IPv4 Packet Header

The IPv4 header is a 20-60 byte structure at the beginning of every IPv4 packet that contains information fields about the packet. It acts like a shipping label, telling routers where the packet is destined and how to handle it.

Understanding these fields helps you troubleshoot network issues, configure Quality of Service (QoS), and diagnose fragmentation problems. In this lesson, we’ll walk through each field in the IPv4 header, explain what each field is for, and show you an example of what an actual IPv4 packet looks like. For a broader introduction to IPv4, see our Introduction to IP Version 4 lesson. Let’s start with this picture:

Internet Protocol 4 Packet Header Fields

This picture contains all the fields you find in an IPv4 packet header. The blue items are the fixed header with the mandatory fields. Every IP packet requires these fields. The header grows when you add IP options. Most packets won’t need any IP options, so the default header is fine.

IPv4 packets are stateless. Each packet is independent and unaware of other packets or connections. Connection tracking occurs at higher layers, such as TCP.

Header Fields

Let’s dive into each header field.

Version

The first field tells us which IP version we are using; only IPv4 uses this header, so you will always find the decimal value 4 here. The IPv6 header uses a completely different structure.

Header Length

This 4-bit field tells us the length of the IP header in 32-bit increments. The minimum length of an IP header is 20 bytes, so with 32-bit increments, you would see a value of 5 here. The maximum value we can create with 4 bits is 15, so with 32-bit increments, that would be a header length of 60 bytes. This is the absolute limit of the header length. This field is also called the Internet Header Length (IHL).

Type of Service (ToS)

This field is used for Quality of Service (QoS). There are 8 bits that we can use to give the packet a certain treatment in our network. This is useful because not all packets are equal. Some of your packets might be for Voice over IP (VoIP) traffic, and other traffic could be less important, such as file downloads. In the original IPv4 specification (RFC 791) from 1981, this field is named the Type of Service (ToS) field. Later, in 1998, the ToS field was deprecated and redefined, and split into two in RFC 2474:

  • 6 bits for Differentiated Services Code Point (DSCP)
  • 2 bits for Explicit Congestion Notification (ECN)

DSCP is used to tell what priority the packet has, as explained in my IP precedence and DSCP lesson. The ECN field enables congestion notification, which allows senders to slow down before packet loss. The receiver can set the ECN bit to tell the sender to slow down.

Total Length

This 16-bit field indicates the entire size of the IP packet (header and data) in bytes. The minimum size is 20 bytes (if you have no data), and the maximum size is 65535 bytes, that’s the highest value you can create with 16 bits.

Identification

If the IP packet is fragmented, all fragments carry the same 16-bit identification value, which identifies the original IP packet they belong to. How this value is generated depends on the operating system.

IP Flags

These 3 bits are used for fragmentation:

  • The first bit is reserved and must always be set to 0.
  • The second bit, called the DF (Don’t Fragment) bit, indicates that this packet should not be fragmented.
  • The third bit, called the MF (More Fragments) bit, is set on all fragmented packets except the last one.

The DF bit is also used for Path MTU Discovery (PMTUD). If a packet is too large for a link and the DF bit is set, the router drops the packet and sends an ICMP “Fragmentation Needed” message back to the sender.

Fragment Offset

This 13-bit field specifies the position of the fragment in the original fragmented IP packet. It is measured in 8-byte units. For example, if you see a value of 185 in this field, the data actually starts at byte 1480 (185 x 8 = 1480). With 13 bits, the highest value we can set is 8191.

8191 x 8 = 65528 bytes. This makes sense because the maximum IP packet size is 65535 bytes. A fragment offset of 65528 bytes leaves just enough room (65535 – 65528 = 7 bytes) for a final fragment payload of up to 7 bytes.
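The flag and offset arithmetic above as an added example (not code from the original lesson): a planner that splits one packet for a given MTU and returns the offset, MF bit and Total Length of each fragment. It assumes every fragment carries a header of the same size as the original, which holds when no IP options are present; the names plan_fragments and FragmentationNeeded are made up for this example.

```python
class FragmentationNeeded(Exception):
    """Stands in for the router dropping the packet and sending ICMP 'Fragmentation Needed'."""

def plan_fragments(total_length, mtu, ihl=5, df=False):
    """Return one (offset_in_8_byte_units, more_fragments, fragment_total_length)
    tuple per fragment needed to carry the packet over a link with this MTU."""
    if not 5 <= ihl <= 15:
        raise ValueError("IHL must be between 5 and 15")
    header_len = ihl * 4                       # IHL counts 32-bit words
    if not header_len <= total_length <= 0xFFFF:
        raise ValueError("Total Length must cover the header and fit in 16 bits")
    if total_length <= mtu:
        return [(0, False, total_length)]      # fits: offset 0, MF not set
    if df:
        raise FragmentationNeeded("packet exceeds MTU %d and DF is set" % mtu)
    # Offsets are in 8-byte units, so every fragment except the last
    # must carry a payload that is a multiple of 8 bytes.
    chunk = (mtu - header_len) // 8 * 8
    if chunk <= 0:
        raise ValueError("MTU too small to carry any payload")
    payload = total_length - header_len
    fragments, sent = [], 0
    while sent < payload:
        size = min(chunk, payload - sent)
        more = sent + size < payload           # MF is set on all but the last fragment
        # Assumption: each fragment repeats a header of the original size (no options).
        fragments.append((sent // 8, more, header_len + size))
        sent += size
    return fragments

if __name__ == "__main__":
    # Constructed input: a 4000-byte packet crossing a 1500-byte Ethernet MTU.
    for offset, mf, length in plan_fragments(4000, 1500):
        print("offset=%d (byte %d) MF=%d total_length=%d" % (offset, offset * 8, mf, length))
```

The second fragment of the constructed 4000-byte packet gets offset 185, the same value used in the explanation above.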

Time to Live (TTL)

Every time an IP packet passes through a router, the time-to-live field is decremented by 1. Once it reaches 0, the router will drop the packet and send an ICMP time-exceeded message to the sender. The time-to-live (TTL) field has 8 bits and prevents packets from looping forever (if you have a routing loop). This is used in traceroute, which sends packets with incrementally higher TTL values to map the path to a destination. It’s also used as a security mechanism sometimes, where the TTL is set to 1, meaning the packet can’t be routed.

Protocol

This 8-bit field tells us which protocol is encapsulated in the IP packet. Here are some examples:

  • ICMP: 1
  • TCP: 6
  • UDP: 17

Header Checksum

This 16-bit field stores a checksum of the header. The receiver can use the checksum to detect errors in the header. This checksum does not validate the payload data. Upper-layer protocols, such as TCP or UDP, can perform their own data integrity checks. When a router forwards an IP packet, the TTL decrements by one, so the router must recalculate the header checksum. This recalculation happens at every router hop. This way, header integrity is ensured throughout the packet’s journey.
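An added example (not part of the original lesson) of the checksum and the per-hop recalculation: it verifies the 0x2245 checksum from the capture shown later in this lesson, then applies one router hop. The 20 header bytes are rebuilt from the decoded field values in that capture, and the function names are made up for this example.

```python
import struct

# Constructed: header bytes rebuilt from the capture's decoded fields
# (version/IHL 0x45, Total Length 100, TTL 255, ICMP, 192.168.12.1 -> 192.168.12.2).
CAPTURE_HEADER = bytes.fromhex("4500006400000000ff012245c0a80c01c0a80c02")

def ones_complement_sum(data):
    """Add the 16-bit big-endian words of data, folding carries back into 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def header_checksum(header):
    """Checksum of the header, computed with the checksum field (bytes 10-11) zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return ~ones_complement_sum(zeroed) & 0xFFFF

def checksum_ok(header):
    """An intact header, summed with its checksum field included, folds to 0xFFFF."""
    return ones_complement_sum(header) == 0xFFFF

def forward(header):
    """One router hop: decrement the TTL (byte 8), then write a fresh checksum."""
    ttl = header[8]
    if ttl <= 1:
        raise ValueError("TTL reaches 0: drop the packet, send ICMP time exceeded")
    hopped = header[:8] + bytes([ttl - 1]) + header[9:]
    return hopped[:10] + struct.pack("!H", header_checksum(hopped)) + hopped[12:]

if __name__ == "__main__":
    print("capture checksum valid:", checksum_ok(CAPTURE_HEADER))
    after_hop = forward(CAPTURE_HEADER)
    print("after one hop: TTL=%d checksum=0x%04x" % (after_hop[8], header_checksum(after_hop)))
```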

Source Address

Here you will find the sender’s 32-bit source IP address.

Destination Address

Here you will find the receiver’s 32-bit destination IP address. Routers use this to make forwarding decisions.

IP Option

This field is rarely used, optional, and has a variable length depending on the options used. When you use this field, the value in the header length field will increase. Here are some examples:

  • Record route: Records the IP addresses of the routers through which an IP packet passes.
  • Timestamp: Records timing information.
  • Source Routing: Specifies the path that the packet should take.
  • Security: Used for classification levels.

Many routers or firewalls drop IP packets with IP options set, for two reasons. Security: IP options can expose network topology. Performance: IP packets with IP options are processed by the router’s CPU.

Wireshark Capture

When we look at the IP header, the fields are transmitted in a specific sequence. We call this Network Byte Order. It uses Big-Endian format, which means the most significant byte is sent first. This is important because different computer processors store data differently in memory. By enforcing a standard order, we ensure that every router, switch, and server interprets the IP header values exactly the same way.

Here’s what an actual packet looks like:

Frame 3: Packet, 114 bytes on wire (912 bits), 114 bytes captured (912 bits) on interface eth1, id 0
Ethernet II, Src: aa:bb:cc:00:01:10 (aa:bb:cc:00:01:10), Dst: aa:bb:cc:00:02:10 (aa:bb:cc:00:02:10)
Internet Protocol Version 4, Src: 192.168.12.1, Dst: 192.168.12.2
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 100
    Identification: 0x0000 (0)
    000. .... = Flags: 0x0
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 255
    Protocol: ICMP (1)
    Header Checksum: 0x2245 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 192.168.12.1
    Destination Address: 192.168.12.2
    [Stream index: 0]
Internet Control Message Protocol

Let me explain what we see above:

  • Version: 4 – Indicates this is an IPv4 packet (as opposed to IPv6)
  • Differentiated Services Field: 0x00 – Used for Quality of Service (QoS); value 0x00 means default/best-effort delivery with no special priority.
  • Total Length: 100 – The entire IP packet size is 100 bytes, including header and data.
  • Flags: 0x0 – Control bits for fragmentation; all set to 0 means the packet is not fragmented, and fragmentation is allowed.
  • Fragment Offset: 0 – Indicates the position of this fragment in the original packet; 0 means this is either the first fragment or the packet is not fragmented.
  • Time to Live: 255 – Maximum number of hops (routers) the packet can pass through before being discarded; starts at 255.
  • Protocol: ICMP (1) – Identifies the protocol used in the data portion of the packet; value 1 indicates ICMP (Internet Control Message Protocol), commonly used for ping.
  • Header Checksum: 0x2245 – Error-checking value for the IP header to detect corruption during transmission.
  • Source Address: 192.168.12.1 – The IP address of the device sending this packet.
  • Destination Address: 192.168.12.2 – The IP address of the device that should receive this packet.

If you want to take a look for yourself, here is a capture of two Cisco routers where we send a ping from one router to another:

Packet Capture: ICMP Echo Request Reply Two Cisco Routers

FAQ

Can the TTL field be used to determine the operating system of the sender?

Yes, different operating systems use different default TTL values, which can help identify the sender’s OS. For example, Windows typically uses 128, Linux uses 64, and some network devices use 255. However, this is not foolproof as TTL values can be manually configured, and the value decreases at each hop, so you’d need to account for the number of routers in the path.

Does the Source or Destination IP address ever change while the packet is traveling?

In standard routing, these addresses do not change. However, there is a common exception called Network Address Translation (NAT). When a packet leaves your home or office network to go to the Internet, the router usually replaces the private internal Source IP with the public external Source IP of the router. This allows many devices to share a single public IP address.

If the maximum packet size is 65,535 bytes, why are most packets on the Internet much smaller (usually 1500 bytes)?

While the IPv4 header allows for massive packets, the physical network cables and switches usually have a lower limit. This is called the Maximum Transmission Unit (MTU). The standard MTU for Ethernet (the most common network type) is 1500 bytes. If you try to send a packet larger than the MTU, it must be fragmented (split up), which slows down the network. Therefore, devices usually negotiate to keep packets under 1500 bytes to avoid this efficiency penalty.

How does the router handle the “Options” field if the header length is variable?

This is the primary reason the IHL (Header Length) field exists. Because the Options field can vary in size (or not exist at all), the router reads the IHL bits first. This tells the router exactly where the header ends and where the data payload begins. Without the IHL, the router wouldn’t know if the data started at byte 20, byte 24, or byte 60. This variable length is actually considered a design flaw by modern standards because it makes hardware processing harder; IPv6 fixed this by enforcing a fixed header size.
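The field walkthrough of the capture and the IHL answer above, as an added example (not part of the original lesson): a parser that decodes the fixed header, uses the IHL to find where options end and the payload begins, and rejects headers whose length fields are inconsistent. The header bytes are rebuilt from the capture's decoded field values, and the function and key names are made up for this example.

```python
import ipaddress
import struct

# Constructed: header bytes rebuilt from the decoded fields of the capture in this lesson.
CAPTURE_HEADER = bytes.fromhex("4500006400000000ff012245c0a80c01c0a80c02")
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}     # the examples this lesson lists

def parse_ipv4_header(packet):
    """Decode the IPv4 header at the start of packet; raise ValueError if it is malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte fixed header")
    # "!" selects network byte order (big-endian) for every multi-byte field.
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("not IPv4 (version %d)" % version)
    if ihl < 5:
        raise ValueError("IHL %d is below the minimum of 5" % ihl)
    header_len = ihl * 4                          # 32-bit words to bytes
    if header_len > len(packet):
        raise ValueError("IHL points past the available bytes")
    if total_len < header_len:
        raise ValueError("Total Length is smaller than the header")
    return {
        "header_len": header_len,
        "dscp": tos >> 2,
        "ecn": tos & 0x03,
        "total_length": total_len,
        "identification": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "fragment_offset_bytes": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "checksum": checksum,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "options": packet[20:header_len],         # empty when IHL is 5
        "payload_offset": header_len,             # data starts right after the options
    }

if __name__ == "__main__":
    for name, value in parse_ipv4_header(CAPTURE_HEADER).items():
        print("%-22s %r" % (name, value))
```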

 

  • Content created by Rene Molenaar (CCIE #41726)

Forum Replies

  1. Hello Rene,
    Could you please help with the queries below?

    How does the network layer decide whether a packet is to be fragmented or not?
    Is it possible for an admin/application to enforce a fragmentation decision on an IP packet?
    Is there any relation between the total length field and the MTU?

  2. Thanks a lot Rene.. It was well explained there…

  3. Hi Rene,

    Why is the header maximum length limited to 24 bytes?

    As per the theory, for a 5 bit header field, the maximum value is 15, so the header length will be 4 * 15 = 60 bytes.

    Please correct me if it is limited to 24 bytes in production.

    Regards,

    SV

  4. Hi SV,

    Good question, some sources (for example Routing TCP/IP Volume 1) state that the maximum header length is 24 bytes so that 6 would be the maximum value. I can’t find any proof for this, it’s not in the RFC.

    I just updated the lesson, with 4 bits, the highest value we can create is 15 so 15x32 = 480 bits (60 bytes)

    Thanks for the input!

    Rene
