# Covert Channels - Needle in the Haystack

**Scenario**: We captured a ton of traffic, can you sift through it to find anything interesting? Some people might think they are secure because they are hidden in the masses, the needle in the haystack.

**Process**:

Start off by looking at the protocol hierarchy (Statistics > Protocol Hierarchy in Wireshark):

![](https://689717197-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRCd6UFIiW02sP091P3KT%2Fuploads%2F2OlEwdSUVKO4XgZN9Hrx%2Fimage.png?alt=media\&token=bbceb82d-27b2-495c-9d82-b8c2f072d6f7)

We can see that we have the following protocols to look into:

- UDP: NTP, NBNS, LLMNR, DNS, Data
- TCP: TLS, Telnet, SSH, DRDA, Data, BitTorrent, Malformed Packet

We might want to look at the Malformed Packet first, since we are looking for a needle in a haystack, but that turns out to be a dead end.

![](https://689717197-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRCd6UFIiW02sP091P3KT%2Fuploads%2FooiOaqKAMMYUEPXXO6mm%2Fimage.png?alt=media\&token=402a64f7-0e72-46c7-bee8-6dc05bea188f)

The next thing to look at is Telnet, which is easy to inspect because it has no encryption. Examining the Data field under Telnet shows what is being sent: every character typed across the wire is visible.

![](https://689717197-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRCd6UFIiW02sP091P3KT%2Fuploads%2FfG10UvgiG3O2wsBdJCeP%2Fimage.png?alt=media\&token=555aa0cc-2f0b-43e2-9930-332d4aeecbb9)

Here we get the answer in plain text, spread across the packets.

#### PowerShell Solution:

```powershell
# Pull the telnet.data field out of every Telnet packet, drop entries that are
# just a single space, and glue the rest into one string for easy reading
-join (.\tshark.exe -r 'needleinahaystack.pcapng' -Y "telnet" -T fields -e telnet.data | ?{$_ -cne " "})
```

- `-join` at the beginning combines all the items into a single line, which makes it easier to read once the filter has run.
- `tshark -r` reads in the pcap.
- `-Y` is the display filter; here it is `telnet`.
- `-T fields` formats the output as text built from fields of the packet.
- `-e` is the field name to extract; here it is `telnet.data`.
- The `?{ ... }` (Where-Object) at the end drops entries that are just a single space; entries that are completely empty add nothing to the join anyway.

Keep in mind that the Telnet server echoes what the client types, so the joined output contains both directions of the conversation: typed characters can appear twice, interleaved with prompts and command output. That is fine for a quick look, but if the result is hard to read, split the extraction by direction (for example add `-e ip.src` or filter on `tcp.dstport == 23`).
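As an added example (not part of the original write-up and not the challenge's own tshark command), the script below does the same extraction with only the Python standard library and shows the caveat the one-liner hides: because the Telnet server echoes keystrokes, joining every telnet.data field in capture order doubles each typed character and mixes in prompts, while reassembling per direction recovers exactly what the client typed. The hosts, ports and login session are constructed, and the reader handles classic pcap only, so convert a pcapng first with `editcap -F pcap needleinahaystack.pcapng out.pcap`.

```python
"""Reassemble Telnet keystrokes from a pcap with only the standard library.
Hosts, ports and the login session below are constructed for illustration."""
import struct

IAC, SE, SB = 255, 240, 250                  # Telnet command bytes (RFC 854)
WILL, WONT, DO, DONT = 251, 252, 253, 254
TELNET_PORT = 23


def build_frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/TCP frame carrying payload (checksums left at 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes.fromhex("020000000001020000000002") + b"\x08\x00" + ip + tcp

def write_pcap(frames):
    """Classic little-endian libpcap file, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield raw frames; pcapng is not handled (convert with editcap -F pcap first)."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack("<IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl

def tcp_payload(frame):
    """(src, dst, sport, dport, payload) for IPv4/TCP frames, else None."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:    # EtherType IPv4, IP proto TCP
        return None
    ip = frame[14:]
    tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack("!H", ip[2:4])[0]]
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[(tcp[12] >> 4) * 4:]

def strip_telnet_negotiation(data):
    """Drop IAC command sequences; what remains is what Wireshark shows as telnet.data."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i]); i += 1
        elif i + 1 >= len(data):
            break                                    # IAC cut off at the segment end
        elif data[i + 1] == IAC:
            out.append(IAC); i += 2                  # escaped 0xFF data byte
        elif data[i + 1] == SB:                      # subnegotiation: skip to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                        # WILL/WONT/DO/DONT carry an option byte
            i += 3 if data[i + 1] in (WILL, WONT, DO, DONT) else 2
    return bytes(out)

def telnet_chunks(pcap_bytes, port=TELNET_PORT):
    """Yield (direction, telnet data) per segment, in capture order."""
    for frame in read_pcap(pcap_bytes):
        parsed = tcp_payload(frame)
        if parsed and port in parsed[2:4] and parsed[4]:
            src, dst, sport, dport, payload = parsed
            yield f"{src}:{sport}>{dst}:{dport}", strip_telnet_negotiation(payload)

def naive_join(pcap_bytes):
    """What a single -join over every telnet.data field gives: both directions interleaved."""
    return b"".join(chunk for _, chunk in telnet_chunks(pcap_bytes))

def telnet_streams(pcap_bytes):
    """Per-direction reassembly, like Follow TCP Stream with the two sides separated."""
    streams = {}
    for direction, chunk in telnet_chunks(pcap_bytes):
        streams[direction] = streams.get(direction, b"") + chunk
    return streams

def client_keystrokes(pcap_bytes, port=TELNET_PORT):
    """Only what the client sent: no server echo, banner or prompts."""
    return b"".join(v for k, v in telnet_streams(pcap_bytes).items() if k.endswith(f":{port}"))

def build_sample_capture():
    """Constructed session: 10.0.0.5 logs in to 10.0.0.9, one keystroke per segment."""
    c, s, cp = "10.0.0.5", "10.0.0.9", 40123
    cli = lambda b: build_frame(c, s, cp, TELNET_PORT, b)
    srv = lambda b: build_frame(s, c, TELNET_PORT, cp, b)
    frames = [srv(bytes([IAC, WILL, 1, IAC, DO, 3])),       # server: WILL ECHO, DO SGA
              cli(bytes([IAC, DO, 1, IAC, WILL, 3])),       # client accepts
              srv(b"login: ")]
    for ch in b"alice":                                     # username: server echoes it
        frames += [cli(bytes([ch])), srv(bytes([ch]))]
    frames += [cli(b"\r\n"), srv(b"\r\n"), srv(b"Password: ")]
    frames += [cli(bytes([ch])) for ch in b"hunter2"]       # password: not echoed
    frames += [cli(b"\r\n"), srv(b"\r\n$ ")]
    return write_pcap(frames)

if __name__ == "__main__":
    capture = build_sample_capture()
    with open("telnet_sample.pcap", "wb") as fh:             # inspect in Wireshark if you like
        fh.write(capture)
    print("naive join :", naive_join(capture))
    print("client only:", client_keystrokes(capture))
```

Running it prints the doubled `aalliiccee` that a flat join of telnet.data produces, against the clean `alice\r\nhunter2\r\n` recovered from the client-to-server direction alone. The password shows up once in both views because the server suppresses echo for it, which is also why a flat join is not simply "every character twice". To point the same functions at a real capture, read the converted pcap into bytes and pass it to `client_keystrokes`.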


