Fun under the nose:::

I am not sure if this has been discussed before, but whatever!!! It may sound a bit silly :D, but it is very much possible....

This possibly explains how a spyware module can communicate with another host and may send some confidential data without actually putting anything in the payload, right under the administrator's eyes. Neither am I sure if it has been implemented before, but something like this is easy to implement in my opinion.

Imagine a Watchdog client (WDC) probing some XYZ host every 30 seconds for some service etc... Attached to the WDClient is nothing but a spyware module. Since the WDClient generally runs in superuser mode, as it has to alert or log etc., it is easy for the WDC... to make use of all those restricted resources. After it has the confidential text, it can encrypt it in some number form and send it in the TCP header and not the payload. Yes, the TCP header, as the acknowledgement number. It need not modify the payload or the actual data content. If the text is too big, simply fragment it, put it across as different TCP acks, and number the sequence numbers accordingly to reassemble the text properly.

Actually this sounds funny or not possible, but for any watchdog that may work over TCP it can be very simply implemented. You will say that on the receiving end the TCP/kernel stack maintaining any connections will simply drop this packet as the ack number is bogus, but what if we are using some sniffer made with libpcap and sniffing the packets at the Ethernet layer etc.?

Here in the libnet-generated packet I am simply sending the text "Rohit" in the TCP header. Look at the acknowledgement field: each char is its actual position in the alphabetic list, R-18, o-15 etc... Similarly, in the next packet I can send something like "Sharma" but with the sequence no. 11112.

From the test example from the libnet project:

    /*
     * Build the TCP header.
     */
    libnet_build_tcp(src_prt,      /* Source TCP port */
            dst_prt,               /* Destination TCP port */
            11111,                 /* Sequence number */
            1815080920,            /* Acknowledgement number */
            TH_SYN,                /* Control flags */
            1024,                  /* Window size */
            0,                     /* Urgent pointer */
            NULL,                  /* Pointer to payload (none) */
            0,                     /* Payload length */
            buf + LIBNET_IP_H);    /* Packet header memory */

It is very much possible that the administrator will never look at the ack field of any packet that is generated every 30 seconds or so. The other end will simply read such a packet ... to differentiate it from the other normal packets, sequence nos. starting with all 1's or 2's etc. can differentiate well.
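A defender-side check for the anomaly this post describes, as an added example (not code from the post or from libnet): it flags a TCP header whose acknowledgement number is non-zero while the ACK flag is clear, as in the SYN built above, and reads the value back as two-digit alphabet positions for triage. The header bytes, port numbers and function names are constructed for illustration, and the heuristic assumes ordinary stacks leave the field zero on a plain SYN.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define TH_FLAG_SYN 0x02   /* local names, to avoid clashing with system headers */
#define TH_FLAG_ACK 0x10

static uint32_t be32(const uint8_t *p) {            /* network byte order -> host */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* 1 = ack number set although the ACK flag is clear, 0 = fine, -1 = short header */
int ack_field_anomaly(const uint8_t *tcp, size_t len, uint32_t *ack) {
    if (len < 20) return -1;
    *ack = be32(tcp + 8);                           /* bytes 8..11: acknowledgement number */
    return !(tcp[13] & TH_FLAG_ACK) && *ack != 0;   /* byte 13: control flags */
}

/* Triage helper: read the decimal digits as two-digit alphabet positions (01..26).
 * Returns the letter count, or -1 when the value does not fit that scheme. */
int decode_letter_pairs(uint32_t ack, char *out, size_t outlen) {
    char digits[12], *d = digits + 1;
    int n = snprintf(d, 11, "%u", (unsigned)ack);
    if (n % 2) { *--d = '0'; n++; }                 /* pad to an even digit count */
    if ((size_t)(n / 2) >= outlen) return -1;
    for (int i = 0; i < n; i += 2) {
        int pos = (d[i] - '0') * 10 + (d[i + 1] - '0');
        if (pos < 1 || pos > 26) return -1;
        out[i / 2] = (char)('A' + pos - 1);
    }
    out[n / 2] = '\0';
    return n / 2;
}

/* Constructed 20-byte TCP header (ports are made-up sample values). */
void sample_header(uint8_t h[20], uint32_t seq, uint32_t ack, uint8_t flags) {
    memset(h, 0, 20);
    h[0] = 0x30; h[1] = 0x39; h[3] = 80;            /* src 12345, dst 80 */
    for (int i = 0; i < 4; i++) {
        h[4 + i] = (uint8_t)(seq >> (24 - 8 * i));
        h[8 + i] = (uint8_t)(ack >> (24 - 8 * i));
    }
    h[12] = 5 << 4; h[13] = flags; h[14] = 0x04;    /* data offset 5, window 1024 */
}
int main(void) {
    uint8_t h[20]; uint32_t ack; char text[8];
    sample_header(h, 11111, 1815080920u, TH_FLAG_SYN);   /* values from the post */
    if (ack_field_anomaly(h, sizeof h, &ack) == 1 && decode_letter_pairs(ack, text, sizeof text) > 0)
        printf("SYN without ACK flag carries ack=%u (letter pairs: %s)\n", (unsigned)ack, text);
    return 0;
}
```

The flag/field mismatch is the durable signal; the letter-pair decoding only matches the exact encoding shown in the post and will miss any other numeric encoding.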