
NEWS

2010-07-07 Released mz-0.40: New features including configurable packet sequences, IP fragmentation (also with overlaps), better PVST+ and IP loose source routing, lots of bugfixes, etc. See the ChangeLog.

2010-03-07 Released mz-0.39: Fixed the nasty CPU-consumption bug that occurred on systems with the latest libpcap-dev, improved jitter measurement, updated documentation. Everybody should upgrade to this release for security and stability reasons! See the ChangeLog for more information about this and the previous releases.

2009-12-24 Released mz-0.38 which is a major release; probably 'Mausezahn next-generation'. It is now multi-threaded and provides a Cisco-style command line. Other features include improved jitter measurements, and the new MOPS-part supports nanosecond inter-packet delay, IGMP (v1, v2), LLDP, and ARP monitoring. The quick old style operation is still supported and has also been improved. This is an X-mas release; I will still be busy the next weeks and months, so expect many additional features soon.

2009-08-06 Released mz-0.34.9 - which fixed some problems during the build process on different platforms.

2009-07-29 Released mz-0.34.8 - Only a small 'cosmetic' update to enhance the build process with safety checks.

2009-07-27 Released mz-0.34.7 - A security bugfix with some additional features: RTP packet drop count, disorder count (the number of permutations needed to regain the correct sequence) now also written in log files, and RTP jitter estimation as specified in RFC3550 (smoothed mean deviation). This is NOT the promised summer update (which will come in August) but only a small update of the 'legacy code'.

2008-12-10 Released mz-0.34.6 which supports easier creation of fragmented IP packets (the flags df, mf, and rf can be set more easily).

2008-10-30 Released mz-0.34.5 which includes one important bugfix and also supports measuring the degree of out-of-order RTP packets as well as dropped RTP packets.

2008-10-26 FYI: just to inform you that I am not lazy, the next Mausezahn release (0.35) is coming soon. Lots of new features and fixes will be included!

2008-10-07 I've got some reports that v0.34 has some problems with the high precision timer on some systems. I immediately fixed that in mz-0.34.1 which automatically determines which timer is the most usable on your system. See also the download section below.

2008-09-24 Version 0.34, improved timer for jitter measurement, IP source route options, and ICMP improvements. See also the changelog.

2008-09-11 Version 0.33.2, fixed bugs with BPDUs, PVST+, and RTP. Got reports that some Cisco switches do not accept Mausezahn's CDP packets anymore...even Wireshark recognizes a bad checksum in the original CDP packets (while Mausezahn's checksum is OK)...does anybody know what's going on there? I will focus on that...

2008-09-04 Version 0.33.1, minor fixes.

2008-08-20 Version 0.33 out now! Now a cmake-based build mechanism is included, support for the Syslog protocol, minor bugfixes, and most importantly, the license is now clearly defined: GPLv2.

Due to the death of Herbert Haas on 25.6.2011, this version will not be maintained any more. For newer releases please refer to http://netsniff-ng.org/ .

Thanks to the developers of netsniff-ng who have included Mausezahn in their tool package and will further maintain Herbert Haas' work.

What is Mausezahn?

Mausezahn is a free, fast traffic generator written in C which allows you to send nearly every possible and impossible packet. It is mainly used to test VoIP or multicast networks but also for security audits to check whether your systems are hardened enough against specific attacks.

Mausezahn can be used for example:

...and more. Mausezahn is basically a versatile packet creation tool on the command line with a simple syntax and context help. It can also be used within (bash) scripts to perform combinations of tests. By the way, Mausezahn is quite fast; when started on my old PIII-Laptop (1.4 GHz, Gigabit Ethernet) I measured 755 Mbit/s using the interface packet counters of an HP ProCurve 5400 switch.

Currently Mausezahn is only available for Linux platforms. Please do NOT PORT Mausezahn to Windows! (Here is a nice explanation why; I really share Felix von Leitner's point of view.)

Quick Introduction

As of version 0.38, Mausezahn supports the following protocols:

All packets can be VLAN-tagged and/or include an MPLS label stack (both in arbitrary depth). Furthermore, all header parameters are easily accessible, many of them support ranges, and even invalid settings are possible. By default the most appropriate header parameters are chosen.

Let me give you a quick example to demonstrate how simple it is to work with Mausezahn.

▶ Send an arbitrary sequence of bytes through your network card 1000 times:

# mz eth0 -c 1000 \
"ff:ff:ff:ff:ff:ff ff:ff:ff:ff:ff:ff cc:dd 00:00:00:ca:fe:ba:be"

Note that this 'frame' is (by intention) completely invalid with respect to the Ethernet standard; the frame is too short (called a 'runt') and has a broadcast source address.

▶ But you can send more complex packets easily with the built-in packet builders using the -t option. Let's send a forged DNS response to host 192.168.1.2 by impersonating the DNS server 10.7.7.42:

# mz eth0 -A 10.7.7.42 -B 192.168.1.2 \
-t dns "q=www.thehostyouseek.com, a=172.16.6.66"

Of course you can manipulate much more in the DNS header, simply type mz -t dns help for additional help.

▶ Perform a TCP SYN-Flood attack against all hosts in subnet 10.5.5.0/24 which are in VLAN 100. Try out all 1023 well-known ports. Provided that you are in the native VLAN 50 you can reach the target via VLAN-hopping. Repeat the whole attack endlessly by setting the count option to zero:

# mz eth0 -c 0 -Q 50,100 -A rand -B 10.5.5.0/25 \
-t tcp "flags=syn, dp=1-1023"

▶ Confuse the spanning tree: Behave like a root bridge and generate BPDUs with lowest Bridge ID every two seconds:

# mz eth0 -c 0 -d 2s -t bpdu

As you see you don't even need to specify any other BPDU parameters because Mausezahn assumes by default that your PC wants to be the root. Of course you can modify every BPDU parameter. Even the Cisco-proprietary per-VLAN spanning tree PVST+ is supported:

# mz eth0 -c 0 -d 2s -t bpdu vlan=314

▶ Voice over IP connections suffer from jitter (delay variations). Hence it is important to know the jitter across a given path. Using Mausezahn you can precisely measure the jitter continuously. Simply configure a Mausezahn sender and a receiver:

TX# mz eth0 -t rtp -B rx.somewhere.net
RX# mz eth0 -T rtp "log, path=/tmp"

Using these settings, the sender (TX) sends RTP packets every 20 msec to the specified receiver (RX). Station RX stores moving average data in /tmp/rtp_avg_20080801-120233 (filename is current timestamp). The data is a comma-separated list that can be easily analyzed and visualized with standard tools, e.g. R, Matlab, Octave, or this python tool (which needs matplotlib). An example output is seen below; I only measured the jitter across a local gigabit link.

Real-time jitter monitoring

As of version 0.38, Mausezahn supports two nicer displays of the jitter measurements. The default is 'bar'; the other is 'txt'.
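The news entry for mz-0.34.7 describes the reported jitter as the RFC 3550 estimate (smoothed mean deviation), together with an RTP drop count. The following is an added example, not part of Mausezahn or of the analysis tool mentioned above: it computes both values from constructed (sequence number, send time, arrival time) samples. The sample values, the function names and the use of milliseconds instead of RTP timestamp units are assumptions, and it does not parse Mausezahn's log format.

```python
# Added example: RFC 3550 jitter estimate and RTP loss count on constructed samples.
from typing import Iterable, List, Optional, Tuple

Packet = Tuple[int, float, float]  # (RTP sequence number, send ms, arrival ms)

# Constructed sample: 20 ms send interval, sequence wraps at 65535, seq 1 is lost.
SAMPLE: List[Packet] = [
    (65534, 0.0, 5.0), (65535, 20.0, 25.0), (0, 40.0, 46.5), (2, 80.0, 85.0),
]


def rfc3550_jitter(packets: Iterable[Packet]) -> List[float]:
    """Running jitter J (ms) after each packet, taken in arrival order.

    RFC 3550 section 6.4.1: D = (Rj - Ri) - (Sj - Si), J += (|D| - J) / 16.
    """
    jitter, prev_transit, out = 0.0, None, []
    for _seq, sent, arrived in packets:
        transit = arrived - sent
        if prev_transit is not None:
            jitter += (abs(transit - prev_transit) - jitter) / 16.0
        prev_transit = transit
        out.append(jitter)
    return out


def lost_packets(seqs: Iterable[int]) -> int:
    """Expected minus received packets, unwrapping 16-bit sequence numbers."""
    base: Optional[int] = None
    highest = received = 0
    for s in seqs:
        received += 1
        if base is None:
            base = highest = s
            continue
        ext = s + (highest & ~0xFFFF)      # same 65536-cycle as the highest seen
        if ext < highest - 0x8000:         # wrapped forward into the next cycle
            ext += 0x10000
        elif ext > highest + 0x8000:       # late packet from the previous cycle
            ext -= 0x10000
        highest = max(highest, ext)
    return 0 if base is None else (highest - base + 1) - received


if __name__ == "__main__":
    print("jitter (ms):", rfc3550_jitter(SAMPLE))
    print("lost:", lost_packets(seq for seq, _, _ in SAMPLE))
```

Because the estimate only uses the difference between consecutive transit times, a constant clock offset between sender and receiver cancels out.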

Interactive and multi-threaded mode

As of version 0.38, Mausezahn alternatively provides an interactive mode with Cisco-style command line. To try it out, start Mausezahn e.g. with

# mz -x 99

and open a telnet connection to port 99 from another terminal or computer.

Disclaimer and License

Mausezahn is basically a network and firewall testing tool. Don't use this tool when you are not aware of its consequences or have only little knowledge about networks and data communication. If you abuse Mausezahn for unauthorized attacks and get caught, or damage something of your own, then this is completely your fault.

Mausezahn (C)2007-2009 by Herbert Haas is licensed under the GNU Public License (GPL) version 2.

Download Mausezahn

mz-0.40.tar.gz (released 7th July 2010)
md5sum: d3d959c9 2cbf3d81 224f5b2f 8409e9d8

Since Mausezahn is open source (and now part of Debian SID and other Linux distributions) I only provide tarballs here. In order to build the binary you need the cmake package, as well as current versions of libnet and libpcap. See the INSTALL instructions in the Mausezahn package.

For FreeBSD users, many thanks to Jacob Myers, who wrote: I have successfully built a fully-functional Mausezahn copy on FreeBSD without any source modification. I merely added

    -I/usr/local/include/libnet11 -L/usr/local/lib/libnet11
    -D_POSIX_C_SOURCE=199309L

to CMAKE_C_FLAGS and changed the build type to None using ccmake. I plan to set up a BSD system to make Mausezahn more easily portable to those (real) UNIXes.



Documentation

I have written a short introduction to Mausezahn which comes in two parts:
  1. Mausezahn in direct mode
  2. Mausezahn in interactive mode

Bugs and Feedback

Please tell me about your experience with Mausezahn, which features you miss, and which bugs you have found.

Dear developers: Currently Mausezahn is undergoing significant architectural changes and cleanups - therefore you should not add your own code to it because it will be incompatible later. For now it is better you tell me your desired features and I will put them on the (continuously growing) wishlist.

You can reach me via herbertXXXperihel.at (replace the XXX with one @ symbol) and please mention "MAUSEZAHN" in the subject line.

Before you send me a bug report please look at the changelog.