The Forest

Easy | Network Security

Overview

Analyze a packet capture from a legacy file-transfer system. A secret is tucked into otherwise normal-looking control exchanges. Discover the covert method and recover the hidden message.

Lab Details

Prerequisites & Requirements

  • Basic familiarity with TCP/IP and application-layer protocols (especially FTP)
  • A working copy of Wireshark (or any pcap-capable tool) and a text editor
  • Python 3 (optional, for the supplied solver script) and scapy if you want to run the provided code
  • Comfort reading ASCII/UTF-8 and a little mental arithmetic (you’ll be doing small integer calculations)

What will you learn?

  • How a covert channel can hide a message inside seemingly normal control traffic
  • How to spot the channel in a noisy capture, reassemble TCP application data, and extract the embedded bytes
  • A minimal, reliable parsing approach (both manual Wireshark steps and a short Python solver)
  • The attacker mindset: how to look for unusual repetition and numeric patterns in protocol fields

Tools

  • Wireshark: For manual analysis and TCP reassembly
  • Python 3 + scapy: For an automated solver (optional but convenient)
  • A plain text editor: To copy/paste reassembled streams into

Job Positions

Security Analyst

Tags

Ftp, Wireshark, Pcap, Packet Analysis, Tcp