Provided by: netsniff-ng_0.6.0-1build2_i386 bug

NAME

       mausezahn - a fast versatile packet generator with Cisco-cli

SYNOPSIS

       mausezahn { [options] "<arg-string> | <hex-string>" }

DESCRIPTION

       mausezahn  is  a fast traffic generator which allows you to send nearly
       every possible  and  impossible  packet.  In  contrast  to  trafgen(8),
       mausezahn's  packet  configuration  is  on  a protocol-level instead of
       byte-level and mausezahn also comes with a built-in Cisco-like command-
       line  interface,  making it suitable as a network traffic generator box
       in your network lab.

       Next to network labs, it can also be used as a didactical tool and  for
       security  audits  including  penetration  and DoS testing. As a traffic
       generator, mausezahn  is  also  able  to  test  IP  multicast  or  VoIP
       networks.  Packet  rates  close  to  the  physical limit are reachable,
       depending on the hardware platform.

       mausezahn supports two modes,  ''direct  mode''  and  a  multi-threaded
       ''interactive mode''.

       The  ''direct  mode''  allows  you  to  create a packet directly on the
       command line and every packet parameter is specified  in  the  argument
       list when calling mausezahn.

       The  ''interactive  mode''  is an advanced multi-threaded configuration
       mode with its own command line interface (CLI). This mode allows you to
       create  an  arbitrary  number  of packet types and streams in parallel,
       each with different parameters.

       The interactive mode utilizes a completely redesigned and more flexible
       protocol framework called ''mops'' (mausezahn's own packet system). The
       look and feel of the CLI is very close to the Cisco IOS^tm command line
       interface.

       You  can  start  the  interactive  mode by executing mausezahn with the
       ''-x'' argument (an optional port number may follow,  otherwise  it  is
       25542).  Then  use  telnet(1) to connect to this mausezahn instance. If
       not otherwise specified, the default login and password combination  is
       mz:mz  and  the  enable  password  is:  mops.   This  can be changed in
       /etc/netsniff-ng/mausezahn.conf.

       The direct mode supports two specification schemes: The ''raw-layer-2''
       scheme,  where  every  single  byte  to  be  sent can be specified, and
       ''higher-layer'' scheme,  where  packet  builder  interfaces  are  used
       (using the ''-t'' option).

       To  use the ''raw-layer-2'' scheme, simply specify the desired frame as
       a hexadecimal sequence (the ''hex-string''), such as:

         mausezahn eth0 "00:ab:cd:ef:00 00:00:00:00:00:01 08:00 ca:fe:ba:be"

       In this example, whitespaces within the byte string  are  optional  and
       separate  the  Ethernet  fields  (destination  and source address, type
       field, and a short payload). The only additional options supported  are
       ''-a'',  ''-b'',  ''-c'',  and ''-p''. The frame length must be greater
       than or equal to 15 bytes.

       The ''higher-layer'' scheme is enabled using the  ''-t  <packet-type>''
       option.   This  option  activates  a  packet  builder,  and besides the
       ''packet-type'', an  optional  ''arg-string''  can  be  specified.  The
       ''arg-string'' contains packet- specific parameters, such as TCP flags,
       port numbers, etc. (see example section).

OPTIONS

       mausezahn provides a built-in context-specific help. Append the keyword
        ''help'' after the configuration options. The most  important  options
       are:

   -x [<port>]
       Start  mausezahn  in interactive mode with a Cisco-like CLI. Use telnet
       to log  into  the  local  mausezahn  instance.  If  no  port  has  been
       specified, port 25542 is used by default.

   -l <IP>
       Specify  the  IP  address  mausezahn should bind to when in interactive
       mode, default: 0.0.0.0.

   -v
       Verbose mode. Capital -V is even more verbose.

   -S
       Simulation mode, i.e. don't put anything on the wire. This is typically
       combined with the verbose mode.

   -q
       Quiet mode where only warnings and errors are displayed.

   -c <count>
       Send the packet count times (default: 1, infinite: 0).

   -d <delay>
       Apply  delay between transmissions. The delay value can be specified in
       usec (default, no additional unit needed), or in  msec  (e.g.  100m  or
       100msec), or in seconds (e.g. 100s or 100sec). Note: mops also supports
       nanosecond delay resolution if you need it (see interactive mode).

   -p <length>
       Pad the raw frame to specified length using zero bytes. Note  that  for
       raw layer 2 frames the specified length defines the whole frame length,
       while for higher layer packets the number of additional  padding  bytes
       are specified.

   -a <src-mac|keyword>
       Use  specified  source  MAC  address  with hexadecimal notation such as
       00:00:aa:bb:cc:dd.  By default the interface MAC address will be  used.
       The  keywords  ''rand''  and and the own address, respectively. You can
       also use the keywords mentioned below  although  broadcast-type  source
       addresses are officially invalid.

   -b <dst-mac|keyword>
       Use  specified destination MAC address. By default, a broadcast is sent
       in raw layer 2 mode or to the destination hosts  or  gateway  interface
       MAC  address  in  normal  (IP)  mode.  You can use the same keywords as
       mentioned above, as  well  as  MAC  address  the  ''rand''  keyword  is
       supported  but  creates  a random address only once, even when you send
       multiple packets.

   -A <src-ip|range|rand>
       Use specified source IP address,  default  is  own  interface  address.
       Optionally,  the keyword ''rand'' can again be used for a random source
       IP   address   or   a    range    can    be    specified,    such    as
       ''192.168.1.1-192.168.1.100'' or ''10.1.0.0/16''.  Also, a DNS name can
       be specified for which mausezahn tries to determine  the  corresponding
       IP address automatically.

   -B <dst-ip|range>
       Use  specified  destination  IP  address  (default  is  broadcast  i.e.
       255.255.255.255).  As with the source address (see above) you can  also
       specify a range or a DNS name.

   -t <packet-type [help] | help>
       Create  the  specified  packet  type using the built-in packet builder.
       Currently, supported  packet  types  are:  ''arp'',  ''bpdu'',  ''ip'',
       ''udp'',  ''tcp'',  ''rtp'',  and  ''dns''.  Currently,  there  is also
       limited support for ''icmp''. Type supports. Also, for  any  particular
       packet type, for example ''tcp'' type
        ''mausezahn  -t tcp help'' to receive a more in-depth context specific
       help.

   -T <packet-type>
       Make this mausezahn instance the  receiving  station.  Currently,  only
       ''rtp'' is an option here and provides precise jitter measurements. For
       this purpose, start another mausezahn instance on the  sending  station
       and  the  local  receiving  station  will output jitter statistics. See
       ''mausezahn -T rtp help'' for a detailed help.

   -Q <[CoS:]vlan> [, <[CoS:]vlan>, ...]
       Specify 802.1Q VLAN tag and optional Class  of  Service.  An  arbitrary
       number of VLAN tags can be specified (that is, you can simulate QinQ or
       even QinQinQinQ..).  Multiple tags must be separated via a comma  or  a
       period  (e.g. "5:10,20,2:30").  VLAN tags are not supported for ARP and
       BPDU packets (in which case  you  could  specify  the  whole  frame  in
       hexadecimal using the raw layer 2 interface of mausezahn).

   -M <label[:cos[:ttl]][bos]> [, <label...>]
       Specify  a  MPLS label or even a MPLS label stack. Optionally, for each
       label the experimental bits (usually the Class of Service, CoS) and the
       Time  To  Live  (TTL) can be specified. If you are really crazy you can
       set and unset the Bottom of Stack (BoS) bit for each  label  using  the
       ''S''  (set)  and  ''s''  (unset)  option.  By  default, the BoS is set
       automatically and correctly. Any other setting  will  lead  to  invalid
       frames. Enter ''-M help'' for detailed instructions and examples.

   -P <ascii-payload>
       Specify a cleartext payload. Alternatively, each packet type supports a
       hexadecimal specification of the payload  (see  for  example  ''-t  udp
       help'').

   -f <filename>
       Read the ASCII payload from the specified file.

   -F <filename>
       Read  the  hexadecimal  payload from the specified file. Actually, this
       file must be also an ASCII text  file,  but  must  contain  hexadecimal
       digits,   e.g.   "aa:bb:cc:0f:e6...".   You  can  use  also  spaces  as
       separation characters.

USAGE EXAMPLE

       For more comprehensive examples, have a look at the two following HOWTO
       sections.

   mausezahn eth0 -c 0 -d 2s -t bpdu vlan=5
       Send  BPDU frames for VLAN 5 as used with Cisco's PVST+ type of STP. By
       default mausezahn assumes that you want to become the root bridge.

   mausezahn eth0 -c 128000 -a rand -p 64
       Perform a CAM table overflow attack.

   mausezahn eth0 -c 0 -Q 5,100 -t tcp flags=syn,dp=1-1023 -p 20  -A  rand  -B
       10.100.100.0/24
       Perform  a  SYN  flood  attack to another VLAN using VLAN hopping. This
       only works if you are connected to the same VLAN which is configured as
       native  VLAN  on  the trunk. We assume that the victim VLAN is VLAN 100
       and the native VLAN is VLAN 5.  Lets attack  every  host  in  VLAN  100
       which  use  an  IP  prefix  of  10.100.100.0/24, also try out all ports
       between 1 and 1023 and use a random source IP address.

   mausezahn eth0 -c 0 -d 10msec  -B  230.1.1.1  -t  udp  dp=32000,dscp=46  -P
       Multicast test packet
       Send  IP multicast packets to the multicast group 230.1.1.1 using a UDP
       header with destination port 32000 and set the  IP  DSCP  field  to  EF
       (46). Send one frame every 10 msec.

   mausezahn   eth0   -Q   6:420   -M   100,200,300:5   -A   172.30.0.0/16  -B
       target.anynetwork.foo -t udp sp=666,dp=1-65535 -p 1000 -c 10
       Send UDP packets to the destination  host  target.anynetwork.foo  using
       all  possible destination ports and send every packet with all possible
       source addresses of the range 172.30.0.0/16; additionally use a  source
       port  of  666 and three MPLS labels, 100, 200, and 300, the outer (300)
       with QoS field 5.  Send the frame with  a  VLAN  tag  420  and  CoS  6;
       eventually pad with 1000 bytes and repeat the whole thing 10 times.

   mausezahn  -t syslog sev=3 -P Main reactor reached critical temperature. -A
       192.168.33.42 -B 10.1.1.9 -c 6 -d 10s
       Send six forged syslog messages with severity  3  to  a  Syslog  server
       10.1.1.9;  use  a  forged  source  IP  address  192.168.33.42  and  let
       mausezahn decide which local interface  to  use.  Use  an  inter-packet
       delay of 10 seconds.

   mausezahn  -t tcp flags=syn|urg|rst, sp=145, dp=145, win=0, s=0-4294967295,
       ds=1500, urg=666 -a bcast -b bcast -A bcast -B 10.1.1.6 -p 5
       Send an invalid TCP packet with  only  a  5  byte  payload  as  layer-2
       broadcast and also use the broadcast MAC address as source address. The
       target should be 10.1.1.6 but  use  a  broadcast  source  address.  The
       source and destination port shall be 145 and the window size 0. Set the
       TCP flags SYN, URG, and RST simultaneously and sweep through the  whole
       TCP  sequence  number  space with an increment of 1500. Finally set the
       urgent pointer to 666, i.e. pointing to nowhere.

CONFIGURATION FILE

       When mausezahn is run in interactive mode it  automatically  looks  for
       and    reads   a   configuration   file   located   at   /etc/netsniff-
       ng/mausezahn.conf  for  custom  options  if  the  file  is   available,
       otherwise it uses defaults set at compile time.

   Config file: /etc/netsniff-ng/mausezahn.conf
       The configuration file contains lines of the form:

            option = value

       Options supported in the configuration file are:
          Option:          Description:

          user             Username for authentication (default: mz)
          password         Password for authentication (default: mz)
          enable           Password to enter privilege mode (default: mops)
          port             The listening port for the CLI (default: 25542)
          listen-addr      IP address to bind CLI to (default: 0.0.0.0)
          management-only  Set   management  interface  (no  data  traffic  is
       allowed to pass through)
          cli-device       Interface to bind CLI to (default: all) *not  fully
       implemented*
          automops         Path to automops file (contains XML data describing
       protocols) *in development*

   Example:
        $ cat /etc/netsniff-ng/mausezahn.conf
        user = mzadmin
        password = mzpasswd
        enable = privilege-mode-passwd
        port = 65000
        listen-addr = 127.0.0.1

INTERACTIVE MODE HOWTO

   Telnet:
       Using the interactive mode requires starting mausezahn as a server:

         # mausezahn -x

       Now you can telnet(1) to that server  using  the  default  port  number
       25542, but also an arbitrary port number can be specified:

         # mausezahn -x 99
         mausezahn accepts incoming telnet connections on port 99.
         mz: Problems opening config file. Will use defaults

       Either  from another terminal or from another host try to telnet to the
       mausezahn server:

         caprica$ telnet galactica 99
         Trying 192.168.0.4...
         Connected to galactica.
         Escape character is '^]'.
         mausezahn <version>

         Username: mz
         Password: mz

         mz> enable
         Password: mops
         mz#

       It  is  recommended  to  configure  your  own  login   credentials   in
       /etc/netsniff-ng/mausezahn.conf, (see configuration file section)

   Basics:
       Since  you reached the mausezahn prompt, lets try some common commands.
       You can use the '?' character at any time  for  context-specific  help.
       Note that Cisco-like short form of commands are accepted in interactive
       mode. For example, one can use  "sh  pac"  instead  of  "show  packet";
       another  common  example  is  to  use "config t" in place of "configure
       terminal". For readability, this manual will  continue  with  the  full
       commands.

       First try out the show command:

         mz# show ?

       mausezahn  maintains its own ARP table and observes anomalies. There is
       an entry for every physical interface (however this host has only one):

         mz# show arp
         Intf    Index     IP  address      MAC  address        last        Ch
       UCast BCast Info
         ----------------------------------------------------------------------------------
         eth0    [1]  D      192.168.0.1   00:09:5b:9a:15:84   23:44:41      1
       1     0  0000

       The  column Ch tells us that the announced MAC address has only changed
       one time (= when it was learned). The columns Ucast and BCast  tell  us
       how   often   this   entry  was  announced  via  unicast  or  broadcast
       respectively.

       Let's check our interfaces:

         mz# show interface
         Available network interfaces:
                        real              real                   used   (fake)
       used (fake)
          device         IPv4  address      MAC address           IPv4 address
       MAC address
         ---------------------------------------------------------------------------------------
         >  eth0          192.168.0.4       00:30:05:76:2e:8d      192.168.0.4
       00:30:05:76:2e:8d
           lo             127.0.0.1          00:00:00:00:00:00       127.0.0.1
       00:00:00:00:00:00
         2 interfaces found.
         Default interface is eth0.

   Defining packets:
       Let's check the current packet list:

         mz# show packet
         Packet   layer   flags:   E=Ethernet,   S=SNAP,   Q=802.1Q,   M=MPLS,
       I/i=IP/delivery_off, U=UDP, T=TCP
         PktID  PktName           Layers   Proto     Size   State       Device
       Delay       Count/CntX
             1    sysARP_servic...    E-----   ARP         60   config      lo
       100 msec        1/0 (100%)
         1 packets defined, 0 active.

       We notice that there is already one system-defined packet  process;  it
       has been created and used only once (during startup) by mausezahn's ARP
       service.  Currently, its state is config which means that  the  process
       is sleeping.

   General packet options:
       Now  let's  create  our  own  packet process and switch into the global
       configuration mode:

         mz# configure terminal
         mz(config)# packet
         Allocated new packet PKT0002 at slot 2
         mz(config-pkt-2)# ?
         ...
         name                 Assign a unique name
         description          Assign a packet description text
         bind                 Select the network interface
         count                Configure the packet count value
         delay                Configure the inter-packet delay
         interval             Configure a greater interval
         type                 Specify packet type
         mac                  Configure packet's MAC addresses
         tag                  Configure tags
         payload              Configure a payload
         port                 Configure packet's port numbers
         end                  End packet configuration mode
         ethernet             Configure frame's  Ethernet,  802.2,  802.3,  or
       SNAP settings
         ip                   Configure packet's IP settings
         udp                  Configure packet's UDP header parameters
         tcp                  Configure packet's TCP header parameters

       Here  are  a  lot  of options but normally you only need a few of them.
       When you configure  lots  of  different  packets  you  might  assign  a
       reasonable name and description for them:

         mz(config-pkt-2)# name Test
         mz(config-pkt-2)# description This is just a test

       You  can,  for  example, change the default settings for the source and
       destination MAC or IP addresses using the mac and ip commands:

         mz(config-pkt-2)# ip address destination 10.1.1.0 /24
         mz(config-pkt-2)# ip address source random

       In the example above, we configured a range of addresses (all hosts  in
       the  network  10.1.1.0  should be addressed). Additionally we spoof our
       source IP address. Of course, we can also add one or more VLAN and, or,
       MPLS tag(s):

         mz(config-pkt-2)# tag ?
         dot1q                Configure 802.1Q (and 802.1P) parameters
         mpls                 Configure MPLS label stack
         mz(config-pkt-2)# tag dot ?
         Configure 802.1Q tags:
         VLAN[:CoS]  [VLAN[:CoS]]  ...    The leftmost tag is the outer tag in
       the frame
         remove <tag-nr> | all          Remove  one  or  more  tags  (<tag-nr>
       starts with 1),
                                       by  default the first (=leftmost,outer)
       tag is removed,
                                       keyword 'all' can be  used  instead  of
       tag numbers.
         cfi | nocfi [<tag-nr>]        Set or unset the CFI-bit in any tag (by
       default
                                       assuming the first tag).
         mz(config-pkt-2)# tag dot 1:7 200:5

   Configure count and delay:
         mz(config-pkt-2)# count 1000
         mz(config-pkt-2)# delay ?
         delay <value> [hour | min | sec | msec | usec | nsec]

       Specify  the   inter-packet   delay   in   hours,   minutes,   seconds,
       milliseconds,   microseconds   or  nanoseconds.  The  default  unit  is
       milliseconds (i.e. when no unit is given).

         mz(config-pkt-2)# delay 1 msec
         Inter-packet delay set to 0 sec and 1000000 nsec
         mz(config-pkt-2)#

   Configuring protocol types:
       mausezahn's interactive mode supports a growing list of  protocols  and
       only  relies on the MOPS architecture (and not on libnet as is the case
       with the legacy direct mode):

         mz(config-pkt-2)# type
         Specify a packet type from the following list:
         arp
         bpdu
         igmp
         ip
         lldp
         tcp
         udp
         mz(config-pkt-2)# type tcp
         mz(config-pkt-2-tcp)#
         ....
         seqnr                Configure the TCP sequence number
         acknr                Configure the TCP acknowledgement number
         hlen                 Configure the TCP header length
         reserved             Configure the TCP reserved field
         flags                Configure a combination of TCP flags at once
         cwr                  Set or unset the TCP CWR flag
         ece                  Set or unset the TCP ECE flag
         urg                  Set or unset the TCP URG flag
         ack                  set or unset the TCP ACK flag
         psh                  set or unset the TCP PSH flag
         rst                  set or unset the TCP RST flag
         syn                  set or unset the TCP SYN flag
         fin                  set or unset the TCP FIN flag
         window               Configure the TCP window size
         checksum             Configure the TCP checksum
         urgent-pointer       Configure the TCP urgent pointer
         options              Configure TCP options
         end                  End TCP configuration mode
         mz(config-pkt-2-tcp)# flags syn fin rst
         Current setting is: --------------------RST-SYN-FIN
         mz(config-pkt-2-tcp)# end
         mz(config-pkt-2)# payload ascii This is a dummy payload for my  first
       packet
         mz(config-pkt-2)# end

       Now  configure another packet, for example let's assume we want an LLDP
       process:

         mz(config)# packet
         Allocated new packet PKT0003 at slot 3
         mz(config-pkt-3)# type lldp
         mz(config-pkt-3-lldp)# exit
         mz(config)# exit

       In the above example we only use the default LLDP  settings  and  don't
       configure  further  LLDP  options or TLVs. Back in the top level of the
       CLI let's verify what we had done:

         mz# show packet
         Packet   layer   flags:   E=Ethernet,   S=SNAP,   Q=802.1Q,   M=MPLS,
       I/i=IP/delivery_off, U=UDP, T=TCP
         PktID   PktName             Layers   Proto    Size  State      Device
       Delay      Count/CntX
            1    sysARP_servic...    E-----   ARP         60   config       lo
       100 msec       1/0 (100%)
            2    Test                E-Q-IT             125   config      eth0
       1000 usec    1000/1000 (0%)
            3   PKT0003             E-----   LLDP        36   config      eth0
       30 sec        0/0 (0%)
         3 packets defined, 0 active.

       The  column  Layers indicates which major protocols have been combined.
       For example the packet with packet-id 2 ("Test") utilizes Ethernet (E),
       IP  (I), and TCP (T). Additionally an 802.1Q tag (Q) has been inserted.
       Now start one of these packet processes:

         mz# start slot 3
         Activate [3]
         mz# show packet
         Packet   layer   flags:   E=Ethernet,   S=SNAP,   Q=802.1Q,   M=MPLS,
       I/i=IP/delivery_off, U=UDP, T=TCP
         PktID   PktName             Layers   Proto    Size  State      Device
       Delay      Count/CntX
            1    sysARP_servic...    E-----   ARP         60   config       lo
       100 msec       1/0 (100%)
            2    Test                E-Q-IT             125   config      eth0
       1000 usec    1000/1000 (0%)
            3   PKT0003             E-----   LLDP        36   config      eth0
       30 sec        0/1 (0%)
         3 packets defined, 1 active.

       Let's have a more detailed look at a specific packet process:

         mz# show packet 2
         Packet [2] Test
         Description: This is just a test
         State:  config,  Count=1000,  delay=1000  usec  (0  s  1000000 nsec),
       interval= (undefined)
         Headers:
          Ethernet: 00-30-05-76-2e-8d => ff-ff-ff-ff-ff-ff  [0800 after 802.1Q
       tag]
          Auto-delivery  is  ON  (that  is,  the  actual  MAC  is adapted upon
       transmission)
          802.1Q: 0 tag(s);  (VLAN:CoS)
          IP:  SA=192.168.0.4 (not random) (no range)
               DA=255.255.255.255 (no range)
               ToS=0x00  proto=17  TTL=255  ID=0  offset=0  flags: -|-|-
               len=49664(correct)  checksum=0x2e8d(correct)
          TCP: 83 bytes segment size (including TCP header)
               SP=0 (norange) (not random), DP=0 (norange) (not random)
               SQNR=3405691582 (start 0, stop 4294967295, delta 0) --  ACKNR=0
       (invalid)
               Flags:  ------------------------SYN----,  reserved field is 00,
       urgent pointer= 0
               Announced window size= 100
               Offset= 0 (times  32  bit;  value  is  valid),  checksum=  ffff
       (valid)
               (No TCP options attached) - 0 bytes defined
          Payload size: 43 bytes
          Frame size: 125 bytes
           1          ff:ff:ff:ff:ff:ff:00:30          05:76:2e:8d:81:00:e0:01
       81:00:a0:c8:08:00:45:00  00:67:00:00:00:00:ff:06
          33          fa:e4:c0:a8:00:04:ff:ff          ff:ff:00:00:00:00:ca:fe
       ba:be:00:00:00:00:a0:07  00:64:f7:ab:00:00:02:04
          65          05:ac:04:02:08:0a:19:35          90:c3:00:00:00:00:01:03
       03:05:54:68:69:73:20:69  73:20:61:20:64:75:6d:6d
          97          79:20:70:61:79:6c:6f:61          64:20:66:6f:72:20:6d:79
       20:66:69:72:73:74:20:70  61:63:6b:65:74
         mz#

       If you want to stop one or more packet processes, use the stop command.
       The "emergency stop" is when you use stop all:

         mz# stop all
         Stopping
         [3] PKT0003
         Stopped 1 transmission processe(s)

       The launch  command  provides  a  shortcut  for  commonly  used  packet
       processes.  For  example to behave like a STP-capable bridge we want to
       start an BPDU process with typical parameters:

         mz# launch bpdu
         Allocated new packet sysBPDU at slot 5
         mz# show packet
         Packet   layer   flags:   E=Ethernet,   S=SNAP,   Q=802.1Q,   M=MPLS,
       I/i=IP/delivery_off, U=UDP, T=TCP
         PktID   PktName            Layers   Proto     Size  State      Device
       Delay       Count/CntX
             1   sysARP_servic...   E-----   ARP         60    config       lo
       100 msec        1/0 (100%)
             2    Test               E-Q-IT             125   config      eth0
       1000 usec     1000/1000 (0%)
             3   PKT0003            E-----   LLDP        36   config      eth0
       30 sec        0/12 (0%)
             4   PKT0004            E---I-   IGMP        46   config      eth0
       100 msec        0/0 (0%)
             5   sysBPDU            ES----   BPDU        29   active      eth0
       2 sec        0/1 (0%)
         5 packets defined, 1 active.

       Now  a  Configuration  BPDU is sent every 2 seconds, claiming to be the
       root bridge (and usually confusing the LAN. Note  that  only  packet  5
       (i.e.  the  last row) is active and therefore sending packets while all
       other packets are in state config (i.e. they have been  configured  but
       they are not doing anything at the moment).

   Configuring a greater interval:
       Sometimes  you  may  want  to  send  a  burst  of  packets at a greater
       interval:

         mz(config)# packet 2
         Modify packet parameters for packet Test [2]
         mz(config-pkt-2)# interval
         Configure a greater packet  interval  in  days,  hours,  minutes,  or
       seconds
         Arguments: <value>  <days | hours | minutes | seconds>
         Use a zero value to disable an interval.
         mz(config-pkt-2)# interval 1 hour
         mz(config-pkt-2)# count 10
         mz(config-pkt-2)# delay 15 usec
         Inter-packet delay set to 0 sec and 15000 nsec

       Now  this  packet  is  sent  ten times with an inter-packet delay of 15
       microseconds and this is repeated every hour.  When  you  look  at  the
       packet list, an interval is indicated with the additional flag 'i' when
       inactive or 'I' when active:

         mz# show packet
         Packet   layer   flags:   E=Ethernet,   S=SNAP,   Q=802.1Q,   M=MPLS,
       I/i=IP/delivery_off, U=UDP, T=TCP
         PktID   PktName            Layers   Proto     Size  State      Device
       Delay       Count/CntX
             1   sysARP_servic...   E-----   ARP         60    config       lo
       100 msec        1/0 (100%)
             2    Test               E-Q-IT             125   config-i    eth0
       15 usec       10/10 (0%)
             3   PKT0003            E-----   LLDP        36   config      eth0
       30 sec        0/12 (0%)
             4   PKT0004            E---I-   IGMP        46   config      eth0
       100 msec        0/0 (0%)
             5   sysBPDU            ES----   BPDU        29   active      eth0
       2 sec        0/251 (0%)
         5 packets defined, 1 active.
         mz# start slot 2
         Activate [2]
         mz# show packet
         Packet   layer   flags:   E=Ethernet,   S=SNAP,   Q=802.1Q,   M=MPLS,
       I/i=IP/delivery_off, U=UDP, T=TCP
         PktID  PktName           Layers   Proto     Size   State       Device
       Delay       Count/CntX
             1    sysARP_servic...    E-----   ARP         60   config      lo
       100 msec        1/0 (100%)
             2   Test               E-Q-IT             125   config+I     eth0
       15 usec       10/0 (100%)
             3   PKT0003            E-----   LLDP        36   config      eth0
       30 sec        0/12 (0%)
             4   PKT0004            E---I-   IGMP        46   config      eth0
       100 msec        0/0 (0%)
             5   sysBPDU            ES----   BPDU        29   active      eth0
       2 sec        0/256 (0%)
         5 packets defined, 1 active.

       Note that the flag 'I' indicates that an interval  has  been  specified
       for packet 2. The process is not active at the moment (only packet 5 is
       active here) but it will become active at a regular interval.  You  can
       verify  the  actual  interval  when  viewing the packet details via the
       'show packet 2' command.

   Load prepared configurations:
       You can prepare packet configurations using the same  commands  as  you
       would  type  them  in  on  the  CLI  and then load them to the CLI. For
       example, assume we have prepared a file 'test.mops' containing:

         configure terminal
         packet
         name IGMP_TEST
         desc This is only a demonstration how to load a file to mops
         type igmp

       Then we can add this packet configuration to our packet list using  the
       load command:

         mz# load test.mops
         Read commands from test.mops...
         Allocated new packet PKT0002 at slot 2
         mz# show packet
         Packet   layer   flags:   E=Ethernet,   S=SNAP,   Q=802.1Q,   M=MPLS,
       I/i=IP/delivery_off, U=UDP, T=TCP
         PktID  PktName           Layers   Proto     Size   State       Device
       Delay       Count/CntX
             1    sysARP_servic...    E-----   ARP         60   config      lo
       100 msec        1/0 (100%)
             2   IGMP_TEST          E---I-   IGMP        46   config      eth0
       100 msec        0/0 (0%)
         2 packets defined, 0 active.

       The   file  src/examples/mausezahn/example_lldp.conf  contains  another
       example list of commands to create a bogus LLDP packet.  You  can  load
       this configuration from the mausezahn command line as follows:

         mz# load /home/hh/tmp/example_lldp.conf

       In  case  you  copied  the  file in that path. Now when you enter 'show
       packet' you will see a new packet entry in the  packet  list.  Use  the
       'start slot <nr>' command to activate this packet.

       You  can store your own packet creations in such a file and easily load
       them when you need them. Every command within such configuration  files
       is  executed on the command line interface as if you had typed it in --
       so be careful about the  order  and  don't  forget  to  use  'configure
       terminal' as first command.

       You can even load other files from within a central config file.

DIRECT MODE HOWTO

   How to specify hexadecimal digits:
       Many  arguments  allow  direct byte input. Bytes are represented as two
       hexadecimal digits. Multiple bytes must be separated either by  spaces,
       colons,  or  dashes  - whichever you prefer. The following byte strings
       are equivalent:

         "aa:bb cc-dd-ee ff 01 02 03-04 05"
         "aa bb cc dd ee ff:01:02:03:04 05"

       To begin with, you may  want  to  send  an  arbitrary  fancy  (possibly
       invalid) frame right through your network card:

         mausezahn ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:08:00:ca:fe:ba:be

        or equivalent but more readable:

         mausezahn ff:ff:ff:ff:ff:ff-ff:ff:ff:ff:ff:ff-08:00-ca:fe:ba:be

   Basic operations:
       All  major  command  line options are listed when you execute mausezahn
       without arguments. For practical usage, keep the following special (not
       so widely known) options in mind:

         -r                     Multiplies  the  specified delay with a random
       value.
         -p <length>           Pad the raw frame to  specified  length  (using
       random bytes).
         -P <ASCII Payload>    Use the specified ASCII payload.
         -f <filename>         Read the ASCII payload from a file.
         -F <filename>         Read the hexadecimal payload from a file.
         -S                     Simulation  mode: DOES NOT put anything on the
       wire.
                               This is typically  combined  with  one  of  the
       verbose
                               modes (-v or V).

       Many  options  require  a  keyword  or a number but the -t option is an
       exception since it requires both a packet type (such as ip,  udp,  dns,
       etc)  and  an  argument  string which is specific for that packet type.
       Here are some simple examples:

         mausezahn -t help
         mausezahn -t tcp help
         mausezahn eth3 -t udp sp=69,dp=69,p=ca:fe:ba:be

       Note: Don't forget that on the CLI the Linux shell (usually  the  Bash)
       interprets  spaces  as  a  delimiting  character.  That  is, if you are
       specifying an argument that consists of multiple words with  spaces  in
       between, you MUST group these within quotes. For example, instead of

         mausezahn eth0 -t udp sp=1,dp=80,p=00:11:22:33

        you could either omit the spaces

         mausezahn eth0 -t udp sp=1,dp=80,p=00:11:22:33

        or, for greater safety, use quotes:

         mausezahn eth0 -t udp "sp=1,dp=80,p=00:11:22:33"

       In  order  to  monitor what's going on, you can enable the verbose mode
       using the -v option. The opposite is the quiet  mode  (-q)  which  will
       keep   mausezahn  absolutely  quiet  (except  for  error  messages  and
       warnings.)

       Don't confuse the payload argument p=... with the  padding  option  -p.
       The latter is used outside the quotes!

   The automatic packet builder:
       An  important  argument is -t which invokes a packet builder. Currently
       there are packet builders for ARP, BPDU, CDP,  IP,  partly  ICMP,  UDP,
       TCP, RTP, DNS, and SYSLOG. (Additionally you can insert a VLAN tag or a
       MPLS label stack but this works independently of the packet builder.)

       You get context specific help for every packet builder using  the  help
       keyword, such as:

         mausezahn -t bpdu help
         mausezahn -t tcp help

       For  every packet you may specify an optional payload. This can be done
       either via hexadecimal notation using the payload (or short p) argument
       or directly as ASCII text using the -P option:

         mausezahn  eth0 -t ip -P "Hello World"                        # ASCII
       payload
         mausezahn eth0 -t ip p=68:65:6c:6c:6f:20:77:6f:72:6c:64        #  hex
       payload
         mausezahn eth0 -t ip "proto=89,                           \
                               p=68:65:6c:6c:6f:20:77:6f:72:6c:64,  \   # same
       with other
                               ttl=1"                                    #  IP
       arguments

       Note:  The  raw  link  access  mode  only  accepts hexadecimal payloads
       (because you specify everything in hexadecimal here.)

   Packet count and delay:
       By default only one packet is sent. If you want to  send  more  packets
       then use the count option -c <count>. When count is zero then mausezahn
       will send forever. By default, mausezahn sends at  maximum  speed  (and
       this  is  really fast ;-)). If you don't want to overwhelm your network
       devices or have other reasons to send at a slower rate then  you  might
       want to specify a delay using the -d <delay> option.

       If  you  only  specify a numeric value it is interpreted in microsecond
       units.  Alternatively, for easier use, you might specify units such  as
       seconds, sec, milliseconds, or msec. (You can also abbreviate this with
       s or m.)  Note: Don't use spaces between the value and the  unit!  Here
       are typical examples:

       Send an infinite number of frames as fast as possible:

         mausezahn -c 0  "aa bb cc dd ...."

       Send 100,000 frames with a 50 msec interval:

         mausezahn -c 100000 -d 50msec "aa bb cc dd ...."

       Send an unlimited number of BPDU frames in a 2 second interval:

         mausezahn -c 0 -d 2s -t bpdu conf

       Note:  mausezahn  does  not  support fractional numbers. If you want to
       specify for example 2.5 seconds then express this in milliseconds (2500
       msec).

   Source and destination addresses:
       As  a mnemonic trick keep in mind that all packets run from "A" to "B".
       You can always specify source and destination MAC addresses  using  the
       -a and -b options, respectively. These options also allow keywords such
       as rand, own, bpdu, cisco, and others.

       Similarly, you can specify source and destination  IP  addresses  using
       the  -A  and -B options, respectively. These options also support FQDNs
       (i.e.  domain   names)   and   ranges   such   as   192.168.0.0/24   or
       10.0.0.11-10.0.3.22.  Additionally,  the source address option supports
       the rand keyword (ideal for "attacks").

       Note: When you use the packet builder for IP-based packets (e.g. UDP or
       TCP)  then  mausezahn  automatically  cares  about  correct  MAC and IP
       addresses (i.e.  it performs ARP, DHCP, and DNS for you). But when  you
       specify  at  least  a single link-layer address (or any other L2 option
       such as a VLAN tag or MPLS header) then ARP is disabled  and  you  must
       care for the Ethernet destination address for yourself.

   Layer-2:
   `-- Direct link access:
       mausezahn  allows  you to send ANY chain of bytes directly through your
       Ethernet interface:

         mausezahn    eth0    "ff:ff:ff:ff:ff:ff    ff:ff:ff:ff:ff:ff    00:00
       ca:fe:ba:be"

       This  way  you  can  craft  every packet you want but you must do it by
       hand. Note: On Wi-Fi interfaces the header is much more complicated and
       automatically  created  by the Wi-Fi driver. As an example to introduce
       some interesting options, lets continuously send frames  at  max  speed
       with  random  source  MAC  address  and  broadcast destination address,
       additionally pad the frame to 1000 bytes:

         mausezahn eth0 -c 0 -a rand -b bcast -p 1000 "08 00 aa bb cc dd"

       The direct link access supports automatic padding using the  -p  <total
       frame  length>  option.  This  allows  you to pad a raw L2 frame to the
       desired length.  You must specify the total length, and the total frame
       length  must  have  at least 15 bytes for technical reasons. Zero bytes
       are used for padding.

   `-- ARP:
       mausezahn provides a simple  interface  to  the  ARP  packet.  You  can
       specify  the  ARP  method  (request|reply)  and  up  to four arguments:
       sendermac, targetmac, senderip, targetip, or  short  smac,  tmac,  sip,
       tip. By default, an ARP reply is sent with your own interface addresses
       as source MAC and IP address, and a broadcast destination  MAC  and  IP
       address.  Send  a  gratuitous  ARP  request  (as  used for duplicate IP
       address detection):

         mausezahn eth0 -t arp

       ARP cache poisoning:

         mausezahn    eth0    -t     arp     "reply,     senderip=192.168.0.1,
       targetmac=00:00:0c:01:02:03, \
                                 targetip=172.16.1.50"

        where by default your interface MAC address will be used as sendermac,
       senderip  denotes  the  spoofed  IP  address,  targetmac  and  targetip
       identifies  the  receiver.  By  default, the Ethernet source address is
       your interface  MAC  and  the  destination  address  is  the  broadcast
       address. You can change this using the flags -a and -b.

   `-- BPDU:
       mausezahn  provides  a simple interface to the 802.1D BPDU frame format
       (used to create the Spanning Tree in  bridged  networks).  By  default,
       standard  IEEE  802.1D  BPDUs  are  sent  and  it  is assumed that your
       computer wants to become the  root  bridge  (rid=bid).  Optionally  the
       802.3  destination  address  can be a specified MAC address, broadcast,
       own MAC, or Cisco's PVST+ MAC  address.  The  destination  MAC  can  be
       specified  using  the  -b command which, besides MAC addresses, accepts
       keywords such as bcast, own, pvst, or stp (default). PVST+ is supported
       as well. Simply specify the VLAN for which you want to send a BPDU:

         mausezahn eth0 -t bpdu "vlan=123, rid=2000"

       See mausezahn -t bpdu help for more details.

   `-- CDP:
       mausezahn  can  send Cisco Discovery Protocol (CDP) messages since this
       protocol has security relevance. Of course lots  of  dirty  tricks  are
       possible;  for  example  arbitrary  TLVs can be created (using the hex-
       payload argument for example p=00:0e:00:07:01:01:90) and if you want to
       stress  the  CDP  database  of some device, mausezahn can send each CDP
       message with another system-id using the change keyword:

         mausezahn -t cdp change -c 0

       Some routers and switches may run into deep problems ;-) See  mausezahn
       -t cdp help for more details.

   `-- 802.1Q VLAN Tags:
       mausezahn  allows  simple  VLAN tagging for IP (and other higher layer)
       packets.  Simply use the option -Q <[CoS:]VLAN>, such as -Q  10  or  -Q
       3:921.  By  default  CoS=0.  For  example send a TCP packet in VLAN 500
       using CoS=7:

         mausezahn eth0 -t tcp -Q 7:500 "dp=80, flags=rst, p=aa:aa:aa"

       You can create as many VLAN tags as you want! This  is  interesting  to
       create QinQ encapsulations or VLAN hopping: Send a UDP packet with VLAN
       tags 100 (outer) and 651 (inner):

         mausezahn eth0 -t udp "dp=8888, sp=13442" -P "Mausezahn is great"  -Q
       100,651

       Don't know if this is useful anywhere but at least it is possible:

         mausezahn eth0 -t udp "dp=8888, sp=13442" -P "Mausezahn is great"  \
                        -Q 6:5,7:732,5:331,5,6

       Mix it with MPLS:

         mausezahn  eth0 -t udp "dp=8888, sp=13442" -P "Mausezahn is great" -Q
       100,651 -M 314

       When in raw Layer 2 mode you must create the  VLAN  tag  completely  by
       yourself.   For example if you want to send a frame in VLAN 5 using CoS
       0 simply specify 81:00 as type field and for the next two bytes the CoS
       (PCP), DEI (CFI), and VLAN ID values (all together known as TCI):

         mausezahn eth0 -b bc -a rand "81:00 00:05 08:00 aa-aa-aa-aa-aa-aa-aa-
       aa-aa"

   `-- MPLS labels:
       mausezahn allows you to insert one or more MPLS headers. Simply use the
       option -M <label:CoS:TTL:BoS> where only the label is mandatory. If you
       specify a second number it is interpreted as the experimental bits (the
       CoS  usually).  If you specify a third number it is interpreted as TTL.
       By default the TTL is set to 255. The  Bottom  of  Stack  flag  is  set
       automatically,  otherwise  the  frame would be invalid, but if you want
       you can also set or unset it using the S (set) and s (unset)  argument.
       Note  that  the  BoS  must  be  the  last  argument in each MPLS header
       definition. Here are some examples:

       Use MPLS label 214:

         mausezahn eth0 -M 214 -t tcp "dp=80" -P "HTTP..." -B myhost.com

       Use three labels (the 214 is now the outer):

         mausezahn  eth0  -M  9999,51,214  -t  tcp  "dp=80"  -P  "HTTP..."  -B
       myhost.com

       Use two labels, one with CoS=5 and TTL=1, the other with CoS=7:

         mausezahn  eth0  -M  100:5:1,500:7  -t  tcp  "dp=80"  -P "HTTP..." -B
       myhost.com

       Unset the BoS flag (which will result in an invalid frame):

         mausezahn eth0 -M 214:s -t tcp "dp=80" -P "HTTP..." -B myhost.com

   Layer 3-7:
       IP, UDP, and TCP packets can be padded using the -p  option.  Currently
       0x42 is used as padding byte ('the answer'). You cannot pad DNS packets
       (would be useless anyway).

   `-- IP:
       mausezahn allows you to send any malformed or correct IP packet.  Every
       field  in  the  IP  header  can be manipulated. The IP addresses can be
       specified  via  the  -A  and  -B  options,  denoting  the  source   and
       destination  address,  respectively.  You  can  also specify an address
       range or a host name (FQDN).  Additionally, the source address can also
       be  random.  By default the source address is your interface IP address
       and the destination address is  a  broadcast  address.  Here  are  some
       examples:

       ASCII payload:

         mausezahn eth0 -t ip -A rand -B 192.168.1.0/24  -P "hello world"

       Hexadecimal payload:

         mausezahn  eth0  -t  ip  -A  10.1.0.1-10.1.255.254 -B 255.255.255.255
       p=ca:fe:ba:be

       Will use correct source IP address:

         mausezahn eth0 -t ip -B www.xyz.com

       The Type of Service (ToS) byte can either be specified directly by  two
       hexadecimal  digits,  which  means you can also easily set the Explicit
       Congestion Notification (ECN) bits (LSB 1 and 2), or you may only  want
       to  specify  a  common  DSCP  value  (bits  3-8) using a decimal number
       (0..63):

       Packet sent with DSCP = Expedited Forwarding (EF):

         mausezahn eth0 -t ip dscp=46,ttl=1,proto=1,p=08:00:5a:a2:de:ad:be:af

       If you leave the checksum as zero (or unspecified) the correct checksum
       will  be  automatically  computed.  Note  that you can only use a wrong
       checksum when you also specify at least one L2 field manually.

   `-- UDP:
       mausezahn supports easy UDP datagram  generation.  Simply  specify  the
       destination  address  (-B  option)  and  optionally an arbitrary source
       address (-A option) and as arguments you may specify the  port  numbers
       using  the  dp  (destination port) and sp (source port) arguments and a
       payload. You can also easily specify a  whole  port  range  which  will
       result in sending multiple packets. Here are some examples:

       Send test packets to the RTP port range:

         mausezahn eth0 -B 192.168.1.1 -t udp "dp=16384-32767, \
                          p=A1:00:CC:00:00:AB:CD:EE:EE:DD:DD:00"

       Send a DNS request as local broadcast (often a local router replies):

         mausezahn                 eth0                 -t                 udp
       dp=53,p=c5-2f-01-00-00-01-00-00-00-00-00-00-03-77-77-\
                                        77-03-78-79-7a-03-63-6f-6d-00-00-01-00-01"

       Additionally  you may specify the length and checksum using the len and
       sum arguments  (will  be  set  correctly  by  default).  Note:  several
       protocols  have same arguments such as len (length) and sum (checksum).
       If you specified a UDP type packet (via -t udp) and want to modify  the
       IP  length,  then  use the alternate keyword iplen and ipsum. Also note
       that you must specify at least one L2 field which  tells  mausezahn  to
       build  everything without the help of your kernel (the kernel would not
       allow modifying the IP checksum and the IP length).

   `-- ICMP:
       mausezahn currently only supports  the  following  ICMP  methods:  PING
       (echo  request), Redirect (various types), Unreachable (various types).
       Additional ICMP types will be supported in future. Currently you  would
       need  to  tailor  them  by  yourself,  e.g. using the IP packet builder
       (setting proto=1). Use the mausezahn -t icmp help for help on currently
       implemented options.

   `-- TCP:
       mausezahn allows you to easily tailor any TCP packet. Similarly as with
       UDP you can specify source and destination port (ranges) using  the  sp
       and  dp  arguments.   Then  you  can directly specify the desired flags
       using an "|" as delimiter if you want to specify  multiple  flags.  For
       example,  a SYN-Flood attack against host 1.1.1.1 using a random source
       IP address and periodically using all 1023 well-known  ports  could  be
       created via:

         mausezahn  eth0 -A rand -B 1.1.1.1 -c 0 -t tcp "dp=1-1023, flags=syn"
       \
                        -P  "Good  morning!  This  is  a  SYN  Flood   Attack.
       \
                            We apologize for any inconvenience."

       Be careful with such SYN floods and only use them for firewall testing.
       Check your legal position! Remember  that  a  host  with  an  open  TCP
       session only accepts packets with correct socket information (addresses
       and ports) and a valid TCP sequence number (SQNR). If you want to try a
       DoS  attack  by  sending  a  RST-flood and you do NOT know the target's
       initial SQNR (which is normally the case) then you may  want  to  sweep
       through a range of sequence numbers:

         mausezahn eth0 -A legal.host.com -B target.host.com \
                        -t tcp "sp=80,dp=80,s=1-4294967295"

       Fortunately,  the  SQNR  must  match  the target host's acknowledgement
       number plus the announced window size. Since the typical window size is
       something  between  40000  and 65535 you are MUCH quicker when using an
       increment via the ds argument:

         mausezahn eth0 -A legal.host.com -B target.host.com \
                        -t tcp "sp=80, dp=80, s=1-4294967295, ds=40000"

       In the latter case mausezahn will only send 107375 packets  instead  of
       4294967295  (which  results  in  a  duration  of approximately 1 second
       compared to 11 hours!). Of course you can tailor  any  TCP  packet  you
       like.  As  with other L4 protocols mausezahn builds a correct IP header
       but you can additionally access every field in the IP packet  (also  in
       the Ethernet frame).

   `-- DNS:
       mausezahn  supports  UDP-based DNS requests or responses. Typically you
       may want to send a query or an answer. As usual, you can  modify  every
       flag in the header.  Here is an example of a simple query:

         mausezahn eth0 -B mydns-server.com -t dns "q=www.ibm.com"

       You can also create server-type messages:

         mausezahn eth0 -A spoofed.dns-server.com -B target.host.com \
                        "q=www.topsecret.com, a=172.16.1.1"

       The syntax according to the online help (-t dns help) is:

         query|q  =  <name>[:<type>]   ............. where type is per default
       "A"
                                                  (and class is always "IN")
         answer|a = [<type>:<ttl>:]<rdata> ...... ttl is per default 0.
                  = [<type>:<ttl>:]<rdata>/[<type>:<ttl>:]<rdata>/...

       Note: If you only use the 'query' option then a query is sent.  If  you
       additionally add an 'answer' then an answer is sent. Examples:

         q = www.xyz.com
         q = www.xyz.com, a=192.168.1.10
         q = www.xyz.com, a=A:3600:192.168.1.10
         q = www.xyz.com, a=CNAME:3600:abc.com/A:3600:192.168.1.10

       Please  try  out  mausezahn  -t dns help to see the many other optional
       command line options.

   `-- RTP and VoIP path measurements:
       mausezahn can send arbitrary  Real  Time  Protocol  (RTP)  packets.  By
       default  a  classical  G.711 codec packet of 20 ms segment size and 160
       bytes is assumed. You can measure jitter, packet loss,  and  reordering
       along   a   path  between  two  hosts  running  mausezahn.  The  jitter
       measurement is either done following  the  variance  low-pass  filtered
       estimation  specified  in  RFC 3550 or using an alternative "real-time"
       method which is even more precise (the RFC-method is used by  default).
       For example on Host1 you start a transmission process:

         mausezahn -t rtp -B 192.168.1.19

       And  on  Host2  (192.168.1.19)  a  receiving process which performs the
       measurement:

         mausezahn -T rtp

       Note that the option flag with the capital  "T"  means  that  it  is  a
       server RTP process, waiting for incoming RTP packets from any mausezahn
       source. In case you want to restrict  the  measurement  to  a  specific
       source  or  you  want  to perform a bidirectional measurement, you must
       specify a stream identifier.  Here  is  an  example  for  bidirectional
       measurements which logs the running jitter average in a file:

         Host1# mausezahn -t rtp id=11:11:11:11 -B 192.168.2.2 &
         Host1# mausezahn -T rtp id=22:22:22:22 "log, path=/tmp/mz/"

         Host2# mausezahn -t rtp id=22:22:22:22 -B 192.168.1.1 &
         Host2# mausezahn -T rtp id=11:11:11:11 "log, path=/tmp/mz/"

       In  any case the measurements are printed continuously onto the screen;
       by default it looks like this:

         0.00                            0.19                             0.38
       0.57
         |-------------------------|-------------------------|-------------------------|
         #########
       0.07 msec
         ####################
       0.14 msec
         ##
       0.02 msec
         ###
       0.02 msec
         #########
       0.07 msec
         ####
       0.03 msec
         #########
       0.07 msec
         #############
       0.10 msec
         ##
       0.02 msec
         ###########################################
       0.31 msec
         #########
       0.07 msec
         ##############################################
       0.33 msec
         ###############
       0.11 msec
         ##########
       0.07 msec
         ###############
       0.11 msec
         ##########################################################
       0.42 msec
         #####
       0.04 msec

       More information is shown using the txt keyword:

         mausezahn -T rtp txt
         Got  100  packets  from host 192.168.0.3: 0 lost (0 absolute lost), 1
       out of order
           Jitter_RFC (low pass filtered) = 30 usec
           Samples jitter (min/avg/max)   = 1/186/2527 usec
           Delta-RX (min/avg/max)         = 2010/20167/24805 usec
         Got 100 packets from host 192.168.0.3: 0 lost (0  absolute  lost),  1
       out of order
           Jitter_RFC (low pass filtered) = 17 usec
           Samples jitter (min/avg/max)   = 1/53/192 usec
           Delta-RX (min/avg/max)         = 20001/20376/20574 usec
         Got  100  packets  from host 192.168.0.3: 0 lost (0 absolute lost), 1
       out of order
           Jitter_RFC (low pass filtered) = 120 usec
           Samples jitter (min/avg/max)   = 0/91/1683 usec
           Delta-RX (min/avg/max)         = 18673/20378/24822 usec

       See mausezahn -t rtp help and mz -T rtp help for more details.

   `-- Syslog:
       The traditional Syslog protocol is widely  used  even  in  professional
       networks  and  is  sometimes  vulnerable.  For example you might insert
       forged  Syslog  messages  by  spoofing  your   source   address   (e.g.
       impersonate the address of a legit network device):

         mausezahn  -t  syslog  sev=3  -P  "You  have  been  mausezahned."  -A
       10.1.1.109 -B 192.168.7.7

       See mausezahn -t syslog help for more details.

NOTE

       When multiple ranges are specified, e.g. destination  port  ranges  and
       destination address ranges, then all possible combinations of ports and
       addresses are used for packet  generation.  Furthermore,  this  can  be
       mixed  with  other  ranges  e.g. a TCP sequence number range. Note that
       combining ranges can lead to a very huge number of frames to  be  sent.
       As  a  rule  of thumb you can assume that about 100,000 frames and more
       are sent in a  fraction  of  one  second,  depending  on  your  network
       interface.

       mausezahn  has  been  designed as a fast traffic generator so you might
       easily overwhelm a LAN segment with myriads  of  packets.  And  because
       mausezahn  could  also support security audits it is possible to create
       malicious or invalid packets, SYN floods, port and address sweeps,  DNS
       and ARP poisoning, etc.

       Therefore,  don't  use this tool when you are not aware of the possible
       consequences or have only a little knowledge about  networks  and  data
       communication.  If  you abuse mausezahn for 'unallowed' attacks and get
       caught, or damage something of your own, then this is  completely  your
       fault. So the safest solution is to try it out in a lab environment.

       Also  have  a  look  at  the netsniff-ng(8) note section on how you can
       properly setup and tune your system.

LEGAL

       mausezahn is licensed under the GNU GPL version 2.0.

HISTORY

       mausezahn was originally written by  Herbert  Haas.  According  to  his
       website  [1],  he  unfortunately  passed away in 2011 thus leaving this
       tool unmaintained.   It  has  been  adopted  and  integrated  into  the
       netsniff-ng  toolkit and is further being maintained and developed from
       there. Maintainers are Tobias Klauser <tklauser@distanz.ch> and  Daniel
       Borkmann <dborkma@tik.ee.ethz.ch>.

         [1] http://www.perihel.at/

SEE ALSO

       netsniff-ng(8),     trafgen(8),    ifpps(8),    bpfc(8),    flowtop(8),
       astraceroute(8), curvetun(8)

AUTHOR

       Manpage was written by Herbert Haas and modified by Daniel Borkmann.

COLOPHON

       This  page  is  part  of  the  Linux  netsniff-ng  toolkit  project.  A
       description  of  the project, and information about reporting bugs, can
       be found at http://netsniff-ng.org/.