Traffic and Packet Generators

This section discusses the packet-generation capabilities of the BSD ipfilter firewall package, the Linux kernel module packet generator, and some additional tools for heavy load testing and simulated denial-of-service (DoS) patterns. This arsenal is useful to test traffic shapers, forwarding, filtering performance, network quality of service (QoS), stateful inspection, and Network Address Translation (NAT), just to name a few. Traffic generators generally are concerned with a huge amount of output, whereas packet generators typically are used as a "scalpel" to test firewalls and protocol implementations/compliance.


Exercise extreme care when using these facilities in real-life networks; they are extremely powerful. Check the traffic with a sniffer; you will find what is going on pretty impressive.

What You Need in a Small Toolbox

The following tools have proven useful for packet and traffic creation as well as network testing. They are quite similar in nature, and it is really up to you to decide on a favorite:

  • Aicmpsend

  • Sendip

  • IP Sorcery (ipmagic/magic tools)

  • Excalibur

  • Hping2

  • Traffic (client/server)

  • Scapy

Example 6-6 presents aicmpsend, sendip, and ipmagic in action. You can deploy them to test security installations and protocol behavior. See the "Recommended Reading" section at the end of this chapter for download locations of these tools.

Example 6-6. Selection of Packet-Generator Tools

[root@callisto:~#] aicmpsend -d ?E

ICMP packet:  1   TTL=64

Sending ICMP error from to


ICMP error:  Echo

[root@callisto:~#] sendip -p ipv4

[root@callisto:~#] ipmagic -h

Usage: ipmagic [options]

IP: [-is|-id|-ih|-iv|-il|-it|-io|-id|-ip]

-is: source host or address def.

-id: source destination or address def.

-ih: IP header length def. 5

-iv: IP version def. 4

-il: Time-to-Live def. 64

-it: Type-of-Service def. 0

-io: IP frag offset [(D)on't Fragment | (M)ore Fragments | (F)ragment | (N)one]

-i:  IP packet ID for fragmentation def. 0

-ip: IP protocol [TCP | UDP | ICMP | IP] def. TCP

-iO: IP options

TCP: [-ts | -td | -to | -tq | -ta | -tf | -tw | -tu]

-ts: TCP source port, def. rand()

-td: TCP destination port def. 80

-to: TCP data offset of header def. 5

-tq: TCP sequence number def. rand()

-ta: TCP ack sequence number def. 0

-tf: TCP flags [(S)yn | (A)ck | (F)in | (P)ush | (R)st | (U)rg | (N)one] def. S

-tw: TCP Window Size def. rand()

-tu: TCP urg pointer def. 0

UDP: [-us | -ud | -ul]

-us: UDP source port def. rand()

-ud: UDP destination port def. 161

-ul: UDP length

     RIP: [-uR |-uRc |-uRv]

     -uR: Send default RIP packet to port 520

     -uRc: RIP command [RQ | RS | TN | TF | SR | TQ | TS | TA | UQ | US | UA] def. RQ

     For a list of RIP commands run program with -h rip

     -uRv: RIP version [1 | 2] def. 2

Note: Entry Tables should be used with response packets[RS | TS | US]

     -uRa(1 | 2 | etc.): RIP Entry table Address exmp. -uRa1

     -uRn(1 | 2 | etc.): RIP Entry table Netmask, exmp. -uRn2

     -uRh(1 | 2 | etc.): RIP Entry table Next Hop, exmp. -uRn(num)

     -uRm(1 | 2 | etc.): RIP Entry table Metric

     -uRr(1 | 2 | etc.): RIP Entry table Route Tag

     -uRe: Add default RIP entry table to packet

ICMP: [-ct | -cs]

-ct: ICMP type def. ECHO REQUEST

-cs: ICMP sub code def. 0

-ci: ICMP sequence ID def. 0

For list of ICMP Types and Subcodes run program with -h icmp.

IGMP:[-gt | -gc | -ga | -gn]

-gt: IGMP type [D | L | M | MT | MR | P | R1 | R2 | R3] def. M

-gc: IGMP sub code for types P and D def. 0

-gm: IGMP Max. resp. Time for Queries ie. MR

-ga: IGMP group address def. 0

-gn: IGMP no router alert or no internetwork Type-Of-Service [r | i |  | ]

For list of IGMP Types and Subcodes run program with -h igmp.

OSPF:[-ov | -ot | -or | -oe | -oa | -ou]

-ov: OSPF Version

-ot: OSPF Type[(H)ello | (D)b Desc. | (R)equest | (U)pdate | (A)ck]

-or: OSPF Router ID

-oe: OSPF Area ID

-oa: OSPF Auth Type[(N)one | (P)ass | (C)rypto]

-ou <data>: OSPF Authentication Data

-D "<data>": for datapayload

-N <num packets>: send <num packets> number packets

-S <verbosity>: (v)erbose, (s)hort, (t)urn off packet snoop

-v: print version

The BSD ipfilter Traffic Generator

The BSD ipfilter stateful firewall package comes equipped with the following tools primarily designed for firewall testing:

  • ipsend

  • ipresend

  • iptest

Consult the manual pages for further information. Example 6-7 and Example 6-8 present demonstrations of the BSD iptest, ipsend, and ipresend tools.

Example 6-7. BSD ipfilter Ancillary Tools in Action

[root@castor:~#] iptest

Usage: iptest [options] dest


                -d device       Send out on this device

                -g gateway      IP gateway to use if non-local dest.

                -m mtu          fake MTU to use when sending out

                -p pointtest

                -s src          source address for IP packet

                -1              Perform test 1 (IP header)

                -2              Perform test 2 (IP options)

                -3              Perform test 3 (ICMP)

                -4              Perform test 4 (UDP)

                -5              Perform test 5 (TCP)

                -6              Perform test 6 (overlapping fragments)

                -7              Perform test 7 (random packets)

[root@castor:~#] iptest -d ed0 -g -1

Device:  ed0




mtu:     1500

1.1. sending packets with ip_hl < ip_len


1.2. sending packets with ip_hl > ip_len


1.3. ip_v < 4


1.4. ip_v > 4


1.5.0 ip_len < packet size (size++, long packets)


1.5.1 ip_len < packet size (ip_len-, short packets)


1.6.0 ip_len > packet size (increase ip_len)


1.6.1 ip_len > packet size (size--, short packets)


1.7.0 Zero length fragments (ip_off = 0x2000)

1.7.1 Zero length fragments (ip_off = 0x3000)

1.7.2 Zero length fragments (ip_off = 0xa000)

1.7.3 Zero length fragments (ip_off = 0x0100)

1.8.1 63k packet + 1k fragment at offset 0x1ffe


1.8.2 63k packet + 1k fragment at offset 0x1ffe

skip 12800

skip 37376

skip 61952


1.8.3 33k packet


1.9. ip_off & 0x8000 == 0x8000

1.10.0 ip_ttl = 255

1.10.1 ip_ttl = 128

1.10.2 ip_ttl = 0
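The header conditions that iptest exercises in test 1 can also be written as the checks a filter under test is expected to apply. The following Python code is an added example, not part of the original text or of the ipfilter package; the function names, labels, and sample packets are constructed for illustration, and the input is assumed to be the IP datagram with any link-layer padding already removed.

```python
import struct

def ipv4_anomalies(packet: bytes) -> list:
    """Flag header conditions of the kind iptest test 1 sends.

    Assumes `packet` is the IP datagram with link-layer padding removed.
    """
    if len(packet) < 20:
        return ["truncated header"]
    ver_ihl, _tos, ip_len, _id, ip_off, ttl = struct.unpack("!BBHHHB", packet[:9])
    version, hl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4       # hl in bytes
    offset, payload = (ip_off & 0x1FFF) * 8, ip_len - hl   # both in bytes
    found = []
    if version != 4:
        found.append("ip_v != 4")
    if hl < 20:
        found.append("ip_hl < 5 words")
    if hl > ip_len:
        found.append("ip_hl > ip_len")
    if ip_len != len(packet):
        found.append("ip_len < packet size" if ip_len < len(packet)
                     else "ip_len > packet size")
    if ip_off & 0x8000:
        found.append("ip_off & 0x8000 (reserved bit)")
    if (ip_off & 0x2000 or offset) and payload <= 0:       # MF set or offset > 0
        found.append("zero-length fragment")
    if offset + max(payload, 0) > 65535:                   # reassembly overrun
        found.append("fragment ends past 65535 bytes")
    if ttl == 0:
        found.append("ip_ttl = 0")
    return found

def build(ver=4, ihl=5, ip_len=None, ip_off=0, ttl=64, payload=b""):
    """Constructed sample: 20-byte IPv4 header (checksum 0) plus payload."""
    total = 20 + len(payload) if ip_len is None else ip_len
    hdr = struct.pack("!BBHHHBBH4s4s", (ver << 4) | ihl, 0, total, 1, ip_off,
                      ttl, 17, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return hdr + payload

if __name__ == "__main__":
    # Constructed samples using documentation address ranges.
    samples = {
        "clean datagram": build(payload=b"x" * 8),
        "version 3": build(ver=3),
        "zero-length, ip_off=0xa000": build(ip_off=0xA000),
        "1k fragment at offset 0x1ffe": build(ip_off=0x1FFE, payload=bytes(1024)),
    }
    for name, pkt in samples.items():
        print(name, ipv4_anomalies(pkt) or "no anomalies")
```
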

Example 6-8. Example Use of the ipsend Utility

[root@castor:~#] ipsend

Usage: ipsend [options] dest [flags]


                -d      debug mode

                -i device       Send out on this device

                -f fragflags    can set IP_MF or IP_DF

                -g gateway      IP gateway to use if non-local dest.

                -I code,type[,gw[,dst[,src]]]   Set ICMP protocol

                -m mtu          fake MTU to use when sending out

                -P protocol     Set protocol by name

                -s src          source address for IP packet

                -T              Set TCP protocol

                -t port         destination port

                -U              Set UDP protocol

                -v      verbose mode

                -w <window>     Set the TCP window size

Usage: ipsend [-dv] -L <filename>


                -d      debug mode

                -L filename     Use IP language for sending packets

                -v      verbose mode

[root@castor:~#] ipsend -i ed0 -P tcp -g

Device:  ed0




mtu:     1500

[root@castor:~#] ipresend

Usage: ipresend [options] <-r filename |-R filename>

                -r filename     snoop data file to resend

                -R filename     libpcap data file to resend


                -d device       Send out on this device

                -g gateway      IP gateway to use if non-local dest.

                -m mtu          fake MTU to use when sending out

The Linux Kernel Packet Generator

The Linux packet generator requires kernel support compiled as a module (pktgen.o); you drive it with a script derived from its documentation (pktgen.txt in the Linux 2.4.x kernel documentation folder). The source code of this script is provided in Example 6-9.

Example 6-9. Script That Interacts with the Linux Kernel Packet-Generator Module

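#! /bin/sh

modprobe pktgen

# Write one command to the pktgen control file; print the result line if it is not OK.

pgset() {

    local result

    echo "$1" > /proc/net/pg

    result=`cat /proc/net/pg | fgrep "Result: OK:"`

    if [ "$result" = "" ]; then

         cat /proc/net/pg | fgrep Result:

    fi

}

# Start the injection and print the contents of the control file.

pg() {

    echo inject > /proc/net/pg

    cat /proc/net/pg

}
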
pgset "odev eth0"        # set output interface

pgset "dst"  # set IP destination address

pgset "count 40000"      # set numbers of packets to send

#pgset "multiskb 1"      use multiple SKBs for packet generation

#pgset "multiskb 0"      use single SKB for all transmits

#pgset "pkt_size 9014"   sets packet size to 9014

#pgset "frags 5"         packet will consist of 5 fragments

#pgset "ipg 5000"        sets artificial gap inserted between packets

#                        to 5000 nanoseconds

#pgset "dstmac 00:00:00:00:00:00"    sets MAC destination address

#pgset stop              aborts injection

Performance-Testing and Network-Benchmarking Tools

This family of tools provides network performance information and benchmarking, usually by taking a client/server approach, which allows them to collect very accurate end-to-end information and statistics. These tools are powerful and complex; refer to the repository documentation for further details. Some interesting representatives of this family of tools are as follows:

  • Netperf (Network Performance Benchmarking)

  • NetPIPE (Network Protocol Independent Performance Evaluator)

  • ttcp/wsttcp (Test TCP [TTCP]; a benchmarking tool for measuring TCP and UDP performance)


A thorough discussion of network performance measurement would dive too much into stack internals and go far beyond the scope of this book.