IPv4 Packet or IP Packet Format: Understanding the Anatomy of IPv4 Data Transmission

It is very important to understand the structure of an IP packet especially if you are indulged in a lot of IP network troubleshooting. Today most of the networks has been built on IP and IPv4 is the most common IP addressing scheme used. IP addressing can be quite difficult with subnetting and supernetting coming in.  An IPv4 Packet header contains the fields as shown in the diagram:

A short description of all the fields is as below:

• Version: It is a 4 bit field. Defines the version to which IP packet belongs. In this case it is version 4, If it is represented in Binary, it will be written as 0100. For IPv6(also called as IPng: next generation IP), this field is set to 6.
• Header Length: 4 bit field, defines the header length, as IPv4 header can be of variable length because of Option field present in IP header. It represents the number of 32 bit words.  The minimum value for this field must be 5. Hence the minimum length of IP header comes out to be 5*32=160 bits or 20 bytes. Hence a smallest IP header is of 20 bytes. Header length is a 4 bit field, hence it can be a value between 5 and 15.
• Type of Service(TOS): 8 bit field. It is used to carry Quality of Service information. Different services in network can be categorized in different QoS class and each can be represented with this field of IP header. It can contain IP precedence, Differentiated Service Code Point(DSCP), Class of Service(CoS) values, depending upon the QoS model used.
• Total length: 16 bit field. The total length describes the total length of IP packet including the header. Hence a receiver can calculate the length of payload by subtracting Header Length from Total Length. It describes the number of octets of an IP packet. It is a 16 bit field, hence can count until 65,535. Hence maximum size of an IP packet can not be more than 65,535 bytes or octets.
• Identifier: 16 bit field. An IP packet has to go through different Media and different Media might have different MTU(Maximum Transfer Unit) sizes. MTU size is the maximum size of the packet, a particular interface can transmit. So if an interface has MTU of 1500 bytes and it wants to transmit a packet of 2000 bytes. It has to fragment the packet into 2 fragments and has to transfer. Hence router will mark both the packets with same identifier so that the other end router can group the packets together.
• Flags: 3 bit field. First bit is not being used. Second bit represents the Don’t Fragment Bit and third bit is More Fragment bit.
• Don’t Fragment(DF) Bit: This bit can be used in troubleshooting of MTU issues in the network. If this bit is set, router will not fragment the packet and will drop the packet. For example, if router’s interface MTU is 1500 bytes and if it receives a packet of more than 1500 bytes and if DF bit is on, router will not fragment the packet but will drop the packet. For troubleshooting, you can send a packet with a higher size and set this bit and can trace which router is dropping the packet. This can be done with the help of an extended ping.
• More Fragment(MF) Bit: The last bit of flags field define that whether more fragments are expected or not. In a series of fragmented packets, all the fragments will have this bit set other than the last fragment.
• Fragment Offset:This field solves the problem of sequencing fragments by indicating the recipient device where in the overall message each particular fragment should be placed. The field is 13 bits wide, so the offset can be from 0 to 8191. Fragments are specified in units of 8 bytes, which is why fragment length must be a multiple of 8. Hence if a router is fragmenting a 5000 bytes packet into 3 packets of maximum 1480 bytes. Fragment offset for first fragment will be 0. For second it will be 1480/8 = 185 and last fragment will be set to 2960/8=370.
• Time to Live: 8 bit field. Will be set to a particular value, depending upon the implementation. Cisco routers set it to 255. Once packet pass through routers in the network, each router will decrement the value by 1. Hence it is value driven by 255 – number of hops. Once the values reaches 0. The packet will be dropped and sender will be notified about it. This is used to avoid loops in the network. It was initially thought to implement it as time instead of hops hence called Time to Live. But that approach approved to be difficult to implement. Hence we use hop counts in Time to Live field.
• Protocols: 8 bit field. Describes the address or Protocol number of higher layer protocol i.e. Protocol at Transport layer(OSI layer model) or Host-to-Host Layer(TCP/IP Model).
• Header Checksum: 16 bit field. It is the error correction field for the IP -header. The checksum is not calculated for the encapsulated data; UDP, TCP, and ICMP have their own checksums for doing this. The field contains a16-bit one’s complement checksum, calculated by the originator of the packet. The receiver will again calculate a 16-bit one’s complement sum, including the original checksum. If no errors have occurred during the packet’s travels, the resulting checksum will be all ones. Remember that each router decrements the TTL; therefore, the checksum must be recalculated at each router.
• Source Address: 32 bit field. This is 32 bit IP address. Usually represented in decimal as x.x.x.x format where x is any decimal value ranging from 0 to 255. This represents the source address of the packet.
• Destination Address: 32 bit field. Used to find the address to which packet is going. Represented in same format as source address.
• Option: Variable length. As name implies this is an optional field in IP header. Mostly used for testing purposes. It can have some special handling instructions for the router. Some examples might be Copied, Loose Source Routing, Strict Source Routing, Record Route, Timestamp etc.
• Padding: As option is a variable length field. It might happen that it does not end on a 32 bit boundary. Hence router adds 0’s in the padding field to ensure that header remains a multiple of 32 bits.

Below is the capture of an IP packet, please take some time to verify all the fields:

Note: For fragmentation to work correctly, Identifier, flags and fragmentation field has to work in conjunction.