45 20 01 b4 96 25 40 00 39 06 60 6a 5d b8 d7 c8 0a 01 0a 13
An IPv4 header is between 20 and 60 bytes long, and a header longer than 20 bytes means options are present. So how long is this header?
Each hexadecimal character is four bits and 8 bits make a byte, so every two characters is one byte. So let's count the bytes:
45 | 20 | 01 | b4 | 96 | 25 | 40 | 00 | 39 | 06 | 60 | 6a | 5d | b8 | d7 | c8 | 0a | 01 | 0a | 13 |
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 |
Ok, looks like we have a 20 byte header, so there are no options.
We'll need a couple of things for our translation: the cheat sheets in my last post to convert hex to binary and decimal:
http://websitenotebook.blogspot.com/2014/05/hexadecimal-to-binary-to-decimal-cheat.html
Also the layout for the IPv4 header in this post which tells us the purpose of the hex values in the various positions:
http://websitenotebook.blogspot.com/2014/03/ip-internet-protocol_1.html
Byte 1 (45)
The first two hex digits are always the version and the header length.
4 in hex = version 4 (IPv4), which is the default version.
5 is the length. 5 in hex = 5 in decimal, and the header length is counted in 4-byte (32-bit) words, so we multiply by 4 to get our length = 20 (confirms our analysis above).
Byte 2 (20)
Byte 2 is 20. This is Type of Service. Going to skip this one for now as most routers ignore it.
Bytes 3-4 (01 b4)
This is the datagram length (header + payload).
So the binary version of this, using our cheat sheet from the prior post, is:
0 0 0 0 0 0 0 1 1 0 1 1 0 1 0 0
We've got 1's in positions (counting from the right, starting at 0): 2, 4, 5, 7, 8
We grab the decimal values for these and add them up:
4 + 16 + 32 + 128 + 256 = 436
Yep, that matches up with Wireshark so cool.
Bytes 5-6 (96 25)
This is our unique id. It should be a random number, so I'm not going to bother translating this one right now. It might be important if you want to verify randomness.
Next 4 bits - flags (4)
We need to turn this value into 4 bits to determine our flags.
The binary version of 4 is:
0 1 0 0
That means we have one flag set: 1 indicates the datagram may be fragmented; however, the next bit indicates no more fragments exist.
Next 12 bits (0 0 0)
This is our fragment offset. Although the packet says it may be fragmented, the flag indicating no more fragments was set as noted, and the fragment offset of this packet is 0, so it seems there is only one packet.
Next byte (39)
The next byte is the time to live. 39 in hex translated to binary:
0 0 1 1 1 0 0 1
We've got 1's in positions 0, 3, 4, 5; grab the decimal values:
1 + 8 + 16 + 32 = 57
Cool, matches Wireshark again.
1 byte for the protocol (06)
Translate to binary:
0 0 0 0 0 1 1 0
Translate to decimal; 1's in positions 1 and 2:
2 + 4 = 6
Take a look at our nifty protocol chart:
# | protocol |
1 | ICMP |
2 | IGMP |
6 | TCP |
9 | IGRP |
17 | UDP |
47 | GRE |
50 | ESP |
51 | AH |
57 | SKIP |
88 | EIGRP |
89 | OSPF |
115 | L2TP |
Looks like we have TCP (#6).
Next 2 bytes (60 6a)
This is our header checksum. Equipment uses it to verify that nothing in the header has inadvertently changed in transit; it is an error check, not a security control, and it covers only the header, not the payload.
4 bytes (5d b8 d7 c8)
Source address
We need to figure out if we have a Class A, B or C IP address to know which bytes refer to network and which bytes refer to host in the address.
A - one byte for network, three bytes for host
B - two bytes for network, two bytes for host
C - three bytes for network, one byte for host
Look at first number to determine if class A, B or C:
1-127 = A
128-191 = B
192-223 = C
Each byte is one part of the address, written with a dot (.) in between (dotted-decimal notation):
5d = 0 1 0 1 1 1 0 1 = positions = 0, 2, 3, 4, 6 = 1 + 4 + 8 + 16 + 64 = 93
b8 = 1 0 1 1 1 0 0 0 = positions = 3, 4, 5, 7 = 8 + 16 + 32 + 128 = 184
d7 = 1 1 0 1 0 1 1 1 = positions = 0, 1, 2, 4, 6, 7 = 1 + 2 + 4 + 16 + 64 + 128 = 215
c8 = 1 1 0 0 1 0 0 0 = positions = 3, 6, 7 = 8 + 64 + 128 = 200
So we have a class A address (93).
Address is 93.184.215.200
We can look that up at ARIN.net...but wait...it's a RIPE address?? Not sure why a computer on my network is connecting to a European address...but that's a topic for http://randominternet.blogspot.com
inetnum: 93.184.212.0 - 93.184.215.255
netname: EDGECAST-NETBLK-03
descr: NETBLK-03-EU-93-184-212-0-22
country: EU
admin-c: DS7892-RIPE
tech-c: DS7892-RIPE
status: ASSIGNED PA
mnt-by: MNT-EDGECAST
source: RIPE # Filtered
4 bytes (0a 01 0a 13)
Destination address
Same concept as above.
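Putting the whole walkthrough into code, as an added example that is not from the original post: this Python script parses the same 20-byte hex dump field by field, reproduces the bit-position method used above, verifies the header checksum with the one's-complement sum, and prints the source and destination addresses with their class. It follows the RFC 791 layout for the two bytes after the identification field (three flag bits: reserved, DF = don't fragment, MF = more fragments, followed by a 13-bit fragment offset counted in 8-byte units). The hex dump and the protocol chart come from the post; the function names and dictionary keys are my own.

```python
"""Decode the post's 20-byte IPv4 header by hand, field by field.

Added example, not code from the original post. Field layout follows RFC 791:
the two bytes after the identification field hold 3 flag bits (reserved,
DF = don't fragment, MF = more fragments) and a 13-bit fragment offset.
"""
import struct

# Hex dump from the post (the 20-byte header only; the payload is not shown).
HEX_DUMP = "45 20 01 b4 96 25 40 00 39 06 60 6a 5d b8 d7 c8 0a 01 0a 13"

# Protocol chart from the post.
PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 9: "IGRP", 17: "UDP", 47: "GRE",
             50: "ESP", 51: "AH", 57: "SKIP", 88: "EIGRP", 89: "OSPF", 115: "L2TP"}


def set_bit_positions(value: int) -> list:
    """The post's method: list the positions of the 1 bits (bit 0 is the
    rightmost), so the decimal value is the sum of 2**position over them."""
    return [i for i in range(value.bit_length()) if (value >> i) & 1]


def ones_complement_sum(data: bytes) -> int:
    """Sum the 16-bit big-endian words and fold the carries back in.
    Over a correct IPv4 header (checksum field included) the result is 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def address_class(first_octet: int) -> str:
    """Classful ranges as given in the post (a historical, pre-CIDR notion)."""
    if 1 <= first_octet <= 127:
        return "A"
    if 128 <= first_octet <= 191:
        return "B"
    if 192 <= first_octet <= 223:
        return "C"
    return "D/E"


def parse_ipv4_header(hex_dump: str) -> dict:
    """Return the header fields as a dictionary (key names are my own)."""
    raw = bytes.fromhex(hex_dump)
    if len(raw) < 20:
        raise ValueError("an IPv4 header is at least 20 bytes")
    # Bytes 1-12: fixed fields; bytes 13-20: source and destination addresses.
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum = \
        struct.unpack("!BBHHHBBH", raw[:12])
    version = ver_ihl >> 4
    header_len = (ver_ihl & 0x0F) * 4          # IHL counts 32-bit words
    if version != 4:
        raise ValueError("not IPv4: version %d" % version)
    if header_len < 20 or header_len > len(raw):
        raise ValueError("bad header length %d" % header_len)
    src, dst = raw[12:16], raw[16:20]
    return {
        "version": version,
        "header_length": header_len,
        "options": raw[20:header_len],         # empty when IHL is 5
        "dscp": tos >> 2,                      # the old Type of Service byte
        "ecn": tos & 0x03,
        "total_length": total_len,             # header + payload, in bytes
        "identification": ident,
        "flag_df": bool(flags_frag & 0x4000),  # second of the 3 flag bits
        "flag_mf": bool(flags_frag & 0x2000),  # third of the 3 flag bits
        "fragment_offset": (flags_frag & 0x1FFF) * 8,  # counted in 8-byte units
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": PROTOCOLS.get(proto, "unknown"),
        "checksum": csum,
        "checksum_ok": ones_complement_sum(raw[:header_len]) == 0xFFFF,
        "src": ".".join(str(b) for b in src),
        "src_class": address_class(src[0]),
        "dst": ".".join(str(b) for b in dst),
        "dst_class": address_class(dst[0]),
    }


if __name__ == "__main__":
    for key, val in parse_ipv4_header(HEX_DUMP).items():
        print("%-16s %s" % (key, val))
    # Reproduce the post's bit-position arithmetic for bytes 3-4.
    print("positions of 01b4:", set_bit_positions(0x01B4))
```

Running the script reproduces the values worked out above (total length 436, TTL 57, protocol 6 = TCP, source 93.184.215.200, class A) and adds the two things the walkthrough did not compute: the destination 10.1.10.19 and confirmation that 0x606a is the correct checksum for these 20 bytes. Flipping any header byte makes `checksum_ok` false, which is exactly the accidental-corruption case the field is designed to catch.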