Inter-Packet Delay

Inter-Packet Delay (IPD) is a method of transmitting information not inside the packet itself, but in the delays between packets. Instead of focusing on payloads, the timing of traffic carries the hidden message. It has multiple encodings some of which are:

Fixed Interval encoding
Multiple Interval Encoding
Interval Modulation Encoding

The one I’ll focus on here is Fixed-Interval Encoding, since I’ve encountered it twice.

In Fixed-Interval Encoding, there can be two types of delays, a short delay and a long delay.

a short delay = 0 bit

a long delay = 1 bit

when repeated in a sequence of delayed packets, they form a hidden message that is hard to catch prior to knowing the existence of the technique.

lets look at an example:

these are packets, that at first glance, look empty with no immediately useful data, let us first attempt to gain clearer look by reducing noise and adding a column that will help us detect IPD, we want to get the time between each frame and the one before it after filtering, this is called delta time displayed.

Note: the regular Delta Time column shows the time between frames regardless of any applied filters. we’ll go right click on the columns > column preferences > add a column with delta time displayed type.

now we can see a clear picture of the delays that look deliberately constructed and are suspicious, we also see values such as 0.049999, these are just precision -aka skill- issue that we can just treat as 0.05

so what we have is a short interval, 0.05 and a long interval 0.25, the short interval equals 0 and the long interval equals 1. What we’ll do now is extract the delta times, convert them to 1s and 0s to clearly see the binary representation. and decode them.

here’s tshark one-liner will extract the those delays and converts them to raw binary:

tshark -r IPD.pcap -Y "ip.addr == 192.168.1.100" -T fields -e frame.time_delta_displayed | awk '{if ($1 == "0.050000000") print 0; else if ($1 == "0.250000000") print 1; else print 0}' | tr -d "\\n"

output: 0001100000010110000101100001000010000111100000111010111010001000100101011000010000000000100001001001010110000110101011110000010010001010100010000000111100011101000010101000110110101111000111010010001110001100000011000000001000001100000010100

there's a n extra 0 at the start because it counted the interval between it and the previous packet, the if condition converted it into 0, and we should delete it.

Once we convert the extracted bitstream into ASCII, we can recover the hidden information, there was an additional XOR step applied to the decoded text. However, this XOR layer was just part of the challenge and not a standard feature of inter-packet delay (IPD) encoding itself.

Note: I have only seen this technique in research papers and CTFs, I am yet to see it in the real world.

PreviousCovert-channels-made-simple NextReserved bits

Last updated 5 months ago