Provided by: mz_0.40-1.1_amd64 bug

NAME

       mz - a fast versatile packet generator

SYNOPSIS

       mz [options]<arg_string> | <hex_string>

DESCRIPTION

       Mausezahn  is  a  free fast traffic generator written in C which allows you to send nearly
       every possible and impossible packet.
       Mausezahn can also be used for example as didactical tool in network labs or for  security
       audits  including  penetration  and  DoS  testing.  As  traffic generator Mausezahn is for
       example used test IP multicast or VoIP networks.  Speeds close to the Ethernet  limit  are
       reachable  (depending  on  the  hardware  platform,  especially the quality of the network
       interface card).

USAGE

       Mausezahn supports two modes, direct mode and a multi-threaded interactive mode.

       The direct mode allows you to create a packet directly on the Linux/UN*X shell  and  every
       packet parameter is specified in the argument list when calling Mausezahn.

       The interactive mode is an advanced multi-threaded configuration mode with its own command
       line interface (CLI). This mode allows you to create an arbitrary number of  packet  types
       and  streams  in parallel, each with different parameters. The interactive mode utilizes a
       completely redesigned and more flexible protocol framework called  MOPS  (Mausezahn's  Own
       Packet System).  The look and feel of the CLI is very similar to the Cisco IOS(tm) command
       line. You can start the interactive mode by executing Mausezahn with the -x  argument  (an
       optional  port  number  may follow, otherwise it is 25542).  Then use Telnet to connect to
       this Mausezahn instance (the default login expects the user 'mz' with password  'mz',  and
       enable  password  'mops';  you can change this in /etc/mausezahn/mz.cfg). More information
       about the interactive mode and MOPS is provided on the Mausezahn website.

       The direct mode supports two specification schemes: The raw-layer-2  scheme,  where  every
       single  byte  to  be  sent can be specified, and higher-layer scheme, where packet builder
       interfaces are used (using the -t option).
       To use the raw-layer-2 scheme, simply specify the desired frame  as  hexadecimal  sequence
       (the hex_string), such as

       mz eth0 "00:ab:cd:ef:00 00:00:00:00:00:01 08:00 ca:fe:ba:be"

       In  this example, the spaces within the byte string are optional and separate the Ethernet
       fields (destination and source address,  type  field,  and  a  short  payload).  The  only
       additional  options  supported are -a, -b, -c, and -p. The frame length MUST be greater or
       equal 15 bytes.
       The higher-layer scheme  is  enabled  using  the  -t  <packet_type>  option.  This  option
       activates  a  packet  builder  and  besides  the packet_type an optional arg_string can be
       specified. The arg_string contains packet-specific parameters, such  as  TCP  flags,  port
       numbers, etc; see the EXAMPLES below.

       Note  that  Mausezahn  requires root privileges. Please see the Mausezahn User's Guide for
       more details or use Mausezahn's command line help.

OPTIONS

       Mausezahn provides a built-in context-specific help. Simply append the keyword help to the
       configuration options.
       The most important options are:

       -v     Verbose mode. Capital -V is even more verbose.

       -S     Simulation  mode,  i. e. don't put anything on the wire. This is typically combined
              with the verbose mode.

       -q     Quiet mode (only warnings and errors are displayed).

       -c <count>
              Send the packet count times (default: 1, infinite: 0).

       -d <delay>
              Apply delay between transmissions.  The  delay  value  can  be  specified  in  usec
              (default,  no  additional  unit  needed), or in msec (e. g. 100m or 100msec), or in
              seconds (e.  g.  100s  or  100sec).  Note:  MOPS  also  supports  nanosecond  delay
              granulation if you need it (see: interactive mode).

       -p <lenght>
              Pad the raw frame to specified length (using zero bytes). Note that for raw layer 2
              frames the specified length defines the whole frame length, while for higher  layer
              packets the number of additional padding bytes are specified.

       -a <Src_MAC|keyword>
              Use  specified source mac address (use hex notation such as 00:00:aa:bb:cc:dd).  By
              default the interface MAC address will be used. The keywords rand and own refer  to
              a  random  MAC  address  (only  unicast addresses are created) and the own address,
              respectively. You can also use the keywords mentioned  below  (although  broadcast-
              type source addresses are officially invalid).

       -b <Dst_MAC|keyword>
              Use specified destination mac address.  By default a broadcast is sent in raw layer
              2 mode or the destination hosts/gateways interface MAC address in normal (IP) mode.
              You  can  use the same keywords as mentioned above as well as bc (or bcast), cisco,
              and stp.  Please note that for the destination MAC  address  the  rand  keyword  is
              supported  but  creates  a  random  address  only once, even when you send multiple
              packets.

       -A <Src_IP|range|rand>
              Use specified source IP address (default  is  own  interface  IP).  Optionally  the
              keyword  rand  can  again  be used for a random source IP address or a range can be
              specified, such as 192.168.1.1-192.168.1.100 or 10.1.0.0/16. Also a DNS name can be
              specified  for  which  Mausezahn  tries  to  determine the corresponding IP address
              automatically.

       -B <Dst_IP|range>
              Use specified destination IP address (default is broadcast i. e.  255.255.255.255).
              As with the source address (see above) you can also specify a range or a DNS name.

       -t <packet_type>
              Create  the  specified  packet  type  using  the built-in packet builder. Currently
              supported packet types are: arp, bpdu,  ip,  udp,  tcp,  rtp,  and  dns.  There  is
              currently  also  a  limited  support for ICMP. Enter -t help to verify which packet
              builders your actual Mausezahn version supports. Also, for  any  particular  packet
              type, for example tcp enter mz -t tcp help to receive a context specific help.

       -T <packet_type>
              Make  this  Mausezahn instance the receiving station. Currently (version 0.30) only
              rtp is an option here and provides precise jitter measurements.  For  this  purpose
              start  another  Mausezahn  instance  on the sending station and the local receiving
              station will output jitter statistics. See mz -T rtp help for a detailed help.

       -Q <[CoS:]vlan> [, <[CoS:]vlan>, ...]
              Specify 802.1Q VLAN tag and optional Class of Service. An arbitrary number of  VLAN
              tags  can  be  specified  (that  is  you  can simulate QinQ or even QinQinQinQ...).
              Multiple tags must be separated via a comma or a period  (e.  g.   "5:10,20,2:30").
              VLAN  tags  are  not  supported  for  ARP and BPDU packets (in which case you could
              specify the whole frame in hex using the raw layer 2 interface of Mausezahn).

       -M <label[:cos[:ttl]][bos]> [, <label...>]
              Specify a MPLS label or even a MPLS label stack.  Optionally  for  each  label  the
              experimental  bits  (usually  the Class of Service, CoS) and the Time To Live (TTL)
              can be specified. And if you are really crazy you can set/unset the Bottom of Stack
              (BoS)  bit at each label using the S (set) and s (unset) option. By default the BoS
              is set automatically and correctly. Any other setting will lead to invalid  frames.
              Enter -M help for detailed instructions and examples.

       -P <ASCII_payload>
              Specify  a cleartext payload. Alternatively each packet type supports a hexadecimal
              specification of the payload (see for example -t udp help).

       -f <filename>
              Read the ASCII payload from the specified file.

       -F <filename>
              Read the HEX payload from the specified file. Actually this file must  be  also  an
              ASCII   file   (text   file)   but   must   contain   hexadecimal   digits,  e.  g.
              "aa:bb:cc:0f:e6...". You can use also spaces as separation characters.

COMBINATION OF RANGES

       When multiple ranges are specified, e. g. destination port ranges AND destination  address
       ranges,  then  all  possible  combinations  of  ports  and  addresses  are used for packet
       generation. Furthermore, this can be mixed with other ranges e. g. a TCP  sequence  number
       range.  Note that combining ranges can lead to a very huge number of frames to be sent. As
       a rule of thumb you can assume that about 100,000 frames are sent in  a  fraction  of  one
       second, depending on your network interface.

DISCLAIMER AND WARNING

       Mausezahn  has  been  designed as fast traffic generator so you can easily overwhelm a LAN
       segment with myriads of packets. And because Mausezahn should also support security audits
       it is also possible to create malicious or “invalid” packets, SYN floods, port and address
       sweeps, DNS and ARP poisoning, etc.
       Therefore, don't use this tool when you are not aware of  possible  consequences  or  have
       only  little  knowledge about networks and data communication.  If you abuse Mausezahn for
       'unallowed' attacks and get caught,  or  damage  something  of  your  own,  then  this  is
       completely your fault. So the safest solution is to try it out in a lab environment.

EXAMPLES

       Send  BPDU frames for VLAN 5 as used with Cisco's PVST+ type of STP. Per default Mausezahn
       assumes that you want to become the root bridge:

       # mz eth0 -c 0 -d 2s -t bpdu vlan=5

       Perform a CAM table overflow attack:

       # mz eth0 -c 128000 -a rand -p 64

       Perform a SYN flood attack to another VLAN using VLAN hopping. This only works if you  are
       connected  to  the  same  VLAN which is configured as native VLAN on the trunk.  We assume
       that the victim VLAN is VLAN 100 and the native VLAN is VLAN 5. Lets attack every host  in
       VLAN  100  which  use a IP prefix of 10.100.100.0/24, also try out all ports between 1 and
       1023 and use a random source IP address:

       # mz eth0 -c 0 -Q 5,100 -t tcp "flags=syn,dp=1-1023" -p 20 -A rand -B 10.100.100.0/24

       Send IP multicast packets to the  multicast  group  230.1.1.1  using  a  UDP  header  with
       destination port 32000 and set the IP DSCP field to EF (46). Send one frame every 10 msec:

       # mz eth0 -c 0 -d 10msec -B 230.1.1.1 -t udp "dp=32000,dscp=46" -P "Multicast test packet"

       Send  UDP  packets  to  the  destination  host  target.anynetwork.foo  using  all possible
       destination ports and send every packet with all possible source addresses  of  the  range
       172.30.0.0/16;  additionally use a source port of 666 and three MPLS labels, 100, 200, and
       300, the outer (300) with QoS field 5. Send the frame with a  VLAN  tag  420  and  CoS  6;
       eventually pad with 1000 bytes and repeat the whole thing 10 times:

       #  mz  eth0  -Q  6:420  -M  100,200,300:5 -A 172.30.0.0/16 -B target.anynetwork.foo -t udp
       "sp=666,dp=1-65535" -p 1000 -c 10

       Send six forged Syslog messages with severity 3 to a Syslog server 10.1.1.9; use a  forged
       source IP address 192.168.33.42 and let Mausezahn decide which local interface to use. Use
       an inter-packet delay of 10 seconds:

       # mz -t syslog sev=3 -P "Main reactor reached critical temperature." -A  192.168.33.42  -B
       10.1.1.9 -c 6 -d 10s

       Send  an  invalid  TCP packet with only a 5 byte payload as layer-2 broadcast and also use
       the broadcast MAC address as source address. The target  should  be  10.1.1.6  but  use  a
       broadcast source address. The source and destination port shall be 145 and the window size
       0. Set the TCP flags SYN, URG, and RST simultaneously and  sweep  through  the  whole  TCP
       sequence number space with an increment of 1500. Finally set the urgent pointer to 666, i.
       e. pointing to nowhere:

       # mz -t tcp "flags=syn|urg|rst, sp=145, dp=145, win=0, s=0-4294967295,  ds=1500,  urg=666"
       -a bcast -b bcast -A bcast -B 10.1.1.6 -p 5

SEE ALSO

        mz.cfg(1)

AUTHOR

       Herbert Haas

       Visit www.perihel.at/sec/mz/ for Mausezahn news and additional information.

       This  manual  page was written by Herbert Haas <herbert AT perihel DOT at>, for the Debian
       project.

                                          March 7, 2010                                     MZ(1)