The winner of the “Check It Out” Packet Challenge is Jamie Starkel (@jstarkel on Twitter). Here’s Jamie’s solution:
Jamie writes:
The sample packet beginning with 4500 tells us a few things. The first is that the first byte (45) means that it is an IPv4 packet, and the 5 is the Internet Header Length, which is actually 20, because the field is measured in 32-bit multiples.
So our working set of bytes is the first 20:
4500 0527 0001 4000 4006 0000 c0a8 0102
c0a8 0101
Putting the binary value alongside makes the calculations easier.
I ended up with a table like the following:
Hex Binary
4500 0100010100000000
0527 0000010100100111
0001 0000000000000001
4000 0100000000000000
4006 0100000000000110
0000 0000000000000000 <– the checksum is set to zero
c0a8 1100000010101000
0102 0000000100000010
c0a8 1100000010101000
0101 0000000100000001
We are going to take the binary value of the first two bytes and add them together. Then we’ll take that result and add it to the next two bytes, and so on. If we need to carry a bit, we’ll go ahead and do that but drop the extra bit when adding it to the next two bytes since we have to keep them as 16-bit words. Once we get the eighth and last result, we’ll have to take the ones complement of it and that will give us our final checksum.
So here we go:
0527 0000010100100111
4a27 0100101000100111 <– This is the 1st result.
4a27 0100101000100111 <– First result plus next 16-bit word.
0001 0000000000000001
4a28 0100101000101000 <– This is the 2nd result.
4a28 0100101000101000 <– Second result plus next 16-bit word.
4000 0100000000000000
8a28 1000101000101000 <– This is the 3rd result.
8a28 1000101000101000 <– Third result plus next 16-bit word.
4006 0100000000000110
ca2e 1100101000101110 <– This is the 4th result.
ca2e 1100101000101110 <– Fourth result plus next 16-bit word.
c0a8 1100000010101000
18ad6 11000101011010110 <– Fifth result has a carry bit. Since we need to keep these in 16-bit words, we add the carry bit to the result.
18ad6 11000101011010110
.8ad7 1000101011010111 <– This is the final 5th result
8ad7 1000101011010111 <– Final 5th result plus next 16-bit word
0102 0000000100000010
8bd9 1000101111011001 <– This is the 6th result
8bd9 1000101111011001 <– Sixth result plus next 16-bit word.
c0a8 1100000010101000
14c81 10100110010000001 <– Seventh result has a carry bit. Since we need to keep these in 16-bit words, we add the carry bit to the result.
14c81 10100110010000001
.4c82 0100110010000010 <– This is the final 7th result
4c82 0100110010000010 <– Seventh result plus last 16-bit word.
0101 0000000100000001
4d83 0100110110000011 <– Last result
4d83 0100110110000011
b27c 1011001001111100 <– Ones complement of last result is the checksum
So the final checksum of this packet is b27c.
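The same calculation as a short Python script (an added example, not part of Jamie's submission or the original post): it sums the 16-bit words with the carry folded back in, records each running total so it can be compared with the numbered results above, and confirms that the header verifies once the checksum is filled in. The function names are illustrative.

```python
import struct

# Header bytes from the challenge, checksum field (bytes 10-11) set to zero.
HEADER = bytes.fromhex("4500 0527 0001 4000 4006 0000 c0a8 0102 c0a8 0101")

def header_length(packet: bytes) -> int:
    """Return the IPv4 header length in bytes, read from the version/IHL byte."""
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version={version})")
    if ihl < 5 or ihl * 4 > len(packet):
        raise ValueError(f"bad IHL {ihl} for {len(packet)} bytes")
    return ihl * 4  # IHL counts 32-bit words

def ones_complement_sum(data: bytes, trace=None) -> int:
    """Add big-endian 16-bit words, folding each carry back into the low 16 bits."""
    if len(data) % 2:
        data += b"\x00"  # pad odd input; an IPv4 header is always even-length
    total = 0
    for (word,) in struct.iter_unpack("!H", data):
        total += word
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
        if trace is not None:
            trace.append(total)  # running total after each word
    return total

def ipv4_checksum(packet: bytes, trace=None) -> int:
    """Compute the header checksum, treating the checksum field as zero."""
    header = bytearray(packet[:header_length(packet)])
    header[10:12] = b"\x00\x00"
    return ~ones_complement_sum(bytes(header), trace) & 0xFFFF

def fill_checksum(packet: bytes) -> bytes:
    """Return the packet with the computed checksum written into bytes 10-11."""
    return packet[:10] + struct.pack("!H", ipv4_checksum(packet)) + packet[12:]

def checksum_ok(packet: bytes) -> bool:
    """A valid header, checksum field included, sums to 0xffff."""
    return ones_complement_sum(packet[:header_length(packet)]) == 0xFFFF

if __name__ == "__main__":
    steps = []
    csum = ipv4_checksum(HEADER, steps)
    print("running totals:", " ".join(f"{s:04x}" for s in steps))
    print(f"checksum: {csum:04x}")
    print("verifies after fill:", checksum_ok(fill_checksum(HEADER)))
```

A receiver runs the `checksum_ok` form of the check: it sums the header as received, checksum included, and any single flipped bit makes the result differ from 0xffff.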
Chris continues:
Congrats Jamie! Even though there are many cool tools that can do this work for you, it’s nice to know how the checksum is actually calculated. Speaking of cool tools, Thursday I’ll post a solution that was sent in using Scapy.
Also, did anyone take a look at the payload? 🙂