Packet Structure

6 min read

Parent
📦
Packet Switching
Breaking data into manageable pieces
Current
📋
Packet Structure
Header, data, checksum

Packet Structure

Part of Networking

How data is organized at the network layer for routing across interconnected networks.

Why This Matters

A packet is the fundamental unit of data at the network layer — the layer responsible for routing data across multiple interconnected networks. Every piece of data transmitted across the internet travels as packets. Understanding packet structure means understanding how addressing, routing, fragmentation, and protocol identification work at the level where the actual routing decisions are made.

Packet structure is the basis for network analysis, firewall rule writing, and protocol debugging. When you look at a Wireshark capture or a firewall log, you are reading packet headers. When you write a firewall rule that permits TCP traffic on port 80, you are describing packets by their header fields. When a router makes a forwarding decision, it reads the destination IP address from the packet header. Understanding the structure makes all of these activities meaningful rather than mechanical.

IPv4 Packet Structure

An IPv4 packet consists of a header (minimum 20 bytes, maximum 60 bytes) followed by the payload (data from the layer above). The header contains all information needed to route the packet to its destination and reassemble fragmented packets.

Version (4 bits): The value 4 indicates IPv4. (IPv6 packets have version 6.)

Internet Header Length (4 bits): The length of the IP header in 32-bit words. Minimum value is 5 (20 bytes), maximum is 15 (60 bytes). Values above 5 indicate the presence of optional fields.

Differentiated Services Code Point (6 bits): Formerly called Type of Service. Used for Quality of Service (QoS) marking — indicating that this packet should receive priority treatment (low latency for voice) or best-effort treatment (bulk data transfer).

Explicit Congestion Notification (2 bits): Allows network devices to signal congestion without dropping packets. Both endpoint and network must support ECN for it to function.

Total Length (16 bits): The total length of the IP packet in bytes, including header and payload. Maximum value is 65,535 bytes, but actual maximum is constrained by the network’s MTU (typically 1500 bytes for Ethernet).

Identification (16 bits): A value assigned by the sender, used to associate fragments of the same original packet. All fragments of one packet share the same identification value.

Flags (3 bits): The Reserved bit (must be 0), the Don’t Fragment (DF) bit, and the More Fragments (MF) bit. DF=1 tells routers not to fragment the packet — if it is too large for the next link, drop it and send an ICMP “Fragmentation Needed” error. MF=1 indicates more fragments follow; MF=0 on the last (or only) fragment.

Fragment Offset (13 bits): The position of this fragment’s data in the original packet, measured in 8-byte units. First fragment has offset 0. Used to reassemble fragments in the correct order.

Time to Live (8 bits): An integer decremented by each router that forwards the packet. When TTL reaches 0, the packet is discarded and an ICMP “Time Exceeded” message is sent to the source. This prevents packets from circulating forever in routing loops. Initial TTL values are typically 64 (Linux) or 128 (Windows).

Protocol (8 bits): Identifies the protocol of the payload. Common values: 1=ICMP, 6=TCP, 17=UDP, 41=IPv6-in-IPv4 (tunnel), 50=ESP (encrypted payload for IPsec).

Header Checksum (16 bits): One’s complement checksum of the IP header only. Not the payload — TCP and UDP have their own checksums. Recalculated by each router that decrements the TTL.

Source Address (32 bits): The IPv4 address of the sender.

Destination Address (32 bits): The IPv4 address of the intended recipient. This is the field routers use to make forwarding decisions.

Options (0-40 bytes): Variable-length field for optional IP header extensions. Rarely used in practice. Record Route (each router records its address), Timestamp (each router records its address and time), and Strict/Loose Source Route (specify required routing path) are defined options. Most firewalls drop packets with IP options.

IPv6 Packet Structure

IPv6 simplifies the IP header by removing rarely used fields and moving optional extensions outside the main header. The fixed header is 40 bytes.

Version (4 bits): Always 6.

Traffic Class (8 bits): Equivalent to IPv4’s DSCP/ECN — QoS marking and congestion notification.

Flow Label (20 bits): Identifies a flow — a sequence of packets between the same source and destination that require the same handling. Routers can use the flow label for load balancing and traffic prioritization without examining the transport layer headers.

Payload Length (16 bits): Length of the payload (not including the 40-byte fixed header).

Next Header (8 bits): Identifies the type of header following the IPv6 header. Can be a transport protocol (6=TCP, 17=UDP, 58=ICMPv6) or an extension header (0=Hop-by-Hop Options, 43=Routing, 44=Fragment, 50=ESP, 51=AH, 60=Destination Options).

Hop Limit (8 bits): Equivalent to IPv4’s TTL.

Source Address (128 bits): 16 bytes, written as eight groups of four hex digits separated by colons (e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334).

Destination Address (128 bits): The routing destination.

IPv6’s extension headers form a chain: each extension header’s Next Header field identifies the type of the following header. This allows arbitrary combinations of optional headers without reserving space in the fixed header. The absence of options in the fixed header allows hardware to parse it at line speed without variable-length processing.

Packet Fragmentation

When a packet is larger than the MTU of a link it must traverse, the packet must be fragmented into smaller pieces or discarded. IPv4 permits fragmentation at any router. IPv6 permits fragmentation only at the source — if an IPv6 packet is too large for a link, the router discards it and sends an ICMPv6 “Packet Too Big” message to the source, which then reduces its packet size.

Fragmentation is expensive: it requires the router to reassemble the IP header fragments, wait for all fragments to arrive (or timeout if one is lost), and process the reassembled packet. Fragment reassembly attacks (sending many fragment headers to exhaust reassembly buffers) are a known denial-of-service vector.

Path MTU Discovery (PMTUD) avoids fragmentation by discovering the minimum MTU along the entire path from source to destination. The source sends packets with DF=1 and listens for ICMP “Fragmentation Needed” responses. When it receives one, it reduces its packet size. This process converges on the minimum MTU along the path and prevents fragmentation entirely. PMTUD requires that ICMP is not blocked — a common misconfiguration that breaks PMTUD and causes mysterious connectivity failures (the link appears up but large file transfers fail).

Reading Packet Headers

Wireshark and tcpdump display packet headers in decoded form. A simple IP header from a TCP connection to a web server might show:

  • Source: 192.168.1.100 (your machine)
  • Destination: 93.184.216.34 (web server)
  • Protocol: TCP
  • TTL: 64
  • Identification: 0x1234
  • Flags: DF set
  • Total Length: 1500

The IP header carries only routing information. To understand what the packet contains, you look at the next layer — the TCP header (inside the IP payload), and then the application data (inside the TCP payload). Each layer wraps the layers above it, and stripping the headers in sequence reveals the actual user data at the innermost layer.