mz - a fast versatile packet generator
]<arg_string> | <hex_string>
is a free fast traffic generator written in C which allows you
to send nearly every possible and impossible packet.
Mausezahn can also be used for example as didactical tool in network labs or for
security audits including penetration and DoS testing. As traffic generator
Mausezahn is for example used test IP multicast or VoIP networks. Speeds close
to the Ethernet limit are reachable (depending on the hardware platform,
especially the quality of the network interface card).
Mausezahn supports two modes, direct mode
and a multi-threaded
The direct mode
allows you to create a packet directly on the Linux/UN*X
shell and every packet parameter is specified in the argument list when
The interactive mode
is an advanced multi-threaded configuration mode
with its own command line interface (CLI). This mode allows you to create an
arbitrary number of packet types and streams in parallel, each with different
parameters. The interactive mode utilizes a completely redesigned and more
flexible protocol framework called MOPS (Mausezahn's Own Packet System). The
look and feel of the CLI is very similar to the Cisco IOS(tm) command line.
You can start the interactive mode by executing Mausezahn with the -x
argument (an optional port number may follow, otherwise it is 25542). Then use
Telnet to connect to this Mausezahn instance (the default login expects the
user 'mz' with password 'mz', and enable password 'mops'; you can change this
in /etc/mausezahn/mz.cfg). More information about the interactive mode and
MOPS is provided on the Mausezahn website.
The direct mode
supports two specification schemes: The
scheme, where every single byte to be sent can be
specified, and higher-layer
scheme, where packet builder interfaces are
used (using the -t
To use the raw-layer-2
scheme, simply specify the desired frame as
hexadecimal sequence (the hex_string
), such as
mz eth0 "00:ab:cd:ef:00 00:00:00:00:00:01 08:00 ca:fe:ba:be"
In this example, the spaces within the byte string are optional and separate the
Ethernet fields (destination and source address, type field, and a short
payload). The only additional options supported are -a
, and -p
. The frame length MUST be greater or equal 15 bytes.
scheme is enabled using the -t
option. This option activates a packet builder and
besides the packet_type
an optional arg_string
can be specified.
contains packet-specific parameters, such as TCP flags,
port numbers, etc; see the EXAMPLES below.
Note that Mausezahn requires root privileges. Please see the Mausezahn User's
Guide for more details or use Mausezahn's command line help.
Mausezahn provides a built-in context-specific help. Simply append the keyword
to the configuration options.
The most important options are:
- Verbose mode. Capital -V is even more verbose.
- Simulation mode, i. e. don't put anything on the wire. This is typically
combined with the verbose mode.
- Quiet mode (only warnings and errors are displayed).
- -c <count>
- Send the packet count times (default: 1, infinite: 0).
- -d <delay>
- Apply delay between transmissions. The delay value can be specified in
usec (default, no additional unit needed), or in msec (e. g. 100m or
100msec), or in seconds (e. g. 100s or 100sec). Note: MOPS also supports
nanosecond delay granulation if you need it (see: interactive mode).
- -p <lenght>
- Pad the raw frame to specified length (using zero bytes). Note that for
raw layer 2 frames the specified length defines the whole frame length,
while for higher layer packets the number of additional padding bytes are
- -a <Src_MAC|keyword>
- Use specified source mac address (use hex notation such as
00:00:aa:bb:cc:dd). By default the interface MAC address will be used. The
keywords rand and own refer to a random MAC address (only
unicast addresses are created) and the own address, respectively. You can
also use the keywords mentioned below (although broadcast-type source
addresses are officially invalid).
- -b <Dst_MAC|keyword>
- Use specified destination mac address. By default a broadcast is sent in
raw layer 2 mode or the destination hosts/gateways interface MAC address
in normal (IP) mode. You can use the same keywords as mentioned above as
well as bc (or bcast), cisco, and stp. Please
note that for the destination MAC address the rand keyword is
supported but creates a random address only once, even when you send
- -A <Src_IP|range|rand>
- Use specified source IP address (default is own interface IP). Optionally
the keyword rand can again be used for a random source IP address
or a range can be specified, such as 192.168.1.1-192.168.1.100 or
10.1.0.0/16. Also a DNS name can be specified for which Mausezahn tries to
determine the corresponding IP address automatically.
- -B <Dst_IP|range>
- Use specified destination IP address (default is broadcast i. e.
255.255.255.255). As with the source address (see above) you can also
specify a range or a DNS name.
- -t <packet_type>
- Create the specified packet type using the built-in packet builder.
Currently supported packet types are: arp, bpdu, ip,
udp, tcp, rtp, and dns. There is currently
also a limited support for ICMP. Enter -t help to verify which
packet builders your actual Mausezahn version supports. Also, for any
particular packet type, for example tcp enter mz -t tcp help
to receive a context specific help.
- -T <packet_type>
- Make this Mausezahn instance the receiving station. Currently (version
0.30) only rtp is an option here and provides precise jitter
measurements. For this purpose start another Mausezahn instance on the
sending station and the local receiving station will output jitter
statistics. See mz -T rtp help for a detailed help.
- -Q <[CoS:]vlan> [, <[CoS:]vlan>, ...]
- Specify 802.1Q VLAN tag and optional Class of Service. An arbitrary number
of VLAN tags can be specified (that is you can simulate QinQ or even
QinQinQinQ...). Multiple tags must be separated via a comma or a period
(e. g. "5:10,20,2:30"). VLAN tags are not supported for ARP and
BPDU packets (in which case you could specify the whole frame in hex using
the raw layer 2 interface of Mausezahn).
- -M <label[:cos[:ttl]][bos]> [, <label...>]
- Specify a MPLS label or even a MPLS label stack. Optionally for each label
the experimental bits (usually the Class of Service, CoS) and the Time To
Live (TTL) can be specified. And if you are really crazy you can set/unset
the Bottom of Stack (BoS) bit at each label using the S (set) and
s (unset) option. By default the BoS is set automatically and
correctly. Any other setting will lead to invalid frames. Enter -M
help for detailed instructions and examples.
- -P <ASCII_payload>
- Specify a cleartext payload. Alternatively each packet type supports a
hexadecimal specification of the payload (see for example -t udp
- -f <filename>
- Read the ASCII payload from the specified file.
- -F <filename>
- Read the HEX payload from the specified file. Actually this file must be
also an ASCII file (text file) but must contain hexadecimal digits, e. g.
"aa:bb:cc:0f:e6...". You can use also spaces as separation
COMBINATION OF RANGES¶
When multiple ranges are specified, e. g. destination port ranges AND
destination address ranges, then all
possible combinations of ports and
addresses are used for packet generation. Furthermore, this can be mixed with
other ranges e. g. a TCP sequence number range. Note that combining ranges can
lead to a very huge number of frames to be sent. As a rule of thumb you can
assume that about 100,000 frames are sent in a fraction of one second,
depending on your network interface.
DISCLAIMER AND WARNING¶
Mausezahn has been designed as fast traffic generator so you can easily
overwhelm a LAN segment with myriads of packets. And because Mausezahn should
also support security audits it is also possible to create malicious or
“invalid” packets, SYN floods, port and address sweeps, DNS and
ARP poisoning, etc.
Therefore, don't use this tool when you are not aware of possible consequences
or have only little knowledge about networks and data communication. If you
abuse Mausezahn for 'unallowed' attacks and get caught, or damage something of
your own, then this is completely your fault. So the safest solution is to try
it out in a lab environment.
Send BPDU frames for VLAN 5 as used with Cisco's PVST+ type of STP. Per default
Mausezahn assumes that you want to become the root bridge:
# mz eth0 -c 0 -d 2s -t bpdu vlan=5
Perform a CAM table overflow attack:
# mz eth0 -c 128000 -a rand -p 64
Perform a SYN flood attack to another VLAN using VLAN hopping. This only works
if you are connected to the same VLAN which is configured as native VLAN on
the trunk. We assume that the victim VLAN is VLAN 100 and the native VLAN is
VLAN 5. Lets attack every host in VLAN 100 which use a IP prefix of
10.100.100.0/24, also try out all ports between 1 and 1023 and use a random
source IP address:
# mz eth0 -c 0 -Q 5,100 -t tcp "flags=syn,dp=1-1023" -p 20 -A rand -B
Send IP multicast packets to the multicast group 220.127.116.11 using a UDP header
with destination port 32000 and set the IP DSCP field to EF (46). Send one
frame every 10 msec:
# mz eth0 -c 0 -d 10msec -B 18.104.22.168 -t udp "dp=32000,dscp=46" -P
"Multicast test packet"
Send UDP packets to the destination host target.anynetwork.foo using all
possible destination ports and send every packet with all possible source
addresses of the range 172.30.0.0/16; additionally use a source port of 666
and three MPLS labels, 100, 200, and 300, the outer (300) with QoS field 5.
Send the frame with a VLAN tag 420 and CoS 6; eventually pad with 1000 bytes
and repeat the whole thing 10 times:
# mz eth0 -Q 6:420 -M 100,200,300:5 -A 172.30.0.0/16 -B target.anynetwork.foo -t
udp "sp=666,dp=1-65535" -p 1000 -c 10
Send six forged Syslog messages with severity 3 to a Syslog server 10.1.1.9; use
a forged source IP address 192.168.33.42 and let Mausezahn decide which local
interface to use. Use an inter-packet delay of 10 seconds:
# mz -t syslog sev=3 -P "Main reactor reached critical temperature."
-A 192.168.33.42 -B 10.1.1.9 -c 6 -d 10s
Send an invalid TCP packet with only a 5 byte payload as layer-2 broadcast and
also use the broadcast MAC address as source address. The target should be
10.1.1.6 but use a broadcast source address. The source and destination port
shall be 145 and the window size 0. Set the TCP flags SYN, URG, and RST
simultaneously and sweep through the whole TCP sequence number space with an
increment of 1500. Finally set the urgent pointer to 666, i. e. pointing to
# mz -t tcp "flags=syn|urg|rst, sp=145, dp=145, win=0, s=0-4294967295,
ds=1500, urg=666" -a bcast -b bcast -A bcast -B 10.1.1.6 -p 5
Visit www.perihel.at/sec/mz/ for Mausezahn news and additional information.
This manual page was written by Herbert Haas <herbert AT perihel DOT at>,
for the Debian project.