NAME | SYNOPSIS | DESCRIPTION | OPTIONS | USAGE EXAMPLE | CONFIGURATION FILE | INTERACTIVE MODE HOWTO | DIRECT MODE HOWTO | NOTE | LEGAL | HISTORY | SEE ALSO | AUTHOR | COLOPHON | COLOPHON

MAUSEZAHN(8)                 netsniff-ng toolkit                MAUSEZAHN(8)

NAME         top

       mausezahn - a fast versatile packet generator with Cisco-cli

SYNOPSIS         top

       mausezahn { [options] "<arg-string> | <hex-string>" }

DESCRIPTION         top

       mausezahn is a fast traffic generator which allows you to send nearly
       every possible and impossible packet. In contrast to trafgen(8),
       mausezahn's packet configuration is on a protocol-level instead of
       byte-level and mausezahn also comes with a built-in Cisco-like
       command-line interface, making it suitable as a network traffic
       generator box in your network lab.

       Next to network labs, it can also be used as a didactical tool and
       for security audits including penetration and DoS testing. As a
       traffic generator, mausezahn is also able to test IP multicast or
       VoIP networks. Packet rates close to the physical limit are
       reachable, depending on the hardware platform.

       mausezahn supports two modes, ''direct mode'' and a multi-threaded
       ''interactive mode''.

       The ''direct mode'' allows you to create a packet directly on the
       command line and every packet parameter is specified in the argument
       list when calling mausezahn.

       The ''interactive mode'' is an advanced multi-threaded configuration
       mode with its own command line interface (CLI). This mode allows you
       to create an arbitrary number of packet types and streams in
       parallel, each with different parameters.

       The interactive mode utilizes a completely redesigned and more
       flexible protocol framework called ''mops'' (mausezahn's own packet
       system). The look and feel of the CLI is very close to the Cisco
       IOS^tm command line interface.

       You can start the interactive mode by executing mausezahn with the
       ''-x'' argument (an optional port number may follow, otherwise it is
       25542). Then use telnet(1) to connect to this mausezahn instance. If
       not otherwise specified, the default login and password combination
       is mz:mz and the enable password is: mops.  This can be changed in
       /etc/netsniff-ng/mausezahn.conf.

       The direct mode supports two specification schemes: The ''raw-
       layer-2'' scheme, where every single byte to be sent can be
       specified, and ''higher-layer'' scheme, where packet builder
       interfaces are used (using the ''-t'' option).

       To use the ''raw-layer-2'' scheme, simply specify the desired frame
       as a hexadecimal sequence (the ''hex-string''), such as:

         mausezahn eth0 "00:ab:cd:ef:00 00:00:00:00:00:01 08:00 ca:fe:ba:be"

       In this example, whitespaces within the byte string are optional and
       separate the Ethernet fields (destination and source address, type
       field, and a short payload). The only additional options supported
       are ''-a'', ''-b'', ''-c'', and ''-p''. The frame length must be
       greater than or equal to 15 bytes.

       The ''higher-layer'' scheme is enabled using the ''-t <packet-type>''
       option.  This option activates a packet builder, and besides the
       ''packet-type'', an optional ''arg-string'' can be specified. The
       ''arg-string'' contains packet- specific parameters, such as TCP
       flags, port numbers, etc. (see example section).

OPTIONS         top

       mausezahn provides a built-in context-specific help. Append the
       keyword
        ''help'' after the configuration options. The most important options
       are:

   -x [<port>]
       Start mausezahn in interactive mode with a Cisco-like CLI. Use telnet
       to log into the local mausezahn instance. If no port has been
       specified, port 25542 is used by default.

   -6
       Specify IPv6 mode (IPv4 is the default).

   -l <IP>
       Specify the IP address mausezahn should bind to when in interactive
       mode, default: 0.0.0.0.

   -v
       Verbose mode. Capital -V is even more verbose.

   -S
       Simulation mode, i.e. don't put anything on the wire. This is
       typically combined with the verbose mode.

   -q
       Quiet mode where only warnings and errors are displayed.

   -c <count>
       Send the packet count times (default: 1, infinite: 0).

   -d <delay>
       Apply delay between transmissions. The delay value can be specified
       in usec (default, no additional unit needed), or in msec (e.g. 100m
       or 100msec), or in seconds (e.g. 100s or 100sec). Note: mops also
       supports nanosecond delay resolution if you need it (see interactive
       mode).

   -p <length>
       Pad the raw frame to specified length using zero bytes. Note that for
       raw layer 2 frames the specified length defines the whole frame
       length, while for higher layer packets the number of additional
       padding bytes are specified.

   -a <src-mac|keyword>
       Use specified source MAC address with hexadecimal notation such as
       00:00:aa:bb:cc:dd.  By default the interface MAC address will be
       used. The keywords ''rand'' and
        ''own'' refer to a random MAC address (only unicast addresses are
       created) and the own address, respectively. You can also use the
       keywords mentioned below although broadcast-type source addresses are
       officially invalid.

   -b <dst-mac|keyword>
       Use specified destination MAC address. By default, a broadcast is
       sent in raw layer 2 mode or to the destination hosts or gateway
       interface MAC address in normal (IP) mode. You can use the same
       keywords as mentioned above, as well as
        ''bc'' or ''bcast'', ''cisco'', and ''stp''. Please note that for
       the destination MAC address the ''rand'' keyword is supported but
       creates a random address only once, even when you send multiple
       packets.

   -A <src-ip|range|rand>
       Use specified source IP address, default is own interface address.
       Optionally, the keyword ''rand'' can again be used for a random
       source IP address or a range can be specified, such as
       ''192.168.1.1-192.168.1.100'' or ''10.1.0.0/16''.  Also, a DNS name
       can be specified for which mausezahn tries to determine the
       corresponding IP address automatically.

   -B <dst-ip|range>
       Use specified destination IP address (default is broadcast i.e.
       255.255.255.255).  As with the source address (see above) you can
       also specify a range or a DNS name.

   -t <packet-type [help] | help>
       Create the specified packet type using the built-in packet builder.
       Currently, supported packet types are: ''arp'', ''bpdu'', ''ip'',
       ''udp'', ''tcp'', ''rtp'', and ''dns''. Currently, there is also
       limited support for ''icmp''. Type
        ''-t help'' to verify which packet builders your actual mausezahn
       version supports. Also, for any particular packet type, for example
       ''tcp'' type
        ''mausezahn -t tcp help'' to receive a more in-depth context
       specific help.

   -T <packet-type>
       Make this mausezahn instance the receiving station. Currently, only
       ''rtp'' is an option here and provides precise jitter measurements.
       For this purpose, start another mausezahn instance on the sending
       station and the local receiving station will output jitter
       statistics. See ''mausezahn -T rtp help'' for a detailed help.

   -Q <[CoS:]vlan> [, <[CoS:]vlan>, ...]
       Specify 802.1Q VLAN tag and optional Class of Service. An arbitrary
       number of VLAN tags can be specified (that is, you can simulate QinQ
       or even QinQinQinQ..).  Multiple tags must be separated via a comma
       or a period (e.g. "5:10,20,2:30").  VLAN tags are not supported for
       ARP and BPDU packets (in which case you could specify the whole frame
       in hexadecimal using the raw layer 2 interface of mausezahn).

   -M <label[:cos[:ttl]][bos]> [, <label...>]
       Specify a MPLS label or even a MPLS label stack. Optionally, for each
       label the experimental bits (usually the Class of Service, CoS) and
       the Time To Live (TTL) can be specified. If you are really crazy you
       can set and unset the Bottom of Stack (BoS) bit for each label using
       the ''S'' (set) and ''s'' (unset) option. By default, the BoS is set
       automatically and correctly. Any other setting will lead to invalid
       frames. Enter ''-M help'' for detailed instructions and examples.

   -P <ascii-payload>
       Specify a cleartext payload. Alternatively, each packet type supports
       a hexadecimal specification of the payload (see for example ''-t udp
       help'').

   -f <filename>
       Read the ASCII payload from the specified file.

   -F <filename>
       Read the hexadecimal payload from the specified file. Actually, this
       file must be also an ASCII text file, but must contain hexadecimal
       digits, e.g. "aa:bb:cc:0f:e6...".  You can use also spaces as
       separation characters.

USAGE EXAMPLE         top

       For more comprehensive examples, have a look at the two following
       HOWTO sections.

   mausezahn eth0 -c 0 -d 2s -t bpdu vlan=5
       Send BPDU frames for VLAN 5 as used with Cisco's PVST+ type of STP.
       By default mausezahn assumes that you want to become the root bridge.

   mausezahn eth0 -c 128000 -a rand -p 64
       Perform a CAM table overflow attack.

   mausezahn eth0 -c 0 -Q 5,100 -t tcp flags=syn,dp=1-1023 -p 20 -A rand -B
       10.100.100.0/24
       Perform a SYN flood attack to another VLAN using VLAN hopping. This
       only works if you are connected to the same VLAN which is configured
       as native VLAN on the trunk. We assume that the victim VLAN is VLAN
       100 and the native VLAN is VLAN 5.  Lets attack every host in VLAN
       100 which use an IP prefix of 10.100.100.0/24, also try out all ports
       between 1 and 1023 and use a random source IP address.

   mausezahn eth0 -c 0 -d 10msec -B 230.1.1.1 -t udp dp=32000,dscp=46 -P
       Multicast test packet
       Send IP multicast packets to the multicast group 230.1.1.1 using a
       UDP header with destination port 32000 and set the IP DSCP field to
       EF (46). Send one frame every 10 msec.

   mausezahn eth0 -Q 6:420 -M 100,200,300:5 -A 172.30.0.0/16 -B
       target.anynetwork.foo -t udp sp=666,dp=1-65535 -p 1000 -c 10
       Send UDP packets to the destination host target.anynetwork.foo using
       all possible destination ports and send every packet with all
       possible source addresses of the range 172.30.0.0/16; additionally
       use a source port of 666 and three MPLS labels, 100, 200, and 300,
       the outer (300) with QoS field 5.  Send the frame with a VLAN tag 420
       and CoS 6; eventually pad with 1000 bytes and repeat the whole thing
       10 times.

   mausezahn -t syslog sev=3 -P Main reactor reached critical temperature.
       -A 192.168.33.42 -B 10.1.1.9 -c 6 -d 10s
       Send six forged syslog messages with severity 3 to a Syslog server
       10.1.1.9; use a forged source IP address 192.168.33.42 and let
       mausezahn decide which local interface to use. Use an inter-packet
       delay of 10 seconds.

   mausezahn -t tcp flags=syn|urg|rst, sp=145, dp=145, win=0,
       s=0-4294967295, ds=1500, urg=666 -a bcast -b bcast -A bcast -B
       10.1.1.6 -p 5
       Send an invalid TCP packet with only a 5 byte payload as layer-2
       broadcast and also use the broadcast MAC address as source address.
       The target should be 10.1.1.6 but use a broadcast source address. The
       source and destination port shall be 145 and the window size 0. Set
       the TCP flags SYN, URG, and RST simultaneously and sweep through the
       whole TCP sequence number space with an increment of 1500. Finally
       set the urgent pointer to 666, i.e. pointing to nowhere.

CONFIGURATION FILE         top

       When mausezahn is run in interactive mode it automatically looks for
       and reads a configuration file located at /etc/netsniff-
       ng/mausezahn.conf for custom options if the file is available,
       otherwise it uses defaults set at compile time.

   Config file: /etc/netsniff-ng/mausezahn.conf
       The configuration file contains lines of the form:

            option = value

       Options supported in the configuration file are:
          Option:          Description:

          user             Username for authentication (default: mz)
          password         Password for authentication (default: mz)
          enable           Password to enter privilege mode (default: mops)
          port             The listening port for the CLI (default: 25542)
          listen-addr      IP address to bind CLI to (default: 0.0.0.0)
          management-only  Set management interface (no data traffic is
       allowed to pass through)
          cli-device       Interface to bind CLI to (default: all) *not
       fully implemented*
          automops         Path to automops file (contains XML data
       describing protocols) *in development*

   Example:
        $ cat /etc/netsniff-ng/mausezahn.conf
        user = mzadmin
        password = mzpasswd
        enable = privilege-mode-passwd
        port = 65000
        listen-addr = 127.0.0.1

INTERACTIVE MODE HOWTO         top

   Telnet:
       Using the interactive mode requires starting mausezahn as a server:

         # mausezahn -x

       Now you can telnet(1) to that server using the default port number
       25542, but also an arbitrary port number can be specified:

         # mausezahn -x 99
         mausezahn accepts incoming telnet connections on port 99.
         mz: Problems opening config file. Will use defaults

       Either from another terminal or from another host try to telnet to
       the mausezahn server:

         caprica$ telnet galactica 99
         Trying 192.168.0.4...
         Connected to galactica.
         Escape character is '^]'.
         mausezahn <version>

         Username: mz
         Password: mz

         mz> enable
         Password: mops
         mz#

       It is recommended to configure your own login credentials in
       /etc/netsniff-ng/mausezahn.conf, (see configuration file section)

   Basics:
       Since you reached the mausezahn prompt, lets try some common
       commands. You can use the '?' character at any time for context-
       specific help. Note that Cisco-like short form of commands are
       accepted in interactive mode. For example, one can use "sh pac"
       instead of "show packet"; another common example is to use "config t"
       in place of "configure terminal". For readability, this manual will
       continue with the full commands.

       First try out the show command:

         mz# show ?

       mausezahn maintains its own ARP table and observes anomalies. There
       is an entry for every physical interface (however this host has only
       one):

         mz# show arp
         Intf    Index     IP address     MAC address       last       Ch
       UCast BCast Info
         ----------------------------------------------------------------------------------
         eth0    [1] D     192.168.0.1  00:09:5b:9a:15:84  23:44:41     1
       1     0  0000

       The column Ch tells us that the announced MAC address has only
       changed one time (= when it was learned). The columns Ucast and BCast
       tell us how often this entry was announced via unicast or broadcast
       respectively.

       Let's check our interfaces:

         mz# show interface
         Available network interfaces:
                        real             real                  used (fake)
       used (fake)
          device        IPv4 address     MAC address           IPv4 address
       MAC address
         ---------------------------------------------------------------------------------------
         > eth0         192.168.0.4      00:30:05:76:2e:8d     192.168.0.4
       00:30:05:76:2e:8d
           lo           127.0.0.1        00:00:00:00:00:00     127.0.0.1
       00:00:00:00:00:00
         2 interfaces found.
         Default interface is eth0.

   Defining packets:
       Let's check the current packet list:

         mz# show packet
         Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS,
       I/i=IP/delivery_off, U=UDP, T=TCP
         PktID  PktName           Layers  Proto    Size  State      Device
       Delay       Count/CntX
             1  sysARP_servic...  E-----  ARP        60  config     lo
       100 msec        1/0 (100%)
         1 packets defined, 0 active.

       We notice that there is already one system-defined packet process; it
       has been created and used only once (during startup) by mausezahn's
       ARP service.  Currently, its state is config which means that the
       process is sleeping.

   General packet options:
       Now let's create our own packet process and switch into the global
       configuration mode:

         mz# configure terminal
         mz(config)# packet
         Allocated new packet PKT0002 at slot 2
         mz(config-pkt-2)# ?
         ...
         name                 Assign a unique name
         description          Assign a packet description text
         bind                 Select the network interface
         count                Configure the packet count value
         delay                Configure the inter-packet delay
         interval             Configure a greater interval
         type                 Specify packet type
         mac                  Configure packet's MAC addresses
         tag                  Configure tags
         payload              Configure a payload
         port                 Configure packet's port numbers
         end                  End packet configuration mode
         ethernet             Configure frame's Ethernet, 802.2, 802.3, or
       SNAP settings
         ip                   Configure packet's IP settings
         udp                  Configure packet's UDP header parameters
         tcp                  Configure packet's TCP header parameters

       Here are a lot of options but normally you only need a few of them.
       When you configure lots of different packets you might assign a
       reasonable name and description for them:

         mz(config-pkt-2)# name Test
         mz(config-pkt-2)# description This is just a test

       You can, for example, change the default settings for the source and
       destination MAC or IP addresses using the mac and ip commands:

         mz(config-pkt-2)# ip address destination 10.1.1.0 /24
         mz(config-pkt-2)# ip address source random

       In the example above, we configured a range of addresses (all hosts
       in the network 10.1.1.0 should be addressed). Additionally we spoof
       our source IP address. Of course, we can also add one or more VLAN
       and, or, MPLS tag(s):

         mz(config-pkt-2)# tag ?
         dot1q                Configure 802.1Q (and 802.1P) parameters
         mpls                 Configure MPLS label stack
         mz(config-pkt-2)# tag dot ?
         Configure 802.1Q tags:
         VLAN[:CoS] [VLAN[:CoS]] ...   The leftmost tag is the outer tag in
       the frame
         remove <tag-nr> | all         Remove one or more tags (<tag-nr>
       starts with 1),
                                       by default the first
       (=leftmost,outer) tag is removed,
                                       keyword 'all' can be used instead of
       tag numbers.
         cfi | nocfi [<tag-nr>]        Set or unset the CFI-bit in any tag
       (by default
                                       assuming the first tag).
         mz(config-pkt-2)# tag dot 1:7 200:5

   Configure count and delay:
         mz(config-pkt-2)# count 1000
         mz(config-pkt-2)# delay ?
         delay <value> [hour | min | sec | msec | usec | nsec]

       Specify the inter-packet delay in hours, minutes, seconds,
       milliseconds, microseconds or nanoseconds. The default unit is
       milliseconds (i.e. when no unit is given).

         mz(config-pkt-2)# delay 1 msec
         Inter-packet delay set to 0 sec and 1000000 nsec
         mz(config-pkt-2)#

   Configuring protocol types:
       mausezahn's interactive mode supports a growing list of protocols and
       only relies on the MOPS architecture (and not on libnet as is the
       case with the legacy direct mode):

         mz(config-pkt-2)# type
         Specify a packet type from the following list:
         arp
         bpdu
         igmp
         ip
         lldp
         tcp
         udp
         mz(config-pkt-2)# type tcp
         mz(config-pkt-2-tcp)#
         ....
         seqnr                Configure the TCP sequence number
         acknr                Configure the TCP acknowledgement number
         hlen                 Configure the TCP header length
         reserved             Configure the TCP reserved field
         flags                Configure a combination of TCP flags at once
         cwr                  Set or unset the TCP CWR flag
         ece                  Set or unset the TCP ECE flag
         urg                  Set or unset the TCP URG flag
         ack                  set or unset the TCP ACK flag
         psh                  set or unset the TCP PSH flag
         rst                  set or unset the TCP RST flag
         syn                  set or unset the TCP SYN flag
         fin                  set or unset the TCP FIN flag
         window               Configure the TCP window size
         checksum             Configure the TCP checksum
         urgent-pointer       Configure the TCP urgent pointer
         options              Configure TCP options
         end                  End TCP configuration mode
         mz(config-pkt-2-tcp)# flags syn fin rst
         Current setting is: --------------------RST-SYN-FIN
         mz(config-pkt-2-tcp)# end
         mz(config-pkt-2)# payload ascii This is a dummy payload for my
       first packet
         mz(config-pkt-2)# end

       Now configure another packet, for example let's assume we want an
       LLDP process:

         mz(config)# packet
         Allocated new packet PKT0003 at slot 3
         mz(config-pkt-3)# type lldp
         mz(config-pkt-3-lldp)# exit
         mz(config)# exit

       In the above example we only use the default LLDP settings and don't
       configure further LLDP options or TLVs. Back in the top level of the
       CLI let's verify what we had done:

         mz# show packet
         Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS,
       I/i=IP/delivery_off, U=UDP, T=TCP
         PktID  PktName            Layers  Proto    Size  State      Device
       Delay      Count/CntX
            1   sysARP_servic...   E-----  ARP        60  config     lo
       100 msec       1/0 (100%)
            2   Test               E-Q-IT            125  config     eth0
       1000 usec    1000/1000 (0%)
            3   PKT0003            E-----  LLDP       36  config     eth0
       30 sec        0/0 (0%)
         3 packets defined, 0 active.

       The column Layers indicates which major protocols have been combined.
       For example the packet with packet-id 2 ("Test") utilizes Ethernet
       (E), IP (I), and TCP (T). Additionally an 802.1Q tag (Q) has been
       inserted. Now start one of these packet processes:

         mz# start slot 3
         Activate [3]
         mz# show packet
         Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS,
       I/i=IP/delivery_off, U=UDP, T=TCP
         PktID  PktName            Layers  Proto    Size  State      Device
       Delay      Count/CntX
            1   sysARP_servic...   E-----  ARP        60  config     lo
       100 msec       1/0 (100%)
            2   Test               E-Q-IT            125  config     eth0
       1000 usec    1000/1000 (0%)
            3   PKT0003            E-----  LLDP       36  config     eth0
       30 sec        0/1 (0%)
         3 packets defined, 1 active.

       Let's have a more detailed look at a specific packet process:

         mz# show packet 2
         Packet [2] Test
         Description: This is just a test
         State: config, Count=1000, delay=1000 usec (0 s 1000000 nsec),
       interval= (undefined)
         Headers:
          Ethernet: 00-30-05-76-2e-8d => ff-ff-ff-ff-ff-ff  [0800 after
       802.1Q tag]
          Auto-delivery is ON (that is, the actual MAC is adapted upon
       transmission)
          802.1Q: 0 tag(s);  (VLAN:CoS)
          IP:  SA=192.168.0.4 (not random) (no range)
               DA=255.255.255.255 (no range)
               ToS=0x00  proto=17  TTL=255  ID=0  offset=0  flags: -|-|-
               len=49664(correct)  checksum=0x2e8d(correct)
          TCP: 83 bytes segment size (including TCP header)
               SP=0 (norange) (not random), DP=0 (norange) (not random)
               SQNR=3405691582 (start 0, stop 4294967295, delta 0) --
       ACKNR=0 (invalid)
               Flags: ------------------------SYN----, reserved field is 00,
       urgent pointer= 0
               Announced window size= 100
               Offset= 0 (times 32 bit; value is valid), checksum= ffff
       (valid)
               (No TCP options attached) - 0 bytes defined
          Payload size: 43 bytes
          Frame size: 125 bytes
           1  ff:ff:ff:ff:ff:ff:00:30  05:76:2e:8d:81:00:e0:01
       81:00:a0:c8:08:00:45:00  00:67:00:00:00:00:ff:06
          33  fa:e4:c0:a8:00:04:ff:ff  ff:ff:00:00:00:00:ca:fe
       ba:be:00:00:00:00:a0:07  00:64:f7:ab:00:00:02:04
          65  05:ac:04:02:08:0a:19:35  90:c3:00:00:00:00:01:03
       03:05:54:68:69:73:20:69  73:20:61:20:64:75:6d:6d
          97  79:20:70:61:79:6c:6f:61  64:20:66:6f:72:20:6d:79
       20:66:69:72:73:74:20:70  61:63:6b:65:74
         mz#

       If you want to stop one or more packet processes, use the stop
       command. The "emergency stop" is when you use stop all:

         mz# stop all
         Stopping
         [3] PKT0003
         Stopped 1 transmission processe(s)

       The launch command provides a shortcut for commonly used packet
       processes. For example to behave like a STP-capable bridge we want to
       start an BPDU process with typical parameters:

         mz# launch bpdu
         Allocated new packet sysBPDU at slot 5
         mz# show packet
         Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS,
       I/i=IP/delivery_off, U=UDP, T=TCP
         PktID  PktName           Layers  Proto    Size  State      Device
       Delay       Count/CntX
             1  sysARP_servic...  E-----  ARP        60  config     lo
       100 msec        1/0 (100%)
             2  Test              E-Q-IT            125  config     eth0
       1000 usec     1000/1000 (0%)
             3  PKT0003           E-----  LLDP       36  config     eth0
       30 sec        0/12 (0%)
             4  PKT0004           E---I-  IGMP       46  config     eth0
       100 msec        0/0 (0%)
             5  sysBPDU           ES----  BPDU       29  active     eth0
       2 sec        0/1 (0%)
         5 packets defined, 1 active.

       Now a Configuration BPDU is sent every 2 seconds, claiming to be the
       root bridge (and usually confusing the LAN. Note that only packet 5
       (i.e. the last row) is active and therefore sending packets while all
       other packets are in state config (i.e. they have been configured but
       they are not doing anything at the moment).

   Configuring a greater interval:
       Sometimes you may want to send a burst of packets at a greater
       interval:

         mz(config)# packet 2
         Modify packet parameters for packet Test [2]
         mz(config-pkt-2)# interval
         Configure a greater packet interval in days, hours, minutes, or
       seconds
         Arguments: <value>  <days | hours | minutes | seconds>
         Use a zero value to disable an interval.
         mz(config-pkt-2)# interval 1 hour
         mz(config-pkt-2)# count 10
         mz(config-pkt-2)# delay 15 usec
         Inter-packet delay set to 0 sec and 15000 nsec

       Now this packet is sent ten times with an inter-packet delay of 15
       microseconds and this is repeated every hour. When you look at the
       packet list, an interval is indicated with the additional flag 'i'
       when inactive or 'I' when active:

         mz# show packet
         Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS,
       I/i=IP/delivery_off, U=UDP, T=TCP
         PktID  PktName           Layers  Proto    Size  State      Device
       Delay       Count/CntX
             1  sysARP_servic...  E-----  ARP        60  config     lo
       100 msec        1/0 (100%)
             2  Test              E-Q-IT            125  config-i   eth0
       15 usec       10/10 (0%)
             3  PKT0003           E-----  LLDP       36  config     eth0
       30 sec        0/12 (0%)
             4  PKT0004           E---I-  IGMP       46  config     eth0
       100 msec        0/0 (0%)
             5  sysBPDU           ES----  BPDU       29  active     eth0
       2 sec        0/251 (0%)
         5 packets defined, 1 active.
         mz# start slot 2
         Activate [2]
         mz# show packet
         Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS,
       I/i=IP/delivery_off, U=UDP, T=TCP
         PktID  PktName           Layers  Proto    Size  State      Device
       Delay       Count/CntX
             1  sysARP_servic...  E-----  ARP        60  config     lo
       100 msec        1/0 (100%)
             2  Test              E-Q-IT            125  config+I   eth0
       15 usec       10/0 (100%)
             3  PKT0003           E-----  LLDP       36  config     eth0
       30 sec        0/12 (0%)
             4  PKT0004           E---I-  IGMP       46  config     eth0
       100 msec        0/0 (0%)
             5  sysBPDU           ES----  BPDU       29  active     eth0
       2 sec        0/256 (0%)
         5 packets defined, 1 active.

       Note that the flag 'I' indicates that an interval has been specified
       for packet 2. The process is not active at the moment (only packet 5
       is active here) but it will become active at a regular interval. You
       can verify the actual interval when viewing the packet details via
       the 'show packet 2' command.

   Load prepared configurations:
       You can prepare packet configurations using the same commands as you
       would type them in on the CLI and then load them to the CLI. For
       example, assume we have prepared a file 'test.mops' containing:

         configure terminal
         packet
         name IGMP_TEST
         desc This is only a demonstration how to load a file to mops
         type igmp

       Then we can add this packet configuration to our packet list using
       the load command:

         mz# load test.mops
         Read commands from test.mops...
         Allocated new packet PKT0002 at slot 2
         mz# show packet
         Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS,
       I/i=IP/delivery_off, U=UDP, T=TCP
         PktID  PktName           Layers  Proto    Size  State      Device
       Delay       Count/CntX
             1  sysARP_servic...  E-----  ARP        60  config     lo
       100 msec        1/0 (100%)
             2  IGMP_TEST         E---I-  IGMP       46  config     eth0
       100 msec        0/0 (0%)
         2 packets defined, 0 active.

       The file src/examples/mausezahn/example_lldp.conf contains another
       example list of commands to create a bogus LLDP packet. You can load
       this configuration from the mausezahn command line as follows:

         mz# load /home/hh/tmp/example_lldp.conf

       In case you copied the file in that path. Now when you enter 'show
       packet' you will see a new packet entry in the packet list. Use the
       'start slot <nr>' command to activate this packet.

       You can store your own packet creations in such a file and easily
       load them when you need them. Every command within such configuration
       files is executed on the command line interface as if you had typed
       it in -- so be careful about the order and don't forget to use
       'configure terminal' as first command.

       You can even load other files from within a central config file.

DIRECT MODE HOWTO         top

   How to specify hexadecimal digits:
       Many arguments allow direct byte input. Bytes are represented as two
       hexadecimal digits. Multiple bytes must be separated either by
       spaces, colons, or dashes - whichever you prefer. The following byte
       strings are equivalent:

         "aa:bb cc-dd-ee ff 01 02 03-04 05"
         "aa bb cc dd ee ff:01:02:03:04 05"

       To begin with, you may want to send an arbitrary fancy (possibly
       invalid) frame right through your network card:

         mausezahn ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:08:00:ca:fe:ba:be

        or equivalent but more readable:

         mausezahn ff:ff:ff:ff:ff:ff-ff:ff:ff:ff:ff:ff-08:00-ca:fe:ba:be

   Basic operations:
       All major command line options are listed when you execute mausezahn
       without arguments. For practical usage, keep the following special
       (not so widely known) options in mind:

         -r                    Multiplies the specified delay with a random
       value.
         -p <length>           Pad the raw frame to specified length (using
       random bytes).
         -P <ASCII Payload>    Use the specified ASCII payload.
         -f <filename>         Read the ASCII payload from a file.
         -F <filename>         Read the hexadecimal payload from a file.
         -S                    Simulation mode: DOES NOT put anything on the
       wire.
                               This is typically combined with one of the
       verbose
                               modes (-v or V).

       Many options require a keyword or a number but the -t option is an
       exception since it requires both a packet type (such as ip, udp, dns,
       etc) and an argument string which is specific for that packet type.
       Here are some simple examples:

         mausezahn -t help
         mausezahn -t tcp help
         mausezahn eth3 -t udp sp=69,dp=69,p=ca:fe:ba:be

       Note: Don't forget that on the CLI the Linux shell (usually the Bash)
       interprets spaces as a delimiting character. That is, if you are
       specifying an argument that consists of multiple words with spaces in
       between, you MUST group these within quotes. For example, instead of

         mausezahn eth0 -t udp sp=1,dp=80,p=00:11:22:33

        you could either omit the spaces

         mausezahn eth0 -t udp sp=1,dp=80,p=00:11:22:33

        or, for greater safety, use quotes:

         mausezahn eth0 -t udp "sp=1,dp=80,p=00:11:22:33"

       In order to monitor what's going on, you can enable the verbose mode
       using the -v option. The opposite is the quiet mode (-q) which will
       keep mausezahn absolutely quiet (except for error messages and
       warnings.)

       Don't confuse the payload argument p=... with the padding option -p.
       The latter is used outside the quotes!

   The automatic packet builder:
       An important argument is -t which invokes a packet builder. Currently
       there are packet builders for ARP, BPDU, CDP, IP, partly ICMP, UDP,
       TCP, RTP, DNS, and SYSLOG. (Additionally you can insert a VLAN tag or
       a MPLS label stack but this works independently of the packet
       builder.)

       You get context specific help for every packet builder using the help
       keyword, such as:

         mausezahn -t bpdu help
         mausezahn -t tcp help

       For every packet you may specify an optional payload. This can be
       done either via hexadecimal notation using the payload (or short p)
       argument or directly as ASCII text using the -P option:

         mausezahn eth0 -t ip -P "Hello World"                        #
       ASCII payload
         mausezahn eth0 -t ip p=68:65:6c:6c:6f:20:77:6f:72:6c:64       # hex
       payload
         mausezahn eth0 -t ip "proto=89,                           \
                               p=68:65:6c:6c:6f:20:77:6f:72:6c:64, \   #
       same with other
                               ttl=1"                                   # IP
       arguments

       Note: The raw link access mode only accepts hexadecimal payloads
       (because you specify everything in hexadecimal here.)

   Packet count and delay:
       By default only one packet is sent. If you want to send more packets
       then use the count option -c <count>. When count is zero then
       mausezahn will send forever. By default, mausezahn sends at maximum
       speed (and this is really fast ;-)). If you don't want to overwhelm
       your network devices or have other reasons to send at a slower rate
       then you might want to specify a delay using the -d <delay> option.

       If you only specify a numeric value it is interpreted in microsecond
       units.  Alternatively, for easier use, you might specify units such
       as seconds, sec, milliseconds, or msec. (You can also abbreviate this
       with s or m.)  Note: Don't use spaces between the value and the unit!
       Here are typical examples:

       Send an infinite number of frames as fast as possible:

         mausezahn -c 0  "aa bb cc dd ...."

       Send 100,000 frames with a 50 msec interval:

         mausezahn -c 100000 -d 50msec "aa bb cc dd ...."

       Send an unlimited number of BPDU frames in a 2 second interval:

         mausezahn -c 0 -d 2s -t bpdu conf

       Note: mausezahn does not support fractional numbers. If you want to
       specify for example 2.5 seconds then express this in milliseconds
       (2500 msec).

   Source and destination addresses:
       As a mnemonic trick keep in mind that all packets run from "A" to
       "B". You can always specify source and destination MAC addresses
       using the -a and -b options, respectively. These options also allow
       keywords such as rand, own, bpdu, cisco, and others.

       Similarly, you can specify source and destination IP addresses using
       the -A and -B options, respectively. These options also support FQDNs
       (i.e. domain names) and ranges such as 192.168.0.0/24 or
       10.0.0.11-10.0.3.22. Additionally, the source address option supports
       the rand keyword (ideal for "attacks").

       Note: When you use the packet builder for IP-based packets (e.g. UDP
       or TCP) then mausezahn automatically cares about correct MAC and IP
       addresses (i.e.  it performs ARP, DHCP, and DNS for you). But when
       you specify at least a single link-layer address (or any other L2
       option such as a VLAN tag or MPLS header) then ARP is disabled and
       you must care for the Ethernet destination address for yourself.

   Layer-2:
   `-- Direct link access:
       mausezahn allows you to send ANY chain of bytes directly through your
       Ethernet interface:

         mausezahn eth0 "ff:ff:ff:ff:ff:ff ff:ff:ff:ff:ff:ff 00:00
       ca:fe:ba:be"

       This way you can craft every packet you want but you must do it by
       hand. Note: On Wi-Fi interfaces the header is much more complicated
       and automatically created by the Wi-Fi driver. As an example to
       introduce some interesting options, lets continuously send frames at
       max speed with random source MAC address and broadcast destination
       address, additionally pad the frame to 1000 bytes:

         mausezahn eth0 -c 0 -a rand -b bcast -p 1000 "08 00 aa bb cc dd"

       The direct link access supports automatic padding using the -p <total
       frame length> option. This allows you to pad a raw L2 frame to the
       desired length.  You must specify the total length, and the total
       frame length must have at least 15 bytes for technical reasons. Zero
       bytes are used for padding.

   `-- ARP:
       mausezahn provides a simple interface to the ARP packet. You can
       specify the ARP method (request|reply) and up to four arguments:
       sendermac, targetmac, senderip, targetip, or short smac, tmac, sip,
       tip. By default, an ARP reply is sent with your own interface
       addresses as source MAC and IP address, and a broadcast destination
       MAC and IP address. Send a gratuitous ARP request (as used for
       duplicate IP address detection):

         mausezahn eth0 -t arp

       ARP cache poisoning:

         mausezahn eth0 -t arp "reply, senderip=192.168.0.1,
       targetmac=00:00:0c:01:02:03, \
                                 targetip=172.16.1.50"

        where by default your interface MAC address will be used as
       sendermac, senderip denotes the spoofed IP address, targetmac and
       targetip identifies the receiver. By default, the Ethernet source
       address is your interface MAC and the destination address is the
       broadcast address. You can change this using the flags -a and -b.

   `-- BPDU:
       mausezahn provides a simple interface to the 802.1D BPDU frame format
       (used to create the Spanning Tree in bridged networks). By default,
       standard IEEE 802.1D BPDUs are sent and it is assumed that your
       computer wants to become the root bridge (rid=bid). Optionally the
       802.3 destination address can be a specified MAC address, broadcast,
       own MAC, or Cisco's PVST+ MAC address. The destination MAC can be
       specified using the -b command which, besides MAC addresses, accepts
       keywords such as bcast, own, pvst, or stp (default). PVST+ is
       supported as well. Simply specify the VLAN for which you want to send
       a BPDU:

         mausezahn eth0 -t bpdu "vlan=123, rid=2000"

       See mausezahn -t bpdu help for more details.

   `-- CDP:
       mausezahn can send Cisco Discovery Protocol (CDP) messages since this
       protocol has security relevance. Of course lots of dirty tricks are
       possible; for example arbitrary TLVs can be created (using the hex-
       payload argument for example p=00:0e:00:07:01:01:90) and if you want
       to stress the CDP database of some device, mausezahn can send each
       CDP message with another system-id using the change keyword:

         mausezahn -t cdp change -c 0

       Some routers and switches may run into deep problems ;-) See
       mausezahn -t cdp help for more details.

   `-- 802.1Q VLAN Tags:
       mausezahn allows simple VLAN tagging for IP (and other higher layer)
       packets.  Simply use the option -Q <[CoS:]VLAN>, such as -Q 10 or -Q
       3:921. By default CoS=0. For example send a TCP packet in VLAN 500
       using CoS=7:

         mausezahn eth0 -t tcp -Q 7:500 "dp=80, flags=rst, p=aa:aa:aa"

       You can create as many VLAN tags as you want! This is interesting to
       create QinQ encapsulations or VLAN hopping: Send a UDP packet with
       VLAN tags 100 (outer) and 651 (inner):

         mausezahn eth0 -t udp "dp=8888, sp=13442" -P "Mausezahn is great"
       -Q 100,651

       Don't know if this is useful anywhere but at least it is possible:

         mausezahn eth0 -t udp "dp=8888, sp=13442" -P "Mausezahn is great"
       \
                        -Q 6:5,7:732,5:331,5,6

       Mix it with MPLS:

         mausezahn eth0 -t udp "dp=8888, sp=13442" -P "Mausezahn is great"
       -Q 100,651 -M 314

       When in raw Layer 2 mode you must create the VLAN tag completely by
       yourself.  For example if you want to send a frame in VLAN 5 using
       CoS 0 simply specify 81:00 as type field and for the next two bytes
       the CoS (PCP), DEI (CFI), and VLAN ID values (all together known as
       TCI):

         mausezahn eth0 -b bc -a rand "81:00 00:05 08:00 aa-aa-aa-aa-aa-aa-
       aa-aa-aa"

   `-- MPLS labels:
       mausezahn allows you to insert one or more MPLS headers. Simply use
       the option -M <label:CoS:TTL:BoS> where only the label is mandatory.
       If you specify a second number it is interpreted as the experimental
       bits (the CoS usually). If you specify a third number it is
       interpreted as TTL. By default the TTL is set to 255. The Bottom of
       Stack flag is set automatically, otherwise the frame would be
       invalid, but if you want you can also set or unset it using the S
       (set) and s (unset) argument. Note that the BoS must be the last
       argument in each MPLS header definition. Here are some examples:

       Use MPLS label 214:

         mausezahn eth0 -M 214 -t tcp "dp=80" -P "HTTP..." -B myhost.com

       Use three labels (the 214 is now the outer):

         mausezahn eth0 -M 9999,51,214 -t tcp "dp=80" -P "HTTP..." -B
       myhost.com

       Use two labels, one with CoS=5 and TTL=1, the other with CoS=7:

         mausezahn eth0 -M 100:5:1,500:7 -t tcp "dp=80" -P "HTTP..." -B
       myhost.com

       Unset the BoS flag (which will result in an invalid frame):

         mausezahn eth0 -M 214:s -t tcp "dp=80" -P "HTTP..." -B myhost.com

   Layer 3-7:
       IP, UDP, and TCP packets can be padded using the -p option. Currently
       0x42 is used as padding byte ('the answer'). You cannot pad DNS
       packets (would be useless anyway).

   `-- IP:
       mausezahn allows you to send any malformed or correct IP packet.
       Every field in the IP header can be manipulated. The IP addresses can
       be specified via the -A and -B options, denoting the source and
       destination address, respectively. You can also specify an address
       range or a host name (FQDN).  Additionally, the source address can
       also be random. By default the source address is your interface IP
       address and the destination address is a broadcast address. Here are
       some examples:

       ASCII payload:

         mausezahn eth0 -t ip -A rand -B 192.168.1.0/24  -P "hello world"

       Hexadecimal payload:

         mausezahn eth0 -t ip -A 10.1.0.1-10.1.255.254 -B 255.255.255.255
       p=ca:fe:ba:be

       Will use correct source IP address:

         mausezahn eth0 -t ip -B www.xyz.com

       The Type of Service (ToS) byte can either be specified directly by
       two hexadecimal digits, which means you can also easily set the
       Explicit Congestion Notification (ECN) bits (LSB 1 and 2), or you may
       only want to specify a common DSCP value (bits 3-8) using a decimal
       number (0..63):

       Packet sent with DSCP = Expedited Forwarding (EF):

         mausezahn eth0 -t ip
       dscp=46,ttl=1,proto=1,p=08:00:5a:a2:de:ad:be:af

       If you leave the checksum as zero (or unspecified) the correct
       checksum will be automatically computed. Note that you can only use a
       wrong checksum when you also specify at least one L2 field manually.

   `-- UDP:
       mausezahn supports easy UDP datagram generation. Simply specify the
       destination address (-B option) and optionally an arbitrary source
       address (-A option) and as arguments you may specify the port numbers
       using the dp (destination port) and sp (source port) arguments and a
       payload. You can also easily specify a whole port range which will
       result in sending multiple packets. Here are some examples:

       Send test packets to the RTP port range:

         mausezahn eth0 -B 192.168.1.1 -t udp "dp=16384-32767, \
                          p=A1:00:CC:00:00:AB:CD:EE:EE:DD:DD:00"

       Send a DNS request as local broadcast (often a local router replies):

         mausezahn eth0 -t udp
       dp=53,p=c5-2f-01-00-00-01-00-00-00-00-00-00-03-77-77-\
                                        77-03-78-79-7a-03-63-6f-6d-00-00-01-00-01"

       Additionally you may specify the length and checksum using the len
       and sum arguments (will be set correctly by default). Note: several
       protocols have same arguments such as len (length) and sum
       (checksum). If you specified a UDP type packet (via -t udp) and want
       to modify the IP length, then use the alternate keyword iplen and
       ipsum. Also note that you must specify at least one L2 field which
       tells mausezahn to build everything without the help of your kernel
       (the kernel would not allow modifying the IP checksum and the IP
       length).

   `-- ICMP:
       mausezahn currently only supports the following ICMP methods: PING
       (echo request), Redirect (various types), Unreachable (various
       types). Additional ICMP types will be supported in future. Currently
       you would need to tailor them by yourself, e.g. using the IP packet
       builder (setting proto=1). Use the mausezahn -t icmp help for help on
       currently implemented options.

   `-- TCP:
       mausezahn allows you to easily tailor any TCP packet. Similarly as
       with UDP you can specify source and destination port (ranges) using
       the sp and dp arguments.  Then you can directly specify the desired
       flags using an "|" as delimiter if you want to specify multiple
       flags. For example, a SYN-Flood attack against host 1.1.1.1 using a
       random source IP address and periodically using all 1023 well-known
       ports could be created via:

         mausezahn eth0 -A rand -B 1.1.1.1 -c 0 -t tcp "dp=1-1023,
       flags=syn"  \
                        -P "Good morning! This is a SYN Flood Attack.
       \
                            We apologize for any inconvenience."

       Be careful with such SYN floods and only use them for firewall
       testing. Check your legal position! Remember that a host with an open
       TCP session only accepts packets with correct socket information
       (addresses and ports) and a valid TCP sequence number (SQNR). If you
       want to try a DoS attack by sending a RST-flood and you do NOT know
       the target's initial SQNR (which is normally the case) then you may
       want to sweep through a range of sequence numbers:

         mausezahn eth0 -A legal.host.com -B target.host.com \
                        -t tcp "sp=80,dp=80,s=1-4294967295"

       Fortunately, the SQNR must match the target host's acknowledgement
       number plus the announced window size. Since the typical window size
       is something between 40000 and 65535 you are MUCH quicker when using
       an increment via the ds argument:

         mausezahn eth0 -A legal.host.com -B target.host.com \
                        -t tcp "sp=80, dp=80, s=1-4294967295, ds=40000"

       In the latter case mausezahn will only send 107375 packets instead of
       4294967295 (which results in a duration of approximately 1 second
       compared to 11 hours!). Of course you can tailor any TCP packet you
       like. As with other L4 protocols mausezahn builds a correct IP header
       but you can additionally access every field in the IP packet (also in
       the Ethernet frame).

   `-- DNS:
       mausezahn supports UDP-based DNS requests or responses. Typically you
       may want to send a query or an answer. As usual, you can modify every
       flag in the header.  Here is an example of a simple query:

         mausezahn eth0 -B mydns-server.com -t dns "q=www.ibm.com"

       You can also create server-type messages:

         mausezahn eth0 -A spoofed.dns-server.com -B target.host.com \
                        "q=www.topsecret.com, a=172.16.1.1"

       The syntax according to the online help (-t dns help) is:

         query|q = <name>[:<type>]  ............. where type is per default
       "A"
                                                  (and class is always "IN")
         answer|a = [<type>:<ttl>:]<rdata> ...... ttl is per default 0.
                  = [<type>:<ttl>:]<rdata>/[<type>:<ttl>:]<rdata>/...

       Note: If you only use the 'query' option then a query is sent. If you
       additionally add an 'answer' then an answer is sent. Examples:

         q = www.xyz.com
         q = www.xyz.com, a=192.168.1.10
         q = www.xyz.com, a=A:3600:192.168.1.10
         q = www.xyz.com, a=CNAME:3600:abc.com/A:3600:192.168.1.10

       Please try out mausezahn -t dns help to see the many other optional
       command line options.

   `-- RTP and VoIP path measurements:
       mausezahn can send arbitrary Real Time Protocol (RTP) packets. By
       default a classical G.711 codec packet of 20 ms segment size and 160
       bytes is assumed. You can measure jitter, packet loss, and reordering
       along a path between two hosts running mausezahn. The jitter
       measurement is either done following the variance low-pass filtered
       estimation specified in RFC 3550 or using an alternative "real-time"
       method which is even more precise (the RFC-method is used by
       default). For example on Host1 you start a transmission process:

         mausezahn -t rtp -B 192.168.1.19

       And on Host2 (192.168.1.19) a receiving process which performs the
       measurement:

         mausezahn -T rtp

       Note that the option flag with the capital "T" means that it is a
       server RTP process, waiting for incoming RTP packets from any
       mausezahn source. In case you want to restrict the measurement to a
       specific source or you want to perform a bidirectional measurement,
       you must specify a stream identifier.  Here is an example for
       bidirectional measurements which logs the running jitter average in a
       file:

         Host1# mausezahn -t rtp id=11:11:11:11 -B 192.168.2.2 &
         Host1# mausezahn -T rtp id=22:22:22:22 "log, path=/tmp/mz/"

         Host2# mausezahn -t rtp id=22:22:22:22 -B 192.168.1.1 &
         Host2# mausezahn -T rtp id=11:11:11:11 "log, path=/tmp/mz/"

       In any case the measurements are printed continuously onto the
       screen; by default it looks like this:

         0.00                     0.19                      0.38
       0.57
         |-------------------------|-------------------------|-------------------------|
         #########
       0.07 msec
         ####################
       0.14 msec
         ##
       0.02 msec
         ###
       0.02 msec
         #########
       0.07 msec
         ####
       0.03 msec
         #########
       0.07 msec
         #############
       0.10 msec
         ##
       0.02 msec
         ###########################################
       0.31 msec
         #########
       0.07 msec
         ##############################################
       0.33 msec
         ###############
       0.11 msec
         ##########
       0.07 msec
         ###############
       0.11 msec
         ##########################################################
       0.42 msec
         #####
       0.04 msec

       More information is shown using the txt keyword:

         mausezahn -T rtp txt
         Got 100 packets from host 192.168.0.3: 0 lost (0 absolute lost), 1
       out of order
           Jitter_RFC (low pass filtered) = 30 usec
           Samples jitter (min/avg/max)   = 1/186/2527 usec
           Delta-RX (min/avg/max)         = 2010/20167/24805 usec
         Got 100 packets from host 192.168.0.3: 0 lost (0 absolute lost), 1
       out of order
           Jitter_RFC (low pass filtered) = 17 usec
           Samples jitter (min/avg/max)   = 1/53/192 usec
           Delta-RX (min/avg/max)         = 20001/20376/20574 usec
         Got 100 packets from host 192.168.0.3: 0 lost (0 absolute lost), 1
       out of order
           Jitter_RFC (low pass filtered) = 120 usec
           Samples jitter (min/avg/max)   = 0/91/1683 usec
           Delta-RX (min/avg/max)         = 18673/20378/24822 usec

       See mausezahn -t rtp help and mz -T rtp help for more details.

   `-- Syslog:
       The traditional Syslog protocol is widely used even in professional
       networks and is sometimes vulnerable. For example you might insert
       forged Syslog messages by spoofing your source address (e.g.
       impersonate the address of a legit network device):

         mausezahn -t syslog sev=3 -P "You have been mausezahned." -A
       10.1.1.109 -B 192.168.7.7

       See mausezahn -t syslog help for more details.

NOTE         top

       When multiple ranges are specified, e.g. destination port ranges and
       destination address ranges, then all possible combinations of ports
       and addresses are used for packet generation. Furthermore, this can
       be mixed with other ranges e.g. a TCP sequence number range. Note
       that combining ranges can lead to a very huge number of frames to be
       sent. As a rule of thumb you can assume that about 100,000 frames and
       more are sent in a fraction of one second, depending on your network
       interface.

       mausezahn has been designed as a fast traffic generator so you might
       easily overwhelm a LAN segment with myriads of packets. And because
       mausezahn could also support security audits it is possible to create
       malicious or invalid packets, SYN floods, port and address sweeps,
       DNS and ARP poisoning, etc.

       Therefore, don't use this tool when you are not aware of the possible
       consequences or have only a little knowledge about networks and data
       communication. If you abuse mausezahn for 'unallowed' attacks and get
       caught, or damage something of your own, then this is completely your
       fault. So the safest solution is to try it out in a lab environment.

       Also have a look at the netsniff-ng(8) note section on how you can
       properly setup and tune your system.

LEGAL         top

       mausezahn is licensed under the GNU GPL version 2.0.

HISTORY         top

       mausezahn was originally written by Herbert Haas. According to his
       website [1], he unfortunately passed away in 2011 thus leaving this
       tool unmaintained.  It has been adopted and integrated into the
       netsniff-ng toolkit and is further being maintained and developed
       from there. Maintainers are Tobias Klauser <tklauser@distanz.ch> and
       Daniel Borkmann <dborkma@tik.ee.ethz.ch>.

         [1] http://www.perihel.at/

SEE ALSO         top

       netsniff-ng(8), trafgen(8), ifpps(8), bpfc(8), flowtop(8),
       astraceroute(8), curvetun(8)

AUTHOR         top

       Manpage was written by Herbert Haas and modified by Daniel Borkmann.

COLOPHON         top

       This page is part of the Linux netsniff-ng toolkit project. A
       description of the project, and information about reporting bugs, can
       be found at http://netsniff-ng.org/.

COLOPHON         top

       This page is part of the netsniff-ng (a free Linux networking
       toolkit) project.  Information about the project can be found at 
       ⟨http://netsniff-ng.org/⟩.  If you have a bug report for this manual
       page, send it to netsniff-ng@googlegroups.com.  This page was
       obtained from the project's upstream Git repository 
       ⟨git://github.com/netsniff-ng/netsniff-ng.git⟩ on 2017-07-05.  If you
       discover any rendering problems in this HTML version of the page, or
       you believe there is a better or more up-to-date source for the page,
       or you have corrections or improvements to the information in this
       COLOPHON (which is not part of the original manual page), send a mail
       to man-pages@man7.org

Linux                           03 March 2013                   MAUSEZAHN(8)

Pages that refer to this page: astraceroute(8)bpfc(8)curvetun(8)flowtop(8)ifpps(8)netsniff-ng(8)trafgen(8)