I Smell Packets


Solution to the “Check It Out” Packet Challenge
April 19, 2011, 4:21 pm
Filed under: checksum, Packet Challenge

The winner of the “Check It Out” Packet Challenge is Jamie Starkel (@jstarkel on Twitter). Here’s Jamie’s solution:

Jamie writes:

The sample packet beginning with 4500 tells us a few things. The first is that the first byte (45) means that it is an IPv4 packet, and the 5 is the Internet Header Length, which is actually 20, because the field is measured in 32-bit multiples.

So our working set of bytes is the first 20:

4500 0527 0001 4000 4006 0000 c0a8 0102 c0a8 0101

Putting the binary value alongside makes the calculations easier.

I ended up with a table like the following:
Hex     Binary
4500    0100010100000000
0527    0000010100100111
0001    0000000000000001
4000    0100000000000000
4006    0100000000000110
0000    0000000000000000 <– the checksum is set to zero
c0a8    1100000010101000
0102    0000000100000010
c0a8    1100000010101000
0101    0000000100000001

We are going to take the binary value of the first two bytes and add them together. Then we’ll take that result and add it to the next two bytes, and so on. If we need to carry a bit, we’ll go ahead and do that but drop the extra bit when adding it to the next two bytes since we have to keep them as 16-bit words. Once we get the eighth and last result, we’ll have to take the ones complement of it and that will give us our final checksum.

So here we go:

4500    0100010100000000
0527    0000010100100111
4a27    0100101000100111    <– This is the 1st result.

4a27    0100101000100111    <– First result plus next 16-bit word.
0001    0000000000000001
4a28    0100101000101000    <– This is the 2nd result.

4a28    0100101000101000    <– Second result plus next 16-bit word.
4000    0100000000000000
8a28    1000101000101000    <– This is the 3rd result.

8a28    1000101000101000    <– Third result plus next 16-bit word.
4006    0100000000000110
ca2e    1100101000101110    <– This is the 4th result.

ca2e    1100101000101110    <– Fourth result plus next 16-bit word.
c0a8    1100000010101000
18ad6  11000101011010110    <– Fifth result has a carry bit. Since we need to keep these in 16-bit words, we add the carry bit to the result.

18ad6   11000101011010110
8ad7    1000101011010111    <– This is the final 5th result

8ad7    1000101011010111    <– Final 5th result plus next 16-bit word
0102    0000000100000010
8bd9    1000101111011001    <– This is the 6th result

8bd9    1000101111011001    <– Sixth result plus next 16-bit word.
c0a8    1100000010101000
14c81  10100110010000001    <– Seventh result has a carry bit. Since we need to keep these in 16-bit words, we add the carry bit to the result.

14c81  10100110010000001
4c82    0100110010000010    <– This is the final 7th result

4c82    0100110010000010    <– Seventh result plus last 16-bit word.
0101    0000000100000001
4d83    0100110110000011    <– Last result

4d83    0100110110000011
b27c    1011001001111100    <– Ones complement of last result is the checksum

So the final checksum of this packet is b27c.

 

Chris continues:

Congrats Jamie! Even though there are many cool tools that can do this work for you, it’s nice to know how the checksum is actually calculated.  Speaking of cool tools, Thursday I’ll post a solution that was sent in using Scapy.

Also, did anyone take a look at the payload? 🙂
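The word-by-word addition walked through above can be written as a short Python routine. This is an added example, not part of the original post and not the Scapy solution it mentions; the function names are chosen for this example. It also shows the receiver-side check: a header whose checksum field is filled in correctly sums to ffff.

```python
import struct

# The 20 header bytes from the challenge, checksum field (bytes 10-11) zeroed.
CHALLENGE_HEADER = bytes.fromhex(
    "4500 0527 0001 4000 4006 0000 c0a8 0102 c0a8 0101"
)


def ones_complement_sum(data: bytes) -> int:
    """Add 16-bit big-endian words, folding any carry back into the low bits."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input with a zero byte
    total = 0
    for (word,) in struct.iter_unpack("!H", data):
        total += word
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    return total


def ipv4_header_length(packet: bytes) -> int:
    """Return the header length in bytes (IHL * 4) after basic sanity checks."""
    if not packet or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = packet[0] & 0x0F
    if ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("bad or truncated IPv4 header")
    return ihl * 4


def ipv4_checksum(packet: bytes) -> int:
    """Compute the header checksum, ignoring whatever is in the checksum field."""
    header = bytearray(packet[: ipv4_header_length(packet)])
    header[10:12] = b"\x00\x00"
    return ~ones_complement_sum(bytes(header)) & 0xFFFF


def checksum_is_valid(packet: bytes) -> bool:
    """A header with a correct checksum in place sums to 0xFFFF."""
    return ones_complement_sum(packet[: ipv4_header_length(packet)]) == 0xFFFF


if __name__ == "__main__":
    print(f"{ipv4_checksum(CHALLENGE_HEADER):04x}")
```
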
