IPv4 Packet Header

The IPv4 packet header has quite some fields. In this lesson we’ll take a look at them and I’ll explain what everything is used for. Take a look at this picture:

IP packet header fields

Let’s walk through all these fields:

  • Version: the first field tells us which IP version we are using, only IPv4 uses this header so you will always find decimal value 4 here.
  • Header Length: this 4 bit field tells us the length of the IP header in 32 bit increments. The minimum length of an IP header is 20 bytes so with 32 bit increments, you would see value of 5 here. The maximum value we can create with 4 bits is 15 so with 32 bit increments, that would be a header length of 60 bytes. This field is also called the Internet Header Length (IHL).
  • Type of Service: this is used for QoS (Quality of Service). There are 8 bits that we can use to mark the packet which we can use to give the packet a certain treatment. You can read more about this field in my IP precedence and DSCP lesson.
  • Total Length: this 16-bit field indicates the entire size of the IP packet (header and data) in bytes. The minimum size is 20 bytes (if you have no data) and the maximum size is 65.535 bytes, that’s the highest value you can create with 16 bits.
  • Identification: If the IP packet is fragmented then each fragmented packet will use the same 16 bit identification number to identify to which IP packet they belong to.
  • IP Flags: These 3 bits are used for fragmentation:
    • The first bit is always set to 0.
    • The second bit is called the DF (Don’t Fragment) bit and indicates that this packet should not be fragmented.
    • The third bit is called the MF (More Fragments) bit and is set on all fragmented packets except the last one.
  • Fragment Offset: this 13 bit field specifies the position of the fragment in the original fragmented IP packet.
  • Time to Live: Everytime an IP packet passes through a router, the time to live field is decremented by 1. Once it hits 0 the router will drop the packet and sends an ICMP time exceeded message to the sender. The time to live field has 8 bits and is used to prevent packets from looping around forever (if you have a routing loop).
  • Protocol: this 8 bit field tells us which protocol is enapsulated in the IP packet, for example TCP has value 6 and UDP has value 17.
  • Header Checksum: this 16 bit field is used to store a checksum of the header. The receiver can use the checksum to check if there are any errors in the header.
  • Source Address: here you will find the 32 bit source IP address.
  • Destination Address: and here’s the 32 bit destination IP address.
  • IP Option: this field is not used often, is optional and has a variable length based on the options that were used. When you use this field, the value in the header length field will increase. An example of a possible option is “source route” where the sender requests for a certain routing path.

Here’s a real life example of an IP packet in Wireshark where you can see how these fields are used:

Wireshark Capture IP Header Fields

I hope this lesson has been helpful to understand the different fields in the IPv4 packet header. If you have any questions, feel free to leave a comment in our forum.


Forum Replies

  1. Hi Romani,
    Welcome to the forums!

    The key to understand the necessity of Header Length is to realize that with IPv4 the size of the header is not fixed (like it is in IPv6). The size of the IPv4 header must be at least 20 bytes, but it can be bigger, too. What makes it bigger are the additions of “options.” To learn more about options go here

    Since the size of the IPv4 header is variable, the purpose of the Header Length is to specify just how big it actually is, but there are rules as to what sizes are allowed. As mentioned earlier, the minimum is 20 bytes

    ... Continue reading in our forum

  2. Hello Ajay.

    The Header Length is a 4 bit field. That means that it can represent numbers from 0 to 15. The minimum number that the field can have however is 5. The resulting header length is calculated with the following formula:

    Length = Header Length * 32 bits

    If the value of the Header Length field is the minimum, that is 5, then:

    Length = 5 * 32 bits = 160 bits = 20 bytes

    If the value of the header length field is the maximum, that is 15, then:

    Length = 15 * 32 bits = 480 bits = 60 bytes

    The total length is the length of the whole packet. This is a 16 b

    ... Continue reading in our forum

  3. Ajay,
    The Total Length field represents the size in bytes. A 16 bit field has a maximum numeric (decimal) value of 65,535, but that value is just a number. The meaning of that number is “how large is this packet in BYTES.”

    If you receive a packet of 9000 and receiving MTU is less than that, you MUST have DF=0 otherwise the packet will be dropped. As you correctly point out, with DF=0, the packet will be fragmented, but that doesn’t mean it won’t be “without issue.” In this case a performance hit would be expected for two reasons:

    1. The act of fragmenting con
    ... Continue reading in our forum

  4. Hello again Mohammad.

    When any communication is initiated from source to destination, the contents of some network layers change for every hop and some do not change. So, you need some sort of integrity check at different layers to account for that. Let’s look at the following example:

    Your PC with IP address is sending an email to the email server with an IP address of The encapsulation takes place like this:

    Layer 4 TCP checksum checks the header and payload
    Layer 3 IP header checksum checks only the IP header integrity
    Layer 2 Et

    ... Continue reading in our forum

  5. Hi Ganesh,

    The header length can be a bit confusing. It specified the length of the IP header but we only have 4 bits. With 4 bits, you can create values between 0 and 15, that’s it.

    How it works is that each bit represents a 32-bit increment. An IP header has a minimum length, which is 20 bytes.

    1 byte = 8 bits so:

    20 bytes = 160 bits

    160 bits / 32-bit increments = 5

    So by setting the header length to 5, we know that the length of the IP header is 20 bytes.

    The total length and Identification are simple, these are both 16 bits so we can store values from 0 - 6

    ... Continue reading in our forum

50 more replies! Ask a question or join the discussion by visiting our Community Forum