IPv4 Packet Syntax

IP sends and receives IP packets. An IP packet consists of an IP Packet Header, followed by a Transport Layer Header (or ICMP header), followed by the packet payload or data.

The IP packet header is like a shipping label. It contains a source IP address (address of the original sender) and a destination IP address (address of the original recipient). It also contains a few other fields used by IP.

The Transport Layer header contains the source port number and destination port number, along with other things required by either TCP or UDP.

An ICMP header contains the ICMP message type and miscellaneous other information. ICMP messages are used to do things like ping or traceroute. There are only a few ICMP message types for ICMPv4, but quite a few for ICMPv6. In fact, there are two other IPv6 support “protocols” (ND, or Neighbor Discovery, and MLD, or Multicast Listener Discovery) that are really just additional ICMPv6 messages.

IPv4 Packet Header

The IPv4 packet header is normally 20 bytes long. The options field is rarely used, but can extend the header length to a maximum of 60 bytes.

The Version field is a 4-bit value (0 to 15 decimal); it contains 0100 (4 decimal) for IPv4 packets.

The IHL field contains the entire length of the header, in 32-bit words. Since most IPv4 packet headers are 20 bytes long, that is five 32-bit words (4 bytes per word), so this usually contains the value 5.

The Type of Service field contains two items – 6 bits of the Differentiated Services Code Point, which is used in QoS (Quality of Service), and 2 bits of Explicit Congestion Notification.

The Total Length field contains the total length of the packet, in bytes, including the packet header (so the payload is typically TL – 20 bytes long).

The Identification (or Fragment ID) field contains a number that indicates which packet this is a fragment of. All fragments of a given packet will contain the same number. Fragments of any other packet will have a different number.

The DF field is the Don’t Fragment flag. If set (1), the packet cannot be fragmented. If a packet with this flag set cannot go through the next hop, it will be returned as undeliverable.

The MF field is for “more fragments” (to come). A 1 means there are more fragments after this one. A 0 means this is the final fragment of a large packet.

The Fragment Offset field contains the offset within the reconstructed packet where this fragment should start (in units of 16 bytes).

The Time To Live (TTL) field is really a maximum hop count, not a time. Each router it crosses decrements this count by 1. When it reaches 0, the packet is dropped and an ICMPv4 error message is sent to the sender.

The Protocol field indicates what the next part of the packet contains. 1 means the IP header is followed by an ICMPv4 message. 6 means a TCP header follows. 17 means a UDP header follows.

The Header Checksum field contains a checksum of the header.

The Source Address field contains the IPv4 address of the original sender.

The Destination Address field contains the IPv4 address of the original recipient.

The Options field is rarely used, but can be up to 40 bytes long.

After the IPv4 Packet Header, either an ICMPv4 message, a TCP header (and data) or a UDP header (and data) follows, depending on the contents of the Protocol field in the header.
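The following Python parser is an added example, not code from the original page. It decodes the header fields described above and rejects packets whose IHL or Total Length is inconsistent with the bytes actually received. It assumes the header checksum is the one's-complement sum of 16-bit words (RFC 1071), which the page does not spell out; the addresses and values in `build_sample` are constructed. The Fragment Offset is returned as the raw field value.

```python
import socket
import struct

PROTOCOLS = {1: "ICMPv4", 6: "TCP", 17: "UDP"}  # Protocol values named in the text
FMT = "!BBHHHBBH4s4s"                           # fixed 20-byte part of the header

def header_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 1071)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                          # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4_header(packet: bytes) -> dict:
    """Decode and sanity-check the IPv4 header at the start of `packet`."""
    if len(packet) < 20:
        raise ValueError("truncated: fewer than 20 header bytes")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     _cksum, src, dst) = struct.unpack(FMT, packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    header_len = ihl * 4                        # IHL counts 32-bit words
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if ihl < 5 or header_len > len(packet):
        raise ValueError(f"bad IHL {ihl}")
    if not header_len <= total_len <= len(packet):
        raise ValueError(f"bad Total Length {total_len}")
    return {
        "header_len": header_len, "total_len": total_len, "id": ident,
        "dscp": tos >> 2, "ecn": tos & 0x3,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,     # raw 13-bit field value
        "ttl": ttl, "protocol": PROTOCOLS.get(proto, f"other ({proto})"),
        # A valid header, checksum field included, sums to zero.
        "checksum_ok": header_checksum(packet[:header_len]) == 0,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "options": packet[20:header_len],
        "payload": packet[header_len:total_len],
    }

def build_sample() -> bytes:
    """Constructed packet: 20-byte header, DF set, TTL 64, UDP, 8 payload bytes."""
    fields = [0x45, 0, 28, 0x1234, 0x4000, 64, 17, 0,
              socket.inet_aton("192.0.2.1"), socket.inet_aton("198.51.100.7")]
    fields[7] = header_checksum(struct.pack(FMT, *fields))
    return struct.pack(FMT, *fields) + b"\x00" * 8
```

Bounding the payload slice by Total Length rather than by the buffer length keeps trailing link-layer padding out of the payload, and the IHL check prevents a crafted length from pointing past the received bytes.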