "00:ab:cd:ef:00 00:00:00:00:00:01 08:00 ca:fe:ba:be"
In this example, the spaces within the byte string are optional and
separate the Ethernet fields (destination and source address, type
field, and a short payload). The only additional options supported are
-a, -b, -c, and -p. The frame length MUST be greater than or equal to
15 bytes.
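A check for a raw-layer-2 hex_string before it is handed to mz, added here as an example (Python, not part of the Mausezahn distribution; the function names are made up for it). It assumes colons and whitespace are both plain separators, so the fields are decided by byte offset and not by where the spaces sit; run on the frame shown above, it reports that the first group holds only five octets.

```python
import re

MIN_FRAME_LEN = 15  # minimum frame length stated on this page
PAGE_EXAMPLE = "00:ab:cd:ef:00 00:00:00:00:00:01 08:00 ca:fe:ba:be"


def parse_hex_string(hex_string):
    """Decode a hex_string into bytes. Colons and whitespace are treated as
    separators (an assumption: the page only says the spaces are optional)."""
    digits = re.sub(r"[:\s]", "", hex_string)
    if not re.fullmatch(r"[0-9a-fA-F]+", digits) or len(digits) % 2:
        raise ValueError("frame must be an even number of hex digits")
    frame = bytes.fromhex(digits)
    if len(frame) < MIN_FRAME_LEN:
        raise ValueError(f"frame is {len(frame)} bytes, minimum is {MIN_FRAME_LEN}")
    return frame


def split_ethernet(frame):
    """Split by byte offset, which is how a receiver reads the frame."""
    return {
        "dst": frame[0:6].hex(":"),
        "src": frame[6:12].hex(":"),
        "ethertype": int.from_bytes(frame[12:14], "big"),
        "payload": frame[14:],
    }


def group_mismatches(hex_string, expected=(("dst", 6), ("src", 6), ("ethertype", 2))):
    """Compare the space-separated groups as typed with the Ethernet field sizes."""
    problems = []
    for (name, want), group in zip(expected, hex_string.split()):
        got = len(re.sub(r"[:\s]", "", group)) // 2
        if got != want:
            problems.append(f"{name}: {got} bytes typed, {want} expected")
    return problems


if __name__ == "__main__":
    print(split_ethernet(parse_hex_string(PAGE_EXAMPLE)))
    print(group_mismatches(PAGE_EXAMPLE))
```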
The higher-layer scheme is enabled using the -t <packet_type> option.
This option activates a packet builder and besides the packet_type an
optional arg_string can be specified. The arg_string contains packet-
specific parameters, such as TCP flags, port numbers, etc; see the
EXAMPLES below.
Note that Mausezahn requires root privileges. Please see the Mausezahn
User’s Guide for more details or use Mausezahn’s command line help.
OPTIONS
Mausezahn provides a built-in context-specific help. Simply append the
keyword help to the configuration options.
The most important options are:
-v Verbose mode. Capital -V is even more verbose.
-S Simulation mode, i. e. don’t put anything on the wire. This is
typically combined with the verbose mode.
-q Quiet mode (only warnings and errors are displayed).
-c <count>
Send the packet count times (default: 1, infinite: 0).
-d <delay>
Apply delay between transmissions. The delay value can be
specified in usec (default, no additional unit needed), or in
msec (e. g. 100m or 100msec), or in seconds (e. g. 100s or
100sec). Note: MOPS also supports nanosecond delay granularity
if you need it (see: interactive mode).
-p <length>
Pad the raw frame to specified length (using zero bytes). Note
that for raw layer 2 frames the specified length defines the
whole frame length, while for higher layer packets the number of
additional padding bytes is specified.
-a <Src_MAC|keyword>
Use specified source MAC address (use hex notation such as
00:00:aa:bb:cc:dd). By default the interface MAC address will
be used. The keywords rand and own refer to a random MAC address
(only unicast addresses are created) and the own address,
respectively. You can also use the keywords mentioned below
(although broadcast-type source addresses are officially
invalid).
-b <Dst_MAC|keyword>
Use specified destination MAC address. By default a broadcast
is sent in raw layer 2 mode or the destination host's/gateway's
interface MAC address in normal (IP) mode. You can use the same
keywords as mentioned above as well as bc (or bcast), cisco, and
stp. Please note that for the destination MAC address the rand
keyword is supported but creates a random address only once,
even when you send multiple packets.
-A <Src_IP|range|rand>
Use specified source IP address (default is own interface IP).
Optionally the keyword rand can again be used for a random
source IP address or a range can be specified, such as
192.168.1.1-192.168.1.100 or 10.1.0.0/16. Also a DNS name can be
specified for which Mausezahn tries to determine the
corresponding IP address automatically.
-B <Dst_IP|range>
Use specified destination IP address (default is broadcast i. e.
255.255.255.255). As with the source address (see above) you can
also specify a range or a DNS name.
-t <packet_type>
Create the specified packet type using the built-in packet
builder. Currently supported packet types are: arp, bpdu, ip,
udp, tcp, rtp, and dns. There is currently also limited
support for ICMP. Enter -t help to verify which packet builders
your Mausezahn version supports. Also, for any particular
packet type, for example tcp, enter mz -t tcp help to receive
context-specific help.
-T <packet_type>
Make this Mausezahn instance the receiving station. Currently
(version 0.30) only rtp is an option here and provides precise
jitter measurements. For this purpose start another Mausezahn
instance on the sending station and the local receiving station
will output jitter statistics. See mz -T rtp help for detailed
help.
-Q <[CoS:]vlan> [, <[CoS:]vlan>, ...]
Specify 802.1Q VLAN tag and optional Class of Service. An
arbitrary number of VLAN tags can be specified (that is you can
simulate QinQ or even QinQinQinQ...). Multiple tags must be
separated via a comma or a period (e. g. "5:10,20,2:30"). VLAN
tags are not supported for ARP and BPDU packets (in which case
you could specify the whole frame in hex using the raw layer 2
interface of Mausezahn).
-M <label[:cos[:ttl]][bos]> [, <label...>]
Specify an MPLS label or even an MPLS label stack. Optionally for
each label the experimental bits (usually the Class of Service,
CoS) and the Time To Live (TTL) can be specified. And if you are
really crazy you can set/unset the Bottom of Stack (BoS) bit at
each label using the S (set) and s (unset) option. By default
the BoS is set automatically and correctly. Any other setting
will lead to invalid frames. Enter -M help for detailed
instructions and examples.
-P <ASCII_payload>
Specify a cleartext payload. Alternatively each packet type
supports a hexadecimal specification of the payload (see for
example -t udp help).
-f <filename>
Read the ASCII payload from the specified file.
-F <filename>
Read the HEX payload from the specified file. Actually this file
must also be an ASCII file (text file) but must contain
hexadecimal digits, e. g. "aa:bb:cc:0f:e6...". You can also use
spaces as separation characters.
COMBINATION OF RANGES
When multiple ranges are specified, e. g. destination port ranges AND
destination address ranges, then all possible combinations of ports and
addresses are used for packet generation. Furthermore, this can be
mixed with other ranges e. g. a TCP sequence number range. Note that
combining ranges can lead to a very large number of frames to be sent.
As a rule of thumb you can assume that about 100,000 frames are sent in
a fraction of one second, depending on your network interface.
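To see how large a combination gets before a command is run, the following added example (Python, not part of Mausezahn; all names are made up for it) multiplies out the ranges used in the EXAMPLES section. It assumes that every address of a prefix is used, that -c repeats the whole combination, and that one -d delay falls between consecutive frames.

```python
import ipaddress
import math
import re

DELAY_UNITS_USEC = {"": 1, "m": 1_000, "msec": 1_000, "s": 1_000_000, "sec": 1_000_000}


def count_values(spec, step=1):
    """How many values one field contributes: a single value, a 'lo-hi' range
    (ports, sequence numbers or dotted IPv4 addresses) or a CIDR prefix."""
    if "/" in spec:
        # Assumption: every address of the prefix is used, network and broadcast included.
        return ipaddress.ip_network(spec, strict=False).num_addresses
    if "-" not in spec:
        return 1
    lo, hi = (int(ipaddress.ip_address(p)) if "." in p else int(p)
              for p in spec.split("-", 1))
    if hi < lo:
        raise ValueError(f"descending range: {spec}")
    return (hi - lo) // step + 1


def delay_usec(spec):
    """-d value in microseconds, with the units listed under OPTIONS."""
    m = re.fullmatch(r"(\d+)(msec|m|sec|s)?", spec)
    if not m:
        raise ValueError(f"unrecognised delay: {spec}")
    return int(m.group(1)) * DELAY_UNITS_USEC[m.group(2) or ""]


def plan(ranges, count=1, delay="0"):
    """ranges: list of (spec, step). Returns (frames_per_pass, total_frames,
    total_delay_usec); the last two are None when -c 0 asks for an endless run."""
    per_pass = math.prod(count_values(spec, step) for spec, step in ranges)
    if count == 0:
        return per_pass, None, None
    total = per_pass * count
    # Assumption: one delay per gap between consecutive frames.
    return per_pass, total, (total - 1) * delay_usec(delay)


if __name__ == "__main__":
    # UDP example from EXAMPLES: -A 172.30.0.0/16, dp=1-65535, -c 10
    print(plan([("172.30.0.0/16", 1), ("1-65535", 1)], count=10))
    # TCP example from EXAMPLES: s=0-4294967295 with ds=1500
    print(plan([("0-4294967295", 1500)]))
```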
DISCLAIMER AND WARNING
Mausezahn has been designed as a fast traffic generator so you can easily
overwhelm a LAN segment with myriads of packets. And because Mausezahn
should also support security audits it is also possible to create
malicious or “invalid” packets, SYN floods, port and address sweeps,
DNS and ARP poisoning, etc.
Therefore, don’t use this tool when you are not aware of possible
consequences or have only little knowledge about networks and data
communication. If you abuse Mausezahn for ’unallowed’ attacks and get
caught, or damage something of your own, then this is completely your
fault. So the safest solution is to try it out in a lab environment.
EXAMPLES
Send BPDU frames for VLAN 5 as used with Cisco’s PVST+ type of STP. By
default Mausezahn assumes that you want to become the root bridge:
# mz eth0 -c 0 -d 2s -t bpdu vlan=5
Perform a CAM table overflow attack:
# mz eth0 -c 128000 -a rand -p 64
Perform a SYN flood attack to another VLAN using VLAN hopping. This
only works if you are connected to the same VLAN which is configured as
native VLAN on the trunk. We assume that the victim VLAN is VLAN 100
and the native VLAN is VLAN 5. Let's attack every host in VLAN 100 that
uses an IP prefix of 10.100.100.0/24, also try out all ports between 1
and 1023 and use a random source IP address:
# mz eth0 -c 0 -Q 5,100 -t tcp "flags=syn,dp=1-1023" -p 20 -A rand -B 10.100.100.0/24
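On the monitoring side, frames of this kind stand out because they carry two stacked VLAN tags whose outer VLAN ID is the trunk's native VLAN. The following is an added example (Python, not part of Mausezahn; function names and sample frames are constructed for it) that walks the tag stack of a captured frame and flags that pattern.

```python
import struct

TPIDS = {0x8100, 0x88A8}  # 802.1Q C-tag and 802.1ad S-tag


def vlan_stack(frame):
    """Return ([(cos, vid), ...] outermost first, ethertype after the tags)."""
    tags, off = [], 12  # tags start after destination and source MAC
    while len(frame) >= off + 4:
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in TPIDS:
            break
        tags.append((tci >> 13, tci & 0x0FFF))
        off += 4
    if len(frame) < off + 2:
        raise ValueError("truncated frame")
    return tags, struct.unpack_from("!H", frame, off)[0]


def is_hopping_candidate(frame, native_vlan):
    """Two or more tags with the outer VID equal to the trunk's native VLAN."""
    tags, _ = vlan_stack(frame)
    return len(tags) >= 2 and tags[0][1] == native_vlan


def build(tags, ethertype=0x0800, payload=b"\x00" * 46):
    """Constructed test frame: broadcast destination, made-up source MAC."""
    frame = bytes.fromhex("ffffffffffff020000000001")
    for cos, vid in tags:
        frame += struct.pack("!HH", 0x8100, (cos << 13) | vid)
    return frame + struct.pack("!H", ethertype) + payload


# Constructed samples, using the VLAN numbers from the scenario above.
SAMPLES = {
    "untagged": build([]),
    "single tag, VLAN 100": build([(0, 100)]),
    "outer 5, inner 100": build([(0, 5), (0, 100)]),
    "outer 200, inner 100": build([(0, 200), (0, 100)]),
}


def flagged(native_vlan=5):
    """Names of the sample frames that match the double-tagging pattern."""
    return [name for name, f in SAMPLES.items() if is_hopping_candidate(f, native_vlan)]


if __name__ == "__main__":
    print(flagged())
```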
Send IP multicast packets to the multicast group 230.1.1.1 using a UDP
header with destination port 32000 and set the IP DSCP field to EF
(46). Send one frame every 10 msec:
# mz eth0 -c 0 -d 10msec -B 230.1.1.1 -t udp "dp=32000,dscp=46" -P "Multicast test packet"
Send UDP packets to the destination host target.anynetwork.foo using
all possible destination ports and send every packet with all possible
source addresses of the range 172.30.0.0/16; additionally use a source
port of 666 and three MPLS labels, 100, 200, and 300, the outer (300)
with QoS field 5. Send the frame with a VLAN tag 420 and CoS 6;
eventually pad with 1000 bytes and repeat the whole thing 10 times:
# mz eth0 -Q 6:420 -M 100,200,300:5 -A 172.30.0.0/16 -B target.anynetwork.foo -t udp "sp=666,dp=1-65535" -p 1000 -c 10
Send six forged Syslog messages with severity 3 to a Syslog server
10.1.1.9; use a forged source IP address 192.168.33.42 and let
Mausezahn decide which local interface to use. Use an inter-packet
delay of 10 seconds:
# mz -t syslog sev=3 -P "Main reactor reached critical temperature." -A 192.168.33.42 -B 10.1.1.9 -c 6 -d 10s
Send an invalid TCP packet with only a 5 byte payload as layer-2
broadcast and also use the broadcast MAC address as source address. The
target should be 10.1.1.6 but use a broadcast source address. The
source and destination port shall be 145 and the window size 0. Set the
TCP flags SYN, URG, and RST simultaneously and sweep through the whole
TCP sequence number space with an increment of 1500. Finally set the
urgent pointer to 666, i. e. pointing to nowhere:
# mz -t tcp "flags=syn|urg|rst, sp=145, dp=145, win=0, s=0-4294967295, ds=1500, urg=666" -a bcast -b bcast -A bcast -B 10.1.1.6 -p 5
SEE ALSO
mz.cfg(1)
AUTHOR
Herbert Haas
Visit www.perihel.at/sec/mz/ for Mausezahn news and additional
information.
This manual page was written by Herbert Haas <herbert AT perihel DOT
at>, for the Debian project.
March 7, 2010