The winner of the “Check It Out” Packet Challenge is Jamie Starkel (@jstarkel on Twitter) Here’s Jamie’s solution:

**Jamie writes:**** **

Given the sample packet beginning with 4500 tells us a few things. The first is that the first byte (45) means that it is an IPv4 packet, and the 5 is the Internet Header Length, which is actually 20, because the field is measured in 32-bit multiples.

So our working set of bytes is the first 20:

4500 0527 0001 4000 4006 0000 c0a8 0102

c0a8 0101

Putting alongside the binary value makes the calculations easier.

I ended up with a table like the following:

Hex Binary

4500 0100010100000000

0527 0000010100100111

0001 0000000000000001

4000 0100000000000000

4006 0100000000000110

0000 0000000000000000 <– the checksum is set to zero

c0a8 1100000010101000

0102 0000000100000010

c0a8 1100000010101000

0101 0000000100000001

We are going to take the binary value of the first two bytes and add them together. Then we’ll take that result and add it to the next two bytes, and so on. If we need to carry a bit, we’ll go ahead and do that but drop the extra bit when adding it to the next two bytes since we have to keep them as 16-bit words. Once we get the eighth and last result, we’ll have to take the ones complement of it and that will give us our final checksum.

So here we go:

0527 0000010100100111

4a27 0100101000100111 <– This is the 1st result.

4a27 0100101000100111 <– First result plus next 16-bit word.

0001 0000000000000001

4a28 0100101000101000 <– This is the 2nd result.

4a28 0100101000101000 <– Second result plus next 16-bit word.

4000 0100000000000000

8a28 1000101000101000 <– This is the 3rd result.

8a28 1000101000101000 <– Third result plus next 16-bit word.

4006 0100000000000110

ca2e 1100101000101110 <– This is the 4th result.

ca2e 1100101000101110 <–Fourth result plus next 16-bit word.

c0a8 1100000010101000

18ad6 11000101011010110 <– Fifth result has a carry bit. Since we need to keep these in 16-bit words, we add the carry bit to the result.

18ad6 11000101011010110

.8ad7 1000101011010111 <– This is the final 5th result

8ad7 1000101011010111 <– Final 5th result plus next 16-bit word

0102 0000000100000010

8bd9 1000101111011001 <– This is the 6th result

8bd9 1000101111011001 <– Sixth result plus next 16-bit word.

c0a8 1100000010101000

14c81 10100110010000001 <– Seventh result has a carry bit. Since we need to keep these in 16-bit words, we add the carry bit to the result.

14c81 10100110010000001

.4c82 0100110010000010 <– This is the final 7th result

4c82 0100110010000010 <– Seventh result plus last 16-bit word.

0101 0000000100000001

4d83 0100110110000011 <– Last result

4d83 0100110110000011

b27c 1011001001111100 <– Ones complement of last result is the checksum

So the final checksum of this packet is b27c.

**Chris continues:**

** **Congrats Jamie! Even though there are many cool tools that can do this work for you, it’s nice to know how the checksum is actually calculated. Speaking of cool tools, Thursday I’ll post a solution that was sent in using Scapy.

Also, did anyone take a look at the payload? 🙂