"Why? Because any non-standard protocol data will be thrown out by the first switch or router on the path out of the target LAN. "
That's not necessarily true. Misconfigurations and weird issues in networking gear caused vendors to be kind of permissive about some things. Depending on the vendor, they might drop it or pass it through. Network security folks in the field, in or away from NSA, probably have a good idea of what things make it through most often plus fall-back options. They might even keep current documentation of it based on field reports over time. They'd just use that stuff. Also, intelligence work is very difficult and opportunistic already. A method doesn't have to work all the time: just enough to keep trying it.