Sunday, October 22, 2017

An ICMP packet carrying a hidden message

Therefore, we may establish a covert channel if the initial value of the Pointer field is greater than the value of the Length field, or just greater than the length of the hidden message. Specifically, if we set the initial value of the Pointer field greater than the value of the Length field, then no router can write its IP address. In this case, we can use all the remaining 36 bytes of the IP header option to insert a hidden message. This is shown in Figure 6.a. However, if we set the initial value of the Pointer field to a value greater than the length of the hidden message, then a number of routers can still write their IP addresses in the remaining bytes of the IP header option. This is shown in Figure 6.b.

The Frameip packet generator [26] is used to generate an ICMP Ping packet [27] including the record route option. The value of the Pointer field in the packet is set to be greater than the value of the Length field. The IP addresses of the source and destination hosts are 172.16.16.3 and 172.16.16.20, respectively. The hidden message written in the Options field is "This is a covert channel", and its length is 24 bytes. Consequently, the value of the Length field is 39 bytes. The value of the Pointer field is set to 28, in order to force any router to write its IP address in the 4-byte field that immediately follows the hidden message.

The contents of the Options field in the sent and received packets are decoded using the Ethereal Sniffer program. Figure 7 shows that the first router (which is the destination host in our case) has inserted its IP address just after the hidden message. Using this technique, a covert channel is established and a secure communication using hidden messages can be done. This technique has the following advantages:

https://www.researchgate.net/figure/268401309_fig3_Figure-7-An-ICMP-packet-carrying-a-hidden-message
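A defender-side check for the technique described above, as an added example that is not part of the original post or the cited paper: it parses the Record Route option (type 7) of an IPv4 header and flags the conditions the text relies on. The function names, the ASCII-slot threshold and the sample headers are assumptions, constructed for illustration from the values quoted above.

```python
import struct
from socket import inet_aton

RR = 7  # IPv4 Record Route option type (RFC 791)

def find_rr(header: bytes):
    """Return (length, pointer, data) of the Record Route option, or None."""
    opts, i = header[20:(header[0] & 0x0F) * 4], 0
    while i < len(opts) and opts[i] != 0:          # 0 = End of Option List
        if opts[i] == 1:                           # 1 = No-Operation, one byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return None                            # truncated or malformed option
        ln = opts[i + 1]
        if opts[i] == RR and ln >= 3:
            return ln, opts[i + 2], opts[i + 3:i + ln]
        i += ln
    return None

def audit_rr(header: bytes, min_text_slots: int = 2):
    """List anomalies in the Record Route option of one IPv4 header."""
    rr = find_rr(header)
    if rr is None:
        return []
    length, ptr, data = rr
    findings = []
    if ptr < 4 or (ptr - 4) % 4 or ptr > length + 1:
        findings.append("pointer misaligned or out of range")
    used = data[:max(0, min(ptr, length + 1) - 4)]  # slots marked as recorded
    if any(data[len(used):]):                       # free slots are normally zero
        findings.append("non-zero bytes in unused slots")
    slots = [used[j:j + 4] for j in range(0, len(used), 4)]
    text = sum(len(s) == 4 and all(0x20 <= b < 0x7F for b in s) for s in slots)
    if text >= min_text_slots:                      # heuristic threshold (assumption)
        findings.append("recorded slots look like ASCII text")
    return findings

def sample_header(ptr: int, data: bytes) -> bytes:
    """Constructed 60-byte header (checksum left 0) with a 39-byte RR option."""
    fixed = struct.pack("!BBHHHBBH4s4s", 0x4F, 0, 68, 1, 0, 64, 1, 0,
                        inet_aton("172.16.16.3"), inet_aton("172.16.16.20"))
    return fixed + bytes([RR, 39, ptr]) + data.ljust(36, b"\x00") + b"\x00"

MSG = b"This is a covert channel"                  # the 24-byte message on the page
if __name__ == "__main__":
    print(audit_rr(sample_header(4, b"")))                               # clean probe
    print(audit_rr(sample_header(28, MSG)))                              # sent packet
    print(audit_rr(sample_header(32, MSG + inet_aton("172.16.16.20"))))  # received
```

The text heuristic is per slot, so the packet is still flagged after a router appends a genuine address behind the message.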
