Project Information

A tool that uses the TOS bits in the IP header to set up a covert channel. A covert channel is a way to hide information within an already established communication path. Quality-of-service fields are one place to create such a channel in IP packets. One way to do this is to use the TOS field of IPv4: since it often goes unused anyway, we can store one byte of data in it. In IPv6 this field is called the traffic class. IPv6 also has a flow label field, which can be used to store another 20 bits. So each IPv4 packet can store 1 byte and each IPv6 packet can store 3 (and a half) bytes for use as a covert communication channel.

The contents of the IP packets are irrelevant. The point is that the sending entity has to add the data bits to the IP packets, and the recipient has to erase them again and restore the data. In both cases access to the same packets is needed, so careful planning on how to use this channel is required.

The fun part is that TOS bytes pass unchanged across NAT, IPsec and firewalls most of the time, and nothing really shows up in logs. PPP may be a problem because of header compression.

Anyway, this is merely a proof of concept and is for educational purposes only. It uses iptables to copy all matching packets to userspace, where the covert_qos tool intercepts them, modifies the packets to include the data bytes or extracts them, and sends the packets on their way. Normally, neither the sender nor the recipient will ever be aware of it.
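
Because ordinary traffic tends to keep one QoS marking per flow, a TOS byte that changes from packet to packet is the observable trace of the channel described above. The following detection sketch is an added example, not code from the covert_qos project; the function names, the `MAX_DISTINCT_TOS` threshold and the sample packets are assumptions constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

MAX_DISTINCT_TOS = 4  # assumed threshold; tune against your own traffic baseline


def build_ipv4_header(src, dst, tos):
    """Build a minimal 20-byte IPv4 header (constructed test input, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 6, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def tos_by_flow(packets):
    """Map (src, dst) -> list of TOS bytes, skipping anything that is not sane IPv4."""
    flows = defaultdict(list)
    for pkt in packets:
        if len(pkt) < 20 or pkt[0] >> 4 != 4 or (pkt[0] & 0x0F) < 5:
            continue  # truncated, not IPv4, or invalid header length
        src = socket.inet_ntoa(pkt[12:16])
        dst = socket.inet_ntoa(pkt[16:20])
        flows[(src, dst)].append(pkt[1])  # TOS is the second byte of the header
    return flows


def suspicious_flows(packets, max_distinct=MAX_DISTINCT_TOS):
    """Return flows whose packets carry more distinct TOS values than expected."""
    return sorted(flow for flow, values in tos_by_flow(packets).items()
                  if len(set(values)) > max_distinct)


# Constructed sample traffic: one flow with a fixed marking, one whose TOS byte
# changes per packet, as it would when the byte carries data instead of QoS.
SAMPLE = [build_ipv4_header("192.0.2.10", "198.51.100.5", 0x00) for _ in range(8)]
SAMPLE += [build_ipv4_header("192.0.2.20", "198.51.100.5", b)
           for b in b"covert!!"]
SAMPLE.append(b"\x60" + b"\x00" * 39)  # IPv6 header, ignored by this IPv4-only check

if __name__ == "__main__":
    for src, dst in suspicious_flows(SAMPLE):
        print(f"variable TOS byte on {src} -> {dst}")
```

The same per-flow comparison applies to the IPv6 traffic class and flow label, which this IPv4-only sketch does not parse.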