I Smell Packets


Solution to the “Check It Out” Packet Challenge using Scapy
April 22, 2011, 1:03 am
Filed under: Packet Challenge, scapy

Here’s a nifty solution to the “Check It Out” Packet Challenge by StalkR (@stalkr_ on Twitter) that uses Scapy:

StalkR writes:

Just seen the challenge and wanted to try :)

1) save the hexdump on the blog post into packet.txt

2) turn it back into a hex string
$ awk '$0!=""{print $0}' packet.txt | sed 's/ //g' | tr -d '\n' > packet.hex

3) run scapy
$ scapy
Welcome to Scapy (2.1.0)

4) load hex and decode
$ scapy
>>> p = open('packet.hex').read().decode('hex')
>>> p
'E\x00\x05\'\x00\x01@\x0[...]'

5) load it as an IP packet
>>> p = IP(p)
>>> p
<IP  version=4L ihl=5L tos=0x0 len=1319 [...] chksum=0x0

6) remove chksum to force calculation
>>> p.chksum = None

7a) force calculation of chksum either with show2()
>>> p.show2()
###[ IP ]###
[...]
chksum= 0xb27c

7b) or just turn packet into string and load it again:
>>> '0x%04x' % IP(str(p)).chksum
'0xb27c'

Hurray for scapy \o/

Chris continues:

Very cool use of scapy.  What other tools could we use to solve this?

As always, if you’d like to submit a challenge to http://www.ismellpackets.com contact me at chris (dot) christianson (at) gmail (dot) com.


 



Solution to the “Check It Out” Packet Challenge
April 19, 2011, 4:21 pm
Filed under: checksum, Packet Challenge

The winner of the “Check It Out” Packet Challenge is Jamie Starkel (@jstarkel on Twitter). Here’s Jamie’s solution:

Jamie writes:

The sample packet beginning with 4500 tells us a few things. The first is that the first byte (45) means that it is an IPv4 packet, and the 5 is the Internet Header Length, which is actually 20, because the field is measured in 32-bit multiples.

So our working set of bytes is the first 20:

4500 0527 0001 4000 4006 0000 c0a8 0102
c0a8 0101

Putting the binary values alongside makes the calculations easier.

I ended up with a table like the following:
Hex     Binary
4500    0100010100000000
0527    0000010100100111
0001    0000000000000001
4000    0100000000000000
4006    0100000000000110
0000    0000000000000000 <-- the checksum is set to zero
c0a8    1100000010101000
0102    0000000100000010
c0a8    1100000010101000
0101    0000000100000001

We are going to take the binary value of the first two bytes and add them together. Then we’ll take that result and add it to the next two bytes, and so on. If we need to carry a bit, we’ll go ahead and do that but drop the extra bit when adding it to the next two bytes since we have to keep them as 16-bit words. Once we get the eighth and last result, we’ll have to take the ones complement of it and that will give us our final checksum.

So here we go:

4500    0100010100000000
0527    0000010100100111
4a27    0100101000100111    <-- This is the 1st result.

4a27    0100101000100111    <-- First result plus next 16-bit word.
0001    0000000000000001
4a28    0100101000101000    <-- This is the 2nd result.

4a28    0100101000101000    <-- Second result plus next 16-bit word.
4000    0100000000000000
8a28    1000101000101000    <-- This is the 3rd result.

8a28    1000101000101000    <-- Third result plus next 16-bit word.
4006    0100000000000110
ca2e    1100101000101110    <-- This is the 4th result.

ca2e    1100101000101110    <-- Fourth result plus next 16-bit word.
c0a8    1100000010101000
18ad6  11000101011010110    <-- Fifth result has a carry bit. Since we need to keep these in 16-bit words, we add the carry bit to the result.

18ad6  11000101011010110
 8ad7   1000101011010111    <-- This is the final 5th result

8ad7    1000101011010111    <-- Final 5th result plus next 16-bit word
0102    0000000100000010
8bd9    1000101111011001    <-- This is the 6th result

8bd9    1000101111011001    <-- Sixth result plus next 16-bit word.
c0a8    1100000010101000
14c81  10100110010000001    <-- Seventh result has a carry bit. Since we need to keep these in 16-bit words, we add the carry bit to the result.

14c81  10100110010000001
 4c82   0100110010000010    <-- This is the final 7th result

4c82    0100110010000010    <-- Seventh result plus last 16-bit word.
0101    0000000100000001
4d83    0100110110000011    <-- Last result

4d83    0100110110000011
b27c    1011001001111100    <-- Ones complement of last result is the checksum

So the final checksum of this packet is b27c.

 

Chris continues:

Congrats Jamie! Even though there are many cool tools that can do this work for you, it’s nice to know how the checksum is actually calculated.  Speaking of cool tools, Thursday I’ll post a solution that was sent in using Scapy.

Also, did anyone take a look at the payload? :)
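
The same calculation without Scapy, as an added example (not code from the original posts or from the submitters): plain Python 3 that reproduces the intermediate sums in Jamie's walk-through and the final b27c from the 20 header bytes quoted above, then checks the result the way a receiver would. The function names are made up for this illustration.

```python
import struct

# First 20 bytes of the challenge packet, as quoted on this page
# (the checksum field at byte offset 10 is zero).
HEADER_HEX = "4500 0527 0001 4000 4006 0000 c0a8 0102 c0a8 0101"


def parse_header(hex_text):
    """Return the IPv4 header bytes, sized from the IHL nibble."""
    raw = bytes.fromhex(hex_text)  # fromhex skips the spaces
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl_bytes = (raw[0] & 0x0F) * 4  # IHL counts 32-bit words
    if ihl_bytes < 20 or ihl_bytes > len(raw):
        raise ValueError("bad or truncated IHL")
    return raw[:ihl_bytes]


def running_sums(header):
    """One's-complement running sum after each 16-bit word."""
    total, steps = 0, []
    for (word,) in struct.iter_unpack("!H", header):
        total += word
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
        steps.append(total)
    return steps


def set_checksum(header):
    """Zero bytes 10-11, sum the header, store the complement there."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    csum = ~running_sums(zeroed)[-1] & 0xFFFF
    return zeroed[:10] + struct.pack("!H", csum) + zeroed[12:]


def is_valid(header):
    """With a correct checksum in place, all words sum to 0xffff."""
    return running_sums(header)[-1] == 0xFFFF


if __name__ == "__main__":
    hdr = parse_header(HEADER_HEX)
    print(" ".join("%04x" % s for s in running_sums(hdr)))
    fixed = set_checksum(hdr)
    print("checksum = 0x" + fixed[10:12].hex())
    print("verifies:", is_valid(fixed))
```

The running sums include one entry per 16-bit word, so the zero checksum word repeats ca2e before the first carry is folded in.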




“Check It Out” Packet Challenge
March 25, 2011, 11:51 pm
Filed under: Packet Challenge

It’s time for another packet challenge.  This time the challenge is to calculate the IP Header checksum of the following packet:

As always, best explanation wins. Send your answers to chris (dot) christianson (at) gmail (dot) com.

 



